Our mind tell us how to perceive the reality

We are really not made for grasping the concept of probabilities, especially not small probabilities (this is well documented). This is especially problematic when it comes to systematic security work were taking the right decision in relation to small probabilities is the key to effective measures.

In security analysis one has to identify the most important weak areas out of several, all with low probability. This we’re not meant to be doing and if done unaided we’re going to be making bad choices. Research show that we overestimate the probability of things happening close to us (even if it exist good proof that the probability is low, i.e. purchase earth quake insurance after the earth quake).

I fear that, in the case of maritime piracy, some of the information/rumors floating around in the industry actually makes things worse and makes the already hard security choices even harder. As this information is not giving people the full picture (not necessarily by purpose, rather describing the events close to one self) it will make people assuming wrong things about small probabilities.

But there seems also to be companies out there that make a business out of presenting events that fit in to their agenda. The other day I visited a blog by a North America based maritime security company which presented “piracy news”. From my perspective the “news” seemed a bit to selective and the blog will make it even harder for people to make the right decisions.

Risk: only a part of the truth

Many (both some people working with risk analysis and people trying to explain why they don’t) seem to have a hard time remembering that the assessment/calculation/analysis of risk most often doesn’t have that much value in itself; it is one part of a bigger understanding of a system (ship, enterprise, family vacation…). Therefore you can’t do a risk analysis without first considering the rest of the system and what you really want to analyze. After that you can define your system and decide what type consequences you measure.

Often the measured consequence is number of deaths, or people injured, and in reliability you focus on the system output. But use the aim of the analysis to decide the measured consequence, you don’t need to be limited by what others do.

So whatever you are interested in: resilience, safety, security, reliability, utility, effectiveness or efficiency the risk analysis should be used as one, out of several, perspectives used when analyzing your system and develop system specific knowledge to base your decisions on.

Law on armed guards on Swedish ships

The debate regarding piracy off the coast of Somalia (and ship security) in Sweden has for the last years been focusing on the possibility to have armed guards on board. Swedish ship owners association has the opinion that Swedish ships should have the possibility to use armed guards and that it should be regulated by Swedish law (at the moment it is unregulated). I don't mind their position, but I can maybe think that the debate has been somewhat single-minded.

As I understand it will now be regulated (and allowed) from Jan 2013. Which of course is better than the current situation, but it won't really change anything as guards already are used on Swedish ships and most often picked out with reasonable care.

I'm however more interested in were the ship security focus will be turned now when the big former question seems to be resolved. I can think that one important issue is to educate people about how lonely ships are on the seas and that the security is limited to the ships security, there is no one else, no police to call. Which also stresses the point that ship security is not only a question of terror threats using ships against ports, ie that ships are important of their own.

Hazards with incentives

On the topic of the difference between analyzing security and safety:

There could be a difference regarding the size of the probabilities were safety incidents in many cases have higher probabilities than security incidents. This is discussed by Kunreuther in an article on risk analysis in an uncertain world where he draws some conclusions from terrorist attacks in USA.

Kunreuther however doesn’t discuss the fact that the security threat has a mind, incentives, agenda and intent. In the article Freakonomics of Maritime Piracy J. Kraska uses Steven Levitt’s concept of freakonomics on piracy. They both argue that in many situations human conduct can be described by economic incentives which reveal “interesting findings about the risks people are willing to take, the rewards they seek, and the rationale they use in negotiating choices”.

From this I draw the conclusion that in order to analyze security risks we have to understand the threat’s incentives and from that describe the intent and modus operandi. And when the intent and modus operandi is given we have limited the scenarios, choices and valid probabilities considerably, at least if we are discussing the security of a specific thing such as a car, building, computer system. This because there has to be a link between our protected asset and the intent or it won’t be attacked. But…

…when analyzing the risk of terrorist attacks on society there is no specific asset in the intent, the intent is to cause terror. The specific assets involved are chosen out of convenience. This does off course not limit the scenarios, choices and probabilities and the number of alternatives to analyze is endless. But…

…this if you are to consider the probability of an terrorist attack on society, are you instead ONLY interested in limit a specific assets (car, plane, ship, material…) probability of being used in an terrorist attack, again there has to be a link between that asset and the intent.

Security or safety hazards, how do they differ?

There is alot of experience in dealing systematically with safety hazards, atleast much more than security hazards. So what is the difference then?

The biggest is that the security "hazard" as an agenda and the safety hazard doesn't even have a mind. But how does this affect risk assessment?...

I'll have to get back to you about that, this year or mabey next...

I'm not alone!

It turns out that Dstl in UK is barking up the same tree as me: the survivability risk assessment tree (they do it for military helicopters). Apparently for the same reasons (to find right security/survivability solutions for a specific platform), but refreshingly with some other tools and interesting ideas about the output.

At a classified workshop somewhere on Europe

The somewhat ridiculous post title aside:
These kinds of multi national workshops are proof of a very intense cooperation between European countries. Swedes are sometimes accused of being to USA focused which probably also goes for some other European countries. We need these kinds of cooperation in Europe, especially as so much of the academic cred is dictated by the guys on the other side of the Atlantic. This to make sure that we will have influential future.
P.S. But the balance between being intimate enough for fruitful cooperation and open enough for making sure to get enough critique is important and hard to get right, especially if you are dealing with defence or security.

Get out of the comfort zone

The research on piracy I’ve been involved with seems to be interesting for people outside my regular network. As a result I get invitations to all kinds of organizations to do presentations. Every event off course steals time and often is somewhat undefined in objective, suitable scope and so on … but seems to be rewarding in the long run.

At each event I get good constructive critique, some laughs, the possibility to see my own work with a new perspective, often a good cup of coffee and sometimes even a nice bowl of ice cream.

I’m generally content with my situation, colleagues and network, but in regards to my research I must say that dealing with a topic that get people’s attention is good for me and my research and gets me out of my comfort zone.

Do people really need to be so secret about security?

I’ve been working with classified stuff, luckily so long ago so I’ve forgotten everything of importance. But one thing I remember is that very much about security, survivability and threats is non-classified. But why then are people so secretive about security?

When visiting seminars and conferences I notice that people in a ridiculous way talks around security probably thinking they are very clever. Tell it like it is! That you are doing security analysis and why; it is most likely not classified so be open with that, but the results are probably classified so don’t discuss them.

Instead the public (and press) go and do a lot of assumptions about security assessment that really isn’t fruitful and make the society un educated in regards to security.

”A very opinionative guy”

The failure of risk management: Why it’s broken and how to fix it by D. W. Hubbard is an interesting book. The book discusses risk management in many different areas from economics to engineering and argues successfully (I think) that if you are going to do any kind of risk analysis; do it well and quantitatively. Hubbard also in a good way discusses the challenges with probabilities.

When discussing the book with a famous Operations Research professor the professor described the book with the words “He [Hubbard] is a very opinionative guy”. My interpretation of that now after I read the book is that Hubbard manages to cram very much about risk management in to the book and if you make sure to at least consider all the areas discussed you are very well set of if you need to defend your work.

P.S. Hubbard also argues that it actually is easier than you think to do a more extensive risk analysis (but you have to have the right knowledge) and it is therefore worth the extra effort.

Surprised

…when doing research, meeting people and discussing my work I sometimes get very surprised about the level of knowledge people show when discussing things they should know about…

When being a representative of a European ship owner: shouldn’t you then know there are pirates operating out of Somalia?

When being involved in European transports policy making: shouldn’t you then know that transport security in regards to shipping is in many cases the same as ship security (because there actually is no one else protecting the ship than the crew and the measures on board)?