**1. Introduction**

Risk-based security is built around the premise that information obtained from observable aspects of human identity and possession and knowledge acquired about hidden aspects of human capability and intent can be intelligently combined to assess to some great extent of accuracy the threat a given individual poses to a security system, be it an airport or a border crossing point (BCP). Then, in turn, associating the estimated level of threat with a measure of risk by factoring in the cost that the assessed threat can represent to the system that is being secured by taking into account the impact and cost a given threat can have on a security system, a risk-based security approach can be designed and implemented, whereby security checks are tailored to be commensurate to the estimated risk each individual may pose, instead of being uniform irrespectively of the risk posed by each individual, as is the case today. Taking into account that less than 5% of all individuals can be a potential security risk, the savings in terms of time required to go through risk-based security systems with speedier tests for the 95% of low to no risk individuals can be significant, waiting times in security lines can be reduced and thus the level of comfort and customer satisfaction be drastically improved.

The concept of *risk-based security* is founded on the premise that less than 5% of travelers represent a threat to the security of a border crossing point (BCP), it is conceivable that by somehow identifying the risk-free travelers, the security checks for those "trusted" travelers can be relaxed and sped up, leading into lower delays in the security screening systems. By easing off the security checks on the "trusted" 95% of travelers, the security screening process can focus on the potentially "suspicious" 5% of travelers, thus increasing the odds of identifying them more efficiently.

The concept of risk-based security is indeed promising in terms of improving travelers' experience by easing off security screening and reducing the overall time required to spend at a security check-point. However, the difficulty in implementing a risk-based security systems lies on: (a) developing and implementing non-intrusive, GDPR1 compliant technology and systems that can estimate the risk level of each traveler without inducing additional and cumulative delays; (b) testing such systems before rolling them out in operational environments; and (c) estimate their performance and efficacy under ideal conditions for obtaining performance bounds, calculating the cost of the required investment for implementing risk-based technologies; and (d) calculate the degradation in performance when moving away from the "ideal" operational conditions into realistic operational conditions.

into account the probability of existence of such an event and possibly the range of values the event can assume. These methods are "blind," that it they draw samples from the distribution indiscriminately and without takin into account any specific attributes of the samples, and thus, they are also GDPR compliant. As it will be pointed out further down in the chapter, risk-based methods need to pay special attention to comply with GDPR as they gather and use information and knowledge about individuals' private data such as identity, possession, capability, and intent. Risk-based security associates the estimated risk for each traveler with a commensurate level of security scrutiny. Using prior information about each traveler and sensory data obtained while the traveler is within the security perimeter of a monitored area, a risk-based security system assigns a risk factor to each traveler and depending on the value of the risk factor, the traveler is mapped to a level of security scrutiny commensurate with the perceived risk. Although different number of levels can be associated with the estimated risk, for practical reasons, it is sufficient to associate the entire range of risk values into three different levels of security, Trusted/Registered (Green), Casual (Yellow) and Enhanced Security

*Risk Assessment and Automated Anomaly Detection Using a Deep Learning Architecture*

3,4 a number of GDPR-compliant technologies that can be used for

and contribute to the risk assessment are shown in and include: mobile app way

Innovation project (http://www.fly-sec.eu/) has developed and demonstrated an innovative, integrated and end-to-end airport security process for travelers, enabling a guided and streamlined procedure from the landside to airside and into the boarding gates, and offering for an operationally validated innovative concept for end-to-end aviation security. FLYSEC has contributed towards: (i) innovative processes facilitating riskbased screening; (ii) deployment and integration of new technologies and repurposing existing solutions towards a risk-based Security paradigm shift; (iii) improvement of traveler facilitation and customer service, bringing security as a real service in the airport of tomorrow; (iv) achievement of measurable throughput improvement and a whole new level of Quality of Service; and (v) validation of technologies, devices and applications that can be used to assess risk while the travelers move around in the security perimeter. <sup>4</sup> TRESSPASS … TRESSPASS focusses on risks emerging from people that use the BCP such as travelers and staff, including people that act as such. This includes their luggage, both checked in and hand-held. A typical DBT for a BCP is based on a subset of a typical set of attributes regarding such persons and their travel group. In a DBT, threats are described using as building blocks in terms of *Observable aspects*: (a) *identity*: specific people of which we know that they cause, or will not cause, a threat; and (b) *possession*: assets that we know that can be used to generate a threat, e.g. explosives; whereas in terms of *Hidden aspects*: (c) *capability*: people with specific skills with which they can, generate a threat; and (d) *intent*:

<sup>3</sup> FLYSEC … . Complementing the ACI/IATA efforts, the FLYSEC European H2020 Research and

(Red), as shown in **Figure 2** [5].

people that have an intent from which a threat can be derived.

*Today's security check-point concept (curtesy of TRESSPASS).*

*DOI: http://dx.doi.org/10.5772/intechopen.96209*

In **Figure 2**,

**117**

**Figure 1.**

The European Union (EU) and other international organizations promote this approach through various initiatives. The European Commission (EC) issued the "Smart Borders package" which aims to modernize the Schengen area's external border management by improving the quality and efficiency of border crossing processes through the establishment of 'Stronger and Smarter Information Systems for Borders and Security' [1]. The International Air Transport Association (IATA) proposed a Checkpoint of the Future, designed to enhance security while reducing queues and intrusive searches at airports by using intelligence-driven risk-based measures [2]. Along these lines the EC funded the Research and Innovation project FLYSEC [3] has developed and demonstrated an innovative, integrated, and endto-end airport security system facilitating risk-based screening with the introduction of novel intelligent technologies.

This chapter *discusses* a model of risk-based security developed over a number of EU funded projects, *highlights* the need to using simulation in assessing the efficacy of risk-based security technologies and protocols, and *elaborates* on the use of AI and deep learning algorithms for assessing the perceived risk for each traveler based on observable behavioral indicators (parameters), while *factoring in* information acquired from various sources about hidden behavioral parameters.
