Combining EA techniques with Bow-Tie Diagrams to

enhance European Port Security

Nikolaos Papas
BMT Hi-Q Sigma Ltd.
Basingstoke, UK
Nikolaos.papas@hiqsigma.com

Introduction
Ever since the September 11 attacks on New York, and the attacks on the USS Cole
and the Limburg tanker, international organisations such as the International
Maritime Organisation (IMO) and the European Commission (EC) have been greatly
concerned with supply chain security and issued several items of legislation to
enhance security (e.g. IMO, 2003; EC, 2005).

This paper reports on the latest initiative by the EC to increase security at European
ports even further. It will be shown how the project undertook the development of a
comprehensive model that analyses risks, evaluates the effectiveness of risk control
measures and helps provide guidance to users on how to improve port security.
Following an explanation of the core concepts of this model, a description of the
project methodology is given and a description of how the initial draft of the model
was arrived at.

The interim results are presented afterwards, showing how Risk was calculated for
different threats and presenting aspects of the model that go beyond traditional risk
modelling. A discussion of the results follows.

Background
The “Security UPgrade for PORTs” (SUPPORT; SEC-2009-3.2.1-242112) Project is
an EC-funded project which aims to raise the current level of port security across
European ports. The project intends to identify security measures that could on the
one hand satisfy evolving international regulations and standards while at the same
time efficiently supporting the complexity of the port environment by enhancing the
flow rate of goods and people through the port. In the context of the SUPPORT
project, safety and security are regarded as completely separate topics. SUPPORT
concerns itself with antagonistic threat actors, who intend to cause harm to a port‟s
assets, customers, its operations and reputation. Issues of safety (e.g. accident
management) are not considered.

Bow-Tie Diagrams Technique

Bow-Tie Diagrams are a technique used to conduct Risk Identification and Risk
Analysis in a number of different industries, such as Petrochemicals (Zuijderduijn,
2000), Air Travel (Eurocontrol, 2009), Ship Building (Jacinto and Silva, 2010) and
even in Finance (McConnel and Davies, 2006). Bow-Ties combine elements of Fault
Tree Analysis, Causal Factors Charting and Event Tree Analysis (Giffort et. al., 2003)
to form a graphical representation of:

- a central loss event to be avoided

 - contributing factors that may cause (or help cause) that loss event, with a
specific probability
- consequences of that loss event occurring, and their impact
- controls that aim to reduce the probability of the loss event occurring, and
controls that aim to reduce the impact of loss events once they have occurred

The graphical representation of these factors provides audiences with a quick and
insightful understanding of a number of risks that may contribute to causing loss
events. It also highlights what controls have been put in place and what other
controls could be put into place in order to avoid such events from occurring. Figure 1
below describes an example of such a Bow-Tie diagram.

Figure 1: Bow-Tie Diagram

The above figure also shows how controls that reduce probability or impact of a risk
can be grouped into different categories, such as Technical or Managerial. This
provides a useful management tool that can highlight quickly where within the
security organisation investment or change is required, whether it‟s procedures,
technology or organisational policies.

In most known uses of the Bow-Tie technique, it is utilised as part of FSA-type

assessments that are undertaken with a view of reducing accidents based on
equipment failure, such as in Zuijderduijn (2000) or in Trbojevic and Carr (2000). For
example, Zuijderduijn (2000) describes how Shell‟s Health, Safety and Environment
Management system includes Quality Management principles in its business
activities. The focus of this system is the management of hazards and their effects,
through the application of a process called Hazard And Effect Management Process
(HEMP), which at its core produces Bow-Tie diagrams describing various hazards
that can occur and the existing process and equipment controls to prevent these from
occurring, or reducing the impact were these hazards to cause a loss event.
However, the primary use of the HEMP is to ready the organisation for accidents and
matters of safety, not matters of security.

