In February 2004, the Tampa Police Department faced a risk management challenge, one that required pre-event security assessments, security planning and event security management for 300,000 visitors descending on the city.
In short, Tampa was hosting the 100th anniversary of its annual Gasparilla Pirate Fest, a weeklong celebration that included events on both land and sea. Gasparilla, which amounts to $22 million in economic benefits for Tampa, is also an enormous potential headache for the TPD, relative to a possible terrorist attack or other security-based disruption.
"This year's (2004) Gasparilla was particularly eventful, as it marked the 100th anniversary of the celebration--security was of the utmost concern," says Doug Pasley, Tampa's master police chief.
Looking for help, the TPD turned to a relatively new type of risk management software application that allowed the department to secure the festival's sprawling geographic area, tried to ensure attendee protection, and considered precautions associated with the elevated risk status declared by the U.S. Department of Homeland Security at the time.
To do those things, the TPD used Site Profiler, a Web-based software application from Digital Sandbox, a Reston, Va., enterprise risk management software vendor.
With Site Profiler, which carries a $250,000 price tag, any user can look out over a representation of a city (or any physical asset or group of assets, for that matter) and try to get inside the mind of a terrorist.
For example, with just a few keystrokes a user can "set off" a bomb at a crowded stadium, office building or hotel--and learn about the horrific consequences. More importantly, Site Profiler can redeploy security measures to maximize the resources risk managers have to work with.
So far, outside of several federal government agencies, the software as of last year had only been used by two clients, the City of Tampa and the Port Authority of New York and New Jersey, a bistate agency.
In Tampa's case, the city obtained Site Profiler in November 2003, using it to link the police department with the mayor's office, as well as the city's strategic planning and technology departments.
Pasley says that once the data was downloaded, Site Profiler offered a three-dimensional model of Tampa, helping the TPD make decisions about where to deploy personnel.
The model included every street, bridge, waterway, park and major public building, including Tampa City Hall, Tampa General Hospital and Raymond James Stadium, home of the Tampa Bay Buccaneers football team.
TRISTATE PUBLIC AGENCY SIGNS ON
For the Port Authority of New York and New Jersey, the challenges are especially daunting because of the scope of the responsibility of its infrastructure.
The massive agency oversees the security of three major airports, a network of interstate tunnels and bridges, a complex rail system and many other commercial and industrial properties, as well as a 1,400-person police force with law enforcement powers in two states.
The Port Authority sought an affordable way to help it identify risks in an atmosphere of changing conditions so they could prioritize, respond in real time and share information while enabling their internal teams to polish decision-making skills.
According to Digital Sandbox CEO Bryan Ware, all of the Port Authority's security service providers are being required to use Site Profiler to help leverage information across the network.
Ware adds that Tampa and the Port Authority are hardly alone in trying to get a handle on the many scenarios resulting from a terrorist attack. He says many state and local governments also have assessed their security needs and have come to the realization that existing budgets account for a small fraction of the actual resources needed to effectively manage the risks.
In addition, Ware says, as the number and scale of the risks increase, so do accountability and expectations for public-sector preparedness.
"These entities are challenged with solving a variety of risk management problems," Ware says. "Governments are faced with restricted budgets and resources, excessive amounts of data, interoperability, and exhaustive risk planning demands."
Ware claims that Site Profiler is the first application of its type whose technology is not based on traditional actuarial and statistical databases.
"Site Profiler is geared to areas of risk where there is not a lot of historical data," he says. "As it turned out, terrorism and security are the best new market for it."
What Site Profiler does is assess every asset entered into its database, including the people involved. Then the software develops metrics that can help users prioritize potential threats, Ware says.
James McDonnell, vice president and chief information and security officer at USEC Inc., a Bethesda, Md.-based supplier of enriched uranium fuel for commercial nuclear power plants, is a former Site Profiler user when he served as head of infrastructure protective security for the Department of Homeland Security.
McDonnell says his main challenge was taking a look at the entire nation, determining what was at risk and what required the most protection.
Those potential terrorist targets included tunnels, nuclear power plants, bridges and other high-risk structures and properties.
"We had a $300 million budget, which sounds like a lot, but it really isn't considering the size of our country," McDonnell says. "We looked to the Digital Sandbox guys to help us make sense of these things. We needed a way to go out to a couple thousand sites and roll them up to make a good assessment of how to best protect those assets."
In this case, DHS sent 2,000 compact disks to police chiefs across the nation, asking them to use Site Profiler for their locations and return the results to the DHS.
"No one had ever done it before, so it was a little bit hit and miss," McDonnell says. "But we needed to know how to make sense out of the diverse infrastructure. We wanted to understand what happens when the code goes from yellow to orange. What does that mean? Part of Site Profiler was that we were able to identify these things."
McDonnell says as far as he can tell, Digital Sandbox is the first company to create something like this for the private sector, especially one so easy to use. He expects more to follow, depending on how Site Profiler fares in its efforts to reach both risk managers of large organizations with diverse assets, as well as property and casualty insurers.
A LOSS-CONTROL TOOL
"Applications like Site Profiler are tremendous loss control tools," says McDonnell, "and Digital Sandbox's success is going to create competition." The company was working on Site Profiler before Sept. 11, 2001, but the events of that day certainly hastened the need for it.
Tom O'Brien, senior risk modeling consultant at Boston-based AIR Worldwide Corp., a catastrophe modeling firm, says he sees Site Profiler as more of a complementary product to AIR's Cat Station, rather than a competing application.
Cat Station quantifies the likelihood for an attack and the corresponding severity. Unlike Site Profiler, it doesn't provide analytical tools for adjusting security and risk management strategies.
"Risk managers might use CAT Station for a building in downtown Manhattan to determine if they are more likely vulnerable to a truck bomb, given that a truck bomb is the greatest risk, and what measures can be deployed to limit damage," he says.
"The reality of managing risk when it comes to security is that it's very difficult to understand where the return on investment will come in," says Digital Sandbox's Ware. "Of course, the best security is when nothing happens, but that makes it even harder to figure out how much money to spend."
Digital Sandbox customers have limited resources, yet have to be accountable, Ware says. Typically, those organizations either own a lot of property or are responsible for an array of assets.
Ware adds that this type of risk management is complex, and there is no right answer, but there is a decision space wherein you have to be able to measure and quantify risks based on potential terrorist attacks.
"We are trying to help risk managers find the optimal solution," he says. "It's a 'peace of mind' solution, because risk managers ultimately are accountable for decisions made and not made. When you have a system like Site Profiler to measure and quantify, you want to know you can defend that you did all the right things with all the right information."
a Philadelphia-based writer, is a frequent contributor to Risk & Insurance® on technology issues.
April 15, 2005
Copyright 2005© LRP Publications