14 minute read
Finding pragmatic, proportionate and effective physical security solutions
Chris Philp, Security Risk Advisor at ICARAS Security Consultants, combines theory with practice to acquaint us with the building blocks of assessing security risk and identifying an effective security solution.
Most people understand that physical security control measures, such as security alarms, access control and CCTV systems, are a necessary evil in this day and age. However, when it comes to what security measures to install, and to what extent, everyone has a different view.
Nobody wants to “undercook” their physical security and risk insufficient protection of their people and assets. But neither does anyone want to throw money away on extensive and expensive systems that are unnecessary.
In this article, I will lay out a basic process that can be used to help you determine a pragmatic, proportionate and effective physical security solution for your organisation. I will start by looking at threat and risk, followed by how to apply threat and risk assessments to your organisation’s physical security environment.
I will then look at some of the principals of physical security and how these apply to different physical security control measures. Finally, I’ll pull everything together to present a high-level process for determining an appropriate physical security solution for your business.
It’s probably worth noting that the language and terminologies used in this article have been deliberately simplified so that it can be understood by everyone and not just the technical experts!
Part 1 – Threat and Risk Understanding threat and risk is the fundamental building block to achieving the pragmatic and proportionate aspects of a physical security solution. Most organisations regularly deal with risk assessments in the health and safety domain, but often don’t take the same approach in the security domain.
By identifying the threats to your organisation and the associated risks they present, you can determine where your vulnerabilities lie. However, there is often a lack of understanding of the difference between threat and risk. While there are many standards, handbooks and guides on threat and risk, we will try and boil it down to a magazine article-sized summary below.
What are threats and risks A threat identifies an action or event that leads to a negative outcome and incorporates who or what perpetrates that action or event. For example, a threat may be a petty criminal breaking into a storage shed and stealing some tools.
Common threat categories used within government circles are shown in Table 1 below. These are fairly broad and some may be more relevant to your organisation than others.
Terrorism International extremists Domestic extremists
Disruptive activity Protestors, activists or issue motivated groups Fixated or acutely disaffected persons
Sabotage / unauthorised Insiders disclosure of information Hostile intelligence activity
General crime Violence, theft and vandalism Organised criminal activity
Economic crime Cybercrime
Table 1 - Common threat categories
Identifying what may go wrong on its own is not that helpful, so threats also consider the likelihood of that action or event occurring. For example, if your site is in an industrial area with a high crime rate and your shed is secured with a low grade lock, you may determine there is a fairly high chance that someone might steal your tools.
Risk takes this a step further and considers the impact or consequences. Identifying instances of how these threats
Figure 1 – Threat and risk relationship (Source: National Security Journal).
could occur and assessing the impact or consequences of these occurrences results in a set of risks.
For example, if the tools were low value and used only for routine maintenance, the impact of them being stolen might be low. However, if the tools were a critical part of your operations and difficult to replace, the impact of them being stolen might be very high.
Another way of looking at the relationship between threat and risk, and how to determine them, is shown in Figure 1. This is the process used by the Combined Threat Assessment Group (CTAG) when setting the national terrorism threat level.
To provide context, threats and risks are usually assigned a level. This could be low/medium/high or a scale of one to five, or whatever system works for you. From Figure 1 we can see that the risk level is usually the combination of the Likelihood and Impact or Consequence.
A common approach is to use a numerical scale, then output a colour coded high/medium/low rating, an example of this is shown in Table 2. However, the purpose of a risk rating is to help you understand the significance of a risk to your organisation, both absolutely and relative to other risks, so use any system that provides the relevant information and works for you.
So far, we’ve looked at threat and risk, covering the highlevel concepts in identifying the physical security risks to your organisation. This next part looks at how to use that risk assessment.
Part 2 – Applying risk assessments So far, I’ve looked at threat and risk, covering the high-level concepts in identifying the physical security risks to your organisation. This next part looks at how to use that risk assessment.
Balancing detail Threats and risks can be expressed broadly (for example, the current assessed threat of terrorism in New Zealand is ‘Medium’). A broad threat and risk analysis will, however, yield broad results, which may be less helpful when looking at specific risk mitigations.
Defining threats and risks in more detail can be beneficial – the more specific the risk, the more specific the risk mitigation. However, on the flip side, too much detail can become overwhelming and counterproductive.
