Computer Assisted Exercise as Capability Enhancement Methodology Author

Computer Assisted Exercise as Capability Enhancement Methodology Author Dr. Dušan Marinčič

ABSTRACT The Computer Assisted Exercise (CAX) is training methodology that is simulating a societal processes in synthetic environment. CAX has been used in the last two decades for preparations of National and International security elements on strategic, operational and tactical level in order to prepare timely and appropriate repsonse to security deviations in the crisis areas. By shaping the common understanding of societal needs of the affected countries, it has been much easier after that to send apropriate international capabilities for societal rebuilding. Main motive for this research was to find out if the same methodology could be used for the management of corporative security, which is rensponsible for efficient and prompt reactions on external and internal threats to corporations' processes. Main purpose is to describe opportunity for corporations to train and understand own internal security interactions and external societal dynamics, in order to provide appropriate management of corporate security and to maintain continuity of corporate governance. It is a corporation’s function that oversees and manages the close coordination of all functions within the company that are concerned with security, continuity and safety. Globalization is pushing companies to more risky places where is important to understand an interaction between societal dimensions and potential risks in order to maximize the realization of opportunities. The CAX methodology was explained by phases as follows: planning and preparation, scenario development, execution and analysis. Spain was analyzed as a case study of the Local Capability for sustainable development in 2012, where the findings are representing prerequisites for the final analytical framework of decision making process. Research has been confirming a value of CAX, which ensures to the Corporate Security Management a suitable and timely reaction to security deviations, and creates conditions for effective corporate governance and continuity of corporate security functions.

Keywords Globalization, corporate security management, computer assisted exercise

1

1 INTRODUCTION Throughout the history people wants to be aware and prepared for the incoming threats to their existence, to their families, tribes, religious groups, to their district, municipality or province and to the whole country. It has been always question about their perception of security and readiness to react properly in order to protect themselves, society and societal values. Capability of each society could be described with the ability to protect certain level of potential of the main security dimensions which are: demography, economics, social, environmental and politics. A balanced interaction between mentioned dimensions ensures desirable and predictive societal development. In case of unexpected, unscheduled, unplanned, unprecedented, and definitely unpleasant events (Crichton, 2001:8), society has to have appropriate counter measures in place, in order to neutralize undesirable effects. Historically, corporations have been part of societies throughout the history. They are sharing responsibilities for proper readiness against global, multidimensional security threats on their geographical locations in order to provide proper corporate governance and corporate security functions, which leads to corresponding corporate security management.

2 Globalization Contemporary security environment is shaping corporations' response towards security deviations on global and local security environment. Dominating process in that environment is globalization, which was presented as the process of enhancing collective measures to stop international violence and wars, to save global environment, and to eliminate Third World poverty and economic inequality through developed communications, investments, trade, and aid. Simplistic view on interdependence between corporations and globalization will be that the corporate security management depends on globalization's evolution. Globalization is a process of interaction and integration among the people, companies, and governments of different nations, a process driven by international trade and investment and aided by information technology. This process has effects on the environment, on culture, on political systems, on economic development and prosperity, and on human physical well-being in societies around the world. Proponents of globalization argue that it allows poor countries and their citizens to develop economically and raise their standards of living. Opponents of globalization claim that the creation of an unfettered international free market has benefited multinational corporations in the Western world at the expense of local enterprises, local cultures, and common people.

2

Current wave of globalization has been driven by policies that have opened economies domestically and internationally. The root causes for the current global malaise are twofold: (a) massive and reckless industrialization, and (b) dehumanization of science, technology, and industry. Globalization is not the panacea for the contemporary world crises. The remedy lies in the de-globalization of the dehumanized trade, investment, and aid schemes. The answer to globalized militarization and wars, to globalized pollution and ecological disaster, and to globalised exploitation, poverty and inequality, is not more globalization, but less of it, and its eventual elimination. The world is still made up of separate states which enjoys basic sovereign rights. Each state has its own interests to advance and defend but concurently has to have the capability to manage integration into the global economy, and provide social and economic opportunity and security. The cornerstone of a fairer globalization lies in meeting the demands of all people for: respect for their rights, cultural identity and autonomy, decent work and the empowerment of the local communities they live in. The quest for a fair globalization must be underpinned by the interdependent and mutually reinforcing pillars of economic development, social development and environmental protection at the local, national, regional and global levels. McGee (2006:30) has described that one of the effects of globalization has been a proliferation in the number of threats which face large organisations with exposure to operational risks all over the world. This in turn has made the job of protecting businesses much more complicated and means the number of skills required to do so effectively are more numerous. The emergence of global terrorism, the propensity of terrorists to attack civilian targets and symbols of western influence, and the realisation that damage to economic infrastructure can potentially be just as devastating as damage to physical infrastructure has made large commercial organisations legitimate and attractive targets in the eyes of terrorists (McGee, 2006:31).

