World events continually remind us just how important security is. The FBI and INTERPOL databases record thefts from small rural museums, private individuals and world-renowned art collections. The prevalence of collections lost to theft is brought home to us with regular sensational media coverage. And then there are the often-unreported internal thefts and collection vandalism that also result in loss. The (not so) new aspect in this line-up is the demolishing of cultural heritage as a strategy in armed conflicts and wars.
Security and prevention must be a priority for every collection owner or museum, regardless of size. From a security point of view, institutions that conserve, exhibit and protect cultural heritage would do well to turn their organisations into high-reliability organisations (HROs), which are defined by security being an intrinsic part of the entire organisation. Private owners, small institutions and all others who possess or take care of cultural heritage should at least understand that prevention is the first step on the way to securing a collection. In this chapter we take you by the hand and guide you from strategy, to tactics, to technology and forwards in finding new paths in proactive security for cultural heritage.
There are a few, mostly similar, definitions for the word ‘strategy’. An apt one is ‘a high-level plan to achieve one or more goals under conditions of uncertainty’. Strategy generally involves setting goals, determining actions to achieve the goals, and mobilising resources to execute the actions. A strategy describes how the ends (goals) will be achieved by the means (resources). Although strategy is not synonymous with planning, it deals with competitive situations in an uncontrolled environment, meaning you still need to have a plan! And the plan for this chapter is that, if we want to make sure that our art is protected, we need a few security strategies to realise this.
The need for security measures in protection of cultural heritage is one almost everybody understands and subscribes to. But in the same order almost everybody has an opinion on how to secure these matters and, more commonly, to which level.
Cultural heritage, in whichever form – paintings, books, objects, buildings, remains of times gone by and so much more – is a global concept. The fact that we call it cultural heritage means it is more than just a piece of art. Within the world of protection of cultural heritage we can say that we, on the matter of security strategy, have come a long way, but we still have much to improve. Protecting cultural heritage is not just about actions and resources. It is about mind-set.
Anyone who is involved in protecting cultural heritage should start by asking themselves the following questions: What do I want not to happen to my collection? What threats might I have to face that my art will be damaged, stolen or even destroyed? If we answer these questions and we can all agree that we do not want these things to happen, then we can say we have a mind-set on protecting our art. The next thing to do, then, is to form a strategy on how to prevent these threats. Not by a one-size-fits-all approach, but in a bespoke manner: for the threat at hand and for the specific topic. This leads you not only to find the right solution for the specific threat, but also to determine which risks are involved and how to prioritise them. This will lead to the means you need to prevent the threat from solidifying. These means are most likely organisational, constructional or electronic security measures.
When mandated with the assignment to overhaul the entire security concept for the Van Gogh Museum in Amsterdam and bring it towards a level that equals and matches the cultural value of the Van Gogh collection, I, together with the museum’s directors, learned that there is a lot going on when it comes to organising protection of cultural heritage in the widest sense of the word. No doubt there are many good ways of securing collections, both constructional and electronic, but on the organisational side, getting a mind-set and awareness of the threats and risks at hand, within the whole of the organisation, is a totally different ball game. Bringing the Van Gogh Museum to the desired level and making security an intrinsic part of the entire organisation was quite a challenge. For us, the best way to get there was to approach the museum as a high-reliability organisation (HRO).
Bringing the HRO culture into a museum environment is a solution that, if you look at any museum’s vision or mission, becomes logical. More so if you look at the definition of an HRO. Although they may seem diverse, HROs have a number of similarities. Firstly, they operate in unforgiving social and political environments. Secondly, their technologies are risky and present the potential for error. Thirdly, the scale of possible consequences from errors or mistakes precludes learning through experimentation. Finally, to avoid failures, these organisations use complex processes to manage complex technologies and complex work. Taking these basic principles and looking at the turning point that reinvigorated HRO research by Karl Weick, Kathleen M. Sutcliffe and David Obstfeld,1 HROs are distinctive because of their efforts to organise in ways that increase the quality of attention across the organisation. They thereby enhance people’s alertness and awareness to details so that they can detect subtle ways in which contexts vary and call for contingent responding (i.e. collective mindfulness). This construct was elaborated and refined as mindful organising in Weick and Sutcliffe’s 2001 and 2007 editions of their book Managing the Unexpected.2
Weick et al. identify five characteristics of HROs as being responsible for the ‘mindfulness’ that keeps them working well when facing unexpected situations:
Meanwhile, the conditions for an HRO include:
In 2005 the Van Gogh Museum and in particular its security organisation was, like most museums in the world, a reactive organisation. As explained before, security was not an intrinsic part of the organisation and was developed and trained in reaction to situations and incidents that occurred. This meant that if someone damaged a painting it was the task of the security to attempt to apprehend that person and turn him or her over to the police.