Bow-Tie analysis can be used for both qualitative and quantitative risk assessments
in complex situations. Nordgård (2008) describes a case where Bow-Tie diagrams
were applied in the Energy industry to calculate residual risk levels for various
scenarios. Jacinto and Silva (2010) applied some quantitative techniques to enhance
their qualitative risk assessment to study accidents at a ship yard. We adopted a
similar approach (see “Methodology”), but combined it with qualitative data using
techniques from Enterprise Architecture to create a mixed qualitative/quantitative risk
assessment for European ports.

Enterprise Architecture
Enterprise Architecture (EA) is defined by Lankhorst (2009) as “a coherent whole of
principles, methods, and models that are used in the design and realisation of an
enterprise‟s organisational structure, business processes, information systems, and
infrastructure” (Lankhorst, 2009; p. 3). Schekkerman (2004) extends this definition by
stating that “EA…acts as a collaboration force between aspects of business
planning…business operations…organisation structures, processes…information
systems…and the enabling technological infrastructure of the business”
(Schekkerman, 2004; p. 13) and “provides a mechanism that enables communication
about the essential elements and functioning of the enterprise” (ibid., p. 14). It has
also been called “a blueprint of the organisation, which serves as a starting point for
analysis, design and decision making” (Steen et. al., 2004). According to Winter and
Fischer (2006), EA uses a mechanism of hierarchical layering to structure and
separate the various different data that can be used to describe an organisation.

Zachman (1997) identified that organisations are in need of such a comprehensive

picture of themselves. It is recognised that EA “plays a key role in the transition”
(Morganwalp and Sage, 2004) and re-orientation of an organisation; Boster et. al.
(2000) consider an EA as a value-adding asset. Brown (2004) lists six distinct ways
in which EA adds value to an organisation:

1) Readily available documentation of the enterprise

2) Ability to unify and integrate business processes across the enterprise
3) Ability to unify and integrate data across the enterprise and to link with
external partners
4) Increased agility by lowering the “complexity barrier”, an inhibitor to change
5) Reduced solution delivery time and development costs by maximising reuse
of enterprise models
6) Ability to create and maintain a common vision of the future shared by both
the business and IT communities, driving continuous business/IT alignment
Adapted from: Brown (2004)

As can be seen from this list, EA has the potential to allow organisations to change
and adapt much faster, more accurately and with less disruption than otherwise
possible. Brown (2004) refers to a case study which compared two public sector
organisations undertaking IT investment, with one following traditional development
methods, and the other utilising its deployed EA. Due to the available information in
the EA, the latter organisation spent just $3.5M in development, compared to the
former‟s spent of $42M. This discrepancy is explained through the fact that the EA
already contained a lot of information about how the new systems were meant to run,
existing infrastructure (incl. systems, code lines, data dictionaries and databases)
and the ability to use the EA to plan a future state. In other words, the more
expensive case had to undertake several phases of requirements analysis and
design where the EA provided the answer from its memory.
As Zachman (1997) has identified that “CEOs declare that the biggest challenge
facing the modern Enterprise is „change‟”, the possibilities and opportunities that EA
offers are very attractive for organisations.

Methodology
The research followed the Design Science methodology (e.g. Hevner et. al., 2004;
March and Smith, 1995), which is an iterative research methodology aimed at
inducing change in an organisation through the development and introduction of
artefacts which, according to March and Smith (1995), can be models, instantiations,
constructs and methods which must be capable of serving “human purposes” (March
and Smith, 1995). Being a Pragmatist research methodology (Cole et. al., 2005), the
quality and efficacy of the produced artefacts will be shown through their applicability
and appropriateness to the users‟ needs.

The project developed, using the Bow-Tie technique, a total of 21 Loss Events which
cover both crime and terrorism. These Loss Events were arrived at through three
focus groups meetings and a number of individual face-to-face reviews with a group
of highly experienced security experts, including a Port Facility Security Officer
(PFSO) of a large Passenger and Ferry Terminal, a former Port Security Officer with
over 30 years of experience, a PFSO for a Container Terminal and several currently
serving private security company experts who have extensive maritime/port security
experience. The focus groups were guided by a risk management consultant. With
the exception of two people, everyone at the focus group was ISO 28000 trained.
The aim of the focus groups was to build up a picture of what they considered
constituted a realistic depiction of current threats faced by modern European ports,
and to identify for a port with a theoretical unlimited security budget all available risk
control factors. In other words, this group of people built up a reference model of
threats, risks, consequences and risk control factors that could be considered as a
„state of the art‟ reference model against which other ports could measure their
performance.

