A Practitioner's Guide to Effective Maritime and Port Security

Table of Contents:
Introduction xiii Foreword xvii Part OneThe International Maritime Operating Environment Chapter 1 Unique Characteristics of Ports and International Shipping 3 Introduction 3 The Multinational Nature of Shipping and Business Driversin Port Operations 6 Flag States 7 Vessel Registries 7 Types of Vessel Registries 8 Implications for Security 10 Third Country Owners 11 Implications for Security 11 Multinational Crews 13 Implications for Security 14 Port States 14 Regulatory Requirements 16 International Treaties and Codes 16 Oversight Mechanisms 18 Ship-Port Relationships 19 The Supply Chain 20 Just-in-Time Delivery 20 The Components of a Maritime Supply Chain 21 Regulatory Issues 22 Intermodal Links 24 Chapter 2 The Criticality of Ports: Why and How They Matter 27 Introduction 27 Geopolitical Considerations 27 Trade Routes 27 Trade Chokepoints 28 Sea Lines of Communication 30 Ports 33 Ports as Targets 34 Ports as Conduits 36 Cargo Theft 38 Smuggling 40 Ports as Borders 41 Intermodal Connections 42 Part TwoThreats to Ports and the Maritime Domain Chapter 3 Threats 47 Introduction 47 Threats by States 49 State Actors 49 Conventional Military Attacks Against Ports 49 Conventional Attacks Against Supply Chains 51 Asymmetric Attacks 52 State Proxies 56 Proxy Tactics 57 Nonstate Actors 58 Terrorism 61 Criminal Activity 62 Piracy 67 Terrorism, State Actors, and Criminal Nexus 68 Part ThreeCurrent Approaches to Maritime and Port Security Chapter 4 Approaches to Security Policy Development 73 Introduction 73 Political Considerations 73 Commercial Interests 74 Costs of Implementation 74 Increased Government Oversight 74 Potential Delays 75 Domestic Political Constituencies 76 Container Screening 77 Port Security Grants 79 Measuring the Effectiveness of Security Measures 81 Deterrence 81 Punishment 81 Denial 82 Consequence Management 84 Measurement of Activity vs. Effectiveness 87 Measurement of Activity 87 Resources Expended 87 Measurement of Criminal Activity 88 How to Measure Effectiveness 91 Why Don’t We Do This Already? 92 The Maritime Context of Assessing Deterrence 93 Lack of a Risk Approach 94 What is Risk? 95 Dynamic Risk 96 Pure Risk 96 Fundamental Risk 97 Particular Risk 97 Components of Security Risk 97 Threat 97 Vulnerability 98 Consequence 98 Risk Management 99 The Weaknesses of Current Risk Management Approaches 99 Lack of Understanding of Security Risk Components 100 Lack of a Process to Determine Risk Tolerances 100 Tendency Towards Risk Aversion or Avoidance 101 Focus on Risk Mitigation (Reduction) instead of Risk Treatment 101 viii Contents Lack of Recognition of Critical Nodes in the Maritime Domain 101 Overquantifying Security Risk 102 Tendency to Use the Rubric of All-hazard Risk 104 A Propensity to Minimize the Element of Threat in Performing Security Risk Assessments 104 Chapter 5 A Critique of Current Maritime Security Measuresand Approaches 107 Introduction 107 Regulations and Their Limits 108 The ISPS Code 109 Supply Chain Security 112 International Organization for Standardization 116 Lack of Recovery Planning for Key Maritime Supply Chain Components 117 A Disjointed International Regulatory Environment 117 Overreliance on Technology 118 Maritime Domain Awareness (MDA) 118 The Fallacy of 100 Percent Container Screening 120 The 'Magic' of Closed Circuit TV (CCT V) 121 Failure to 'Fire for Effect' 122 The Staten Island Barge Explosion 122 Minimizing the Importance of Understanding Threat 123 Hurricane Katrina--the Wrong Lesson Learned 124 Assessing Threat is Hard 126 Why Understanding Threat Matters 126 Bomb in a Box? 127 Deconstructing the Threat 127 Biological and Chemical Agents 128 Radiological Material 128 The Nuclear Grail 128 The Risk Conundrum 129 The Consequences of not Understanding the Threat 130 Hitting the Bystander 130 Al Qaeda’s View of Saddam’s Iraq and Vice Versa 130 The Threat That Wasn’t 131 The Fallout 131 The Lack of a True Risk-Based Approach 131 Insufficient Focus on System Integrity 135 Transparency 135 Corruption 135 Implications for the Maritime Domain 135 The Impact of Corruption 136 Lack of Incentives for the Private Sector 137 Part FourPrinciples for Effective Maritime and Port Security Chapter 6 Security as an Enabler 141 Introduction 141 Why is it Important for Security to be an Enabler? 