Tuesday, March 2, 2010

Reader Comment 03-01-10 Target Mindset

Snyderman posted a comment about my earlier blog posting about the MTI report on the threats against Hazmat trucks. The complete comment is appended to the end of that blog, but Snyderman did write, in part:
“Between your mindset, and that of the government Bureaucracy, lets view everything as a possible weapon and force business to spend significant amounts of time and money to protect against something that MIGHT have a probability of .0000001 of happening.”
This is an interesting response to a posting that was looking at comparative risks between different types of hazmat transportation and did not advocate any type of security measures. Having said that, this is a relatively common response in many parts of the business community and deserves to be aired and addressed. First off, the basic premise of this attitude is absolutely correct, you cannot protect everything. Even if you had a huge amount of money available that wasn’t needed anywhere else, there would always be something else that a creative mind could find to target. Finally, even really good security systems do not provide absolute protection; there is always someway that someone can evade even the best security system. Risk Assessment So, instead of trying to protect everything, we concentrate our efforts on identifying the highest risk targets and trying to adequately protect them. The security professional does this in the full knowledge that most security money is wasted, the probability of any individual potential target actually being attacked is relatively low; and if the target is not attacked then the security measures were not ‘needed’. Except that one will never know if a terrorist considered attacking the facility, but was deterred from the attack because of the presence of the ‘wasted’ security measures. This means that the proper allocation of limited security resources requires the assessment of relative risk. In the CFATS program for instance this means that we limit our security assessment to just those chemical facilities that contain a relatively small list of dangerous chemicals. This limited our initial assessment to just 30,000 facilities that had the potential to be at high-risk for a terrorist attack based on the objective standard of the presence of chemicals that were present in a large enough quantity to be of potential threat of an off-site consequence in the event of a successful attack. Again, objective risk assessment criteria were used to whittle this universe of chemical facilities down to a significantly smaller list of high-risk chemical facilities. Even that list was further modified by evaluating the relative risk and assigning each facility to four categories, or tiers, or relative risk. Then we expect each facility to structure its security program based upon its relative risk of a terrorist attack; the highest risk facilities will have the most aggressive and thorough security measures. But, we realize that even the highest risk facilities are individually unlikely to actually be attacked by terrorists. Unfortunately, the consequences of a successful attack on these facilities is so high that it is reasonable to make the expenditures to lower the probability of such an attack being successful even lower. Risk Identification The ability to perform a reasonable risk assessment is predicated upon the ability to identify potential risks and the factors that affect the level of risk. This is the type information that DHS was requesting that the Mineta Transportation Institute (MTI) develop for the Hazmat trucking industry. Identifying what types of cargos are potentially at risk of being attacked by terrorists and the factors that could affect that risk is an important first step in developing a risk assessment procedure. Only after we develop a reasonable risk assessment process can we start to have a legitimate discussion about what types of security measures may or may not be needed to provide an acceptable level of protection against a potential terrorist attack.

1 comment:

Anonymous said...

. . . regarding Risk Management and the statement:
"The security professional does this in the full knowledge that most security money is wasted, . . ." The security professional could also recognize that if a target was not attacked, then certain deterring safeguards were successful and the security money, in fact, was not wasted.

/* Use this with templates/template-twocol.html */