In Depth

TSA's Risk-based Approach to Security

George Naccara is betting that the lift of his risk-based reforms will overcome the drag of politics and bureaucracy. And the test bed for these innovations is Boston's Logan Airport.

By Scott Berinato

And there's a general grant of permission to invent. Anthony Ventresca, one of several Logan veterans who came over to TSA from the airlines, was in the supermarket one day and noticed how several checkout lanes were earmarked for different numbers of items (seven or fewer, 11 or fewer, and so on). It seemed to him awfully specific. Eventually, he learned that supermarkets use throughput analysis to configure their checkout lanes. Wouldn't that work at security checkpoints in airport terminals, Ventresca wondered. Naccara says he told Ventresca what he tells any TSA person looking to try something out: "Go for it. I can't really give you any money or people, but give it a shot."

So Ventresca built a software program on top of a spreadsheet to collect data from the terminals' security checkpoints. Because of it, TSA at Logan has shifted from guessing at passenger loads to predicting them with remarkable accuracy. TSA Ops Center guys in Boston can predict how many people will be coming through a terminal, what types of people (business travelers, school vacationers), and the amount and type of baggage they'll have. Staffers can even predict, based on all this data, the number and type of security events to expect at any given terminal on any given day of the year.

It's real risk analysis, the kind of thing Naccara loves. Ventresca says it's an ad hoc tool in a constant state of upgrade; it doesn't even have a name. But other airports have recently begun borrowing the software to see if they can do throughput analysis the way Logan does.

Logan has also implemented other, nontechnological innovations, such as injecting some degree of randomness into the security profile. This may sound counterintuitive, but making the profile more variable (for example, by occasionally adding canine units and semiautomatic weapons to patrols, or changing the screening process from time to time) makes the airport a less desirable target because there's no predictable pattern to break.

But the most important nontechnical security that's been added is behavioral profiling. After 9/11, Massport hired Rafi Ron, the former security director of Jerusalem's Ben Gurion airport, as a consultant to assess Logan's security and suggest improvements. A cornerstone of Ron's advice was behavioral profiling, which uses techniques long employed by the Israelis to discern potential malevolence revealed through physical tells (stiff torsos, a rapidly quivering Adam's apple or clenched fists, among others). The program teaches screeners how to detect these tells and respond to them with techniques like "walk and talks." (For Katherine Walsh's interview with Ron about his methods, see "Suspicious Minds," www.csoonline.com/020106.) Law enforcement and TSA personnel trained in the programs say that once you've learned behavioral profiling, the difference between an average nervous flyer and a suspicious one is stark. It's as if the suspicious person were dyed purple.