A good place to start is to focus on the threats that are most relevant to your organisation. The categories in Table 1 cover a wide gambit of threat sources and it is likely only a few will be particularly relevant to your organisation. Likewise, similar risks can sometimes be grouped together.
Handling risks
Risks can be either tolerated, terminated, treated or transferred. • Tolerate: Accept the risk without mitigation (or further mitigation). This may be employed when the risk consequence is assessed as being very low or the cost of mitigation is disproportionate to the risk rating. For example, just accept that tools will sometimes be stolen and need to be replaced. Tolerate is also employed once mitigations are applied to a risk to lower the rating to a level that is within the organisation’s risk appetite.
• Terminate: Remove the object of the risk – for example, stop undertaking the work that requires tools to be stored at high crime sites.
• Transfer: The risk is transferred to a third party. For example, the financial component of the risk of stolen tools can be transferred to an insurance company through an insurance policy.
• Treat: Develop one or more options to mitigate the risk. This is usually the most appropriate option when it comes to physical security risks and is where physical security control measures come into play.
Determining where your organisation’s risk tolerance level, or risk appetite, sits is a key component of the risk assessment process. It gives a clear picture of what risks can be tolerated without mitigation and what physical security measures are needed to bring the other identified risks down to an acceptable level.
A risk can be mitigated by either reducing the likelihood of a threat action or event occurring, or by reducing the consequence or impact on your organisation should the threat action or event occur. Risk mitigation measures will generally operate on one or both of these risk aspects.
For example, storing tools in a more robust shed with a high grade lock will make it harder to access the tools, thus reducing the likelihood they will be stolen. Ensuring a second set of tools is available at another site means work can continue even if one set of tools is stolen, thus reducing the impact of the tools being stolen.
Part 3 – Physical security concepts and principles Having looked at threat and risk, and applying a risk assessment to your organisation, I’ll now take a small sidestep and look at some of the key concepts and principles in physical security and physical security control measures.
Deter, Detect, Delay and Respond Physical security measures can mitigate risks through one or more of deterring, detecting, delaying, or responding to threat actions:
• Deter. The aim of deterrence is to stop or displace an intrusion before it has taken place. This is the primary goal of the whole physical security system – the best outcome is always to stop a threat action from happening when possible. For example, a sign stating an area is under CCTV surveillance may make a criminal think twice before breaking into a shed to steal tools.
• Detect. The primary purpose of detecting a threat action or event occurring is to initiate a timely response, which may reduce the impact of the event. For example, a fence alarm may detect an unauthorised intruder entering your site, prompting a security guard response which may disrupt an attempt to break into the shed to steal the tools.
• Delay. Measures that are put in place to delay, or slow down, the intrusion. This decreases the chances of the intruder reaching their target before being apprehended or giving up. For example, a high quality lock on the storage shed may be beyond the capability of many criminals to defeat or take a determined criminal some time to bypass.
• Respond. The response to an intrusion should ensure that the incident is stopped or, at a minimum, cannot progress any further. Also, a post-incident response can provide information that enables additional control measures to be employed that reduces the risk of the incident occurring again. For example, the arrival of a security guard on site will likely cause a criminal to cease their attempts to break into the storage shed and leave as quickly as possible.
It is important to understand what domains a security measure operates within to determine how effectively it will mitigate a specific risk, if at all. For example, a CCTV camera will deter but not delay an intruder, a mechanical lock will delay but not detect an intruder, an alarm system will detect and instigate a response but not delay an intruder.
Crime Prevention Through Environmental Design (CPTED) CPTED provides a framework for incorporating crime prevention within quality urban design by focusing on reducing the opportunity to commit crime, therefore lessening the motivation to offend. The natural and built environment can help or hinder physical security.
While the origins of CPTED are in urban design, there are elements that are applicable to many other types of site. There are four key overlapping CPTED principles: • Surveillance. People are present and can see what is going on. For example, ensuring your storage shed is well lit and visible to passers-by on the street will increase the chances of a criminal trying to break into that shed being seen • Access management. Methods are used to attract people and vehicles to some places and restrict them from others. For example, closing off your site carpark to vehicles after hours will discourage people from congregating, which may in turn reduce the risk of opportunistic targeting of your storage shed.
