An Introduction to the APT Theory of Security

There has been growing dissatisfaction in professional circles with current methodologies for identifying, evaluating, and managing risks, whether at the personal, corporate, national, or global level. Much of it derives from a lack of an agreed-upon body of knowledge in the security domain. Everyone talks about security and uses it as a go-to justification for policies and actions that cannot be possibly justified in any other reasonable way, but nobody seems to understand or be willing to explain what security is and, most importantly, what it is not.

As long as these issues are discussed in private or in restricted circles, it will be difficult to reach any common understanding that can lead to any constructive conversation. I have, therefore, decided to get the ball rolling and write this simple introduction to Giovanni Manunta’s APT theory, hoping to jumpstart a serious conversation that is long overdue and very much needed in the current professional, economic, social and political circumstances.

I have decided to introduce my father’s theory in a more conversational tone, leaving the formal explanation to a few references that you can find at the end of this article. I thought it would be easier to get a quick overview, and if you are interested, you can always reach out to me and see how to apply it in real-world scenarios. After almost 30 years of development in research, training, and application, I am very confident about its robustness and applicability across domains since it allows for iterative analysis, from rapid qualitative analysis with pen and paper to highly detailed computer simulations. I hope you will enjoy it!

The APT Theory of Security was put together in its most basic form during the Summer of 1991 before being polished in a PhD Thesis at the University of Leicester in 1997, and improved and field tested since then. My father was frustrated with the fragmentation of the security domain, made even more apparent after a cycle of international conferences he organised in the 80s, calling as speakers top experts from US, UK, Israel and Italy. Airport security, personal security, physical security, bank security, home security, information security, and communication security, to name just a few, all following different approaches, principles and methodologies, often in open contradiction with one another. This was unsurprising since each specific security sub-domain had been developed under the vision of people with very different backgrounds, whether military, engineering, law enforcement, quality control, fraud investigators, intelligence officers, etc. The lack of a standard scientific approach that could integrate the different disciplines was making it difficult for experts at the time to be able to justify their analysis, assessments, recommendations and intervention beyond appeals to “in my experience”, “this is how it is done”, “it is my intuition” or “trust me, I know”. So, my father decided to go back to basics, study philosophy of science from Descartes to Russell and Popper and try to identify the common denominator between the different security branches. By the end of the Summer, he had his Ah-ha moment. Airports, people, information, communications, infrastructures, buildings, were all just situational factors. He asked himself: “If we take the situation out of security, what remains?”.

Whatever the Situation is, for any context to have anything to do with Security, there has to be something that needs to be protected (Asset), by someone who can do it (Protector), against a source of threat capable of doing damage (Threat). Hence, the core conceptual formula:

S = f (A, P, T) Si

In other words, a context of Security (S) exists if and only if at least one Asset (A), one Protector (P) and one Threat (T) are present and interacting in a specific Situation (Si). There is no security context if any of these three elements are missing.

Taking the Situation outside the parenthesis makes it easier to focus on the principal elements and stay focused. This has a lot of incredible advantages, for instance… it makes no sense to speak about Cyber Security and then have as a protector a Cyber expert (although it has been very fashionable in recent years), and that is because no Cyber attack is purely cyber (need for physical attack, social engineering, communications breach, etc.). This means that protection does not need to be (and cannot be) purely cyber but must also include physical security, personal security, counter-surveillance etc.

Now, by looking at the essential elements, A, P and T, one is forced to ask questions. What is an Asset? What is its value? According to whom? Is the value constant, or does it change according to circumstances? Is an asset valuable by itself? Because of its relationships? Because of its functions? Then perhaps the asset is not “the thing” but “the function”. Can the function be carried out without “the thing”? Yes? Then, should we not protect also the other ways the function can be carried out? Who is interested in damaging/altering/knowing/hijacking/disrupting/exploiting/sabotaging/… the function that needs protection? As the questioning line moves to types of damages to the Asset, Threats, and Protectors, it becomes clear, even in cases of fundamental security analysis, that the elements of the APT formula should not be seen as individual elements but as systems that interact with each other.

