Concept of Security and Security Management Overview
This lesson serves as the first step in the journey we will take together in this course: Security Administration. Yet before we can administer something, we have to know what that something is. In other words, in order to properly oversee a project, program, or person, we need to have greater insight into what it entails and represents. As it relates to our overarching topic of security, it is one that can have a number of different meanings and interpretations. These can be impacted by events that transpire in the world in which we live, whether on a global or more intimate scale, as well as by influences felt from the ever-changing nature of this world, such as technology and how it can be used as both a threat and a deterrent. It promises to be an interesting study for those who are or plan to be intimately involved in the world of security, or those impacted by it…all of us.
Introduction
As an overall discipline, security would appear to fall short of receiving the same status as other recognized academic fields. Yet, with the aid of ongoing research and real-world application, attaining such a position would appear to be progressing quite nicely. As the body of knowledge related to security continues to increase, and as the fundamental concepts and principles related to it evolve, the overall theory and practice of security is being recognized on an ever-increasing scale. Yet, that is not to say that it does not contain a number of inherent challenges, because security as a whole lacks definition, and is thus deficient in structured knowledge as well. However, it is the diverse and progressive nature of the various disciplines involved in providing security that will ensure that professional development will be carried out in a constant and measured manner. Therefore, attention will be directed in this lesson towards not only the overall concept of security, but how that security is managed as needed.
The Concept of Security
There is no discounting the vital importance of security. As humans, there is a basic and inherent need in all of us regarding the concern for our well-being. This concern can be extended to members of our family, community, nation, and the overall world in which we live. By extension, the need to provide security will incorporate and impact a variety of issues found throughout our society, such as the environment, human rights, health-related epidemics, social injustice, etc. These and other such issues can directly impact the overall issue of security and how it is approached and applied; thus it is multi-dimensional. For instance, securing our home or place of business can be achieved through locking doors, installing surveillance systems, and other such measures. However, what about securing our country against the threat of terrorism? Not only are there a number of approaches regarding how to provide such security, but given the various issues many have raised (i.e. profiling, privacy, civil liberties, etc.) regarding this endeavor, there is a debate as to whether such security is in fact being provided or even worth it. So it should come as no surprise that “security is an ‘essentially contested concept;’ a concept on which no consensus exists” (Schafer, 2013, p. 5). Because security can be both vague and convoluted, it can be difficult at best to not only define all that it represents, but what it looks like when it is attained. However, a good foundation to build upon would be the fact that security “implies a stable, relatively predictable environment in which an individual or group may pursue its ends without disruption or harm and without fear of such disturbance or injury” (Fischer, Halibozek & Green, 2008, under “Defining the Concept”). It is from here that we will address security as it relates to individuals, groups, and from a broader perspective as it relates to culture, ethnicity, or a sovereign state.
Individual Security
As individuals, there is a basic, almost primitive need to be secure. We can see this throughout the history of mankind; something that still exists today. One of the most prevalent theories that speaks to this issue is Maslow’s Hierarchy of Needs. In essence, it describes the basic needs that motivate human behavior. At its foundation are found the basic biological and psychological needs related to the air, food and water required to sustain us, shelter, sex, and sleep. Once these are met, the individual is motivated to address those issues at the next level (and so forth up the hierarchy), where those related to safety specifically speak to the issue of security. In addition, by contemplating all that one’s individual security represents, some basic freedoms have been identified as well (at least in a political context). These include the freedom from fear (protecting the physical integrity of a human being), freedom from want (basic access to goods and services that meet basic needs), as well as freedom to inherit a healthy environment (Schafer, 2013, p. 8). So as Maslow’s hierarchy demonstrates, an individual’s innate desire to be safe and secure is a basic one. Yet although related, one must recognize the distinctions that exist between what it means to be safe versus secure. Simply put, safety represents another basic liberty, and that is the freedom from danger or risk of injury. Although related, it would appear that safety is focused more on particular incidents or accidents that might take place, while security deals with actions of a malicious nature and nefarious intent. Another defining factor would appear to be that safety concerns generally present themselves within the internal environment, while those related to security are normally external in nature (Smith & Brooks, 2012, p. 9). Yet one last point to offer regarding individual security concerns risk. 
Most practitioners regard security as a form of risk, where it must be managed in the proper manner. Therefore, the overarching goal of providing security is a perceived outcome of risk.
Security of Groups
In many ways, the security professional will be intimately involved in providing security to various groups of people, whether as an extension in the overall context of law enforcement and public security as a whole, or within the environment of the private sector as it relates to a particular business or organization. The basis for what is expected in this realm comes from society itself, where basic expectations are formulated. As an example, if a law is established regarding social norms (i.e. breaking and entering is not allowed), appropriate measures must be taken by both the group and those providing security in regards to it. Yet if that law is then broken, there is an expectation that the social contract has been broken and appropriate actions are warranted. So from a public security perspective, maintaining acceptable behaviors within one’s community that impact the group as a whole is a basic expectation. What is considered to be “acceptable” can change not only from community to community, but over time as well. This of course has a direct impact on private security efforts as well. Although many distinct differences might exist in how security is provided in the public and private environments, there are also a number of shared beliefs and approaches. This is noted in Security Science: The Theory and Practice of Security, where the authors highlight the fact that where public security is to sustain the overall social contract that exists, it is up to private security to protect an individual’s own assets. Private sector security is an area that has grown into a rather large international industry, where various groups serve as its primary clients. So not only is it concerned with issues such as loss prevention related to a particular business at the local level, but it must take appropriate action as it relates to security threats and concerns on a more national and global scale as well.
Security of the Nation-State
No discussion of security would be complete without viewing it from an overarching, national perspective as well. Security as it relates to both nation-states and international systems as a whole has existed throughout history. Various defensive measures primarily enacted through military assets have been and continue to be utilized in the name of national security. Although the concepts of homeland security and homeland defense have existed here in the United States since its founding, they certainly rose to the forefront after the events of 9/11. As has been the case thus far in this lesson, there are various parallels between certain terms and efforts, and so it is with defense and security. One such parallel is seen in the use of public security resources and those provided by military organizations, where there seems to be an increasing merging of the two in addressing various homeland security challenges. However, there is a great difference in the manner in which certain threats are approached and considered. As Wolfers proposes, security is seen as “the absence of threats to acquired values” (Baldwin, 1997, p. 13). Yet this is ambiguous at best, because not all threats are created equal. For instance, in response to a military attack from external forces, similar resources would be utilized to dissuade that threat. Yet what about those related to Mother Nature (i.e. an earthquake)? Generally speaking, there are no efforts that can directly impact the probability of such events occurring, but security measures can be taken to decrease the probability of damage that results from them. So as can be seen, homeland security in and of itself is a daunting and multifaceted endeavor; one that is certainly beyond the scope of what can be addressed here. Yet suffice it to say that national security is an issue that will impact both the public and private sectors moving forward, where the security industry as a whole will be influenced by it.
So at this point, whether we speak of security from the perspective of an individual, group, or nation, consideration must be given regarding the asset needing to be secured, the level of protection desired, as well as the perceived threat against that particular asset. Also, it is the sum of these various components that must be considered regarding the situation as a whole and how security must be managed. It is this particular issue that will now serve as our focus.
Security Management
To properly manage all that security represents, a broad-based systems approach must be employed. Such a system is nothing more than a collection of individual components and functions, yet must be brought together in an organized and coordinated fashion. Likewise, if the security management professional is to receive the input, acceptance, and support of those they are providing such security to, a thorough understanding of its culture and expectations must also be attained. Suffice it to say, no single framework can be applied in all situations, but must be tailored to the particular requirements and expectations at hand.
A Systems Approach
In order to provide security in both the responsible and expected manner, a holistic approach must be considered and enacted. Various theories exist (i.e. classical, behavioral, etc.) that are limiting because they do not recognize an overall organization or network and the various dependencies of its components. Yet a systems theory recognizes the interrelation that exists among these individual parts and takes needed actions to bring them together in a synchronized manner. Numerous benefits are derived from adopting such an approach, such as generating overall awareness of the system in order to garner needed support, enhancing both internal and external communications, as well as producing a security program that is both flexible and resilient. Within such a system, there are specific functions that must be carried out by those charged with providing overall security. These would include general roles and responsibilities related to planning, organizing, staffing, leading, and maintaining control. It must be understood that the security manager who is proficient and effective is first a business manager, who must possess a mix of technical, interpersonal, and decision-making skills. Just some of the many tasks would include implementing needed controls, formulating appropriate metrics and performance standards, maintaining education and training (not only for self, but for staff and affected segments of the organization), as well as being attentive to budgetary and financial issues and succession planning. Greater detail regarding these various functions can be found in Chapter 2 of Security Science: The Theory and Practice of Security.
Policies and Procedures
Within any management system, appropriate policies and procedures are a must, and they certainly apply to security efforts as well. At its basis, a policy serves as a formal record of an organization’s overall goals and objectives that has been put forth by management and decision-makers, while procedures are the precise actions taken to make those policies become a reality. So as it relates to security initiatives, some examples of procedural matters might be those overarching duties expected of security personnel (i.e. access control, processing visitors, etc.), the manner in which security breaches are to be handled, the proper usage of equipment and firearms, how to correctly handle personal or classified information, as well as fostering and maintaining needed relationships with external organizations (i.e. emergency response agencies, the media, etc.). If policies and procedures are to serve as an asset rather than a detriment, they must possess a number of features. First, staff must be intimately involved in formulating them. Also, attention must be directed towards ensuring that policies and procedures conform not only to established laws, but to social values and expectations as well. Obviously, policies and procedures must be reviewed on a regular basis in order to ensure that they aid in accomplishing the goals and objectives established at the outset. If this is not carried out on a regular basis, a gradual erosion of security effectiveness might be realized. Smith and Brooks label this as security decay, and note that if it is to be averted, the design, application, and management of security that is consistent with an overall systems approach must be employed (2012).
Conclusion
As we bring this first lesson to a close, attention has been directed towards the overall concept of security, as well as some of the fundamental components that are needed in order to effectively manage an overall security endeavor. In our next lesson, we will again direct attention towards management, but specifically as it relates to the issue of risk. There are a number of sub-components that impact this issue such as threat, criticality and vulnerability; topics that we will look at, as well as some of the theories and models that impact security risk management.
Risk
The overall topic of risk is one that most do not give much thought to, yet deal with each day in some form or fashion. Driving on the highway to various destinations provides a perfect example, where a number of issues are present that could cause great harm. Whether that be hazardous weather conditions or a motorist driving under the influence (including ourselves), an accident could produce a number of negative consequences. However, steps are also routinely taken to manage that risk, such as providing proper vehicle maintenance, utilizing seatbelts, as well as employing defensive driving skills. Likewise, risk in various forms is seen throughout all aspects of society, where some are charged with managing it in a prudent, planned, and effective manner. This week, we will provide a basis of understanding regarding the underlying principles related to security risk and how best to control it, some of the concepts that form risk and risk management (such as probability, likelihood, and consequence), as well as considering some theories that underlie decision-making within security risk management.
Introduction
The overall concept of risk is one that has always existed in some form or fashion. From the earliest accounts of mankind onward, exposure to various trials and tribulations has been an issue that has had to be dealt with. Whether it was “survival of the fittest” during the Stone Age related to prehistoric animals or those modern-day challenges that we face related to our own homes and the society in which we find ourselves, risk is an inherent part of our lives. However, the role of risk, the impact it has, as well as innovation and developments seeking to manage it have evolved and continue to evolve. Yet as a concept, Smith and Brooks propose that it originated in the seventeenth century based upon a theory of probability. For example, risk has been defined as “the probability of an event occurring, combined with an accounting for the losses and gains that the event would represent if it came to pass” (2012, p. 52). At its very core, risk deals with the issue of uncertainty, and there are a number of approaches taken in order to deal with such insecurity. Perhaps the simplest are technical approaches, where risks and the effects they produce are objectively measured; such an approach is primarily seen in fields related to health care, the environment, as well as those related to actuarial studies. An approach taken in the field of social sciences is economic in nature, where an attempt is made to anticipate the connectedness of risk as seen throughout society. The advantage here is that not only are negative effects measured, but the possibility of profit or loss from the risk under review is also considered. As related to subjective judgment related to risk, psychological approaches are often employed, and can be carried out in different ways. One attempts to explain why certain individuals do not base their judgment of risk on certain probabilities and expected outcomes. Another seeks to identify biases that may exist related to the evaluation of risk.
Lastly, the perception of risk is seen to be greatly influenced by the overall context in which it resides. Although the psychological approach offers insight that other approaches cannot, it must be acknowledged that it is difficult at best to gather personal preferences. One last approach related to the concept of risk is sociological and anthropological in nature; one that focuses upon the social interaction that must be considered in the overall context of risk. This approach is certainly multifaceted in nature, but considers issues such as social inequality, individual versus group cohesion, masculinity versus femininity, as well as the avoidance of uncertainty as it relates to strong versus weak (Vasari, 2015). Suffice it to say that there is more than meets the eye when speaking of the overarching concept of risk. Yet as it relates to the primary issue under discussion this week, how the security professional is to manage risk in an effective manner, there must also be an understanding as to the probability of an event occurring, as well as properly carrying out various types of assessments. This is where our attention will now be directed.
The Role of Probability
In taking an overarching perspective, the management of risk must consider the probability of risk occurring in the first place. At its core, probability is found within the school of mathematics, where it “may be considered an analysis of random phenomena” (Smith & Brooks, 2012, p. 54). Yet that does not mean that certain actions cannot be taken that seek to eliminate it, prevent it from occurring, or at least reduce it to an acceptable level. This is the essence of risk management. Obviously, it is impossible to calculate the probability of a single event occurring with total accuracy, especially where intelligent humans are involved (i.e. terrorist attack, break in and theft, etc.). So in the field of security risk management, the likelihood of an event occurring might be a better approach. Yet by acquiring, considering and utilizing certain types of data, probability does in fact offer the security professional a quantitative approach that can prove to be quite helpful.
A discussion of the probability and likelihood of an event occurring would not be complete without considering the consequence that it might produce. At first glance, consequence is generally related to financial cost, such as funds needed to replace structures, equipment, staff, etc. However, consideration must be given to such outcomes from a broader perspective. One concerns physical costs due to injuries and fatalities, which equate to lost production and related issues of an economic nature. When dealing in the business/corporate world, intellectual costs must be considered. Although subjective in nature, the impact that a critical incident might have upon one’s reputation and credibility can be far-reaching. So when assessing consequence, the security professional must take into consideration the somewhat narrow-minded nature of individuals and groups. For instance, those working within a certain department of a company might feel that issues related to their efforts are paramount. However, an overarching view of the organization as a whole, the manner in which its subcomponents are interrelated, and how an event might negatively impact the whole must be considered. This was highlighted by Fischer and Green, who stated that “if security is not to be one-dimensional, piecemeal, reactive, or pre-packaged, it must be based on analysis of the total risk potential” (Fischer & Green, 2004, p. 129). Therefore, an all-inclusive approach must be taken that identifies key components and assesses them in the proper manner, one that allows management practices to garner the desired effect.
Assessments:
Risk
As we look at various issues that must be considered and properly evaluated, a good starting point would be that related to risk, since risk is seen as simply a function of identified threats, related vulnerabilities, and the consequences they produce. Such an approach is widely accepted; in fact, the Department of Homeland Security (DHS) and those found within the overall homeland security enterprise take this approach when assessing risk. Although it has evolved through the years, a formula has been developed (R = T x V x C) where the variables represent the following:
R is the level of risk, and establishes a priority for a given critical infrastructure asset, geographic location, etc.
T is the threat or the likelihood that a specific target will suffer an attack or disaster from a specific weapon, agent, occurrence, etc.
V is an assessment of the vulnerability of a potential target or area (how difficult or easy it would be for it to be attacked or impacted by the threat under consideration).
C represents the consequences of an attack (as touched upon previously, although this is generally given as a dollar figure, there can be much debate as to other issues that should be considered, such as number of fatalities, loss of confidence, etc., and how these can be quantified).
Obviously, a simple formula only scratches the surface of all that it represents. A great deal of information must be collected and evaluated in order to produce information in a usable format. Also, this is not to say that this formula utilized by DHS must be utilized throughout corporate America or other settings, but it does provide good information that can prove worthwhile in a variety of applications (Masse, O’Neil, and Rollins 2007).
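The following is an added example, not part of the original lesson and not a DHS tool: it applies R = T x V x C to a small constructed scenario register to show how the product sets priorities and how lowering V changes them. Treating T and V as values between 0 and 1 and C as a dollar figure is an assumption of this example, as are all names and figures.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, scored with R = T x V x C."""
    asset: str
    threat: str
    t: float  # T: likelihood the asset suffers this threat (assumed scale 0..1)
    v: float  # V: likelihood the threat succeeds against current controls (0..1)
    c: float  # C: consequence if it succeeds, in dollars

    def __post_init__(self):
        # Reject scores outside the assumed scales instead of ranking bad data.
        for name in ("t", "v"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be within 0..1, got {value}")
        if self.c < 0:
            raise ValueError(f"c must not be negative, got {self.c}")

    @property
    def risk(self) -> float:
        return self.t * self.v * self.c


def rank(scenarios):
    """Highest risk first: the order in which scenarios deserve attention."""
    return sorted(scenarios, key=lambda s: s.risk, reverse=True)


def risk_by_asset(scenarios):
    """Sum R over every threat facing the same asset."""
    totals = {}
    for s in scenarios:
        totals[s.asset] = totals.get(s.asset, 0.0) + s.risk
    return totals


def with_control(scenarios, asset, threat, new_v):
    """Return a copy of the register in which a new control lowers V for one
    scenario. T is left alone: for a natural hazard it cannot be influenced."""
    updated = []
    for s in scenarios:
        if s.asset == asset and s.threat == threat:
            if new_v > s.v:
                raise ValueError("a control should not raise vulnerability")
            s = replace(s, v=new_v)
        updated.append(s)
    return updated


# Constructed register; every figure is illustrative only.
REGISTER = [
    Scenario("data center", "earthquake", t=0.02, v=0.60, c=5_000_000),
    Scenario("customer database", "intrusion", t=0.30, v=0.25, c=2_000_000),
    Scenario("warehouse stock", "burglary", t=0.40, v=0.50, c=200_000),
    Scenario("data center", "burglary", t=0.10, v=0.10, c=1_000_000),
]

if __name__ == "__main__":
    for s in rank(REGISTER):
        print(f"{s.asset:18} {s.threat:11} R = ${s.risk:>10,.0f}")
    braced = with_control(REGISTER, "data center", "earthquake", new_v=0.20)
    print("after lowering V for the earthquake scenario:")
    for s in rank(braced):
        print(f"{s.asset:18} {s.threat:11} R = ${s.risk:>10,.0f}")
```

In this register the rare earthquake outranks the frequent warehouse burglary because of its consequence figure, and only a change in V moves it down the list.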
In conducting a risk assessment, a methodical, measured approach should be taken that includes a number of defined steps. First, assets deemed to be critical to the mission of an organization must be identified. People, property, and information would all be included in such assets. When determining the criticality of an asset, the time and money needed to replace it must be taken into account. Secondly, security measures already in place must be identified and considered. These include not only physical security equipment and personnel, but those related to the cyber environment as well. In addition, the policies and procedures that have been formulated that govern security efforts must also be reflected upon. Next, the particular threat under consideration must be properly assessed, and last, the vulnerability of current security measures related to these threats must be painstakingly and honestly measured. A closer review will now be offered related to how the issues of threat and vulnerability should be approached and evaluated.
Threat
As it is with most topics that we have discussed, there is more than one definition and view related to threat and all that it entails. In a general sense, threat is defined as “any indication and circumstances, with the potential to cause the loss of or damage to assets” (Roper, 1999, p. 13). Therefore, to adequately address such threats, a methodical approach must be taken in order to appropriately identify and consider those hazards that exist and the potential impact they represent. Similar to the previous topic discussed related to risk, a formula has been produced related to threat and is worthy of further review. That formula states that Threat = Intent + Capability + Motivation. To begin with, threats in general can be broken down into two broad categories: human or natural. From this starting point, information must be gathered in order to determine the probability of certain types of threats to the organization, community, etc. for which security must be provided. It has been stated that the best predictor of the future is the past; therefore, historical accounts, crime records, weather data, and other such sources can prove to be quite useful in making such determinations. Also, it must be understood that such assessments can be either quantitative or qualitative in nature. While statistics can be gathered (i.e. number of burglaries occurring in a given geographic area in a certain timeframe) that are measurable, others simply cannot be calculated in like manner, such as the level of fear that a proposed terrorist attack might represent. Moving forward in the formula itself, the first variable to consider relates to the intent of the threat under consideration. What is the underlying motivation or desire of the threat? What is the overall expectation regarding what is to be gained if the attack or event is successful?
When dealing with a human threat, the intent may simply be to steal a piece of equipment or information from an organization’s database, damage a facility, destroy one’s reputation, or a host of other possibilities. However, when dealing with a naturally occurring hazard or one that is accidental in nature (i.e. tornado, mass power outage, chemical spill, etc.), although the intent may not be criminal in nature, the expected outcome must be contemplated. Once this step has been addressed, the issue regarding the capability of the threat to carry out their actions must be addressed. To possess the capability of actually carrying out a threat in a successful manner, not only must appropriate resources be available, but also the knowledge, skills, and ability to employ such resources in an appropriate manner. Knowledge would address issues related to the individual or group under consideration (i.e. cyber security hacker, criminal organization, etc.), the personnel that works with and supports them, use of any equipment that they might possess and their technical expertise, as well as the financial and other such resources that support their efforts. Obviously, when speaking of Mother Nature, her intent is not malicious in nature, yet geographic location, historical accounts, current conditions, and a host of other factors would aid in determining the capability of such threats. Lastly, the motivation of the threat must be pondered. When the incentive of the threat is considered, the security professional must realize that these too can be classified in a number of ways. Motivations can be economic (i.e. theft of cash, jewelry, etc.), personal, such as when a disgruntled employee seeks to take revenge against a company that he feels unjustly fired him, or ideological: those associated with one’s philosophical beliefs.
There are a variety of terrorist organizations and hate groups that will carry out malicious actions due to beliefs they hold dear and feel that others are in opposition to or destroying. Examples here could be related to the environment, animal rights, one’s culture or race, or divisive issues such as religion or abortion. Whatever the motivation, the role it plays within the overall context of the threat must be recognized.
So in summary, the threat assessment itself must be able to interpret those threats that have been identified in the overall context of what they/it hopes to accomplish through their actions, why they intend to do so, and their overall capabilities in being successful or not. Based upon this information, the next issue to be considered is how susceptible a particular target might be to such threats. This is where the vulnerability assessment comes into play.
Vulnerability
At its basis, vulnerability considers the exposure that exists related to physical, emotional, or other types of damage, while also taking into account one’s exposure to an attack or critical incident, as well as level of resiliency. So in order to conduct a vulnerability assessment, an analysis must be carried out that considers security efforts already in place in relation to those threats that have previously been identified. Simply put, this component of the overall risk management initiative seeks to determine how an adversary might exploit and take full advantage of current security measures. In addition, the overall goal is to ensure that life safety, protection of assets, and the ability to provide essential services in an uninterrupted manner are maintained. There are a variety of ways in which this assessment can be carried out. One of the most common is the use of a security survey, comprised of checklists and questions that seek to determine a location’s critical assets and services, current physical and cyber security measures, procedural controls, as well as known weaknesses. Also, vulnerability assessments can be either asset or scenario based. In regards to the former, focus is directed towards specific assets (i.e. jewelry found within a shopping mall) and probable threats that can directly impact those assets. Conversely, scenario-based assessments are concerned specifically with the attack itself. It is paramount that members of the vulnerability assessment team have sufficient knowledge related to the scenario under discussion. If this is not the case, assistance and expertise must be solicited. In essence, once a scenario has been chosen to be evaluated, specifics regarding the asset to be protected, the types of adversaries and the manner in which they might seek to attack, as well as the consequences should the attack be successful, must be identified.
“Red-teaming” is one of the most common methods of carrying this effort out, where a team of individuals “attacks” the facility, taking on the role of the aggressor. Once assessments are completed, a rating scale is often utilized that ranks the level of vulnerability from extreme (controls are nonexistent or can easily be breached, etc.) to low (i.e. current controls are extremely effective and no evidence of control failure exists). At this point, a written report is generally produced that offers an overview of current security measures, as well as recommendations or changes in the current security program.
Conclusion
This lesson has made an attempt to offer insight as to some of the primary components that make up an overarching, robust security risk management program. Additional topics such as decision-making, the perception of risk in light of the culture of a particular organization, as well as issues related to trust and gaining consensus must also be given their due attention. There are a number of settings in which these assessments can be carried out, and we will look at one of those next week, the built environment, and consider how the type and quality of it has a direct impact upon security measures.
Overview
Managing risk in a responsible and effective manner is an enormous task; one that must take into consideration a number of factors, while carrying out efforts in a coordinated manner. In addition, there are various domains in which security must be provided; both in a physical sense and in the ever-expanding cyber operating environment. This week, we will focus attention on what is described as the built environment and how the security professional must address issues related to it.
The Built Environment
From an individual, personal standpoint, providing security generally begins where we reside. We take steps to block doors and windows, provide appropriate lighting, perhaps install motion sensors, cameras, and other devices in an effort to alert us of intruders and keep them from entering into our homes. Such physical structures serve as the basis for the built environment, which in essence refers to any human-made structure. Therefore, from the viewpoint of the security profession and those that operate within it, this environment can include everything from corporate offices to shopping malls and everything in between. Yet as noted by Smith and Brooks, this environment must be seen from a broader perspective as well, as transportation systems (roadways, bridges, etc.), the land and surrounding space that the structures occupy, as well as the overall design must all be considered. Because of this, the security administrator must work hand in hand with facility managers and others that have a direct impact upon these resources.
Risk Management in Practice
Long before security measures are put into place, many of the issues discussed in last week’s lesson related to risk management must be considered. At the outset, those threats and hazards considered to be most likely in relation to the structure within the built environment under consideration must be identified and assessed. What is the probability of their occurrence? What might be the human impact; whether that is employees, visitors, customers, or those located in the surrounding area? Also, especially as it relates to those within the private sector, what might be the potential impact upon business operations? This is not only an issue that influences a company’s “bottom line,” but can directly impact others who depend upon needed goods and services. These are just some of the many questions that will need to be answered in order for appropriate emergency planning to take place. In regards to the various critical incidents that could occur, these can be categorized in various ways; a step that will aid in determining what resources and assistance might be needed to address them. Man-made emergencies, those that come as a result of Mother Nature, as well as issues related to technology all present their own challenges and opportunities. What must be realized is that no single company or those charged with providing its security possess all of the resources and expertise that might be required to adequately manage identified risk. It is therefore incumbent upon them to also identify these assets long before a critical incident takes place. Perhaps the most critical asset concerns those responsible for overseeing the operation of the structure itself; the facility manager. This person and their staff can make or break any security program, so it is imperative that a good working relationship be developed.
Facility Management and Security
Overall, facility management is concerned with coordinating the overall physical workplace, but is carried out through a combination of a variety of efforts related to business administration, behavioral sciences, as well as engineering. Similar to any management function, the facility manager is expected to fulfill a number of roles related to organization, staffing of personnel, leading them in the proper manner, as well as control measures related to the facilities they are responsible for. Speaking of the facilities themselves (the primary component within the built environment), three core factors must be aligned in order to achieve their objectives. Primarily, these include maintaining a positive influence, being aligned in order to be productive, as well as being fit for purpose. In Security Science: The Theory and Practice of Security, the simple example is offered of installing an access control device on a particular door. If personnel are forced to deal with access control as they attempt to move packages back and forth through this particular door throughout the day, it can negatively impact productivity. Conversely, if it is propped open in order to aid in the movement of these packages, the original design of heightened security is greatly diminished or eliminated. Therefore, attention must be given to even the smallest of details within this overall environment; the primary responsibility of the facility manager. It is therefore apparent that an intimate and positive working relationship must be developed between this individual, their staff, and those overseeing security measures. “Facility management may view security as one of the more universal services that must be provided.” (Langston & Lauge-Kristensen, 2002, p. 134).
Although each may possess their own sphere of influence that requires their attention and due diligence, a clear understanding of each other’s roles and responsibilities must be acquired in order to achieve the many benefits that this working relationship can offer.
Building Management Systems
Whether the focus is placed upon a single facility or an overall complex, the built environment is made of a host of sub-systems that require an understanding regarding their security vulnerabilities. For instance, not only does an HVAC system provide heating and cooling services, but it can also include the extraction of heat and smoke if such a need arises. However, what if these capabilities are negatively impacted or eliminated, whether that is a result of a lack of maintenance or a malicious act? This speaks to the overall issue of fire and life safety; a complex, multifaceted endeavor in and of itself. An understanding of fire chemistry, design and construction, human behavior, as well as both passive and active systems are all key elements in overall fire life safety. In addition, as it relates to HVAC systems, there is what has been labeled as “industrial espionage,” where audio or video listening devices can be installed in the ductwork; yet another security issue that many are not even aware exists. Also, attention must be directed to how people are transported within a facility, namely elevators, and how security regarding them is treated, approached, and controlled. When and how they are to be accessed and utilized in various circumstances (such as during a fire or other type of emergency) must be considered. Yet controlling all of these components on a facility-wide basis is what is labeled as an intelligent building system. This term has been used since the early 1980s, but has gained greater acceptance and application as the use of technology increases and plays a larger role in various functions. A perfect example concerns the emergence and growth of “Internet of Things” technologies and their applications.
Although a single definition for an intelligent building system doesn’t exist, the primary components of it are somewhat universal; structure, systems, services and management, and the interrelationship between them (Peluffo, 2015). It is becoming increasingly clear that an intelligent building is one that is both connected and efficient. However, in order to maintain these levels of connectivity and efficiency, facility and security managers alike must not only acquire needed competencies regarding these facilities, but work in tandem to fulfill their own roles and responsibilities. So let us now look at some specific ways in which security can be provided and maintained in this environment.
Facility Security Management
Efforts related to emergency preparedness, as well as both facility and security management go hand in hand; so appropriate attention must be given to each area in a way that complements one another. When speaking of overall security goals and responsibilities, these must be prioritized in the proper manner, with life safety and protecting people as the overriding concern, followed by the protection of property. Initiatives can be targeted towards these broad categories individually or collectively; hardening buildings against structural damage, ensuring that stairwells can accommodate a sufficient number of occupants during an evacuation, providing emergency backup lighting, and offering detailed emergency plans are just some examples. The bottom line is that all activities must complement and support one another. It is therefore the overarching objective of any facility security plan to protect employees, its assets, and products and services it provides from threats; both within and without.
Roles and Responsibilities
Considering not only the myriad of threats that can impact the built environment on any given day, but also the impact that both physical measures and technology play in providing needed security, the future of physical security must involve the information technology manager, security manager, and facility manager (Roper & Payant, 2014). As noted in Chapter 18 of the Facility Management Handbook, each of these positions has various duties and tasks, where the following serve as examples:
Facility Manager
Create a facility management program that helps reduce security risks
Assist with developing cost-effective security solutions
Coordinate with the security manager during the planning, design, and construction phases
Provide equipment and manpower to support security measures
Security Manager
Recommend physical security considerations according to the organization’s mission and identified vulnerabilities
Conduct physical security surveys and inspections in conjunction with facility manager
Coordinate with local law enforcement agencies
Establish and enforce uniform security standards and procedures
Information Technology Manager
Integrate information security procedures into all business processes
Determine existing information security capabilities and related gap analysis
Develop information security plans to contain a security breach and restore critical data
Plan and conduct appropriate information security training and exercises
Roper and Payant also directed attention to an oftentimes overlooked resource within any organization, and that is its employees. Seen as an overall “force multiplier,” each and every employee must fully understand that security is a shared effort that cannot be discounted or simply treated as someone else’s responsibility. Therefore, concerted steps must be taken to educate employees as it relates to what is expected from them in relation to the link that exists between security and preparedness, and then both empowering and supporting them in this shared initiative. Knowledge of the security plan, resources available, providing requisite knowledge, conducting appropriate security drills and exercises, as well as promoting security from both a professional and personal perspective will certainly aid in this effort.
Planning
Before any specific security measures can be implemented, proper attention must be directed towards appropriate planning efforts. Formulated plans must not only be customized to fit the need of what is being focused upon within the built environment, but incorporate an appropriate measure of flexibility as well. So as it relates to planning, the managers noted previously must serve as the catalysts at the outset; formulating the outline that will lead to the formulation and implementation of the overall security plan. The overall plan addresses three important functions. First, it seeks to clarify the organization’s mission to ensure that the proposed security requirements meet and support it. Secondly, it provides a methodical approach for executing those requirements. Lastly, it provides points of reference whereby established goals and objectives can be appropriately measured and analyzed (Roper & Payant, 2014). However, even though the security, facility, and IT managers may lead this effort, they depend greatly upon the overall team concept, where other individuals will be delegated certain tasks and expectations related to meeting times, agendas, individual responsibilities and overall delivery of the security plan. Once all “major players” have been identified, defined steps can then be taken to develop a plan that addresses security concerns, is realistic in nature, but can also be carried out within the financial constraints imposed. So the overarching approach that must be taken regarding the planning effort includes assessing the current state of security, developing the plan, where the planning team will seek to answer the “what, when, where, and how” questions related to what overall security should look like and how it is to be provided, as well as implementing the plan itself.
The time from assessment to implementation is impacted by a host of factors, such as initiating needed policies and procedures, developing appropriate educational programs and training, as well as implementing the technology needed to support these efforts.
Security and the Built Environment
The Role of Environmental Design
There is a recognized strategy that has great bearing upon this discussion known as “Crime Prevention through Environmental Design” (CPTED). It involves a number of underlying principles that correspond with one another during the design phase of the built environment; one that recognizes that security is far more than just locks, keys, and alarms. It is based on the concept that the design of a facility, complex, etc., incorporating information from the built environment itself, can have a positive impact upon not only the reduction of crime, but the enhancement of life experiences at the location as well. As noted in the Facility Management Handbook, there are four different strategies that should be utilized in order to fully benefit from this approach.
Natural Surveillance
For the most part, if someone feels that they are being observed, they are less likely to carry out a crime. Therefore, acknowledging the need to maximize visibility during the design phase is paramount. Having windows that overlook parking lots, entrances, and sidewalks is one facet to consider. Others would include incorporating landscaping in a way that aids in monitoring efforts, as well as the use of exterior illumination to reduce blind spots and shadows.
Natural Access Control
Regarding the need to control access into a facility or complex, the overall intent is to direct individuals and vehicles to certain locations in a controlled manner. Confining such access to a single entrance, ensuring that entrances are kept clear of vegetation, storage, trash, etc., and taking advantage of fencing, gates, and walls to direct individuals to certain entrances all serve as pertinent examples.
Territorial Reinforcement
This strategy takes full advantage of certain design features in order to discourage malicious activities by making the actions of the perpetrator evident. Here, boundaries related to the property should be well-defined, either through fencing, gates, pavement, sidewalks, or signage. All of these work to make unauthorized personnel uncomfortable, while at the same time providing an overall sense of protection and comfort to those individuals who are justified to be at that location.
Maintenance
The level of maintenance provided to a facility speaks volumes of how well it is managed. Immediately, a positive or negative impression can be made; one that can lend itself to the probability of criminal activity. Broken windows, alarm systems and cameras that are inoperable, and lack of lighting due to a need of repair or basic upkeep can “make or break” a security program.
Facility Security Implementation
Access Control
Serving as a basis for any security program, access control must be clearly defined by an organization in a way that takes advantage of needed control measures. Who is allowed to enter the facility, specific times in which this can and should occur, as well as in which areas must be considered. To determine the legitimacy of not only those who are employed there, but others who have a valid reason for being there as well, appropriate credentialing should be employed. For employees, this can be carried out during the initial hiring phase, and for vendors can be addressed at the outset of the formalized contract that is initiated. There are a host of devices, cards, and keys on the market that can be used to validate one’s credentials. Regarding visitors, it is beneficial to establish some form of control as it relates to directing them to a specific location where they are met by a receptionist, and then escorted to their proper destination. Appropriate badges that are distinct in nature can be assigned upon arrival and approval. Also, with the ever-changing nature of technology, communication, credentialing, and authorization procedures can all be carried out in a remote manner.
Deterrents
Preventing unwanted access to a facility must be considered the first line of defense. A robust physical security plan must take a multilayered approach; arranged in such a manner that the area considered to be most vital is at the center and receives the greatest attention. Then, taking a layered approach moving outward, attention would be given regarding the various measures needed to provide overall security. Beginning with the outer perimeter, fences, bollards, lighting, and credentialing efforts serve as examples that would take place here. Working inward, this is where security is actually provided to the structures themselves, where appropriate locks, glazing, coating, and similar applications would be provided for doors and windows. The interior would then receive due attention through various means such as security guards, security cameras, door and window reinforcements and access control, as well as safes provided for certain items.
When considering the type of deterrents that can be employed to achieve overall objectives, they can take on a number of different forms:
Natural – ditches, waterways, etc.
Man-made – structural, turnstiles, lighting, technology, etc.
Human – screening job applicants, identification systems, etc.
One also cannot discount how deterrents can be psychological in nature as well. Although steps might be taken to secure a facility, if employees and customers do not feel safe and secure, then the perception is that security is lacking. Conversely, if the overall stance taken by the organization is one that clearly conveys a proactive stance and communicates that on a regular basis, then psychologically speaking, this can serve as an effective deterrent to anyone wishing to take unwanted actions.
Conclusion
This week’s lesson has taken a cursory look at the built environment, some of the components that make it up, as well as some of the many security measures that can be implemented in this environment. In addition to the actual steps that can be taken to enhance physical security, one cannot discount the great impact that a close and collaborative relationship between the security, facility, and IT managers has upon this overall endeavor as well. Turning our attention to next week, we delve deeper into one of the issues touched upon this week; physical security. We will seek to gain a greater understanding of various principles related to the protection of assets, as well as concepts related to crime prevention and approaches that seek to address this and related threats.
Overview
Thus far, we have touched upon a number of issues that must be addressed if security is to be administered appropriately. Identifying areas of risk, identifying needed assets and resources to address them, and then bringing them together in a coordinated fashion must all be considered. It goes without saying that security must be provided in a number of different environments, especially given the fact that our world operates in both the physical and virtual realms. This week, we will direct attention upon one of those environments that has already been touched upon and appropriate actions related to it; those related to physical security.
Physical Security
When speaking of physical security, it can be perceived in a number of different ways; thus can take on numerous applications as well. Simply put, physical security speaks to the overall incorporation of people, equipment, and associated activities needed in order to provide asset protection against identified threats and risks. Specific to this study, physical security is described as the methods by which a given facility protects itself against theft, vandalism, sabotage, and unauthorized access (Fischer, Halibozek & Green, 2008). Simply put, such security seeks to prevent these types of unwanted activities from taking place through a variety of effective and appropriately designed defense measures. There are a host of barriers that can be implemented that seek to provide appropriate perimeter protection; many that have been touched upon already in this study. Therefore, additional details and insight will be provided when warranted. However, there have been certain theories and strategies identified that have a direct bearing upon physical security; those that any security professional should be aware of and the role they play in an overall security management plan. Thus, appropriate attention will be directed towards these within this lesson as well.
Routine Activity Theory
In order to adequately provide needed physical security, it is advantageous to have a fundamental understanding as to why certain individuals carry out criminal actions in the first place. Although various philosophies and models exist regarding this issue, one that has great bearing here is the routine activity theory. It was originally developed by Marcus Felson and Lawrence E. Cohen in an effort to explain the rate of crime within the United States during a specific period of time (1947-1974). What is interesting about their study is that instead of solely focusing upon the various characteristics of the offender (although certainly important), they directed needed attention towards the characteristics of the crime itself and the environment in which it took place. At its most basic, this theory states that three basic elements must be present at the same time in order for an offense to take place; a target that is not only available but suitable to the offender, a perpetrator who is motivated to carry out their actions, and the absence of any authority figure or security measures to prevent their intended actions from taking place. In essence, the Routine Activity Theory assumes that a crime can be committed by anyone who simply has the opportunity to do so. By extension, it states that intended targets (i.e. an individual, corporation, etc.) have choices as to whether they are victims or not, simply by not placing themselves in such situations. Granted, employees, customers, and the public at large may not feel they have such a choice to make, and in many ways this is accurate. It is therefore up to security professionals to help them feel that the environment they find themselves in is one that offers them an appropriate degree of security and confidence.
In the article Putting Process into Routine Activity Theory: Variations in the Control of Crime Opportunities, Schaefer and Mazerolle expand upon the basic control measures associated with this theory (offender handling, target guarding and place managing) and propose three different mechanisms that can directly influence crime prevention, and thus security techniques. These are relationality, relativity and responsibility. Regarding these matters, the researchers propose that those charged with handling, overseeing, or simply seeking to manage the actions of potential perpetrators can produce a variety of outcomes. These include preventing an individual from even pursuing to commit a crime in the first place, blocking individuals from committing a crime should the opportunity present itself, as well as creating an environment (both physical and virtual) in a way that there are fewer chances to carry out such activities. So concerning the first of what is described as “routine activity dynamics” by the researchers, relationality, this refers to the social integration that exists that formulates how people relate to and interact with one another. The field of criminology has long supported the notion that interpersonal relationships can serve as a great aid in either preventing or encouraging criminal behavior. Therefore, the importance of community, corporate, and other such shared relationships play a key role in decreasing those opportunities that allow one to carry out illegal activities. The second topic concerns relativity, and is concerned with the level of connectivity of a particular person in their daily activities and situations. Building upon the first issue, an individual’s connection with their community will have a direct impact upon their perception of whether a crime can or should be carried out.
Conversely, the more closely an individual has their “finger on the pulse” of their own work or living environment, the more likely they will be to observe irregular behavior. The last issue concerns responsibility; the basic sense of duty that individuals have that either contributes to or detracts from the welfare of a particular space. Community groups, civic engagement, as well as an overall corporate structure can have a direct impact upon prevention efforts. However, in order for desired outcomes to be realized, people must care about them in the first place to even address them; which speaks to both individual and collective responsibility. For additional insight and conclusions reached by these researchers, you are encouraged to fully review the article Putting Process into Routine Activity Theory: Variations in the Control of Crime Opportunities.
So what do the overarching Routine Activity Theory and the ideas proposed by these researchers have to do with security administration? Simply put, increasing one’s knowledge of the overall environment in which a facility or complex resides, those who inhabit or frequent these areas, as well as those that are internal to these structures (i.e. security managers, decision makers, employees, etc.), can not only aid in determining what physical security measures are most appropriate, but also help carry out such security in a much more proactive and effective manner. The following quote from Sun Tzu is quite applicable here:
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
Defense-in-Depth
The Defense-in-Depth (DiD) strategy is not a new approach by any means, as it has been utilized by military armies, clans, and similar groups for hundreds of years. Its fundamental essence rests on the premise of fully protecting an asset with a series of different barriers. Therefore, one can easily see its applicability to physical asset protection of an organization as well. Since an overarching goal of physical security is to prevent, or at least delay the intended actions of a motivated perpetrator, the DiD can offer various measures that will either deter an intruder or delay their actions until appropriate steps are taken regarding their apprehension. It is interesting to note that in their analysis of this strategy, Coole, Corkill, & Woodward not only deem it as being sound in its application to physical security, but note that it is supported in a theoretical sense by a number of recognized theories including both the previously discussed Routine Activity and Rational Choice philosophies. These three researchers also note that security as an academic discipline is still in many ways in its infancy when compared to other disciplines (i.e. sociology, psychology, etc.), and because of this, there can be a variety of interpretations and applications related to certain terms and phrases. Examples include where the DiD strategy under discussion might be used interchangeably with other approaches such as Protection in Depth as well as Security in Depth. This has been exacerbated due to security being applied to both traditional physical and information technology domains. While small nuances exist between the three, the bottom line is that each of these is grounded upon a systems approach that is needed to provide security in a comprehensive manner.
Granted, consistency related to the verbiage used and a grounded understanding of these various terms should be pursued within the profession, but this does not detract from the shared approach taken by these strategies under discussion.
As noted in Security Science: The Theory and Practice of Security related to this strategy, the primary components that make up DiD are some that we have addressed in previous lessons, but are worth revisiting as they relate to this strategy.
Deterrence – this is carried out by instituting physical measures in a way that would psychologically dissuade a perpetrator from attempting to carry out a malicious act.
Detection – sensors, monitoring devices, cameras, and assigned personnel serve as viable examples of those measures employed to achieve early detection.
Delay – various barriers (i.e. barbed wire, natural and man-made barriers, locks, etc.) that seek to hinder the advances of an intruder.
Response – since the previous measures are not foolproof or may prove to be inadequate, the response function is a necessary component of DiD. Whether an on-site response team or similar efforts provided by emergency response personnel, these efforts seek to counter the actions of an attacker in an overwhelming fashion.
Recovery – this component seeks to employ measures that would allow an organization to “bounce back” from a critical incident and resume normal operations in an expedient manner.
When an organization considers these various functions, to what degree they might be needed depends upon a variety of factors. First, the value and the level of importance placed on assets being protected must be considered. Also, a broad-based analysis of viable threats, a look at how critical an asset is if it were stolen, destroyed or limited in some way, as well as the current state of vulnerability must all be considered. These and similar initiatives serve as the core sequential functions that underpin the overall DiD strategy; one that has and will continue to serve a viable role within the security profession.
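The detect, delay and response functions above can be checked against one another with a simple timing model. The following is an added illustration, not taken from Security Science or the course material: the layer names, detection probabilities, delay times and response time are constructed sample values, and the model assumes a layer's sensors trip before that layer's barrier starts delaying the intruder. It also replays the propped-open door from the facility management discussion.

```python
"""Timely-detection check for a layered (Defense-in-Depth) physical design.

Illustrative model only: every number below is a constructed sample value.
Assumption: a layer's sensors trip as the intruder reaches it, so detection
at layer i still leaves the delay of layer i and of every layer behind it.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Layer:
    name: str
    p_detect: float  # chance this layer's sensors or staff notice the intruder
    delay_s: float   # seconds this layer's barrier holds the intruder

    def __post_init__(self):
        if not 0.0 <= self.p_detect <= 1.0:
            raise ValueError(f"{self.name}: p_detect must be within [0, 1]")
        if self.delay_s < 0:
            raise ValueError(f"{self.name}: delay_s cannot be negative")


def remaining_delay(layers: List[Layer], index: int) -> float:
    """Delay still ahead of an intruder who is detected on reaching `index`."""
    return sum(layer.delay_s for layer in layers[index:])


def last_useful_detection(layers: List[Layer], response_s: float) -> Optional[int]:
    """Index of the innermost layer where detection still beats the response
    time, or None when even detection at the perimeter comes too late."""
    last = None
    for i in range(len(layers)):
        if remaining_delay(layers, i) >= response_s:
            last = i
    return last


def p_timely_detection(layers: List[Layer], response_s: float) -> float:
    """Probability that at least one layer detects the intruder early enough
    for responders to arrive before the final barrier is defeated."""
    cutoff = last_useful_detection(layers, response_s)
    if cutoff is None:
        return 0.0
    p_missed_everywhere = 1.0
    for layer in layers[: cutoff + 1]:
        p_missed_everywhere *= 1.0 - layer.p_detect
    return 1.0 - p_missed_everywhere


# Constructed sample site, listed from the outer perimeter inward.
SITE = [
    Layer("perimeter fence and lighting", p_detect=0.5, delay_s=20),
    Layer("access-controlled building door", p_detect=0.8, delay_s=60),
    Layer("locked equipment room", p_detect=0.9, delay_s=120),
]

# Same site with the door propped open: no alarm, no delay at that layer.
PROPPED_DOOR = [
    SITE[0],
    Layer("access-controlled building door (propped open)", 0.0, 0.0),
    SITE[2],
]

RESPONSE_S = 150  # constructed value: seconds until responders reach the asset


def report(label: str, layers: List[Layer], response_s: float) -> str:
    cutoff = last_useful_detection(layers, response_s)
    where = "none" if cutoff is None else layers[cutoff].name
    chance = p_timely_detection(layers, response_s)
    return (f"{label}: total delay {remaining_delay(layers, 0):.0f}s, "
            f"last useful detection layer: {where}, "
            f"P(timely detection) = {chance:.2f}")


if __name__ == "__main__":
    print(report("as designed", SITE, RESPONSE_S))
    print(report("door propped", PROPPED_DOOR, RESPONSE_S))
```

With these sample values, detection at the equipment room comes too late to matter, and propping the door drops the total delay below the response time, so no layer's detection is timely.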
Physical and Information Security
Although this week’s lesson is specifically focused upon physical security, such efforts cannot be carried out as needed without also considering the impact information security has on them. Although the specific measures related to protecting the cyber operating environment are unique and must be treated separately, the direct connection one has upon the other cannot be discounted or overlooked. In the report, Physical Security and Why It Is Important, the author makes this very point, albeit from the vantage point of the IT professional. As correctly noted by Hutter, “Physical security must be implemented correctly to prevent attackers from gaining physical access and take what they want. All the firewalls, cryptography and other security measures would be useless if that were to occur” (2016, p. 1). He also goes on to tout the need for a “layered approach” to provide this needed joint security; certainly a perspective supported by what was just addressed related to DiD. So how does physical security actually relate to IT security? One example would be preventing unauthorized access into an area where mobile devices or computers are stored. If this technical equipment is located in a locked room, where access to the building is controlled through various means (i.e. ID card, biometrics, etc.), the perimeter of the complex is surrounded by appropriate fencing, and security guards patrol the area on both a regular and random basis, we can see where this layered approach would serve as an effective deterrent. However, the security professional must recognize that threats can be both internal and external in nature. So unfortunately, there must be a recognition that employees can serve as a viable threat as well. Yet this must be balanced with addressing employee safety within the overall security policy, while being cognizant of the laws and regulations that address protection of privacy.
Conclusion
As this week’s lesson highlights, providing security from a physical standpoint requires appropriate planning if an organization’s assets are to be protected in a responsible manner. Administrative, technical and physical controls must all be considered and utilized to combat identified and anticipated threats. A layered approach has been found to be the most effective in providing physical security, where a host of options are available to the security administrator. There are a variety of resources to aid in this effort, not the least of which are the employees of the facility/complex being protected. They have a joint responsibility in safeguarding assets and must be incorporated in the overall planning and implementation process.
Overview
In previous lessons, we have directed attention towards various principles (i.e. defense-in-depth, crime prevention through environmental design, etc.) that offer strategies that administrators should consider in relation to security design. Yet, to adequately deny or limit access to a potential target (target hardening), security technology can prove to be a most effective ally. Various reinforcements can take on a number of configurations and characteristics; ranging from types and strengths of materials to concealed observation of defined boundaries. Yet our attention this week will be regarding how such target hardening can be enhanced through various forms of detection systems that produce a widespread security management plan. These systems in the form of technology serve as one of three primary components within an overall holistic approach; the other two being planning and design and the management plan itself. Therefore, we will look at the role technology and related detection systems play in enhancing the protection of assets.
Critical Path Analysis
Throughout this study, we have looked at a number of theories and methodologies that have a direct impact upon gaining a greater, more fundamental understanding of how security can be approached and provided. Last week, we discovered that through the defense-in-depth strategy, adequate protection is provided when barriers possess the capability to deter the actions of a perpetrator, or at least delay them until appropriate resources arrive. In order to assess the time and capability of a response, critical path analysis (CPA) can be applied. This is an approach that has been utilized in government, the medical field, as well as throughout the business community to identify the interdependencies of various processes and the most essential and susceptible points within them. As noted by Smith and Brooks (2012), CPA offers the following functions:
Breaks down overall project into smaller, more manageable segments
Determines the appropriate sequence of individual activities in regards to their performance
Confirms those activities that can only start when others have been completed
Indicates those steps that can be carried out concurrently
Highlights what special resources might be needed to perform various functions
Since determining overall time of a security action being implemented is an integral part of an overall security management initiative, CPA can prove quite beneficial. One particular analytical model utilized within CPA that aids in evaluating the performance of physical security is one developed by Easy Analytic Software Inc. (EASI). It is a tool that is quantitative in nature and allows the security professional to enter certain data related to both detection and communication (probability that the function will be successful) and delay and response (standard deviations are allowed for each security component). Suffice it to say that far more time needs to be devoted to the EASI model than what can be provided here, but a primary takeaway is that overall response time is obtained from the point at which an alarm is initiated to the point at which a perpetrator’s actions are interrupted. A number of individual components make up this overall time frame, those that include time taken to communicate initial alarm, assessing that alarm, summoning guards (or other such aid), as well as time associated with assembling, deployment, and travel.
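The kind of calculation described above can be worked through in a few lines. The following is an added example, not code from this lesson or from the EASI tool itself: it assumes delay and response times are independent and normally distributed and that each sensor triggers at the start of its path element, and every name and number in it is constructed for illustration.

```python
"""Simplified EASI-style estimate of the probability of interrupting an intruder.

Added illustration, not the EASI tool. Assumptions: delay and response times are
independent and normally distributed, and each sensor triggers at the start of
its path element. All names and numbers below are constructed for the example.
"""
import math
from dataclasses import dataclass, replace


@dataclass
class PathElement:
    name: str
    p_detect: float    # probability this element's sensor detects the intruder
    delay_mean: float  # seconds the element delays the intruder
    delay_sd: float    # standard deviation of that delay


def _check_probability(value, label):
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be between 0 and 1, got {value}")


def normal_cdf(z):
    """Standard normal cumulative distribution function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def response_time(steps):
    """Combine (name, mean, sd) response steps into one overall mean and sd.

    Means add; for independent steps the variances add.
    """
    mean = sum(m for _, m, _ in steps)
    sd = math.sqrt(sum(s * s for _, _, s in steps))
    return mean, sd


def p_interruption(path, p_comm, rft_mean, rft_sd):
    """Probability that responders arrive before the intruder finishes the path.

    For each element: (chance nothing earlier detected) x (detection here)
    x (alarm communicated) x (remaining delay outlasts the response time).
    """
    _check_probability(p_comm, "p_comm")
    total = 0.0
    p_undetected_so_far = 1.0
    for i, element in enumerate(path):
        _check_probability(element.p_detect, element.name)
        remaining = path[i:]  # delay still ahead of the intruder at detection
        time_left = sum(e.delay_mean for e in remaining)
        spread = math.sqrt(sum(e.delay_sd ** 2 for e in remaining) + rft_sd ** 2)
        if spread == 0.0:  # fully deterministic timings
            p_in_time = 1.0 if time_left > rft_mean else 0.0
        else:
            p_in_time = normal_cdf((time_left - rft_mean) / spread)
        total += p_undetected_so_far * element.p_detect * p_comm * p_in_time
        p_undetected_so_far *= 1.0 - element.p_detect
    return total


# Constructed response steps, following the components named in the lesson:
# (step, mean seconds, standard deviation in seconds)
RESPONSE_STEPS = [
    ("communicate alarm", 5.0, 1.0),
    ("assess alarm", 20.0, 6.0),
    ("summon guards", 5.0, 1.0),
    ("assemble", 20.0, 6.0),
    ("deploy", 10.0, 3.0),
    ("travel", 60.0, 18.0),
]

# Constructed intruder path with sensors only on the two doors.
LATE_DETECTION_PATH = [
    PathElement("perimeter fence", 0.0, 10.0, 3.0),
    PathElement("open ground", 0.0, 20.0, 6.0),
    PathElement("building door", 0.9, 60.0, 18.0),
    PathElement("equipment room door", 0.9, 90.0, 27.0),
    PathElement("remove asset", 0.0, 30.0, 9.0),
]

# Same path with a fence sensor added, so detection can happen earlier.
EARLY_DETECTION_PATH = [replace(LATE_DETECTION_PATH[0], p_detect=0.8)] + LATE_DETECTION_PATH[1:]

if __name__ == "__main__":
    rft_mean, rft_sd = response_time(RESPONSE_STEPS)
    print(f"response time: mean {rft_mean:.0f} s, sd {rft_sd:.1f} s")
    for label, path in (("doors only", LATE_DETECTION_PATH),
                        ("fence sensor added", EARLY_DETECTION_PATH)):
        print(f"{label}: P(interruption) = {p_interruption(path, 0.95, rft_mean, rft_sd):.3f}")
```

With these constructed numbers, an alarm at the equipment room door leaves a mean of 120 seconds of delay against a 120 second mean response, so detection there leads to interruption only about half the time; adding the fence sensor raises the overall figure because detection then happens while more delay still lies ahead of the intruder.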
Up to this point, CPA’s application to external, physical threats has been the primary focus, and this does serve as its primary role within security. Yet it is interesting to note that this tool can also be used for internal threats. In the report Application of the Critical-Path Analysis Method to Evaluate Insider Risks, particular elements and indicators of heightened risk related to insider hostile acts are described as they are placed within the context of CPA. In this study, Shaw and Sellers (2015) identified certain factors, placed them along the critical path, and then applied them to historical cases in an effort to produce meaningful implications that might be useful for security personnel. Broadly, the categories considered and examples of each include the following:
Personal predispositions: medical or psychiatric disorders; history of rule violations
Stressors: personal problems; financial difficulties
Concerning behaviors: rules violations; lack of social network
Problematic organizational responses: inattention; no risk assessment process
The student is encouraged to review this entire report, but as related to this particular lesson, the CPA provided investigators with information targets and a basis for pursuing certain clues and indicators. It is understood that the science of security is in many ways still in its infancy, and the ability to predict the actions of an individual is difficult at best. However, there are a variety of tools available that might aid the security professional in carrying out their duties related to both external and internal threats, and we will now turn our attention to yet another one.
Universal Element Conceptual Mapping
Before actually embarking upon a discussion regarding some of the components that make up a physical protection program, it is worth noting that a great deal of attention has been directed towards the underlying concepts of delay, detection, and response from a theoretical standpoint. Specifically, researchers have developed a conceptual map that has identified risk curves related to what have been labeled as delay probability and detection probability. In real-world applications, this planning tool allows the user to consider various defense systems that are, or are proposed to be, implemented in relation to resources possessed by a potential assailant. Suffice it to say that numerous variations can be introduced that produce a host of outcomes to consider. Various examples of this mapping are provided in Chapter 6 of Security Science: The Theory and Practice of Security for your review. Such theories and models related to security science provide security analysts with the tools needed to consider the options available to them regarding detection systems and related security technology.
The Role of Security Technology
Technology is ever-evolving and permeates all aspects of our society, and it should go without saying that the field of security has taken full advantage of all that innovation can offer. A core function of such technology is to offer the ability to detect the presence of individuals and/or those activities that might present a threat to an organization. Such advanced perimeter intrusion detection (PID) systems offer needed assistance to adequately monitor boundaries that may span a large area. According to Accetturo (2012), when reviewing PID technologies in regards to their application, the following items should be considered:
System durability/reliability
Minimal nuisance alarms (false positives)
Maximum detection capability
Minimal maintenance
Ability to accurately pinpoint the location of intrusion
Ability to work with other/complementary technologies
Throughout the remainder of this lesson, we will take a look at some of the various components that individually or collectively can provide the capabilities that the security professional requires.
As has been previously discussed, there are some primary categories related to security as a whole. As a refresher, these are those efforts related to deterrence, delay, detection and denial. The first two would be considered to be passive in nature, while the others are deemed as being active. Although technology can and does play a role in each one, it is the area of detecting those with malicious intent that we will focus upon.
Detection Systems
In order to accurately detect the presence of persons or activities, appropriate sensors must be developed and employed for the targeted environment. In broad terms, a signal must be produced in order to be sensed. A sensor then responds to a signal that has been produced, where it is then analyzed in order to determine verification. Once this is completed, an alarm is produced that indicates that a signal has in fact been detected. Obviously, all of these can seemingly be completed “in the blink of an eye;” where a number of sub-components carry out these separate, yet related functions.
Detectors
Detection systems can be employed in a host of environments, configurations, and applications; whether that is along the perimeter of a property, an open area, inside buildings, or even under the ground or floors. Therefore, there is no single “one size fits all” approach. However, the security administrator has a host of detectors at their disposal; classified to meet whatever need is being addressed.
Similar to what might be used in a home security system regarding doors and windows, point detectors are designed for a particular location. Simply put, these devices identify movement at a specific location, whether that is when something is opened, such as a hatch on a roof, or can even come in the form of pressure pads, where the removal of a certain item (i.e. a work of art, jewelry container, etc.) is detected. Linear detectors, as the name suggests, are utilized to detect movement along a straight and direct path. These can come in the form of lasers, tripwires, or fiber optic cables and can be used along perimeter fence lines, walls, as well as walkways. In the security field, it should be noted that point detectors would be considered as zero-dimensional in nature, while the linear is single dimensional. Building upon these capabilities, area detectors have the capability to monitor a much larger area, and do so in two different dimensions (horizontal and vertical). Recognizing vibration or motion in a particular geographic location (whether that be a parking lot, courtyard, or bank safe) are just two ways in which the presence of unauthorized persons can be detected. It is worth noting that an area detection system can incorporate a number of line detectors within its configuration as well; enhancing its capability to address particular security challenges, whether that be size of area or terrain that might prove to be problematic. Lastly, there are those classified as volumetric detectors which are three dimensional in nature. These take full advantage of all that technology has to offer and can be used both internally and externally. Examples include microwave, infrared, as well as taking advantage of the Doppler effect (used routinely in weather forecasting applications). There are various issues that must be considered that can limit the application and effectiveness of these devices. These include the strength of the signal produced, sensitivity of the detector receiving the signal, as well as characteristics related to the physical surfaces within the radiating field. An excellent overview of these various components is provided in Security Science: The Theory and Practice of Security for your review.
Testing and Evaluation
As is the case with all such systems, proper assessments must be carried out at regular intervals in order to determine if expectations are being met, capabilities fulfilled, and data being produced can be validated. Various guidelines, standards, and protocols have been developed to aid in this effort. One such example would be NFPA (National Fire Protection Association) 72, National Fire Alarm and Signaling Code. As noted at the outset of this document, it “covers the application, installation, location, performance, inspection, testing, and maintenance of fire alarm systems, supervising station alarm systems, public emergency alarm reporting systems, fire warning equipment and emergency communications systems (ECS), and their components” (NFPA, 2013, 72-16). Obviously, this standard is quite comprehensive in nature and serves as but one example of the type of guidance that one must be familiar with and adhere to. From an overarching perspective, there are two levels at which testing must be directed. The first level is carried out within the confines of a lab and is focused upon determining if security equipment is both technically and physically capable of meeting specified needs. The second level attempts to replicate the environment in which the security equipment will need to perform and assess its ability to perform expected roles. Lastly, the concepts of both reliability and validity must also be considered. Reliability is concerned with the level of assurance offered related to the same results being produced by a particular testing method, while validity seeks to determine whether the outcomes from a particular application do in fact assess what they claim to. These two work hand in hand where a variety of combinations can be realized. For instance, test results can be both reliable and valid, as well as being unreliable and invalid. They can also be reliable and invalid, but not unreliable and valid.
Conclusion
This week, we have again looked at various theories and models that have a direct impact upon security, especially as it relates to our focused topic of interest; detection. In addition, we touched upon some of the primary components that make up a robust detection system, as well as how their performance should be tested and evaluated. Looking ahead, we will continue to look at the role technology plays in the field of security as we approach the broad and ever-changing area of integrated identification security. Some of the primary issues that will be addressed include the importance of coordinating various detection, recognition, and identification applications, the central purpose and role of access control systems, as well as some of the options available to security administrators in regards to the identification activities their programs might require.
Overview
As noted in last week’s lesson, technology plays a major role in how security is provided in today’s ever-changing environment; specifically related to detection activities. This week, our discussion moves beyond when an individual has been detected to the ways they can be recognized and identified in order to determine whether they have a valid reason for being there or not. Therefore, some foundational principles regarding access control will be addressed, as well as how technology plays a role in these additional efforts. Credentialing through the use of codes and cards, biometrics and the many forms they can take, as well as digital enhancements made to Closed Circuit Television systems (known as intelligent CCTV) provide numerous options to the security industry. The challenge for security administrators will be to include these technologies in a continuous, coordinated manner.
Introduction
In order to successfully apply and take full advantage of technology related to surveillance activities, a model must be developed and heeded. When viewed as a continuum, one end would find those efforts related to detection, while the other deals with identification. Various approaches have been developed that can be integrated into such a model; each one incorporating the underlying components of detection, recognition, and identification. Each one represents the primary stages of the overall process.
Detection
The first of these, detection, was dealt with last week, so little attention will be directed towards this component. Yet as was discussed, various sensors (i.e. point, line, area) are used to sense the presence of an object or person when entering the field of view of applicable devices. At present, there are various methods used to detect presence or movement. As noted in Chapter 7 of Security Science: The Theory and Practice of Security, some examples include the background subtraction method, using disparity templates of images, classifying objects and matching their motion, as well as incorporating edge information and skin tones. For additional details and information concerning applicable resources, this text should be consulted.
Recognition
In order to properly place the component of recognition within the overall security paradigm, certain parameters must be established against which to compare the object. For this, a number of visual perception models have been formulated to aid in the process of recognition. For instance, the template theory asserts that certain patterns are developed over time, stored, and then utilized to identify certain objects. Then there are those that are known as feature theories, which as the name implies state that certain characteristics of an object are identified and compared against those that have been stored or input in memory. Yet another is the computational theory; a rather intricate concept that incorporates shadows, textures, and other features in both two and three dimensional sketches and models to aid in the recognition process. Yet at their basis, these share certain commonalities, and that is that certain traits and attributes are compared with a particular class or category that has been developed. Each of these theories has its own limiting factors and capabilities, so their applicability to a certain environment must be clearly understood (Smith & Brooks, 2012).
Identification
The last of the three components to be touched upon deals with the principle of identification. Once an object has been detected and recognized, it must then be distinguished from others in a unique fashion. Traits of both a physiological and behavioral nature can be used here; where both bodily features and social posture can aid in making proper identification. While more traditional means can be employed in an attempt to verify the identification of a person (i.e. passport or driver’s license, reciting certain bits of information such as place of birth, mother’s maiden name, etc.), taking advantage of technology requires that such efforts be carried out within the confines of an overall system. For instance, biometric features require the correspondence of certain characteristics with those that are found in a database; therefore, this and similar actions must be completed within a similar structure.
Attention will now be directed towards just some of the many tools that can be used by security practitioners related to integrated identification technology.
Tools Used By Security Practitioners Related to Integrated Identification Technology
Access Control
Previously, we have discussed the layered approach that is a primary component of the defense-in-depth strategy, and noted how access control plays a major role in this overall effort. Therefore, an overarching access control system (ACS) should be employed related to a facility or complex in which security is required. This system can incorporate a host of individual components, whether that is signage, security staff, or using technology in the form of codes, automated electronic access controls, and the like. Generally speaking, an ACS will first require entry into a certain area via a locking system; where various means (credentials, readers, etc.) are then used to verify identification. It must be noted that an ACS must be incorporated in and work in tandem with other systems related to security, elevators, fire and life safety, and software management if they are to function together in a seamless manner.
Credentials
Credentialing a person within an ACS adheres to three basic principles; something you have (e.g. access card), something you know (e.g. password), or something you are (e.g. biometric feature).
Codes and Cards
The use of codes and cards in order to confirm the identification of an individual is commonplace in society today and is used in a host of settings. Yet here at the outset, it must be understood that using these methods to positively identify is not fool-proof, and must be used in conjunction with other forms of authorization if total security is to be achieved. There are vulnerabilities related to the fact that these methods can be compromised in some form or fashion, or that there are limiting factors related to personal identification numbers (PINs) and passwords as well. However, this does not negate the positive way in which they can aid in providing needed security.
With respect to codes (whether in the form of a PIN, password, or encryption key), from a theoretical point of view, the level of security is determined by a number of factors. These include possible code combinations, as well as the ability of the user to keep such information secure. With respect to cards, a number of options are available to verify identification. Proximity cards, driver’s licenses, ID badges and the like are routinely used to gain access to a certain area. As listed and described in Security Science: The Theory and Practice of Security, there are a host of cards that have been determined worthy of being part of an overall security access control system. These include, but are not limited to, the following:
Infrared cards
Holographic cards
Optical cards
Magnetic stripe cards
Wiegand effect
Proximity cards
Smart cards
Each has its own unique features, capabilities, and modes of operation, so again, the security administrator must consider these factors and employ what best suits their organization’s needs.
Biometrics
As previously noted, even though codes and cards serve as a great aid in verifying the credential of an individual, they fall short in making a positive identification. Therefore, they offer limited security as they can only rely upon the information being provided and can easily be altered. However, individualized characteristics can validate identification, where physical and behavioral characteristics can greatly enhance this process. Known as biometrics (which comes from the Greek words bio “life” and metric “to measure”), using such features greatly enhances the overall concept of identification and can aid in authorizing whether a person should enter a building/area or not. These technologies can be used in a host of situations that include computers and related systems, financial accounts, records related to human resources, communication systems, as well as producing profiles tailored to those who have disabilities in an effort to enrich mobility of the disabled. If placed in a corporate setting, these technologies can be used to maintain accountability related to both employees and vendors and how transactions are maintained (Asha & Chellappan, 2012). As is the case with technology in general, biometrics is a field that is ever in a state of progression; meeting new-found needs and applications.
Types of Biometric Identification
As highlighted, the characteristics associated with biometrics can either be physical or behavioral in nature. From a physical standpoint, fingerprints have been (and continue to be) used by law enforcement and other agencies to verify identification. Transitioning from inks and powders to sensors and glass plates, trained users can obtain and store digital images of the thumb, fingers and palm. Yet other physical characteristics noted by Smith & Brooks (2012) can serve as biometric identifiers, those that include:
Finger length
Vein pattern on underside of wrist
Vein pattern on back of hand
Knuckle creases formed when gripping a bar
Fingertip structure related to blood vessel pattern
Hand topography
Shape of ear and lip
In regards to those that are behavioral in nature, these include the pattern of one’s voice, characteristics related to the eyes (retina scans and iris recognition), as well as patterns and dynamics related to how an individual signs their name (not the signature itself, but the underlying pressure in providing it), types on a keyboard (style and rhythm), or even their manner of speech. Still others have been classified as biometric IDs, such as facial recognition, body odor, and even the manner in which a person moves and walks.
Biometric System
As has been the case throughout this study, individual components related to security must work together within an overall system if they are to achieve their objectives. The same holds true for biometrics, as each individual device must work in concert with the other parts found within the overall security program.
Within a biometric system, there are three primary components needed if information is to be obtained and authorization granted. First, there must be a device used to acquire a signature, scan, or any of the other biometric signatures that have been noted. Secondly, there must be a way to process and compare the information obtained, and lastly, there must be a way in which this biometric identification interfaces with the access control system. As it relates to obtaining information from an individual, the security administrator must be familiar with the various sensors, extractors, templates, and matchers needed to carry this function out. When it comes to choosing which biometric identifier might be most appropriate, there will be a host of issues to consider (associated costs, level of security desired, anticipated number of identifications, etc.), but whatever is selected should possess the following qualities:
Universal: all persons should have the distinguishing factor
Permanent: characteristics should not fluctuate over time
Distinctive: characteristics obtained should vary as much as possible between individuals
Robust: repeated applications of a particular individual should repeatedly produce same results
Accessible: easy to present to the sensor
Acceptable: should be perceived as non-intrusive by the user
Difficult to circumvent: problematic for an imposter to trick the system (Smith & Brooks, 2012)
As can be seen, biometrics can play a major role in verifying the identification of an individual. However, its use must be approached with a healthy dose of awareness and caution as it relates to privacy concerns and the fear that storage of such data and records could be an infringement on personal rights. There are also fears that biometric technology could be used to monitor the movements of an individual as well, so as it relates to this matter, forewarned is forearmed. However, proactive steps can be taken to address this issue by controlling access, storage, and use of this information, as well as providing requisite training for those who utilize it.
CCTV Technology
The last issue related to integrated identification technology is not a single piece of technology, but an overall system that incorporates a variety of cameras, lenses, monitors and components to transmit information and images. CCTV Technology, or as is noted in Security Science: The Theory and Practice of Security, “Intelligent CCTV,” can serve as a force multiplier for those charged with providing security. As it relates to certain environments and applications, it is simply not feasible for security personnel to cover a given area or provide attention as needed. Therefore, these systems can be a “one stop shop” as they can combine video coverage with alarm capabilities related to perimeter protection, intrusion detection and access control.
The first step is perhaps one of the most vital, and that is designing the system in the first place. Appropriate attention must be directed towards overall system needs given the operating conditions that currently exist. A team approach should be taken when assessing requirements; those that relate to function, operations, supporting infrastructure, as well as those related to video retention. A thorough survey of the site will offer insight regarding how the system itself should be designed and applied to the environment under consideration. A number of individual features will play a major role as well, such as lighting that must work in concert with cameras (which of course would determine location of each), and how power will be distributed regarding the operation of these components. Obviously, licensed electricians and engineers acquainted with these applications should be consulted. Also, as technology evolves, the manner in which video is transmitted changes as well, where it seems that something new today is outdated tomorrow (maybe an exaggeration, but not too far off). The point is, scalability and affordability must be balanced with a view of present and future needs. The system as a whole must be reliable, with the realization that it must also be maintained and upgraded as needed.
As noted previously, an Intelligent CCTV system is made up of various components; comprised of various types of cameras, lenses, housing and mounts, video monitors, switchers and multiplexers, video recorders, the wired transmission that connects all of these devices together, as well as a manner in which to store the data they produce. For a detailed look at all of these, you are encouraged to review the document produced by DHS, System Assessment and Validation for Emergency Responders (SAVER): CCTV Technology Handbook. Likewise, the student should refer to Chapter 7 of Security Science: The Theory and Practice of Security as well regarding some additional aspects of CCTV technology known as video content analysis (VCA), video analytics (VA), and video motion detection (VMD). These applications provide enhanced capabilities that offer a host of options for the security administrator in order to meet their specific needs.
Conclusion
In this lesson, we have looked closely at some of the primary components of a security management system; specifically the manner in which technology proves advantageous in recognizing and identifying an individual once detected. The capabilities and options are numerous, and the security professional must conduct due diligence in determining what might best suit their specific needs. Yet suffice it to say, technology is a great tool if it is utilized and harnessed in the proper manner.
Next week, we will look at some specific topics from the perspective of management. These include the management of knowledge and information that can contribute to enhanced security, the management of intelligence with respect to probable threats and hazards, as well as managing the various activities that collectively allow an organization to provide its essential services in an uninterrupted manner.
Overview
As the overall title of this course entails, our primary focus has been centered upon the administration of security-related functions as they relate to a given environment or to meet a particular need. Yet interjected within our discussions have been a number of words and phrases that are quite similar, yet have some fundamental differences as well. One of those concerns the word “management;” something we will discuss at length in this particular lesson. At first glance, administration and management might appear to be one and the same, and there are certainly some similarities. Yet where administration alludes to the process used to effectively direct, run, and operate an entire organization or subcomponent of it (i.e. security), management can be understood as the skills needed to get work or efforts accomplished through individuals or other facets of an organization. So this week, we will look at two broad topics related to management, and they will deal with the broad issues of knowledge, as well as that related to business continuity.
Knowledge Management
An overall security plan that seeks to identify probable areas of risk and formulate strategies in which to manage them is dependent upon a number of resources; not the least of which is credible and relevant information. Such information related to risk and threat assessments is carried out in large part through knowledge management. Yet here again, attention must be directed towards various terms being discussed that on the surface might seem to be interchangeable, but a thorough understanding of their differences must be maintained.
Information concerns various facts that are provided or learned about something or someone.
Knowledge concerns information that has been acquired through various experiences, education, the environment, or the theoretical or practical understanding of a particular topic.
Intelligence is information that has been evaluated, interpreted, and processed in a way that provides accurate, timely, and relevant insight for a particular purpose.
As can be seen, overall knowledge management can be somewhat broad in nature, as it is made up of various subcomponents that deal directly with the location and storage of relevant information and intelligence, as well as supporting systems that aid in the decision-making process. The dimensions associated with knowledge management include overall strategy, the processes needed to carry it out, as well as ways in which output is measured. A range of methodologies has been developed, as no single “one-size-fits-all” approach can be expected to be effective in any organization or environment. Smith and Brooks share three such approaches that have been developed through both theory and actual practice, and include:
Technocentric knowledge management approach has an emphasis on technology, which enhances knowledge dissemination and creation.
Organizational knowledge management approach is concerned with the design of an organization to best facilitate the knowledge processes.
Ecological knowledge management approach is concerned with the interaction of people, identity, knowledge, and environmental aspects as a complex adaptive system. (2012, p. 180).
As can be seen, if knowledge is to be managed as needed, there are a host of factors that must be considered related to the role that technology can play, the manner in which the organization itself is structured, as well as the overall environmental “make-up” as it relates to the people involved and the manner in which they interrelate. So let us look at some of the strategies that have been employed.
Strategies
Given the fact that knowledge can be accessed before, during, and after a particular step or phase in the overall security management process, there are a variety of options available to the security practitioner in order to both generate and obtain requisite knowledge. For instance, there is what is known as the push strategy, which involves individuals purposely adding knowledge into a defined database or repository, where it is available for others to access on a defined needs basis. Conversely, there is the pull strategy, where requests are made for particular bits of knowledge that are produced by those possessing expertise regarding that particular issue, field, etc. Others that have been identified and are noted within the reading Security Science: The Theory and Practice of Security include, but are not limited to, providing incentives for sharing knowledge, formulating systems that allow the transference of best practices, methodically evaluating particular competencies of employees, as well as measuring and reporting intellectual capacity found within an organization.
Motivating Factors
So given the different approaches available to produce effective knowledge for an entity, what might be the motivations for its application? From an economic perspective and desire to maintain relevance in the corporate world, there are a host of reasons. These include the fact that increased knowledge will aid in the development of future products and services demanded by customers and clients, shortening the time related to research and development, benefiting from the expertise found within the organization, as well as taking full advantage of both internal and external networking opportunities. Yet from the perspective of the security administrator, a comprehensive knowledge management system can take full advantage of and integrate the various elements related to information and intelligence that aid in furthering their roles and responsibilities. For instance, the various policies, procedures, and guidelines that must be formulated and adhered to could be controlled to a greater degree. When incidents must be reported related to the health and safety of employees and other such individuals found on premises, as well as those related to the environment, such a system would prove to be advantageous. Also, whether approaching threats and hazards internally or in conjunction with recognized external partners, maintaining records related to such areas of risk in an organized and easily accessible manner cannot be underestimated. These are just a few examples of how such a system can aid in the coordination and integration of security-related information.
Knowledge Management Systems
As far as the system itself is concerned, it must carry out a number of functions that must support actions related to the acquisition of information, how it is stored, as well as how it is disseminated in an appropriate manner. It must meet the particular needs of the organization in order to justify the time and resources needed to formulate and maintain it. A basic knowledge management framework is offered in Security Science: The Theory and Practice of Security and as seen here, illustrates the various processes related to both the input and output of knowledge generation.
It should be noted that existing systems can be tailored to carry out these knowledge management functions, where efforts to validate their reliability have already been carried out. Yet, what distinguishes a knowledge management system from those that might already exist within an organization must be recognized. They must possess the defined purpose of managing knowledge related to an organization, do so in the proper context, take advantage of needed processes that create, capture, transfer, and retrieve information as needed, as well as other issues related to those who participate in the program and various instruments that allow management efforts to proceed as needed. Such a system can prove to be a great asset to the security administrator, but there are issues that must be recognized when contemplating the type and approach that should be pursued. All facets of an organization should be solicited in regards to what they may require and expect; those that include both executives and those involved in direct operations. In addition, there are issues related to the integration of technology, coordinating various vendors, as well as how proprietary applications may work with those that are not branded in like manner.
Intelligence
Based upon earlier comments, intelligence goes beyond the acquisition of knowledge and information; it collects, evaluates, analyzes, and synthesizes it in a manner that aids policymakers and security administrators in making effective decisions. Such intelligence will greatly aid in protecting assets of an organization and can provide the foundation that a security manager needs to counter those threats and hazards that are discovered and exposed by intelligence. There are a number of defined steps that take raw and basic information and turn it into actionable intelligence. Known as the “intelligence cycle,” its individual components and the manner in which they are interrelated in a cyclical nature allow the process to be repeated as needed; incorporating needed feedback and adjustments in order to address specific issues at hand. Although they are placed in a defined manner within the cycle, it must be understood that these are not required to be carried out in a sequential manner, but are in fact carried out concurrently. A brief overview of each, as well as a graphic depicting the intelligence cycle can be seen below. The student is encouraged to review Security Science: The Theory and Practice of Security for additional details regarding these individual components, as well as insight obtained from conducting their own research.
Direction or requirements will be decided jointly by upper management decision makers, and security managers that will be based upon policy and security issues.
Collection of pertinent information and data can be accessed from various sources internal to the organization, as well as from a host of external groups and agencies.
Processing of information requires transforming large volumes of data retrieved into a form that is manageable and appropriate for the task at hand.
Analysis is the stage in which information is reviewed and evaluated by subject matter experts in order to place it into its proper context for the protection of the organization.
Dissemination is the point at which the intelligence product is actually passed on to those who have requested it and/or use it for defined, appropriate applications.
Feedback is an optional phase where the recipient or security manager can make needed revisions in the overall process or a particular facet of it.
Obviously, there is a great deal that goes on “behind-the-scenes” regarding each of these individual steps of the cycle. A great deal of time and effort must be devoted to determining the various sources in which information might be collected, where professional analysts must then make complex judgments at the most basic of levels in order to enhance decision-making for intended consumers based upon various situations or within a specific setting.
Thus far, the topic of intelligence has been approached from a rather global, generic perspective; one that can be applied to a host of settings in order to carry out a variety of objectives. Yet, regarding its application to security management, there is a subset known as security intelligence (SYINT) that represents a process that collects and examines information specific to the defined overall goal of lessening the impact a threat might have upon an organization. As it relates to internal and external threats, a primary capability of SYINT is to augment current knowledge regarding each and every aspect of a probable threat. In other words, where might it present itself? What might be the threat’s intentions? In what ways might it take advantage of current security measures? A basic expectation of such intelligence would be to decrease the level of uncertainty regarding such capabilities and intent, and by doing so, valuations carried out by security administrators will be more factual in nature rather than subjective.
As noted in the introductory remarks, management activities in which the security administrator might be expected to be intimately involved in can take on many forms. So in addition to what has been discussed thus far related to the broad issue of knowledge, attention will now be directed towards that related to business continuity.
Business Continuity Management
Let’s face it; sooner or later a disaster will take place that will negatively impact an organization in some form or fashion. Granted, how a “disaster” is defined and its magnitude will differ, but generally speaking, it will overwhelm those impacted by it for a certain period of time. However, with proper planning and related supporting actions, these disruption-related events can be properly managed. This serves as the essence of business continuity management (BCM); a broad effort that allows an organization to not only fully understand what must be achieved and maintained during such occurrences, but how they articulate and carry out critical objectives as well. As noted in the Guide to Business Continuity Management (2013), BCM actually consists of three core elements:
Crisis management and communication – this is focused upon providing the capabilities for an effective response to an emergency situation; dependent upon effective planning, strong leadership, and effective communications.
Business resumption planning – this involves the retrieval of identified business functions deemed critical in nature that have a direct impact upon the provision of essential services.
IT disaster recovery – as would be expected, this component is focused specifically upon those issues (i.e. networks, databases, storage, etc.) related to information technology.
Therefore, some primary objectives related to such management efforts include bringing stability to the affected environment in as short a time period as possible, as well as allowing a quick resumption of normal operations; both of which lead to overall organizational resilience. So whether these types of events are labeled as a disaster, crisis, critical incident, or given some other label, the point is that BCM is a strategy used to properly manage an event that would be considered unlikely, yet be deemed a significant disruption if it did occur. Above and beyond the fact that it is simply a good, prudent, and responsible step to take, there may be situations where an organization is required to adopt a BCM program, whether that is through insurers or industry regulations. Yet whether mandated to do so or recognizing that it is simply a good business practice, it has a direct impact upon security efforts as well. Traditionally, security officials have embraced an emergency and crisis approach within their own practices, seen in efforts such as fire evacuation plans. Yet even though the security administrator may not be the “lead” as far as a BCM program is concerned (although they certainly could be), the actions carried out when implemented during a critical incident can have a direct impact upon security measures in place. Therefore, the administrator must recognize their responsibilities that will focus upon issues related to life safety and protection of property and assets, utilize security personnel to ensure access points are controlled, provide needed a and resources to support overall BCM efforts, and play an integral role in communicating with and supporting both internal and external resources.
Framework and Elements
Regarding an overall BCM program, there are those that might ask if there is a single, “best” method to carry this out. As with all things, there simply is no “one size fits all,” as there are so many factors at play that must be considered regarding the requirements and expectations of the organization under consideration, areas of risk it is exposed to, resources available, and other matters at play. However, there are some characteristics that will be common in any BCM effort. What follows is a brief description of some of the more widespread.
Program design, initiation and management: This would include defining applicable policies that will provide guidance throughout the process, as well as determining critical elements of the overall initiative. For each of these, responsibility and accountability must be clearly defined and assigned. Yet one of the most crucial features here at the outset is to obtain needed support from the decision makers and others in key leadership roles.
Risk assessment and business impact analysis (BIA): Although a number of approaches can be taken to identify and assess risk, generally speaking, a combination of the likelihood or probability of an event occurring, coupled with its severity or impact, is used. In regards to the process to be carried out for the BIA, here again, a number of factors must be considered that include the dynamics of the industry in which the organization operates, how complex business operations might be, as well as the management style involved. The primary components of the BIA itself include identification of business functions, collecting relevant data and information regarding them, arriving at some conclusions related to the types of impacts a work stoppage might have, as well as reporting the findings in an understandable and actionable manner.
Strategy design and implementation: In the design stage, some basic issues must be discussed that determine objectives related to recovery, the order in which recovery is to take place, how various interdependencies can impact the overall process, as well as making assumptions regarding what could transpire based upon resources available in relation to risks encountered. Some of the overarching issues that will be addressed concern alternate facilities, recovery solutions that can be conducted “in house” versus those provided by a third party, considering whether a mobile recovery site is feasible, the role an Emergency Operations Center might play, as well as the role and impact technology might play. Once these and other issues have been addressed, attention can then be turned to actually developing and implementing the plan. Here some of the most vital issues to be confirmed include the identification of essential services and key personnel. Concerning the latter, clearly defining order of succession and delegation of authority is paramount. Also, the great importance of communications must be recognized, as it takes place before, during, and after an incident; both from an internal and external perspective. Obviously, clear and consistent communications must be maintained between upper management, employees, marketing, human relations, and those overseeing the BCM project throughout the process. Yet there are countless outside agencies that must also be included, whether that includes emergency response agencies, the media, or a host of other entities that might be impacted or involved in some form or fashion.
Training and awareness: Although some may consider these as a single overarching effort, they represent two varying levels of attention and involvement. For instance, awareness may include those steps to ensure employees and appropriate members of the community are cognizant of the BCM plan itself through a company newsletter, social media, or other appropriate avenues. Yet for those who have been assigned specific roles, targeted training must be conducted. It would be unfair to ask anyone to fulfill these duties before providing them with the appropriate education, training, and support. This should include the provision of needed resources, as well as the opportunity to exercise skills in an environment that seeks to replicate the critical incident under consideration; whether that is through the use of a “table top” drill or within the setting of a notification, callout, or live scenario exercise. The overall BCM should be tested on a regular basis; where needed revisions are made as appropriate. Lastly, this initiative must be audited and monitored in a way to ensure that it complies with industry standards and other appropriate guidelines.
This particular section has served as an overview of some of the components found to be most common in a BCM program. It cannot be overstated the important role that security personnel can and must play in these initiatives. Whether that is through serving as a consultant in regards to those matters related to safety and protection, or in taking on the overall or other leadership role, the security administrator should take full advantage of these opportunities.
Conclusion
This week, we have looked at a couple of defined ways in which the security professional can fulfill roles related to management. As has been seen, working with the energy and commitment exhibited by others can serve as a great force multiplier. So as we turn our attention to the final lesson in this study, our focus will be directed towards what awaits us on the horizon. This will not only entail the future demands and expectations of the security profession itself, but how current processes of security can have an impact on predictive strategies for future planning, as well as the integral role technology will play in these efforts.
Overview
Well, we have now arrived at the final lesson of this particular study related to security administration. As we glance back over the preceding weeks and consider what has been addressed, we quickly realize that the tasks associated with this endeavor are numerous, diverse, and ever changing. It is this last point that will serve as a basis for this concluding lesson, because if security is to be provided in a competent and effective manner in the future, some underlying issues must be considered. These include an understanding of issues that may serve as threats moving forward, formulating a predictive strategy in regards to them, as well as the impact and role that technology will continue to play in these efforts. Added to these are the educational and professional requirements associated with the security industry and the impact they may have on those already in or desiring to enter into this field. These will serve as some of the primary issues that will be addressed.
The Future of Security
When considering what awaits the security profession in the years to come and those that will operate within it, developments and forecasts related to security science will in large part be impacted by what has occurred in the past and in present day. What might occur, what is most plausible and feasible given current and expected occurrences, and what has proven to be effective (or not) will all need to be considered in determining those issues that will remain relevant or change. So predicting the future (not in the form of Nostradamus or similar prophets) as it relates to security is a technique that considers probable or desirable outcomes in the face of known or anticipated risks. So given this backdrop, where is security heading?
Physical Security
As long as there are structures that people operate within and house various assets, there will continue to be a need to offer needed protection related to them. All of the topics discussed in this course related to walls, fencing, sensors, alarm systems, guards, locks, and other such issues will be needed in some form or fashion. Whether through manual or technological means, these will remain a constant for the security administrator in providing appropriate defensive measures for the material, tangible assets they oversee. Concerning technology, the same trend will continue in serving as a needed aid in providing security moving forward. Mobile devices of various types, functions, capabilities, and their ability to access data, the ever-increasing use of robotics and the functions they can carry out, sensors that will be able to gain more intelligence regarding detection, and high frequency security cameras that will have the capability to verify the chemical compound of an object at a distance are just some of the many technical innovations on the horizon. Yet, just as technology has taken on a greater role in providing these efforts, so too does technology represent ever-increasing concerns to the security manager.
Cyber Security
As society becomes connected on an ever-increasing basis, attention must be directed towards what implications this environment has related to not only security, but related privacy concerns as well. In Future Scenarios and Challenges for Security and Privacy (2016, Williams, Axon, Nurse, & Creese), the researchers took a very methodical approach in considering some 30 predictions obtained from a variety of organizations and disciplines; consolidating them into ten defined scenarios. These scenarios took into consideration a range of not only technological possibilities that might occur over the next decade, but those that represented commercial and political ramifications as well. A brief overview will be provided regarding these various situations:
Growth of the Internet-of-Things. The Internet-of-Things will permeate all aspects of daily life moving forward, making the lines between the physical and virtual worlds less defined. Unfortunately, this only lends itself to increased online risks and related threats and attacks.
Proliferation of offensive tools. Although all public or private sector entities will not find themselves targeted by nation-states or other forms of government, the capabilities represented by a variety of simple attack tools can place individuals and organizations alike under the pervasive risk of identity theft.
Privacy becomes reinterpreted. As it is with many issues, the overall concept of privacy can be viewed and defined differently. Nowhere is this more evident than in those labeled as “digital natives,” individuals who have been raised in an age of unfettered Internet access and increased use (and dependence) of social networking. Although the development and use of these platforms has become commonplace and offer a host of benefits, they can be seen as invasive and present a number of risks and concerns regarding confidentiality.
Repressive enforcement of online order. Issues related to free speech have and will continue to have an impact on security; where liberal versus what might be seen as repressive approaches regarding online activity are taken. Issues regarding surveillance, censorship, and regulations not only have the potential to impact attacks that are carried out in the cyber operating environment, but could inadvertently affect commerce and free enterprise as well.
Heterogeneity of state postures. An environment made up of dissimilar or diverse elements can certainly be a positive in many ways. However, when there is a great disparity in how Personally Identifiable Information (PII) is defined, cooperation over cyber norms could be negatively impacted. This would generally be seen at the uppermost levels where certain governments may decline to prosecute their cyber criminals; where working relationships would no doubt be impacted. However, even in corporate America, this could be seen as well to varying degrees.
Traditional business models under pressure. Each and every day, it seems that the landscape of the overall business community, associated operating frameworks, and issues related to intellectual property are all impacted by not only competitors, but those that would wish to do them harm through nefarious means. Although financial capital, ingenuity, and innovation will remain in high demand, “the evolution of new business models would see individuals’ personal data become the most valuable commodity” (2016, p. 3). As such data resides in global repositories on an ever increasing basis, associated security concerns will also increase.
Big data enables greater control. There is really nothing new with manipulating data in order to produce a desired outcome (as can be seen in every election cycle related to polls), but the amount of data that will continue to be accessible moving forward will have a great impact on how an individual’s behavior might be managed by both corporations and government. Such analysis could be utilized to customize everything from advertisements to campaigns, but straying away from these types of activities must be viewed with suspicion and appropriately guarded against.
Growth of public-private partnerships. It should come as no surprise that as the amount of information submitted, stored, and retrieved about individuals increases, it would be shared between various entities as well. However, even though the sharing of data between those within the public and private sectors can offer a number of advantages, the risk of confidentiality being violated increases as the spectrum of these partnerships increases as well.
Citizens demand greater control. The demand for transparency has become commonplace in our world today, especially as it relates to those who hold elected office. Yet the same demands and expectations by members of the public regarding personal data held online will require appropriate approaches and policies.
Organizations value cyber-resilience. As more activities are carried out within the virtual environment, it becomes increasingly important for organizations to be resilient in the face of attacks on it. These can come as a result of activities carried out by external perpetrators, but insider threats must also be considered. Also, those known as “Advanced Persistent Threats” can especially wreak havoc and must be guarded against. This is where an attack is carried out on an entire network by unauthorized personnel and remains there undetected for a long period of time.
After offering insight regarding each of these issues, the researchers turned their attention to what challenges await professionals in regards to both security and privacy in light of current practices. It was noted that a number of gaps can be found in existing guidelines; those that will prove insufficient in addressing the level to which technology permeates daily life. At its core, a fundamental understanding of online presence and protection of it is needed at the individual level. Likewise, organizations and the documents that have been developed to offer needed guidance would appear to fall short in relation to many of these issues noted. For instance, current recommendations do offer protection against certain risks as long as applicable devices are identified, inventoried, and monitored. Yet as it relates to the Internet-of-Things, it is expected that many of these devices will be personally owned; incorporated as part of their clothing or implanted. Therefore, accounting for each of them would simply not be feasible. So much work needs to be done in the areas of research and development, education and training, and the accompanying policies and guidance needed to enact and govern appropriate security measures.
The Security Professional of the Future
Based upon what has been discussed thus far, a rather dismal picture has been painted moving forward regarding the myriad of threats organizations will face and how to properly protect against them; especially related to technology. Yet as noted in the report Securing Our Future: Cybersecurity and the Millennial Workforce, the following concluding remarks are offered. “Cyber risks are likely to grow more pervasive and complex as technology becomes more ingrained in today’s lifestyle. However, this doesn’t mean the cause is lost — not even close. An increased cyber talent pool and efforts by governments, businesses and employees to practice safe-cyber activities can still lead to a safer online world for everyone” (2017, p. 16). It is obvious from this quote that a concerted, coordinated effort will be needed, and the security professional is an integral part of that broad-based initiative.
So what elements define and support the security professional, and what elements would most assist the drive to the security professional? These are the two primary questions posed and addressed within the document Defining the Security Professional: Definition through a Body of Knowledge. Although conducted and published in 2010, I feel it still offers great insight regarding not only how the overall role of security has evolved in a way that incorporates a variety of disciplines and competencies, but seeks to move forward with a degree of certainty in the midst of an oftentimes ambiguous world. As we have noted throughout this study, security is far from being single dimensional in nature. This is evident in the fact that a single definition for security and all that it represents remains elusive; simply because it contains so many different facets. It has been stated that there are four key internal drivers of security, and those have been identified as criminology, risk, terrorism, and management (Borodzicz & Gibson, 2006). We have touched upon each of these throughout the preceding weeks, so they remain valid and will continue to impact the direction the overall profession of security takes in the future. Therefore, what steps must be taken on the road to professionalism? Let us now turn our attention there.
Education and Training
As it relates to any profession, there are certain characteristics that apply to all of them, and security certainly would be included as well. These include a workforce that is educated, an underlying infrastructure that is mature to the degree that it is self-regulating, and leadership that recognizes its responsibility to all within the security sector as a whole, is proactive in developing and conveying a vision for the future, and ensures that a competent workforce is maintained. Yet what makes the security industry somewhat unique is that it is actually a mixture of a host of different disciplines that must work together in a defined and coordinated manner. Through it all, the greatest benefits will be derived from a workforce that is highly educated; advantages that will be realized by security professionals and clients alike. These include a higher level of service being provided to consumers of security services, the fact that all levels of training and education represent the most cost-effective solution in meeting customers’ needs, the management and technical skills needed “out in the field” will be enhanced, and a standardized approach regarding procedures and techniques will be attained through broad-based education as well. There are various avenues in which such learning and instruction can be attained, and ASIS International is one such example. ASIS is a professional organization focused upon the needs of security professionals and offers various certifications, standards, and guidelines for the security profession as a whole. As it relates to education, a number of options are provided to security professionals that allow them to build their base of knowledge, skills, and expertise at any stage of their career; both online and within the classroom.
This serves as but one of many options that are currently available, and stresses the importance of professional development as a whole, as well as building, maintaining, and sharing a robust body of knowledge.
Ethics
Ethical considerations are also at the heart of any recognized profession, and security cannot be any different. This should be stressed and receive appropriate attention by any organization, association, etc. associated with the educating, training, and certifying of those within the security industry. For instance, the previously mentioned ASIS offers the following on their website:
Aware that the quality of professional security activity ultimately depends upon the willingness of practitioners to observe special standards of conduct and to manifest good faith in professional relationships, ASIS adopts the following Code of Ethics and mandates its conscientious observance as a binding condition of membership in or affiliation with ASIS.
Details are then provided regarding how members shall perform professional duties in accordance with the law and highest moral principles, observe the principles of truthfulness, honesty, and integrity, shall be diligent in carrying out their professional responsibilities and do so in a competent manner, shall take needed steps to protect confidential information, and shall not maliciously harm the reputation of any colleague, client, or employer. Yet in the ever-changing landscape of providing security in the face of mounting threats, especially related to technology, it has been determined that a stressful situation can cause individuals to perform in an unscrupulous manner. This was the focal point of an article entitled Do ethics get in the way of security professionals?, where the author noted that a distinct increase in data breaches and an overabundance of successful cyber attacks may produce less than enviable responses and actions. In a study that was conducted at a security conference related to this issue, it was found that 20% of respondents have witnessed a company hide or cover up a breach, and that such security breaches are oftentimes used as leverage to increase security budgets (Zorz, 2015). Considering the fact that information technology security is somewhat in its infancy, it has been thrust into the spotlight from a number of different sources, whether they are political or business in nature, or related to the media. Unfortunately, such pressure and attention can often lead to the cutting of corners in order to meet expectations and demands. This only highlights the need to be attentive to this component of the security profession and the manner in which the various individuals operating within it understand their individual and collective responsibilities.
Conclusion
In this final lesson, we have but scratched the surface regarding what awaits the security industry moving forward with regard to threats and hazards that may be looming on the horizon, as well as the industry itself and what is needed to make it the respected and admirable profession it truly is. The student is encouraged to build upon what has been offered here through various avenues. These include conducting your own research regarding the topics that have been addressed, becoming a member of a recognized organization within the overall security industry, and attending related conferences and other such opportunities to not only build upon your base of knowledge and technical expertise, but expand your professional network as well. The future is one that promises to be both challenging and exciting for the security administrator; offering a host of opportunities to take advantage of.
References
Accetturo, P. (2012). Principles for intrusion detection. A security system is only as good as its weakest link. Security Today. Retrieved from https://securitytoday.com/Articles/2012/02/01/Principles-for-Intrusion-Detection.aspx?p=1
Asha, S., & Chellappan, C. (2012). Biometrics: An overview of the technology, issues and applications. International Journal of Computer Applications. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.736.1587&rep=rep1&type=pdf
Baldwin, D.A. (1997). The Concept of Security. Review of International Studies. Retrieved from https://www.princeton.edu/~dbaldwin/selectedarticles/Baldwin(1997)TheConceptofSecurity.pdf
Borodzicz, E. P., & Gibson, S. D. (2006). Corporate security education: Towards meeting the challenge. Security Journal, 19(3), 180-195.
Code of Ethics. (n.d.). ASIS International. Retrieved from https://admin.asisonline.org/About-ASIS/Pages/Code-of-Ethics.aspx
Coole, M., Corkill, J., & Woodward, A. (2012). Defence in depth, protection in depth and security in depth: A comparative analysis towards a common usage language. Edith Cowan University: Australian Security and Intelligence Conference. Retrieved from http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1023&context=asi
Department of Homeland Security: Science and Technology. (2013). System Assessment and Validation for Emergency Responders (SAVER): CCTV Technology Handbook. Washington, D.C. : Government Printing Office.
Fischer, R.J., & Green, G. (2004). Introduction to Security, seventh ed. Butterworth-Heinemann, Boston.
Fischer, R.J., Halibozek, E., & Green, G. (2008). Introduction to Security, eighth ed. Butterworth-Heinemann, Boston.
Griffith, M., Brooks, D.J., & Corkill, L. (2010). Defining the security professional: Definition through a body of knowledge. Paper presented at the Proceedings of the 3rd Australian Security and Intelligence Conference, Perth, Western Australia. Retrieved from http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1004&context=asi
Guide to Business Continuity Management. (2013). Frequently asked questions. Protiviti. Retrieved from https://www.protiviti.com/sites/default/files/united_states/insights/guide-to-bcm-third-edition-protiviti.pdf
Hutter, D. (2016). Physical security and why it is important. SANS Institute InfoSec Reading Room. Retrieved from https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120
Langston, C., & Lauge-Kristensen, R. (2002). Strategic Management of Built Facilities. Boston: Butterworth-Heinemann.
Masse, T., O’Neil, S., & Rollins, J. (2007). The Department of Homeland Security’s risk assessment methodology: Evolution, issues, and options for Congress. Congressional Research Service. Washington, D.C.: Government Printing Office.
National Fire Protection Association. (2013). NFPA 72, National Fire Alarm and Signaling Code. NFPA. Quincy, MA.
Peluffo, M. (2015). Defining today’s intelligent building. Commscope. Retrieved from https://www.commscope.com/Blog/Defining-Todays-Intelligent-Building/
Roper, C.A. (1999). Risk Management for security professionals. Butterworth-Heinemann, Boston.
Roper, K. O., & Payant, R. P. (2014). The facility management handbook (4th ed.). US: Amacom.
Schafer, P.J. (2013). The concept of security in Human and water security in Israel and Jordan. Retrieved from file:///C:/Users/Kevin/Downloads/9783642292989-c2(1).pdf
Schaefer, L., & Mazerolle, L. (2017). Putting process into routine activity theory: Variations in the control of crime opportunities. Security Journal, 30(1), 266-289. doi: http://dx.doi.org.ezproxy2.apus.edu/10.1057/sj.2015.39
Securing Our Future: Cybersecurity and the Millennial Workforce. (2017). Raytheon. Retrieved from https://www.raytheon.com/sites/default/files/2017-12/2017_cyber_report_rev1.pdf
Shaw, E., & Sellers, L. (2015). Application of the critical-path analysis method to evaluate insider risks. Internal Security and Counterintelligence. Retrieved from https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/vol-59-no-2/pdfs/Shaw-CriticalPath-June-2015.pdf
Smith, C., & Brooks, D. J. (2012). Security science: The theory and practice of security. Burlington: Butterworth-Heinemann.
Sun Tzu. (n.d.). Art of war quotes: Sun Tzu quotes from the book the art of war. Retrieved from http://www.artofwarquotes.com/
Vasvari, T. (2015). Risk, risk perception, risk management: A review of the literature. Public Finance Quarterly. Retrieved from https://www.asz.hu/storage/files/files/public-finance-quarterly-articles/2015/a_vasvarir_2015_1.pdf
Vellani, K. (2014). Strategic security management: A risk assessment guide for decision makers.
Williams, M., Axon, L., Nurse, J., & Creese, S. (2016). Future scenarios and challenges for security and privacy. Department of Computer Science, University of Oxford. Retrieved from https://www.cs.ox.ac.uk/files/8337/2016-rtsi-wanc.pdf
Zorz, M. (2015). Do ethics get in the way of security professionals? Help Net Security. Retrieved from https://www.helpnetsecurity.com/2015/05/13/do-ethics-get-in-the-way-of-security-professionals/