Dear Fellow SARMA Members,
As summer draws to a close, there is much to look forward to at SARMA!
In September, we will hold a half-day symposium on the Implementation of PPD-8 and the National Preparedness System. Scheduled for September 19, 2012, and co-hosted by Virginia Tech's Research Center in Arlington, VA, this event will bring together federal, state, and local government leaders, as well as private sector and non-governmental organizations, to assess where we are with this initiative, identify current challenges, and discuss opportunities for improvement. Our Keynote Speaker will be Mr. Eric Runnels, Executive Director of the PPD-8 Program Office at the Federal Emergency Management Agency (FEMA). He will be followed by two panels that will examine PPD-8 implementation from a variety of stakeholder perspectives. Check out the current agenda and register through the SARMA Conferences and Events Website.
On October 30, we will hold our 6th Annual Conference on Security Analysis and Risk Management. Again co-hosted by George Mason University's Center for Infrastructure Protection and Homeland Security, this year's theme is "Professionalizing Security Risk Management." We will examine this issue via three tracks: 1) the Security Risk Management Profession; 2) the Application of Security Risk Management Principles; and 3) Challenges and Innovation in Security Risk Management. To see the latest agenda and to register for this highly anticipated annual event, please visit the SARMA Conferences and Events Website. I'm also pleased to announce that we have just added a second corporate sponsor - ABS Consulting!
As I noted in last month's issue, the annual conference also serves as an opportunity to elect new members to the SARMA Board of Directors. This year, SARMA is seeking qualified nominees to fill six seats. We invite you to consider nominating a member in good standing with the Association who would be willing to represent the interests of their colleagues in the profession. To read more about the nominating process and requirements, please view the SARMA Nominating Committee's official Call for Candidates. All nominations for the SARMA Board of Directors must be received by SARMA and/or postmarked by midnight, September 15, 2012, to be considered for this year's elections. Similarly, the annual conference provides an opportunity to recognize outstanding contributions to the security risk management profession and SARMA. To read more about the nominating process and requirements, please view the SARMA Award Committee's official Call for Nominations. As with nominations for the SARMA Board of Directors, all nominations must be received by SARMA and/or postmarked by midnight, September 15, 2012, to be considered.
Finally, as some of you may recall, SARMA conducted a first of its kind survey of security risk practitioners in 2009. While rudimentary, that effort identified a number of needs within this emerging profession that then were used to inform the development of the Association's first strategic plan. This year's conference, coming eleven years after the events of September 11, 2001, offers the perfect opportunity to revisit what defines the security risk profession and what its needs may be in the years ahead. In that regard, I am pleased to announce that we will initiate a new survey effort in the months leading up to the annual conference, and then weave the findings into a number of the planned sessions. Much more to follow on this in the weeks ahead!
Kerry L. Thomas
In The News
FEMA To Change Frequency of State Mitigation Plan Update Requirement
The Federal Emergency Management Agency (FEMA) is exploring rule changes governing how frequently states must update their State Mitigation Plans, according to David Kaufman, FEMA policy director. Kaufman made the statement in a written response to a DHS Inspector General report, Survey of Hazard Mitigation Planning, in which several states told the IG that they were wasting time and money updating their plans every three years. The proposed change would lengthen the update interval from three years to five.
FEMA uses its guidance and funds to encourage state, local, and tribal jurisdictions to identify natural hazards and to implement projects that would reduce losses from disasters. Although the program is voluntary, all 50 states and Washington, D.C., as well as several territories participate in it. More than 26,000 jurisdictions have produced mitigation plans, covering about 70 percent of the U.S. population.
"Mitigation activities may be implemented before, during, or after an incident," the IG report noted. "However, it has been demonstrated that hazard mitigation is most effective when based on an inclusive, long-term plan that is developed before a disaster occurs. Two recent cost-benefit analyses found that every $1 spent on mitigation saved society $3 to $4."
Since the first round of approval for mitigation plans in 2004, FEMA has reviewed and assessed more than 5,000 mitigation plans and distributed more than $5.2 billion in hazard mitigation grants, the IG reported.
Mitigation planning grants include the Hazard Mitigation Grant Program, the Pre-disaster Mitigation Grant program and the Flood Mitigation Assistance program.
The Leading Edge Today Digital Report: Biometrics & ID Management
A new digital report from Homeland Security Today's Multimedia Division combines feature stories, guest commentaries, market analysis and video coverage of the most important technology, policy and program developments in biometrics.
In This Issue:
* The Future of US-VISIT: Inside one of the most successful biometric programs in history.
* The Power of Biometrics: Serco Inc. helps the State Dept. match identities.
* Mobility & Biometrics
* Biometrics Market Forecast
* The Grid: News, Gadgets, Tips
* Seven demos of biometrics that really work
View The Digital Report
NYPD, Microsoft Launch Domain Awareness System
By Dan Verton
New York City, working in close partnership with Microsoft Corp., on Aug. 8 announced the full deployment of a new system designed to aggregate and analyze public safety data in real-time, and provide law enforcement officers with a comprehensive view of emerging terrorist threats and criminal activity.
Mayor Michael Bloomberg, flanked by New York Police Department (NYPD) Police Commissioner Raymond Kelly, said the so-called Domain Awareness System will feed real-time data from the city's existing infrastructure of security cameras, radiation detectors, license plate readers, and 911 calls onto a dashboard of large screen displays located at the Lower Manhattan Security command center.
The system was developed jointly by Microsoft and members of the NYPD. Microsoft handled what Bloomberg referred to as "the technical and engineering muscle" -- the coding and system architecture -- and the NYPD set out the system requirements, which were developed through an exhaustive series of focus groups with patrol officers and members of the 1,000-strong counterterrorism division. Microsoft has agreed to pay the city 30 percent of its gross revenues on the sale of the system to other customers worldwide.
New York City has approximately 3,000 closed-circuit TV cameras connected to the Domain Awareness System. The majority of these cameras are in Lower Manhattan -- south of Canal Street, from river to river -- and in Midtown Manhattan, between 30th Street and 60th Street, from river to river. Each camera is programmed to send an automatic alarm if it records a suspicious package. The NYPD has also begun to expand camera coverage throughout the boroughs outside of Manhattan.
Likewise, the city has deployed more than 2,600 radiation detectors around bridges and tunnels, as well as on police cars, the roofs of precinct buildings and even on police officers' belts.
Jessica Tisch, director of policy and planning in the NYPD Counterterrorism Division, provided a live demonstration of the Domain Awareness System, during which she walked reporters through the three main focus areas of the system: real-time alerting, investigative support and crime analysis.
Watch The Briefing & Demo
SARMA's 6th Annual Conference: Save The Date!
The Security Analysis and Risk Management Association is pleased to announce that its 6th Annual Conference will be held from Tuesday, October 30, through Thursday, November 1, 2012, in Arlington, Virginia.
SARMA's annual conferences are renowned as the primary outreach event for the security analysis and risk management community, and we expect to attract approximately 300 participants this year. Held in partnership with the George Mason University School of Law's Center for Infrastructure Protection and Homeland Security (CIP/HS), the conference is an exceptional forum for collaboration, information sharing and networking, with a wide array of practitioners from federal, state and local governments, private industry, and academia in attendance.
Our theme this year is "Professionalizing Security Risk Management". Further details will be announced shortly when we activate our conference registration site. In the meantime, please save the date on your calendars -- and we hope to see you this fall!
Risk Management of the Maritime Terrorist Threat
By Richard Adler, PhD.
Since the terrorist attacks of September 11, 2001, the United States Coast Guard (USCG) has conducted an aggressive terrorist risk analysis and management program focused on direct and exploitation attacks.
This program developed the Maritime Security Risk Analysis Model (MSRAM). The methodology and its software tool are used to identify, characterize, and quantify risks from terrorist attacks based on the Department of Homeland Security (DHS) model of Risk as a function of Threat, Vulnerability, and Consequence.
The MSRAM database contains thousands of targets and scenarios (target/attack mode pairings) across the nation's ports and waterways. This robust national dataset is the product of collaborative local-level assessment efforts between USCG security experts and port stakeholders to score the risk components for each scenario. National resources, including consequence modeling and security studies, intelligence data, and reliability engineering techniques, support their analysis. As part of a formal revalidation cycle, MSRAM risk is updated annually. Risk analysts can also update MSRAM risk scores as conditions change in the operational environment or when new information becomes available.
Beyond assessing and analyzing risk, MSRAM provides risk management capabilities to evaluate risk mitigation strategies at the tactical, operational and strategic levels. MSRAM risk information informs resource allocation decisions at every level, including the DHS Port Security Grant Program, USCG Maritime Security Response Operations and regulatory development. MSRAM was awarded the USCG Innovation Award and is institutionalized in USCG policy.
The MSRAM program is currently being extended with a new framework called Maritime Security Dynamic Risk Management Model (DRMM). DRMM leverages MSRAM's quantitative risk assessment data and methods in scenario-based "what-if" simulations that project the likely impacts of maritime counter-terrorism strategies over time. It also captures estimated lifecycle costs and timetables for deploying such strategies and achieving risk reduction. By combining these outputs, DRMM enables USCG decision-makers to assess the cost-benefit (and time-benefit) tradeoffs for alternate strategies across a range of plausible future situations and identify robust security options. DRMM is being developed for the USCG by DecisionPath and ABS Consulting.
Dynamic Risk Management - Key Problems Addressed
MSRAM evaluates alternate risk reduction strategies individually, via discrete before/after "snapshots" of risk. In contrast, DRMM assesses combinations of security strategies, by projecting how they are likely to reduce risk exposure over time. DRMM also enables comparative "what-if" analyses assuming that various aspects of the security "landscape" might change in the future. In effect, DRMM provides a virtual environment for practicing alternate risk management strategies and learning from simulations rather than costly investments with unknown effectiveness.
Individual security strategies generally only address a sparse subset of attack modes and their attendant risks. For example, a single patrol boat can counter a single small boat, but cannot engage and defeat an attack involving multiple boats or a large hijacked vessel. Accordingly, DRMM supports construction and testing of portfolios of security strategies, including acquiring resources and personnel, training, and improving allocations and tactics to deploy new and existing assets.
This raises the question of how to combine risk reduction contributions from multiple independent strategies that impact a given scenario. DRMM assumes that as risk is reduced, it becomes progressively harder to achieve further gains: more effort is required to achieve the next level of improvement. Accordingly, as DRMM projects increasing risk reduction from original levels, it progressively discounts estimates of security strategy impacts, resulting in a nonlinear model. The discounting factor can be tuned as the USCG accumulates data from quantifying risk reduction benefits of its security strategies.
Since budgets and assets are increasingly constrained, risk management decisions hinge on tradeoffs among alternate risk reduction strategies. DRMM allows analysts and decision-makers to compare the simulated values of key performance metrics to identify the relative strengths and weaknesses of alternative strategies. DRMM currently tracks and projects three strategy key performance metrics to inform strategy tradeoff analyses for decision makers:
- How much risk does a security strategy reduce over time?
- How much risk does the strategy reduce per dollar of investment over time (i.e., return on investment)?
- How soon and at what rate does a strategy reduce exposure to risk (i.e., expected time efficiency)?
Risk management strategies are developed based on specific assumptions about risk and funding, in the short and long term. As strategies are implemented over time, these situational factors continue to evolve, often outside of government control. For example, economic conditions, patterns of radicalization, and leadership of terrorist groups shift. Such changes may potentially invalidate key assumptions underlying a strategy, however reasonable they were at the initial point of decision.
In addition to the dynamic nature of the overall security environment, our terrorist adversaries are adaptive. In essence, DHS agency efforts to reduce the nation's exposure to risk from terrorist attacks simultaneously increase terrorists' risk of failure. In order to achieve their goals and objectives, terrorist groups respond, typically by altering their intended targets and tactics, or by developing capabilities to overcome security measures. Such "threat shifting" means that the effectiveness of risk reduction -- including deterrence -- is transitory, so our strategies must be adaptive in order to defeat adaptive adversaries.
DRMM addresses the first challenge by facilitating "lifecycle" decision support: as time passes, analysts periodically update scenarios based on the best available intelligence (and execution results to date). DRMM then re-projects the chosen strategy into the future. If outcomes continue to be favorable, the strategy has been re-validated. If not, DRMM acts as an "early warning system," alerting analysts promptly to emerging problems, helping them isolate variances from initial assumptions, and enabling them to define and validate suitable mid-course corrections in security strategies.
DRMM addresses the second challenge of adaptive adversaries in a similar fashion, by enabling analysts to create diverse scenarios that anticipate potential terrorist responses to proposed security strategies. For example, scenarios can incorporate assumptions as to when terrorist adversaries are likely to detect improvements in our defenses, and how (and over what duration) they are likely to modify their targeting tactics and attack capabilities. The resulting simulations provide a war gaming capability for testing and tuning strategies to ensure that they are robust against plausible terrorist adaptations before rolling them out. In effect, DRMM enables strategic planning to shift from reactive to proactive.
Finally, MSRAM enables USCG security experts to perform detailed risk analysis on individual targets (e.g., vessels, port facilities, commercial installations). However, program-level investments to reduce risk generally focus on geographic regions (i.e., clusters of targets), target types or attack modes (e.g., power plants, IEDs), or capabilities (e.g., regional communication, situational awareness, evacuation planning, etc.). DRMM rolls up its key risk reduction metrics geographically, from individual targets to ports, Captains of the Port (COTPs), and on up through the rest of the USCG command hierarchy (Sector, District, Area, Headquarters). It can also roll up risk by target type or attack mode. By aggregating risk, DRMM bridges the gap between policy-level decisions (how and where money is spent) and MSRAM's fine-grained, physically localized target-level risk estimates.
DRMM Software Solution
DRMM employs a model-simulate-analyze software framework. The USCG has applied DRMM in pilot projects to explore alternative strategies for managing risks from small boat threats, radiological and nuclear weapons of mass destruction, and transfer threats of terrorists and materiel from foreign ports. In these evaluations, the HQ MSRAM Team considered solutions that addressed vulnerabilities and consequences as well as USCG tactical solutions to increase effectiveness and capacity of USCG boat patrol operations in a major port.
These diverse risk management solutions employed one or several improved capabilities combined across the Prevent-Protect-Respond-Recover continuum. The various security solutions analyzed addressed risk reduction by mitigating vulnerabilities, accounting for Prevent and Protect. Additionally, the consequence reduction solution focused on Respond. Future analysis may look at the long term consequence reduction and infrastructure recoverability of various resiliency solutions, and can assess the cost and time efficiency of such solutions in a similar manner.
DRMM simulations project outcomes in terms of four key performance metrics: risk reduction, total lifecycle costs, Return on Investment (ROI, measured in dollars spent per unit of risk reduced), and time efficiency. The ROI metric assigns credit for both reducing risk and keeping risk reduced over time (much like the effectiveness of a diet). The time efficiency metric measures the rate at which risk gets reduced over time, giving credit for solutions that reduce risk exposure earlier rather than later. These metrics enable commanders to compare alternate strategies and make critical policy-level tradeoffs relative to available resources, perceived risks, etc.
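To make two parts of the article concrete, the diminishing-returns rule for combining strategies (in "Dynamic Risk Management - Key Problems Addressed") and the four performance metrics just listed, here is an added Python sketch. It is not DRMM's code and does not reproduce DRMM's formulas: the discounting rule (a strategy's nominal reduction scaled by (current risk / baseline risk)^k), the metric definitions, the strategy names and every number are constructed assumptions for illustration.

```python
# Added illustration of the portfolio-scoring idea described in the article.
# This is NOT DRMM's algorithm: the discounting rule, metric definitions and
# every number below are constructed assumptions for demonstration only.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Strategy:
    name: str
    nominal_reduction: float  # fraction of risk removed if applied to a baseline scenario
    deploy_year: int          # first year (1-based) the strategy is in effect
    lifecycle_cost: float     # constructed total cost over the planning horizon


def apply_strategy(current_risk: float, baseline_risk: float,
                   nominal_reduction: float, k: float) -> float:
    """Apply one strategy to a scenario whose risk may already sit below baseline.

    `remaining` is 1.0 at baseline and falls toward 0.0 as risk is removed; raising
    it to the power k shrinks each successive strategy's effect, so further gains
    get progressively harder. k = 0 recovers plain multiplicative stacking.
    """
    remaining = current_risk / baseline_risk
    effective_reduction = nominal_reduction * remaining ** k
    return current_risk * (1.0 - effective_reduction)


def project_risk(baseline_risk: float, portfolio: List[Strategy],
                 horizon: int, k: float = 1.0) -> List[float]:
    """Scenario risk at the end of each year 1..horizon.

    Each year, every strategy deployed so far is applied to the baseline in
    deployment order, so effects persist once a strategy is fielded.
    """
    deployed_order = sorted(portfolio, key=lambda s: s.deploy_year)
    trajectory = []
    for year in range(1, horizon + 1):
        risk = baseline_risk
        for s in deployed_order:
            if s.deploy_year <= year:
                risk = apply_strategy(risk, baseline_risk, s.nominal_reduction, k)
        trajectory.append(risk)
    return trajectory


def score_portfolio(baseline_risk: float, portfolio: List[Strategy],
                    horizon: int, k: float = 1.0) -> Dict[str, float]:
    """Compute the four portfolio metrics named in the article (definitions assumed).

    - risk_reduction: baseline minus projected risk at the end of the horizon
    - total_cost: summed lifecycle costs
    - cost_per_unit_risk_reduced: dollars per unit of risk-years avoided, so a
      strategy is credited for keeping risk down, not just for lowering it once
    - time_efficiency: share of the best achievable risk-years avoided (1.0 if the
      full reduction were in place from year 1), rewarding earlier reductions
    """
    trajectory = project_risk(baseline_risk, portfolio, horizon, k)
    reductions = [baseline_risk - r for r in trajectory]
    final_reduction = reductions[-1]
    risk_years_avoided = sum(reductions)
    total_cost = sum(s.lifecycle_cost for s in portfolio)
    return {
        "final_risk": trajectory[-1],
        "risk_reduction": final_reduction,
        "total_cost": total_cost,
        "cost_per_unit_risk_reduced": (total_cost / risk_years_avoided
                                       if risk_years_avoided else float("inf")),
        "time_efficiency": (risk_years_avoided / (horizon * final_reduction)
                            if final_reduction else 0.0),
    }


if __name__ == "__main__":
    # Constructed scenario: baseline risk score 100, four-year horizon, the same
    # two strategies fielded early versus late.
    early = [Strategy("extra patrol boat", 0.5, 1, 10.0),
             Strategy("waterside sensors", 0.5, 2, 10.0)]
    late = [Strategy("extra patrol boat", 0.5, 3, 10.0),
            Strategy("waterside sensors", 0.5, 4, 10.0)]
    for label, portfolio in (("early", early), ("late", late)):
        for k in (0.0, 1.0):
            m = score_portfolio(100.0, portfolio, horizon=4, k=k)
            print(f"{label:5s} k={k:.0f} risk={project_risk(100.0, portfolio, 4, k)} "
                  f"reduction={m['risk_reduction']:.1f} "
                  f"$/risk-year={m['cost_per_unit_risk_reduced']:.3f} "
                  f"time_eff={m['time_efficiency']:.2f}")
```

Running the script side by side shows the two effects the article describes: with k = 1 the second strategy removes less risk than its nominal 50 percent because the first has already lowered the scenario below baseline, and the "late" portfolio scores the same final reduction as the "early" one but a worse cost per risk-year avoided and a lower time efficiency. The discount exponent k is the knob the article says would be tuned as the USCG accumulates data on realised risk reduction.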
In summary, DRMM allows USCG leaders to "test drive" maritime counter-terrorism solutions across a range of alternative possible futures and identify robust security strategies. DRMM's underlying model/simulate/analyze paradigm and performance metrics are not inherently tied to maritime terrorism risks. This flexibility opens the door to applying these USCG methods and software tools to risk management problems facing other DHS agencies, such as aviation, highway, and border security, as well as to security challenges facing other critical infrastructure networks, such as systemic risks to financial markets.
About The Author
Richard Adler, PhD., is President of DecisionPath Inc.
TSA Takes a More Reasoned Approach Toward International Cargo Screening
by John Costanzo
When the Transportation Security Administration (TSA) announced that it was going to miss its December 2011 deadline for achieving 100 percent screening of all cargo arriving on international flights, many in the aviation, security and logistics industries breathed a collective sigh of relief. Industry insiders expressed concern that the agency was on the wrong track in pursuing a "one size fits all" approach. Instead, experts urged the TSA to adopt a more reasonable process that made distinctions for known shippers, different types of cargo, and shipments originating in countries with proven security systems in place.
The TSA was also advised to recognize that the United States is not the first country to attempt 100 percent screening, and to rely on "best practices" (referenced below) that have been effectively implemented in other countries. The United Kingdom, for example, has maintained an international screening program for many years that incorporates a trusted shipper component. Other countries, including Israel, have had success at implementing screening programs, albeit on a much smaller scale.
Now there is reason to believe that the agency has taken a step in the right direction. In a press release announcing a new "can't miss" deadline of December 3, 2012, the TSA described its new system as "risk-based," and "driven by intelligence."
It seems the TSA has realized that its efforts to convince the world's airports to accommodate its U.S.-driven standards might not have been the most effective way to win converts. "Harmonizing security efforts with our international and industry partners is a vital step in securing the global supply chain," TSA Administrator John Pistole said in a separate press statement. "By making greater use of intelligence, TSA can strengthen screening processes and ensure the screening of all cargo shipments without impeding the flow of commerce."
Among the key provisions of the new screening process:
- Better coordination and communication with foreign countries;
- Use of intelligence to isolate high-risk cargo;
- Less onerous processes for low-risk cargo;
- Greater emphasis on "who is shipping it and where is it headed"; and
- Commitment to consideration of a trusted shipper program, whereby data would be collected prior to flight departure.
The TSA's efforts received a boost, with the signing of air cargo security partnerships with Canada and the European Union. Through these agreements, the countries agree to mutual recognition of each other's security protocols, and increased communication and coordination.
Quite unlike the TSA's first attempt at carrying out its mandate, its revised efforts accompanied by a pilot program have been favorably received. "One good sign, the TSA has accepted two of the Express Delivery & Logistics Association's member companies into the Air Cargo Advanced Screening (ACAS) pilot program," commented Jim Conway, Executive Director, Express Delivery & Logistics Association (XLA). "Their inclusion within the pilot program will reflect the experience and demands inherent within our sector of the industry, based on expedited shipments loaded on inbound passenger planes."
While industry is certain to keep the heat on TSA to move toward adopting some sort of trusted shipper program, it does seem that the TSA has taken a reasonable and workable approach toward achieving 100 percent screening.
About The Author
John Costanzo is President of Purolator International, an air and surface transportation company based in Jericho, New York.
Information Systems Auditor
Conduct audits of the organization's information systems and related processes. Perform walkthroughs and lead testing of Sarbanes-Oxley general computing controls. Conduct risk-based audit testing of applications, operating systems, and databases and related processes. Participate in the implementation of new systems, providing guidance in the design of internal controls.
View The Job Announcement - Booz Allen Hamilton
Cyber Security Engagement Manager
Lead technology and information security engagements for financial services clients. Act as the primary day-to-day client relationship and delivery manager on IT and information security engagements, oversee project scope, define the client's problems, lead executive-level facilitation meetings, and manage delivery expectations. Lead project delivery teams and ensure the delivery of high quality products and services on-time and within budget, meeting profitability goals. Develop new business revenue by working with senior leaders and driving the proposal process to successful submission. Coach and mentor junior staff and assist with managing their career development.
View The Job Announcement - Booz Allen Hamilton
Director, Cross Modal Division, TSA
Open Period: Monday, August 20, 2012 to Monday, September 10, 2012
You will serve as the Director, Cross Modal Division and be the primary advisor to the Assistant Administrator and the Deputy Assistant Administrator for the Office of Security Policy and Industry Engagement (OSPIE) on matters involving intermodal transportation security policy, plans, initiatives and regulations. You will provide critical support to the various transportation stakeholder networks by tracking and disseminating security information. You will be responsible for reviewing and analyzing national and strategic goals and procedural issues and work management processes related to these efforts. You will be responsible for developing, maintaining or coordinating the planning efforts in support of national strategies and plans, including those required by legislation, the White House and the Department of Homeland Security, e.g., National Strategy for Combating Terrorism, National Strategy for Homeland Security, National Strategy for Physical Protection of Critical Infrastructure and Key Resources, National Response Framework, National Infrastructure Protection Plan, as well as the Transportation Systems Sector Specific Plan and its modal plans and the Transportation Systems Sector Risk Assessment. You will be responsible for ensuring appropriate and current data collection and maintenance of risk reduction metrics that gauge security enhancement by industry operators in all modes, which enables measurement of security improvements in the transportation sector. You will ensure thorough communication and collaboration with other Division Directors and the continuous coordination and implementation of security policies and regulations, and will review economic analyses of regulatory initiatives and proposed rulemaking efforts.
View Job Posting - USA Jobs