Risk-Based Security; Getting on With It

There has been much talk about risk-based security (RBS) in aviation security circles over the last six years, but do we have a common understanding of what it means?

The International Civil Aviation Organization (ICAO) Aviation Security Panel Working Group on Threat and Risk has been focused on this very question, attempting to identify a common equation for calculating risk across ICAO Member States, and mapping out ways to most effectively deploy countermeasures (ICAO Risk Contexts).

Getting dozens of states to agree on a common approach at the international level will take time. In the meantime, airlines and airports around the world – or governments at the national level – can already create security strategies that effectively incorporate risk analysis into day-to-day operations.

Risk-Based Security, the US Model

For the US Transportation Security Administration (TSA), RBS means investing your security resources in a manner that most effectively and efficiently limits residual risk (TSA Risk Based Security Successes and Challenges). Put another way, if I have one unit of currency, how do I invest it to best limit the chances of an attack and/or ensure an effective response in its aftermath?

The term RBS is not to be confused with Risk-Based Passenger Screening, the process of differentiating passenger screening practices based on real-time screening tactics, rules, and/or individual passenger risk scores. Sure, Risk-Based Passenger Screening is an RBS approach, but it’s one of many.

There are two schools of thought on RBS (put in very basic terms!):

The Risk Modelers

This camp is committed to the idea that robust risk models and empirical analysis will help us identify effective countermeasures and how to best deploy them.

Strength: When looking at budgets (or Congress), decision-makers like quantifiable models. They help us answer the question as to why screening is less robust in a small airport between two cornfields. A risk model is likely to help us stop a less-skilled adversary, given that decision-making is based on a threat calculation incorporating past events.

Weakness: Unlike safety, aviation security risk is non-linear. If you look back at major aviation security-related incidents over the past 30 years (e.g. 9/11), most tactics were not incorporated into risk models given the tactics had never been used before. Put another way, risk models do not consider a Black Swann event, something that “comes as a surprise, has a major effect, and is often rationalized after the fact with the benefit of hindsight.” (Taleb, Nassem Nicholas. The Black Swan: The impact of the highly improbable)

The Black Swann Believers

This side feels that we shouldn’t spend much time on complex risk models, as predictions based on historical events are irrelevant. In their view, resource allocation decisions should be made based on security effectiveness and efficiency data (where available), and should emphasize the detection of intent, as opposed to objective risk – given we might not know what future events may entail.

Strength: This approach focuses on innovative and skilled adversaries, who are likely to get around existing security measures. Moreover, focusing on intent and unpredictability, rather than objects, enhances the odds of finding the bad guy with a new tactic – irrespective of what he may be using in his/her attempt to wreak havoc.

Weakness: Deploying intent-based measures, like behavior detection systems, is difficult. It’s hard to solidify metrics around the number of behavior detection officers required to stop the bad guys. In addition, relying too heavily on to an approach that focuses on intent and unpredictability, and which may ignore past modi-operandi, runs the risk of missing the copy-cat.

What’s the best approach? A mix of the two, coupled with solid intelligence integration between government partners.

Aviation security operators have an opportunity to build risk models that incorporate threat, vulnerability, and consequence, and which effectively counter known attack paths… but they shouldn’t get too wrapped around the axle. In addition to ongoing risk assessments, operators should place some of their eggs in the behavior detection, data analysis, and unpredictability baskets, designed to deter or detect a bad guy who has mastered a new technique.

An Israeli colleague once made a clear distinction between the Israeli approach to aviation security, and the approach of the rest of the world: Israel has built their technology and screening system around a strong human factor (i.e. behavior detection), while the rest of the world is trying to fit the human factor on top of the technology. When pushed as to how Israeli operators “prove” the effectiveness of intent-based measures like behavior detection, the response is that they don’t have to prove it; they believe it. Put another way, human interaction as a key screening measure does not need to be justified.

Combining a proper risk model with a belief in intent-based approaches could very well represent the right RBS model.  Now, let’s get on with it.