The developed reference model was then showcased in stakeholder workshops at a

number of European ports across the various regions (Baltic, North Sea, Eastern and
Western Mediterranean) and feedback collated. These workshops typically consisted
of representatives from Police, Customs, Coast Guard, Port Authority, PFSOs and
some Terminal Operators. Their feedback was captured and helped refine the model.

Interim Results
The completed Bow-Tie diagrams were created in the EA modelling tool “MooD”1.
We implemented the standard Bow-Tie notation of placing threats and vulnerabilities
to the left of a central loss event, with preventive controls providing barriers to some
or all the threats (i.e. measures to reduce probability of that threat or vulnerability
being successfully exploited). Similarly, we placed consequences and consequence
controls (i.e. measures to reduce impact) to the right hand side of the central loss
event. Early on, we realised that it would be overly complicated to replicate
accurately the various consequences that different disparate events such as terrorist
attacks and petty thefts can have. We therefore decided to have six specific types of
consequences, with each having an impact factor of 0-5. The following table shows
what these consequences are and the impact factor for each.

1
http://www.tsorg.com/
Impact People Environment Asset Value Reputation Disruption of
(€ Million) Port
0 No health No effect Nil No Impact None
effect/
injury
1 Slight health Slight effect 0.01 – 0.1 Slight Impact Slight
effect/injury (rapid on-site clean- Disruption
up)
2 Minor health Minor effect (short 0.1 – 1 Limited Impact Some
effect/injury term Disruption,
within facility affecting
boundary) mainly
one terminal
3 Major health Localised effect (long 1 – 10 Considerable Considerable
effect/injury term within facility Impact Disruption,
boundary) affecting
Neighbouring
terminals
4 Single fatality Major effect/damage 10 – 100 Major national Major
or multiple long term or extensive impact disruption,
permanent affecting
injuries multiple
terminals and
waterways
5 Multiple Massive effect/ >100 Major Massive
fatalities damage international disruption,
long term and impact affecting entire
extensive port area
Table 1: Consequences and their Impact values

The one consequence not represented in that table is the “Follow-On Consequence”;
this object captures the fact that some Loss Events are merely precursor to other
types of Loss Events. Examples are a diversionary riot being created to hide other
criminal activity, or the theft of data that could result in further economic loss. The
Follow-On consequence obtains an Impact factor that is determined by the overall
risk value of the Loss Events it causes. We were able to identify several of these.

Each control factor was given a value between 0 (highly effective) and 1 (not
effective at all) and thus acted as a multiplier increasing or decreasing the probability
or impact of a threat or consequence. For each Loss Event, Probability and Impact
were assigned to Threats and Consequences respectively, a control factor was
assigned to each risk control measure using expert opinion, and the tool then
automatically calculated a Total Risk Value for a particular Loss Event. This was
achieved through a combination of expert input at the focus groups and the face-to-
face reviews, and a study of literature on similar events in the past.

The figure of Total Risk Value was later expanded to include a „minimum‟ and
„maximum‟ Total Risk Value, which represents a Worst-case, best case and most
likely scenario of a particular Loss Event occurring. The mathematical relationship
could therefore be expressed as the total Risk per Loss Event (R), consolidated
Threat Probability and Impact values (P,M), derived from all individual Threats (ti),
Consequences (ci) and Preventative and Consequence Control Factors (fi and gi)
associated with that loss event.
Figure 2: Bow Tie Diagram in MooD, showing variable definitions.

