Certified Systems to Reduce Security Risks in Modern Societies and the Contribution of the CRISP Approach, Simone WURSTER

6th
International Disaster and Risk Conference IDRC 2016
‘Integrative Risk Management – Towards Resilient Cities‘ • 28 Aug – 1 Sept 2016 • Davos • Switzerland
www.grforum.org
Simone Wurster, TU Berlin, Institut für Technologie und Management, Germany
Nathalie Hirschmann, TU Berlin, Center for Technology and Society, Germany
Irene Kamara, Vrije Universiteit Brussel, Belgium
Thordis Sveinsdottir, Trilateral Research Ltd., United Kingdom
Certified systems to reduce security
risks in modern societies and the
contribution of the CRISP approach

6th
www.grforum.org
DUELING SOCIETAL NEEDS
A Need for Improved Security
 Security threats are evolving in both
public and private environments
 Protection for critical areas is
essential
o e.g. infrastructure, border security,
citizens, etc.
 New security systems are constantly
evolving (physical and digital)
 Challenge: societal risks

6th
www.grforum.org
Fundamental Human Rights
• Respect for private life
• Personal data protection
• Equal treatment
• Non-discrimination
• Presumption of innocence
• Due process
(see The Charter of Fundamental
Rights in the European Union,
article 6)
Societal challenges
 More data is collected than necessary
o Personal information is collected and
shared without consent 
negative social externalities
o examples: discrimination, mistrust
 Fundamental rights may be
infringed upon
 Security systems must be
high-performing, efficient and trustworthy
How to protect both implicit human rights and society?
A pan-European certification system  CRISP

6th
www.grforum.org
WHY CERTIFICATION?
 Certification can help to achieve public trust via
perceived:
 Accountability
 Transparency
 Comprehensive policy, systems and procedures development
(Walker and Johnson, 2009)
 New instruments outside of the legal framework needed
 Growing support from regulators and industry
 Public trust must be gained
 Organisations must be examined from a critical
perspective

6th
www.grforum.org
 Risk  “the combination of the probability of an event and its
negative consequences” (OECD, 2014)
 Risk Management  “the systematic application of
management policies, procedures and practices to the tasks of
analysing, evaluating, controlling and monitoring risk” (ISO, 2007)
 Resilience  “helps to avoid the occurrence of a crisis”, reduces
the magnitude of the impact of an event (Labaka, 2013)
o Core features: anticipation of vulnerabilities, threats and attacks;
preparedness; prevention, detection and response; mitigation;
recovery and sharing responsibility and co-operation between
stakeholders (Wright and Rodriguez, 2012)
 Surveillance  a valuable tool in risk management, but
produces several challenges
THE RISK MANAGEMENT CONTEXT

6th
www.grforum.org
CCTV SYSTEMS

6th
www.grforum.org
EVENT DRIVEN CCTV ACTIVITIES
Sources for parts of the figure: clipartkid.com, stockunlimted.com, clipartpanda.com, curseforage.com,
play.google.com, clipartlord.com

6th
www.grforum.org
CHALLENGES TO RISK MANAGEMENT
 Trade-offs between efficiency and security goals
o “Security is not usually an investment
that provides profit” (ENISA, 2012)
o Security is “the enemy of efficiency”
(Garrison and Levison, 2014)
 May foster a culture of suspicion and undermine trust
(Article 29 DPG, 2007)
 Vast amounts of information are collected
o This leads to decisions that influences people’s lives
 Security systems are not inherently effective

6th
www.grforum.org
CRISP’S GOALS
CRISP’s priority is the development of an innovative
methodology for evaluating and certifying security
systems to:
 Increase citizen trust and confidence in security technologies
 Facilitate a more harmonised playing field via pan-European
certification for security systems
 Provide protection in an efficient manner (Wurster et al., 2016)

6th
www.grforum.org
THE CRISP METHODOLOGY
 A novel approach that:
o Incorporates technical and non-
technical dimensions in the
evaluation stage without
redefining existing technical
requirements
o Integrates S-T-E-Fi dimensions
(Security, Trust, Efficiency and
Freedom infringement)
Incorporates social aspects
Protects fundamental rights
Complies with fundamental
EU laws
Audit and
inspection
Review &
decision
EVALUATION CERTIFICATION
SurveillanceAttestation
Assessment
S-T-E-Fi
Configuration
Selection and
Determination
R3R2R1
Requirements for certification
Requirements for systems and
components
Requirements for test/assessment method,
evaluating results and decision making,
monitoring regime, certification/inspection
body, competence auditors/assessors
Normative document (standard) Certification scheme
Supported by
current normative
documents
Supported by
relevant
literature
sources
Evaluation criteria
General - reference
to ISO/IEC standards
CRISP-specific
Source: CRISP project
Fig. 1: CRISP methodology

6th
www.grforum.org
INTERACTIONS WITH STAKEHOLDERS -1-
 Stakeholder analysis revealed:
o #1 benefit of certification perceived as “a seal of quality or
assurance” (85% of supply-side and 82% of demand-side
respondents)
o Positive support for one recog-
nisable European seal from supply-
and demand-side stakeholders
exists (71.4% & 54.3%, respectively)
o Strong certification schemes are
considered an addition to branding
and having the potential to increase
end user trust
Example taken from CRISP survey: Key benefits of a
EU certification scheme according to supply side
stakeholders (number of responses, 28)

6th
www.grforum.org
INTERACTIONS WITH STAKEHOLDERS -2-
 Workshop-based feedback loop
o Four scenario workshops starting in the second half of 2015
o Comprised of a wide range of external participants
o Findings were used to specify CRISP’s scope
 Workshops certification manual for the future CRISP
organization  roadmap for the implementation of CRISP
was developed
 Roadmap validation workshop  Further specification of
the scope and stronger alignment with Europe’s General
Data Protection Regulation (GDPR) was

