International Journal
on Marine Navigation
and Safety of Sea Transportation
Volume 5
Number 4
December 2011
417
1 INTRODUCTION
Since the terrorist attacks of 11th September 2001
security has become increasingly important on a
world-wide scale and the possibility of terrorist at-
tacks against seagoing ships came to the fore as
well. Consequences of such events are immense. A
sudden loss of a large number of human lives, de-
struction of material assets, environmental damages,
significant disruptions of transport streams and a
possible loss of confidence in maritime infrastruc-
tures can be mentioned in this context.
In order to take preventive actions against terror-
istic attacks, the ISPS Code (International Ship and
Port Facility Security Code) was introduced in 2004
(Regulation (EC) No 725/2004) due to the efforts of
the International Maritime Organization (IMO).
However, the prescribed security management needs
further adaptations and optimization. Against this
background, the collaborative project VESPER (im-
proving the security of passengers on ferries) was in-
troduced, which is funded by the German Federal
Ministry of Education and Research (BMBF). The
project addresses the problem of terrorist threats in
the maritime domain. The focus is on ferries and
passenger ships operating on international routes,
especially regarding roll-on roll-off processes, i.e.
cargo stevedored via lorries and trains.
The purpose of the collaborative project VESPER
is to systematically review the current security
standard and to improve hazard prevention measures
for ferries. The focus is on security during the access
to the ships as well as on the shipboard and seaward
measures. To guarantee security standards, there are
several originated positions required by the ISPS-
Code, including a Ship Security Officer (SSO) and a
Port Facility Security Officer (PFSO), which are re-
sponsible for identifying threats to the ship or port
security, recognizing their significance, and respond-
ing to them. Among other intentions the emphasis of
VESPER is on optimization of handling processes,
(especially a support for the implementation of
measures for different security levels). This includes
the introduction of aids for decision making in a cri-
sis in order to minimize risks.
Within the framework of VESPER, a new model-
ing technique to support SSOs and PFSOs was de-
veloped, which is described in this contribution.
Security Modeling Technique: Visualizing
Information of Security Plans
D. Ley & E. Dalinger
Fraunhofer Institute for Communication, Information Processing and Ergonomics FKIE,
Wachtberg, Germany
ABSTRACT: Since the terrorist attacks of 11th September 2001 efforts are made to enhance the security
standards in maritime shipping. The joint research project VESPER (improving the security of passengers on
ferries) funded by the German Federal Ministry of Education and Research (BMBF) addresses among others
the investigation of sea- and landside measures and processes. One of the results of the ongoing analysis
phase is that the current representation of information in security plans can hardly be used for a complete real-
time implementation of relevant measures in critical situations. As a result, information and design require-
ments to develop a Security Modeling Technique (SMT) were identified using the Applied Cognitive Work
Analysis (ACWA). SMT intends to support decision making of security officers during the implementation of
security levels. This contribution describes the phases of development and the resulting design concept.
418
First, the problem of handling changes of security
levels is described (chapter 2). Subsequently, a
method for the design of complex systems to support
effective decision making, the Applied Cognitive
Work Analysis (ACWA), is introduced (chapter 3).
The application of ACWA to the described work
domain and the consequential outcome, the Security
Modeling Technique (SMT), which supports securi-
ty officers in changing security level, is described
(chapter 4). Finally, results are summarized and an
outlook to future work is given (chapter 5).
2 PROBLEM FORMULATION
For the purpose of analyzing and optimizing security
relevant processes valid process and communication
models must be constructed. So, plenty data acquisi-
tion methods have been conducted, as observations,
exercise participations and interviews and discus-
sions with experts like security officers, designated
authorities, port operators, water police officers and
finally document analyses like examinations of ship
and port facility security plans.
In security plans measures and other information
are defined for three different security levels,
whereby level one is the level conducted by default.
In case of a security relevant event, measures must
be preventively intensified or added to a higher se-
curity level. Security officers are responsible for a
proper and prompt initiation of such security level
changes. The analysis of collected data showed that
the current presentation of information in security
plans relevant for a security level change was not
suitable for a prompt and complete implementation
of relevant measures in security-critical situations.
Measures and information for the three defined secu-
rity levels are mostly listed in wide and confusing
tables and continuous texts in several text passages
of a security plan.