• Territorial reinforcement. Clear boundaries encourage community ‘ownership’ of the space. For example, a clearly marked boundary around your site will discourage people from entering and loitering, which may in turn reduce the risk of opportunistic targeting of your storage shed.
• Quality environments. Good quality, well maintained places attract people and support surveillance. For example, a poorly maintained storage shed suggests a lack or care or concern for it, which in turn may lead to a potential criminal believing their risk of being caught is reduced.
Security in depth ‘Security-in-Depth’ involves layering multiple security measures to make unauthorised access difficult. These measures should complement and support one another. A visual representation of this is shown in Figure 2.
Each individual layer represents a set of security controls or obstacles that any threat or attacker would need to breach in order to compromise the asset(s), with the layers operating cumulatively towards the total effective protection. Layers of security controls also provide redundancy, reducing the risk of compromise should a single layer fail.
For example, a criminal may need to pass through multiple layers, include a perimeter fence, security lighting, a robustly constructed storage shed and a high quality lock, before getting access to the tools in the shed to steal them.
Part 4 – Pragmatic and proportionate physical security control measures In this part, we bring the threads of what we’ve covered so far together to determine effective physical security controls to address the identified risks, guided by the relevant concepts and principles.
Firstly, your risk assessment and organisational risk tolerance should highlight the key physical security areas that need mitigation measures. By focusing on the highest risk areas you ensure you are expending effort and resource in the areas where it is most needed to provide a proportionate solution.
Next, determine which physical security controls will provide suitable and effective mitigation against those risks. Before looking at direct controls, think about how the principles of CPTED and using the natural and built environment can be used to your advantage. Then consider each of the direct physical security controls in terms of how they fit into the deter, detect, delay and response framework – which aspects of the framework are required to effectively mitigate the risk and what controls can be applied to each of those aspects.
Figure 2 – Layered approach to physical security
While most controls will span more than one aspect, it is unlikely only one control will give full coverage to mitigate a risk. Which brings us to security-in-depth – think about the process of the threat action or event and how it “interacts” with each security control along with any potential interdependence between controls (for example, a guard force response requires an alarm or other prompt to initiate it). Ensure you have multiple layers and try and avoid single points of failure.
Once you have mapped out proportionate and effective physical security controls, find the common ground. It is likely many of the controls will overlap different risks and these can be consolidated into a single control specification that covers all the relevant risk mitigation requirements. This provides a pragmatic deployment solution for each control.
Alongside this, undertake a gap analysis with your existing physical security controls – look at what you might already have in place that can provide effective mitigation and may reduce the additional controls that need to be installed. This provides a pragmatic deployment solution across all controls.
Finally, take your list of the additional physical security controls required to mitigate your identified risks and develop a deployment plan, looking to link the control and management systems of each control together wherever possible to enable them to work together and to reduce the management burden.
Worked example Lets bring it all together, based on the very basic example used throughout this article.
The identified risk is petty criminals breaking into a storage shed on site, stealing tools that are essential to the operation of the business. As the site has minimal existing physical security controls and the loss of the tools would have a significant impact on business operations, the risk rating is assessed to be high.
There is an overgrown hedge around the site that blocks the view of the shed door from the road. By trimming this hedge, the door can be seen from the road, is better illuminated by the streetlights and makes the site look tidier and well kept (natural surveillance and quality environments).
While the door to the shed is reasonably robust, it opens inwards and is prone to a solid kick or shoulder charge. By converting it to an outwards opening door with hinge bolts, it presents a much tougher target requiring more time to defeat (delay), in full view of the street (deter).
Installing a monitored security alarm in the shed will provides a notification of attempted unauthorised access (detect) and allow a response from the security guard force (respond).
A locked internal cabinet or storage cage can also be installed, providing an extra layer of physical barrier but also providing an additional delay factor after the alarm detection to give the guard force time to respond.
This is just a basic example and there are many other options available to mitigate this type of risk – one of the simplest being to move the tools to a more secure location. However, hopefully this have given you an idea of the process to determine a pragmatic, proportionate and effective physical security solution for your organisation that is a little more robust than just glossy brochures and good ideas.
This article was originally published as four blog posts at www.icaras.nz.