It does not take a rocket scientist to understand that this means you will always be too late to protect your collection! The damage is done by the time you act. So, how to change that? With a few questions, throughout the organisation, we found out that there was a well-described vision on how to excel in being a museum but there was almost no knowledge about how to protect the art, other than the reactive measures that were developed when the museum opened in 1973. Most of the security attention was organised in constructional and electronic measures. The focus was on when the museum was closed to the public: the art inside was well protected when everybody was at home. It took some convincing, on various levels in the organisation, to get everybody to realise that this traditional ‘line of defence’ was important but that the biggest threats to the art were not so much at hand during closing hours. Most threats occurred when the museum was open, when more than 5,000 visitors a day were entering and leaving the museum and could come very close to the art.
Using the characteristics of an HRO, we developed the ORRI method for the security department (and later for all staff working in the public area of the museum). ORRI stands for: observation; recognition of (deviant) behaviour; risk analysis; and intervention. With this special skills training, we were able to change the reactive security staff of the museum into a proactive security force trained to prevent things from happening by recognising them early on.
This new way of working also established commitment and resilience within the security department. By changing the mind-set and giving the employees the training, the tools, the means and responsibilities in their jobs, they started to perform on the higher desired level. This visibly positive change on the work floor, but also the improved efficiency and efficacy of a whole department (the equivalent of around 80 full-time staff) was the spin-off for the other departments to change into working within HRO contours.
In managing security staff, the main issues are how to manage guard efficacy and how to deal with inertia. This goes for all kinds of cultural institutions, with the possible exception of private collectors. This last category usually does not have specially trained staff running around the house guarding their vulnerable collections.
In all other cultural organisations, how you position the security department is of great importance, regardless of whether it consists of highly trained security professionals or enthusiastic volunteers. It needs to be in the right place in the organisation, to be an intrinsic part of that organisation with a distinct identity as a security department. That is the best way to get an optimal result. The fact that the security staff are given goals, responsibilities and training and are equipped with the right tools, and challenged with new situations, threats and changes, will decrease inertia.
The position of the security manager and the budget for the security department are two important factors when it comes to effective management. The function of security manager should be positioned in the hierarchy directly beneath the managing director of an institution. Often in institutions the security manager reports to the facility manager or public service manager and is dependent on his or her input to forward relevant information to the management team or the board of directors. The same goes for the financial aspect: in many institutions, a security budget is dependent on the total budget of the facility department or the public services department.
Based on the HRO principle, a proactive security manager, well trained and educated, with an understanding of organisational sensitivity, placed in the right position and connected in- and outside the organisation, can change a security department into a well-organised, effective and efficient working force with a high commitment.
One of the most romanticised proactive security techniques, predictive profiling, was developed in Israel to recognise threats at an early stage and undertake countermeasures against these threats.
Predictive profiling works by making threat analyses based on individuals, goods or situations that deviate from the local norm and are associated with an adverse modus operandi (AMO): an action that is part of a sequence of actions of which it is known that it is dangerous in one way or another to an organisation or its primary (security) goals. Predictive profiling is the evaluation of whether or not an individual, a thing or a situation is a threat based on suspicious indicators and deviant behaviour. The intentions of the adversary are the focal point. By applying a security questioning to individuals who show suspicious indicators, a predictive profiler can debunk or confirm whether there is a threat, after which action can be taken. The proactive and client-friendly nature of predictive profiling has seen it applied in many different sectors in the Netherlands.
The application of predictive profiling in the Van Gogh Museum, and a number of other Dutch museums, can be seen as a further professionalisation of the ORRI method. The methods were adapted from their original (high-impact) Israeli form to a more client-friendly application specially crafted for the museum context.