Three calculations for Total Risk were employed based on average (RA), minimum
(Rmin) and maximum (Rmax) weighted probability and impact values. The average risk
calculation derives a risk estimate that balances all threats and impacts. The
minimum and maximum calculations take best-case and worst-case views of risk
respectively; the minimum sets the total risk to the minimum weighted Threat
Probability and Impact values, while the maximum uses the maximum weighted
Threat Probability and Impact values. The precise calculations used are:

 I ,J M ,N

   i, j  f i t j   m, n g m c n 
 i 1, j 1 
R A  P, M   
m 1, n 1
I ,J
, M ,N 
   i, j    m, n  
 i  1 , j 1 m  1, n 1 

Rmin P, M   min  f i t i , min g m c n 

Rmax P, M   max  f i t i , max g m c n 

where J is the total number of threats, N is the total number of Consequences, I and
M are the total number of preventative and consequence controls respectively. The
function (i,j) equal one where the threat/consequence and control are connected
and zero otherwise.

Together, these values RA, Rmin and Rmax give an indicative risk range.

The tool was thus able to quickly calculate a range of Risk Values for the Loss
Events identified by the expert focus group. The complete results for Loss Events are
captured in the following table:
Loss Event Best case Average case Worst case
Impa Probabilit Impa Probabilit Impa Probabilit
Label
ct y ct y ct y
Attack on hazardous goods
within 2,0 0,8 3,4 2,6 5,0 4,0
port area
Attack with car bomb 2,0 0,9 3,4 2,4 4,5 4,0
Availability of Port Data is
0,0 0,2 1,0 1,3 5,0 4,0
compromised
Blind Passengers get on
board 0,0 0,4 1,7 1,1 5,0 4,0
successfully
Bomb Threat against
Ship/Port 3,5 3,5 4,5 3,9 5,0 4,0
Facility
Co-ordinated bombing of port
0,9 1,2 2,5 2,4 4,5 4,0
infrastructure
Confidentiality of Port Data is
0,0 0,5 1,2 1,9 5,0 4,5
compromised
Contamination of cruise ship 0,8 1,2 2,2 2,5 4,5 5,0
Demonstrations leading to
Riots, 0,6 0,2 1,5 1,7 2,7 4,5
disrupt port activity
Direct Attack on Oil Terminal
0,9 0,8 2,2 1,8 4,5 4,5
and its Infrastructure
Dirty bomb attack 1,2 0,6 2,6 1,1 5,0 3,0
Disruption of Port Waterways
to 1,5 0,4 2,7 2,0 4,5 4,0
impede Port Operations
Drugs smuggled through port 0,0 0,9 0,6 1,9 3,0 3,5
External Electrical Power to
0,3 1,2 1,5 1,5 5,0 1,8
Port is Cut
Illegal Immigrants/Trafficked
Humans pass through the 0,0 1,2 2,3 2,8 4,0 4,0
port
Integrity of Port Data is
1,0 0,3 2,4 2,1 4,0 5,0
compromised
LNG/LPG carrier attacked in
2,0 0,0 3,1 1,3 4,5 3,2
port
Successful attempt at Arson 0,9 1,2 2,0 2,1 4,5 4,0
Theft of container with high
value 2,0 1,0 2,4 2,5 3,0 5,0
goods
Theft of low value goods from
0,9 1,2 1,3 2,5 2,0 4,5
port buildings and pax
Economic loss suffered due
2,5 1,2 3,3 2,1 4,5 5,0
to crime
Mean value 1,1 0,9 2,3 2,1 4,3 4,1
Table 2: Identified Loss Events and their various Risk Values
These results must be considered with the caveat that the Risk Values all represent a
hypothetical „Model Port‟, which combines features of all European Ports, and which
has a theoretical unlimited Security Budget.

