Addressing risks by means of access control layout and design

Residential Estate Security Handbook 2019 Access Control & Identity Management, Security Services & Risk Management

In order to develop a suitable, practical and appropriate security system for any organisation, it is essential to first develop a master security and life safety plan strategy. Defining your core business processes is the first step, which then allows one to identify essential resources and facilities that need protection.

However one must first perform a risk assessment to identify the associated risks to one’s facilities and resources which will map out on those to focus on which you consider most likely to occur. The risk assessment will determine and quantify if the chance of threat/risk is low, medium or high and what the exposure, frequency and severity of the risks are to the business.

Although the core elements of businesses may differ, they generally all have a number of processes and strategies, and are capable of identifying and responding to attacks when they occur. In saying this, there is a common tendency to look at security technologies as a quick fix to security risks.

Effectively addressing and preventing security risks requires much more than getting the right technology, and as highlighted above, fails by neglecting to adopt a holistic system-based approach when considering and designing access control.

There are five security principles that need to be considered when exploring the deployment of access control solution.

Security principle 1

Delay without detection is not delayed. Consider a door fitted with a deadbolt lock which would take some time before an intruder could penetrate the door where the detection of the intruder is first detected (when the door is opened). The time value of the lock as a delay barrier can be several minutes, however, the moment the door is opened, the time value of the lock as a physical barrier is actually zero. If a homeowner, for example, is not at home it would make no difference if the burglar took five minutes or five hours to get through the lock because delay without detection is not delayed.

Security principle 2

Detection without assessment is not detection. This principle is similar to that of an alarm system. The first detection takes place; however, the detection process is not complete until the assessment takes place. An effective access control system requires the components of where people and procedures must be well articulated. Depending on the design when configuring access control layers, the response times could be short at the point of detection. It must be noted that in order to meet the desired access control design standards, this will only be possible with a clear systematic approach.

Security principle 3

People make great assessors but poor detectors. A common mistake is to assume the security personnel will be able to detect a threat in a sufficient amount of time to respond and deploy the final denial barriers. Often the required response times are too short and therefore people do not make good assessors.

Security principle 4

Adversary path. There are a number of adversary paths/routes a burglar may take to gain access to a business and therefore it is important to identify and address the multiple adversary paths when designing one’s access control solutions.

Security principle 5

Critical detection point. This is the culminating principle that borrows from the other four principles. Once one’s adversary paths have been identified and determined they must then be analysed by measuring the time it takes for the adversary to reach the asset/identified threat along with the probability of detection in order to determine the critical detection point. Note that if the adversary makes it past this point it’s too late.

Crime Prevention Through Environmental Design (CPTED).

This is an essential discipline that is often overlooked. This principle outlines how the proper design of a physical environment can reduce crime by directly affecting human behaviour and has three main strategies:

• Natural access control. This relates to the guidance of people entering and leaving a space by the placement of doors, fences, lighting and landscaping, including bollards, use of security zones, access barriers, and use of natural access controls.

• Natural surveillance. This entails the use and placement of physical environmental features, personnel walkways and activity areas in ways that maximise visibility. The goal is to make criminals feel uncomfortable and make all other people feel safe and comfortable through the use of observation.

• Territorial reinforcement. This is achieved by creating physical designs that highlight the company’s area of influence to give legitimate owners a sense of ownership, and is accomplished through the use of walls, lighting, landscaping etc.

In conjunction with the above principles, when designing one’s access control platform it is critical that the following zone layout and design must also be considered, which can be divided into four primary zones:

• Approach zone.

• Access control zone.

• Response zone.

• Safety zone.

Generally speaking, it is important that the detection elements needed must be placed either in the approach or access control locations that will ensure the guard force has the response time needed for alarm assessment and response.

All these components take time, and the engineering and design will be directly affected when calculating the response times directly. Also, do not forget that this will also have a direct impact on were the final barriers will be placed. If they are too close behind the access control zone, the guard force will not have sufficient time to respond to the threat.

When one looks at the three primary zones in the zone corridor, one can begin to understand how critical these security principles are relative to access control point layout and design.

Lastly, based on the above application of risk process, principles and zone configuration, the effects of the different design elements to deter, deflect, delay, detect and response models will assist in determining the required subsystems – alarms, barriers, surveillance, EAS, smoke cloak, audio, lighting, etc. in order to provide the most cost-effective vulnerability solution.

It must be noted that in order to be successful, a systems approach will always include a combination of personnel, equipment and procedures. Herein lies additional issues which are another story in respect of the people element (poorly selected, poorly paid, poorly trained or poor retention) plus, in many instances, little or no procedures are in place.

For more information, contact Christopher C. Cobb, Accenture, +27 11 208 3153, [email protected]

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Deception technology crucial to unmasking data theft
Information Security Security Services & Risk Management
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Proactive strategies against payment fraud
Financial (Industry) Security Services & Risk Management
Amid a spate of high-profile payment fraud cases in South Africa, the need for robust fraud payment prevention measures has never been more apparent, says Ryan Mer, CEO of eftsure Africa.

How to prevent and survive fires
Fire & Safety Security Services & Risk Management
Since its launch in August 2023, Fidelity SecureFire, a division of the Fidelity Services Group, has been making significant strides in revolutionising fire response services in South Africa.

A long career in mining security
Technews Publishing Editor's Choice Security Services & Risk Management Mining (Industry)
Nash Lutchman recently retired from a security and law enforcement career, initially as a police officer, and for the past 16 years as a leader of risk and security operations in the mining industry.

Risk management: There's an app for that
Editor's Choice News & Events Security Services & Risk Management
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Integrated information platform for risk management
Editor's Choice News & Events Security Services & Risk Management
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Global Identity Fraud Report revealing eight-month ‘mega-attack’
Editor's Choice Security Services & Risk Management
AU10TIX recently released its Q4 Global Identity Fraud Report, with the research identifying two never-before-seen attack patterns, with the worst case involving 22 000+ AI-generated variations of a single U.S. passport.

Linking of security officers by security businesses
PSiRA (Private Security Ind. Regulatory Authority) News & Events Security Services & Risk Management
[Sponsored] By law, all security businesses are required to declare their employees to PSiRA so that they can be accounted for administratively. Failure to link employees by security businesses is a contravention of the Code of Conduct and a criminal offence.

Defending against SIM swap fraud
Access Control & Identity Management
Mobile networks must not be complacent about SIM swap fraud, and they need to prioritise the protection of customers, according to Gur Geva, Founder and CEO of iiDENTIFii.

Access Selection Guide 2024
Access Control & Identity Management
The Access Selection Guide 2024 includes a range of devices geared specifically for the access control and identity management market.