Defining the elements as “systems” allows us to make another qualitative leap in analysis since it means that A, P, and T have inputs and outputs, can be decomposed into smaller elements that are in relationship with each other, and are connected to larger systems (through more inputs and outputs), which help us to identify flows. Since flows can be of matter, energy, or information, we increase complexity while keeping everything conceptually neatly organised.

As an example, imagine a government research facility, with strict security measures implemented, creating a sense of concentration camp (I am sure you must have had a similar experience). While it gives an eerie sense of “military grade” security, this approach drastically reduces the energy value of the researchers (they cannot talk with each other, going to the restrooms becomes a voyage, the environment is unpleasant, …), which ultimately impacts the quality of the research (existing researchers become demotivated and good researchers move to the private sector), reducing the value of the asset that needed protection in the first place.

Another advantage of looking at the formula systemically is that relationships stop being linear but become non-linear, allowing for the identification of loops and creating the high-quality understanding needed to improve security and boost resilience. Beginning the analysis with the identification and understanding of the Assets adds value because the identification of risks becomes almost natural. There is no need to use precooked tables of negative events and risks; they emerge naturally from the combination of assets and threats. Moreover, because the analysis is systemic, the chains of events and scenarios also emerge naturally through the analysis without having to recur to fantasy and science fiction.

Strategy mitigation, at this point, becomes a question of identifying the pressure points in the system, the loops that favour the Threat and the chains of events leading to crisis, and choosing tools, methods, resources, and interventions to apply pressure, manage loops, reinforce or disrupt chains of events as appropriate. This is what clarifies what needs to be done to improve the knowledge, capability, resources, authority and responsibility of the necessary Protectors.

If this approach is applied consistently (and the mitigation strategies implemented), the system's resilience is naturally boosted, with clear positive impact on business continuity and crisis management among others. Of course, an event can occur that was not foreseen, but by having already a map of the system, the process of identifying the potential impacts of the new negative event becomes much faster. By following the basic flows, identifying secondary and tertiary damages, by the way, also becomes easier, as does the process of identifying and evaluating key performance indicators.

In conclusion, a conceptual framework exists, with a theory and a methodology that can inform and assist decision-making from policy to strategy to operations across domains and with full integration and coordination. I am sure that in these 30 years, other theories have been formed, and I am very open to discussing them, but, at the very least, the APT theory can offer a robust first step towards the consolidation of a true Security Science.

I hope you enjoyed this brief introduction. Reference material is below, and I am available for explanations, clarifications, or hearty constructive discussions!

?

?

?

Manunta, G. (2003) Sicurezza. Emmekappa Edizioni.

Manunta, G. ‘Sicurezza, Criminologia ed Investigazione: Un Approccio Sistemico’ Detective and Crime Magazine 2002 n.2 Anno IX pp61-72

Manunta, G. ‘Risk and Security: Are they Compatible Concepts? Security Journal 2002 Vol.15 n.2 pp. 43-55

Manunta, G. Is Security Utilitarian? Security Journal 2000 Vol 13 n2? pp. 49-58

Manunta, G. Security Management: How Robust is the Justification Process? Security Journal 2000 Vol 13 n 1 pp 33-43

Manunta, G. Security Decision Making and PRA Methodology: Does PRA Methodology Effectively Assist Security Decision Makers? Journal Of Security Administration Dec 1999. Vol.22 n.2 pp. 1-9

Manunta, G. (1998) Illegitimati Non Carborundum in Intersec, January 1998

Manunta, G, (1998) Security and Introduction. Cranfield University

Manunta, G. (1997) Towards a Security Science Through a Specific Theory and Methodology, PhD Thesis, University of Leicester.

Manunta, G (1996a) Teoria e Metodologie di Sicurezza. in ‘Criminologia Applicata per la Investigazione e Sicurezzà. Ed. Franco Angeli pp. 88-181

Manunta, G. (1996b) La Sicurezza Aziendale. in ‘Dalla Criminologia alla Security’ Ed. CLUEB, Università di Bologna pp. 27-45

Manunta, G. The Case Against: Private Security is not a Profession, in International Journal of Risk, Security and Crime Prevention, (1996c) Vol.I n.3

Manunta, G. (1990) Autodifesa, Milano: Arnoldo Mondadori.

?

?

?