The ‘red teaming’ exercise is probably familiar to most people as the so-called ‘mystery guest visit’. An external assessor pays an unexpected visit to an organisation and judges the organisation on a number of predefined factors. Such a simple approach has its advantages; however, it completely misses its goals as a technique when it comes to improving and sharpening the operational protection of an organisation. In combination with predictive profiling, for instance, red teaming exercises constitute a continuous measurable process in which security employees at the operational level improve not only their security skills but also their measure of service drive and client-friendliness.
The clearly defined goals in predictive profiling, combined with the active testing and motivational effects of red teaming, have a direct and fundamental impact on guard efficacy and combating inertia. If applied organisation-wide, this effect is also recognisable in other parts of the organisation. However, in applying these measures, organisations are confronted with a new factor in security: information requirements.
In order to effectively apply proactive security and preventive measures, organisations need to obtain knowledge pertaining to the threats that are relevant to them: to the unwanted scenarios that they are likely to face and that pose a direct threat to their security goals. In short: if you want to prevent something from happening, you need knowledge of what that something is.
When developing security tactics, in any organisation or even in private situations – whether for a private collection, a small public collection or religious institution, a museum, an archaeological site, a library or an archive – the first step is defining your security needs. If you do not start there, you will never have a working security chain. Putting yourself in the place of the responsible decision maker in one of these organisations, the first question you should ask yourself is: What is the worst thing that could happen? Or, what do I not want to happen here? Or, what would jeopardise the very existence of my organisation? Answering this question (with the help of your organisation) is the foundation of everything you will decide afterwards in developing security tactics for your organisation.
If you aim for a high target, in this multidisciplinary field of interest, you are likely to cover all lower threats that your organisation will have to deal with in the approach of preventing this high target from happening. The target might be: ‘I do not want my collection to be damaged, stolen or destroyed.’ By identifying this security goal and agreeing on it with every stakeholder in your organisation (making it a board decision/policy), you will make this the starting point and reference for every subsequent step in forming tactics to enforce this ultimate goal.
Identifying your target will lead you to the next step in protecting your collection: that is, defining the threats that are connected to this target. In the example mentioned above these could be vandalism, burglary, robbery, insider theft, fire, natural disasters, acts of terrorism, etc.
If you have defined the threats in relation to your target, you can assess how great the risks are that these threats will happen in your organisation. This assessment will provide you with the necessary information about the probability (chance) of a risk happening versus the effect it would have on the organisation, in relation to your target. In this way you can prioritise all the risks at hand and categorise them (risk = probability × effect or R = P × E). This is the risk assessment that will lead you to the desired measures to protect your collection.
The next tactical step is to decide how to prevent the defined and prioritised risks from happening. What kind of measures do you need to take in relation to these prioritised risks? Within security there are three basic security measures we normally use: organisational, constructional and electronic measures (OCE measures). When used together, these three measures are mutually supportive. Depending on the risk or situation it is not always possible, or necessary, to choose or use all three of them. The chosen security measure should be bespoke for the specific situation or risk concerned.
It is important to remember that any choice for a constructional or electronic security solution implies that there is also an organisational measure to take. Having burglary-proof doors and fences but nobody who checks if they are closed and locked, or having a very sophisticated CCTV system but nobody watching the footage, or having an expensive burglary detecting system but no alarm response, is in fact throwing your investment, and therefore your money, away. The organisational part of security measures should always be leading, where construction and electronics are supporting. This makes the human factor the strongest link in the security chain, flying in the face of the common perception that the human is the weakest link.
If you are in need of security measures on the OCE levels, you will be targeted by all kinds of experts and security firms, big and small. And when they tell you that they are there to help you, you can believe them. They are there to help you … to get rid of your money. With the lessons learned from the past, it is important to know that you or your institution are the ones who decide what the security goal is for your organisation. That also means that you can set your own standards and you are not obliged to conform to the so-called standards of the firms who want to sell their products to you. Keep in mind that the goals of a private company are totally different from your goals, in spite of the good intentions of some individuals. The saying: ‘If something is too good to be true, then it probably is’ always applies here.
