Monday, September 14, 2009

Reader Comment 09-11-09 Aphorisms

Anonymous left a brief reply to Friday’s blog on the 9-11 anniversary. The comment was short, so I’ll post it in its entirety here. Anonymous wrote: “‘Those that try to defend everywhere, defend nowhere’”.

Aphorisms are nice, short, sweet sayings that attempt to communicate a complex idea in a simple way. Unfortunately, they seldom achieve their objective because it is too easy to contradict the saying with a couple of counterexamples. In this case, any military man will be quick to see the error in this saying: you must defend everywhere or else the enemy will just go where you are not. A good defender will concentrate his forces in the areas most likely to be attacked, but will leave at least a thin screen of defenders across the entire front to detect an unconventional approach. If such an approach is detected, an appropriate response will be developed and implemented.

You Can’t Protect Everything Equally

Now, if Anonymous meant that you can’t protect everything equally, I would have to agree. If you spread limited resources too thinly, then nothing will be adequately protected. This is why there has been a continuing emphasis on risk-based security. This means that one takes a detailed look at what the risk is for a particular site or activity and then plans the security accordingly.

Of course, the problem lies with how to calculate risk. Risk is a product of likelihood of occurrence and the consequence of the event. Event consequences are relatively easy to define for the most part. It is the frequency or likelihood of occurrence that is more difficult to establish.

In process chemistry we assumed that failures (equipment failures or personnel mistakes) were essentially random events and that we could thus predict the number of occurrences in a given period of time from past history. We would then establish a risk matrix based on the severity of the result and the predicted frequency of occurrence.
This would allow us to establish the number of safety procedures required and prioritize their implementation. For example, a high-frequency event (once every five years, for example) that had a serious consequence (on-site personnel injury or serious equipment damage) might require two preventive actions, at least one of which would be required before unit start-up. A low-frequency event (once every 20 years) with a low consequence (out-of-spec product) would require a single preventive action within six months of unit start-up.

It is more difficult to establish a risk response matrix for non-random events like potential terrorist attacks. For chemical facilities DHS has established a formal evaluation technique to establish such a matrix; it is known as the Chemical Security Assessment Tool. While DHS has not revealed the details of exactly how it determines which of four risk tiers a facility will be assigned to, those tiers are the risk response matrix for high-risk facilities. Tier 1 facilities will be required to implement more security than a Tier 4 facility because their risk is higher.

Does Low Risk Mean No Risk?

DHS initially looked at over 30,000 chemical facilities to determine which facilities in the United States would be classified as high-risk facilities. These facilities were selected from a much larger number of chemical facilities using the presence of one of 300+ chemicals as the screening criterion. Now that we know which are the high-risk facilities that will have their security regulated by DHS, what does that mean for the remaining chemical facilities in this country?

Not ‘high-risk’ does not mean ‘no’ risk. There is a continuum of risk that extends from those facilities that just missed the cut of being labeled high-risk through the lowest-risk facility in the country. There is no such thing as a no-risk facility.
DHS was given the job of regulating only high-risk companies because Congress realized that they had limited resources and could only spread them so thin. That does not mean that the remaining facilities need not worry about their facility security. It just means that the lower-risk facilities will have to look after their own security without the assistance and oversight of the Infrastructure Security Compliance Division of DHS.

There is another DHS program that will provide some assistance for those facilities in evaluating their security program. I’ll look at that program later this week.