Such a presentation of information does not per-
mit to operate efficiently. This weak point has been
confirmed by experts in subsequent discussions and
by the data analysis of the accompanied exercise.
Hence, a demand for an optimized information
representation and therefore information manage-
ment has been identified. This should support securi-
ty officers in making decisions. For this purpose a
concept of a new modeling technique has been de-
veloped based on the Applied Cognitive Work
Analysis (ACWA), which is introduced in the fol-
lowing part.
3 METHODICAL APPROACH
In order to develop a modeling technique for a sup-
port of decision making processes of security offic-
ers, first, an analysis of the work domain must be
performed. The traditional task analysis methods fo-
cus on what operators do and what tasks must be ful-
filled and provide descriptions of task sequences
(Annett, 2004; Kirwan and Ainsworth, 1992). To
account for factors like unanticipated events, dynam-
ic changes of the situation, and real-time reactions to
these changes, methods are required, which examine
human cognitive processes. Cognitive Systems En-
gineering (CSE) is a design framework which focus-
es on analysis of cognitive demands in order to iden-
tify cognitive processes of operators (Crandall et al.,
2006; Rasmussen et al., 1994). Methods of CSE help
to understand, how experts make decisions and why
they make certain decisions, what cues they need,
what knowledge and strategies they use. The Ap-
plied Cognitive Work Analysis (ACWA) is a CSE
approach for the analysis, design and evaluation of
complex systems and interfaces. In this paper we
discuss the application of ACWA for designing a
modeling technique.
ACWA is a methodology for the design of a user
interface for effective decision support. The process
begins with the identification of the decisions that
operators must make and ends with the identification
of visualization and decision-aiding concepts. Thus,
this methodology can be used to develop a technique
to support decision maker, which is based on effec-
tive information visualization.
ACWA comprises the following process steps
(Elm at al., 2003, see figure 1):
− Development of a Functional Abstraction Net-
work (FAN) – a model to represent the functional
relationships between the work domain elements
− Identification of cognitive demands which arise
in the domain and need support – Cognitive Work
Requirements (CWR) or decision requirements
− Identification of the Information/Relationship
Requirements (IRR) for effective decision-
making
− Definition of a relationship between the decision
requirements and visualization concepts (how the
information needs to be represented) – Represen-
tation Design Requirements (RDR)
− Implementation of representation requirements
into a powerful visualization of the domain con-
text – Presentation Design Concepts (PDC)
419
Figure 1. Iterative steps of the Applied Cognitive Work Analy-
sis (ACWA).
The ACWA begins with a FAN which is a func-
tion-based goal-means decomposition of the domain,
based on Rasmussen’s representation formalism for
a work domain – an abstraction hierarchy (Rasmus-
sen, 1985), which describes human information pro-
cessing. With ascending in the hierarchy the under-
standing for goals to achieve rises. Moving to deeper
levels reveals a better understanding for the system’s
functions with a view to achievement of these goals.
The FAN is a multi-level representation of the work
domain. Each node in the network represents a goal,
links represent support. Each goal has a process
providing a description how to achieve this goal.
Processes define supporting functions for achieving
the goals in the hierarchal level above.
The FAN provides the basis for the definition of
CWR or decision requirements. The CWR help to
gain understanding of the goals in the work domain
and enhance the decision-centred perspective. The
decision requirements are to be defined for each goal
node in the FAN. This ensures an understanding
what decisions are to be made to achieve the goals.
Next step is to identify required information for
each decision. Factors, which are essential for deci-
sion making, are identified with the CWR and there-
fore the context for information requirements is pro-
vided. Decision making is based upon the
interpretation of information. Incorrect or incom-
plete information leads to wrong decisions.
Hence, the way of information presentation is
very important. Appropriate information visualiza-
tion can improve information processing and thus
the process of decision making. The next step is to
develop the decision-aiding concepts on the basis of
the information requirements taking into account
human perception and cognition. Display concepts
which support the cognitive tasks through an appro-
priate visualization should be developed. At this step
several different design concepts may be generated.
These design concepts are still requirements and not
an implementation.
The developed visualization concepts provide hy-
potheses about effective decision support. The next
step is the development of a prototype to evaluate
the effectiveness of the new system. The prototype
can help to identify additional decision and infor-
mation requirements for decision support which
have been missing in the first steps. Thus, the
ACWA approach is an iterative process (see figure
1), which leads in several steps from the analysis of
the demands of the work domain to the identification
of effective decision-aiding visualizations.
