6th International Disaster and Risk Conference IDRC 2016 Integrative Risk Management - Towards Resilient Cities. 28 August - 01 September 2016 in Davos, Switzerland
Certified Systems to Reduce Security Risks in Modern Societies and the Contribution of the CRISP Approach, Simone WURSTER
1. 6th
International Disaster and Risk Conference IDRC 2016
‘Integrative Risk Management – Towards Resilient Cities‘ • 28 Aug – 1 Sept 2016 • Davos • Switzerland
www.grforum.org
Simone Wurster, TU Berlin, Institut für Technologie und Management, Germany
Nathalie Hirschmann, TU Berlin, Center for Technology and Society, Germany
Irene Kamara, Vrije Universiteit Brussel, Belgium
Thordis Sveinsdottir, Trilateral Research Ltd., United Kingdom
Certified systems to reduce security risks in modern societies and the contribution of the CRISP approach
DUELING SOCIETAL NEEDS
A Need for Improved Security
• Security threats are evolving in both public and private environments
• Protection for critical areas is essential
o e.g. infrastructure, border security, citizens, etc.
• New security systems are constantly evolving (physical and digital)
Challenge: societal risks
Fundamental Human Rights
• Respect for private life
• Personal data protection
• Equal treatment
• Non-discrimination
• Presumption of innocence
• Due process
(see The Charter of Fundamental Rights in the European Union, article 6)
Societal challenges
• More data is collected than necessary
o Personal information is collected and shared without consent
• Negative social externalities
o examples: discrimination, mistrust
• Fundamental rights may be infringed upon
• Security systems must be high-performing, efficient and trustworthy
How to protect both implicit human rights and society?
A pan-European certification system CRISP
WHY CERTIFICATION?
Certification can help to achieve public trust via perceived:
• Accountability
• Transparency
• Comprehensive policy, systems and procedures development
(Walker and Johnson, 2009)
New instruments outside of the legal framework needed
Growing support from regulators and industry
Public trust must be gained
Organisations must be examined from a critical perspective
THE RISK MANAGEMENT CONTEXT
• Risk: “the combination of the probability of an event and its negative consequences” (OECD, 2014)
• Risk Management: “the systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling and monitoring risk” (ISO, 2007)
• Resilience: “helps to avoid the occurrence of a crisis”, reduces the magnitude of the impact of an event (Labaka, 2013)
o Core features: anticipation of vulnerabilities, threats and attacks; preparedness; prevention, detection and response; mitigation; recovery and sharing responsibility and co-operation between stakeholders (Wright and Rodrigues, 2012)
• Surveillance: a valuable tool in risk management, but produces several challenges
CCTV SYSTEMS
EVENT DRIVEN CCTV ACTIVITIES
Sources for parts of the figure: clipartkid.com, stockunlimted.com, clipartpanda.com, curseforage.com, play.google.com, clipartlord.com
CHALLENGES TO RISK MANAGEMENT
• Trade-offs between efficiency and security goals
o “Security is not usually an investment that provides profit” (ENISA, 2012)
o Security is “the enemy of efficiency” (Garrison and Levinson, 2014)
• May foster a culture of suspicion and undermine trust (Article 29 DPG, 2007)
• Vast amounts of information are collected
o This leads to decisions that influence people’s lives
• Security systems are not inherently effective
CRISP’S GOALS
CRISP’s priority is the development of an innovative methodology for evaluating and certifying security systems to:
• Increase citizen trust and confidence in security technologies
• Facilitate a more harmonised playing field via pan-European certification for security systems
• Provide protection in an efficient manner (Wurster et al., 2016)
THE CRISP METHODOLOGY
A novel approach that:
o Incorporates technical and non-technical dimensions in the evaluation stage without redefining existing technical requirements
o Integrates S-T-E-Fi dimensions (Security, Trust, Efficiency and Freedom infringement)
• Incorporates social aspects
• Protects fundamental rights
• Complies with fundamental EU laws
Fig. 1: CRISP methodology (Source: CRISP project)
[Figure labels: EVALUATION; CERTIFICATION; Configuration; Assessment; S-T-E-Fi; Audit and inspection; Review & decision; Attestation; Surveillance; Selection and Determination; R1; R2; R3; Requirements for certification; Requirements for systems and components; Requirements for test/assessment method, evaluating results and decision making, monitoring regime, certification/inspection body, competence auditors/assessors; Normative document (standard); Certification scheme; Supported by current normative documents; Supported by relevant literature sources; Evaluation criteria; General - reference to ISO/IEC standards; CRISP-specific]
INTERACTIONS WITH STAKEHOLDERS -1-
Stakeholder analysis revealed:
o #1 benefit of certification perceived as “a seal of quality or assurance” (85% of supply-side and 82% of demand-side respondents)
o Positive support for one recognisable European seal from supply- and demand-side stakeholders exists (71.4% & 54.3%, respectively)
