This article discusses a study in which morphological analysis was used in order to create a framework that would proactively assess the rest of a terrorist attack on an air transportation system (ATS). The goal of morphological analysis is to create possible attack scenarios and the likelihood of those scenarios. In this example, profiles of various terror organizations were developed and outlined so that a specific assessment of high-risk scenarios was able to be made. If this method was used by defensive organizations, then they would be capable of quickly assessing the risks of the various terrorist attack scenarios and be able to protect air transportation systems more effectively. This is a very practical example as the commercial aviation system continues to be a very critical part of infrastructure, gets a lot of attention from the media when something occurs, and continues to be a high risk target for terrorist attacks.
This article also discusses the background of risk management and assessment. According to this article, risk is "the combination of the likelihood of a given event and the consequence or associated outcome of that event if it occurs." When the risk has been characterized and evaluated, then the next step is the mitigation of that risk. The combination of risk assessment and risk mitigation is known as risk management. Risk assessment is when the risk is modeled and quantified by estimating values for risk parameters.
When the risk was assessed in this case, it was determined as a product of probability and a consequence scalar index, then identified within a risk-level matrix that is depicted in the article. This event impact is categorized as low, medium, or high, with corresponding scalar values of 10, 50, and 100. In addition, the low, medium, and high likelihood events are modeled via probability values of 0.1, 0.5, and 1.0. For this example, the values for high risk events scored above 50, the medium risk events scored between 10 and 50, and low risk events scored below 10.
To study the vulnerabilities of the ATS in this example, the system's architecture was explored from a purely operational perspective which means that the only important elements were the ones directly involved in the architecture (i.e. control tower of the airport and the airport itself).In order to do this, morphological analysis was used. What the morphological approach allows analysts to do is to break down the potential attacks into their key components, examine and identify the combinatorial rules between them, and search for specific attacks that would reveal those vulnerabilities. The first step to do this in this specific example was to define an attack model that featured the key elements. In the model, the target is the parts of the ATS that will be primarily affected (i.e. aircraft or parts of an airport), and the tactical objective defines the impact or effect caused by the attacker. There were two limitations in the study however: the model couldn't capture ulterior motives or higher level objectives by the attackers.
Based on the morphological field that was created by the authors, there were 5,040 different attack scenarios that were created and 1,172 of them were internally consistent. Something to keep in mind with this example, however, is that the authors of this study are not experts on ATS security, so the values and results are notional and meant just for the demonstration of this method. When the results were generated, it was found that explosives are a high-risk weapon, weapons transported in a ground vehicle or in garments or carry-on luggage were particularly interesting, and people who use airports are high-risk targets in comparison to other assets. Because of this, it seems that no single particular area of focus exists and that points of entry in areas that are more accessible and closer to passengers are at a much higher risk.
The results say that the use of morphological analysis was helpful overall. They specifically say that top-level and tactical attack models provide general applicability and show a wide range of scenarios and sensitive security information can be avoided. The fact that the results could be visually represented was also a plus since the authors say that it's vital for adequate assessment and evaluation of potential risks. It was also helpful because the attacker profiles mapped to data filters allowed the generic attack data set to be characterized and refined which then allowed a defense approach tailored to what the entities of interest were.
Overall, I thought this article was beneficial and interesting. In intelligence analysis I can definitely see the value of using a method such as morphological analysis because scenarios are created and then different aspects of them are weighted which isn't an option with some methods. In this particular example, however, there seemed to be a few critiques that could be made which are the fact that the authors who conducted the study were not experts on ATS security which could have affected the scenarios that they were able to come up with and the fact that this method seems to be most useful for tactical analysis. It did provide a good example of a morphological analysis though, so I think it is worth the read.