Process Management vs. Security by Philip Baum (Editor in Chief)

How does one evaluate the quality of a security system? One would like to think that it would be based on the capability of the system to prevent attacks? We bandy around terms such as ‘risk-based’, yet much of what we do is actually ‘process-centric’, often at the expense of security.

Many of those who gathered at the Blue Skies Thinking workshop in Hong Kong in June admitted that they struggled to think in a ‘blue skies’ manner and were drawn into discussions whereby ‘process’ was deliberated first and, only then, the ability of that process to address the various threats to which we are exposed. Whatever the threat we need to respond to, surely the solution must either, and ideally, be to neutralise the threat, or, at the very least, to reduce our exposure to a level of risk which is acceptable?

I am concerned that we are setting the wrong goals. The date by which we can screen LAGs in bags, for example, is not really the challenge we should be setting ourselves. If you want to be able to identify explosives in checked luggage, what must the system be able to achieve? The answer is not ? passengers per hour. The answer is actually a product, or methodology, which can identify a clearly identified quantity of a specified range of explosive materials concealed in all ways realistically open to the terrorist. Of course, many will argue that if we can achieve that goal, but only by making passengers arrive at the airport hours before they fly, the solution may be effective yet would be totally impractical. High throughput rates, minimal footprint, low false alarm rates and reasonable cost are significant factors when selecting a technology, but they are meaningless if the resultant solution fails to address the threat.

If we have a system whereby passengers flow through checkpoints and the screening service provider is only assessed by the number of random passengers they can screen, or the amount of time passengers have to wait in line, or an absence of complaints received, we end up with a wonderful ‘process’ that is devoid of security. It’s often termed ‘security theatre’.
So, sticking with the LAGs example, just what are we achieving by confiscating LAGs from passengers? We have done nothing to improve security! If we believe that what we are disposing of is an actual threat, then we are building up huge quantities of highly combustible materials and leaving them right in the middle of the airport checkpoint. Worse still, by disposing of LAGs, we are actually saying that we do not trust the passengers who brought them to the airport. In which case, why are we then allowing them to board an aircraft?

The argument is that the technology available today is not capable of distinguishing between a threatening liquid, aerosol or gel and a similar innocuous/genuine substance. So, can it identify chemical or biological (CB) weapons being, presumably, credible threats given that aircrew are supposed to be able to manage a CB incident in-flight? Quite simply, no. So why LAGs?

John Pistole, the Administrator of the TSA, has acknowledged that ‘Underwear 2’, being the second generation underpants bomb which the authorities became aware about in May 2012, would not have been detected due to the explosives being encased in household caulk (waterproof sealant), thereby devoid of explosive traces or vapours. Refreshing that somebody ‘in post’ is actually telling it as it is. Around the world, there seem to be plenty of people who once held government posts, or were security managers at airports and airlines, and once freelance, hence no longer process driven, suddenly starting to proclaim the obvious: the system is not responding to the threats. It’s a shame that they did not speak out vociferously whilst they were in a position to really make a difference.

I am really excited about, and encouraged by, the widespread interest in the Checkpoint of the Future, but we must ensure that it is first and foremost a security solution and that we don’t water down the security element at the expense of facilitation. Differentiation must be based on a realistic analysis of the threat any passenger might pose. True, somebody we have no information about poses a greater challenge (as opposed to risk) to the security system than the person who has furnished us with all their personal details, but I am opposed, in principle, to the concept of ‘trusted travellers’. It is a process-focussed concept awaiting exploitation by the terrorists of the world.

We are quick to ask ourselves how we can improve the passenger experience. As a frequent flyer, I am delighted that question is asked, but I would far rather the question posed be how can we improve security and, in doing so, provide better facilitation? We must not allow ourselves to be sucked into accepting a system that ticks the facilitation boxes, and scores a grade A for ‘process’, but a C- for ‘security’.

Our challenge is that, fortunately, the likelihood of an attack taking place via any one checkpoint on any given day is exceptionally low. The downside of this is that screeners don’t expect to find a genuine threat. Compare this with a door supervisor at a nightclub who knows that, almost every night, he will have a couple of guests smuggling drugs into the premises and some intoxicated individuals who will have to be physically ejected; the threat is real. Yet the stakes at the airport checkpoint are far higher.

Solutions may come in the form of technology or processes, but technologies to address specific threats, not technologies or processes for process sake..

“…if the screening service provider is only assessed by the number of random passengers they can screen, or the amount of time passengers have to wait in line, or an absence of complaints received, we end up with a wonderful ‘process’ that is devoid of security…”