3 Corporate Security Management Briggs and Edwards (2006:40) have a different opinion. When companies are properly integrated into the communities within which they work they become a partner rather than a target. Companies could learn a lot from the ways in which nongovernmental organisations (NGOs) manage their security, based on ‘the security triangle’, which has three elements: acceptance, protection and deterrence. The most interesting section of the triangle is the acceptance strategy, which works on the assumption that genuine security is achieved only when an organisation’s work is accepted by the local community. If it understands and believes in what you are doing you are less likely to be targeted.

3

Security management tends to be decentralized in most large companies with responsibilities clustered into three distinct categories (The Conference Board, 2005: 6): 1. physical security (protection of personnel, goods, and facilities) 2. IT security (protection of data and communications) and 3. risk management (insurance and other financial issues). Further on preparedness and business continuity is for smaller companies bigger challenge, because they have less likely written security guidelines and procedures in place to handle security challenges. Smaller companies are less prepared for emergencies. Larger companies are more likely to have backup storage at an off-site location, conduct a risk assessment or audit of vulnerabilities, have security checkpoints, and regularly test their disaster recovery and business continuity plans. The risk of business interruption is greater for smaller companies, because relatively few of them have established off-site emergency operations centers. Briggs and Edwards (2006:12) have stated also that globalization has changed the structure and pace of corporate life. The saturation of traditional markets is taking companies to more risky places, the shift towards a knowledge economy is eroding the importance of ‘place’ in the business world, new business practices such as offshoring challenge companies to manage at a distance, and new forms of accountability, such as corporate governance and corporate social responsibility, put added pressure on companies to match their words with deeds, wherever they are operating. At the same time, security risks have become more complex, too. Many of the threats, such as terrorism, organized crime and information security, are asymmetric and networked, making them more difficult to manage. There is also greater appreciation of the interdependence between a company’s risk portfolio and the way it does business: certain types of behavior can enhance or undermine an organization’s ‘license to operate’, and in some cases this can generate risks that would not otherwise exist. As a result, security has a higher profile in the corporate world today than it did thirteen years ago. Companies are looking for new ways to manage these risks and the portfolio of the security department has widened to include shared responsibility for things such as reputation, corporate governance and regulation, corporate social responsibility and information assurance. There are six characteristics of alignment between security and the business (ibid: 13): 1. The principal role of the security department is to convince colleagues across the business to deliver security through their everyday actions and decisions – not try to do security to or for the company.

4

2. The security department is in the business of change management rather than enforcement and works through trusted social networks of influence. 3. Security is there to help the company to take risks rather than prevent them and should therefore be at the forefront of new business development. 4. Security constantly responds to new business concerns and, as such, the portfolio of responsibilities and their relative importance will change over time. Security departments should never stand still or become fixed entities. In many companies today, its role is more concerned with overall corporate resilience than ‘traditional’ security. 5. Security is both a strategic and operational activity, and departments must distinguish between these two layers. 6. The power and legitimacy of the security department does not come from its expert knowledge, but from its business acumen, people skills, and management ability and communication expertise. For many years corporate security has been dominated by a ‘defensive’ approach, focused on protection and loss prevention. The head of security was seen as little more than the ‘guard at the gate’, someone whose actions invariably stopped people doing their jobs instead of enabling the business to function more effectively. Typically, heads of security came from a narrow talent pool, namely police, armed forces or intelligence. Briggs and Edwards (2006:80) have emphasized that there are many reasons companies tend to recruit security managers from these backgrounds. The police and armed forces turn out individuals with intensive training in the practice of security and protection, and have hands-on experience that is rarely available elsewhere. There are a number of reasons greater diversity is essential within the corporate security function: a) There is a growing recognition of the strategic importance of security and as a result security departments need to operate at a much more senior level. b) Matrix organizations require a particular approach to management and leadership, which can be antithetical to those with police or armed services backgrounds. In today’s corporate environment, the impact of the security department is proportionate to its ability to persuade individuals and teams all over the company to collaborate and cooperate. This means that dialogue between security specialists and non-specialists is essential.