4 APPLYING ACWA
Subsequent it is described how the ACWA approach
can be applied to determine design requirements for
a security modeling technique. To gain understand-
ing of the domain of maritime security diverse
knowledge elicitation techniques have been used.
Relevant documents, such as the ISPS Code, ship
security plans and safety management handbooks for
ships have been reviewed, interviews with masters
and security officers on board of ferries have been
conducted.
4.1 Functional Abstraction Network (FAN)
Based on collected information a FAN, which is the
first step of ACWA (Figure 1), has been generated.
The rectangles (Figure 2) represent goals, which are
organized hierarchically, links represent supporting
connections from lower-level goals to higher-level
goals. The achievement of goals is described
through processes (not represented in the figure).
Figure 2. Functional Abstraction Network (FAN)
Presentation
Design
Concepts
Cognitive
Work
Requirements
Information /
Relationship
Requirements
Representation
Design
Requirements
Functional
Abstraction
Network
2
1
5
43
G7: Manage
information
about measures
G4: Observe the
progression of
the execution
G3: Implement
measures
G1: Successfully implement
security measures
G2: Identify
relevant
measures
G9: Identify area of interest for
implementation of measures
G5: Make adjustments
to measures
G8: Successfully
manage resources
G6: Maintain
communication
420
Table 1. Exemplary requirements for goals 7 to 9
__________________________________________________________________________________________________________
Goal CWR IRR RDR
__________________________________________________________________________________________________________
G7 - Choose necessary - Indicate security levels Represent security level I in green colour
information on measures - Indicate means/tools Represent security level II in yellow color
- Search for additional - Indicate allocation of means/tools Represent security level II in red color
information concerning to measures in different security …
measures levels
- Recognize passenger - Indicate comments
procedures - Indicate belonging of comments
- … - …
G8 - Select operator necessary - Assignment of operators to measures - Integrate operator labels in measure shapes
to fulfill tasks - Necessary means/tools - Separated representation of means/tools
- Allocate operator to area - Assignment of technical resources - Connection of technical resources with
- Select technical resources to measures appropriate measures of a security level
necessary to fulfill tasks - … - …
- Allocate technical resources
necessary to fulfill tasks
G9 - Choose relevant areas for - Information about the kind of areas - Represent ships with abstracted contour
c
onducting measures (ships, port facilities, sub-areas, - Represent port facilities with
- … restricted areas, permitted areas) abstracted contour
and their locations
- Caption of areas
__________________________________________________________________________________________________________
Figure 3. Exemplary SMT model of a ferry ship (numbered components are described in 4.5)
The overall goal is to successfully implement se-
curity measures from a ship security plan. For ex-
ample, this goal can be described as a process as fol-
lows: Initial situation is a declared change of a
security level. This induces the responsible security
officer to find appropriate measures for a level
change. Next, these measures have to be initiated
accordingly. In the further process step the accom-
plishment of measures has to be controlled until all
relevant measures are implemented. The overall goal
of implementing security measures is supported by
subordinated goals (with corresponding process de-
scriptions). Their goals are described below.
Information about measures has to be managed,
which is a supporting goal for the measure adjust-
ments as well as the identification of relevant
measures. Communication plays an important role in
gaining and forwarding information. One needs to
provide the information of the incident to responsi-
ble personnel on board and receive the responses.
Maintenance of communication supports the im-
plementation and observation of execution of
measures. On the other hand communication
maintenance and implementation of measures are
achieved through a successful management of re-
sources. Before the initiation of countermeasures it
is essential to determine whether the resources (in-
cluding personnel and equipment) necessary to ful-
fill the measures are available or adequate. Finally,
the identification of the area of interest is necessary
for the implementation of measures, supporting the
identification of relevant measures and the manage-
ment of information as well as resources.
421
4.2 Cognitive Work Requirements (CWR)
The developed FAN is the basis for the definition of
Cognitive Work Requirements (CWR) respectively
decision requirements. Cognitive Work Require-
ments refer to the goals in the FAN. They enable
comprehension of what decisions are to be made to
reach the defined goals. By this means, CWR help to
develop a decision-centered perspective. In the se-
cond column of Table 1 CWR are listed for the goals
G7, G8 and G9 of the FAN (Figure 2). For example,
for the goal “Successfully manage resources” (G8)
an operator and technical resources have to be se-
lected. In addition the operator and the technical re-
sources have to be allocated to the relevant area.
