After 9/11 terrorist attacks, critical assets protection has become a priority all over the world. The focus moved from “safety”, so from the prevention and mitigation of casual and unexpected events, to “security”, so mitigation of deliberate acts.

Regarding the protection of particular critical assets as vessels and ports or aircrafts and airports, respectively International Maritime Organisation (IMO) and International Civil Aviation Organization (ICAO) developed two different methodologies for security management, both taking into account that “total security” would be attainable only with an infinite cost.

IMO, through the International Ship and Port Facility Security (ISPS) Code, has stated that countermeasures have to be identified and implemented in a scalable way, according to the “security level”. Nevertheless, “security level” is the result of intelligence information, whose trustworthiness is in inverse relation to malicious people’s capability to act by surprise, which undoubtedly increases the success of their actions. Therefore, security risk assessment and consequent countermeasures should set aside intelligence information and base their cost-effectiveness on other considerations.

This paper aims at proposing an innovative methodology for security risk management that allows the identification of cost-effective countermeasures, based on the evaluation of the impact of each potential incident, independently from the “security level”. To meet this objective we will benefit of past experiences in airport security, where different strategies are suggested by ICAO.