5

c) Traditional security skills are associated with an approach where security is perceived as a ‘dis-enabler’ of business. Those with formal security training can tend to be risk averse, while businesses need to take calculated risks to stay ahead of competitors, break into new markets and maximize profits. d) The corporate security function needs people who are happy breaking rules, innovating and thinking outside the box. Studies of security-related professions such as the police, the ambulance service and local authority emergency planning departments have suggested that ‘too much’ experience in a traditional security context can inhibit people from making innovative responses to security incidents. Heads of security consistently rated qualities such as independent thinking, willingness to challenge assumptions and behaviors and innovation as being ones they value most in their team. One said: ‘I’m looking for people who push the boundaries and constantly challenge the way we work.’ e) There is a growing recognition of the value of ‘the human element’. According to experts, many security professionals are typically trained to address security incidents and emergencies in ways that fail to factor in the human dynamics of such situations, including the impact of emotions, perceptions and fear on people’s behavior. Emotional intelligence is critical to effective alignment, but the human element of security and risk management is routinely overshadowed by the emphasis on technical security skills. For security to be aligned with the business, security managers must understand the business and how they contribute towards its objectives (ibid: 81).

4 Computer Assisted Exercise (CAX) The most valuable training methodology for all security elements is a CAX with the scenario, which can provide realistic training conditions with the acceptable and achievable exercise objectives. Common understanding of possible security threats, outcomes and overall procedures is increasing situational awareness among all participating security elements and strengthening ability to manage threats. A CAX can be defined as a type of synthetic exercise where forces are generated, moved and managed in a simulation environment based on the commands coming from the exercise participants. Application of simulation models on CAX is representing training method, which is dynamically introducing operational conditions of real systems in synthetic environment.

6

Dynamic training system is consisting of digital terrain and equipment and allowing to the exercise participants to gain new knowledge, skills and human behavior. Each CAX is also a research method, because is fulfilling a few conditions for that, for example: - Novelty of the problem, - Importance and applicability of solutions for the practice, - Level of interest in problem solving processes, - Available equipment and other research conditions, - Actuality of research results, - Possibility to find solution for the decision making problems by research. Through the process of CAX, we are undoubtedly optimizing current staff procedures and decision making processes in synchronization with all other stakeholders in the area of responsibility. Therefore, the definition of CAX should not be limited only the usage of modeling and simulation. CAX is ensuring high quality of individual and collective training on decision making processes on tactical, operational and strategic level. These facts are requesting a systemic approach in terms of planning and preparation, oriented execution and objective analysis (Cayirci and Marinčič, 2009: 12).

4.1 Planning and Preparation Qualitative, timely planning and preparation of the exercise are origins for execution of all kind of the exercises in particular for CAX. Planning has to take in account logic of planning procedure, which has to be performed by exercise planners: -

Study and analysis of the concept and conditions for the exercise execution,

-

Definition of purpose, exercise and training objectives,

-

Determination of exercise participants,

-

Production of Exercise plan (EXPLAN),

-

Planning of logistic and financial support.

Although, the planning is separate activity of planning teams, it has to be synchronized with the four exercise training phases1. The EXPLAN consists of the following four stages: exercise Phase I-Academics; Phase II - Operational planning – OPP; Phase III-Execution and Phase IV - After action review. 1

7

concept and specification development, exercise planning and product development, exercise operational conduct, and exercise analysis and reporting.