Due to MooD‟s particular qualities as an EA tool, we were able to supplement the

Bow-Tie representations with additional details. For each Loss Event, we captured
the type of terminal that might be subjected to a specific Loss Event threat (see Table
2, Loss Events #1 & #10 for terminal-specific Loss Events); whilst we did try to keep
Loss Events common to all Terminals, some Terminals do face unique threats, which
are represented in Table 2. We also captured, for each control factor, the relevant
port stakeholder that is responsible for management and implementation of a
particular control. We also captured “Best Practice” guidance for each control, to help
highlight what a well-implemented control must look like in order to achieve the
effectiveness that is indicated by the control factor value of a particular control.
Finally, each control factor was also equipped with basic cost information (controls
were identified as low, medium or high cost controls) to help with an initial cost-
benefit analysis and investment strategy. All of these „supplementary‟ data fields are
represented in Figure 4 and 5 below:

Figure 4: „Allocating‟ an applicable Terminal for a specific Loss Event

Figure 5: Enhancing the information contained within Control Factors

This information will later help users identify what they need to do to implement a
control factor effectively, in what cost band that factor is likely to fall, who the
responsible actor is and at what ISPS security level this control should be
implemented.

At the time of writing, the developed model had not yet received the full scrutiny by
port stakeholders, as initial meetings were focused on more general topics of the
project as a whole. Nevertheless, some feedback from respondents had been
received already. Notable feedback included:

- the identification of new threats and risk control factors

- the identification of Loss Events not considered by the focus groups
- the rejection of Loss Events that the focus groups had considered
- the adjustment of a few risk control values
- discussions about how the developed model could be re-used for use by the
ports‟ risk assessment teams

These meetings also kick-started discussions on the most effective „baseline‟ for risk
control factors to be implemented; whilst some larger ports favoured a formal
implementation of ISO 28000, smaller ports were concerned that such a system
might be cost prohibitive, especially as smaller ports noted that they are much more
concerned with economic rather than terrorist threats.
Discussion
Whilst the use of Bow-Tie diagrams is well established in literature, our particular
implementation is, as far as we can ascertain, fairly novel because we manage to not
only capture Risk information in a purely graphical manner, but we also capture a lot
of contextual information „behind‟ the model which gives more meaning to the
numbers involved. For instance, the „Best Practice‟ section for risk control factors
gives guidance that a PFSO could use to enhance a particular security factor at a
facility to a level of effectiveness more closer to what our panel of experts deem „best
practice‟. In other words, the output can be thought of as a dynamic and interactive
tool that can guide a user to identify the best aspects of security to invest in. We have
started undertaking such an analysis at an elementary level but it is too soon to be
able to report on the results yet. This is possible because the tool allows for dynamic
input of values into the model (for example, a user could log in and change the
probability, impact and control factor values in a particular loss event model and view
the results on the total risk value immediately). Therefore, this model can be used for
what-if scenario analysis and cost-benefit analysis.

Concerning the numbers within the model, especially those for control factor values
and Probability, these must be understood as theoretical ideals. They do not
represent any one specific port. This poses a particular problem for the types of
threats faced by ports. Not all ports are situated in a country that is understood to be
a target for political or religious extremists; not all attackers use the same tactics.
Also, no port has an unlimited security budget. In order to account for these important
differences between theory and practice, the developed model shall remain a
reference model only, a theoretical ideal that ports should strive for. The section on
“Future Research” will outline how the model will be perused further.

Attentive readers will have noticed that the maximum and minimum risk values for
worst and best case scenarios respectively are not based on a mathematical model
of probability, but merely on the calculation of multiplying probability or impact with
the best/worst risk control factor in a given Loss Event. The reason for this lies in the
fact that no accurate security statistics are available. Were accurate details available,
i.e. details of total flow of customers/goods, number of inspections, number of
incidents, estimated number of non-detection etc., then an accurate model could be
created that captures accurate risk control factor values and an accurate model for
calculating Rmax and Rmin. However, this information is not available and therefore
the numbers were based on expert opinion. This, in turn, makes it impossible to
develop a detailed model for best/worst case scenarios so a decision was made to
handle this aspect fairly simplistically for the time being until this reference model can
be refined. Furthermore, feedback from the initial stakeholder workshops shows that
businesses do not seem to understand the effect of the numerical value of these risk
control factors. It is very difficult to highlight to them how a split of 10% physical
search, 90% document search can be translated into a search effectiveness value of
0.2 for example (the stakeholders seemed to understand Impact and Probability,
though). This is particularly relevant because the effectiveness of the risk control
factors are what truly determines the overall risk control factor values, so further
research needs to focus on refining these control values using more empirical
means.

