The consequences of nuclear terrorism represent a grave threat to international security. The responsibility to address the risk of nuclear material theft or sabotage of nuclear facilities is shared by multiple organizations that must strategically collaborate based on their individual missions and capabilities. Stakeholder organizations share a common need to prioritize their activities based on threats, available resources, and existing security program maturity and capabilities, to develop engagement plans, and to measure their progress. Identifying milestones, measuring program performance, and communicating program impact is challenging.
However, improving security touches disparate, complex disciplines. The purpose of this paper is to propose and evaluate a methodology that will assist in selecting long-term risk reduction goals and planning improvement activities across multiple security disciplines and stakeholder organizations. The methodology proposes maturity metrics to assess and communicate performance. The methodology is extensible to any security discipline, and a cyber security example will be developed for demonstration.
Security Disciplines - A nuclear security program is composed of multiple security disciplines. These disciplines include Physical Protection, Material Control & Accounting, Cybersecurity, etc. To improve the security program, it is necessary to evaluate the disciplines individually and prioritize those areas that should have additional resources applied.
Discipline Domains - A domain is a logical grouping of common nuclear security practices that represent a core capability. For example, a core capability for a cyber security program is ASSET MANAGEMENT. A high performing cyber security program knows what hardware and software has been installed and manages those assets. Our process measures, tracks, and communicates improvement in maturity of identified domains.
Maturity Indicators - Maturity indicators are the observables that demonstrate security capability for a given domain. For each domain, there are multiple performance indicators to enable an assessment of capabilities. For example, does the site track assets? This would be one of many maturity indicators of an asset management program.
Maturity Levels - To simplify communication of goals, maturity indicators can be grouped into levels. Maturity Indicator Levels (MILs) describe a progressive step in a country's capability and/or represent a demonstrated capability that is measured by the model. The proposed model would assign to each MIL the attributes, characteristics, and indicators that represent fundamental capabilities within a domain.
Stakeholder Engagement Activities - For each domain and maturity level, multi-stakeholder actions are identified based on standards, best practices, or country-specific goals. The stakeholder engagement activities matrix has two important features:
• It can be adapted to different levels: international organizations, nation states, regulatory agencies, individual organizations, etc. It is not specific to just one organization. Rather, it proposes specific actions for all potential stakeholders, such as government and regulatory agencies, industry working groups and international organizations. This is an important feature, as it represents the breadth of potential resources and shows how organizations need to collaborate.
• It is based on the necessary maturity level specific to the security discipline and domain. This delivers action plans that are at the right level and can evolve over time as security maturity develops.
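As an added illustration of the domain / indicator / MIL / engagement-matrix structure described above (example code written for this page, not part of the paper or the DOE pilot), the following model treats MILs as cumulative, so a domain only reaches a level once every indicator at that level and all lower levels is met, and then reads the stakeholder actions for the next level out of the matrix. The ASSET MANAGEMENT indicators and stakeholder actions are constructed sample data, not taken from any published model.

```python
from dataclasses import dataclass, field


@dataclass
class Indicator:
    """One observable maturity indicator within a domain, e.g. 'site tracks assets'."""
    text: str
    mil: int          # Maturity Indicator Level this indicator belongs to
    met: bool = False


@dataclass
class Domain:
    name: str
    indicators: list                      # list of Indicator
    # stakeholder engagement matrix: MIL -> [(stakeholder, action), ...]
    activities: dict = field(default_factory=dict)


def achieved_mil(domain):
    """Highest MIL whose indicators, and those of every lower MIL, are all met.
    A gap at MIL 1 caps the domain at MIL 0 even if MIL 2 items are satisfied."""
    achieved = 0
    for lvl in sorted({i.mil for i in domain.indicators}):
        if all(i.met for i in domain.indicators if i.mil == lvl):
            achieved = lvl
        else:
            break
    return achieved


def engagement_plan(domain):
    """Target MIL, the unmet indicators blocking it, and the matrix actions for it."""
    target = achieved_mil(domain) + 1
    gaps = [i.text for i in domain.indicators if i.mil <= target and not i.met]
    return target, gaps, domain.activities.get(target, [])


def prioritize(domains):
    """Lowest-maturity domains first, so additional resources go to the weakest capability."""
    return sorted(domains, key=achieved_mil)


# Constructed sample data (hypothetical indicators and stakeholder actions).
ASSET_MGMT = Domain("ASSET MANAGEMENT", [
    Indicator("Site tracks hardware assets", 1, True),
    Indicator("Site tracks software assets", 1, True),
    Indicator("Inventory is reviewed on a defined schedule", 2, True),
    Indicator("Unauthorized assets are detected and removed", 2, False),
    Indicator("Asset inventory feeds vulnerability management", 3, True),
], {2: [("Regulator", "Require periodic inventory attestation"),
        ("Industry working group", "Share asset discovery practices")]})
ACCESS_CONTROL = Domain("ACCESS CONTROL", [
    Indicator("Accounts are uniquely assigned to individuals", 1, False),
])
```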
This method is actively being developed and piloted in the US Department of Energy International Nuclear Security program, so our paper will include an evaluation and lessons learned from the pilot: what works, what doesn't, challenges in implementation, etc.