Proceedings International Summer School on Aviation Psychology (ISAP), Graz July 2007

Aviation/ATM Security: An Introduction to Resilience


Rainer Kölle, ATM Security Domain, EUROCONTROL

Abstract

September 11th 2001 changed air transportation forever; it also changed the way we look at and deal with security. Security is beginning to receive increased attention, not only within the military/security industry but also within the civilian sector. Security is a chain with many weak links. The dynamics of security are crucial: compliance erodes, vulnerabilities develop, risk perceptions change and misperceptions fool people. Recent years have seen a strong emphasis on technical security measures. However, the interplay of human behaviour, organisational aspects and technology is an important enabler for security and represents a socio-technical system that must be addressed in an appropriate manner. The ultimate goal of security is to reduce the impact of security threats and vulnerabilities on an organisation's strategic objectives. In other words, security needs to be managed with a view to establishing a resilient system/organisation.

Keywords: Security, Resilience, Aviation Security, ATM Security, Security Management, Security Risk Assessment, Human Factor

1. Introduction

Following September 11th 2001, security is beginning to receive increased attention within civil aviation and air traffic management. The challenges of non-state actors and of irregular (or asymmetric) warfare are part of what the eminent scholar Lawrence Freedman has called the transformation of strategic affairs (Freedman, 2006). To a certain extent this is an issue to be dealt with by state authorities, traditional police, counter-terrorism and military forces on a national/state level. However, we also need to go beyond the traditional boundaries and measures when addressing societal and organisational aspects of security. In this sense private organisations become security actors and need to address as well as manage security challenges within their remits.

In the aviation sector there has been a wellspring of security expertise and consultancies offering risk-based, layered and pro-active approaches to security. Despite the number of research efforts, the principal techniques for addressing security have not changed. For instance, the vast majority of today's security risk assessments are still based on cold-war classifications and terminology. These concepts cast light on the nature of security systems and methodologies and offer standards to emulate, but they can also serve to mislead if not properly understood and mapped to today's context.

Security, in general, refers to any of various measures with a view to safeguarding elements at risk (assets) against a broad range of threats (e.g. crime, fire, accidents, espionage, sabotage and attack). Aviation Security has been a concern since the beginning of commercial aviation. Recent efforts in aviation security seem to aim at the more visible part of security (e.g. limitations on gels and liquids for air travellers). Considering the fact that security is only as strong as its weakest link, the author raises the question of whether the air transportation industry is focussing on the right issues. If we fail to adequately understand the interplay of human behaviour, organisational aspects and technological controls, how can we hope to accurately identify threats and vulnerabilities and promote a layered and risk-based security risk management paradigm?

This paper covers two talks during ISAP07 which cannot be considered in isolation, and unfolds accordingly as a retrospective view of the subjects covered. Its aims are: first, to provide a general framework to address security risk; second, to review the changing nature of attacks on the air transportation system and review some of the key organisations and their major policies; third, to highlight some aviation security disciplines; and fourth, to present initial considerations of Human Factors in security.

2. Security in a Nutshell

Security, in general, refers to any of various measures with a view to safeguarding elements at risk (assets) against a broad range of threats, e.g. crime, fire, accidents, espionage, explosion and attack. In this talk, I follow an overall socio-technical system perspective. Hence security is tightly coupled with other business processes (e.g. safety, quality, reliability), and must not be ignored or relegated to incidental concerns. I take a broad view here of the problems of attaining security, and consider these problems as a unified global system/network/enterprise problem (Neumann, 1995/2006; Caralli, 2004). In this view security is linked to resilience. Resilience is commonly defined as the ability of a system to recover from adversity, either back to its original state or an adjusted state based on new requirements.

2.1 Security Fundamentals

The concept of resilience is essential for identifying assets. An asset is generally defined as a tangible or intangible resource of an organisation/system that has a value. Critical assets can be people, equipment, systems and processes or a combination of any or all of these. It is important to note that value does not necessarily translate into costs. From a resilience point of view, asset identification is closely linked with the criticality (role, relevance) of an asset to ensure specific modes of operations of the system. Typically, assets are ranked according to their criticality for the organisation, its value chains, processes or services and the (potential) impact a loss, unavailability, destruction and/or disclosure may have on these.

Figure 1: Security Fundamentals (labels: asset(s), security measures, vulnerabilities, threats)
Within this context, threats can be defined as capabilities, intentions, and attack methods of adversaries to exploit vulnerabilities and/or any circumstance or event with the potential to cause harm to the asset(s). Threat is a term used very commonly, even in the standards, but an operative definition is not always given. The Common Criteria (ISO/IEC, 2005) characterizes threat as a 4-tuple: a threat agent, a presumed attack method, the vulnerability exploited by the attack and the asset under attack. According to this definition the concept of threat subsumes those of vulnerability and asset, which I clearly prefer to distinguish. On top of this, it must be noted that threats are different from sources of threats. This differentiation is not always clear. There is a tendency in public media to refer to sources of threats as manifested threats (e.g. "terrorist threat" replacing a range of attack scenarios ranging from bomb attacks to hijackings). From a security/resilience perspective, threat relates to the potential cause of an unwanted impact to a system or organisation (ISO/PAS, 2007). A threat may also be a natural phenomenon such as an earthquake, flood or storm, or a man-made incident such as fire, power failure, explosion, etc.

Sources of threat or threat agents typically comprise the following groups of adversaries: vandals/troublemakers, disgruntled insiders, disruptive protest groups, socially/ethically/economically motivated activists (as a consequence of regional conflicts and/or state failure), crime, terrorism and nation states. From an asset point of view, the source of threat is irrelevant since a threat manifests directly and impacts the asset or exploits a given vulnerability. At the end of the day, we are not interested in whether our money was stolen by a bored school-kid or an animal-rights activist. The negative outcome (loss of money/financial independence [= asset]) matters.

A word of caution: prominent schools of thought in security risk focus on the first part of the definition given above. In this paradigm, threat equals (solely) the intentions and capabilities of an adversary. In order to address these, substantial intelligence would be required. I argue that this is the case for most of the threat sources listed above and that the majority of aviation stakeholders have no access to this intelligence. In my opinion, Sept. 11th demonstrated clearly that the old school of addressing risk in terms of intentions (using aircraft as weapons against civil infrastructure) and capabilities (ability to take over control and operate an aircraft) is obsolete.

A recently growing concern is the so-called insider (threat). Insiders can be current or former employees and contractors who are familiar with internal security measures and exploit that knowledge to facilitate attacks or collude with external attackers. From an asset-centric perspective it is therefore of interest what makes a human violate security policies. We will come back to this later.

As depicted in Figure 1, vulnerabilities are weaknesses of the system and its assets, which could be exploited by threats. By definition, vulnerabilities are a physical (or virtual) characteristic built into a system or the asset through its resources, design, policies, operations and procedures, etc. Vulnerabilities are independent from any threat and may be exploited at any point in time regardless of whether a previous threat attempt was aimed at them or not.

Countermeasure activity typically results in a list of security measures and controls designed to reduce specific vulnerabilities in (prioritised) critical assets. Security measures include a wide range of activities on an organisational, technical and operational level. On top of the life-cycle aspects of an asset, security measures are typically designed to address a specific stage with a view to security incident management and resilience. In line with current practice in emergency, disaster and/or crisis management, these life-cycle phases are: prevention, preparedness, response and recovery (SESAR, 2007). These phases do not imply a clear delineation or hierarchy between various measures; however, they can serve as a useful checklist to address treatment of security risks.

Controls have the ability to either reduce the impact of an attack taking place or lower the consequences of an attack once it has occurred. These controls are used throughout the different life-cycle phases. A simple analogy is the security of an expensive item. Those responsible for that item may wish to reduce the likelihood of theft by keeping it under lock and key. In the unfortunate event that the item is stolen, the impact of the loss is high. If, however, an insurance policy is obtained against theft then the impact of the loss of the item has been dramatically reduced. Up to now aviation security measures in air transportation primarily address prevention. This is where resilience kicks in. As there is no 100% security, effort must be directed to response to and recovery from security breaches and incidents.
2.2 Security (Risk) Management - Security Risk Assessment

Managing security requires that the goals of security management are forged from and aligned with the high-level objectives of the organisation (Caralli and Wilson, 2004). The view of security as a financial impediment is often a consequence of the tendency to consider security as a technology-driven activity. Security, however, is a business or organisational problem that must be framed and solved in the context of the organisation's strategic objectives. The evolution of a risk-based paradigm for security has made it clear that a secure organisation does not result from securing its technical infrastructure and production base alone. A security approach that is mission-centric (i.e., based on strategic objectives) strives to secure the organisation's critical assets and processes regardless of where they live.

2.2.1 Risk Management

Applying a risk perspective to security is a logical progression - risk management is a basic business function, and whether it is done implicitly or explicitly, it must be performed at an organisational level to be purposeful. The concept of risk - how to define, assess, and manage it - is relatively complex. In this section, I will briefly recap some principles that are vital. Despite the fact that risks are unavoidable, the resources available for managing risk are finite. Thus, the challenge is to find the optimum response to risk, prioritised in accordance with the evaluation of it. Effective risk management does not operate in a vacuum; rather, it gives full consideration to the context in which an organisation operates. The management of risks needs to be integrated throughout the organisation so that various risk management activities support, rather than compete with, each other. The latter aspect gives reason to believe that there is a joint and integrated (risk-driven) approach merging transversal areas such as safety, security and environment into a joint enterprise management process (c.f. SESAR, 2007; Caralli, 2004).

Risk management is not a linear process but comprises a number of interwoven elements that interact with each other. The challenge to effective risk management is identifying the appropriate balance in knowing how to respond as risks evolve and impact one another. There is a myriad of risk management methodologies and literature that I leave to the interested reader to explore further. Risk management takes on many names and can vary greatly in terms of method, rigor and scope, but the core elements remain the same: risk identification, risk assessment, risk response, and risk monitoring. Throughout all elements is the need for communication and learning across the organisation.

Figure 2: General Risk Management Cycle (Risk Identification, Risk Assessment, Risk Response, Risk Monitoring)

Risk is commonly defined as the uncertainty of outcome that an action or event will adversely or beneficially affect an organisation's ability to achieve its objectives. Identifying and acknowledging a risk is the first step toward managing it. Good risk management requires an ongoing effort to scan the environment for emerging and changing risk conditions. Risk Assessment pertains to the qualitative or quantitative assessment that certain risks will manifest themselves. Response involves one or more of the following four Ts: tolerating the risk; treating the risk in an appropriate way to constrain the risk to an acceptable level or actively taking advantage, regarding the uncertainty as an opportunity to gain a benefit; transferring the risk to another unit/organisation; or terminating the risk.

The level of risk remaining after risk response has been exercised (residual risk) is the exposure in respect of that risk, and should be acceptable and justifiable; it should be within the organisation's risk appetite. Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of its objectives/mission. Risk tolerance could be defined as the residual risk the organisation is willing to accept after implementing risk-mitigation and monitoring processes and controls. It is important to emphasise that Risk Management is not about (complete) risk elimination.

Figure 3: Risk Components (risk spectrum: residual, unidentified, tolerate, treat, transfer, terminate)

When it comes to aviation and ATM security, there is an on-going debate about risk appetite. This debate is the result of the shifts in economic policy resulting in the privatisation of public monopolies, infrastructures and networks, and the subsequent deregulation of service provision. While liberalisation has in many cases improved efficiency and productivity, there are also concerns regarding accessibility and reliability. Thus, assigning responsibility for securing such services is problematic in a liberalised economy. In such an environment, companies aim to minimize costs, which might lead them to cut costs for security and resilience. This explains why, for instance, airlines argue that states shall pay for the costs associated with security measures like the fortified cockpit door. Despite the media coverage with respect to airlines, I can confirm that this concern is also discussed by other air transportation stakeholders (ANSPs, airports). This debate has been described as a gap, or the dilemma of societal security, between customer and state expectations and private companies' lack of interest in providing such measures for society as a whole (c.f. Andersson and Malm, 2004).

2.2.2 Security Risk Assessment

Security (Risk) Management involves the process of ensuring that the residual risk posture of an organisation is within acceptable bounds. Security risk management acknowledges that it is impossible to protect everything, all the time, with security measures without interfering with normal daily functions or fiscal collapse. It attempts to strike a balance between security risks and accomplishing the strategic objectives. The security (risk) assessment provides the necessary detail for this trade-off.

From a generic point of view a Security (Risk) Assessment ensures that a systematic and analytical process is conducted with the aim of identifying security measures and/or procedures that reduce the threat consequences or vulnerabilities of people, assets and operations to tolerable levels. In light of Figure 2 it is common practice to subsume risk identification and risk assessment, and sometimes response, under the process of security risk assessment. Risk (exposure) is commonly calculated from the probability of loss, meaning the threat manifestation frequency (typically a likelihood that adversaries will attack), and the severity of the potential loss. Factoring these two components together, risk is frequently given as an equation: Risk = probability P of risk manifestation times the severity S of loss = P * S.

The practice of risk management is well-developed within the insurance, engineering, finance, and political risk industries. It is clear, however, that risk management remains relatively immature in its application to security. There are some issues that must be taken into account when assessing risk in a security context:
- lack of historic data; other disciplines benefit from a rich and voluminous set of data which can be mined for patterns of historical behaviour.
- dynamic nature of risk; security risks may differ significantly for different geographical and national contexts, organisational forms, etc.

Accordingly, the above stated (typical risk) factoring is not applicable to security risk assessments. In light of this paper, I propose a logical expression that reflects the elements contributing to assess security risks. Namely: Risk = Threat Vulnerability Criticality as depicted in Figure 4. As introduced above, threat must be considered as the cause of an unwanted outcome in terms of the impact on an organisation's objectives (e.g. permanent loss of surveillance data or aircraft due to physical destruction). Vulnerability is defined as those characteristics of an asset that could be exploited, including preventive security measures. In addition, reference must be made to criticality, an assessment seeking to identify and evaluate the role and relevance of an asset with a view to the objectives. The latter is an important factor and a key cornerstone of asset-centric security risk assessment aiming at resilience.

Figure 4: Risk contributing elements

Frequently, it is argued that, in many cases, criticality is already an inherent part of the threat assessment as this factor plays a part in terrorist planning and thus influences targeting and intent. But this is exactly where the popular old-school approaches are misleading, as the underlying assumptions require intelligence and/or experience that typically is not available to private organisations. In undertaking security risk assessments there is a requirement to move forward and replace attack-centric (offensive) views with asset-centric (defensive) approaches. The latter will see risk at the intersection of threat, vulnerability and criticality as depicted above.

Perhaps the most fundamental question today is this: "How much security is enough?" The answer in any particular application must rely on a realistic consideration of all of the significant risks. Organisations tend not to devote adequate attention to security until after they have been burned. The list of potential risks in aviation and air traffic management is enormous. There is a further tendency to ignore risks that are difficult to deal with, unanticipated, or seemingly unlikely but with very serious consequences. Thus the question of "How much security?" is interlinked with deciding what the risk appetite is.

There exists no shortage of definitions for security risk assessment, management and many other closely associated terms. Many of these definitions are overly complex or specifically geared to industry segments. But there is a common misunderstanding about Security Management Systems that I want to address in closing this section. A Security Management System is a documented set of procedures, processes and measures within an organisation as embodied in standards and best practices (e.g. ISO 28000). Thus, a security management system entails - amongst other elements - the above described security risk management process and its constituting sub-process, security risk assessment. For instance, EUROCONTROL is currently developing a management system entailing 18 different elements.
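The asset-centric assessment argued for in this section, worked through as an added example (not part of the original paper): a small risk register that scores each asset from threat, vulnerability and criticality, applies security measures by life-cycle phase, and compares the residual risk with the risk appetite. The 0..5 ordinal scales, the multiplicative combination, the way a control lowers a factor, the appetite value and all sample assets are assumptions made for illustration.

```python
"""Asset-centric security risk register (constructed example, not from the paper)."""
from dataclasses import dataclass, field

PHASES = ("prevention", "preparedness", "response", "recovery")
SCALE_MAX = 5  # assumption: every factor is rated on an ordinal 0..5 scale


@dataclass
class Control:
    name: str
    phase: str      # life-cycle phase the measure belongs to
    factor: str     # factor it lowers: "vulnerability" or "criticality"
    reduction: int  # ordinal steps taken off that factor (assumed model)

    def __post_init__(self):
        if self.phase not in PHASES:
            raise ValueError(f"unknown life-cycle phase: {self.phase!r}")
        if self.factor not in ("vulnerability", "criticality"):
            raise ValueError(f"a control cannot lower {self.factor!r}")


@dataclass
class Asset:
    name: str
    threat: int
    vulnerability: int
    criticality: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for factor in ("threat", "vulnerability", "criticality"):
            if not 0 <= getattr(self, factor) <= SCALE_MAX:
                raise ValueError(f"{self.name}: {factor} outside 0..{SCALE_MAX}")


def score(threat, vulnerability, criticality):
    """Risk where all three factors overlap, normalised to 0..1.

    The product is an assumed reading of "intersection": the score is zero
    as soon as one factor is zero, and no attack probability is needed.
    """
    return threat * vulnerability * criticality / SCALE_MAX ** 3


def inherent_risk(asset):
    """Risk of the asset before any security measure is counted."""
    return score(asset.threat, asset.vulnerability, asset.criticality)


def residual_risk(asset):
    """Risk left after the asset's controls have lowered their factors."""
    vulnerability, criticality = asset.vulnerability, asset.criticality
    for control in asset.controls:
        if control.factor == "vulnerability":
            vulnerability = max(0, vulnerability - control.reduction)
        else:
            criticality = max(0, criticality - control.reduction)
    return score(asset.threat, vulnerability, criticality)


def uncovered_phases(asset):
    """Life-cycle phases for which the asset has no security measure."""
    covered = {control.phase for control in asset.controls}
    return [phase for phase in PHASES if phase not in covered]


def assess(assets, appetite):
    """Rank assets by residual risk and propose a response per asset."""
    rows = []
    for asset in assets:
        residual = residual_risk(asset)
        rows.append({
            "asset": asset.name,
            "inherent": round(inherent_risk(asset), 3),
            "residual": round(residual, 3),
            "response": "tolerate" if residual <= appetite
                        else "treat, transfer or terminate",
            "uncovered": uncovered_phases(asset),
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register; names and ratings are illustrative only.
SAMPLE_ASSETS = [
    Asset("surveillance data feed", threat=3, vulnerability=4, criticality=5,
          controls=[Control("access control", "prevention", "vulnerability", 2),
                    Control("contingency feed", "recovery", "criticality", 2)]),
    Asset("operations room", threat=2, vulnerability=3, criticality=5,
          controls=[Control("badge access", "prevention", "vulnerability", 1)]),
    Asset("staff car park", threat=4, vulnerability=4, criticality=1),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS, appetite=0.15):
        print(row)
```

In the sample data the operations room ends up ranked first although its inherent risk is half that of the surveillance feed, because its only measure is preventive and nothing covers response or recovery.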

3. Aviation Security

3.1 Aviation Security Phases

Aviation Security has been a concern from the beginning of commercial aviation. The first recorded aircraft hijacking occurred in the 1930s. Structural targeting of air transportation by terrorist activities emerged during the late 1960s. The first effective aircraft hijacking countermeasures were introduced in 1970, e.g. passenger and cabin baggage screening from 1973, resulting in a slight decline in the number of incidents.

With a view to attacks on air transportation, distinct phases of aviation-targeted security incidents can be identified, each of them marked by specific milestones (c.f. Aviasolutions and IAA, 2004):
Phase 1: 1948 to 1968 - flight from persecution or prosecution
Phase 2: 1968 to 1994 - the political phase
Phase 3: 1994 to date - the aircraft as a weapon of destruction.

The initial phase is characterised by using hijacking as a means to escape from persecution or prosecution. Phase 2 marks the birth of modern aviation terrorism, establishing a link between politics and aviation terrorism. At this point in time airlines were operated by the states and subsequently the aircraft was seen as a proxy for the state. Adversaries aimed to utilise the vast media potential of a hijacking or bombing to exert pressure on specific states (change of policy, economic damage, money, release of imprisoned criminals/terrorists). The 3rd phase is considered to have begun on 24 December 1994, when Algerian terrorists hijacked Air France flight 8969, en route to Paris from Algiers. According to intelligence sources the intention was to blow up the aircraft overhead Paris. In this sense, the events of Sept. 11th 2001 (using aircraft as weapons against civil infrastructure) do not - strictly speaking - mark a new era. The question to raise is whether the fact that simultaneous attacks potentially overwhelm any coordinated national and international response marks a new era.

In conclusion, all these phases are marked by major incidents, for instance Lockerbie, Scotland in December 1988 and the events of Sept. 11th 2001. Hijacking and sabotage have been consistent approaches used by adversaries, but what has changed is the philosophy behind the attacks. Historically, the approach to aviation security has been fragmented and improvements to aviation security have always been reactive.
Recommendations put forward by different organisations dealing with security have typically been adopted as a response to an incident. Surprisingly, aviation security measures proposed after the Lockerbie bombing were not made mandatory or applied globally. Thus, on Sept. 11th 2001 a huge number of states had not yet implemented many of the proposals based on the lessons learnt to improve the security situation (e.g. 100% passenger and hold baggage screening and positive baggage reconciliation).

In recent years there has been an interest in developing a global security policy to overcome the fragmented approach and differences in application of security measures in aviation. The heightened focus on aviation security resulted in the pro-active management of security threats and vulnerabilities throughout the aviation industry in general. For example, the role of air traffic management as an enabler for air transportation has gained momentum and resulted in various security activities (c.f. security in NGATS, SESAR, etc.) referred to as ATM Security. There is a debate, which I will not fuel further, about whether the on-going approach to aviation security has been triggered by the events of Sept. 11th. But the industry has moved forward with respect to another paradigm shift. One of the key lessons that has been learnt is that there is no 100% security. The task of securing air transportation is a mammoth one and it requires a set of various layered measures addressing different aspects of aviation. Moreover, prevention can fail, requiring resilience during response to and recovery from security incidents.

The fact that complete security is impossible is the reason security experts recommend layered security. The idea is to have a set of measures that - similar to the skins of an onion - aim to protect the core: the asset. These different layers may be organisational, operational and technical measures undertaken by a variety of units/actors.

3.2 Key Organisations and Aviation Security Players

This section introduces the key organisations involved in the development and implementation of aviation security policy across the EU and the rest of the world.

3.2.1 ICAO

The International Civil Aviation Organisation (ICAO), a non-governmental organisation body within the United Nations, came into being on April 4th 1947. ICAO's mission is to develop the principles and techniques of international air navigation and to foster the planning and development of international air transport. Improvement in international aviation security is made through Standards and Recommended Practices (SARPs) agreed upon by Contracting States. These are set forth in Annex 17 (and subsequent documents, e.g. DOC8973, Security Manual for Safeguarding Civil Aviation Against Acts of Unlawful Interference) to the Chicago Convention. It is through the Conventions, to which all States are signatories, that they are obligated to adhere to international standards.

Annex 17 to the Convention on International Civil Aviation, entitled "Security: Safeguarding International Civil Aviation Against Acts of Unlawful Interference", lays out the minimum security standard expected of all contracting states. Annex 17 defines Aviation Security as "a combination of measures and human and material resources intended to safeguard civil aviation against acts of unlawful interference". In light of this talk it can thus be considered as an integrated and joined approach by various stakeholders. Today, ICAO Annex 17 recognizes three principal actors in aviation security: States, Airports and Airlines. The state has a monitoring and inspecting role, ensuring the application and implementation of security measures through a national security programme. It is anticipated that the planned update of Annex 17 will extend the list of actors to include Air Navigation Service Providers.

3.2.2 ECAC

ECAC (European Civil Aviation Conference) was founded in December 1955 by 19 States (now 42) as an intergovernmental organisation. In close liaison with ICAO and the Council of Europe, ECAC's aim is to promote the continued development of a safe, efficient and sustainable European air transport system that has regard to environmental requirements. Acting independently of ICAO, ECAC can adopt procedures well in advance of those established by the UN body, and indeed it can usually draw on its Member States' collective experience of new procedures when proposing or supporting the introduction of standards and recommended practices in the world forum.

ECAC's main achievements in the field of aviation security consist of the development of a European aviation security manual, Document 30, the establishment of a security audit programme and an integration and technical assistance programme, including aviation security research and training.

3.2.3 European Commission

On 10 October 2001, the European Commission proposed the adoption and enforcement of common security rules for civil aviation across the Member States based on ECAC Document 30. The overall objective of this regulative action was to establish and implement appropriate Community measures for both international and domestic flights. A subsidiary goal was to provide a common interpretation of the related ICAO provisions.

3.2.4 Other Organisations

There are various other organisations which are concerned with or have a posture on aviation security. The following non-exhaustive list may serve as an input for the interested reader: EUROCONTROL, NATO, State Authorities dealing with Security Matters, EUROPOL, IATA, airline associations, IFALPA, IFATCA, etc.

4. Some Aviation Security disciplines

Terminology is a constant discussion point amongst security experts. The term Aviation Security as defined by ICAO (c.f. 3.2.1) is a broad concept that might be subdivided into smaller disciplines. Up to now, there is no commonly agreed ontology and set of terms for aviation security sub-disciplines. The following sections shall not contribute to the proliferation of terms, nor do they aim to be carved in concrete or complete. Here, I simply list a couple of areas that are used to apportion aviation security or have gained higher attention recently.

4.1 Aircraft Security

The protection of an airframe - by primarily technical security measures - to prevent attacks and unlawful interference. Aircraft security revolves around the aircraft as the key asset and aims at the integrity of the flight deck/air crew, the cabin or aircraft hull. An example of an aircraft security measure is the fortified cockpit door, which counters unauthorised access to the cockpit. Less visible measures comprise the use of biometrics to positively identify crew members or maintenance staff accessing mission-critical on-board systems. A re-occurring theme resulting in various research activities is the prevention of missile attacks on aircraft (MANPADS, man-portable air defence systems) based on past experiences. For example, on November 22nd 2003, an Airbus A300B4-203F cargo plane, operating on behalf of DHL, was hit by a 9K34 Strela-3 missile while departing from Baghdad. The crew managed to land the crippled aircraft safely by using only differential engine thrust (power-and-attitude flying).

4.2 Airport Security

Airport Security refers to the techniques and methods used in protecting airports and avoiding harm to aircraft and passengers. From a functional perspective an airport can be described as the synchronisation point between various value chains, e.g. passengers (dis)embarking on(/from) a flight, cargo on/offloaded and shipped, supplies (catering, fuel, etc.). Recent years have seen major investments in non-aviation related facilities and an ever-increasing number of non-flying visitors. The following slogan might represent this best: "Tomorrow's airports are shopping malls."

Most of us will relate Aviation Security to the security checks performed at an airport, namely passenger and hand-baggage screening. On August 10th 2006, British authorities managed to foil a terror plot aimed at detonating liquid explosives on flights between the UK and US. All of us are aware of the resulting limitations and procedures with respect to liquids and gels when travelling by air. Less visible, but requiring continuous effort, is the screening of checked and hold baggage. For example, the single deadliest airline catastrophe resulting from the failure of airport security to detect a bomb being loaded onto an aircraft was Air India Flight 182 in 1985, which killed 329 people.

4.3 Air Traffic Management Security

As indicated above, ATM Security has received higher attention in recent years as a result of the continued threat to the aviation industry. As air traffic management plays a critical part in ensuring that civil aviation can continue to operate normally, its security has gained importance. ATM Security is concerned with those threats that are aimed at the ATM System directly, such as attacks on ATM assets, or where ATM contributes to the prevention of or response to threats aimed at other parts of the aviation system (or national and international assets of high value) and limiting their effects on the overall ATM Network. Another driver for ATM Security is related to the pervasive nature of communications and interoperability known as system-wide information management (SWIM), which forms a cornerstone of the on-going research activities under the umbrella of NGATS and SESAR.

5. Human Factor in Security

The last section of this paper will be dealing with Human Factors in security. It is obvious that the aviation industry has made substantial progress in the area of security. After the first urgent measures were taken, the entire system has attuned itself to handling the security of air transportation more seriously and professionally. Nonetheless, there is an overemphasis on so-called terrorist attacks and technical measures. Recent research on Human Factors in security has been focussing on the performance of screening staff at airports (Dillingham, 2001) and subsequent ergonomic and technical improvements. It is time to do an interim debriefing and try to measure the effectiveness of security measures in order to improve resource allocation and consequently the level of security.

Recent studies have shown that the human factor is the area of greatest variability and the weakest link of a security system (Patrick, 2002; Dourish et al, 2003), and thus the source of a majority of security risks. Before declaring that humans are the enemy, we should consider how we integrate humans and security in our daily operations, why they do specific things, what humans are good at and what they are trained to do. Grinter and Smetters (2003) identified challenges to embedding security and postulated that security cannot be considered in the abstract, separated from a particular application and context of use. However, Human Factors are typically not part of the equation when constructing threat and vulnerability models or undergoing security risk assessments.

The general aim of Human Factors in security can be defined as applying the social and behavioural sciences to improve detection, analysis, and understanding of the threats posed by individuals and their vulnerabilities, with a view to supporting resilient operations of aviation/ATM. From that perspective Human Factors will have to address the following areas of interest:

- Selection: recruiting the right person for both fields, the standard aviation operational function as well as the new aviation security function.
- Performance, Training and Competence: developing the right techniques and tools to assess human performance and resiliency, and associated proficiency and competence training modules.
- Post-incident: initiation and coaching of security incident responders and participants.

These threads are aiming to produce competencies and capacities that are not typically found in aviation, e.g. psychologically and physically trained operators and incident experts, procedures and habit patterns to enhance security awareness and perception, stress management and fatigue (physical, motivational, etc). An interesting framework to populate Human Factors research has been proposed during the AVSEC2004 panel discussion on "Managing Stress, Trauma and Change in the Airline Industry" (Behnke et al, 2004), as depicted in the following figure. Based on current realities it expands on incident management life-cycle phases and related human factor aspects and processes. This framework can serve as a reference for the threads mentioned above and I am positive that some of you might explore and research aspects of this matrix.

Figure 5: Human Factor framework (Behnke et al, 2004)

I want to address two areas that I find require immediate attention: (stress & trauma) incident stress management and individual stress response awareness with respect to insider threats.

As stated above, Human Factors in security require special abilities to cope with incident trauma and stress, both during and after an incident. There has been research into crowd behaviour, hostage situations etc for police, law enforcement and special forces. There is much recent research into psychological aspects of terrorism (psychological aspects, several). However, these efforts offer limited insight for security in air transportation and are not yet available as security training and development modules. An initial attempt has been developed by DFS, offering a so-called first speaker training for Air Traffic Controllers. There is a requirement for Human Factor expertise to improve personnel job satisfaction, retention, and performance; to support new procedures and technologies; and to incorporate security and resilience concepts into our day-to-day procedures.

Human Factors based design and engineering has a long and successful record concerning the enhancement of human performance. Following the Yerkes-Dodson Law of Arousal, optimum performance occurs at intermediate levels of stress. Thus, when the levels of arousal become too high, performance will decrease (YDL, several). The aim is to develop and provide tools and techniques to keep human performance in the peak area of the Yerkes-Dodson Law curve. The point I want to make here is that we need to review the ways we operate to make sure that, on top of normal day-to-day operations, humans have the capacity and skills to stay within the bounds of optimal performance.

Figure 6: Yerkes-Dodson Law of Arousal

Earlier, we touched on the insider security risk (Schultz, 2002; SEI, 2005). Insiders can be current or former employees and contractors who have or had authorized access to their organisation's resources, systems and networks, who are familiar with internal policies, procedures, and technology, and who can exploit that knowledge to facilitate attacks and even collude with external attackers. Social Engineering is an often unrecognised threat even though it is a common method for obtaining access or by-passing security. Many employees are completely unaware that they're the weak link with respect to disclosing information about security policies and practices.

It is difficult to estimate how often organisations face attacks from within. It has been suggested that insider attacks are commonly under-reported for various reasons (insufficient level of damage to warrant prosecution, lack of/insufficient evidence to prosecute, and concerns about negative publicity, etc). Recent research on insider threats focuses primarily on cyber attacks (NRC, 2002; SEI, 2005). The 2006 E-Crime Watch Survey conducted by the US Secret Service and the SEI CERT program revealed that in cases where respondents could identify the perpetrator of a cyber attack (e-crime), 32% were committed by insiders. These efforts have resulted in an extensive list of recommendations and best practices for countering insider cyber attacks.

As stated above, security requires a layered approach entailing organisational, operational and technical measures. Security awareness and human performance are therefore interrelated aspects and enablers for successful security management. From that perspective, I see a security-centred crew resource management approach. Applying these techniques to ensure that the humans in the system are ready for changes in procedures, organisation and regulation, and technologies will be a valuable contribution to resilience.
As is also true with respect to safety, it is unreasonable to expect that aviation and air traffic management will ever be completely free of risk as a result of increased security. However, it must be the goal of everyone in the system to eliminate as many known deficiencies as possible. In summary, many layers of security must be upgraded to achieve an air transportation system that is as secure and resilient as it is safe. Similarly, there are many subdivisions in the field of Human Factors with the relevant knowledge and tools to accomplish this. This section may have highlighted potential avenues for improving security.

7. Summary

This paper covers various topics, each of them justifying a separate presentation. Rather than echoing what we touched so far, I would like to re-use the conclusions of a recent presentation on Threats to aviation (Woodall, 2007). Air Transportation is a global business, with global links, hubs and inter-connections. Air Traffic Management is a key enabler ensuring the safe, orderly and expeditious flow of air traffic. The threat can move, twist and turn to accommodate and exploit this fact. It will continue to seek the weakest link and exploit it. Success in any area, against any target at any time will affect aviation in Europe in some way, shape or form. Sept 11th 2001 taught us that a successful attack on aviation, even outside Europe, can have dramatic and long lasting repercussions for us all. We may not agree on who faces the biggest threat, its size, severity, breadth and depth. But we should all agree there is one and it affects us all no matter where it manifests itself. We have to be lucky every day - They only have to be lucky once! The smarter we work, the closer we work, the luckier we will get! Human Factor considerations are gaining a more important role. E.g. aviation security related research including HF.

In conclusion, there are gradations of resilience within the risk chain, and thus, the manipulation of any element of security risks, whether threat, vulnerability, or consequence, will cause the resilience of a system, network, or asset to change. Ultimately, a more resilient air transportation system proves better able to recover from natural and man-made disasters, less susceptible to disruption, and thus, less attractive to attacks of adversaries. Proactively addressing the elements of the risk chain can positively impact resilience. A resilient approach transforms the basic premise of security - that of physically and technically hardening and locking down an asset so that it is free from harm - to one that positions security as a contributor to strengthening the organisation's ability to adapt to new risk environments and accomplish its mission. Aiming to make the organisation more sensing, agile, and prepared provides a clearer purpose, direction, and context for security management. Looking beyond security (to resiliency) may provide the change in perspective that organisations need to balance security and risk management with the organisation's strategic objectives. The latter will emphasise organisational and operational security measures over technical controls and thus integrate Human Factors in security as well. There is a need to integrate Human Factors not only into the equation, but also make them part of the solution.

References

Andersson Jan J. and Andreas Malm (2004), Minding the Gap: Reconciling Responsibilities and Costs in the Provision of Societal Security, in CRN Workshop Report, Societal Security and Crisis Management in the 21st Century, Swedish Emergency Management Agency, Stockholm, pp 33-52, 2004.

Aviasolutions and Irish Aviation Authority on behalf of the European Commission, DG TREN (2004), Study on civil Aviation Security Financing, Study Nr. TREN / F3 / 51-2002, Summary of Final Report, September 2004.

Bailey Elizabeth E. (2002), Aviation policy: past and present, Association Lecture, The Free Library, http://www.thefreelibrary.com/Aviation (accessed 07.06.2007), 2002.

Behnke Paul, Keith MacDonald, Jessica Stockwell and Dai Williams (2004), Managing Stress, Trauma and Change in the Airline Industry, Panel Discussion, AVSEC World 2004, Vancouver, November 3rd 2004.

Brackney Richard C. and Robert H. Anderson (2004), Understanding the Insider Threat, Proceedings of a March 2004 Workshop, RAND report CF196, http://rand.org/pubs/conf_proceedings/CF196 (accessed 05.06.2007), 2004.

Caralli Richard A. (2004), The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management, Carnegie Mellon University, Technical Report, CMU/SEI-2004-TR-010, 2004.

Caralli Richard A. and William R. Wilson (2004), The Challenges of Security Management, Software Engineering Institute SEI, http://www.cert.org/archive/pdf/ESMchallenges.pdf (accessed 27.06.2007), 2004.

Dillingham G.L. (2001), Aviation Security: Weaknesses in Airport Security and Options for Assigning Screening Responsibilities, US General Accounting Office, GAO-01-1165T, 2001.

Dourish Paul, Jessica Delgado de la Flor, and Melissa Joseph (2003), Security as a Practical Problem: Some Preliminary Observations of Everyday Mental Models, Workshop on Human-Computer Interaction and Security Systems, part of CHI2003, Fort Lauderdale, April 5-10th 2003.

Freedman Lawrence (2006), The Revolution in Strategic Affairs, Adelphi Paper 379, Routledge, 2006.

Grinter R. E. and D. K. Smetters (2003), Three challenges for embedding security into applications, Workshop on HCI and Security Systems, ACM Computer-Human Interactions Conference, 2003.

ISO/IEC 15408 (2005), Common Criteria, Information technology - Security techniques - Evaluation criteria for IT security, Part 1: Introduction and general model, International Organization for Standardization, 2005.

ISO/PAS 22399 (2007), Societal security - Guideline for incident preparedness and operational continuity management, International Organization for Standardization, 2007.

Neumann Peter G. (1995), Computer-Related Risks, Addison-Wesley, 1995.

Neumann Peter G. (2006), Illustrative Risks to the Public in the Use of Computer Systems and Related Technology, ftp://ftp.sri.com/risks/illustrative.html (accessed 05.06.2007).

NRC (2002), Cybersecurity Today and Tomorrow: Pay Now or Pay Later, Computer Science and Telecommunications Board, National Research Council, National Academy Press, Washington D.C., 2002.

Patrick Andrew (2002), Human Factors of Security Systems: A Brief Review, National Research Council of Canada, March 19th 2002.

Psychological aspects (several) - some exemplary resources/recommended reading
- Alexander, David A. and Susan Klein, The psychological aspects of terrorism: from denial to hyperbole, Journal of the Royal Society of Medicine, 2005 98: pp 557-562, 2005.
- APA briefing: The Psychological Impact of Terrorism on Vulnerable Populations, June 2003, http://www.apa.org/ppo/issues/terrorbrief603.html (accessed 07.06.2007), 2003.
- Butler Stith, Allison M. Panzer and Lewis R. Goldfrank (Eds.), Preparing for the Psychological Consequences of Terrorism: A Public Health Strategy, Committee on Responding to the Psychological Consequences of Terrorism, Adrienne, 2003.
- Human factors & technology for countering terrorism, http://www.apa.org/ppo/issues/snasbehavefact.html (accessed 07.06.2007).
- S. Ozeren, I.D. Gunes and D.M. Al-Badayneh (Eds.), Understanding Terrorism: Analysis of Sociological and Psychological Aspects, Volume 22, NATO Science for Peace and Security Series: Human and Societal Dynamics, June 2007.

Schultz Eugene E. (2002), A framework for understanding and predicting insider attacks, Compsec 2002, London, pp 526-531, 30 October 2002.

SEI (2005), Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, U.S Secret Service and CERT Coordination Center, May 2005.

Woodall Mike (2007), Transport Security & Contingencies Directorate (TRANSEC), UK Department for Transport, The Threat to European Aviation, presentation given during NATO/EUROCONTROL Workshop on Security Incident Management (SIM), June 26th 2007.

Wilkinson P. and B. Jenkins (eds.), Aviation Terrorism and Security, Cass Series on Political Violence, Routledge, March 1999.

YDL (several) - exemplary resources/recommended reading
- Post, Jerrold M. (1993), The Impact of Crisis-Induced Stress on Policy Makers, in Avoiding Inadvertent War, George A. (Eds.), Westview Press, Boulder, 1993.
- FAA Human Factor web-training on cognition, http://www.hf.faa.gov/Webtraining/Cognition/Workload/Mental3.htm
- Yerkes, R. M. and Dodson, J. D. (1908), The relation of strength of stimulus to rapidity of habit-formation, Journal of Comparative Neurology and Psychology, 18, 459-482.

Biography

Rainer Kölle is an ATM Security expert with EUROCONTROL, ATM Security Domain, which he joined in April 2005. Rainer has worked in aviation and air traffic management throughout his career. Prior to joining EUROCONTROL, he served as a career officer in the German Air Forces with 18 years' service experience in total. During this time he was seconded to various international organisations. Rainer represents EUROCONTROL in various standardisation activities, R&D projects and policy guidance working groups (e.g. EUROCAE WG72, SESAR, ECIP). He is active in a number of security and risk analysis networks on crisis management, critical infrastructure protection and ATM/aviation security. Rainer's research focus is on time-critical decision making in aviation security, decision making under uncertainty and real-time threat assessment, high-level and distributed information fusion/communication systems and shared situation awareness. He further has a strong background in cognitive system engineering, resilience engineering, complex adaptive systems and network centric operations. Rainer holds a Diploma in Electrical Engineering from the University of the Bundeswehr and a Bachelor degree in Economics. He is currently enrolled in a part-time PhD programme with Lancaster University, Aviation Security Group.

Address: EUROCONTROL, Directorate ATM Programmes DAP/SSH, ATM Security Domain, Rue de la Fusee 96, B-1130 Brussels, Belgium
E-mail: rainer.koelle@eurocontrol.int

The views expressed in this article are those of the author. They do not necessarily represent the views or policy of the author's employer.
