Article info
Article history:
Received 7 September 2012
Accepted 21 January 2013
Abstract
Planning Threat Assessments (TAs) within an area consisting of numerous chemical installations should
be part of adequate and sound Management Of Change procedures (including a baseline periodic TA, on
top of change control) of every company belonging to the chemical and process industries. This paper
discusses the optimization of threat assessment planning activities. By establishing a planning procedure
that objectively determines the need for TAs for all kinds of threats, correct, updated and consistent
information becomes easily available to the company's security management department. Threat assessments to be carried out in each facility belonging to an organization can thus easily be scheduled on
an organization-wide scale. A prioritization can be made considering legislative requirements, the type
of threats, the type of assessment to be carried out, the availability of external experts, etc.
© 2013 Elsevier Ltd. All rights reserved.
Keywords:
Threat Assessment
Complex industrial area
1. Introduction
Since the WTC attacks of 9/11, threats by terrorists and criminal
actions are often included in a chemical company's assessment of
risks. The tragic events in 2001 have made many organizations
aware of the real risk of an intentional release, deviation or theft
of hazardous chemicals with the intent to cause damage or even
devastation or disaster. Such actions may result in a large number of
public fatalities, environmental and economic damage and undermine the confidence of society (see e.g. Baybutt, 2003; Cornwell &
Roberts, 2010; Rosenthal & Muller, 2007). Accidents thus not only
occur when people make errors or mistakes, or when equipment
fails. They can also be the result of intentional acts. Deliberate acts
are performed with the intention of causing harm and include
terrorism, sabotage, vandalism and theft. The focus of this paper is
on the last type of risks.
A Threat Assessment (TA) takes all the threats from inside and
outside an organization into account. TA is a specific step in a security risk assessment, and can be briefly explained as a method to
determine the threat capabilities, strength, motives, weapons,
tactics, likelihood of attack, etc. As indicated in API Recommended
Practice 780 (2012), Threat Assessment is an important part of a
(company) security management system. There is a need for
* Corresponding author.
E-mail addresses: genserik.reniers@ua.ac.be (G. Reniers), jean-luc.wybo@minesparistech.fr (J.-L. Wybo).
0950-4230/$ - see front matter © 2013 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.jlp.2013.01.009
G. Reniers et al. / Journal of Loss Prevention in the Process Industries 26 (2013) 1662-1669
Practice 780 (2012). The API guidance is concerned with elaborating, explaining and discussing a security risk assessment
methodology, and goes beyond the scope of this paper, since, as
already indicated, threat assessments are only part of a full-scale
security risk analysis.
The carrying out of safety-related risk analyses is regulated but
does not account for possible threats and only counts for internal
safety in a chemical plant. In Europe for example, Council Directive
96/82/EC (Council Directive, 1997), sets a term of 5 years for
revising the risk analysis when a number of dangerous substances
are present within the company.
Based on current events, new technologies, incident records,
etc., a period in which the threat assessment should be revised, is
suggested in this paper. The factors that give occasion for such a
threat assessment revision, are identified and discussed.
2. Methodology
The first part of the study consists of conducting an extensive
literature review to identify threats present in a chemical company.
A lack of security increases the risk of an unwanted (deliberate)
event. Therefore a general list of threats was developed that can be
used by any chemical organization. To do this, internal, external and
internal assisted (an external person who is helped by an internal
person) threats were taken into account. All hazards that are susceptible to intentional criminal action were included. The threats
apply to any company of the industry and they apply to local,
regional or national events. In a second part of our study, a flowchart is elaborated and proposed. The flowchart should be
employed to check whether a TA is present for a certain threat or
whether the existing TA is still valid for the present conditions.
Different suggested triggers make it possible to control the present
threat awareness level within any installation belonging to a
chemical plant and the existence of appropriate countermeasures.
By doing so, the company is able to check its security level. The use
of the flowchart might lead to a review of a TA for a specific threat.
Afterwards, a review of the SRA might also be desirable or appropriate, or not. This depends on the results of the newly carried out
TA. The triggers which may have an influence on the characteristics
of the threats, are defined and described in this paper. In the third
part of the study, the planning and timing of threat assessment
reviews are suggested and discussed. An implementation algorithm
is suggested to implement the flowchart in a complex organization.
3. Research results
3.1. Security threats
A security risk is any event that could result in the compromise of
organizational assets. The unauthorized use, loss, damage, disclosure,
or modification of organizational assets for the profit, personal interest, or political interests of individuals, groups, or other entities constitutes a compromise of the asset, and it also includes the risk to harm
people (CCPS, 2003). Due to security risks, there may thus be
physical damage as well as human detriment. A security threat
is not the same as a security risk, and can be defined (API
Recommended Practice 780, 2012) as any indication, circumstance, or event with the potential to cause loss of, or damage to, an
asset. It can also be defined as the intention and capability to undertake actions that would be detrimental to valued assets. Hence,
a threat implies the notion of intention and indication to cause
malicious acts. The compiled list of security threats given hereunder should be regarded as a (general) non-exhaustive list. It is
obvious that circumstances, working conditions, living conditions,
etc. change continuously or from time to time, and new security
threats will arise. Some security threats on the list may thus not be
present in the company but are standard for the chemical industry
and/or for local, regional or national events. These threats should be
kept on the list because they may become present in the future due
to changes. Nonetheless, security management should keep an in-use list with security threats up-to-date. Table 1 shows a list of
security threats that should be regarded as essential.
Besides the threats mentioned in Table 1, also contextual factors
may be very important contributors to a certain level of threat. Such
factors should also, at least to some extent, be taken into account. Contextual factors can be for example
It might be possible that several triggers do not have a significant influence on the existing results as a single trigger, but they
might have, when considered together. If this appears to be the
case, the Threat Assessment should be reviewed. Otherwise, the
next security threat should be considered.
The TARP flowchart process stops when all security threats from
the list are assessed and evaluated.
When all threats of the list have been considered, and all Threat
Analyses are updated and present, security management needs to
investigate whether a full-scale Security Risk Assessment is desired
or needed for the company, facility or location under consideration.
3.3. Triggers for reviewing a threat analysis
In real life, there are continuous changes in resources enabling
criminals to achieve their goals. Therefore, it is necessary to
discover new threats and to regularly update the existing threat
assessments. Determining changes in the capabilities of the adversary and in internal security measures can be performed by so-called TA-triggers.
A TA-trigger can be regarded as an occasion that results in a
change in the threat. If the threat factor substantially increases or
decreases, a review of the threat analysis is needed. Monitoring
such triggers should be done by security management. The various
TA-triggers should be analysed for every security threat in order to
adequately map the changes within company threats and company
security. Note that a trigger does not necessarily lead to a new
threat assessment. Based on the assessment of the security manager, helped by the list of security threats and by the list of TA-triggers, it is decided by a security team whether there is a need
for a new TA per threat.
Due to the diversity between the different threats, there are
different triggers. Some triggers exert no influence on the threat
assessment, while other triggers do. The trigger occurs or has
occurred when a change in the relevant characteristic of the security threat took place with respect to the last assessment of that
threat. We distinguish nine triggers with different characteristics.
The TA-triggers are discussed hereafter.
3.3.1. Technology
CCPS (2003) indicates that technological advantages can be
used for better but also for worse, the latter by those who desire to
deliberately cause losses. Through research and development,
mankind finds new ways to reach the same goals. A safer way to
produce a hazardous substance or a new technology with benefit
for criminals are examples that give rise to a revision of the
existing threat analysis. This trigger covers the internal (secure
environment) and external (new threats) conditions. ICT is an
example of technology that has completely changed security:
assets and information are protected jointly but also the programs
and databases must be protected. The intention is to observe the
current technological developments. This can either be used for
the reduction of threats, as well as for the assessment of new
threats.
3.3.2. Neighbouring activity
Activities in the surroundings of the chemical company may
give rise to an increased or decreased security threat. An adjacent
chemical company with excellent, respectively poor, security
measures may affect the security level of the own company in a
positive, respectively negative, way. Another neighbouring activity
would be the construction of a railway or waterway near a chemical
company making it easier to get into the proximity of a plant. Yet
another possibility for danger would be the damages of a neighbouring activity spreading to the plant (by so-called domino
effects). CCPS (2003) warns for collateral exposure and defines this
as the presence of third-party high-vulnerability entities or high-threat targets, which is possible for example when the company is
located close to attractive targets such as embassies, religious
buildings, military installations, etc. A change in this trigger clearly
may have an impact on the security of the process company and
associated security measures.

Table 1
Basic list of security threats with possible targets.
Security threats | Target
Criminal threats
Assassination | People assets
Attack, assault or harassment | People assets
Bombing | Physical assets, People assets
Civil disorder | Business and financial status, People assets, Physical assets
Crime | Various
Cyber attack | ICT network, information assets
Drive by shooting | Business and financial status, People assets
Fire/arson | Various
Funding | Various
Inadvertent disclosure | Business and financial status, People assets, Physical assets
Kidnapping | People assets
Leakage | Business and financial status, People assets, Physical assets
Manipulation of data/information | Business and financial status, ICT network, Image, Information assets
Physical assault | People assets
Poisoning | People assets
Robbery | Physical assets
Sabotage | Physical assets
Sexual assault | People assets
Theft | Physical assets
Unauthorized or forced access | Various
Vandalism | Business and financial status, Physical assets
Verbal assault or harassment | People assets
Terrorist threats
Assassination | People assets
Attack, assault, or harassment | People assets
Bombing | Physical assets, People assets
Cyber attack | ICT network, Information assets
Drive by shooting | Business and financial status, People assets
Fire/arson | Various
Funding | Various
Inadvertent disclosure | Business and financial status, People assets, Physical assets
Kidnapping | People assets
Leakage | Business and financial status, Image, People assets, Physical assets
Loss of data or sensitive trade material | Business and financial status, Image, Information assets
Physical assault | People assets
Poisoning | People assets
Sabotage | Physical assets
Unauthorized or forced access | Various
Vehicle bombing | People assets, Physical assets
Verbal assault or harassment | People assets
Foreign intelligence services threats
Assassination | People assets
Civil disorder | Business and financial status, People assets, Physical assets
Cyber attack | ICT network, Information assets
Financial stress or gain/influence | Business and financial status
Funding | Various
Impersonation of staff member | People assets
Isolation | People assets
Kidnapping | People assets
Loss of data or sensitive trade material | Business and financial status, Image, Information assets
Loyalty/coercion/corruption/collusion
Manipulation of data/information
Various
Poisoning
Robbery
Sabotage
Theft
Unauthorized or forced access
Threats from commercial or industrial competitors
Co-location with high risk tenants | Business and financial status, Image, People assets, Physical assets
Commercial espionage | Business and financial status, Information assets
Discrimination/prejudice | Image, People assets
Disgruntled employee | Image, Information assets
Failure of equipment (e.g., maintenance and reliability) | Business and financial status, Image, Physical assets
Financial stress or gain/influence | Business and financial status
Funding | Various
Impersonation of staff member | People assets
Isolation | People assets
Loyalty/coercion/corruption/collusion | Various
Manipulation of data/information | Business and financial status, ICT network, Image, Information assets
Public perception | Business and financial status, Image
Reluctance to adopt security policy | Various
Staff attraction | Image, Information assets, People assets
Staff loyalty | Image, Information assets, People assets
Stress related behavioural issues | People assets
Theft | Physical assets
Travel | People assets
Threats from malicious people
Assassination | People assets
Attack, assault or harassment | People assets
Bombing | Physical assets, People assets
Civil disorder | Business and financial status, People assets, Physical assets
Crime | Various
Cyber attack | ICT network, information assets
Discrimination/prejudice | Image, People assets
Disgruntled employee | Image, Information assets
Disruption of service | Business and financial status, ICT network, Image, Physical assets
Drive by shooting | Business and financial status, People assets
Failure of equipment (e.g., maintenance and reliability) | Business and financial status, Image, Physical assets
Fire/arson | Various
Fraud | Business and financial status, Image
Funding | Various
Impersonation of staff member | People assets
Inadequate emergency management procedures | Various

Table 1 (continued)
Security threats
Target
Various
Various
Business and financial status, People assets, Physical assets
People assets
Business and financial status, Image, People assets, Physical assets
Business and financial status, Image, Information assets
Various
Kidnapping
Leakage
People assets
Business and financial status, Image, Physical assets
Business and financial status, ICT network, Image, Information assets
Various
People assets
People assets
Business and financial status, Image
Business and financial status
Various
Physical assets
Physical assets
People assets
People assets
Image, Information assets, People assets
Image, Information assets, People assets
People assets
Physical assets
People assets
Various
Business and financial status, Physical assets
People assets
People assets, Physical assets
3.3.3. Politics and prosperity
A stable prosperity is accompanied by a stable political government. However, this harmony cannot be found everywhere in
the world. Chemical companies located in a country where political
instability rules, are forced to more frequently review their existing
threat analyses due to possible chaos or unexpected events (cfr. also
trigger 9: Learning from external events).
3.3.4. Company's characteristics
The image of the company may give rise to controversy and even
to hatred. Dismissals and staff changes can also undermine an organization's security since such people know the company from the
inside. Even the future strategy of a company may give rise to new
threats.
In year 10, all TAs for the general security threats list are reviewed,
as well as all TAs for major security threats. These reviews are
carried out regardless of whether any changes occurred. Moreover,
frequent-assessment threats (mentioned on a specific list) are
assessed with a higher frequency, for example every year. The review frequency depends on different factors specific for industrial
activities, and is determined by company security management.
To check for changes in a systematic way, it is recommended
to use a 2-year frequency for implementing the TARP flowchart
within the parts of the company. Security management ultimately
decides on the TARP implementation frequency. It should be noted
that the 2-year period may for example be different from one facility (or installation or factory) to another, within one company.
As we mentioned with the trigger number 9 (Learning from
external events), if a sudden event (outbreak of civil war, technological revolution, etc.) with a major impact on security threats
would occur anywhere else, it is straightforward that security
management does not have to wait to use the TA-triggers. If a new
threat assessment would be required to account for the analysis of
that event, it should be planned as soon as possible. This can be
seen as an event-driven asynchronous updating scheme.
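The review timing described in this section can be sketched as a small planner. This is an added illustration in Python, not code from the paper: the field names, the priority order between the rules and the sample register are assumptions, and whether a trigger change is significant is taken as an input from the security team rather than computed.

```python
from dataclasses import dataclass, field

BASELINE_PERIOD = 10  # "in year 10" every TA is reviewed, changes or not
TARP_PERIOD = 2       # recommended flowchart frequency; may differ per facility
FREQUENT_PERIOD = 1   # "for example every year" for frequent-assessment threats


@dataclass
class Threat:
    name: str
    has_ta: bool = True                 # is a TA on file for this threat?
    frequent: bool = False              # on the frequent-assessment list
    significant_triggers: list = field(default_factory=list)  # significant on their own
    combined_significant: bool = False  # minor changes judged significant together
    external_event: bool = False        # trigger 9: sudden major external event


def plan_reviews(threats, cycle_year, tarp_period=TARP_PERIOD):
    """Return {threat name: reason} for the TAs to schedule in cycle_year (1..10)."""
    baseline_due = cycle_year % BASELINE_PERIOD == 0
    flowchart_due = cycle_year % tarp_period == 0
    plan = {}
    for t in threats:
        if t.external_event:
            # Event-driven asynchronous update: do not wait for the next run.
            reason = "event-driven: plan as soon as possible"
        elif baseline_due:
            reason = "baseline review (year 10)"
        elif t.frequent and cycle_year % FREQUENT_PERIOD == 0:
            reason = "frequent-assessment threat"
        elif flowchart_due and not t.has_ta:
            reason = "flowchart: no TA on file"
        elif flowchart_due and t.significant_triggers:
            reason = "trigger: " + ", ".join(t.significant_triggers)
        elif flowchart_due and t.combined_significant:
            reason = "triggers significant when considered together"
        else:
            continue  # TA still valid; move on to the next threat on the list
        plan[t.name] = reason
    return plan


# Constructed sample register (threat names from Table 1, states invented).
SAMPLE = [
    Threat("Theft"),
    Threat("Cyber attack", frequent=True),
    Threat("Sabotage", significant_triggers=["Neighbouring activity"]),
    Threat("Vandalism", combined_significant=True),
    Threat("Bombing", external_event=True),
    Threat("Leakage", has_ta=False),
]

if __name__ == "__main__":
    for year in (1, 2, 10):
        print(f"cycle year {year}")
        for name, reason in plan_reviews(SAMPLE, year).items():
            print(f"  {name}: {reason}")
```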
3.5. TARP implementation diagram
Reniers (2009) indicates that the review planning concept can
be integrated in a complex organization by the following five
steps. In the case of the suggested threat assessment planning, the
first step is for facility/installation/factory/location management
to collect the general and present security threats for the facility
and keep this list of security threats up-to-date. Step 2 covers the
periodic use of the TARP Decision Flowchart. This step points
out if there is need to review one or more TAs for the region
under consideration. If this is not the case, local management
keeps the list of security threats in order and looks forward to the
next period. If there would be need for one or more TA reviews,
the organization's company security management is informed in
detail about the triggers, potential threats, scenarios, timeline,
etc., completing step 3. In a next step, company security management plans the necessary TA reviews and assessments of
existing/needed countermeasures for the whole organization,
taking the different factory/installation management recommendations into account. This way double work or different approaches or methods are avoided, and a TARP plant-wide
overview scheme is created. Company security management holds
a good view about the present security threats, security measures
and review planning in the different departments of the organization. A last step is the execution of the planned TAs aligned
with all other planned TAs. When all reviews have been executed,
the cycle starts again. Local management keeps the list of security
threats up-to-date until the TARP Decision Flowchart is used over.
Fig. 3 shows the different steps composing the TARP flowchart
implementation diagram.