Addressing risks by means of access control layout and design

August 2019 Access Control & Identity Management, Security Services & Risk Management

In order to develop a suitable, practical and appropriate security system for any organisation, it is essential to first develop a master security and life safety plan strategy. Defining your core business processes is the first step, which then allows one to identify essential resources and facilities that need protection.

However one must first perform a risk assessment to identify the associated risks to one’s facilities and resources which will map out on those to focus on which you consider most likely to occur. The risk assessment will determine and quantify if the chance of threat/risk is low, medium or high and what the exposure, frequency and severity of the risks are to the business.

Although the core elements of businesses may differ, they generally all have a number of processes and strategies, and are capable of identifying and responding to attacks when they occur. In saying this, there is a common tendency to look at security technologies as a quick fix to security risks.

Effectively addressing and preventing security risks requires much more than getting the right technology, and as highlighted above, fails by neglecting to adopt a holistic system-based approach when considering and designing access control.

There are five security principles that need to be considered when exploring the deployment of access control solution.

Security principle 1

Delay without detection is not delayed. Consider a door fitted with a deadbolt lock which would take some time before an intruder could penetrate the door where the detection of the intruder is first detected (when the door is opened). The time value of the lock as a delay barrier can be several minutes, however, the moment the door is opened, the time value of the lock as a physical barrier is actually zero. If a homeowner, for example, is not at home it would make no difference if the burglar took five minutes or five hours to get through the lock because delay without detection is not delayed.

Security principle 2

Detection without assessment is not detection. This principle is similar to that of an alarm system. The first detection takes place; however, the detection process is not complete until the assessment takes place. An effective access control system requires the components of where people and procedures must be well articulated. Depending on the design when configuring access control layers, the response times could be short at the point of detection. It must be noted that in order to meet the desired access control design standards, this will only be possible with a clear systematic approach.

Security principle 3

People make great assessors but poor detectors. A common mistake is to assume the security personnel will be able to detect a threat in a sufficient amount of time to respond and deploy the final denial barriers. Often the required response times are too short and therefore people do not make good assessors.

Security principle 4

Adversary path. There are a number of adversary paths/routes a burglar may take to gain access to a business and therefore it is important to identify and address the multiple adversary paths when designing one’s access control solutions.

Security principle 5

Critical detection point. This is the culminating principle that borrows from the other four principles. Once one’s adversary paths have been identified and determined they must then be analysed by measuring the time it takes for the adversary to reach the asset/identified threat along with the probability of detection in order to determine the critical detection point. Note that if the adversary makes it past this point it’s too late.

Crime Prevention Through Environmental Design (CPTED).

This is an essential discipline that is often overlooked. This principle outlines how the proper design of a physical environment can reduce crime by directly affecting human behaviour and has three main strategies:

• Natural access control. This relates to the guidance of people entering and leaving a space by the placement of doors, fences, lighting and landscaping, including bollards, use of security zones, access barriers, and use of natural access controls.

• Natural surveillance. This entails the use and placement of physical environmental features, personnel walkways and activity areas in ways that maximise visibility. The goal is to make criminals feel uncomfortable and make all other people feel safe and comfortable through the use of observation.

• Territorial reinforcement. This is achieved by creating physical designs that highlight the company’s area of influence to give legitimate owners a sense of ownership, and is accomplished through the use of walls, lighting, landscaping etc.

In conjunction with the above principles, when designing one’s access control platform it is critical that the following zone layout and design must also be considered, which can be divided into four primary zones:

• Approach zone.

• Access control zone.

• Response zone.

• Safety zone.

Generally speaking, it is important that the detection elements needed must be placed either in the approach or access control locations that will ensure the guard force has the response time needed for alarm assessment and response.

All these components take time, and the engineering and design will be directly affected when calculating the response times directly. Also, do not forget that this will also have a direct impact on were the final barriers will be placed. If they are too close behind the access control zone, the guard force will not have sufficient time to respond to the threat.

When one looks at the three primary zones in the zone corridor, one can begin to understand how critical these security principles are relative to access control point layout and design.

Lastly, based on the above application of risk process, principles and zone configuration, the effects of the different design elements to deter, deflect, delay, detect and response models will assist in determining the required subsystems – alarms, barriers, surveillance, EAS, smoke cloak, audio, lighting, etc. in order to provide the most cost-effective vulnerability solution.

It must be noted that in order to be successful, a systems approach will always include a combination of personnel, equipment and procedures. Herein lies additional issues which are another story in respect of the people element (poorly selected, poorly paid, poorly trained or poor retention) plus, in many instances, little or no procedures are in place.

For more information, contact Christopher C. Cobb, Accenture, +27 11 208 3153,

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

24-hour emergency response for staff
August 2019 , News, Security Services & Risk Management
The FirstRand Group has partnered with PanicGuard to create a 24-hour emergency response programme for staff.

HID addresses identification challenges at ID4Africa
August 2019 , News, Access Control & Identity Management, Government and Parastatal (Industry)
Being able to verify people’s identities is critical for a nation’s growth and prosperity and yet HID says nearly half of all African citizens can’t prove who they are to vote, travel freely and receive government benefits and services.

Came acquires Turkish company Özak
August 2019, CAME BPT South Africa , News, Access Control & Identity Management
Came broadens its market horizons and signals growth and consolidation in the Middle East.

Keeping our changing environment secure
August 2019 , Editor's Choice, Security Services & Risk Management
For a crime to take place there needs to be a victim and a criminal who sees an opportunity. For a cybercrime to take place we need the same set of circumstances.

The importance of real security risk assessments
August 2019, Sentinel Risk Management , Editor's Choice, Security Services & Risk Management, Residential Estate (Industry)
Andy Lawler, MD, Sentinel Risk Management, says a security risk assessment is an onerous task, but is not something estates can consider optional or a luxury item anymore.

Risk assessment or product placement?
August 2019, Technews Publishing, Alwinco, SMC - Security Management Consultants , Editor's Choice, Security Services & Risk Management, Residential Estate (Industry)
Hi-tech security solutions asked a couple of experts to provide estate managers and security managers with some insights into what a ‘real’ risk assessment includes.

Residential security – caveat emptor
August 2019, Stafix , Integrated Solutions, Security Services & Risk Management
When it comes to improving your property’s security, make sure you take all the options into account as you build a layered approach to keeping people safe and assets secured.

Ensuring your electric fence is compliant
August 2019, Stafix , Perimeter Security, Alarms & Intruder Detection, Security Services & Risk Management
A challenge facing both existing and potentially new perimeter electric fence installations is how to economically meet the legal requirements required in the SANS 10222-3:2016 standards document.

The benefits of electronic visitor management
August 2019, Powell Tronics , Access Control & Identity Management, Residential Estate (Industry)
Access control is a critical aspect of estate security as it represents the controls put in place to restrict entry (and possibly exit) along the outer boundary of the location.

Secure hands-free access
August 2019, Suprema , Access Control & Identity Management, Residential Estate (Industry)
Suprema’s facial biometric terminals bring no-touch access into secure residential estates, high-rise apartments and luxury homes providing fast, easy and intuitive user authentication with the added benefit of hygiene.