4.3 Information/Relationship Requirements (IRR)
Decision making is based on interpretation of infor-
mation. Incorrect or incomplete information leads to
incorrect decisions. Thus, the next step of ACWA is
to identify information necessary to come to deci-
sions. In the third column of Table 1 infor-
mation/relationship requirements are listed with ref-
erence to the CWR. For example, the goal “Choose
relevant areas for conducting measures” (G9) re-
quires to provide information about the kind of areas
(e.g. ships and ports), as well as caption of areas.
4.4 Representing Design Requirements (RDR)
Next, representing design requirements (RDR) based
on the IRR are defined, constituting first design ide-
as for an effective decision making support. The
kind of information representation is of great signifi-
cance since an adequate visualization of information
can improve human information processing and with
that the process of decision making. In the right col-
umn of table 1 RDR are listed. For example, the in-
dication of security levels is implemented in terms
of the colours green, yellow and red in order to fulfil
G7: “Manage information about measures”.
4.5 Presentation Design Concepts (PDC)
The next step of the ACWA method involves a draft
of a presentation design concept and its prototypical
implementation. Since ACWA is an iterative ap-
proach a prototype enables the developer to define
additional requirements for the next iteration not
identified in the previous one. A prototype is cur-
rently under development. Below, the presentation
design concepts are introduced.
Basically, the SMT consists of five modeling cat-
egories integrated in one complex model: Modeling
of areas, security levels, measures, processes and
communication. In order to simplify the application
of SMT, the quantity of components has been mini-
mized. Figure 3 shows a SMT model of a ferry ship,
representing information of a ship security plan.
Such a model, including interfaces to adjacent port
areas, allows the responsible ship security officer to
get an overview of all relevant measures and adjoin-
ing information for a change of a security level. In
the following we will explain the five modeling cat-
egories, mentioned above (numbers correspond to
figure 3).
Modeling of areas: Fundamental to a SMT model
is a modeling of areas corresponding to the real spa-
tial conditions. Basically, there are shapes represent-
ing ships and port facilities (1) as well as shapes rep-
resenting their corresponding sub-areas, namely
restricted (grey) and permitted (white) areas (2). By
this means, the categorization of areas concerning
access authorizations is immediately evident as well
as the search for location-dependent information is
simplified. Particularly, the interface between ship
and port which has been neglected so far, can now
be taken into account by the use of the concept of
area modeling.
Modeling of security levels: Each measure is al-
located to one of three defined security levels. To
find measures and further information for a specific
security level, an intuitive and differentiating illus-
tration is needed. Therefore, information related to
security level one is coded green, to security level
two yellow and to security level three red. Addition-
ally, security levels are identifiable through Roman
numerals. Apart from measures, also contact points
and resources are modeled depending security lev-
els. See Figure 4 for an activity shape representing
the security levels.
Figure 4: Activity shape
Modeling of measures: Measures are modeled in
activity shapes for a certain area or the access of an
area (3). An activity shape is structured in the fol-
lowing way (see Figure 4). At the top left is a label
for the area for which the measures have to be ap-
plied. At the top right a responsible operator can be
named. Apart from that the shape is divided into
three colored sections listing the measures for the
three security levels. Thereby, measures of higher
levels substitute those of lower levels, visualized
through the integration of lower level fields into
III
II
I
q Activity/ies in Level I
q Activity
/ies in Level II
q Activity
/ies in Level III
A Activity
Operator
II Security-Personal
Operator
Location
Activity/ies in Level I
Activity/ies in Level I
Activity/ies in Level I
III
II
I
q Activity/ies in Level I
q Activity
/ies in Level II
q Activity
/ies in Level III
A Activity
Operator
II Security-Personal
Operator
Location
Activity/ies in Level I
Activity/ies in Level I
Activity/ies in Level I
422
higher ones. Checkboxes in front of each measure
allow the marking of implemented measures.
Specific tools, equipment or additional personnel
are partially necessary for a successful implementa-
tion of measures. To visualize the demand for such
resources, a resource shape (4) is added to the corre-
sponding measure (see resource shape for security
level II in figure 4). By this means a resource man-
agement is maintained so that available resources
can be found and allocated situation-dependently.