142 Security as a Value-Add 142 A Culture of Security 142 Changing Security’s Image 143 Security a Key Organizational Component 143 Resilience 144 Why Resilience? 145 Risks of Ignoring Resiliency 145 Additional Risks 147 The Benefits of a Resilience Approach 147 Resilience and Maritime Security 149 Resilience Guidance 149 Integrating Security into Resilience 150 The Elements of Resilience 151 The Medical Comparison 155 Enabling Resilience 156 Chapter 7 Standards and Regulations 159 Introduction 159 Review of the ISPS Code 159 The ISPS Code 160 ISPS Code 2.0 161 Use ISO 28000 as the Foundation for a new ISPS Code 162 Considerations 164 Acceptance Issues 164 Implementation Issues 167 Other Implementation Considerations 171 Notional Contents and Structure of a New Code 173 The New Code 174 Chapter 8 Assessing and Managing Risk 177 Introduction 177 ISO 31000 178 Risk Terminology 180 Risk 180 Risk Management 180 Risk Assessment 180 Risk Analysis 180 Risk Appetite or Tolerance 180 Other Definitions 181 Threat 181 Hazards 181 Vulnerability 181 Likelihood 181 Consequence 181 Core Components of Risk 182 Establishing the Risk Management Context 182 Identify Risks 183 Analyze Risks 185 Evaluate Risks 186 Treat Risks 188 Making the Business Case for Risk Treatment 190 What is a Business Case? 192 Composition of the Business Case 192 The Business Case and Risk Treatment 193 Monitor and Review 194 Communicate and Consult 195 Maritime Considerations 197 Chapter 9 Measuring Effectiveness 199 Introduction 199 Measure Effectiveness, Not Security Activity 200 Measurement of Activity 201 Resources Expended 201 Measurement of Criminal Activity 201 Uniform Crime Reporting System 202 CompStat 202 The Black Swan Effect 202 Measuring Effectiveness 203 A Hybrid Solution 203 Ask the Enemy 204 Crunch the Numbers 207 Deterrence as the Primary Measure 207 Deterrence 208 Ensuring Integrity and Countering Corruption 209 Foster Continuous Improvement 210 Chapter 10 Conclusion 211 Appendices Appendix A Conducting Security Risk Assessments 215 Introduction 215 Risk Assessment Steps 216 Establish the Risk Management Context 217 Identify Risks 217 Analyze Risks 218 Evaluate Risks 218 Conducting Risk Assessments 219 Assessment Team Composition 219 All Assessors 219 Lead Assessor 219 Assessment Team Members 220 Facility Risk Assessment Process 220 Facility Risk Assessment Preparation 221 Written Notification to Facility Operators 221 Planning Assessment Activity 222 Facility Risk Assessment Administration and Logistics 223 Facility Risk Assessment Activity 223 Document Reviews 224 Formal and Informal Interviews 224 Observations 224 Assessment Opening and Closing Meetings 224 Opening Meeting 224 Closing Meeting 225 Facility Assessment Reporting 225 Assessing Vulnerability 225 Assessing Consequence 227 Developing a Risk Rating 227 Appendix B Conducting Threat Assessments 231 Introduction 231 Consistency with ISO 31000 232 Threat Identification 233 Identify the Range of Potential Threat Actors 234 Identify an Extensive List of Threat Actor Characteristics 234 Identify Sources of Threat-Related Information 234 Analyze and Organize Threat-Related Information 238 Threat Evaluation 238 Threat Actors and Scenarios 241 Develop The Design Basis Threat 241 Appendix C Tips for Assessing Risk Appetite 259 Introduction 259 Defining Risk Appetite 259 Risk Appetite and ISO 31000 260 Assessing Risk Appetite 260 Helping a Client Determine Risk Appetite 261 Pairwise Exercise 262 Risk Appetite and Risk Treatment 263 Index 269

About the Author :
MICHAEL EDGERTON is a security and risk manager based in the Middle East with more than twenty-five years of experience in maritime security, security risk management, critical infrastructure protection, and crisis management. He has advised national governments, agencies, and corporations on security matters and has performed strategic-level, risk-based assessments of critical infrastructure, including system resiliency, business continuity, and recoverability. Prior to entering the private sector, Mr. Edgerton served in the United States Coast Guard and United States Navy as a commissioned officer specializing in security and intelligence.