It is interested to note that when one looks at Table 2 and the risk values calculated
for the various Loss Events, then it becomes apparent that the total Risk Values
(regardless of whether the best/worst/average cases are being considered) are not
that different from each other. In other words, there is very little spread between the
Loss Event with the lowest and highest risk values. This is exacerbated when one
considered a graphical representation of the data spread as per the following figure:

Bomb threat against ship/port facility

Attack with car bomb

Attack on hazardous goods within port area

LNG/LPG carrier attacked in port Economic loss suffered due to crime

3
Disruption of port waterways
Dirty bomb attack
Impact

Co-ordinated bombing of port infrastructure

Theft of container with high
Data integrity compromised
value goods
Illegal immigrants/human
Attack on oil terminal/infrastructure trafficking
contamination of cruise
2 ship
Successful attempt at Arson
Blind Passengers get on
board Electrical power to port is
cut
Riots disrupting port activity
Theft of low value goods
Port data confidentiality
1 compromised
Port data availability
compromised
Drugs smuggled through
port

0
0 1 2 3 4 5
Probability index

Figure 6: Graphical representation of Loss Events‟ Risk Values (Average Case)

As can be seen, the Loss Events are clustered together in one big homogenous
group. A similar picture is seen for the best and worst case Risk Values. A traditional
Risk Assessment would have anticipated seeing a roughly linear line from the bottom
left to the top right corner of the Figure, showing a comprehensive set of Risks.
However, Figure 6 shows the results expected by the project – the project considers
itself with those risks that European ports should be particularly concerned about,
and not necessarily well prepared for. Therefore, the expert focus groups (and the
initial feedback from stakeholders) have managed to capture a number of Risks that
are similar and don‟t vary much between each other, which is the expected outcome
if one were to investigate the most pressing security issues in individual facilities for
example. Figure 6 thus validates the project‟s approach by showing that the identified
Loss Events are roughly similar in their anticipated probability and impact.
Future Research
To account for the issue that the developed reference model is built as a theoretically
ideal model with only little empirical data, there are plans to re-built several
instantiations of the developed risk model on the basis of the specific local conditions
of the participating ports. In other words, there will be a complete model for each
participating port, capturing the as-is conditions of the threats and their probability
being faced, the available risk control factors and values, and the consequences and
their impact specific to that port. This will allow for a detailed gap-analysis between
the reality of these ports, and the theoretical ideal that security experts have helped
construct.

The “Best Practice” description of risk control factors (see Figure 5) will be expanded,
so that procedural control factors will be described through a Business Process
Modelling notation, providing a clear graphical overview over how such a procedure
should be implemented. This will be in addition to the textual description provided
already. The expectation is that the completed model, including the local
instantiations, will thus provide a comprehensive tool that can show a future user
(e.g. Port Authority, PFSO) where and how to upgrade specific aspects of their
security.

We also intend to add a field on the legal requirements and guidelines; specifically,
maritime legislation, such as the ISPS code (IMO, 2003) and the EC‟s port security
directive (EC, 2005), put certain requirements and demands on PFSO‟s and Port
Authorities. These typically influence the types of threats that Ports must be ready to
face, a set of minimum security standards and specific requirements against specific
technology. This is especially true when looking at other voluntary schemes, such as
AEO (EC, 2010) and C-TPAT (CBP, 2004), which will also be considered and added
to our model. This will show users the legal requirements they must comply with, and
requirements of voluntary schemes that they may wish to comply with.