4.2 Scenario Development

Exercise scenario is providing conditions for computer simulation modeling of natural and societal processes in holistic way. The entire process should ensure timely recognition of societal deviations, correct procedures for their stabilization and objective analysis of affected society. CAX is ensuring that training audiences (TA) can observe the effects of their own decisions and to improve or adjust the exercise decision making process to the circumstances of artificially affected society or corporation. Proper computer simulation of contemporary operation, demands common understanding of: the security environment, characteristics of the area of emergency and standard procedures in responding to perceived threat. The contemporary security is in wider sense multidimensional and consists of: politics, economics, demography, social situation and environmental conditions. Thus, exercise scenario need to cover all above mentioned dimensions and interactions among them. The most important condition for the CAX is to use the security information about affected corporation or society in the physical environment within the geographical locations. Geographical conditions for execution of the operation have a crucial impact on preparations of security elements and also on establishment of common understanding on history, habits, mentality, behavior and culture of affected local communities. Theoretical development of scenario is not focused on 'what will happen', but rather 'what are the necessary and sufficient conditions for a given result to be obtained?’ That means, in practical terms that for the CAX are more important processes which leads to the desirable end state than the requested exercise conditions. The natural progression from the initial exercise scenario is MEL/MIL (Master Events & Incidents list) development process.

4.2.1 MEL/MIL Development

MEL/MIL development process has been established because of technological under development of simulation models. The MEL/MIL process has been used as a tool for covering automatic event generator gap, which is using the scenario as its basis. The responsibility, for

8

provision of proper training conditions for TA, lies on CHIEF MEL/MIL as a manager of Event managers (EM) coordination group. He is responsible to manage MEL/MIL strategy meeting in order to decide about proper training events; than MEL/MIL Incident development meeting, where all participating sides are discussing about desirable incidents under each exercise event. The last is MEL/MIL scripting workshop, which is dedicated to the creation of suitable injects to support each incident. The MEL/MIL process should include all injects provided to the TA, from the Initiating Directive that starts the Emergency Planning Phase, the Situation Updates prior to the and through to the end of the exercise (ENDEX). Thus, the key requirements of those drafting it will be the Approved exercise specifications, the Scenario outline and the Approved Training Objectives. The Scenario and MEL/MIL groups will usually hold their meetings during the Exercise Planning and Product Development Stage. The Event Managers have to show ownership for their events and to assume full responsibility for development of storyboard and delivering of the exercise. The exercise injects have to be created for the decision making level of the TA. On tactical and operational level, injects need to trigger decision making processes for Management Agency or Emergency Operation’s Center. The most important is to provide flow of exercise in the spirit of jointness. Chief MEL/MIL and EM should take care about quality and intensity of injects throughout of the exercise execution. Balance between exercise requirements and rhythm have to be shaped after STARTEX Validation conference among TA, the Database Management Team (DMT), scenario group and EM. Prepared MEL/MIL is just a part of static scripting prior STARTEX, during execution TA is reacting upon certain injects. If the reactions are not in the line of expected outcome, than the Chief MEL/MIL, scenario representative, EM and response cells (RC) have to create dynamic scripting in order to achieve a desirable effects on TA, and as result of that, achievement of the exercise and training objectives (TOs).

4.3 Execution For the Phase III - Execution, CAX has to have a proper exercise functional elements or structure. TA is the center of gravity for all activities, where the Exercise director (EXDIR) and Exercise control (EXCON) are providing requested exercise conditions. EXCON consists of exercise center (EXCEN), situational forces (SITFOR), Response cells (RC) as needed, Observers and Training Teams (TT), which are delivering exercise and at the same time

9

controlling outcome of TA decision making processes. The EXDIR has a significant freedom to use EXCON structures that are most appropriate for achieving the exercise aim and objectives and the TOs. Therefore, he directs the EXCON who control the exercise execution in order to set the proper training conditions. The TA will conduct activities in accordance with the appropriate policies, doctrine and processes as well as directives and their SOPs. So CAX has main elements (figure 1), which are helping to activate TA in order to fulfill TOs, they are: scenario, injects as a tactical or operational problem, model, simulation and analysis (Cayirci and Marinčič, 2009: 240).