Depending on your need as a private owner or, at the other end of the spectrum, as a security director, you will have to decide what you need to close the security chain. Benchmarking with colleagues in the field and asking for advice from those who have experience seems to be a logical step. However, experience shows that we do not tend to use these kinds of opportunities. Instead we try to find our own way. And unless you are very well educated and trained in security technology, this will lead to disappointment and high costs. The goal for this section of the chapter is not to sum up all the various devices and systems that exist in this business, but rather to point you in the direction of some innovations in the use of preventative and protective technology at the heart of cultural heritage, namely with or on the art work or object itself.
One project of interest is the FING-ART-PRINT project developed and initiated by Dr William Wei, coordinator at the Netherlands Rijksdienst voor Cultureel Erfgoed, and founded by the European Commission.5 Illicit trafficking of stolen objects has been a problem for centuries, and continues to be a major problem to this day for archaeological sites and museums that lie unprotected in war zones such as we have in Afghanistan, Iraq, Syria, Egypt and others. A key problem in fighting the illegal trafficking of objects, as well as the tracking and tracing of objects in transport and on loan, is their irrefutable identification. In the field, and in particular at archaeological sites in Third World countries, the identification of objects can be far more difficult. There is thus a clear need for a method of identifying objects quickly and uniquely. The FING-ART-PRINT technique involves taking a unique ‘fingerprint’ of an object without coming into contact with the object. This fingerprint consists of the measurement of the roughness and reflectance spectra (colour) of an object at a specific position on it – for example, a square centimetre – selected by the owner.
As an extension to the identification task that is addressed by FING-ART-PRINT, the system will also have a significant impact on the analysis and detection of frauds. It will allow museums and law enforcement authorities to clearly mark and identify objects which are already known to be authentic. In the case of the loss and recovery of an object, a fingerprint of the object can be taken and compared with a database containing objects which have been fingerprinted, in exactly the same manner as law enforcement officers use fingerprints, DNA or dental records to identify missing persons, criminals or potential personnel security problems.
Another new kid on the block, based on a similar technique and coming from research with forensic investigations into crimes, is DNA coding. Forensic property marking represents a ‘quick win’ in terms of tracing and recovering stolen property.
These forensic coding solutions generally consist of two elements. The first and most significant of these is a liquid that contains an absolutely unique synthetic forensic code (similar in structure to real DNA, but created in a laboratory from sugar phosphate to form the ‘molecular’ backbone), which, upon forensic laboratory examination, will directly match the (unique) DNA solution coded that is registered to the legitimate owner of the item. The second is a UV fluorescing agent which, when illuminated with a UV lamp, indicates that the item has been marked with a forensic coding solution. This will only be applied in certain circumstances depending on the type of item being coded (for example, it would not be applied to a calligraphy work on paper). Not only does this provide an unequivocal identification of the item, it also supplies irrefutable evidence for use in criminal prosecutions.6
There are probably further innovative techniques in development as I write. Some of them will not move beyond the ideas phase, while others will be developed into useful tools to make it easier to protect our cultural heritage and prevent a total loss in the case of wars and long disputes.
To conclude this chapter on security for the protection of art, I would like to introduce you to the newest development within proactive security in the Netherlands, namely predictive security intelligence.
In the context of the organisational aspect of security being the primary focus of attention in securing organisations handling cultural heritage in the broadest sense of the word, a recent, innovative development is the application of security intelligence.
Intelligence, as applied by government agencies and private intelligence companies worldwide, is in its essence not as exciting as the romantic, Hollywood-induced vision that the word conjures in most people’s minds. Rather, intelligence is information that serves a purpose; it is actively collected, analysed and reported to decision-makers based on their needs and questions. In essence it is the right information, given to the right people at the right time.
Important information requirements that might arise within an organisation tasked with the protection of cultural heritage might entail, as mentioned earlier, that pertaining to the methods of potential wrongdoers: the so-called AMOs relevant in the prevention of unwanted behaviours and early detection and handling of threats in predictive profiling. However, they might also entail information relevant for managers and directors in decision-making pertaining to long-term goals in security. How is a threat likely to develop in the long term? What are the currently unknown and potential future threats? What are the current and possible trends in crime and other threats? Security policy and practice in this form can be collectively referred to as information-driven security. These specific information requirements (AMOs, future scenarios and critical unknowns) allow for the application of methods and techniques from the world of Intelligence to produce accurate and reliable reports that fulfil these requirements. In a nutshell, security intelligence encompasses the application of Intelligence methods and techniques with the specific goal of improving security and decision-making in the security context.
