| | 28/02/2019
The Price of Failure – or the Cost Saved
By Nir Ran
Major security failures are not necessarily the result of professional deficiency. Sometimes, even the worst failures originate in a minimizing assessment of the risks, or in the avoidance of making a decision.
The events of September 11, 2001 were a turning point in the history of world terror. Four passenger aircraft were hijacked while on commercial flights in the USA – three were used as guided missiles that crashed into the twin towers of the World Trade Center in New York City and into the Pentagon, and the fourth crashed into an open field, on its way to its destination (which was most likely either the White House or the building of the US Congress in Washington DC).
These attacks caused shock and destruction. Approximately 3,000 lives were lost that day. The World Trade Centerbuildings were completely destroyed, and the Pentagon building sustained heavy damage. The direct economic loss from these attacks was estimated at US$ 30 billion, and the indirect cost – who can say? A loss of US $1.4 trillion (!) was registered when trade opened after the attack, 430,000 people lost their jobs, the value of the US dollar sank, the US waged war against Iraq and Afghanistan…
The attacks have been studied from every possible angle. A national investigation committee appointed by the Senate issued a report hundreds of pages long, countless professional documents and academic papers were written on the subject (including one by the author of this article), and many books – some better than others – have been published.
It seems as though there is nothing new that can be written on 9/11… an incident that could have easily been prevented.
Security systems sometimes fail due to professional reasons – such as a lacking assessment of the risks or insufficient measures for dealing with it, or from deficient functioning of security staff whose work is based on a predefined doctrine and procedures. Professionalism, meticulously paying attention to details, reviewing and continuously updating the combat doctrine, implementing supervision and control processes – all these should prevent, or at least mitigate such failures.
Yet sometimes a failure is caused by failing to act, negligence, neglect or avoiding making a decision.
The sad truth is that the 9/11 terror attacks originated in a systemic failure that was known in advance, and whose roots may be found in the avoidance of making a decision: not in the fact that 19 terrorists managed to board the four aircraft without arousing suspicion – even though this could most likely have been prevented, and not even in the fact that they managed to conceal box cutters. The problem is that someone forgot to shut the door.
The hijacking of commercial aircraft has been a well known phenomenon since the 1960s, becoming more pervasive in the 1970s and onwards. This is another type of threat – and not the most severe – that is faced by commercial aviation. The use of an aircraft as a guided missile is also not surprising – possible modes of operation of aircraft hijackers have been repeatedly analyzed. One basic fact has been found to be common among past incidents – the only way to hijack a plane is to enter the cockpit. In other words, the adversary cannot take control of an aircraft unless he physically enters the cockpit.
On a basic level, installing security doors in cockpits and shutting them is the response to this threat. It is simple enough to accomplish. However, international regulations requiring all airlines to lock the cockpit doors for the entire duration of the flight have only been enacted after 9/11.
The question is, therefore, why were security doors not installed and locked until after this tragedy occurred? This is the question of major importance with relation to the past, present and future. The decision to carry out security actions in order to deal with a known threat only after it is realized is always considered a major failure.
We may assume that the hijacking of the aircraft did not surprise security experts. They were certainly aware of the fact that locking the cockpit doors would have disrupted such as attack. A methodic risk assessment process (methodology for dealing with risks before they are realized), which includes a damage equation and a risk acceptance matrix, must lead to the recognition of the severity of the potential damage in this type of incident. A proper decision making process would have led to the understanding that the hijacking of aircraft should be eliminated at any reasonable cost. Therefore, securing and locking cockpit doors would have been a reasonable decision when considering the "evil that security will cause as compared with the evil that it prevents", despite objections voiced by pilots (who may have indeed objected), and despite the cost involved (in the case of thousands of aircraft, this would have amounted to tens of millions of dollars). However, this was not done.
This is not written for the sake of criticism or as an academic discussion, but rather in order to illustrate the cost of this major security failure. Wise persons learn from other people's experience, not only from their own.
The reality as we see it is not lacking in failures (in the sense of avoiding taking action). This is certainly not a generality. From an organizational viewpoint, senior management too often takes no heed of its responsibility for security and emergency preparedness. While senior executives should most certainly delegate authority, they must keep in mind that ultimately the responsibility is theirs. However, executives tend not to delve too deeply into issues involving security and emergency and rely on the alleged proficiency of the security manager and on compliance with the minimal regulatory standard. This policy therefore means they effectively shirk their responsibility, and leads to waiving management inputs and avoiding investments in the processes required to enhance the security system.