Figure 1: Elements of CAX As was described before, the computer simulation support is with its hardware and software, essential for preparation, execution and analysis of the exercise. During execution, computer simulation model is presenting interaction among entities, individuals, and structure in synthetic environment. At the same time it ensures Data Stream for communications (text, picture, sound) between TA and EXCON in real time (figure 2). The generic execution process of CAX starts with the pre-planned inject from injector (EM, RC, WC), which is received by the TA in the Emergency operation’s center. Operation’s center is disseminating information from the inject to the appropriate functional board, for short or for long term planning (figure 3). It depends on required actions, designated functional area groups are than deciding about required actions. At the end of the day, the main Coordination Board (CB) is issuing directions for action to certain operational element. Serial of injects should create an operational pattern for decision making process and provide enough information for the TA Operational assessment of the situation. Training teams are observing coordination processes on the site, and together with the EXCEN observations (figure 3), providing concise picture to the EXDIR what happened and what need to be modified in order to steer CAX toward desirable TOs. Majority of explained activities should be visible in EXCEN.

10

DISTAFF & EXCON

OR

Battlefield Situation (Simulation Model, Horus, Janus, etc.)

Simulation network

EVENT LOG: (all INPUT&OUTPUTdata) -orders -reports -requests -etc.................. time: 1230 unit: 1tcoy data: sitrep content: moving to 345334 position, to prepare hasty attack to enemy at 325334, unit 95% complete

Tactical Picture of battlefield (Training staff, Brigade, Battalion, etc.)

IMS network

Figure 2: Controlling TA activities on the CAX

Figure 3: Injection of an incident in decision making process For the analytical purposes, simulation model is saving all initiated activities or exercise data for quantitative and qualitative analysis about TA reactions, on different exercise injections. At

11

the end is possible to run comparative analysis of exercise events, with the TA decisions in exercise time and space. So the primary goal of CAX is interaction among TA during decision making process and their exercise products. Entire working process on CAX is connected to the theoretical origins of decision making process and its practical application. Simulation model presents quality of TA decisions, through the interaction among terrain databases and operational components, and integration with the assessment of the EXCON. The use of simulation models permits decision makers to determine nearly all outcomes. As an excellent and cheap instrument of analysis, simulation enables the effects of plans, tactics or doctrines to be tested in a variety of environments by repeating and replaying the scenario. Although, entire training process happens in synthetic environment, is still ensuring improvement in decision making skills of TA, decreasing expenditure, increasing security for participants, and in a long term protecting natural environment. With the application of CAX methodology in a training cycle for corporate security management, there are new perspectives for joint training and preparations among corporate security and senior management personnel, in terms of corporate security management in the area of responsibility. Professional approach towards occurred incidents (external or internal) means creation of common understanding, mutual acceptance and harmonization of all involved in the decision making process, and their interaction until the desirable end state.

4.4 Analysis The Exercise analysis is Phase IV in the overall exercise process, and the most important one. The main task for this CAX activity is to provide to the all CAX participants observations and information in the form of After Action Review (AAR) support package (figure 4). The Exercise Analysis begins with the collection of observations and conduct of evaluations as well as assessments compiled throughout the Exercise Process. It includes post exercise analysis and reporting by the TA to the supporting organizations in accordance with requirements and procedures established in the EXPLAN. There are three categories of data and information, that should be used to support exercise analysis and reporting as described below. The EXPLAN should set the requirements, timings and responsibilities for collection, archiving and appropriate distribution of each category.