Process modeling: In most cases access controls
for different passenger categories must be conducted
in a predefined manner. In case of an occurrence of
such structured procedures, concerned activity
shapes can be connected by control flows and thus
represent processes (5). By modeling processes the
security officer deploying the model is able to quick-
ly identify measures in chronological order and may
coordinate involved measures according to the par-
ticular situation. Beginning and ending of a process
are represented through distinct circles.
Communication modeling: Communication be-
tween different points is a condition for a successful
implementation of measures and coordination of re-
sources. Hence, given communication and infor-
mation paths between appropriate contact points
must be presented in SMT models. This is realized
through contact point shapes and corresponding in-
formation flows (6).
Furthermore, there are additional components like
a shape for the insertion of explanations (7) and a
shape for a clustering of content-related components
for clarity improvement (8).
5 SUMMARY AND FUTURE WORK
The Applied Cognitive Work Analysis (ACWA;
Elm et al., 2003) is a Cognitive Systems Engineering
(CSE) method which closes the gap between cogni-
tive analysis and design existing in other methods.
ACWA has been applied in the project VESPER to
get a functional model of the maritime work domain
of security officers. Hence, cognitive and infor-
mation demands have been identified. Out of these
demands visualization and design requirements have
been derived. These previous steps provided the ba-
sis for the development of a presentation design
concept of the security modeling technique. This
technique, called ‘SMT’, enables security officers to
create models of ships and port facilities. These
models, used as a computer-based tool or as a large-
format poster, support them in making decisions
during the implementation of measures and the man-
agement of resources in the context of a security
level change. Emphasis of SMT is a suitable repre-
sentation of security plan information. It illustrates
spatial conditions, communication, processes and ar-
ea-specific measures in an integrated manner and al-
so distinguishes the three defined security levels.
To ensure a user-friendly development of SMT
models by ship, company and port facility security
officers but also officers of designated authorities,
an SMT editor is currently under development with-
in the iterative development process of ACWA. The
editor will also contain control functions, e.g. to
guarantee the completeness of modeling measures.
The concept of SMT has been developed in close
collaboration with experts in the field of maritime
security (e.g. masters, security officers, ship compa-
nies, officers of designated authorities). Also the
SMT editor will be evaluated and improved in inten-
sive cooperation with these experts.
Moreover, the application of SMT and the editor
shall not be limited to ferry shipping. Therefore, the
concept has to be tailored to the entire international
shipping. Feedback of involved experts of the mari-
time security domain, including representatives of
German designated authorities and delegates of the
European Commission, shows a concordant en-
dorsement of the use of SMT models.
REFERENCES
Annett, J. 2004. Hierarchical Task Analysis. In D. Diaper & N.
Stanton (eds.), The Handbook of Task Analysis for Human-
Computer Interaction: 67-82. Mahwah, New Jersey: Erl-
baum.
Crandall, B., Klein, G. & Hoffman, R.R. 2006. Working
Minds: A Practitioner’s Guide to Cognitive Task Analysis.
Cambridge, MA: MIT Press.
Dalinger, E. & Motz, F. 2010. Designing a decision support
system for maritime security incident response. In O. Tu-
ran, J. Boss, J. Stark, J.L. Colwell (eds). Proceedings of In-
ternational Conference on Human Performance at Sea.
Elm, W., Potter, S., Gualtieri, J., Roth, E. & Easter, J. 2003.
Applied cognitive work analysis: a pragmatic methodology
for designing revolutionary cognitive affordances. In E.
Hollnagel (ed.), Handbook for Cognitive Task Design,
London: Lawrence Erlbaum Associates.
Kirwan, B. & Ainsworth, L. K. 1992. A Guide to Task Analy-
sis. London: Taylor & Francis.
Rasmussen, J., Pejtersen, A.M. & Goodstein, L.P. 1994: Cog-
nitive Systems Engineering. New York: Wiley.
Rasmussen, J. 1985. The Role of Hierarchical Knowledge Rep-
resentation in Decisionmaking and System Management.
IEEE Transactions on Systems, Man, and Cybernetics.
SMC-15 (2): 234-243.
Regulation (EC) No 725/2004 of the European Parliament and
of the Council of 31 March 2004 on enhancing ship and
port facility security’. Official Journal L 129 of 29.04.2004.