Finally, the “cost” field will be greatly expanded on the basis of more data gathered
from the ports. A “low/medium/high” cost grading for security upgrades is not very
useful, especially when applied to a reference model that is not comparable to a real
port. Therefore, as more data is gathered from the ports, the individual port model
instantiations will be expanded in such a manner that the control factors‟ cost
information reflects the actual situation within a real port. In other words, if Port X of a
specific size with a certain amount of security technology already implemented wants
to upgrade its security measures to reflect the theoretical risk control value
developed in the reference model, then Port X‟s expenditure is likely to be different to
Port Y‟s expenditure, with a different size and different amount of security. This will
make the model interesting to the relevant PFSO‟s and Port Authorities as the model
can then be used as a dynamic and interactive simulation tool that could help them
with cost-benefit and what-if analysis to determine the best investment options and
the true cost of upgrading security, and effectiveness of such upgrades.

Link with eFreight Capabilities

The risk control factors that the project will concern itself with are of relevance to
current eFreight initiatives. The data gathered by the project so far indicates that the
following nine risk control factors will form the main focus of the SUPPORT project:

1) Risk and Vulnerability Assessments

2) Access Control
3) Improved Monitoring and Surveillance
 4) Standards for Fencing, Intrusion Alarms and CCTV systems
5) Improved Inspection and Securing of Cargo through advanced scanning and
screening technology
6) Guidelines for checking/scanning of personnel
7) Improved background checks on Employees
8) Improved Security and Security Awareness Training
9) Promotion of High Resilience Concepts

The SUPPORT project intends to exploit eFreight technology to help Port

Stakeholders upgrade their security. This will require explicit links between the
generic threat model developed (see above), the creation of reference models that
include all relevant domain entities, and processes that show how security
assessments are carried out, how specific risk control factors reduce probability or
impact, and the use of eFreight technology to manage the day-to-day operation of
some of these control factors. Currently, the project proposes that eFreight
technology be used to develop a Decision Support System to define the path for
Security Upgrades (which will depend on the information captured in the Generic
Threat Model, such as cost, effectivity, and size of the threat), which will help
stakeholders plan a program for upgrading security. Also, eFreight technology is
envisaged to undertake surveillance and monitoring of suspect activities, by running
Data Fusion and Artificial Intelligence modules against data collected from a wide
variety of sensors. Whilst all these plans are at an early stage of planning, the
SUPPORT project hopes to start exploiting eFreight technology in time for the
SUPPORT demonstrators, so that it can be showcased how eFreight technology can
help enable improved security operations.

Conclusions
The comprehensive model being gradually built and enhanced has a lot of potential
to help Port Authorities and PFSO‟s plan, prepare and undertake security upgrades
to their facilities and infrastructure. It combines an analysis of Risk, identifies
measures that could be used to reduce that risk, provides effectiveness values for
measures that could control risk, guidance on how to implement these, and
references to legislation that a Port Facility must oblige with. Future users can
therefore use this model for various purposes: cost-benefit analysis, upgrade
planning, audits, what-if scenario analysis and even as a training tool.

The model is implemented in an EA tool and the way it has been implemented in it
permits a user to fully exploit the potential benefits of an EA as a whole. The model
will eventually be released with guidance that will show how to add non-security
aspects to the model, so that an EA can be built up and maintained.

How does this work affect European Port Security though? By bringing together the
opinions of security experts and current users, users and experts can learn from
each other about what represents current threats and whether existing measures are
sufficient to cover these. The model being developed will help reduce the barriers to
upgrading security as it clearly identifies security gaps and legal requirements that
must be met, thus it becomes a helpful tool that users can use to effectively upgrade
security where it is necessary and effective to do so. It also visualises the most
severe threats faced by European ports, leading to better understanding of risk and
the enhanced security that could be gained from simple changes to processes and
procedure.
Acknowledgments
The SUPPORT project is funded by the EC‟s 7th Framework Programme. We also
would like to thank all project partners for their support in helping to gather and
develop elements of the information presented herein.

References
Boster, M., Simon, L., and Thomas, R. (2000). “Getting the most from your enterprise
architecture.” IT Professional 2 (4): 43-51.

Brown, A. (2004). “The Value of Enterprise Architecture.” Retrieved from

http://74.125.155.132/scholar?q=cache:LxeDkl9J7PQJ:scholar.google.com/&hl=en&
as_sdt=0,5 on 02/02/2011.