o Strong certification schemes are considered an addition to branding and having the potential to increase end user trust
Example taken from CRISP survey: Key benefits of an EU certification scheme according to supply side stakeholders (number of responses, 28)
INTERACTIONS WITH STAKEHOLDERS -2-
• Workshop-based feedback loop
o Four scenario workshops starting in the second half of 2015
o Comprised of a wide range of external participants
o Findings were used to specify CRISP’s scope
• Workshops certification manual for the future CRISP organization roadmap for the implementation of CRISP was developed
• Roadmap validation workshop Further specification of the scope and stronger alignment with Europe’s General Data Protection Regulation (GDPR) was
NEXT STEPS
• Roadmap for the implementation of the CRISP scheme will soon be available at: http://crispproject.eu/research-reports
o Describes all future CRISP activities in detail
• Next step: developing a CEN workshop agreement on CRISP methodology for the evaluation of security systems (working title)
ADDED VALUE FOR INTEGRATIVE RISK MANAGEMENT AND URBAN RESILIENCE
Benefit for urban management by:
• Addressing the need for protection, trust and privacy
• Responding to the “redefinition of urban policies in economic terms” (Webster, et al. 2012)
Two aspects of CRISP are directly relevant in this context:
• Increasing citizen trust and confidence in security systems
• Providing protection efficiently
Various indirect added-value benefits to risk managers
CRISP’s intensive interaction with stakeholders can be seen as an important factor for success
CONCLUSION
• Challenge: longstanding tension and trade-off between effective security systems and the protection of fundamental rights
• Strong and effective agreements, guidelines and frameworks can mitigate the impact and ease citizen concerns, as well as respond to economic pressures
• CRISP develops a rigorous certification process that protects the right to:
o Non-discrimination
o Presumption of innocence
o Bodily integrity
o Personal privacy
• Moreover, efficiency goals will be considered
REFERENCES
• Article 29 DPG [Article 29 Data protection group] (2007). Opinion 1/2007 on the Green Paper on Detection Technologies in the Work of Law Enforcement, Customs and other Security Authorities. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp129_en.pdf.
• Dutton, W., Guerra, G. A., Zizzo, D. J. and Peltu, M. (2005). The cyber trust tension in E-government: Information Polity, 10, pp. 13-23.
• ENISA (2012). Introduction to Return on Security Investment. Helping CERTs assessing the cost of (lack of) security, https://www.enisa.europa.eu/publications/introduction-to-return-on-security-investment.
• European Commission (2011). Programming Mandate Addressed to CEN, CENELEC and ETSI to Establish Security Standards, M/487, s.l.: 2 s.n.
• European Union (2000). Charter of Fundamental Rights of the European Union. Official Journal of the European Communities, OJ C 364/01 (18.12.2001).
• Garrison, W. L. and Levinson, D. M. (2014). The Transportation Experience: Policy, Planning, and Deployment. Oxford University Press.
• Hempel, L., Hirschmann, N., Haponava, T., von Laufenberg, R., Wurster, S., Sveinsdottir, T., de Hert, P. and Kamara, I. (2015). Validated CRISP Methodology, Deliverable 5.1 of the CRISP Project. 30 October 2015.
• Hempel, L., Hirschmann, N., Haponava, T., von Laufenberg, R., Wurster, S., Wadhwa, K., Sveinsdottir, T., de Hert, P., Kamara, I., Pauner, C., Viguri, J., García, R., Burnik, J. (2016). Report on the scenario-based workshops and the refinement of the CRISP Methodology, Deliverable 5.2 of the CRISP Project. 1 February 2016.
• Hempel, L. and Toepfer, E., CCTV in Europe. Final Report of the EC-funded project Urban Eye. http://www.urbaneye.net/results/ue_wp15.pdf.
• Hildebrandt, M. (2013). Balance or Trade-off? Online Security Technologies and Fundamental Rights. Philosophy & Technology, 26 (4), pp. 357–379.
• ISO (2007). ISO 14971:2007, Medical devices -- Application of risk management to medical devices.
• ISO (2009). ISO 31000:2009, Risk management – Principles and guidelines.
• Kamara, I., de Hert, P., Tanas, A., Konstantinou, I., van Brakel, R., Pauner, C., Viguri, J., Rallo, A., García, R., Fritz, F., von Laufenberg, R., Kalan, E., Burnik, J. (2015). Legal Analysis of existing schemes, Deliverable D4.1 of the CRISP project. 15 February 2016.
• Labaka, L. (2013). Resilience Framework for Critical Infrastructures. Navarra University.
• OECD (2014). Guidelines for resilience systems analysis. s.l.: OECD Publishing.
• Rhett, H. and Walker, L. W. J. (2009). Signaling intrinsic service quality and value via accreditation and certification. Managing Service Quality: An International Journal, 19(1), pp. 85-105.
• Webster, C. W. R., Töpfer, E., Klauser, F. R., Raab, C. D. [eds.] (2012). Video Surveillance, Practices and Policies in Europe. IOS Press, US.
• Wright, D. and Rodrigues, R. [eds.] (2012). A report on resilience in “democratic” surveillance societies, Deliverable D6.1 IRISS project, http://irissproject.eu/wp-content/uploads/2014/06/D6.1-Resilience-report.pdf.
• Wurster, S., Burnik, J., Tomšič, A. et al. (2016). Final Roadmap and Implementation Plan. Deliverable D6.1 of the CRISP project. 30 June 2016.