Addressing risks by means of access control layout and design

Residential Estate Security Handbook 2019 Access Control & Identity Management, Security Services & Risk Management

In order to develop a suitable, practical and appropriate security system for any organisation, it is essential to first develop a master security and life safety plan strategy. Defining your core business processes is the first step, which then allows one to identify essential resources and facilities that need protection.

However one must first perform a risk assessment to identify the associated risks to one’s facilities and resources which will map out on those to focus on which you consider most likely to occur. The risk assessment will determine and quantify if the chance of threat/risk is low, medium or high and what the exposure, frequency and severity of the risks are to the business.

Although the core elements of businesses may differ, they generally all have a number of processes and strategies, and are capable of identifying and responding to attacks when they occur. In saying this, there is a common tendency to look at security technologies as a quick fix to security risks.

Effectively addressing and preventing security risks requires much more than getting the right technology, and as highlighted above, fails by neglecting to adopt a holistic system-based approach when considering and designing access control.

There are five security principles that need to be considered when exploring the deployment of access control solution.

Security principle 1

Delay without detection is not delayed. Consider a door fitted with a deadbolt lock which would take some time before an intruder could penetrate the door where the detection of the intruder is first detected (when the door is opened). The time value of the lock as a delay barrier can be several minutes, however, the moment the door is opened, the time value of the lock as a physical barrier is actually zero. If a homeowner, for example, is not at home it would make no difference if the burglar took five minutes or five hours to get through the lock because delay without detection is not delayed.

Security principle 2

Detection without assessment is not detection. This principle is similar to that of an alarm system. The first detection takes place; however, the detection process is not complete until the assessment takes place. An effective access control system requires the components of where people and procedures must be well articulated. Depending on the design when configuring access control layers, the response times could be short at the point of detection. It must be noted that in order to meet the desired access control design standards, this will only be possible with a clear systematic approach.

Security principle 3

People make great assessors but poor detectors. A common mistake is to assume the security personnel will be able to detect a threat in a sufficient amount of time to respond and deploy the final denial barriers. Often the required response times are too short and therefore people do not make good assessors.

Security principle 4

Adversary path. There are a number of adversary paths/routes a burglar may take to gain access to a business and therefore it is important to identify and address the multiple adversary paths when designing one’s access control solutions.

Security principle 5

Critical detection point. This is the culminating principle that borrows from the other four principles. Once one’s adversary paths have been identified and determined they must then be analysed by measuring the time it takes for the adversary to reach the asset/identified threat along with the probability of detection in order to determine the critical detection point. Note that if the adversary makes it past this point it’s too late.

Crime Prevention Through Environmental Design (CPTED).

This is an essential discipline that is often overlooked. This principle outlines how the proper design of a physical environment can reduce crime by directly affecting human behaviour and has three main strategies:

• Natural access control. This relates to the guidance of people entering and leaving a space by the placement of doors, fences, lighting and landscaping, including bollards, use of security zones, access barriers, and use of natural access controls.

• Natural surveillance. This entails the use and placement of physical environmental features, personnel walkways and activity areas in ways that maximise visibility. The goal is to make criminals feel uncomfortable and make all other people feel safe and comfortable through the use of observation.

• Territorial reinforcement. This is achieved by creating physical designs that highlight the company’s area of influence to give legitimate owners a sense of ownership, and is accomplished through the use of walls, lighting, landscaping etc.

In conjunction with the above principles, when designing one’s access control platform it is critical that the following zone layout and design must also be considered, which can be divided into four primary zones:

• Approach zone.

• Access control zone.

• Response zone.

• Safety zone.

Generally speaking, it is important that the detection elements needed must be placed either in the approach or access control locations that will ensure the guard force has the response time needed for alarm assessment and response.

All these components take time, and the engineering and design will be directly affected when calculating the response times directly. Also, do not forget that this will also have a direct impact on were the final barriers will be placed. If they are too close behind the access control zone, the guard force will not have sufficient time to respond to the threat.

When one looks at the three primary zones in the zone corridor, one can begin to understand how critical these security principles are relative to access control point layout and design.

Lastly, based on the above application of risk process, principles and zone configuration, the effects of the different design elements to deter, deflect, delay, detect and response models will assist in determining the required subsystems – alarms, barriers, surveillance, EAS, smoke cloak, audio, lighting, etc. in order to provide the most cost-effective vulnerability solution.

It must be noted that in order to be successful, a systems approach will always include a combination of personnel, equipment and procedures. Herein lies additional issues which are another story in respect of the people element (poorly selected, poorly paid, poorly trained or poor retention) plus, in many instances, little or no procedures are in place.

For more information, contact Christopher C. Cobb, Accenture, +27 11 208 3153,

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

The year resilience paid off
Issue 8 2020 , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions spoke to Michael Davies about business continuity and resilience in a year when everything was put to the test.

Suprema ranks first in survey
Issue 2 2021, Suprema, neaMetrics , News, Access Control & Identity Management
In a recent survey conducted in Korea, Suprema was chosen as the top brand for access control management software and mobile access solutions.

Suprema integrated with Nedap
Issue 2 2021, Suprema , Access Control & Identity Management, News
Suprema recently announced that it has integrated its latest facial recognition devices into Nedap's access control system, AEOS, to enable organisations to manage their access control by making use of Suprema’s latest facial recognition technology.

Single bollard stops and destroys simulated bomb truck
Issue 2 2021 , Access Control & Identity Management
Delta Scientific announced the successful testing of its Model DSC635, a single shallow foundation bollard design that stops and destroys a 6804 kg test truck with less than 0.6 m of static penetration and 1.87 m of dynamic penetration.

Size of OSDP-verified list is underappreciated
Issue 2 2021 , Access Control & Identity Management
Farpointe Data announced that, at first glance, it appears that there are just 25 devices from seven different vendors listed as OSDP Verified. Although that doesn't seem like a lot, it really is.

Mail.Ru selects HID Global
Issue 2 2021, HID Global , Access Control & Identity Management
HID Global announced that Mail.Ru has chosen its HID Mobile Access solution for secure and convenient access control using smartphones and other mobile devices.

Free technology to boost future careers
Issue 2 2021 , Cyber Security, Security Services & Risk Management
A global shortage of cybersecurity professionals has become so severe that companies are increasingly at risk from hacking and industrial espionage.

Dealing with farm attacks
Issue 2 2021, Technews Publishing , Editor's Choice, Integrated Solutions, Security Services & Risk Management, Agriculture (Industry)
Brutal farm attacks are unfortunately a common event in South Africa. Laurence Palmer suggests a proactive, community-based approach as the optimal way to prevent these heinous crimes from happening in the first place.

Paxton hires top talent in South Africa
Issue 1 2021, Paxton , News, Access Control & Identity Management
The international access control and video surveillance manufacturer, Paxton, announced it will continue to invest in new talent to accelerate expansion into the South African market.

Gallagher achieves UK cybersecurity standard
Issue 1 2021, Gallagher , Access Control & Identity Management, Cyber Security, Government and Parastatal (Industry)
The Gallagher UK CPNI CAPSS High Security System features compliances to the Cyber Assurance for Physical Security Systems (CAPSS) standard, and the Centre for the Protection of National Infrastructure (CPNI) Readers and Tokens standards.