Meetings with security managers have revealed that much is being done, but there are also many gaps in various areas pertaining to the standing of the security manager and security management in institutions, organizations, companies and facilities. The mapping of the gaps points primarily to the lack of a common language and to significant differences in the perception of the work and in the level of professional knowledge. This causes various problems, starting from security breaches, through a lack of balance and suitability between the technologies and the manpower operating them, among others. There are significant differences in the levels of security in different organizations. We often find security systems that are quite effective despite the fact that they are not necessarily expensive, on the one hand, and quite expensive security systems that include gaps, on the other hand. There are also cases of very costly security plans that are a heavy burden for an organization to bear, which are not always justified.
Reinforcing the security manager's standing in the organization, while also hiring experts to implement professional planning methodologies, are the recipe for an effective security system that balances the need to maintain a welcoming civilian ambiance and to provide an effective response to the threats. However, success is primarily dependent on carrying out an effective, professional methodological risk assessment process, and on the associated decision making process.
Risk assessment is a process involving the identification of the risk factors, determining their characteristics, evaluating the level of risk, determining the level of risk acceptance based on the existing means and measures, and recommending processes and means to mitigate or neutralize the risk – i.e., a security system.
Presenting a clear and professional risk assessment document to an organization's senior management is the appropriate way to present the available solution and to reflect their responsibility.
Fundamental, strategic and tactical working assumptions form the basis of a risk assessment process; we will name only the main ones here – one example of each type.
The first working assumption is that security is not a goal in itself, but rather a means aimed at enabling the secured body to fulfill its function. This means that security cannot force a disproportionate modification of the organization's characteristics or its method of operation. Shutting cockpit doors is therefore a legitimate act, as opposed to installing a perimeter fence around a communal settlement as a way of dealing with property crime – as it mortally harms the nature of the settlement and its inhabitants' quality of life; it is therefore not the desirable approach, and alternatives must be sought and found (and such alternatives do exist).
The second working assumption is that the security plan must be tailor made, and precisely adapted to meet the specific threats faced by the organization in question. The security concept and the components of the security response for a particular kind of facility may, and even should, be uniform. However, the security plan itself, the security staff members and their deployment, the technical means, the protective means, etc. must be determined specifically for each facility or organization. The expert performing the risk analysis must also relate to the influencing factors of the relevant organization – analyze its site, the types of buildings it operates in, its methods of operation, employees and visitors, opportunities and constraints.
The third working assumption is the lack of intelligence on an attack. The security system should have an in-depth understanding of the adversary, the way it operates and its capabilities. Many attacks are foiled by intelligence and security forces before they are executed or while the perpetrators are on their way to the site of the attack, but instances in which the adversary reaches the target are probably cases in which we no prior intelligence was available. The significance of this is that the adversary benefits from the element of surprise. The security system must therefore be prepared everywhere, at all times, to address any possible mode of operation of the adversary.
The decision making process lying at the foundation of the security plan is based on the working assumptions detailed above, as well as on three additional main elements (which comprise an element of the risk analysis process): the damage equation, the risk acceptance matrix and the grading of the threats. The damage equation presents all the consequences of all possible scenarios. Relating only to casualties and damage is a mistake that is frequently made. The damage equation presents a multidimensional picture and requires weighting all the damage, including to the organization's ability to function, economic consequences, psychological aspects, harm to the organization's image and reputation, and more. The risk acceptance matrix presents the risks and their severity, and requires handling the risks based on the weighted consequence of both axes. The grading of the threats is the result, which ensures appropriate allocation of budgets and proper management of resources to deal with the specific threats that have been identified.
The purpose of an effective security plan is first and foremost to prevent and foil hostile elements' attempts to carry out attacks or cause damage (including property crime, violence and vandalism). The implementation of a well planned, customized and professional security plan also sends a reassuring message of control and responsibility to the organization's employees, clients and visitors from its management, as well as to the public at large.
The fundamental prerequisite of each security plan is that it must be tailored to the operational characteristics of each organization and to its particular needs. The security plan must be well planned and professionally designed, taking into account cost-benefit considerations. It must focus on addressing the threat, yet not reduce the level of service provided by the organization. This plan will be reassuring to the public, yet will broadcast a firm and uncompromising message of preparedness to potential adversaries.