This study found that the security assessment undertaken before a port facility security system is established must be performed correctly to ensure that the system is set up in accordance with the ISPS Code. It also found that an appropriate methodology is required to carry out the port facility security assessment correctly.
The risk assessment methodology used in the safety field has been adopted as the security assessment methodology for this study. The study looks at seven stages of risk assessment.
At the first stage, the important assets and infrastructure requiring protection are identified and evaluated. This is needed to clearly identify the function of the assets and infrastructure within the port facility, ascertain which of them are to be protected from security threats or security incidents, decide on their relative importance, and determine which are to be subjected to the security assessment.
All identified assets and infrastructure should be included in the evaluation. Three parts should be considered in the evaluation. First, the role or objective of the assets and infrastructure in the operation of the port facility should be considered. The next consideration should be the effect of destruction. Finally, the ability to recover from destruction of the assets and infrastructure should be considered.
At the second stage, an on-site security survey is carried out. An on-site security survey is a process through which the present security conditions of the port facility, and of the important assets and infrastructure within it, can be identified. The survey should consider security procedures, security organizations, security equipment and systems, and the security ability of port facility personnel with specific security duties.
At the third stage, the possible threat scenarios and security incidents affecting the important assets and infrastructure are identified. Security incidents that have occurred in the past and the security rules and regulations in force should be considered when identifying the security threats and incidents. The security expert authority should also be consulted.
At the fourth stage, consequence and vulnerability are assessed. Consequence and vulnerability should be evaluated to confirm the effect of each identified security incident and the target's susceptibility to attack. The consequence assessment includes five elements: death and injury, economic impact, environmental impact, national defense impact, and symbolic effect. The vulnerability assessment should be evaluated in two parts: accessibility and organic security. The results of the on-site security survey carried out at the second stage should be considered in the vulnerability assessment.
At the fifth stage, the security risk level is determined, based on the levels of consequence and vulnerability. The security risk is classified into three levels: mitigate, consider and document.
"Mitigate" means that mitigation strategies should be developed to reduce risk for that threat scenario.
"Consider" means that the threat scenario should be considered and mitigation strategies should be developed on a case-by-case basis.
"Document" means that the threat scenario does not need a mitigation measure at this time and therefore needs only to be documented.
At the sixth stage, the mitigation targets and implementation methods are determined. The mitigation targets should be identified based on the security risk level, and the mitigation methods to be implemented for each target should be decided based on their effectiveness and feasibility. Generally, mitigation strategies that lower vulnerability should be considered before mitigation strategies that lower consequences.
At the seventh stage, the security risk is reassessed and the mitigation measures are confirmed based on the result. The mitigation measures determined at the sixth stage should be reassessed to confirm whether they actually reduce the security risk level. The reassessment should start from the fourth stage. If the reassessment shows that the security risk level is not reduced, other mitigation measures should be considered for implementation. If it shows that the security risk is reduced, the mitigation measures should be adopted and planned for implementation in the port facility security system.
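The loop formed by stages four to seven can be sketched as follows. This is an added example, not code or data from the study. The 1-to-3 scoring scale, the 3x3 risk matrix, the use of the worst score as the aggregate, and the sample scenario and measures are all assumptions made for illustration.

```python
# Added example. Scales, matrix and max-aggregation are assumptions, not taken from the study.
CONSEQUENCE = ("death_injury", "economic", "environmental", "national_defense", "symbolic")
VULNERABILITY = ("accessibility", "organic_security")
# Assumed matrix: RISK_MATRIX[consequence level][vulnerability level], levels 1 (low) to 3 (high).
RISK_MATRIX = {3: {1: "consider", 2: "mitigate", 3: "mitigate"},
               2: {1: "document", 2: "consider", 3: "mitigate"},
               1: {1: "document", 2: "document", 3: "consider"}}
RANK = {"document": 0, "consider": 1, "mitigate": 2}

def risk_level(consequence, vulnerability):
    """Stages 4-5: rate a scenario by its worst consequence element and worst vulnerability part."""
    c = max(consequence[k] for k in CONSEQUENCE)
    v = max(vulnerability[k] for k in VULNERABILITY)
    return RISK_MATRIX[c][v]

def with_measure(scores, reduces):
    """Return a copy of the scores with the measure's reductions applied, floored at 1."""
    return {k: max(1, s - reduces.get(k, 0)) for k, s in scores.items()}

def select_measure(scenario, candidates):
    """Stages 6-7: re-run the stage 4-5 rating per candidate; adopt the first that lowers the level."""
    cons, vuln = scenario["consequence"], scenario["vulnerability"]
    baseline = risk_level(cons, vuln)
    if baseline == "document":          # nothing to mitigate, only record the scenario
        return baseline, None, baseline
    # Vulnerability-lowering measures are tried before consequence-lowering ones (stable sort).
    for m in sorted(candidates, key=lambda m: m["target"] != "vulnerability"):
        if m["target"] == "vulnerability":
            residual = risk_level(cons, with_measure(vuln, m["reduces"]))
        else:
            residual = risk_level(with_measure(cons, m["reduces"]), vuln)
        if RANK[residual] < RANK[baseline]:
            return baseline, m["name"], residual
    return baseline, None, baseline     # no candidate helped: other measures are needed

# Constructed sample data (hypothetical scenario and measures).
SCENARIO = {"consequence": {"death_injury": 3, "economic": 2, "environmental": 1,
                            "national_defense": 1, "symbolic": 2},
            "vulnerability": {"accessibility": 3, "organic_security": 2}}
CANDIDATES = [
    {"name": "emergency response drills", "target": "consequence", "reduces": {"death_injury": 1}},
    {"name": "warning signage", "target": "vulnerability", "reduces": {"organic_security": 1}},
    {"name": "gate access control and patrols", "target": "vulnerability",
     "reduces": {"accessibility": 2, "organic_security": 1}},
]

if __name__ == "__main__":
    print(select_measure(SCENARIO, CANDIDATES))
```

A result whose second element is `None` with an unchanged level corresponds to the case where the reassessment shows no reduction and other measures have to be considered.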