The rather romantic perspective of intelligence often pertains to the collection of data as input for intelligence analysis: spying, infiltrating organisations, double agents, cloak and dagger. Such spy craft is, however, not of great importance in the context of security intelligence for cultural heritage. Most of the necessary information is already in the hands of individual organisations, or freely available in media or on the internet. The potential of this information to improve security policy and practice is, in reality, almost never fully unlocked.
Individual organisations tasked with the protection of cultural heritage exist, mostly, in a culture of non-disclosure when it comes to security information. Security successes and failures are rarely shared with colleagues, or even with the police. There are a number of explanations for this culture of non-disclosure, an important one being the reliance of many museums on the exchange of art and exhibitions. If a museum freely shares information about being robbed, for instance, other museums might be reluctant to lend an exhibition. Other factors are the influence of insurance companies in the sector, and the fear of fuelling criminal copycats. However, the lack of information collection and sharing between these organisations prevents them from actively applying information-driven security in their organisations.
At the forefront of these innovations in security is Dutch security company SoSecure, and their Knowledge Centre for Security Intelligence. Their expertise in the fields of ORRI, and more recently predictive profiling and red teaming, brought them to the conclusion, early on, that for security to be effective at preventing threats, companies require as much information as possible about these threats. In an attempt to fulfil these information requirements for the Dutch cultural heritage sector as a whole, they began collecting information pertaining to crime in the sector. Later, this database grew to include the same information provided by a number of larger and smaller museums in the Netherlands. And within a few years the ‘Database of Crime in Cultural Heritage’ (Database Erfgoed Criminaliteit) was the most complete source of information pertaining to crime in cultural heritage in the Netherlands – more complete even than government and police databases.
However, to make the products that flow from the intelligence analysis that is applied to this information of even higher quality and reliability, the Knowledge Centre for Security Intelligence has always sought to further increase the sources of information that feed its database and analysis, seeking information cooperation with government, police and other organisations In cultural heritage. More sources and information lead to higher quality and reliability of intelligence products. Even the construction of comparable databases for crime in other sectors as an input in analysis is part of this process, as many types of crime are not exclusive to one sector of business or another. This rich source of information, which is collected, analysed and shared in a highly anonymous and confidential manner so as not to be threatening to the individual interests of museums, is a direct input into the security policy and practice of these museums.
If a museum knows in what ways it is likely to be attacked, based on information that is as all-encompassing as it can be, it is unlikely to be surprised by a novel or previously unknown threat. And even these novel and unknown threats, otherwise termed ‘critical unknowns’, can be analysed. Through alternative analysis processes such as strategic red teaming analysis, it is possible to creatively and realistically build likely scenarios of future attacks, based on the goals and capabilities of potential adversaries. Quantitative, even automated, data crunching in the large databases of the cultural heritage sectors, and even across the multiple pan-sectoral crime databases, reveals trends and tendencies in crime information that had previously been missed. This information is potentially about crime that already takes place but has not yet been discovered.
So, in summary, if a museum dares to sufficiently share information with other museums, or with a central party specialising in security intelligence, it could gain access to intelligence products that directly fulfil its information requirements in security policy and practice. If utilised to their maximum potential, security intelligence and predictive databases provide information about not only all threats that have already taken place, but also the threats that are most likely to take place. This complete palate of relevant and potential threats allows for information-driven security at the highest organisational level within cultural heritage, as it is highly improbable that an organisation will be faced with a threat that is a surprise to its security organisation.
Dick Drent was formerly the Director of Security at the Van Gogh Museum, Amsterdam, and worked for 25 years in law enforcement in international settings on organised crime and counter terrorism. His company, Omnirisk, is engaged in the development and implementation of proactive museum security and as an associate director with SoSecure in training on predictive profiling and security intelligence. He teaches at the Association for Research into Crimes against Art’s Postgraduate Certificate Programme in Art Crime and Heritage Protection Studies, in Umbria, Italy. Since 2006, he has been a board member of the International Committee on Museum Security (ICMS) with ICOM.