PASSENGER STATION AND TERMINAL DESIGN FOR SAFETY,...

Date post: 07-Oct-2020
Page 1: PASSENGER STATION AND TERMINAL DESIGN FOR SAFETY, …securestation.group.shef.ac.uk/documents/securestation_d3_1.pdf · Date: 29/11/2011 Document ID: SECEST -WP3.1 MTR D3.1 PU v1.0

Date: 29/11/2011

Document ID: SECEST-WP3.1-MTR-D3.1-PU-v1.0

Revision: 1.0

D3.1 - Evaluation report of the existing risk assessment methodologies and SECURESTATION methodology

This project has been carried out under a contract awarded by the European Commission. No part of this report may be used, reproduced and/or disclosed in any form or by any means without the prior written permission of the SECURESTATION project partners. © 2011 – All rights reserved

PASSENGER STATION AND TERMINAL DESIGN FOR SAFETY, SECURITY AND RESILIENCE TO TERRORIST ATTACK

Project nº: FP7-SCPO-GA-2011-266202

Funding Scheme: CP – Collaborative Project

Call (part) identifier: FP7-SST-2010-RTD-1

D3.1 – EVALUATION REPORT OF THE EXISTING RISK ASSESSMENT METHODOLOGIES AND SECURESTATION METHODOLOGY

Due date of deliverable: 30/11/2011

Actual submission date: 15/10/2011

Start date of project: 01/06/2011

Duration: 36 months

Organisation name of lead for this deliverable: MTRS3 Ltd.

Contributors: ATM, InteCo, Isdefe, Heuristics, CRTM

Revision: 1.0

Project co-funded by the European Commission within the Seventh Framework Programme (2007-2013)

Dissemination Level

PU Public X

PP Restricted to other programme participants (including the Commission Services)

RE Restricted to a group specified by the consortium (including the Commission Services)

CO Confidential, only for members of the consortium (including the Commission Services)

Document Change Log

| Revision | Edition Date | Author | Modified Sections / Pages | Comments |
|---|---|---|---|---|
| 0.4 | 19/09/2011 | Paul Abbott | Chapter 2, all | Comments on chapter 2 (scenario definitions) and overall review |
| 0.6 | 15/10/2011 | Dr. Antonio Lancia | Definitions, Glossary, Chapter 3 & 5 | Comments on definitions, glossary and chapters 3 & 5 |
| 0.7 | 14/11/2011 | Gilad Rafaeli | Chapter 7 | Comments on chapter 7 (recommendations) |
| 0.8 | 27/11/2011 | Dr. Jonathan Paragreen | All | Overall review and proofread |
| 0.9 | 28/11/2011 | Dr. Rodica Hrin | All | Overall review and proofread |

TABLE OF CONTENTS

1. INTRODUCTION
1.1. Background
1.2. Purpose and Scope
1.3. Document Structure
1.4. Applicable and Reference Documents

2. SCENARIO DEFINITIONS
2.1. Threat scenarios definitions
2.2. Conclusions

3. QUALITATIVE METHODOLOGIES
3.1. Security Risk Assessment Framework
3.2. COUNTERACT – Generic Guidelines for Conducting Risk Assessment in Public Transport Networks

4. PARTIAL QUANTITATIVE METHODOLOGY
4.1. FEMA – Risk Management Series
4.2. EUMASS – Mass-Transit System Security Risk Assessment and Audit Methodology

5. QUANTITATIVE METHODOLOGY
5.1. Blue Ribbon Panel (BRP) and the US Federal Highway Administration (FHWA)
5.2. Sandia Laboratories – A Risk Assessment Methodology (RAM) for Physical Security

6. COST-EFFECTIVE RESPONSES TO TERRORIST RISKS IN CONSTRUCTED FACILITIES
6.1. Introduction
6.2. Methodology and Process
6.3. Summary – Cost - Effective Responses to Terrorist Risks in Constructed Facilities

7. RECOMMENDATIONS FOR THE SECURESTATION METHODOLOGY
7.1. General Requirements for the SECURESTATION Methodology
7.2. Recommended Features of the SECURESTATION Methodology
7.3. SECURESTATION Benchmark Methodology

LIST OF FIGURES

Figure 1: Threat evaluation process
Figure 2: Threat assessment process
Figure 3: Vulnerability assessment outcomes
Figure 4: Operational diagram matrix
Figure 5: Risk matrix filled with risk categories
Figure 6: Vulnerability assessment matrix
Figure 7: Asset value scale and description
Figure 8: Event profiles for terrorism and technological hazards
Figure 9: Threat analysis factors
Figure 10: Facilities inherent vulnerability assessment matrix
Figure 11: Standard chart for security measures selection
Figure 12: Risk assessment screening matrix
Figure 13: Risk management cycle
Figure 14: Risk assessment components
Figure 15: Weights to compute Importance Factor (IF value)
Figure 16: Weights to compute Occurrence Factor (OF value)
Figure 17: Weights to compute Vulnerability Factor (VF value)
Figure 18: Final ranking scores
Figure 19: Cost benefit analysis of mitigated projects
Figure 20: Order and sequence of the risk assessment methodology
Figure 21: Top level generic fault tree
Figure 22: Estimating likelihood of attack, PA
Figure 23: Design and evaluation process outline
Figure 24: Classification of hazards by responsiveness to mitigation
Figure 25: Overview of the cost-accounting framework: dimensions and cost types

LIST OF TABLES

Table 1: Probability of occurrence matrix
Table 2: Impact / severity assessment matrix
Table 3: Risk assessment matrix
Table 4: Risk management actions
Table 5: Comparison parameters for choosing the type of benchmark methodology

LIST OF ACRONYMS

AASHTO: American Association of State Highway and Transportation Officials
APTA: American Public Transportation Association
BRP: Blue Ribbon Panel
BTN: Backbone Transmission Network
CBA: Cost/Benefit Analysis
CBRNE: Chemical, Biological, Radiological, Nuclear, Explosive
CCTV: Closed Circuit Television
CFD: Computational Fluid Dynamics
CONOP: Concept of Operations, Operational Concept
COTS: Commercial Off-The-Shelf
COUNTERACT: Cluster Of User Networks in Transport and Energy Relating to Antiterrorist ACTivities
CPTED: Crime Prevention Through Environmental Design
DBT: Design Basis Threat
DfT: Department for Transport
DHS: Department of Homeland Security
DOD: Department of Defence
DOE: Department of Energy
DOT: Department of Transport
FEMA: Federal Emergency Management Agency
HAZMAT: Hazardous Materials
IED: Improvised Explosive Device
IID: Improvised Incendiary Device
IM: Infrastructure Manager
ISO: International Standards Organization
IT: Information Technology
NIBS: National Institute of Building Sciences
NIST: National Institute of Standards and Technology
OCC: Control Facility / Operations Control Centre
PBIED: Person Borne IED
PIH: Poisonous by Inhalation
PTA: Public Transport Authority
PTO: Public Transport Operator
RU: Railway Undertaking
SCC/SPC: Security Control Centre / Security Operations Centre
SEST-RAM: SECURESTATION Risk Assessment Methodology
SMS: Safety Management System
SoA: State of the Art
TIM: Toxic Industrial Materials
TSA: Transportation Security Administration
TVRA: Threat, Vulnerability and Risk Assessment
UIC: Union Internationale des Chemins de fer / International Union of Railways
UITP: L'Union internationale des transports publics / International Public Transport Organisation
VBIED: Vehicle Borne IED
WMD: Weapons of Mass Destruction

LIST OF DEFINITIONS

Access Control: A system of technical means, personnel and procedures, which enables an organisation to control access to areas and resources in a given physical facility or computer-based information system. It has 3 essential functions: entitlement check, identification and documentation of the persons entering a certain controlled access area.

Accident: A specific, unpredictable, unusual and unintended incident, which occurs in a particular time and place with no immediately apparent and deliberate cause but with marked effects and, generally, negative outcome. See also Incident.

Actor: Any person or group of persons who interacts with a system / procedure, in the particular case of a public transport system.

Aggressor: Any person seeking to compromise a function or structure.

Antiterrorism: Defensive measures used to reduce the vulnerability of individuals, forces, and property to terrorist acts.

Assessment: The process of acquiring, collecting, processing, examining, analysing, evaluating, monitoring, and interpreting the data, information, evidence, objects, measurements, images, sound, etc., whether tangible or intangible, to provide a basis for decision making.

Asset: Any person, part or feature of a system that has a value such as physical assets, human assets, soft assets (i.e., knowledge, experience) and information assets.

Attack: A hostile action resulting in the destruction, injury, or death to the civilian population, or damage or destruction to public and private property.

CBRN devices: Devices of Chemical, Biological, Radiological, Nuclear nature, which may require special response like post-incident decontamination of people and/or assets. In particular:

Chemical: dispersion of toxic chemical agents or toxic industrial materials (TIM) by non-military means, many with little or no clearly evident characteristics. Symptoms (e.g., passengers collapsing) may be the first indication of an attack.

Biological: dispersion of disease-causing living organisms or replicating entities (viruses) that reproduce or replicate within their host victims and used to kill or incapacitate humans, animals or plants.

Radiological: radioactive and/or radio-toxic material spread, usually through the detonation of conventional explosives, in the form of an IED or VBIED – as a 'dirty bomb'.

Nuclear: device aiming at a nuclear explosion and the consequent thermal and radiation effects; a weapon of mass destruction potentially requiring a national or multinational level response.

Head of Security / Director of Security / Security Manager: An individual responsible for the overall security management and preparedness of a public transport operator / infrastructure manager (PTO/IM) whose functions are usually identified in a security plan.

Closed circuit television (CCTV): An electronic system of cameras, control equipment, recorders, and related apparatus used for surveillance or alarm assessment.

Consequence: The outcome of an event which has an effect on objectives. A single event can generate a range of consequences, which can have both positive and negative effects on objectives. Initial consequences can also escalate through knock-on effects.

Contamination: The undesirable deposition of a chemical, biological, or radiological material on the surface of structures, areas, objects, or people.

Control: Any measure or action that modifies risk. Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk. Risk treatments become controls, or modify existing controls, once they have been implemented.

Controlled area: An area into which access is controlled or limited. It is that portion of a restricted area usually near or surrounding a limited or exclusion area. Correlates with exclusion zone.

Counterterrorism: Offensive measures taken to prevent, deter, and respond to terrorism.

Crime: Any act or commission of an act that is forbidden, or the omission of a duty that is commanded by a public law and that makes the offender liable to punishment.

Crime Prevention Through Environmental Design (CPTED): A multi-disciplinary approach to limit the opportunities for crime by focusing on design and the creation of an environment not tolerating crime.

Crisis: A situation, derived from natural or man-made causes, which has the potential to compromise the safety (physical, economic, environmental etc.) of an individual, a group, a community or the whole society. A crisis usually triggers particular modes of governance, typically described with the terms crisis (or emergency) management (or response).

Crisis Management Group: A group convened when a crisis occurs to provide strategic decision making and co-ordination both within the organisation and with relevant external organisations e.g. police and government agencies.

Critical Asset: An asset (human or material) the loss, denial or damage of which would substantially compromise the main functions of the system / organisation.

Critical infrastructure: Assets, systems, and networks, whether physical or virtual, so vital to the nation that the incapacitation or destruction of such assets, systems, or networks would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Cyber Attack: Damage, unauthorized use, exploitation or destruction of electronic information by means such as viruses, worms, Trojan horses, phishing, denial of service (DoS) attacks, unauthorized access and control system attacks.

Cyber Security: All means for protection against cyber-attacks, e.g. firewalls, anti-virus SW, intrusion detection and prevention systems, encryption etc.

Decontamination: The reduction or removal of a chemical, biological, or radiological material from the surface of a structure, area, object, or person.

Design Basis Threat (DBT): A set of assumptions regarding threats (number of adversaries, their modus operandi, the type of tools and weapons etc.), against which security systems / measures should be planned, designed and implemented.

Emergency: An unforeseen or unplanned situation that has implications for the safety of persons and for assets and requires immediate attention.

Emergency Operating Procedure (EOP): A pre-planned documented arrangement for managing or executing a set of actions in an emergency situation to ensure the safety of the people and a pre-identified level of operations and/or services.

Emergency Services / First Responders: The fire, police or ambulance services where an incident occurs, excluding any PTO/IM's internal security forces.

Event: Could be one occurrence, several occurrences, or even a non-occurrence (when something doesn't happen that was supposed to happen). It can also be a change in circumstances. Events always have causes and usually have consequences. Events without consequences are often referred to as near-misses, near-hits, close-calls, or incidents.

Explosive device: Device, comprising explosive (or explosive components) and a detonator, designed to cause an explosion. Explosive devices include military ordnance, civil and industrial devices as well as improvised devices (IED) meant to be used for terrorist or criminal acts.

Explosive Ordnance Disposal (EOD): Actions performed by specialists to neutralise devices such as IEDs, IIDs or VBIEDs (see below).

Functional Requirements: A set of functionalities needed and / or expected from a product or a service under development or procurement. Alternatively referred to as 'user requirements'.

Functional Specification: The breakdown, quantification and association of the system's functional requirements to the main system's functional components.

Functionality: The ability to perform a certain function; function is an action or use for which something is suited or designed.

Guideline: A non-specific rule or principle that provides direction to action or behaviour; a plan or explanation in setting standards or determining a course of action; any document that aims to streamline particular processes according to certain rules and/or aims to achieve set objectives. Guidelines are adhered to voluntarily and are never mandatory.

Hazard: A situation that can be a source / cause of harm to life, health, property, or environment; hazards are normally dormant, i.e. they represent a potential harm; a hazard can materialise through an incident (active hazard) that actually causes harm.

Hazardous Materials (HAZMAT): Solids, liquids, or gases that can harm people, other living organisms, property, or the environment, including materials that are radioactive, flammable, explosive, corrosive, oxidizing, asphyxiating, bio-hazardous, toxic, pathogenic, or allergenic. They are grouped by class, e.g., Class 1 Explosives, and identified by a United Nations number, e.g., 1005 Anhydrous Ammonia.

Hijack: The act of taking control of a vehicle (at land, sea or air) for terrorist or criminal purposes. The use of the term hijack has been extended to the virtual world (hijack a computer system, hijack someone's identity etc.).

Immediate Actions (IAs): Pre-planned actions taken immediately by the operational staff concerned in an emergency or when an incident occurs and before, if notified, the arrival of emergency services or other responding organisations.

Impact: The consequences of an incident – harm to persons, physical damages, direct and indirect costs like damage of reputation or perception of security.

Improvised Explosive Device (IED): An explosive device produced using available materials, e.g., timing devices, means of detonation, explosives (commercially available or improvised, i.e., 'home made') and articles, such as nails for additional impact. IEDs may use components of military explosive articles and also contain incendiary materials. Initiation may involve a remote controlled device or timer mechanism.

Improvised Incendiary Device (IID): A device produced from available flammable materials, intended to set fire to the target and cause serious damage from the heat and the dense and toxic fumes produced. An IID may be initiated manually on site, e.g., a Molotov cocktail, by a timer mechanism or a remote controlled device. An IID may be combined with an IED.

Improvised Radiological Device (IRD): A device intended to spread radioactive material, most commonly the spent fuel from nuclear power plants or radioactive medical waste, usually by conventional explosives, with the intention to harm, kill and/or cause major disruption. Also known as a dirty bomb. It is not a nuclear weapon as it does not involve a nuclear explosion.

Incident: Something that has happened and is likely to lead to some consequences. It includes events of both internal and external causes, deliberate or accidental and not necessarily of negative consequences. In that sense, it is a more general term than accident.

Incident level: Ranking of incidents in terms of potential severity for command, control and response purposes typically as follows:

Level 1 - Incidents that do not affect the safety of people, system assets and operational capability.

Level 2 - Incidents affecting assets and operations in one or more stations, other facilities or line of route but not constituting a serious threat to people.

Level 3 - Incidents that result in casualties and/or significant traffic disruption or damage to the system's assets.

Level 4 - Crises involving multiple casualties and destruction/denial of critical assets (human, vehicles, facilities and other infrastructure) hence compromising the main functions and operations of the system.

Incident response plan: A plan detailing the response to an incident or an emergency situation.

Intrusion detection systems

Sensor based (optical, microwave, vibration etc.) systems designed for the detection (and consequent alarm) of intruders crossing a perimeter or entering a protected area; they can be classified in perimeter protection systems (along fences, open spaces, etc.) or built spaces (home or industrial burglar alarm systems).

K9 K9 or K-9 is an abbreviation and homophone of 'canine', and refers to the use of police dogs such as those used for bomb or drug sniffing.

Lead person (LP) An identified qualified person appointed in an organisation with responsibility for the overall on-site incident command and control of their response (may also be referred to as “Emergency Management Coordinator”).

Level of risk Risk magnitude. It is estimated by considering and combining consequences and likelihood. A level of risk can be assigned to a single risk or to a combination of risks. A consequence is the outcome of an event and has an effect on objectives. Likelihood is the chance that something might happen.

Likelihood The chance that something might happen. Likelihood can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics).

Mitigation Activities providing a critical foundation in the effort to reduce the loss of life and property from natural and/or manmade disasters by avoiding or lessening the impact of a disaster.

Operations Concept (CONOP)

A written document describing an overall picture of an operation or series of operations, frequently embodying operational strategies, methods, principles, plans and policies, as well as organisation and command structures. It identifies connected or separate operations to be carried out simultaneously or in succession, by the entire organisation or by one or more of its operational bodies.

Perimeter security A system of technical means, personnel and procedures aiming to ensure that nobody enters (or exits) a defined area except through the controlled access points. It has three essential functions: Deter, Delay (or deny) and Detect (& document) any intrusion, sometimes referred to as 3D.

Personal Protective Equipment (PPE) Protective clothing, helmets, goggles, other garments or equipment designed to protect the wearer's body from injury due to blunt impact, electrical hazards, heat, chemicals, and infection.

Poisonous by Inhalation (PIH)

A gas that is (or is presumed to be) toxic to humans to a degree posing a hazard to their health if inhaled even in minute concentrations.

Privacy The quality or state of being secluded from company or observation.

Probability of Attack / Probability of Occurrence

The probability of a threat materialising. The probability of a certain incident occurring.

Protective measures Elements of a protective system that protect an asset against a threat. Protective measures are divided into defensive and detection measures.


Protective system An integration of all of the protective measures required to protect an asset against the range of threats applicable to the asset.

PTZ cameras Cameras that have the capacity to pan, tilt and zoom, usually in remote control but sometimes also in automatic mode.

Public area Areas that are meant to be accessible to the general public; these can be of free or limited access; in the latter case access control is generally limited to entitlement (i.e. control for a ticket or an access/travel card but not identity control).

Public entity Entity / body / organisation not necessarily of public (state) ownership but of public character (i.e. serving the public or ensuring a public function).

Public infrastructure All infrastructures (i.e. equipment, constructions and areas) that are meant to be at the service of the general public rather than the various specific actors or professionals

Residual risk The risk left over after you've implemented a risk treatment option. It's the risk remaining after you've reduced the risk, removed the source of the risk, modified the consequences, changed the probabilities, transferred the risk, or retained the risk.

Risk The potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome) - according to ISO31000. Or: Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73). In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside). Risk Management is increasingly recognised as being concerned with both positive and negative aspects of risk. Or: Risk is the threat that an event or action will adversely affect an organisation's ability to achieve its objectives and to successfully execute its strategies.

Risk (Security) The degree of exposure to a threat. The risk increases with the potential impact and the probability of a threat materialising. Risk is measured in escalating categories.

Risk assessment / analysis

A step in a risk management procedure: the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat (or hazard). Quantitative risk assessment requires calculations of two components of risk (R): the magnitude of the potential loss (L) and the probability (P) that the loss will occur. Qualitative risk assessment is usually performed where statistical data for a quantitative assessment are missing. It usually involves the use of score matrices.

Risk assessment policy Guidelines for value judgment and policy choices, which may need to be applied at specific decision points in the risk assessment process.

Risk Based Approach A security risk management approach, based on categorisation of the risk level following a risk assessment, selection of risk mitigation safeguards based on cost-benefit considerations, operational and technical feasibility, and accepted risk management strategies.


Risk estimation Risk estimation (ISO/IEC Guide 73) can be quantitative, semi-quantitative or qualitative in terms of the probability of occurrence and the possible consequence. For example, consequences both in terms of threats (downside risks) and opportunities (upside risks) may be high, medium or low. Probability may be high, medium or low but requires different definitions in respect of threats and opportunities of risks.

Risk evaluation A process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.

Risk identification Sets out to identify an organisation's exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives (ISO/IEC Guide 73).

Risk Management The identification, assessment, and prioritization of risks followed by coordinated and efficient application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

Risk management plan An organization's risk management plan describes how it intends to manage risk. It describes the management components, the approach, and the resources that will be used to manage risk. Typical management components include procedures, practices, responsibilities, and activities (including their sequence and timing). Risk management plans can be applied to products, processes, and projects, or to an entire organization or to any part of it.

Risk management policy

Defines a general commitment, direction, or intention. A risk management policy statement expresses an organization's commitment to risk management and clarifies its general direction or intention.

Risk management process

A process that systematically applies management policies, procedures, and practices to a set of activities intended to establish the context, communicate and consult with stakeholders, and identify, analyse, evaluate, treat, monitor, and review risk.

Risk owner A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so.

Risk treatment The process of selecting and implementing measures to modify the risk. Risk treatment includes as its major element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.

Sabotage Tampering intended to undermine the integrity of systems with the objective of causing damage to assets, and/or harm to humans, and disrupting routine operations; e.g. causing derailment, interfering with signalling, power supply or communications systems.


Safety The state of being free of risk or danger (natural or accidental); being in control of recognised hazards and reducing risk of harm or damage as low as reasonably practicable. The term 'safety', when used as an attribute, encompasses all measures, actions or systems aiming at ensuring the state of safety.

Safety incident An accidental event, of internal or external causes, that is likely to lead to some negative consequences and compromise safety.

Safety Management System (SMS)

Documented arrangements/process identifying an organisation's safety policy, the means of achieving and maintaining defined safety targets, the distribution of roles and responsibilities and the response to incidents and investigation. For main line railways, under Directive 2004/49/EC (Safety Directive), an SMS is a fundamental operational requirement.

Security The degree of protection against intentional danger, damage or loss. Or: The set of means / actions through which safety is ensured, in particular against intentional threats. Thus, the term 'security' encompasses all measures, actions or systems aiming at preventing intentional threats from compromising safety.

Security Incident Deliberate act intended to harm and injure, damage equipment and infrastructure, disrupt operations and compromise safety.

Security Master Plan A document defining the overall roles, responsibilities and management arrangements of a security organisation.

Security officer Person responsible for security within an organisation or facility. The functions of the security officer are usually prescribed within a security plan; sometimes referred to as head of security / security director.

Security Plan A document, usually the outcome of a security risk assessment, defining the management chain and responsibilities in relation to security and detailing the measures (protective and reactive) such as procedures, systems, methods and staff, implemented at a particular facility or organisation for its protection against security threats and in response to security incidents.

Security Regulator (Security Regulating Body)

A public entity, governmental or recognised by government, responsible for defining statutory security requirements and for ensuring their application.

Security Risk Assessment

A process used to systematically analyse potential threats to a specific target. The process includes identifying and classifying assets by their criticality; the analysis of a range of potential threats and their probability of being realised, and their potential impact. A vulnerability assessment may be performed as part of a risk assessment.

Security Risk Management

The process of identifying security risks and selecting and implementing mitigating safeguards, based on risk management strategies.

Security Threat The expression of intention (or perception of a possible intention) to provoke a security incident, i.e. to harm or injure, damage equipment and infrastructure, disrupt operations etc. Security threats may materialize into security incidents that are a concern for safety.


Sensitive Security Information (SSI)

Information relating to security activities that is sensitive yet unclassified, the public disclosure of which may harm public transport system security, cause invasion of privacy or reveal trade secrets, privileged or confidential information.

Site (of an incident) The area within which the response to an incident is managed.

Standard Operating Procedure (SOP)

A pre-planned documented arrangement for safe and effective management of a task.

Surveillance Observation from a distance, usually by means of electronic equipment (such as CCTV cameras) or, sometimes, by no- or low-technology methods such as human agents.

Tactics The deployment and directing of resources on an incident to accomplish the objectives designated by strategy.

Terrorism The intentional and unlawful use of force / violence, deliberately targeting or disregarding the safety of civilians with the intention of inflicting significant harm to persons and/or damage to property; causing panic and fear; intimidating or coercing a government or a civilian population to further a religious, political or ideological goal.

Threat (Specific) A threat, which may give a time, directed at a specific target, e.g., a train, station or other asset and which may relate to the use of any type of IED, IID, VBIED, CBRN devices or the use of firearms. Specific threats may or may not result in an actual incident, but can involve serious operational disruption, safety and cost issues.

Threat analysis A continual process of compiling and examining all available information concerning potential threats and human-caused hazards. A common method to evaluate terrorist groups is to review the factors of existence, capability, intentions, history, and targeting.

Threat Level / Advised Threat Level

The 'advised threat level' or 'background' threat level, defined by a government agency.

Threat, Vulnerability and Risk Assessment (TVRA)

The process of risk assessment, disassembled into its independent or dependent processes.

Toxic Industrial Materials (TIM)

A general description of any substance that is poisonous or harmful to humans, animals, plant life or the environment.

User Requirements A set of needs and / or expectations of the user(s) from the product, system or service under development. The term 'users' encompasses any citizens, businesses or public authorities that might use the final product, system or service.

Vehicle Borne Improvised Explosive Device (VBIED)

An IED carried by a vehicle – usually containing a large amount of explosives, intended to cause maximum casualties and damage.

Vulnerability A weakness, e.g. in physical structures, personnel protection systems, process or other areas that may be exploited by adversaries. Or: the probability or likelihood that an attack is successful in causing the intended consequences.

Vulnerability assessment

Any review, audit, or other examination of the security of a public transport infrastructure asset to determine its vulnerability to unlawful interference, whether during conception, planning, design, construction, operation, or decommissioning. Or: evaluating the probability or likelihood that an attack is successful in causing the intended consequences.

1. INTRODUCTION

1.1. Background

SECURESTATION wishes to develop a risk assessment methodology for public transport passenger terminals. This element is included in the work content of the project, which focuses on evaluating existing risk assessment methodologies and choosing the one that will serve as a benchmark for the methodology that will be developed and updated within the framework of the project.

1.2. Purpose and Scope

This document has three purposes:

To define threat scenarios

To review and analyse existing qualitative, semi-quantitative and quantitative risk assessment methodologies

To select the methodology that will serve as a benchmark for development within the framework of WP 3.2 – "SECURESTATION Methodology for Risk Assessment at Public Transport Terminals".

1.3. Document Structure

This document consists of four main parts:

Definition of the scenarios and the design basis threats for the project.

Review and analysis of qualitative, semi-quantitative and quantitative risk assessment methodologies.

Review of cost-effective responses to terrorist risks in constructed facilities

Selection of the benchmark methodology that will be developed within the framework of WP 3.2 – "SECURESTATION Methodology for Risk Assessment at Public Transport Terminals".

1.4. Applicable and Reference Documents

R[1] Asset evaluation process by Allan R. Hunt and Karl Kellerman, Security Risk Assessment Framework. US, 2000. Available at www.akelainc.com

R[2] COUNTERACT / PT4: Generic Guidelines for Conducting Risk Assessment in Public Transport Networks; COUNTERACT D3a-n; SSP4/2005/TREN/05/FP6/SO7.48891; March 2009. Available at http://www.uitp.org/knowledge/projects-details.cfm?id=433

R[3] Reference manual to mitigate potential terrorist attack against buildings FEMA (Federal Emergency Management Agency) – Risk Management Series, US, 2003

R[4] Recommendations for bridge and tunnel security. The Blue Ribbon Panel on Bridge and Tunnel Security, AASHTO, US, September 2003

R[5] Sandia laboratories - a risk assessment methodology (RAM) for physical security, 2000

R[6] U.S. Department of Commerce, Technology Administration, National Institute of Standards and Technology - Robert E. Chapman and Chi J. Leng - Cost-Effective Responses to Terrorist Risks in Constructed Facilities, March 2004

R[7] EN50126 - The specification and demonstration of reliability, availability, maintainability and safety

R[8] SECUR-ED, D21.1 – Public Transport Security Terminology & Definitions

R[9] Estimate of Adversary Sequence Interruption (EASI), Garcia 2001


2. SCENARIO DEFINITIONS

The scenario definition aims to create a list of potentially dangerous situations that operators may face.

Defining scenarios enables the analysis of threats from various reference points, such as: place, time, strategy used, possible consequences, impact on assets, tools utilised, relation with mass media, possible association with other scenarios, etc.

The selection process of the scenarios was divided into three phases:

(1) Generation phase, in which a list of scenarios has been compiled, taking into account (i) incidents that had happened in the past; (ii) partners' ideas; and (iii) threats identified in previous other European projects, such as EUMASS, PROTECTRAIL, COUNTERACT and SECUR-ED.

(2) Weighting phase, in which each and every threat identified/suggested by the partners was weighted, its individual qualitative-quantitative characteristics were considered, and the concrete conditions under which each threat may or may not materialise into an actual incident were studied.

(3) Selection and classification phase, which commenced after all the scenarios had been listed and thoroughly analysed. In this phase, the partners arranged the scenarios by priority and assigned each a colour reflecting the level of the hazard presented by the single threat (red, yellow or green). This degree was assigned to the threat based on the partner's assessment of its priority. Additionally, another degree was assigned to the threat, taking into consideration its relevance for the asset “station”.

The result of all this data reflects the “weight” of each threat in relation to the asset "station". Taking into account all these considerations, the scenarios were classified into categories of threats, which are described below, taking into account all relevant elements. The contribution of SECURESTATION's partners to the definition of the threat scenarios was crucial.

Execution of each of the various defined scenarios will depend on a variety of circumstances such as the intended impact and may involve professional criminals, terrorist groups, organised gangs or individuals. All will involve cost implications for PTOs. Planning and execution may involve:

Access to specialised resources (equipment, knowledge, people etc)

Accomplices providing 'insider' knowledge

Targeting symbolic/religious targets

2.1. Threat scenarios definitions

2.1.1. Dispersion of CBRN materials

Using weapons of mass destruction, the intention is to cause the greatest number of casualties and instil panic among the population, and cause massive damage resulting in significant downtime and economic losses. Large, central and crowded stations are the most attractive targets for this threat, which involves the entire station, including above-ground and underground areas. The attack must be well organised, taking into account numerous aspects: tools, location, time, number of potential victims involved, etc. It is not necessary for the terrorist planting the bomb to remain present inside the station to activate it.

2.1.2. VBIEDs (Vehicle Borne Improvised Explosive Devices) with remote / time operated mechanism

This scenario involves the use of a vehicle packed with explosives, usually improvised, and additional IED components (detonator, etc.). The size of the vehicle and the characteristics of the target of the attack (size, construction materials used, etc.) would determine the quantity of explosives used. 250 kg of explosives would cause a large number of casualties and heavy damage, while 500 kg could destroy bridges or viaducts.

The vehicle may approach the entrance of the station, park near the station wall (in which case it will be activated by a remote control device) or be crashed into the building by a suicide driver.

2.1.3. IEDs carried by a suicide bomber on his person

In most cases, suicide bombers use improvised explosive devices (IEDs), which they carry either on their person in the form of a suicide vest or belt or in a bag, satchel, etc. A suicide bomber can carry an explosive device weighing up to about 15 kg without arousing attention, and will aim to detonate it where and when the blast is likely to produce the greatest number of casualties and maximum damage. This will most likely be a crowded location, within a closed part of the station – where the effects of the blast shock wave would be greatest. The location would preferably be near large windows producing glass shards causing additional damage. The suicide bomber will detonate the device during peak hours involving the largest number of people.

2.1.4. Planted IEDs (Improvised Explosive Devices)

Improvised explosive devices, particularly relatively small ones, can be easily carried in a bag or rucksack. They are planted in advance by the attacker in a location where they are less likely to be detected, yet in a crowded area of the station – for example, underneath a bench, or in a location where they would cause maximum damage and are remotely operated or triggered by a particular event. The type of explosive material usually used is TNT, and the maximum weight of such a bag being carried unnoticed would depend on the person carrying it (a strong man would be able to carry a heavier device without appearing to be carrying a suspiciously heavy bag). At times, anonymous calls are made to the station in such cases, announcing that a bomb has been planted.

2.1.5. Dispersion of PIH (Poisonous by Inhalation) substances

This kind of attack involves dispersing poisonous substances with the intention of killing people. The worst case scenario would be an attack in which PIH is widely dispersed through the ventilation system of the station. In such a case, the number of casualties is likely to be extremely high, if the attack is carried out during peak hours. The toxic materials may be of industrial origin – which are legal and easy to find. Bacteria or viruses could also be used in this type of attack, although they would be harder to acquire.

2.1.6. Flooding

Flooding may be caused when the attacker deliberately damages the station's or a related water system. Flooding damages equipment and is likely to cause disruption of services, and in extreme cases – even death by drowning.

2.1.7. Cyber attack

Cyber attack can take two forms:

(1) Hacking and crashing the computer system;

(2) Taking control of the computer system in order to disrupt its operation.

Terrorists may take control of the system to: (i) Attack mission critical systems (telecom and signalling), in order to cause train collision, derailment or disruption of services; (ii) Deliberately destroy critical mission and information systems; (iii) Infiltrate critical information systems; (iv) Hack IT systems (to carry out identity theft, abuse access privileges, manipulate the configuration of software applications, intercept information); (v) Inject malware (viruses, spyware, worms, etc.).

2.1.8. Attack on mission critical systems

Attacks on mission critical systems may be carried out in a number of ways:

Physical or cyber attack on communications systems

Electronic attack using one computer system against another

Armed assault, hostage or barricade situation


Explosive device planted near or in the OCC

Eavesdropping using phones and hand-held radios or planting bugs.

This kind of attack is not directed at stations per se, but it may entail consequences at one or more stations, indirectly causing casualties, damage and traffic disruption.

2.1.9. Arson

In the most severe cases of arson, the intent is to cause multiple casualties as well as extensive damage, and to shut down service at the station for an extended period of time. In less severe cases, such attacks are intended to cause damage only, and are committed when the station is closed and empty. In least severe cases, the arsonist is only interested in drawing attention to his cause, in which case the attack may also be considered as a form of vandalism.

The fire may be started through contact, by using a remote control device, or remotely by a projectile.

2.1.10. IIDs (Improvised Incendiary Devices)

This type of attack is carried out using an improvised incendiary device in the station, for example, one consisting of 1,5L of gasoline – which is readily accessible – in a PVC bottle. When such an attack takes place in a crowded station it may cause heavy damage and also casualties harmed by fire and smoke. To maximize the number of casualties, an attacker will prefer peak hours.

2.1.11. Attacks using assault rifles and grenades

This scenario involves the use of firearms and grenades against passengers in the station and trains, with the aim of causing the largest amount of casualties; therefore, peak hours are the preferred time for such attacks. Damage is also caused, though it is not as severe as when IEDs are detonated.

2.1.12. Running down with a vehicle

The ideal location for this type of attack would be a station with easy vehicle access or with underground parking, from which a vehicle may reach the turnstiles. This type of attack causes casualties, damage, panic and disorder.

2.1.13. Hijacking

Hijacking is more likely in surface transport, but is also possible in the case of underground transport systems, such as metro systems. Terrorists or criminals carrying weapons may take people in the station hostage, or overcome a train driver and take passengers hostage while they are still onboard. Such instances have the potential for involving extreme violence.

2.1.14. Violence against users

Statistically, violent acts against passengers and employees are more frequent in the evening/night hours. These acts can be committed by individuals or a group, whether within the framework of a robbery, resulting from drunkenness, etc. Violent acts include:

Attack with non-lethal means: Optical systems, chemical agent in gas form (e.g., tear gas, pepper spray etc.), chemical agent in liquid form (e.g., spraying acid), high voltage system (e.g., taser), millimetre radio waves, rubber bullets, torching (criminal use of inflammable liquids and setting fire to victim);

Physical assault and theft: Physical assault, theft, armed robbery;

Physical assault with physical violence only: Attempted rape and rape, sexual harassment, kidnapping, spitting, stabbing (with a knife or sharp object);

Assault with neither physical violence nor theft: Aggressive behaviour, peeping, use of abusive language, up-skirt photography;

Murder;

Behavioural and public disorder offences: Abusive use of personal audio devices, begging, drunkenness, exhibitionism, hawking, non-compliance with animals rules, non-compliance with smoking rules, soliciting (prostitution), vagabonds (homeless, squatters, etc.).

2.1.15. Public disorder

This includes unruly behaviour – shouting, damaging assets, violent protests, etc. Public disorder is more likely to occur when large scale events take place (soccer matches and other sporting events), or during strikes / student demonstrations. People using sparklers, firecrackers, etc., can cause widespread panic. Public disorder may be accompanied by violence from groups, such as gang fights, confrontations in stations, riots, mass demonstrations.

2.1.16. Vandalism and graffiti

Usually vandalism is perpetrated by juveniles, most often late in the evening or at night, when the chance of apprehension is low. These acts can involve damaging station walls and windows, as well as trains, using sharp objects, for example. Security systems, cameras, motion detectors, IR barriers, etc. may also be vandalised.

Graffiti involves drawing on station walls and trains. The consequences are property damage and interference with the smooth running of the system, in cases where the operator has a policy not to use trains that are covered with graffiti, for example.

2.1.17. Fare evasion

Those committing fare evasion are usually young people. "Ticket sharing" is also a form of fare evasion.

2.1.18. Ticket fraud

Ticket fraud is not necessarily an act that one commits intentionally; passengers may be innocent victims of criminals who manufacture fake tickets and sell them. Operator employees may also be involved in such a scheme.

2.1.19. Bogus attack (e.g., screaming, fake bombs, mysterious objects)

Bogus attacks cause disorder, service interruption, panic. The perpetrator could be either a single person or a group, with a variety of objectives: Provocation, causing disorder, drawing attention, etc.

2.1.20. Sabotage

Sabotage refers to acts perpetrated with the intent to derail trains through removal of rail, placement of dangerous objects or tampering with equipment (e.g., the signalling system). This scenario involves an attack on technological systems crucial to the operation of the public transport system.

Maximum effect is achieved when these acts take place during peak hours. Sabotage may also take the form of cutting the supply of energy (e.g., traction power, sub-stations), interfering with signalling or power equipment, neutralising door systems or stopping rolling stock movement (e.g., use of super adhesives and bindings to immobilise vehicles; catenary sabotage).

The most dangerous of these is sabotage of the rail track systems in order to cause train collision or derailment, or deliberate sabotage of infrastructure (e.g., stations, bridges, tunnels). Sabotage, in particular scenarios, may consist of flooding an underwater tunnel (see 2.6).

The purpose of sabotage attacks is to interfere with safe operation, cause casualties or severely interrupt service and cause damage to a PTO's assets.

2.1.21. Pick pocketing

Pickpocketing is usually perpetrated by juveniles, individuals or gangs, in the stations or trains where people are crowded together during peak hours. They open backpacks, bags or briefcases without being noticed, or pretend to bump into a person and then steal their wallet.

2.2. Conclusions

The definition of the scenarios summarises situations that would place the station at risk from a wide variety of threats, which have been listed, classified, prioritised and analysed.

Although the threat classification shows that it is unlikely that some scenarios will actually be realised, the partners unanimously considered them very important to study, in view of their potentially catastrophic consequences (e.g., CBRN-E attack). On the other hand, some threats with a higher frequency of occurrence were considered of lesser importance, due to the limited scope and severity of their consequences.

3. QUALITATIVE METHODOLOGIES

3.1. Security Risk Assessment Framework

3.1.1. Introduction

A good example of a qualitative method is the Security Risk Assessment Framework[R1], which evaluates potential threats, their consequences and the techniques available to mitigate the threats. It is based on five steps:

1. Asset criticality.

2. Threat evaluation.

3. Vulnerability assessment.

4. Countermeasure investigation.

5. Security measure selection.

3.1.2. Methodology and Process

Of the above five steps, the first three are relevant to this chapter on threat analysis and risk assessment:

(1) Step one: Asset criticality

Understanding the criticality and value of the assets to be protected is a crucial factor in security management. An enterprise can assess the impact of the potential loss of its assets only after identifying and analysing them. A list of typical assets is presented above under Recommended Risk Assessment Practice.

The enterprise must determine which assets or categories of assets have the greatest impact on it if lost, damaged or disrupted. In transport, this can mean a major disruption in service or total inability to provide service.

A reference guide to criticality assessment is available from the US Government Accountability Office (GAO): Domestic Terrorism: Prevention Efforts in Selected Federal Courts and Mass Transit Systems, 1988.

(2) Step two: Threat evaluation

Threat evaluation deals with intentional actions committed by an adversary that have the potential to cause harm (death, injury, destruction, or disruption of operation). Within the framework of a threat evaluation, the likelihood of a terrorist attack against critical assets is assessed. One approach used in the transport sector is shown below.

Figure 1: Threat evaluation process

The threat assessment process includes verifying the existence of the terrorist group; its capability to carry out terrorist attacks; its past activity; its intentions; and its likely target/s.

[Flowchart, not reproduced. Boxes: Specify Undesirable Event; Specify Threat; Is the threat present?; Does threat have resources to achieve undesirable event?; Does threat have intention or history?; Has threat targeted the facility? Stage labels: Existence; Capability; Intention or History; Targeting. Branches are marked Y and N, with outcomes PA = VL, PA = L, PA = M, PA = H and PA = VH.]

Figure 2: Threat assessment process

(3) Step three: Vulnerability assessment

This step identifies the elements of design, technology, operations and management of assets that may increase the likelihood of attack if they remain unmitigated. The process identifies specific weaknesses which may encourage the execution of a known threat.

A partial list of vulnerabilities includes relative ease of accessibility to the targeted assets, a site layout that hampers access control, easy access to incoming utilities, building resistance to blast, lighting and ease of penetration of information into technology networks.

There are two main approaches to vulnerability assessment: Scenario-based and checklist-based assessments.

Scenario-based assessment

A common approach in transport security is to develop scenarios of threats against priority assets, and then determine how mitigation measures would alleviate the threat. The objective here is to obtain a list of vulnerabilities which will allow decision makers to prioritise the security measures to be implemented.

Checklist-based assessment

Checklist-based assessment is based on a detailed survey of critical assets, classified into categories (e.g., by physical areas, such as entrance, main corridor, station platform, restrooms etc.), for which industry security standards exist.

Checklist-based assessment is based on the “defence in depth” concept, whereby rings/layers of protection are identified.

Figure 3: Vulnerability assessment outcomes

(4) Step four: Countermeasure investigation

Countermeasure activity typically results in a list of measures and controls designed to reduce specific vulnerabilities in prioritised critical assets. Countermeasures include a broad range of activities that may be implemented by the transport organisation. They are often organised into categories. Countermeasures considered applicable to protecting transport assets are often identified in terms of the capability to deter, detect and delay threats.

Deter – A potential aggressor who perceives a risk of being caught may be deterred from attacking an asset. The effectiveness of deterrence varies with the aggressor's sophistication, the asset's attractiveness and the aggressor's objective.

Detect – Detection senses an act of aggression, assesses the validity of the detection and communicates the appropriate information to a response force. A detection system must provide all three capabilities to be effective.

Delay – These measures protect an asset from aggression by delaying or preventing an aggressor's movement toward the asset or by shielding the asset from weapons and explosives.

(5) Step five: security measure selection

The final step is the process through which the transport system evaluates which among the proposed security measures will be implemented. This process is usually guided by assessments of cost effectiveness.

3.1.3. Summary – Security Risk Assessment Framework

Qualitative methodologies are widely used, as they are practical in risk assessments. Although the methodological process at the analysis stage is extremely clear in relation to threats and vulnerabilities, it is vague about their impact and the connection between their various components. As a basic analysis tool in the organisational risk management process, the methodology meets its objectives and achieves a satisfactory broad mapping of threats and vulnerabilities. However, the methodology's main weaknesses result from the use of qualitative, and not quantitative assessment tools. Consequently, the analysis itself is overly vague and subjective on the one hand; and the connection between the various risk factors (threat, vulnerability, potential damage) and the results are insufficiently distinct, impairing its scientific validation. The following points outline the methodology's main weaknesses:

The threat analysis is too generic. The analysis as presented above represents, to a large degree, the threat level that the organisation, city or country is exposed to; however, it only represents the probability of attack element to a lesser degree. The most obvious drawback of this method is that it produces similar, even identical results for all relevant scenarios applicable to transportation systems on the one hand; while on the other hand – some of the analysis elements require access to classified information.

The assessment of vulnerabilities is carried out in a systematic manner; however the result is very vague and subjective.

The parameters on the basis of which the impact analysis is carried out are unclear.

The risk analysis results are presented through situational definitions of "high", "serious/severe" and "low", which produce results that are far too subjective. A clear distinction cannot be made between one "high" situation and another, which undoubtedly exist in the real world; for example, the use of an explosive device containing X kgs of explosive material, as compared to an explosive device containing double the amount of explosive material.

It is unclear how countermeasures can be investigated on the basis of this methodology, both on a theoretical level and from an individual perspective.

The results of a risk assessment do not enable the user to carry out quantitative cost-effectiveness analyses that also include a financial component.

3.2. COUNTERACT – Generic Guidelines for Conducting Risk Assessment in Public Transport Networks

3.2.1. Introduction

Within the framework of the COUNTERACT[R2] project, a qualitative methodology for risk assessment in public transport systems was developed. The methodology is generic for urban transport system operators, whether metro, commuter trains, light rail, trams or buses. The main motivator for the development of a united methodology in this project was the desire of the EU, following the terror attacks of 9/11, Madrid and London, to provide security and risk managers of public transport systems with decision support tools that will help determine the appropriate resources that need to be allocated for managing risks in these systems.

The developers of the methodology defined the following parameters as fundamental:

It can be applied to most types of organisations;

It does not require that the users have prior knowledge of risk assessment;

It facilitates and supports collective brainstorming and evaluation processes by experts from various backgrounds;

It allows the inclusion of all different kinds of threats;

It allows the inclusion of all phases of risk-management, i.e. prevention, mitigation and rehabilitation.

3.2.2. Methodology and Process

The starting point of the process, as defined in the methodology, includes two workshops: A kick-off workshop and a risk assessment workshop.

Workshop 1 – “Kick-off” – all relevant parties, including those mentioned above, must attend in order to decide the scope of the study, distribute tasks, agree on the definitions to be used, appoint a workshop moderator, adopt a work plan, gather all necessary background information and arrange it into an operational diagram, etc.

Workshop 2 – “Risk Assessment” – where the results will be ranked, a vulnerability assessment will be done and a conclusions report will be submitted to management.

The methodology includes five steps: Structuring of operational diagram, assessing the probability of occurrence, assessing of impact/severity, assessing the risks and vulnerability assessment.

(1) Step one: Structuring of operational diagram

At the first stage, the operator and/or infrastructure owner identifies the organisation's assets and creates a matrix of these assets (Figure 4). The matrix is created for each transport system, and presents the main critical assets (infrastructures and systems), and beneath them, the elements of each asset.

Figure 4: Operational diagram matrix

(2) Step two: Assessing the probability of occurrence

Step 2 involves conducting a qualitative assessment of the probability of threat occurrence in cooperation with the security authorities, which relates to the following issues:

How severe are the threats for their own network?

How attractive is the city/region for terrorists compared to others?

How attractive is the PT (Public Transport) system for terrorists compared to other potential targets in the city/region?

Which system elements are most attractive for terrorists?

Which parts of the network are most critical to the operation?

The evaluation of the attractiveness of the target in the eyes of the adversary is also taken into account in the threat assessment, which covers the following fields:

Number of passengers in interchanges/stations/stops, vehicles (at peak times)

Nodes and intersections / Role and Importance for network

Geographical and geological distinct features that could facilitate attacks or impede response efforts and therefore increase the potential impact

Symbolic importance

Special/Large events organised nearby (adjacent or where PT carries the visitors) that could temporarily raise the risk level

Special dates (anniversaries)

Temporary building works

Institutions/Organisations nearby that generate a group of passengers, which is at special risk (e.g. political or religious groups)

Cash handling

Is there a history of attacks? Have there been attacks in the past?

Areas with easy access of vehicles to sensitive areas at close range, e.g. stations and critical assets

Based on the parameters of the threat assessment and the evaluation of the target's attractiveness, the probability of occurrence is now assessed using a matrix with qualitative categories – from "very high" to "very unlikely", as shown in Table 1. The definition of each parameter is derived from EN50126.

| Probability of Occurrence | Definition Criteria (derived from Euro Norm 50126) |
|---|---|
| Very high | The threat can be realised at any time and/or has been repeatedly realised within the organisation |
| High | The threat has been repeatedly realised; including once within the organisation |
| Possible (probable) | The threat has either been repeatedly realised within other PT operations worldwide, or at least once within a PT operation in the same/neighbouring country |
| Low | The threat has been realised on rare occasions in other organisations (worldwide) |
| Very unlikely | It is extremely unlikely that the threat will be realised; it has never been executed in other PT operations |

Table 1: Probability of occurrence matrix

(3) Step three: Assessing of Impact/Severity

The third step in the methodology involves conducting a qualitative assessment of the consequences of each threat and scenario. This assessment relates to two parameters:

Consequences for persons and/or property/environment

Consequences for PT operator and services

The impact/severity of the consequences is based on four qualitative parameters: Disastrous, critical, marginal and uncritical, as displayed in Table 2. The definition of each parameter is derived from EN50126.

| Impact / Severity | Definition Criteria (derived from Euro Norm 50126): Consequences for Persons and/or Property/Environment | Definition Criteria (derived from Euro Norm 50126): Consequences for PT Operator and Services |
|---|---|---|
| Disastrous | Several (to be defined by Operator) deaths and/or numerous severe injuries and/or most severe damage to property and/or environment | Loss of vital functions and/or operation for a long (to be defined by Operator) period of time |
| Critical | Low (to be defined by Operator) number of deaths and/or severely injured and/or severe (to be defined by Operator) damage to property and/or environment | Loss of vital functions and/or operation for a short period of time |
| Marginal | Light casualties and/or notable damage to property and/or environment | Minor impact on functions and/or operation |
| Uncritical | Possibility of few light casualties and/or slight damage to property and/or environment | No impact on functions and/or operation |

Table 2: Impact / severity assessment matrix

(4) Step four: Assessing of risk

After the evaluation of the probability of occurrence and of the consequences, these values are presented in the risk matrix (Table 3). The X and Y axes represent values of the consequences and the probability of the occurrence of the threat respectively, and the values in the matrix are presented in four risk categories: Intolerable, precarious, tolerable and negligible.

| Risk Categories: Probability of Occurrence (rows) vs. Impact / Severity (columns) | Uncritical (1) | Marginal (2) | Critical (3) | Disastrous (4) |
|---|---|---|---|---|
| Very high (5) | Tolerable (5) | Precarious (10) | Intolerable (15) | Intolerable (20) |
| High (4) | Tolerable (4) | Precarious (8) | Precarious (12) | Intolerable (16) |
| Possible (3) | Negligible (3) | Tolerable (6) | Precarious (9) | Precarious (12) |
| Low (2) | Negligible (2) | Tolerable (4) | Tolerable (6) | Precarious (8) |
| Very unlikely (1) | Negligible (1) | Negligible (2) | Negligible (3) | Tolerable (4) |

Table 3: Risk assessment matrix

The risk assessment is translated into the matrix that was developed in Step 1. The risk faced by each asset within the transport system is evaluated in the relevant cell of the matrix. The result is presented in Figure 3.

Figure 5: Risk matrix filled with risk categories

(5) Step five: Vulnerability assessment

The last step in the risk assessment is defined as a "vulnerability assessment", in which we examine the influence of the various risk management safeguards on the risk category. This assessment is summarised in a matrix that displays the value of the risk before and after the assimilation of the safeguards. In addition to the assessment conducted for the purpose of risk management, one must also take into consideration a qualitative and quantitative evaluation of the following parameters:

Costs;

Effectiveness;

Time for implementation;

Additional benefits regarding safety-aspects (increasing the lighting level for the use of CCTV cameras will facilitate evacuation) or service/comfort of passengers, improving the security perception of passengers /staff, reduction of vandalism, etc.

Insurance impact

Figure 6: Vulnerability assessment matrix

The risk management policy depends on the risk parameter, and is detailed in Table 4 below:

| Risk-Category | Score | Action Required |
|---|---|---|
| Intolerable | 15-20 | Must be avoided or impact must be mitigated as far as possible |
| Precarious | 8-12 | Shall only be accepted if the effort for prevention and/or mitigation of impact is unreasonably high |
| Tolerable | 4-6 | Shall be accepted, but threat needs to be assessed regularly |
| Negligible | 1-3 | Shall be accepted |

Table 4: Risk management actions
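
The scoring described in steps 2 to 5 and Tables 1 to 4, as an added example that is not part of the report or of the COUNTERACT material: it multiplies the probability and impact ranks, maps the score to its Table 4 band, compares risk before and after safeguards, and lists entries that receive the same score from different inputs. The register entries, their ratings and all function names are constructed for illustration; the action texts are abridged from Table 4.

```python
from dataclasses import dataclass

# Ordinal scales as printed in Tables 1-3 of the report.
PROBABILITY = {"Very unlikely": 1, "Low": 2, "Possible": 3, "High": 4, "Very high": 5}
IMPACT = {"Uncritical": 1, "Marginal": 2, "Critical": 3, "Disastrous": 4}

# Score bands from Table 4: (low, high, category, abridged action).
BANDS = [
    (15, 20, "Intolerable", "Avoid, or mitigate impact as far as possible"),
    (8, 12, "Precarious", "Accept only if prevention/mitigation effort is unreasonably high"),
    (4, 6, "Tolerable", "Accept, but reassess the threat regularly"),
    (1, 3, "Negligible", "Accept"),
]


def band(score):
    """Return (category, action) for a score; raise if no Table 4 band covers it."""
    for low, high, category, action in BANDS:
        if low <= score <= high:
            return category, action
    raise ValueError(f"score {score} falls outside every Table 4 band")


def risk(probability, impact):
    """Step 4: score = probability rank x impact rank, mapped to a risk category."""
    score = PROBABILITY[probability] * IMPACT[impact]
    return score, band(score)[0]


def unbanded_scores():
    """Scores the 5x4 matrix can produce that Table 4 would leave uncategorised."""
    reachable = {p * i for p in PROBABILITY.values() for i in IMPACT.values()}
    covered = {s for low, high, _, _ in BANDS for s in range(low, high + 1)}
    return reachable - covered


@dataclass
class Entry:
    asset: str
    threat: str
    before: tuple  # (probability, impact) without safeguards
    after: tuple   # (probability, impact) with safeguards in place


def assess(register):
    """Step 5: risk before and after safeguards, highest initial score first."""
    rows = []
    for e in register:
        s0, c0 = risk(*e.before)
        s1, c1 = risk(*e.after)
        rows.append({"asset": e.asset, "threat": e.threat, "before": (s0, c0),
                     "after": (s1, c1), "action": band(s1)[1], "reduced": c1 != c0})
    return sorted(rows, key=lambda r: r["before"][0], reverse=True)


def indistinguishable(register):
    """Scores reached by more than one distinct (probability, impact) pair."""
    by_score = {}
    for e in register:
        by_score.setdefault(risk(*e.before)[0], set()).add(e.before)
    return {s: sorted(pairs) for s, pairs in by_score.items() if len(pairs) > 1}


# Constructed register: threat names come from section 2.1, all ratings are invented.
REGISTER = [
    Entry("Signalling system", "Sabotage", ("High", "Critical"), ("Low", "Critical")),
    Entry("Station platform", "Arson", ("Possible", "Disastrous"), ("Possible", "Critical")),
    Entry("Station walls", "Vandalism and graffiti", ("Very high", "Uncritical"), ("High", "Uncritical")),
    Entry("Ticket hall", "Bogus attack", ("Very high", "Marginal"), ("Possible", "Marginal")),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
    print("same score, different inputs:", indistinguishable(REGISTER))
    print("scores without a band:", unbanded_scores())
```

In the constructed register, the arson entry drops from 12 to 9 after safeguards yet stays "Precarious", so a category-only view of the before/after matrix hides that reduction.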

3.2.3. Summary – COUNTERACT PT4 (Generic Risk Assessment Guidelines)

The generic methodology developed within the framework of the COUNTERACT project allows assessing risks via a straightforward process that is clearly aligned with safety risk assessment methodologies utilised in the industry. From an applied perspective, the methodology achieves the objectives defined by its developers, and enables performing risk assessments even by those lacking expertise in this specific area.

However, the methodology's main weaknesses result from the use of qualitative, rather than quantitative, assessment tools. Consequently, the analysis itself is overly vague and subjective on the one hand; and on the other, the connection between the various risk factors (threat occurrence and impact/severity) and the result is insufficiently distinct, impairing its scientific validation. The following points outline the methodology's main weaknesses:

The process requires the involvement of security and law enforcement bodies, whose contribution to the process of assessing the probability of occurrence of the threat is essential, but at the same time makes the independent performance of this assessment by the operator more difficult.

The definition of the probability of the occurrence of the threat, as defined in EN50126, is overly general. Furthermore, it is not clear whether other influencing parameters, for example accessibility to a critical asset in the system, were considered, how they were considered and to what extent. The calculation of the probability does not consider any of these elements and does not reflect the parameters associated with the adversary's capability, target attractiveness and the evaluation of the adversary's potential for success.

The consequences assessment categories are represented by the four severity parameters and two categories: the impact on people and property; and the impact on the service provided by the operator. No clear distinction is made between different severity levels, for example "disastrous" and "critical"; consequently, the risk assessment results heavily depend on the assessors' point of view and are therefore very subjective. The definition of the impact, as defined in EN50126, is overly general and generic, and does not reflect clear, quantifiable parameters.

The assessment of the consequences' components is relative and not absolute, and is based on subjective definitions; i.e., Operator A and Operator B may analyse the impact of the same event and arrive at results that are in totally different risk categories, based on the definitions of impact on their own assets/property and services. Consequently, the weakness of the methodology is in an overly subjective risk assessment.

The methodology's interpretation of the concept "vulnerability" is flawed, and for some reason relates to the risk mitigation process and not to the process of assessing the adversary's ability to implement a specific tactic when attacking a specific asset.

A ready-to-use supporting software tool (e.g., an Excel spreadsheet with basic data) has not been provided to facilitate the task of filling in the risk matrices and to save risk assessment reports from previous analyses.

The prioritisation of countermeasures/safeguards according to their performance, effectiveness, cost efficiency, etc., is insufficiently clear, as no guidelines have been provided to perform such an evaluation.

4. PARTIAL QUANTITATIVE METHODOLOGY

4.1. FEMA – Risk Management Series

4.1.1. Introduction

The US Federal Emergency Management Agency (FEMA) is responsible for disaster mitigation, preparedness, response and recovery planning. As part of a risk management series, the agency has published a manual on building asset value, threat/hazard, vulnerability and risk assessment. The following approach can be considered from the point of view of its validity to typical transport physical assets and infrastructure.

4.1.2. Methodology and Process

4.1.2.1. Asset value assessment

Identifying a facility's critical assets is a two-step process [R3]: (1) define and understand its core functions (primary services or activities, occupants and visitors) and (2) identify the building's physical infrastructure (e.g., structural components, information systems, utilities, safety and security systems).

Once the facility's assets requiring protection have been identified, they should be assigned a value which reflects the importance of the impact caused by the incapacity or destruction of these particular building assets. A variety of scales may be used. Some are linguistic (e.g., high, medium, low), others are numerical.

Figure 7: Asset value scale and description

Very High - Exceptionally grave consequences, such as extensive loss of lives, widespread severe injuries, total loss of primary service, core processes and functions

High - Grave consequences, such as loss of lives, severe injuries, loss of primary service or major loss of core processes and functions for an extended period of time

Medium High - Serious consequences, such as serious injuries or impairment of core processes and functions for an extended period of time

Medium - Moderate to serious consequences, such as injuries or impairment of core functions and processes

Medium Low - Moderate consequences, such as minor injuries or minor impairment of core functions and processes

Low - Minor consequences or impact, such as slight impact on core functions and processes for a short period of time

Very Low - Negligible consequences or impact

4.1.2.2. Threat/Hazard Assessment

Understanding who the people are who intend to cause harm is paramount. One should attempt to have an understanding of their weapons and tactics, even if these can change rapidly. The best source for this type of information is usually the intelligence and national police community. For technical hazards, the best sources are the state agencies involved in civil protection (e.g., fire brigade). Rail specialist input would also be necessary.

The following table gives an idea of the sort of risks that should be considered and of their consequences.

Figure 8: Event profiles for terrorism and technological hazards

4.1.2.3. Threat definition of physical attack

To stop a terrorist or a physical attack on a building is very difficult. However, the more secure the facility or site is, the better the odds are that it will not be attacked.

The threat definition of physical attack requires an assessment of the reality of the threat, the capability of the aggressors, their history and their intentions.

The consequences of a terrorist attack on a given facility depend heavily on its system interactions. See figure below for an example of the different impacts that a terrorist attack may have.

Figure 9: Threat analysis factors

4.1.2.4. Vulnerability assessment

A vulnerability assessment is an in-depth analysis of the facility functions, systems and site characteristics that highlight weaknesses or a lack of redundancy. This process identifies in turn the corrective actions that can reduce vulnerabilities.

A vulnerability assessment should be performed for existing facilities, and the lessons learned should be incorporated in the design of new building construction or renovation.

Figure 10: Facilities inherent vulnerability assessment matrix

Figure 11: Standard chart for security measures selection

The preceding tables will help determine the most appropriate security standards for the building.

4.1.2.5. Risk assessment

Following the FEMA risk management series, the partial quantitative methodology is particularly relevant to high-risk assets. Risks do not simply “add up”; they grow exponentially, as shown in the following formula:

Risk = asset value x threat rating x vulnerability rating.

This shows the importance of conducting in-depth risk assessments that give engineers and architects the means to design mitigation measures which will reduce vulnerability.

Figure 12: Risk assessment screening matrix

4.1.2.6. Summary – FEMA's partial quantitative methodology

Partial quantitative methodologies are more widely used in risk assessments, and it appears that most consultants or those active in this field tend to utilise them. On the one hand, there is a strong element of initial analysis in the methodical process, which is mostly taken from qualitative methodologies; while on the other hand – quantitative tools are used in the presentation of the data. As a basic analysis tool in the organisational risk management process, this methodology achieves better results than the qualitative methodology. However, its main weakness is its over-generalisation in the translation of the qualitative analysis to a quantitative one, which causes an inherent deviation in the data itself and significantly weakens the methodology's scientific validity. The main weaknesses of this methodology are presented below:

The threat parameter indicates the value of the probability of attack. The qualitative analysis of this value is comprehensive; however in reality, the quantitative value is too simplistic and general. It is unclear how the transition from one to the other is made.

The vulnerability parameter, together with the concept of asset value, allegedly indicates the value of the consequences of occurrence. The transition from the comprehensive qualitative process to the very simplistic quantitative parameters is unclear from a methodical point of view, and produces a significant deviation between the qualitative and the quantitative processes.

The result is a certain number that can be compared with other results, using simple tools. Nevertheless, the result is too subjective and its scientific validation is lacking.

It is unclear how a countermeasures investigation is executed when implementing this methodology, both on a theoretical level and from an individual perspective.

4.2. EUMASS – Mass-Transit System Security Risk Assessment and Audit Methodology

4.2.1. Introduction

The EUMASS project (European Mass Transit System Security Risk Assessment and Audit Methodology) is a response to the challenge of developing a risk assessment and audit methodology capable of assessing the vulnerabilities of a mass transit system to a potential terrorist attack, as part of the EPCIP (European Programme for Critical Infrastructure Protection), within the DG-JLS Programme: “Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks”.

4.2.2. Methodology and Process

The EUMASS objective was to deliver a unified innovative solution for a risk assessment methodology that can be used by all European mass transit operators.

The main challenge was to achieve an integrated process developed on the basis of an audit method and a risk assessment methodology. In addition, a software tool has been developed to support the entire risk analysis cycle by providing the following functionalities: knowledge base management, risk analysis scenario management, risk analysis calculation and evaluation, and auditing support management.

The overall EUMASS approach process covers three main phases:

(1) Initial Assessment Audit: At which any information that is to be used for the risk assessment is collected and evaluated.

(2) Semi-quantitative Assessment: At which the extent of the security risk is evaluated, and mitigation actions and the residual risk are identified.

(3) System Monitoring Audit: This audit is performed as part of the Security Management Process, in order to keep abreast of any change in the information acquired by the assessing entity.

Figure 13: Risk management cycle (diagram relating the risk management phases to the EUMASS activities: Assessment Audit, Quantitative Risk Assessment, System Monitoring Audit)

With reference to the EUMASS methodology, the first phase: Initial Assessment Audit, is devoted to modeling the system whose risks will be assessed, based on the strategic security goals and all the relevant security elements of the system under evaluation.

Based on the acquired information, a semi-quantitative security assessment is carried out in the second phase of the process, at which the risk is calculated by applying the following proposed EUMASS formula:

Risk = Probability * Impact = [Threat level * (Attractiveness * Vulnerability)] * Impact

The semi-quantitative security assessment comprises the following stages:

Critical assets identification

Threats identification

Scenario definition

Global and local conditions

Risk assessment

The system monitoring audit will provide a structured method for continuously verifying that the selected countermeasures have been assimilated, and for identifying the relevant modifications that must be implemented to ensure the system remains protected.

The steps comprising the semi-quantitative security assessment are described in further detail below:

(1) Critical assets identification

A list of metro system assets will be identified and classified by category. These assets will be analysed for the purpose of identifying critical assets that comprise attractive potential targets in the eyes of the adversary, and which will therefore be taken into consideration in the risk assessment.

The critical assets of the metro system that have been identified are listed below:

Station building

Platform

Track sections

Service entrances

Technological systems – operational control centre (OCC)

Technological systems – ventilation system

Technological systems – communication system

Technological systems – signalling system

Technological systems – power supply system

Vehicles

Depot / s

(2) Threat identification

Potential threats faced by public transport systems are listed below:

Dispersion of chemical, biological or radiological agents

Attack involving the use of IEDs / VBIEDs

Arson

Hijacking of a train or service vehicle

Sabotage of tracks or equipment

Public disorder and vandalism

Illegal acts (e.g., fare evasion)

Terrorism alert (e.g., fake bomb)

(3) Scenario, local and global factors

When putting together a specific threat with a specific asset we can define a scenario of attack that a potential adversary may follow, taking into account all relevant factors, for example:

Maximum impact expected on people, infrastructure and service.

Attack carried out by reasonably skilled perpetrators.

Perpetrators are unaware of the security measures implemented in the transport system.

Attack timed to take place during peak hours.

Attack is the realisation of a single threat (no multiple attacks).

The threat is unique and real (no fake threats).

The complete list of potential scenarios shall be analysed in order to determine the most representative cases for the assessment of the security level of a typical metro system. Reference scenarios will be chosen according to the following criteria:

Higher ranking scenarios, as determined by a qualitative criticality assessment performed by experts;

Most likely scenarios, taking into account past events;

In the scenarios definition, each asset should be the potential target of at least one type of attack.

The application of the above mentioned criteria ensures that the selected reference scenarios will fully cover and represent the most sensitive security threats faced by metro transport systems, by considering the most critical potential events occurring to a typical system.

(4) Risk Calculation

The EUMASS method for risk calculation is based on the following factors:

Risk = (Attractiveness * Vulnerability) * Impact

Where:

Attractiveness assesses the probability that an asset is considered a target by a terrorist group.

Vulnerability assesses the potential for a successful attack.

Impact assesses the damage (people, infrastructure and service continuity) arising from the realisation of a threat.

Moreover, it may be necessary to add another factor, which reflects the different levels of terror threats that Member States may face. This factor represents the underlying level of threat posed by the terrorist group to the specific Member State in which the asset is located.

Therefore, taking into account these factors as well, risk can be defined as:

Risk = [Threat Level * (Attractiveness * Vulnerability)] * Impact

Additional sub-factors are considered when calculating the risk factors:

Vulnerability (accessibility, prevention, physical hardening)

Attractiveness (perceived target vulnerability, perceived hardness)

Impact (people, infrastructure, service)

The influence of each security measure implemented on each of the aforesaid factors is estimated by a qualified assessor, producing a Risk Mitigation Level / Degree / Rank, which indicates, for each scenario, the influence of the implemented measure in countering a specific scenario built around a specific threat.

In order to estimate the effect of each threat on the same asset, the measure of this effect, which is considered in the analysis, must be assessed at the beginning of the analysis, to allow an effective comparison between the improvements achieved by each countermeasure against different threats faced by the same asset.

4.2.3. Summary – EUMASS Risk Assessment and Audit Methodology

The methodology developed in the EUMASS project represents an innovative and unified methodology that combines both the audit and the risk assessment methodologies, reinforcing their synergies and interdependencies.

The unified methodology can be applied in a continuous process at regular intervals or as needed:

To evaluate the risk faced by a public transport system;

To choose the countermeasures/safeguards to be implemented in order to reduce the risk to an acceptable level;

To periodically verify the continued effectiveness of these countermeasures/safeguards.

The EUMASS methodology meets its objectives by going a step further, beyond the traditional calculation of the risk as the product of the probability of an attack and its impact, where the calculation of the probability is mainly based on statistical information and subjective considerations. In the innovative methodology proposed in EUMASS, the probability is replaced by relative probabilities resulting from the assessment of several factors, such as the attractiveness of the target and its vulnerability to an attack, as well as additional factors, which reflect the different levels of terror threats that the countries in which the transport systems operate may face.

Furthermore, this unified methodology has been implemented as a prototype IT supporting tool, which enables the user to manage: i) the knowledge base, ii) the risk analysis scenarios and risk assessment, iii) the auditing results and iv) to store information in the database.

Both the risk assessment methodology and the IT supporting tool were tested and validated by conducting several analyses, from a theoretical viewpoint, and also by applying the IT tool to use cases based on real threat scenarios potentially faced by mass transit systems.

All these tests and validation activities, together with deliberations with PTOs during the project lifetime, have ensured the applicability and usability of the EUMASS methodology and of the supporting software tool. However, there are some weak points that need to be mentioned as well, such as:

The results are too sensitive to variations of the sub-factors' values, especially when the risk level is low

It is unclear how the parameter “threat level” is defined, and the quantitative values assigned to this parameter are calculated in a very simplistic manner, with the aim of providing added value to the calculation of the probability

The evaluation of some parameters, e.g., the level of interest that a particular asset would hold in the eyes of the potential adversary (target attractiveness) which affects the overall probability calculation, is very subjective, and also requires a good understanding of the adversary organisation

The prototype IT supporting tool does not carry out cost-effectiveness analyses. Additionally, the quantitative calculation for impact costs is overly general, and requires a specific individual refinement per case.
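The EUMASS formula from step (4) and the first weak point above (sensitivity to sub-factor variations at low risk levels) can be illustrated as follows. This is an added example, not part of the EUMASS tool or of this report: the 1..5 scoring scale, the arithmetic mean used to combine sub-factors, the definition of the mitigation level as a relative risk reduction, and all scores are assumptions.

```python
"""EUMASS-style risk: [Threat level x (Attractiveness x Vulnerability)] x Impact.

Added illustration. The 1..5 scale, the mean used to combine sub-factors and
all scores below are assumptions; the text does not state how EUMASS does it.
"""
from statistics import mean

# Sub-factors per factor, as listed in the text.
SUB_FACTORS = {
    "vulnerability": ("accessibility", "prevention", "physical_hardening"),
    "attractiveness": ("perceived_target_vulnerability", "perceived_hardness"),
    "impact": ("people", "infrastructure", "service"),
}
LOW, HIGH = 1, 5  # assumed ordinal scale; a higher score means more risk


def factor(scores, name):
    """Combine the sub-factor scores of one factor (assumed: arithmetic mean)."""
    values = [scores[sub] for sub in SUB_FACTORS[name]]
    if any(not LOW <= v <= HIGH for v in values):
        raise ValueError(f"{name}: scores must lie in {LOW}..{HIGH}")
    return mean(values)


def risk(threat_level, scores):
    """Risk = [Threat level x (Attractiveness x Vulnerability)] x Impact."""
    probability = threat_level * (factor(scores, "attractiveness")
                                  * factor(scores, "vulnerability"))
    return probability * factor(scores, "impact")


def residual_risk(threat_level, scores, safeguard):
    """Risk after a safeguard; `safeguard` maps sub-factor -> assessed new score."""
    return risk(threat_level, {**scores, **safeguard})


def mitigation_level(threat_level, scores, safeguard):
    """Fraction of the scenario risk removed by the safeguard (assumed metric)."""
    before = risk(threat_level, scores)
    return 1 - residual_risk(threat_level, scores, safeguard) / before


def one_step_sensitivity(threat_level, scores):
    """Relative change in risk when one sub-factor rises by one scale step."""
    base = risk(threat_level, scores)
    return {sub: risk(threat_level, {**scores, sub: value + 1}) / base - 1
            for sub, value in scores.items() if value < HIGH}


def uniform_scenario(score):
    """Constructed scenario in which every sub-factor has the same score."""
    return {sub: score for subs in SUB_FACTORS.values() for sub in subs}


LOW_RISK = uniform_scenario(1)    # constructed sample data
HIGH_RISK = uniform_scenario(4)   # constructed sample data

if __name__ == "__main__":
    for label, level, scenario in (("low", 1, LOW_RISK), ("high", 4, HIGH_RISK)):
        shift = one_step_sensitivity(level, scenario)["accessibility"]
        print(f"{label}-risk scenario: risk={risk(level, scenario):.1f}, "
              f"one step on accessibility changes it by {shift:+.1%}")
    safeguard = {"accessibility": 2, "prevention": 2}
    print(f"mitigation level: {mitigation_level(4, HIGH_RISK, safeguard):.1%}")
```

Under these assumptions, the same one-step change in a single sub-factor shifts the low-risk result by about a third and the high-risk result by about a twelfth, which is the disproportion the weak point describes.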

5. QUANTITATIVE METHODOLOGY

5.1. Blue Ribbon Panel (BRP) and the US Federal Highway Administration (FHWA)

5.1.1. Introduction

Even if subjective criteria can never be fully taken out of risk assessment, we believe that the more critical the asset is, the more quantitative the risk assessment methodology should be. This approach would be expected to decrease the margin of error inherent in risk assessment.

A good example of quantitative methodology is found in the report on Recommendations for Bridge and Tunnel Security published in 2003 by The Blue Ribbon Panel on Bridge and Tunnel Security set up by the American Association of State Highway and Transportation Officials (AASHTO) and the US Federal Highway Administration (FHWA).

The Blue Ribbon Panel (BRP) opted for a risk assessment method based on engineering and mathematical principles, in other words, a quantitative methodology, in response to the strategic importance of the assets involved. The BRP was of the opinion that the loss of a critical bridge or tunnel in the country's transport system could have such consequences in terms of casualties or socioeconomic costs that only the most elaborate risk assessment method was adequate.

The BRP came to the conclusion that security solutions should be “engineered” and that technology should be developed to meet bridge and tunnel security requirements.

The BRP recommended the development of technical methods for identifying critical bridges and tunnels. It also called for operational security measures that employed effective security procedures and available technology, engineering and design approaches for reducing the vulnerability of critical infrastructure. Finally, it advocated a greater understanding of structural responses to terrorist attacks and countermeasures to mitigate potential consequences.

5.1.2. Methodology and Process

The quantitative risk assessment method used by the BRP involved three main factors: the Importance Factor (IF), which is a measure of the socio-economic impact of the facility's operation; the Occurrence Factor (OFi), a measure of the relative probability or likelihood of threat i occurring; and the Vulnerability Factor (VFi), a measure of the consequences to the facility and the occupants given the occurrence of threat i.

Expressed in equation format, the risk score (RS) for a given facility, is written as follows:

$$RS = IF \times \sum_{i} \left[ OF_i \times VF_i \right] \qquad (1)$$

Where OFi, VFi and IF are defined as above, and Σ denotes the summation over all considered threats to the facility.

Each of the factors in Equation (1) is a number between 0 and 1, computed using a multivariate utility method. In this method, each factor is computed as the summation of the weighted values (between 0 and 1) of the attributes that define the factor as follows:

$$IF = \sum_{j} \left[ W_j \times V_j(X_j) \right] \qquad (2a)$$

$$OF = \sum_{j} \left[ W_j \times V_j(X_j) \right] \qquad (2b)$$

$$VF = \sum_{j} \left[ W_j \times V_j(X_j) \right] \qquad (2c)$$

Where Xj is the value of attribute j (e.g., very high), Vj(Xj) is the function or table that maps Xj to a utility value (between 0 and 1; e.g., very high corresponds to 1), Wj is the weighting factor on attribute j, and Σ denotes the summation over all considered attributes for the factor.

The weighting factors used for combining the attributes that make up each of the factors listed above are developed using the pair-wise comparison procedure in the Analytic Hierarchy Process, whereby each member of the decision making group assigns a numerical value to the relative influence of one attribute over another. The scores are averaged and used to compute the weighting factors, which are then reviewed by the group as a whole and revised until all members of the group are satisfied with the results.
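Equations (1) and (2a) to (2c), together with the group weighting step, can be carried through numerically. The Python below is an added example, not code from the BRP report or from this project: the attribute names, ratings, OF/VF weights and pairwise judgements are constructed, and the row geometric-mean weight calculation and Saaty consistency ratio are standard AHP techniques that the text does not itself specify.

```python
"""BRP-style risk score RS = IF * sum_i(OF_i * VF_i) with AHP-derived weights.
All attribute names, ratings, weights and judgements are constructed."""
from math import prod

# V_j(X_j): rating -> utility in [0, 1]. "very high" -> 1 follows the text;
# the evenly spaced lower steps are an assumption.
UTILITY = {"very low": 0.0, "low": 0.25, "medium": 0.5, "high": 0.75, "very high": 1.0}
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}  # Saaty's random index by size


def comparison_matrix(names, member_judgements):
    """Average each pairwise score over the group and build the reciprocal
    matrix. A judgement {(a, b): s} means 'a has s times the influence of b'."""
    n = len(names)
    matrix = [[1.0] * n for _ in range(n)]
    for a in range(n):
        for b in range(a + 1, n):
            scores = [member[(names[a], names[b])] for member in member_judgements]
            mean = sum(scores) / len(scores)
            matrix[a][b] = mean
            matrix[b][a] = 1.0 / mean
    return matrix


def ahp_weights(matrix):
    """Row geometric-mean approximation of the AHP priority vector (sums to 1)."""
    n = len(matrix)
    means = [prod(row) ** (1.0 / n) for row in matrix]
    total = sum(means)
    return [m / total for m in means]


def consistency_ratio(matrix, weights):
    """Saaty's CR; above roughly 0.10 the group should revisit its judgements."""
    n = len(matrix)
    if n < 3:
        return 0.0  # 1x1 and 2x2 reciprocal matrices are always consistent
    aw = [sum(matrix[i][k] * weights[k] for k in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    return ((lambda_max - n) / (n - 1)) / RANDOM_INDEX[n]


def factor(weights, ratings):
    """Equations (2a)-(2c): sum over attributes of W_j * V_j(X_j)."""
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1 so the factor stays in [0, 1]")
    return sum(w * UTILITY[r] for w, r in zip(weights, ratings))


def risk_score(importance, threats):
    """Equation (1): threats is an iterable of (OF_i, VF_i) pairs."""
    return importance * sum(of_i * vf_i for of_i, vf_i in threats)


# --- constructed inputs ---------------------------------------------------
IF_ATTRIBUTES = ["passenger volume", "network role", "replacement cost"]
MEMBER_JUDGEMENTS = [  # two group members, each scoring the three pairs
    {("passenger volume", "network role"): 1,
     ("passenger volume", "replacement cost"): 3,
     ("network role", "replacement cost"): 2},
    {("passenger volume", "network role"): 3,
     ("passenger volume", "replacement cost"): 5,
     ("network role", "replacement cost"): 2},
]
IF_RATINGS = ["very high", "medium", "high"]
OF_WEIGHTS = [0.5, 0.3, 0.2]   # assumed already agreed by the group
VF_WEIGHTS = [0.6, 0.4]
THREATS = {  # threat i -> (ratings of OF attributes, ratings of VF attributes)
    "threat 1": (["high", "medium", "low"], ["very high", "medium"]),
    "threat 2": (["low", "low", "medium"], ["medium", "high"]),
}


def demo():
    matrix = comparison_matrix(IF_ATTRIBUTES, MEMBER_JUDGEMENTS)
    weights = ahp_weights(matrix)
    cr = consistency_ratio(matrix, weights)
    importance = factor(weights, IF_RATINGS)
    pairs = [(factor(OF_WEIGHTS, of_r), factor(VF_WEIGHTS, vf_r))
             for of_r, vf_r in THREATS.values()]
    return weights, cr, importance, risk_score(importance, pairs)


if __name__ == "__main__":
    w, cr, importance, rs = demo()
    print("IF weights:", [round(x, 3) for x in w], "CR:", round(cr, 3))
    print("IF = %.3f, RS = %.3f" % (importance, rs))
```

Because RS sums OFi × VFi over every threat considered, scores are only comparable between facilities assessed against the same threat list.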

Figure 14: Risk assessment components

Figure 15: Weights to compute Importance Factor (IF value)

Figure 16: Weights to compute Occurrence Factor (OF value)

Figure 17: Weights to compute Vulnerability Factor (VF value)

Figure 18: Final ranking scores

Figure 19: Cost benefit analysis of mitigated projects

5.1.3. Summary – Blue Ribbon Panel's quantitative risk assessment methodology

Quantitative methodologies are much less prevalent in risk assessments, and it appears that some of the consultants or those active in this field tend to avoid using them.

At first glance, it seems that the quantitative methodology translates the risk elements (probability of attack; vulnerability value, i.e. probability of successful attack; and aggregated consequences) into a mathematical algorithm. Expressing the risk score as the product of its parameters is widespread in the industry. However, we do not have enough information about the algorithms themselves and their relative weights, which are represented by W, for each tactic.

The most significant innovation presented by this methodology is that it relates to each of the risk elements separately for each tactic, as a relative risk and not generically, from a general perspective, as do the qualitative and partial quantitative methodologies. Additionally, the risk is presented in financial values, which allows a cost-benefit analysis in a relatively straightforward manner.

Despite the above, there are several weaknesses in the methodology itself, which include the following, among others:

The importance factor, according to our approach, represents a probability of attack variable. How the value of the various weights is determined is too general and might be biased. According to our understanding, the algorithms lack additional parameters, such as the success variable; result-influencing factors relating to casualties, damage and disruption of circulation; the adversary's characteristics; and the attack planning elements. Also, this variable, as opposed to others, is generic and not relative; i.e., it relates to risk in an absolute and not in a relative manner, in accordance with the asset element and the tactic.

In our method, the occurrence factor (OF) represents the relative vulnerability. Here, some of the parameters composing the variable are overly generic and do not necessarily represent vulnerability. How the value of the various weights is determined is too vague and might be biased. Additionally, the way in which the variable is adapted to each tactic and how it is represented in a relative manner is also unclear.

The vulnerability factor (VFi) in our method represents the potential damage resulting from a successful attack. There is confusion about this variable as a result of the use of the term "vulnerability" instead of "consequences". How the value of the various weights is determined is also too general and might be biased.

The various analytical tools that are available for the analysis of the VFi (consequences) variable in this methodology and how exactly they are carried out are unclear.

5.2. Sandia Laboratories – A Risk Assessment Methodology (RAM) for Physical Security

5.2.1. Introduction

A risk assessment methodology has been refined by Sandia National Laboratories to assess risk at various types of facilities. The methodology is based on the traditional risk equation:

Risk = PA * (1 - PE) * C,

where:

PA is the likelihood of adversary attack,

PE is security system effectiveness,

1 - PE is adversary success, and

C is consequence of loss resulting from the attack.

5.2.2. Methodology and Process

The first step in the process involves characterising the facility, identifying potential undesired events and the critical assets that may be damaged in such events. The methodology includes guidance on defining design basis threats and on estimating the likelihood of an attack on a specific asset, and estimates of the relative values of the consequence of the attack. Also included are methods for estimating the security system's effectiveness against an attack, and a calculation of the risk. If the risk is considered too high, the methodology details ways of identifying and evaluating required risk mitigation upgrades to the security system.

The seven basic steps of the risk assessment methodology are displayed below, in sequence.

Figure 20: Order and sequence of the risk assessment methodology

(1) Facility Characterisation

To characterise the facility, one must describe it (geographic location, buildings, floor plans, access points), describe the activities taking place in it and also detail any existing physical protection features.

(2) Undesired Events/Critical Assets Identification

Undesired Events – Events that may adversely affect public health and safety, the environment, the facility's assets, operation and image are site-specific, and must be defined.

Critical Assets - System components that are critical to system operation and safety must be identified, to allow prioritising risk mitigation measures later on.

Figure 21 illustrates the top-level section of a generic fault tree for facilities.

Figure 21: Top level generic fault tree

(3) Consequence Determination

This step involves classifying undesired events and loss of critical assets by their consequences.

(4) Threat Definition

Threat - Threat definition covers the type of adversary, his tactics and capabilities. The specific type of threat to a facility is referred to as the design basis threat (DBT), and includes information regarding the number of adversaries, their modus operandi, the type of tools and weapons they would use, and the type of events or acts they are willing to commit.

Likelihood of Attack - Once the threats have been identified, they must be classified according to their likelihood of occurrence. The assessment of the likelihood of attack is complex, as it relies heavily on the human element, which is hard to predict. It can be estimated with a qualitative relative threat potential parameter. Factors that can be used to estimate relative threat potential are included in Figure 22. The estimation process follows a complete threat analysis, and the parameter is estimated per undesired event and per adversary group. The basis of the parameter estimation includes:

o Characteristics of the adversary group, taking into consideration the specific asset to be protected

o The relative attractiveness of the asset in the eyes of the adversary.

Figure 22: Estimating likelihood of attack, PA

(5) Protection System Effectiveness Analysis

The design and analysis process that can be used for estimating physical protection system effectiveness is presented in Figure 23. The physical protection features must first be described to allow evaluation of security system effectiveness.

DETECTION is the discovery of adversary action - whether overt or covert. This is done through:

Sensing covert or overt actions. To detect an adversary action, a technological or human sensor must identify an unusual occurrence and raise an alert, and the sensor information must be displayed along with the assessments of subsystems, and reported. The information should make it possible to determine whether the alarm is real or false, and what caused it to be activated. The effectiveness of the detection is measured by the probability of sensing adversary action and the time required for reporting and assessing the alarm.

DELAY means impeding the adversary as he initiates the attack. This can be achieved by implementing physical means, such as walls, security doors, etc.; by sensors; and by security personnel or police present at the site. Delay effectiveness is measured by the time required by an adversary who has been detected to overcome each delay element.

RESPONSE involves actions taken by police / security personnel to prevent the adversary from perpetrating a successful attack through interruption and neutralisation. The measure of response effectiveness is the time between receipt of a report of an adversary's actions and their neutralisation.

Protection System Effectiveness – The analysis of a security system's effectiveness requires thorough understanding of the system's objectives in terms of which assets it is being implemented to protect; and the effectiveness of each of the security system's components, as well as of their integrated level of performance.

The Adversary Sequence Diagram (ASD) is a graphical representation of physical protection system elements along paths that adversaries can follow to perpetrate an attack. The most vulnerable path can be determined for each specific physical protection system and threat, and it is the path that is used to determine the effectiveness of the total physical protection system. An ASD can be developed for each critical asset associated with an undesired event.

Figure 23: Design and evaluation process outline

(6) Risk Estimation

Risk - Risk is quantified by the following equation:

Risk = PA * (1 - PE) * C,

where:

PA is the likelihood of adversary attack,

PE is security system effectiveness,

1 - PE is adversary success, and

C is consequence of loss resulting from the attack.

(7) Upgrades and Impacts

System Upgrades - If the estimated risk for the threat spectrum is regarded as too high, system upgrades should be considered. Firstly, all assumptions concerning undesired events, target identification, consequence definition, threat description, estimation of likelihood of attack and safeguards should be carefully reevaluated. System upgrades may take the form of additional safeguard features and retrofits, among others. Once these are implemented, the risk needs to be reassessed. If the risk is still found to be unacceptable, the process should be repeated until the risk level has been sufficiently reduced.

Upgrade Impact - The impact of the system upgrade on the facility's function and the cost involved are to be assessed to ensure that the upgrade will not impede the facility from fulfilling its function, that the budget for the upgrade is available, and that proper balance has been achieved between any such hindrance and the risk level. To attain such a balance, modifications in the upgrade may be necessary.
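Steps (5) to (7) can be worked through on constructed data. This added Python example is not part of the Sandia methodology or of this report: it assumes a timely-detection model (a detection counts only while the remaining delay is at least the response time) and PE = PI × PN (interruption times neutralisation), and every path, probability, time and threshold in it is invented.

```python
"""Sandia RAM steps (5)-(7) on constructed data: P_E from the most vulnerable
path, Risk = P_A * (1 - P_E) * C, and re-assessment after each upgrade."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Element:
    name: str
    p_detect: float  # probability that adversary action is sensed and assessed
    delay_s: float   # time a detected adversary needs to overcome the element


def p_interrupt(path, response_s):
    """Probability of detection while responders can still arrive in time.
    Assumption: detection occurs on reaching an element, so that element's
    own delay still counts towards the time remaining."""
    remaining = sum(e.delay_s for e in path)
    p_missed = 1.0
    for e in path:
        if remaining < response_s:
            break  # detection from here on would come too late
        p_missed *= 1.0 - e.p_detect
        remaining -= e.delay_s
    return 1.0 - p_missed


def system_effectiveness(paths, response_s, p_neutralise):
    """P_E per path is P_I * P_N (assumed model); the system's P_E is that
    of its most vulnerable path."""
    per_path = {n: p_interrupt(p, response_s) * p_neutralise for n, p in paths.items()}
    weakest = min(per_path, key=per_path.get)
    return per_path[weakest], weakest


def risk(p_attack, p_effective, consequence):
    """Risk = P_A * (1 - P_E) * C."""
    return p_attack * (1.0 - p_effective) * consequence


def apply_upgrade(paths, path_name, index, **changes):
    """Return a copy of paths with one element's attributes changed."""
    upgraded = list(paths[path_name])
    upgraded[index] = replace(upgraded[index], **changes)
    return {**paths, path_name: upgraded}


def reassess_until_acceptable(paths, upgrades, p_attack, consequence,
                              response_s, p_neutralise, acceptable):
    """Step (7): apply upgrades one at a time, re-estimating risk after each,
    until the risk is acceptable or no upgrades remain."""
    history, pending = [], list(upgrades)
    while True:
        p_e, weakest = system_effectiveness(paths, response_s, p_neutralise)
        r = risk(p_attack, p_e, consequence)
        history.append((weakest, round(p_e, 3), round(r, 5)))
        if r <= acceptable or not pending:
            return history
        path_name, index, changes = pending.pop(0)
        paths = apply_upgrade(paths, path_name, index, **changes)


# --- constructed inputs: two paths to one critical asset ------------------
PATHS = {
    "path A": [Element("entrance sensor", 0.5, 30),
               Element("staffed checkpoint", 0.8, 20),
               Element("security door", 0.2, 60)],
    "path B": [Element("perimeter fence", 0.1, 20),
               Element("service door", 0.3, 40),
               Element("inner door", 0.2, 60)],
}
UPGRADES = [
    ("path B", 0, {"p_detect": 0.8}),  # add sensing at the perimeter
    ("path A", 2, {"delay_s": 80}),    # strengthen the final door
]


def demo():
    """Relative P_A and C are on a 0-1 scale; times are in seconds."""
    return reassess_until_acceptable(PATHS, UPGRADES, p_attack=0.2, consequence=0.8,
                                     response_s=90, p_neutralise=0.9, acceptable=0.05)


if __name__ == "__main__":
    for weakest, p_e, r in demo():
        print(f"weakest={weakest}  P_E={p_e}  risk={r}")
```

The first upgrade moves the most vulnerable path from B to A, which is why the whole system is re-evaluated after each change. The second upgrade adds only delay, yet raises PE on path A because the checkpoint's detection now falls within the response window.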

5.2.3. Summary – Sandia Laboratories' Risk Assessment Methodology for Physical Security

The RAM methodology of Sandia Laboratories is based on the product resulting from the multiplication of three risk assessment parameters: Probability of occurrence, likelihood of a successful attack, and the consequences of the attack. The first two are probability parameters, with values of 0-1. The strength of the methodology as compared with methodologies originating in safety risk assessments is in the distinction of the variable "likelihood of success" (1 - PE) in the risk equation. Yet some elements in the methodology require a qualitative and quantitative clarification, including:

What is the formula and what are the qualitative variables for assessing a specific threat and scenario directed against an organisational asset?

How are the consequences of a deliberate event quantified – are they quantified in terms of harm to people, damage to physical property, direct impact on the operation, and direct and indirect effects on the environment?

6. COST-EFFECTIVE RESPONSES TO TERRORIST RISKS IN CONSTRUCTED FACILITIES

6.1. Introduction

The purpose of this chapter is to describe economic evaluation methods for cost-effectively allocating limited resources to implement mitigation strategies to reduce personal harm, financial losses and property damage. Economic evaluation methods will enable key decision makers to produce a risk mitigation plan that responds to the potential risk of terrorist attacks in a financially responsible manner. To address terrorism threats, we propose an approach based on three risk mitigation strategies: (1) engineering alternatives; (2) management practices; and (3) financial mechanisms. In order to make efficient decisions about protective measures, public transport operators and infrastructure owners and managers of constructed facilities require information about threats and vulnerabilities, and about the effectiveness and cost of protective measures.

6.2. Methodology and Process

6.2.1. Risk Mitigation Strategies

The objectives of the risk mitigation strategies are to:

(1) Detect security breaches

Detection measures are intended to alert building officials to attempted breaches before they occur (or just as they are occurring). Detection may allow building security or other personnel to prevent the attack, delay or avert its full consequences, and perhaps even capture the attackers. Examples of possible detection measures are closed-circuit television (CCTV) cameras, intrusion detection systems, alarms, motion or thermal sensors, x-ray machines, metal detectors and security patrols. These measures may be evident or inconspicuous, and may incur one-time and recurring costs.

(2) Deter terrorists from attacking

The implementation of risk mitigation safeguards can deter an attack by increasing either the resources potential attackers need to inflict a given level of damage to the facility, or the probability of being thwarted or apprehended. Mitigation may deter terrorist attacks by making the terrorists' objectives more difficult, dangerous, or costly to achieve. Deterrents are most effective when they are obvious, whereas other measures may be most effective when they are undetectable or covert. Examples of deterrents include controlled access points, security personnel and physical perimeter controls such as concrete barriers or tire shredders.

(3) Protect the facility if an attack occurs

Hardening and reinforcing the building skin, creating redundancies in critical systems and increasing standoff distances are some examples of protective measures. Included in this category are measures designed to contain or delay the attack or the onset of its consequences in order to “buy time” to activate countermeasures, or to implement damage controls. Two examples of such measures are automatic depressurisation of a room where airborne contaminants are detected, to prevent or reduce the spread of the contaminants to other areas; and installation of bulletproof wallboard to protect against shrapnel and other projectiles caused by an explosion.

(4) Apprehend transgressors

These measures help onsite security or law enforcement personnel apprehend individuals attempting or committing a security breach. Examples of these resources include trained security personnel, use of attack dogs / K9 units, video surveillance, searchlights, and sealed corridors or other exit controls.

(5) Recovery and business continuity

Recover and restore operations to allow fulfilling the mission of the facility. Building in system redundancies, establishing sheltering procedures, stocking shelters with emergency provisions and first aid, and diversifying the locations of critical facilities and systems are examples of measures that building owners and managers can take to improve survival and facilitate a facility's recovery.

6.2.2. Protocol for Creating a Risk Mitigation Plan

Producing a risk mitigation plan requires three essential components: risk assessment, identification of potential mitigation strategies and economic evaluation. Risk assessment is used to identify the risks confronting a facility. It includes development of possible scenarios of attack, probability of occurrence assessment for these scenarios, and identification of the facility's vulnerabilities and critical areas. Identification of mitigation strategies, engineering alternatives, management practices and financial mechanisms provide performance data for the possible combinations of risk mitigation strategies. The third component, economic evaluation, enables building owners and managers to choose the cost-effective combination of risk mitigation strategies and the optimal sequence for implementing them.

(1) Risk Assessment

The first step to creating a risk mitigation plan is performing a risk assessment for the facility. Risk assessment is made up of assessments of threat, vulnerability and criticality for each asset within the facility, and for the facility as a whole. Threat assessment identifies scenarios of attack, develops an understanding of the motivations behind different terrorist groups' selection of targets, and determines (absolute or relative) probabilities of attack. Vulnerability assessment includes identification of, for example, single-point vulnerabilities (SPVs), the absence or inadequacy of system redundancies, collocation of critical systems components, and exposed or easily accessible areas of the facility or its systems. Criticality assessment determines how essential the facility, its systems and its contents are to the organisation's mission and function. Threat assessment requires specific information about terrorist intentions, resources and capabilities.

Figure 24: Classification of hazards by responsiveness to mitigation

(2) Identification of Potential Mitigation Strategies

Engineering Analysis

Engineering analysis is an essential counterpart to risk assessment and economic evaluation. It helps identify potential mitigation strategies and provides the information used to assess the consequences of the attack scenarios developed in the risk assessment. While engineering analysis is useful in estimating the exposures and vulnerabilities of facilities, it also serves a critical role in the identification of potential mitigation strategies. Engineering analysis is used to: (1) identify risk mitigation measures; (2) evaluate the performance of these strategies under different scenarios.

Economic Evaluation

The final component of a risk mitigation plan is economic evaluation. Economic evaluation is critical to the process of choosing risk mitigation strategies to minimise lifecycle costs (LCC), which include expected losses from terrorist attacks and other hazards. Economic evaluation is used to combine the risk, threat, vulnerability and consequence assessments with information about mitigation strategies and their costs, to determine the most cost-effective combination of strategies to protect constructed facilities. The economic evaluation takes into account the possibility of interdependence and substitution among different strategies. For example, a building's large standoff distance from public roads and garages conveys protection from explosive devices, which affects the need for structural measures. For buildings in urban settings with limited standoff distances, however, decisions about structural enhancements would be different. The economic evaluation methods are sufficiently flexible to address the possibility that different measures can compensate for situations that are difficult or impractical to change.

6.2.3. Choosing the Most Cost-Effective Risk Mitigation Plan

The decision methodology is based on two types of analysis, four methods of economic evaluation, and a cost-accounting framework.

(1) Baseline Analysis

The starting point for conducting an economic evaluation is to perform a baseline analysis. In the baseline analysis, all data elements, and any functional relationships among these elements entering into the calculations, are fixed. For some data, the input values are considered to be known with certainty (e.g., a physical constant or a value that is mandated by legislation). Other data are considered uncertain, and their values are based on some measure of central tendency, such as the mean or the median value.

(2) Sensitivity Analysis

Sensitivity analysis measures the impact on project outcomes of changing the values of one or more key data elements or input variables, about which there is uncertainty. Sensitivity analysis can be performed for any measure of economic performance (e.g., life-cycle cost, present value of net savings, savings-to-investment ratio, and adjusted internal rate of return). Since sensitivity analysis is easy to use and understand, it is widely utilised in the economic evaluation of government and private sector applications. Therefore, a sensitivity analysis complements the baseline analysis by evaluating the changes in output measures when selected data or input variables are allowed to vary about their baseline values.

Life-Cycle Cost Method

The life-cycle cost (LCC) method measures, in present-value or annual-value terms, the sum of all relevant costs associated with owning and operating a constructed facility over a specified period of time. The basic premise of the LCC method is that to an investor or decision maker all costs arising from that investment decision are potentially important to that decision, including future, as well as present costs.

The LCC method is particularly suitable for determining whether the higher initial cost of a constructed facility or system specification is economically justified by lower future costs (e.g., losses due to natural or manmade hazards), when compared to an alternative with a lower initial cost, but higher future costs. If a design or system specification has both a lower initial cost and lower future costs relative to an alternative, an LCC analysis is not needed to show that the former is economically preferable.

t = a unit of time;

T = the length of the study period in years;

d = the discount rate expressed as a decimal.

The prefix, PV, is used to designate currency-denominated quantities (Euro, USD, etc.) in present value terms. The present value is derived by discounting (i.e., using the discount rate) to adjust all costs - present and future - to the base year (i.e., t=0).

The present value terms are: The present value of investment costs (PVI), the present value of non-investment costs (PVC), and the present value of expected losses (PVE(L)).

Because PVE(L) includes some loss categories which accrue to investment costs, and some which accrue to non-investment costs, the present value of investment costs inclusive of losses is denoted PVI', and the present value of non-investment costs inclusive of losses is denoted PVC'.

The LCC for alternative $A_j$ may now be expressed as:

$$LCC_j = \sum_{t=0}^{T} \frac{\sum_{k=1}^{K_j} I_{kjt} + \sum_{m=1}^{M_j} C_{mjt} + \sum_{p=1}^{P_j} E(L_{pjt})}{(1+d)^t}$$

Associated with each alternative are investment cost categories k (where the index k ranges from 1,…, $K_j$), and non-investment cost categories m (where the index m ranges from 1,…, $M_j$). The potential for future terrorist attacks, as well as other natural and manmade hazards, is measured by the expected value of annual losses. Associated with each alternative are expected loss categories p (where the index p ranges from 1,…, $P_j$).

The LCC for alternative $A_j$ may also be expressed in present value terms as:

$$LCC_j = PVI_j + PVC_j + PVE(L_j)$$

or, by explicitly including losses in investment costs and non-investment costs, as:

$$LCC_j = PVI'_j + PVC'_j$$

Denote the alternative with the lowest initial investment cost (i.e., first cost) as $A_0$; it is referred to as the base case. Then:

$$I_{00} < I_{j0} \quad \text{for } j = 1, \ldots, N$$

The LCC method compares alternative, mutually exclusive, designs or system specifications that satisfy a given functional requirement on the basis of their life-cycle costs, to determine which is the least-cost means (i.e., minimises life-cycle cost) of satisfying that requirement over a specified study period. With respect to the base case, alternative $A_j$ is economically preferred if, and only if, $LCC_j < LCC_0$.
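The LCC comparison above, together with a discount-rate sensitivity sweep of the kind described at the start of this section, as an added Python example (not part of the report or of the study it reviews). The two alternatives, their cost categories and all figures are constructed, and the discount rates are chosen so the arithmetic is easy to check by hand.

```python
from dataclasses import dataclass

# Category name -> cost in each year t = 0..T (one currency throughout).
Flows = dict[str, list[float]]


@dataclass
class Alternative:
    name: str
    investment: Flows       # I_kjt, investment cost categories k
    non_investment: Flows   # C_mjt, non-investment cost categories m
    expected_loss: Flows    # E(L_pjt), expected annual loss categories p


def present_value(flows: Flows, d: float, T: int) -> float:
    """Discount every yearly value to the base year t = 0 and sum over categories."""
    total = 0.0
    for category, series in flows.items():
        if len(series) != T + 1:
            raise ValueError(f"{category}: need {T + 1} yearly values, got {len(series)}")
        total += sum(x / (1.0 + d) ** t for t, x in enumerate(series))
    return total


def lcc(alt: Alternative, d: float, T: int) -> float:
    """LCC_j = PVI_j + PVC_j + PVE(L_j)."""
    return (present_value(alt.investment, d, T)
            + present_value(alt.non_investment, d, T)
            + present_value(alt.expected_loss, d, T))


def base_case(alts: list[Alternative]) -> Alternative:
    """A_0 is the alternative with the lowest initial (t = 0) investment cost."""
    return min(alts, key=lambda a: sum(s[0] for s in a.investment.values()))


def compare(alts: list[Alternative], d: float, T: int) -> dict:
    """Return each LCC, the base case, and the alternatives with LCC_j < LCC_0."""
    a0 = base_case(alts)
    costs = {a.name: lcc(a, d, T) for a in alts}
    preferred = [a.name for a in alts if a is not a0 and costs[a.name] < costs[a0.name]]
    return {
        "base_case": a0.name,
        "lcc": costs,
        "preferred_over_base": preferred,
        "least_cost": min(costs, key=costs.get),
    }


def sensitivity(alts: list[Alternative], rates: list[float], T: int) -> dict:
    """Least-cost alternative for each discount rate varied about the baseline."""
    return {d: compare(alts, d, T)["least_cost"] for d in rates}


# Constructed sample data: a three-point study period (t = 0, 1, 2).
T = 2
ALTERNATIVES = [
    Alternative(  # lower first cost, higher expected losses
        name="A0",
        investment={"structure": [1000.0, 0.0, 0.0]},
        non_investment={"maintenance": [0.0, 50.0, 50.0]},
        expected_loss={"disruption": [0.0, 400.0, 400.0],
                       "asset damage": [0.0, 200.0, 200.0]},
    ),
    Alternative(  # higher first cost (added protective measure), lower expected losses
        name="A1",
        investment={"structure": [1000.0, 0.0, 0.0],
                    "protective measure": [300.0, 0.0, 0.0]},
        non_investment={"maintenance": [0.0, 60.0, 60.0]},
        expected_loss={"disruption": [0.0, 100.0, 100.0],
                       "asset damage": [0.0, 50.0, 50.0]},
    ),
]

if __name__ == "__main__":
    print(compare(ALTERNATIVES, d=0.25, T=T))
    print(sensitivity(ALTERNATIVES, rates=[0.0, 0.25, 2.0], T=T))
```

At very high discount rates the future loss reduction no longer repays the extra first cost, which is the kind of reversal a sensitivity analysis is meant to expose.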

Present Value of Net Savings

The present value of net savings (PVNS) method is reliable, straightforward and widely applicable for finding the economically efficient choice among investment alternatives. It measures the net savings from investing in a given alternative, instead of investing in the foregone opportunity (e.g., some other alternative or the base case).

Savings-to-Investment Ratio

The savings-to-investment ratio (SIR) is a numerical ratio whose size indicates the economic performance of a given alternative, instead of investing in the foregone opportunity. The SIR is savings divided by investment costs. The LCC method provides all of the necessary information to calculate the SIR.


Adjusted Internal Rate of Return

The adjusted internal rate of return (AIRR) is the average annual yield from a project over the study period, taking into account reinvestment of interim receipts. The reinvestment rate in the AIRR calculation is equal to the minimum acceptable rate of return (MARR), which is assumed to equal the discount rate, d, a constant. When the reinvestment rate is made explicit, all investment costs are easily expressible as a time equivalent initial outlay (i.e., a value at the beginning of the study period), and all noninvestment cash flows as a time equivalent terminal amount. This allows a straightforward comparison of the amount of money that comes out of the investment (i.e., the terminal value) with the amount of money put into the investment (i.e., the time equivalent initial outlay).

A. Detailed Cost-Accounting Framework

Costs are classified along four dimensions within the detailed cost-accounting framework: (1) bearer of costs; (2) budget category; (3) building/facility component; and (4) mitigation strategy. To differentiate these costs from the generic cost categories, they are referred to as cost types and cost items. Each dimension contains a collection of cost types. The cost types are used as placeholders for summarising and reporting aggregated cost information. Each cost type is a collection of cost items. Each cost item has a unique set of identifiers that places it within the cost-accounting framework. Each dimension captures the full spectrum of costs (i.e., all costs summed across each dimension add up to the same total).

Figure 25: Overview of the cost-accounting framework: dimensions and cost types


6.3. Summary – Cost-Effective Responses to Terrorist Risks in Constructed Facilities

The highlight of the study is the comprehensive manner in which the users are being guided through the complex decision making process of browsing and selecting the most cost effective responses to terrorist risks in constructed facilities. It is worth mentioning that the study has a broad approach, which enables its adaptation to specific scenarios. Although it has a strong quantitative outlook, the framework of cost estimation is addressed in a strategic manner, which leaves room also for qualitative assessments.

One of the strong points of the report is that methodological consistency in computation, application and interpretation is provided by the usage of the ASTM International standard practices. The “standardised” evaluation methods used in this report are, however, generic, which signifies that adaptation to specific scenarios is further required in order to be fully usable in real life operation.

Protecting against low-probability, high-consequence events, such as terrorist acts and other natural and man-made hazards, complicates the capital asset decision-making process. Additional research on decision-making under uncertainty is needed to provide a better understanding of how decision makers responsible for constructed facilities respond to the way information is provided to them, how they process this information, and how they perceive extremely low probabilities.

Since the quantitative methods employed are deterministic, some of the advantages of probabilistic calculus are forgone. For example, considering that the probability distribution of events requiring cost-based decisions follows a normal distribution, in the event that a low-probability, high-cost event does occur, the perceptions of the user would shift, increasing the probability of similar events and resulting in a new heavy-tail probability distribution.

One important downside of this approach is that many investment alternatives differ in characteristics that decision makers consider important, but that are not readily expressed in monetary terms. Because the standardised evaluation methods employed in this report consider only monetary benefits and monetary costs associated with alternative investment choices, their application does not reflect the importance of these non-financial characteristics to the decision maker. When non-financial characteristics are important, decision makers need a method that accounts for these characteristics when choosing among alternative investments. A class of methods that can accommodate non-monetary benefits and costs is multi-attribute decision analysis.


7. RECOMMENDATIONS FOR THE SECURESTATION METHODOLOGY

7.1. General Requirements for the SECURESTATION Methodology

The principal and specific requirements that the SECURESTATION risk assessment methodology should meet may be discussed through a review of the expected contribution of its results to design (architectural and engineering) and risk management related decision-making.

Depending on the context and on the design phase, design teams (architects and engineers) would use the risk assessment outputs for various purposes – from validating a basic layout, in an initial phase of the design process, to optimizing the design of the station and of its technological systems (ventilation, fire protection, lighting, etc.) at a later stage. The risk assessment would allow them to take security considerations into account, along with safety and other functional and normative requirements. In some cases, security risk considerations may lead them to define different options with different costs and diverse levels of residual risk.

Design teams would also use risk assessment results to document the achieved security level and/or to discuss the possible options with their clients and the relevant authorities.

Furthermore, it is expected that end users (PTOs, IM and PTAs) may request the station design team(s) to use the SECURESTATION security risk assessment methodology, so they adopt a risk based approach during the architectural and engineering design.

The requirements that the SECURESTATION risk assessment methodology must meet should also be discussed in terms of coherence with some fundamental choices made at the project definition stage concerning the sophistication of certain computational and modelling activities. Specifically, relatively sophisticated computational models for assessing consequences (blast wave propagation, structural failures, smoke transport, etc.) are planned to be implemented in this project, and will include the formal modelling of the impact of initial events (blasts, fires, etc.) on the integrity of technological systems (HVAC, etc.). This implies that the benefits resulting from such sophistication should not be degraded to a rough approach by other risk assessment tasks, such as vulnerability estimation.

In any case, the diverse components of the assessment results (probability of attack, vulnerability, consequences) will be characterized by diverse levels of uncertainty, which should be rated / defined in a relatively straightforward manner, and should be presented along with the results. Failing to do so may preclude well-informed decision making and would diminish the value of the methodology and of its results.

Further considerations about the SECURESTATION risk assessment methodology requirements include the budget required for applying the methodology, the need to retain the services of security and consequence modelling professionals and the possible difficulties in assembling the necessary multidisciplinary team on short notice. In this respect, it is our opinion that security analysis for a “critical infrastructure”, such as a large rail station, deserves a minimum quality that can only be achieved by involving the necessary specialists. It is for instance awkward to propose a method where vulnerability computing (see below in this chapter) can be properly evaluated by someone without a professional security background, on the sole basis of what we can explain and specify in the SECURESTATION design handbook. The need for specific technical specialists is already a normal practice in the design of modern public transport facilities (e.g. underground metro stations) and some typical examples can be found in HVAC and smoke management design or in fire protection systems design.


Another major contribution of risk assessment during the design stage of a station is the possibility of incorporating risk reducing structural elements into the construction at a much lower cost than adding risk reducing measures later on, once the station is built.

Considering and combining the above considerations, the following general and basic requirements may be proposed for the SECURESTATION risk assessment methodology (“SEST-RAM”):

The methods specified within SEST-RAM will be selected for ensuring that the methodology as a whole would be as defendable as possible (methods and details that are scientifically questionable or clearly flawed should be avoided);

SEST-RAM will produce results that will be particularly suitable for decision making concerning design alternatives, taking into account the risk level of terror attacks, their nature and potential consequences (low, uncertain and variable probability of occurrence with potentially severe consequences);

SEST-RAM should be applicable in an incremental manner as the design process progresses – in particular, a preliminary evaluation of basic design should be possible before running the simulation codes for consequence analysis;

SEST-RAM will provide a basic estimation of the level of uncertainty of its results, as a minimum;

The general structure and the documentation of SEST-RAM will allow persons lacking specialised knowledge in security analysis to understand the methodology and its results;

SEST-RAM will enable risk assessment to be carried out for multiple stations in a cost-effective manner, rather than only for a small number of stations or those considered “high risk”, so that the overall result will enable a “system-wide risk assessment”.

The following section in this chapter discusses the elements and some features of SEST-RAM, in a manner that is consistent with the above general requirements. Some references will be made to methodologies that were presented in the previous chapters.

7.2. Recommended Features of the SECURESTATION Methodology

7.2.1. Risk expression

It is recommended that SEST-RAM be defined as a “quantitative methodology”, which delivers the following numerical values for each relevant scenario:

“Relative probability of attack”, $Pa_i$

Vulnerability, $V_i$

A set of consequence magnitudes, $C_{1i}$, $C_{2i}$, ...

Where the index i indicates the corresponding scenario.

Vulnerability is defined as in the Sandia RAM approach, i.e., the conditional probability that an attack corresponding to the relevant scenario is successful.


The value $P_i$ of the “relative probability of successful attack” is defined as the product of $Pa_i$ and $V_i$.

The consequences associated with a scenario would be separately expressed for the different types of loss (e.g. harm to people, damage to equipment, losses due to traffic disruption and shut down time costs, indirect cost due to increase of insurance premium, etc), thus defining a set of separate “relative risk components”:

$$R_{1i} = Pa_i \, V_i \, C_{1i}; \quad R_{2i} = Pa_i \, V_i \, C_{2i}; \quad \ldots$$

The diverse classes of consequences and the corresponding relative risk components may be summed up when expressed in homogeneous units, e.g., a monetary unit.

The values of $Pa_i$, $V_i$ and $C_{ni}$ are discussed in separate sections below.

It is therefore proposed to adopt the basic approach of Sandia RAM and further specify a set of methods, procedures and guidelines to define the scenarios, to compute the three components of the security risk equation, to rate uncertainty and to present results.

This recommended approach also appears similar to the EUMASS approach (based on information delivered by EUMASS partners).

All the other methodologies (excluding Sandia and EUMASS) described in the previous chapters implement a qualitative or semi-quantitative approach to risk evaluation, and generally do not respect the mathematical dependence of risk based on linear values (or log values) on the probability and losses. They are, however, of interest for the SECURESTATION project, because they (or other, similar methodologies) have been frequently used. Moreover, they contain specific concepts, classifications and information that may be the subject of reasoning in the development of the diverse evaluation methods within SEST-RAM.

7.2.2. Relative vs. absolute probability of attack

Definition of relative probability of attack

If:

We assume that at a certain point in time, a value can be postulated (as opposed to known) for the absolute probability of attack i for a defined scenario (to be carried out during a certain period of time),

p refers to the absolute probability that an attack will be carried out (during the same certain period of time) on the specific station

We can define the “relative probability of attack”, $Pa_i$, using the three equivalent expressions:


i = p K Pai , Pai i

Kp and KPai

i

p

Where K is an arbitrary constant and, by definition, p ii .

Reasons for skipping the evaluation of absolute probability values

The use of relative probability of attack $Pa_i$ is consistent with the conceptual model, stating that terrorists' decision making process consists of considering which station to attack and choosing the scenario, based on criteria such as target attractiveness; perceived success criteria; the adversary's 'technical' capacities; expected harm to people; damage to physical assets and traffic disruption; political and/or social impact, including the media coverage, etc.

Using the above definition of $Pa_i$ does not mean that the adversary's decision making process includes the choice of the target station followed by a choice of the tactics.

Apparently, the variable “attractiveness” used in EUMASS corresponds to $Pa_i$ with a particular choice of K.

As far as theoretical correctness is concerned, it should be pointed out that the use of relative probability of attack $Pa_i$ for risk assessment of a station over a period of time (several years), implies the simplistic hypothesis, or approximation, that risk changes over time, but the ratio of the probabilities for any two different scenarios will remain the same. However, this approximation is consistent with the context of use and with the scope of SEST-RAM.

The value p is characterised by a very high level of uncertainty, since:

p at a certain time is difficult to estimate, and its value is highly debatable;

p greatly changes over time as a result of national and international events and political decisions;

p for a certain station also changes as a result of the improvement in the level of security of other potential rail station and other target facilities in the same region.

The proposed approach is justified in principle when one considers that a station, following construction or major revamping, will not be subject to structural and technological modifications for several years, and therefore, the basic decision to be made (assuming the cost involved is reasonable) is whether or not to protect the station from terror attacks. In other terms, the updating of the estimation of p is very relevant for day-to-day optimisation of risk reduction by organisational means (inspections, deployment of patrols, surveillance of entrances, intensified controls at borders, etc.), and less so for infrastructure planning.

Conversely, the set of $Pa_i$ values is subject to little change over time for a certain adversary profile, and is useful for evaluating the expected effectiveness of risk reduction investments and recurring costs for the set of relevant scenarios.


The reason for K within the Pa definition

By summing over i, we can obtain (from Pai definition) 1

Kp Paii

ii Paii .

i = KPai is the conditional probability that, given a generic attack on the station, it will follow the ith scenario. i and Pai have the same value for K = 1 (normalisation of Pa values).

The constant K allows defining Pai as a value proportional (not necessarily equal) to i , i.e., freedom is allowed in the definition of the relative probability of attack Pai without the constraint of normalisation (the values for all scenarios are instead intrinsically normalised to an arbitrary value 1/K ).

A principal motivation for defining Pai = i/K lies in the reasoning that a terror threat on an entire region is considered, instead of regarding the station as the only relevant target.

Consider an example involving a major station, where the highest risk corresponds to a primary scenario, in which a VBIED is driven into the main hall through a glass façade and detonated, and where a secondary scenario involves an attack on an (insufficiently protected) space below a group of platforms. Let's assume that high resilience bollards are installed outside the station, making an attack following the first scenario extremely difficult to implement. In such a case, will the risk of the second scenario dramatically increase? The answer is clearly negative, if we take into account that the adversary can implement numerous alternative scenarios in other facilities in the region. The opposite answer would be correct if, for some reason, the station were the only significant target of interest, and a constant “intention to strike” were shared between different scenarios.

This observation may be perceived as a paradox (footnote 1); however, it is not if we consider that K in the recommended approach is arbitrary and is not a constant value (it may change if safeguards are introduced). In fact, the risk level decay for the first scenario will have the following effects:

1 The paradox would result in particular from the common belief that the “security level” of a facility is principally determined by the weakest point in its defence. This is true indeed when “subjectively reasoning” on defending a facility, regardless of “the rest of the world”. The proposed value of Pa is instead related to a “relative risk” associated to individual scenarios, which is a different concept and is consistent with the quantitative concept of risk when a few adversaries have a “virtually unlimited” number of alternative facilities they can choose from for their single strike. The proposed approach can be criticised in that it does not make sense to sustain costs to reduce the risk for certain scenarios and not for others, because the residual overall risk for the facility would remain high. This issue can, however, be dealt with by defining a possible criterion for decision making, which states that a critical facility should be protected (e.g., using an ALARP criterion) for all the attacks corresponding to scenarios with a certain minimum value of Pa. For all practical purposes, this criterion corresponds to the principle of “balanced protection”. The paradox could be maintained by citing the well-known example of a treasure in a room with four doors, three of which are armoured, and the fourth is a regular door, or even an open unprotected door. Such a case would, however, be treated in the proposed methodology as a single scenario with four possible sub-scenarios, and the one with the open door would be chosen for evaluating the Pa. A truly different scenario would correspond to reaching the treasure by digging a tunnel to the treasure under the room's floor.


Both Pa and will decrease for the first scenario and remain the same for the others;

p will decrease;

K will increase.

Risk reduction through introduction of security safeguards can be quantitatively modelled for the diverse scenarios in relative form, producing useful figures (for decision making) that are independent of the value of p. This implies that decision makers would use a qualitative expression to replace the “collective absolute probability” of an attack on the station, i.e., whether or not to consider the threats, or an adversary corresponding to a set of threats (see below). It is, however, possible that p is evaluated through an additional method, which is not necessarily described as a part of the SEST-RAM methodology.
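The relative risk components of section 7.2.1 and the two-scenario safeguard argument above, worked through as an added Python example (not part of the report or of SEST-RAM). The scenario labels S1 and S2, all Pa, V and C values and the safeguard factors are constructed; the implied K uses the report's statement that the Pa values of all scenarios sum to 1/K.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    pa: float           # relative probability of attack Pa_i (arbitrary positive scale)
    v: float            # vulnerability V_i: conditional probability the attack succeeds
    consequences: dict  # loss type n -> C_ni, all in one monetary unit so they can be summed

    def __post_init__(self):
        if self.pa < 0:
            raise ValueError(f"{self.name}: Pa must be non-negative")
        if not 0.0 <= self.v <= 1.0:
            raise ValueError(f"{self.name}: V is a probability and must lie in [0, 1]")


def risk_components(s: Scenario) -> dict:
    """R_ni = Pa_i * V_i * C_ni for every loss type n."""
    return {n: s.pa * s.v * c for n, c in s.consequences.items()}


def relative_risk(s: Scenario) -> float:
    """Sum of the components, valid because they share one unit."""
    return sum(risk_components(s).values())


def risk_shares(scenarios: list) -> dict:
    """Each scenario's fraction of the total relative risk."""
    total = sum(relative_risk(s) for s in scenarios)
    return {s.name: relative_risk(s) / total for s in scenarios}


def ranking(scenarios: list) -> list:
    """Scenario names ordered from highest to lowest relative risk."""
    return [s.name for s in sorted(scenarios, key=relative_risk, reverse=True)]


def rescale_pa(scenarios: list, factor: float) -> list:
    """Multiply every Pa_i by the same factor, i.e. pick a different arbitrary K."""
    return [replace(s, pa=s.pa * factor) for s in scenarios]


def apply_safeguard(scenarios: list, name: str, pa_factor: float, v_factor: float) -> list:
    """Scale Pa and V of one scenario only; every other scenario is left untouched."""
    return [replace(s, pa=s.pa * pa_factor, v=s.v * v_factor) if s.name == name else s
            for s in scenarios]


def implied_k(scenarios: list) -> float:
    """K such that the Pa values of all scenarios sum to 1/K."""
    return 1.0 / sum(s.pa for s in scenarios)


# Constructed values for the two scenarios of the station example:
# S1 = primary scenario (main hall), S2 = secondary scenario (space below platforms).
SCENARIOS = [
    Scenario("S1", pa=4.0, v=0.5, consequences={"people": 100.0, "assets": 20.0, "disruption": 30.0}),
    Scenario("S2", pa=1.0, v=0.8, consequences={"people": 50.0, "assets": 40.0, "disruption": 10.0}),
]

if __name__ == "__main__":
    print("before:", {s.name: relative_risk(s) for s in SCENARIOS}, ranking(SCENARIOS))
    print("shares unchanged by rescaling Pa:",
          risk_shares(SCENARIOS), risk_shares(rescale_pa(SCENARIOS, 10.0)))
    protected = apply_safeguard(SCENARIOS, "S1", pa_factor=0.1, v_factor=0.2)
    print("after: ", {s.name: relative_risk(s) for s in protected}, ranking(protected))
    print("implied K:", implied_k(SCENARIOS), "->", implied_k(protected))
```

No value of p is needed at any step: the safeguard lowers the relative risk of S1 only, S2 keeps its value, and the implied K rises.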

Alternate definitions of Pa

As an alternative to the definition provided above in relation to absolute risk for a station, $Pa_i$ may also be defined as a set of numbers that are believed to be, with good approximation, proportional to the probability that the adversary will adopt each of the considered scenarios.

A further possible definition is that, given any two scenarios that were considered for a certain station, the ratio of the corresponding Pa values would be a good approximation of the ratio of the probability that the station would be attacked based on the two scenarios.

Evaluating Pa for terrorist attack risk

The following factors will be considered when defining the Pa values within the SEST-RAM methodology for the scenarios corresponding to terror threats:

Importance attributed by the adversary to a successful attack;

Perceived vulnerability (adversary's estimation of his chances of success);

Additional factors that may increase the attractiveness of the specific attack in the adversary's eyes (e.g., collateral damage to a national symbol);

Difficulty in obtaining a resource, component or material required for the attack;

Difficulty in obtaining information needed to plan the attack (e.g., drawings, schemes, operating manuals, security equipment deployment, etc.);

Need for insider collaboration and difficulty in locating such an insider or infiltrating the organisation;

Evidence of successful similar attacks in the past.

The development and the finalisation of the procedure to evaluate Pa will be a principal issue handled within the framework of Task 3.2, since this appears to be the most critical element in the proposed SEST-RAM methodology, in terms of research effort, “defensibility” and “usability” for the SECURESTATION objectives.


A decision making approach, where branching is governed by the weighted impact of the above factors, is proposed as a possible model to evaluate Pa.

Validation by a set of security analysts would also be considered.

More than one terrorist organisation profile may be considered, at least when applying the methodology in certain countries or regions. In this respect, a choice must be made during the methodology development process on how to deal with multi-profile threats.

Pa naming and statistical approach

The term “relative probability of attack” for the Pa variable may be questionable, due to its subjective statistical nature (though based on a clearly stated evaluation model), and may be criticized within certain approaches. Alternate names for Pa, such as “likelihood”, “relevance” and “importance”, will be considered, to avoid misunderstandings and for the purpose of conforming to the theoretical approach (e.g., Bayesian decision theory) that the Pa evaluation method will be grounded on.

7.2.3. Adversary profile(s) definition

It is recommended that SEST-RAM include, as its first step, an explicit statement of the adversary profiles that will be considered in the risk assessment.

Adversary profile definition is particularly important for terrorist threats, which correspond to the severest possible consequences, not least because the interest of the various terrorist organisation profiles in the possible scenarios varies, and because they have different capabilities in terms of human and material resources.

This definition may be based on considerations relating to specific (national and international) reference terrorist groups. Alternatively, some generic terrorist profiles may be described and selected at the beginning of the risk assessment process.

The defined adversary profiles, however, are not limited to terrorist organisations, and may include organised crime, vandals and ordinary criminals.

Ideally, the adversary profiles definition is also prepared using inputs from national or regional authorities, and should be agreed upon and shared with the client who commissioned the station design. It is important to note that such an ideal definition process may not be viable, and a generic multi-profile standard statement may therefore need to be adopted.

Adversary profile definition has been explicitly described as a task in some methodologies, e.g., in Sandia studies, while in other cases it is carried out as part of the threat definition task, e.g., in the Security Risk Assessment Framework [R1].

7.2.4. Threats definition

Security threats relevant to stations have been discussed in Chapter 2 of this document.

Such a list / classification of specific threats would be used, together with the adversary profiles definition, to define which threats will be developed into scenarios for risk assessment.

7.2.5. Scenarios identification and selection

Risk assessments will be performed for a list of scenarios that correspond to the possible materialisation of threats within the specific station, i.e., defining a set of attacks in terms of means and attack sequence.

In some cases a set of sub-scenarios corresponding to similar alternatives for a threat's materialisation will be defined. For instance, an IED attack may take place in diverse locations (in the entire station or only in certain parts), with diverse values of Pa, V and consequences.

It is recommended that scenarios for risk assessment be defined by preparing a list of “candidate scenarios” and then refining the list by excluding some items. Such exclusion should be based on clear and defensible criteria, and therefore, the selection process should not be based on a rough evaluation of probability of attack and of vulnerability (whose evaluation is a subject of the following risk assessment tasks).

A table of scenarios will be produced from this task, and their ranking and associated parameters will be used for an orderly / a structured risk assessment process, including the presentation of results.

Guidelines will be provided in the methodology for identifying the scenarios that include cyber attacks or involve actions on technological systems.

7.2.6. Vulnerability assessment

Vulnerability assessment will be based on modelling the probability of completing the attack sequence in the presence of the foreseen safeguards.

SEST-RAM will therefore adopt the approach of Sandia's [R5] methodology for the evaluation of the conditional probability of a successful attack.

The EASI model[R9] is a principal candidate tool that may be used in SEST-RAM, with the advantage of modelling the statistical distribution of the input parameters (POD for the detection measures, etc.).

A Monte Carlo simulation of the attack sequence in parallel to the defence reaction is an alternative to be considered, also for modelling some cases for which EASI and similar models are not appropriate (e.g. the case of IED planting at night with remotely controlled or timed detonation).

A decision will be made in Task 3.2 on whether to model in the event tree only one (worst case) unfavourable outcome of the attack (corresponding to the ideal intended consequence), or to also include the evaluation of the probability of less severe consequences, associated with partially successful attacks.
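The Monte Carlo alternative mentioned in this section can be illustrated with the following added example, which is not the EASI model and is not code from the SECURESTATION project. The `Step` structure, the function name and all numerical values are constructed for illustration; the sketch assumes that detection happens at the start of a step, that an interruption always defeats the attack, and that only the single worst-case outcome is modelled.

```python
import random
from dataclasses import dataclass


@dataclass
class Step:
    name: str
    p_detect: float    # probability of detection (POD) of the safeguard at this step
    delay_mean: float  # mean time the step takes, in seconds
    delay_sd: float    # standard deviation of that time, in seconds


def estimate_vulnerability(steps, response_mean, response_sd, trials=20000, seed=1):
    """Estimate V: the probability that the whole sequence is completed
    before the response arrives, given the safeguards in `steps`."""
    rng = random.Random(seed)  # seeded so that an assessment can be reproduced
    completed = 0
    for _ in range(trials):
        # Sample the input distributions for this trial (truncated at zero).
        delays = [max(0.0, rng.gauss(s.delay_mean, s.delay_sd)) for s in steps]
        response = max(0.0, rng.gauss(response_mean, response_sd))
        interrupted = False
        for i, step in enumerate(steps):
            if rng.random() < step.p_detect:
                # First detection: the response is timely only if the time
                # still needed for the remaining steps exceeds the response time.
                # A late first detection makes every later detection late too.
                interrupted = sum(delays[i:]) > response
                break
        if not interrupted:
            completed += 1
    return completed / trials


# Constructed inputs: a basic design and one countermeasures package that
# improves detection at the first step and adds delay at the second.
BASIC_DESIGN = [
    Step("perimeter", 0.50, 60.0, 15.0),
    Step("access door", 0.80, 120.0, 30.0),
    Step("protected area", 0.90, 90.0, 20.0),
]
PACKAGE_1 = [
    Step("perimeter", 0.90, 60.0, 15.0),
    Step("access door", 0.80, 180.0, 30.0),
    Step("protected area", 0.90, 90.0, 20.0),
]


def compare_designs(designs, response_mean=150.0, response_sd=30.0):
    """Return {design name: estimated V} for a common response-time assumption."""
    return {
        name: estimate_vulnerability(steps, response_mean, response_sd)
        for name, steps in designs.items()
    }


if __name__ == "__main__":
    results = compare_designs({"basic design": BASIC_DESIGN, "package 1": PACKAGE_1})
    for name, v in results.items():
        print(f"{name:13s} V = {v:.3f}")
```

With zero standard deviations the estimate can be checked by hand: a detection is timely only at the steps whose remaining delay exceeds the response time, so V is the product of the non-detection probabilities at those steps.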

7.2.7. Consequences assessment

The following categories of losses are proposed for SEST-RAM:

Injuries and fatalities (weighted sum), i.e., consequences on persons who are directly affected by the attack;

Physical damage to assets (subdivided into stations assets, commercial activities in the station and nearby third party assets);

Direct damages related to traffic disruption and shut down time (e.g. penalties, loss of revenues, social costs, etc.);

Indirect consequences, with special reference to station loss of function.

The above loss categories are characterised by different evaluation methods and by diverse uncertainties.

Indirect consequences of a terror attack are the most important parameter to be taken into account in relation to the critical infrastructure of a large railway station. However, the evaluation of the consequences is very complex since, ideally, it first requires the modelling of the regional public transport system, and should also include an evaluation of the economic impact on the region (the evaluation of “social consequences” would add further complexity). For this reason, and taking into account the decision making scope of SEST-RAM, Task 3.2 should consider the definition of a less severe alternative to rate this type of loss.

The three loss categories may use non-homogeneous units (e.g., number of deaths and injured persons, M€ and a non-dimensional rating of public transport disruption in the region). Their conversion into currency units should be regarded as an optional step, which may not be required each time SEST-RAM is applied.

7.2.8. Risk and risk reduction results presentation

The presentation of results produced when implementing the SEST-RAM methodology is a crucial issue, because decision making would not be the responsibility of the security analyst. It is therefore important for the decision maker to be able to access the information included in the results without losing important content, without misunderstandings and without necessitating a deep understanding of all background technical topics.

A major challenge is, therefore, aiming for straightforward understanding of results without sacrificing their correctness.

Risk, Risk Factors and Risk Reduction

As discussed at the beginning of the chapter, the SEST-RAM methodology will deliver results in the form of the three risk factors: “relative probability of attack”, “vulnerability” and “consequences”; and each of these three values will be associated with a rating of the corresponding uncertainty.

The multiplication of the three risk factors produces a “relative risk value” that may be helpful for ranking the diverse scenarios using one single number, but in general, it is important to preserve the “visibility” of the three factors in the presentation of the assessment results.

A primary reason for presenting risk through the triplet of risk factors (or at least by the product of the two probabilistic factors and by consequences) is that the same risk value generally corresponds to an infinite number of triplets with diverse ratios of the factors and corresponding diverse “risk situations”. It is a particularly common observation (also in safety risk analysis) that a low probability scenario with very severe consequences cannot be considered “fully equivalent” in risk terms to a scenario with a rather large probability and moderate consequences.

An explicit presentation of the three risk factors is very important also for presenting the reduction of risk that may be attained by implementing a certain set of countermeasures. In fact, the effectiveness of different countermeasures in dealing with the three risk factors generally varies:

The reduction of direct damage to persons and assets is principally achieved through design changes in architectural and technological features, and by improvement in rescue operations;

The reduction of indirect consequences is principally achieved by design features and contingency plans that reduce the time to restore the station's functionality;

The reduction of vulnerability corresponds to improving the protection of the station by installing security technologies, introducing architectural features and organisational security;

Mitigating consequences may also mitigate risk by reducing the motivation to strike, and hence – the probability of attack;

Reducing vulnerability by non-covert active defence also affects the probability of attack by what is referred to as dissuasion;

The protection of sensitive technical information concerning the station may reduce the probability of attack for certain scenarios, and in certain cases, the vulnerability as well.

Risk reduction can be expressed in relative terms, i.e., by a fraction or percent value indicating the relative risk abatement or the residual risk reduction. The use of percentages or fractions is particularly expressive and informative if made for the three risk components.

Since risk is calculated by multiplying the three risk factors, the overall risk reduction corresponds to the multiplication of the relative risk reduction for each of the three factors.

The overall risk reduction fraction should be presented, and probabilistic and loss components should also be delivered to allow evaluating the risk reduction strategy and for the purpose of understanding the nature of the resulting residual risk.

An interesting advantage of expressing risk reduction in relative terms (by fractions or percentage) is that the uncertainty is only associated with the confidence level of the model used to predict the influenced factor. For instance, the uncertainty regarding the consequences does not influence the relative risk reduction, if a security measure only reduces the vulnerability and the probability of attack.

This consideration also applies to the unknown factor that links absolute and relative risk for a certain scenario. For instance, stating that a certain security measure reduces risk for a certain scenario by 95% or by a factor 0.95 is a statement on the effectiveness of that particular measure, irrespective of the presence of other risk factors relating to the infrastructures in the region, and of risk fluctuation over time.

Benefits from using logarithms and logarithmic graphs of risk and risk factors

Probability (absolute and conditional values) and loss are expressed as such in quantitative safety risk analyses. Logarithmic graphs are, however, frequently used in presenting results, because the actual values (we'll refer to these as “linear values”, as opposed to using their logarithms) fall in ranges that are several orders of magnitude wide.

Probability, loss and risk values in semi qualitative analyses of both safety and security (much more frequently in security) are instead often expressed as integer values, and these “ranks” are usually also labelled using expressions such as “very low”, “moderate”, “high”, etc.

One advantage of “integer ranking” is that the human mind apparently maps numbers with a very large variation (several orders of magnitude) with a “perception scale” that is close to a log scale. However, expressing results in such a way is frequently limited by the loss of the mathematical relationship between the integer rank and the corresponding linear value or interval. Some common violations of risk metrics that are made in semi qualitative methods are:

Associating numerical ranges to probability or damage by a log law with diverse basis, or by a non-linear and non-log law;

Computing risk ranks by multiplying probability rank and consequence rank, the latter being log values or “quasi log” values (R = P*C implies log R = log P + log C).

The proposal is thus built on using logarithms of relative attack probability, vulnerability, consequences and relative risk, instead of the corresponding linear values as the preferred manner of presenting the SEST-RAM results, both in tabular and in graphic representations (e.g., in histograms of risk factors for the diverse scenarios).

A further advantage of using log values of risk factors and risk is that, when expressing uncertainty in relative values (fraction of the given value), fractional uncertainty of values converts into additive values of the corresponding log (e.g. R = 5300 ± 30% corresponds to log R = log 5300 ± log 0.3).

Risk reduction in log form has the very attractive feature that the total risk reduction is simply the sum of the logarithms of the fractional reductions of each of the three components. It is thus immediate and easy to see the relative contribution of consequences reduction, vulnerability reduction, etc.

Quantifying the relative risk reduction using log values could be done using the dB (deciBel) formalism. Expressing risk reduction through implementation of a certain countermeasure in dB offers the attractive possibility of defining risk dB, vulnerability dB and consequences dB. However, the relevant partners should discuss whether risk dB should be recommended for the presentation of SEST-RAM results, as it is unclear how well understood such a presentation would be to all parties concerned.
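A worked calculation for the log and dB presentation described in this subsection, added here as an illustration and not taken from the SECURESTATION deliverable or any project software. The factor values, the function names and the use of the 10·log10 convention for dB are assumptions made for the example; it also shows why multiplying log-type ranks, one of the violations listed above, can reverse a ranking.

```python
import math

FACTORS = ("Pa", "V", "C")  # relative probability of attack, vulnerability, consequences


def relative_risk(triplet):
    """Relative risk value: the product of the three risk factors."""
    return triplet["Pa"] * triplet["V"] * triplet["C"]


def reduction_report(baseline, mitigated):
    """Risk reduction per factor and overall, as residual fraction, log10 and dB.

    dB is taken here as 10*log10(mitigated / baseline), so a negative value
    is a reduction and the three factor values add up to the risk value.
    """
    report = {}
    for f in FACTORS:
        residual = mitigated[f] / baseline[f]
        report[f] = {
            "residual_fraction": residual,
            "log10": math.log10(residual),
            "dB": 10 * math.log10(residual),
        }
    report["risk"] = {
        # Linear form: the product of the three residual fractions.
        "residual_fraction": relative_risk(mitigated) / relative_risk(baseline),
        # Log forms: the sum of the three per-factor contributions.
        "log10": sum(report[f]["log10"] for f in FACTORS),
        "dB": sum(report[f]["dB"] for f in FACTORS),
    }
    return report


def order_by(scenarios, combine):
    """Scenario names from highest to lowest score, where each scenario is a
    (probability rank, consequence rank) pair and score = combine(p, c)."""
    return sorted(scenarios, key=lambda name: combine(*scenarios[name]), reverse=True)


# Constructed values for one scenario, before and after a countermeasures package.
BASELINE = {"Pa": 0.2, "V": 0.1, "C": 5000.0}
MITIGATED = {"Pa": 0.1, "V": 0.01, "C": 2500.0}

# Constructed log-type ranks (rank = log10 of the linear value) for two scenarios.
RANKED = {"A": (1, 6), "B": (3, 3)}

if __name__ == "__main__":
    for name, row in reduction_report(BASELINE, MITIGATED).items():
        print(f"{name:5s} residual={row['residual_fraction']:.3f} "
              f"log10={row['log10']:+.3f} dB={row['dB']:+.2f}")
    # Multiplying log ranks puts B first; adding them (equivalent to
    # multiplying the linear values) puts A first.
    print("product of ranks:", order_by(RANKED, lambda p, c: p * c))
    print("sum of ranks:    ", order_by(RANKED, lambda p, c: p + c))
    print("linear product:  ", order_by(RANKED, lambda p, c: 10 ** p * 10 ** c))
```

In this constructed case the vulnerability contribution (-10 dB) dominates the total of about -16 dB, which is the kind of per-factor visibility the text argues for.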

Non-dimensional consequences, log biasing and use of words for value ranges

Using a dimensional base unit to divide the values of consequences (transforming their values into dimensionless ones) is appropriate if the log values are used.

In general, it may be appropriate to use arbitrary scale factors for linear risk factors, and therefore, to use an arbitrary biasing of their logarithms. This allows expressing risk factors with (log) “ranks”, which may be more “aesthetic” in the presentation of results (for example, vulnerability can be plotted by its log, and in such a case, its reasonable range from 10^-4 to 1 would correspond to the log range -4 ÷ 0.0; using a multiplying factor of 10^5 may change the log range to 1.0 ÷ 5.0 and be more suitable for presentations).

The log values (e.g. the range 1.0 ÷ 5.0) can also be associated with expressions such as “very low”, “moderate”, “high”, etc. The use of tables to explain these correspondences (verbal expression, biased log value, linear value and possibly examples corresponding to the magnitude) is a way to combine the easy reading of results by “scores” with a correct treatment of the risk factors values.

Further improvements of results legibility by certain graphical representations

The communication of quantitative results to decision makers may be further improved by choosing certain graphical representations.

The use of log graphs allows drawing coloured bands corresponding to log ranges (e.g., a band for 1÷2, another for 2÷3, etc., corresponding to linear values separated by factors of 10), and allows plotting symbols at decimal values on a background corresponding to integer values.

A particular case is a bi-log diagram of probability and consequences where points can be plotted for scenarios while preserving the look of a discrete risk matrix in the background. In this case, the colour may be assigned to the “equivalent cells” of the background matrix.

An alternate possibility is using tint for representing the distribution of risk in the diagram background without discrete steps.

Uncertainty ranges are very effectively rendered by graphics. For instance, uncertainty ranges can be overlapped with histograms, while ovals or orthogonal uncertainty ranges can be associated with value points on log-log risk diagrams.

7.2.9. Risk reduction, organisational security and countermeasures packages

It is recommended that the process of defining and evaluating countermeasures to reduce risk be carried out according to the following steps:

Define and describe the expected organisational means and measures to support station security;

Execute risk assessment for a basic design;

Examine the scenarios with a higher residual risk (to be certainly or possibly mitigated);

Identify design modifications, additional technological features and organisational features that may improve security for such critical scenarios;

Group such possible sets of security enhancement means in a small number of “countermeasures packages”, ideally not more than three packages;

Evaluate capital and recurring costs for the countermeasures packages;

Evaluate risk in association with the identified countermeasures packages;

Present results to decision makers.

The above general procedure has already been proposed and used in security risk management, and the following considerations explain the reasons for some of its features:

Risk and risk reduction are highly dependent on organisational security – it is generally unfeasible to assess security risk for a station without making clear assumptions on the security organisation;

Security risk reduction is effectively achieved by the concurrent effects of technological, structural and organisational means;

Evaluating the effectiveness of single countermeasures in terms of a single number is generally impossible, because effectiveness changes depending on the presence of other countermeasures;

Evaluating risk reduction for single security means (as opposed to countermeasures packages) would imply a multiplication of results sets with a consequent higher assessment cost and an increased complexity for the decision makers.

Grouping of countermeasures into packages is generally performed by security specialists. A formal process involving the combinatorial generation of alternate packages and the corresponding evaluation of effectiveness is theoretically possible but practically unfeasible, unless complex software is available to carry out the entire process automatically.

A useful way to present the impact of the single countermeasures on risk reduction is a table with rows and columns corresponding to scenarios and countermeasures, with a value in each cell that is a qualitative expression of the effectiveness or importance for risk reduction.

7.2.10. Risk acceptability and decision making

Risk tolerability or acceptability is usually defined (for mitigated and for unmitigated risk) through the use of risk matrices or graphs, where the two dimensions are the probabilistic factor and the loss factor. However, it is not always true, particularly for security (vs. safety), that the acceptability threshold is defined by a certain (relative or absolute) single value of risk. In particular, it is possible that very low consequences are considered acceptable with a relatively high probability, while the same value of risk is considered less tolerable for a much higher loss with low probability. Furthermore, such diverse acceptability of risks for diverse consequence values is generally not the same for diverse classes of damage (direct and indirect damages).

It is also common that an intermediate risk 'region' is defined, where risk is considered difficult to accept, but can be tolerated if mitigation measures are impractical to implement, or are far too expensive.

Diverse combinations of probability and damage resulting from security events may lead to comparing residual risk to the usual occurrence of certain types of crimes that are more or less considered “normal” or “almost inevitable”. In the particular case of indirect risk (station unavailability/downtime) the acceptability of risk for medium-short service interruptions is typically related to the acceptance of the equivalent unavailability resulting from technical failures (equipment faults, extreme weather, etc.).

Decision making is, of course, based on (mitigated and unmitigated) risk and on the cost of risk reduction. In this respect, using the standard methods for expressing capital and recurring cost along the lifecycle of the station and its technology systems is indeed advisable. However, the combination of lifecycle cost with risk reduction for providing an absolute index upon which to base decisions is questionable in the case of terror-related security risks, mostly due to the very high uncertainty of absolute attack probability and to its unknown variability over time.

A special aspect of security costing that concerns stations and similar infrastructures is that risk reduction is achieved by structural and technological investments with a lifecycle of decades, and by organisational security, the cost of which can be partly modulated over time, depending on the regional threat level.

Decision making is particularly difficult when the desired risk reduction requires heavy investments. In these cases, the decision is typically made by, or in conjunction with, the relevant authorities. In such cases, deciding to invest more or less money to provide a more or less secure and resilient station ideally falls into the domain of “strategy”, as intended in the context of defence (it is similar to deciding whether to commission design and construction of a number of new vessels or tanks with specific characteristics).

Due to the above considerations, it is advisable that the SEST-RAM methodology leaves decision makers with a measure of flexibility concerning the acceptability of unmitigated and mitigated residual risk for the diverse scenarios and for the diverse classes of consequences. The presentation of risk and risk reduction in terms of probability of attack, vulnerability and the value of diverse types of damage for each scenario is particularly advisable, to allow “flexible well-informed decisions”.

7.2.11. Risk assessment for non-terror threats

Most of the recommendations detailed above for the development of the SEST-RAM methodology in Task 3.2 refer to risk from terror threats.

Some threats, such as riots, vandalism, arson as a form of retaliation by organised crime, etc. are not classified as terror threats, but should be included in the assessment, since they may result in severe consequences, and as the risk they pose can be mitigated similarly to the risks presented by some terror threats. The above recommendations concerning the SEST-RAM methodology are generally valid for these threats as well.

Some other crimes may / should also be considered, such as pick pocketing, ATM or ticket fraud, violence against individuals, robbery, vandalism, graffiti, fare evasion, etc. A decision should be made concerning the inclusion of such crimes within the scope of the SEST-RAM methodology, at least because none has the potential to affect the critical mission of the station. However, if such crimes are excluded from the assessment, some specific guidelines may be provided in order to qualitatively evaluate if a certain design positively or negatively affects their occurrence.

7.3. SECURESTATION Benchmark Methodology

The SECURESTATION project plan foresees that an existing methodology will be chosen as a “benchmark methodology” and applied in parallel to SECURESTATION SEST-RAM to a benchmark station.

Section 7.2 above has been included in this report also because the choice of the benchmark methodology can be best achieved if the general features of the SEST-RAM methodology are identified.

The decision on which methodology to use as a benchmark is documented below in terms of first choosing between groups of methodologies, and subsequently selecting specific features of the residual candidates.

Choosing the type of benchmark methodology

The envisaged SEST-RAM methodology is a relatively high-end one, particularly in terms of formal foundations, skills required, assessment effort, sensitivity and information contents of results. In this respect, the first issue to be addressed is whether the benchmark methodology should be a similar one (one of the “most quantitative” methodologies presented in this report) or, on the contrary, a qualitative or semi-qualitative one, i.e., one whose suitability and effectiveness are questionable and which will deliver coarse results, yet is more straightforward, simpler and faster to use. The following table lists some pros and cons of these two basic options.

| Issue | Simpler benchmark methodology | High-end benchmark methodology |
|---|---|---|
| Possibility to compare the list of scenarios | Possible | Possible |
| Possibility to compare the level of detail in the scenario definition | Possible | Possible |
| Possibility to compare the sensitivity of results to architectural options and to building details features | Possible, but likely limited to qualitative observations | Possible with greater detail |
| Possibility to compare the sensitivity of results to alternatives in safety technological systems (HVAC, fire protection) | Possible, but likely limited to qualitative observations | Possible with greater detail |
| Possibility to compare the sensitivity of results to alternatives in security technological systems | Possible, but likely limited to qualitative observations | Possible with greater detail |
| Possibility to compare the clarity and the level of detail and coverage of the delivered results | Possible | Possible |
| Possibility to compare the assessed values of probability of attack, vulnerability and consequences | Low possibility, i.e., limited to checking if similar or widely diverse | Possible (with some interpretation required for some values in certain methodologies) |
| Possibility to compare the uncertainty in results | Barely possible, and with limited significance | Possible, but generally requiring a considerable additional effort |
| Effort required for applying the benchmark methodology | Lower | Higher and largely depending on the availability of a supporting SW application |
| Need for skilled analysts | Lower | Higher |
| Need to modify or complement the methodology in order to apply it to the benchmark station design | Depending on the actual methodology | Depending on the actual methodology |
| Completeness of the available documentation for applying the methodology | Depending on the actual methodology | Depending on the actual methodology |

Table 5: Comparison parameters for choosing the type of benchmark methodology

Based on Table 5 above, a decision was made to select the benchmark methodologies among the high-end “most quantitative” ones.

Choice of the benchmark methodology

The choice has been, therefore, restricted to the following methodologies, from those described in the previous chapters:

EUMASS

FHWA - BRP

Sandia labs

The main reason FHWA has been excluded from the list is that the available documentation lacks essential explanations on how some of the results are computed.

EUMASS has been selected as the most appropriate benchmark methodology for the following main reasons:

EUMASS was explicitly developed for assessing security risks faced by mass transport, and optimised in terms of results quality vs. application effort;

A collection of software modules has been developed to support the application of the EUMASS methodology (only the EASI model and possibly some other vulnerability assessment computer models would be available for the Sandia methodology);

Even though the EUMASS methodology and the corresponding software are not fully in the public domain, two SECURESTATION partners participated in its development and possess the most knowledge on the methodology and the possibility of using the associated software;

Sandia Labs' methodology is well documented and is very flexible, but its application to a railway station requires the development of some specific methods (e.g., for the evaluation of indirect consequences, modelling of some scenarios, presentation of results, etc.); the entire additional development activity would require defining a task that may be perceived as a substantial duplication of the developments within Task 3.2 for the SECURESTATION SEST-RAM methodology.