6th
www.grforum.org
NEXT STEPS
 Roadmap for the
implementation of the CRISP
scheme will soon be available
at: http://crispproject.eu/
research-reports
o Describes all future CRISP
activities in detail
 Next step: developing a CEN
workshop agreement on
CRISP methodology for the
evaluation of security systems
(working title)

6th
www.grforum.org
ADDED VALUE FOR INTEGRATIVE RISK
MANAGEMENT AND URBAN RESILIENCE
 Benefit for urban management by:
 Addressing the need for protection, trust and privacy
 Responding to the “redefinition of urban policies in economic
terms” (Webster, et al. 2012)
 Two aspects of CRISP are directly relevant in this context:
 Increasing citizen trust and confidence in security systems
 Providing protection efficiently
 Various indirect added-value benefits to risk managers
 CRISP’s intensive interaction with stakeholders can be seen as
an important factor for success

6th
www.grforum.org
CONCLUSION
 Challenge: longstanding tension and trade-off between
effective security systems and the protection of fundamental
rights
 Strong and effective agreements, guidelines and frameworks
can mitigate the impact and ease citizen concerns, as well as
respond to economic pressures
 CRISP develops a rigorous certification process that protects
the right to:
 Non-discrimination
 Presumption of
 innocence
 Moreover, efficiency goals will be considered

Bodily integrity
Personal privacy

6th
www.grforum.org
REFERENCES
• Article 29 DPG [Article 29 Data protection group] (2007). Opinion 1/2007 on the Green Paper on Detection Technologies in the Work of Law Enforcement,
Customs and other Security Authorities. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp129_en.pdf.
• Duttona, W., Guerrab, G. A., Zizzoc, D. J. and Peltua, M. (2005). The cyber trust tension in E-government: Information Polity, 10, pp. 13-23.
• ENISA (2012). Introduction to Return on Security Investment. Helping CERTs assessing the cost of (lack of) security,
https://www.enisa.europa.eu/publications/introduction-to-return-on-security-investment.
• European Commission (2011). Programming Mandate Addressed to CEN, CENELEC and ETSI to Establish Security Standards, M/487, s.l.: 2 s.n.
• European Union (2000). Charter of Fundamental Rights of the European Union. Official Journal of the European Communities, OJ C 364/01 (18.12.2001).
• Garrinson, W. L. and Levinson, D. M. (2014). The Transportation Experience: Policy, Planning, and Deployment. Oxford University Press.
• Hempel, L., Hirschmann, N., Haponava, T., von Laufenberg, R., Wurster, S., Sveinsdottir, T., de Hert, P. and Kamara, I. (2015). Validated CRISP Methodology,
Deliverable 5.1 of the CRISP Project. 30 October 2015.
• Hempel, L., Hirschmann, N., Haponava, T., von Laufenberg, R., Wurster, S., Wadhwa, K., Sveinsdottir, T., de Hert, P., Kamara, I., Pauner, C., Viguri, J., García,
R., Burnik, J. (2016). Report on the scenario-based workshops and the refinement of the CRISP Methodology, Deliverable 5.2 of the CRISP Project. 1
February 2016.
• Hempel, L. and Toepfer, E., CCTV in Europe. Final Report of the EC-funded project Urban Eye. http://www.urbaneye.net/results/ue_wp15.pdf.
• Hildebrandt, M. (2013). Balance or Trade-off? Online Security Technologies and Fundamental Rights. Philosophy & Technology, 26 (4), pp 357–379.
• ISO (2007). ISO 14971:2007, Medical devices -- Application of risk management to medical devices.
• ISO (2009). ISO 31000:2009, Risk management – Principles and guidelines.
• Kamara, I., de Hert, P., Tanas, A., Konstantinou, I., van Brakel, R., Pauner, C., Viguri, J., Rallo, A., García, R., Fritz, F., von Laufenberg, R., Kalan, E., Burnik, J.
(2015). Legal Analysis of existing schemes, Deliverable D4.1 of the CRISP project. 15 February 2016.
• Labaka, L. (2013). Resilience Framework for Critical Infrastructures. Navarra University.
• OECD (2014). Guidelines for resilience systems analysis. s.l.: OECD Publishing.
• Rhett, H. and Walker, L. W. J. (2009). Signaling intrinsic service quality and value via accreditation and certification. Managing Service Quality: An
International Journal, 19(1), pp. 85-105.
• Webster, C. W. R., Töpfer, E., Klauser, F. R., Raab, C. D. [eds.] (2012). Video Surveillance, Practices and Policies in Europe. IOS Press, US.
• Wright, D. and Rodrigues, R. [eds.] (2012). A report on resilience in “democratic” surveillance societies, Deliverable D6.1 IRISS project,
http://irissproject.eu/wp-content/uploads/2014/06/D6.1-Resilience-report.pdf.
• Wurster, S., Burnik, J., Tomšič, A. et al. (2016). Final Roadmap and Implementation Plan. Deliverable D6.1 of the CRISP project. 30 June 2016.

Certified Systems to Reduce Security Risks in Modern Societies and the Contribution of the CRISP Approach, Simone WURSTER

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Certified Systems to Reduce Security Risks in Modern Societies and the Contribution of the CRISP Approach, Simone WURSTER

Similar a Certified Systems to Reduce Security Risks in Modern Societies and the Contribution of the CRISP Approach, Simone WURSTER (20)

Más de Global Risk Forum GRFDavos

Más de Global Risk Forum GRFDavos (20)

Certified Systems to Reduce Security Risks in Modern Societies and the Contribution of the CRISP Approach, Simone WURSTER