Current approaches to nuclear security are best described by the International Atomic Energy Agency's guidance to develop 'risk-based physical protection systems and measures' intended to deter, detect, delay, respond and (if necessary) mitigate malicious acts regarding nuclear materials. These approaches can produce elegantly designed physical protections systems that may be limited by untenable assumptions (for mathematical tractability) or well stated descriptions of desired behaviors that rely on vague, imprecise notions of security-improving characteristics. More to the point, noted nuclear security culture expert Dr. Igor Khripunov noted a lack of guidance on "assessing the human factor in detection, delay and response." But no one has yet figured out a way to understand specifically how organizational and human factors might influence PPS effectiveness. This conference paper summarizes recent research exploring and developing a framework that evaluates system-level interactions between the technical nuclear security systems and human/organizational behaviors to determine overall security performance. Technical systems encompasses both the PPS and physical infrastructure on which it sits and is described by the traditional system effectiveness measure. Similarly, human/ organizational behaviors include formal (e.g., official roles and responsibilities) and informal aspects (e.g., networks of information flow and internal power dynamics) that are manifested in security procedures and concepts of operations (CONOPs). The Systems-Theoretic Framework for Security (STFS) uses security task completion to explain how human behavior is required to enact the technical system--and the technical system is necessary to guide human behavior--to achieve desired levels of security performance. This interaction is based on the logic that the adequate completion of security tasks, defined as performance specifications based on the PPS design, is required to achieve desired levels of security performance. STFS, then, argues that desired security performance is achieved when the PPS, human/organizational behaviors and their interactions support the validity of such performance requirements to enable adequate security task completion. Further, STFS aids in identifying where organizational influences on security task completion may be varying enough from what the technical system designers expected to undermine the assumptions on which they based their estimates of system performance.
展开▼