Cole, R., Purao, S., Rossi, M. And Sein, M.K. (2005). “Being proactive: Where action
research meets design research.” Proceedings of the 16th International Conference
on IS (ICIS), Las Vegas, USA: 325-335.

US Customs & Border Protection (2004). “Securing the Global Supply Chain.
Customs-Trade Partnership against Terrorism.” Retrieved from
http://www.cbp.gov/linkhandler/cgov/trade/cargo_security/ctpat/what_ctpat/ctpat_stra
tegicplan.ctt/ctpat_strategicplan.pdf on 03/02/2011.

European Commision (2005). “Directive 2005/65/EC Of The European Parliament

and Of The Council on Enhancing Port Security.” Official Journal of the European
Union, L310: pp. 28 - 35

European Commission (2010). “Authorised Economic Operator (AEO).” Retrieved

from
http://ec.europa.eu/taxation_customs/customs/policy_issues/customs_security/aeo/in
dex_en.htm on 03/02/2011.

EUROCONTROL (2009). “Generic Safety Assessment for ATC Surveillance using

Wide Area Multilateration.” EATMP Infocentre: Brussels. Retrieved from
http://www.eurocontrol.int/surveillance/gallery/content/public/documents/Vol%201%2
0Generic%20WAM%20Surveillance%20Safety%20Assessment%20v6-0.pdf on
02/02/2011.

Gifford, M., Giltert, S. and Bernes, I. (2003). “Bow-Tie Analysis.” Equipment Safety
Assurance Symposium (ESAS), 2003.

Hevner, A.R., March, S.T., Park, J. and Ram, S. (2004) “Design Science in IS
Research”, MIS Quarterly 28(1):75-105.

International Maritime Organisation (2003). “The International Ship and Port Facility
Security Code.” IMO Publications.

Jacinto, S. and Silva, C. (2010). “A semi-quantitative assessment of occupational

risks using bow-tie representation.” Safety Science 48(8): 973-979.

Lankhorst, M. (2009). “Enterprise Architecture at Work: Modelling, Communication

and Analysis.” Springer-Verlag: Berlin.
March, S.T. and Smith, G.F. (1995). “Design and natural science research on
Information System Technology.” Decision Support Systems, 15(4): 251-266.

McConnell, P. and Davies, M. (2004). “Safety first – scenario analysis under Basel
II.” Retrieved from http://www.continuitycentral.com/feature0338.htm on 02/02/2011.

Morganwalp, J.M. and Sage, A. P. (2004). “Enterprise architecture measures of

effectiveness.” International Journal of Technology, Policy and Management 4 (1):
pp. 81-94.

Nordgård, D.E. (2008). “Quantitative Risk Assessment in Distribution System

Maintenance Management using Bow-Tie Modeling.” 16th PSCC Conference,
Glasgow, Scotland.

Schekkerman, J. (2004). “How to survive in the jungle of Enterprise Architecture

Frameworks.” 2nd Edition. Trafford Publishing: Victoria.

Steen, M.W.A., Akehurst, D.H., ter Doest, H.W.L. and Lankhorst, M. M. (2004).
“Supporting Viewpoint-Oriented Enterprise Architecture.” Eighth IEEE International
Enterprise Distributed Object Computing Conference: pp. 201-211.

Trbojevic, V.M. and Carr, B.J. (2000). “Risk based methodology for safety
improvements in ports.” Journal of Hazardous Materials 71: pp. 467-480.

Winter, R. and Fischer, R. (2006). “Essential Layers, Artifacts, and Dependencies of

Enterprise Architecture.” Enterprise Distributed Object Computing Conference
Workshops, 2006. 10th IEEE International EDOCW: pp 30ff.

Zachman, J.A. (1997). “Enterprise Architecture: The Issue of the Century.” Database
Programming and Design Magazine, Issue March 1997.

Zuijderduijn, C. (2000). “Risk Management by Shell Refinery/Chemicals at Pernis,

The Netherlands.” EU Joint Research Centre Conference on Seveso II Safety Cases,
Athens.