12

What Happened Observer Reports

Simulation Data

Command & Staff Actions

Game Truth, Results

What was Right….. or Wrong

Analysis: Why

Reports

Analytical Tool

Integrate

• Trends, Issues • Strengths & Weaknesses • Possible Solutions

it Happened AAR Support Package

AAR: Facilitated Discussion

HOW TO DO IT BETTER NEXT TIME

Figure 4: After Action Review Process Cayirci and Marinčič (2009: 244) have mentioned that there are two major categories of Exercise analyses and reports - those addressing the performance and accomplishments of the TA and those addressing the planning and execution of the exercise, analyses of specific objectives or experiment aims. TA data and information are perishable and requirements for their collection by designated means should be laid down in the EXPLAN. Throughout all training phases of the exercise, the TAs should be making, collecting and processing observations in accordance with their lessons learned program. The messages, decision briefings, VTC tapes, records, reports, etc. that are produced by the TAs during the course of the exercise should be archived for exercise analysis and reporting purposes. These documents may also be examined by analysis and evaluation teams in pursuit of identification and justification of potential recommendations for improvement of doctrine, SOPs, etc. Also diaries, Event logs and decisions are an essential tool for the preparation of the TA First Impressions Reports. Analytical products should be in quantitative and qualitative formats. Majority of analytical products about TA effectiveness have been produced by qualitative analytical methods. Only quantitative analysis for emergency simulation could be produced in connection with existing data bases about operational entities. Observers and TA are producing descriptive assessments on a daily and overall efficiency of decision making process on CAX. For proper overview on TA performance, it is advisable to combine these qualitative products with the quantitative measurements of the TA impact on

13

security dimensions of the synthetic crisis area. Multivariate analysis of Local capability for societal reconstruction from the real geographical area (figure 5) could represent initial situation in the synthetic environment. By measuring changes of local potential on main security dimensions (demography, social situation, economy, political situation, environment) CAX analyst could have daily effectiveness of TA decision making process.

Figure 5: Local Capability for Sustainable Development of Spain in 2012 At the end of each exercise day, daily results should be added to the analytical model. Total sum of all capability indexes at the end of exercise shows transparently to the CAX participants and EXDIR, level of Local capability for societal reconstruction in the area of responsibility, and at the same time assessment of the TAs efficiency in the given exercise framework (figure 6).

14

Figure 6: Analysis of TAs efficiency at ENDEX

5 CONCLUSIONS

When companies are properly integrated into the areas within which they work, means that their processes have been accepted by the local community. By creation of interaction between elements of ‘the security triangle’ acceptance, protection and deterrence, corporation is achieving a genuine security and reducing level of potential threats. With the application of CAX methodology in a training cycle for corporate security management, there are new perspectives for joint training and preparations among corporate security and senior management personnel, in terms of security management procedures in the area of responsibility. Professional approach towards occurred incidents (external or internal) means creation of common understanding, mutual acceptance and harmonization of all involved in the decision making process, and their interaction until the desirable end state. Although, entire training process happens in synthetic environment, is still ensuring improvement in decision making skills of TA, decreasing expenditure, increasing security for participants, providing understanding of human interaction and in a long term protecting natural environment. The use of computer simulation models permits decision makers to determine nearly all outcomes. As an excellent and cheap instrument of analysis, CAX enables the effects of plans, tactics or doctrines to be tested in a variety of environments by repeating and replaying the scenario. In today’s corporate environment, the impact of the security department is proportionate to its ability to persuade individuals and teams all over the company to collaborate and cooperate. This means that dialogue between security specialists and non-specialists is essential.

15

CAX has been providing an excellent training environment for people who are happy breaking rules, innovating and thinking outside the box. Businesses need to take calculated risks to stay ahead of competitors, break into new markets and maximize profits. For the corporate security function is important to respect an emotional intelligence and the human element of security and risk management, which should overshadow technical security skills. By the proper planning and preparation, scenario development, execution and analysis, CAX has been an indispensable training methodology. It ensures to the Corporate Security Management a suitable and timely response on external or internal security deviations, and creates conditions for effective corporate governance and continuity of corporate security functions. CAX has definitely a potential to become a capability enhancement methodology for management of corporate security.

References Cayirci E., Marinčič D. (2009) Computer Assisted Exercises and Training: A Reference Guide. Hoboken, New Jersey: Wiley & Sons, Inc. Publication. Crichton M. (2001) Training for decision making during emergencies. Aberdeen: University of Aberdeen, Department of Psychology. Briggs R., Edwards C. (2006) The Business of Resilience Corporate security for the 21st century. London: DEMOS. Retrieved January 17, 2013 from www.demos.co.uk McGee A. (2006) Corporate security’s professional project: An examination of the modern condition of Corporate security management, and the Potential for further professionalisation of The occupation. Cranfield: Cranfield University. Defence College Of Management And Technology Department Of Defence Management And Security Analysis. The Conference Board (2005) Corporate Security Measures and Practices. New York: The Conference Board, Inc. An Overview of Security Management Since 9/11.

16