Start with risk, not technology

Access & Identity Management Handbook 2015 Access Control & Identity Management, Security Services & Risk Management

All too often we are inundated with technical specifications, background information and conflicting arguments over what technology to adopt. The industry experts tender for this work and leave the responsibility with the end-user, who effectively accepts a list of ‘kit’ and not a solution that is designed or programmed to meet the original requirement. There is a need to become more objective and performance oriented.

This article looks to avoid the usual technological rhetoric approach and provide end users with a list of performance-based requirements that will leave the responsibility of providing the correct access solution with the system provider.

Before the scope of any system-based security technology solution can be considered, the starting point has to be the adoption of a pure risk management principles and practices approach.

This is the biggest area of opportunity and why so many organisations fail dismally when selecting the appropriate and applicable security technology solution that is needed to mitigate micro risks; they have failed from the outset to identify and quantify each risk in terms of:

* Exposure (which includes brand trust reputational risks),

* Severity,

* Frequency, and

* Probability.

Having completed one’s risk identification, one must then perform a risk analysis in order to determine the following before commencing with the risk control step:

* Which risks can be terminated?

* Which risks can be treated?

* Which risks can be tolerated?

* Which risks will be transferred (insurance)? Remember, insurance is the last leg of the process, not the first.

This critical process is far too often overlooked or oversimplified, yet it is the single most critical success factor. In order to ensure the limited funding available is spent effectively, one’s ROI is achieved and the intervention has the desired impact in preventing, reducing and maintaining risks to an acceptable level, one needs to perform quantifiable risk analysis.

Far too often this failure on the part of organisations to first adopt effective risk management principles and practices results in many organisations having to repeatedly revisit the poorly designed master security plan resulting from ongoing incidents being experienced after installing the security technology solutions. This subsequently results in the loss of confidence in security, loss of revenue, negative brand trust reputational exposure etc., and ultimately this poorly executed approach is not only costly, but extremely ineffective due to the piecemeal reactive and corrective approach.

In closing this matter, risk management requires the analysis of risk, relative to potential benefits, consideration of alternatives, and finally, implementation of what management determines to be the best course of action. Risk management consists of two primary and one underlying activity, risk assessment and risk mitigation being the primary activities.

Risk assessment: The process of analysing and interpreting risk comprises three basic activities:

* Determine the assessment’s scope and methodology.

* Collecting and analysing data involves: asset valuation, threat identification, consequence assessment, safeguard analysis, vulnerability analysis, likelihood assessment and interpreting risk assessment results.

Risk mitigation: This process involves the selection and implementation of security controls to reduce risk to a level acceptable to management.

* Selecting safeguards, accepting residual risk, implementing controls and monitoring effectiveness.

Addressing risks via access control layout and design

In order to develop a suitable, practical and appropriate security system for any organisation, it is essential to first develop a master security and life safety strategy. Defining your core business processes is the first step, which then allows one to identify essential resources and facilities that need protection. From here, as highlighted above, you must perform a risk assessment to identify the associated risks to these resources and focus on those you consider most likely to occur. The risk assessment will determine and quantify whether the chance of threat / risk is low, medium or high and what the exposure, frequency and severity of the risks are on the business.

Although the core elements of businesses may differ, they generally all have a number of processes capable of identifying and responding to attacks when they occur.

In saying this, there is a common tendency to look at security technologies as a quick fix to security risks. Effectively addressing and preventing security risks requires much more than getting the right technology and, as highlighted above, efforts fail when they neglect to adopt a holistic system-based approach when considering and designing access control.

There are five security principles that need to be considered when exploring the deployment of an access control solution.

Security Principle 1. “Delay without detection is not delay”

Consider a door fitted with a deadbolt lock, which would take an intruder some time to penetrate, where the alarm system first detects the intruder only when the door is opened. The time value of the lock as a delay barrier is several minutes; however, the moment the door is opened, the time value of the lock as a physical barrier is actually zero. If a homeowner, for example, is not at home, it would make no difference if the burglar took 5 minutes or 5 hours to get through the lock because delay without detection is not delay.

Security Principle 2. “Detection without assessment is not detection”

This principle is similar to that of an alarm system. First detection takes place. However, the detection process is not complete until assessment takes place. An effective access control system requires that the components of People and Procedures must be well articulated. Depending on the design, when configuring access control layers the response times could be very short periods at the point of detection. It must be noted that in order to meet the desired access control design standards, this will only be possible with a clear systematic approach.

Security Principle 3. “People make great assessors but poor detectors”

A common mistake is to assume the security personnel will be able to detect a threat in a sufficient amount of time to respond and deploy the final denial barriers. Often the required response times are too short. People do not make good detectors.

Security Principle 4. “Adversary Path”

There are a number of adversary paths / routes a burglar may take to gain access to a business. It is therefore important to identify and address the multiple adversary paths when designing one’s access control solutions.

Security Principle 5. “Critical Detection Point”

This is the culminating principle that borrows from the other four principles. Once one’s adversary paths have been identified, they must then be analysed by measuring the time it takes for the adversary to reach the asset / identified threat along with the probability of detection in order to determine the Critical Detection Point. If the adversary makes it past this point, it’s too late.
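The analysis described in Principles 1, 4 and 5, worked through for a single adversary path as an added example (not part of the original article). The element names, delays, detection probabilities and the 90-second response time are constructed figures, and the model assumes each sensor trips either before or after its barrier's delay and that detections are independent.

```python
from dataclasses import dataclass

@dataclass
class Element:
    name: str
    delay_s: float      # seconds the adversary needs to get past this element
    p_detect: float     # probability the sensor at this element detects them
    detect_first: bool  # True: sensor trips before the delay; False: only after

def analyse_path(path, response_s):
    """Return (cdp_index, p_interrupt) for one adversary path.

    response_s is the time from alarm to guards in position, including
    assessment. cdp_index is the last element where detection still leaves
    at least response_s of delay ahead of the adversary (None if there is
    no such element). p_interrupt is the chance of detection at or before it.
    """
    cdp_index, p_miss = None, 1.0
    for i, el in enumerate(path):
        # Delay that still lies ahead of the adversary once this sensor trips.
        remaining = sum(e.delay_s for e in path[i + 1:])
        if el.detect_first:
            remaining += el.delay_s
        if remaining < response_s:
            break                     # detection from here on is too late
        cdp_index = i
        p_miss *= 1.0 - el.p_detect   # adversary must evade every timely sensor
    return cdp_index, 1.0 - p_miss

# Constructed sample path, for illustration only.
def sample_path(door_detect_first):
    return [
        Element("perimeter fence", 10, 0.5, True),
        Element("yard (approach zone)", 30, 0.2, True),
        Element("deadbolted door", 180, 0.9, door_detect_first),
        Element("corridor", 20, 0.3, True),
        Element("asset cage", 60, 0.9, True),
    ]

if __name__ == "__main__":
    for first in (False, True):
        path = sample_path(first)
        cdp, p = analyse_path(path, response_s=90)
        print(f"door sensor trips before delay={first}: "
              f"CDP={path[cdp].name}, P(interrupt)={p:.2f}")
```

With the door sensor tripping only on opening, the lock's 180 seconds do not count and the Critical Detection Point falls back to the yard; moving detection ahead of the lock shifts it to the door.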

Crime Prevention Through Environmental Design (CPTED)

This is an essential discipline that is often overlooked. This principle outlines how the proper design of a physical environment can reduce crime by directly affecting human behaviour and has three main strategies:

Natural access control: This relates to the guidance of people entering and leaving a space by the placement of doors, fences, lighting, and landscaping including bollards, use of security zones, access barriers, and use of natural access controls.

Natural surveillance: This entails the use and placement of physical environmental features, personnel walkways, and activity areas in ways that maximise visibility. The goal is to make criminals feel uncomfortable and make all other people feel safe and comfortable, through the use of observation.

Territorial reinforcement: This is achieved by creating physical designs that highlight the company’s area of influence to give legitimate owners a sense of ownership and is accomplished through the use of walls, lighting, landscaping, etc.

In conjunction with the above principles, it is critical that the zone layout and design also be considered. This can be divided into four primary zones:

* Approach zone

* Access control zone

* Response zone

* Safety zone

Generally speaking, the detection elements must be placed in either the approach or access control zone, so as to ensure the guard force has the time needed for alarm, assessment and response.

All these components take time, and the engineering and design will be directly affected when calculating the response times. Do not forget that this will also have a direct impact on where the final barriers will be placed. Remember, if they are too close behind the access control zone, one’s guard forces will not have sufficient time to respond to the threat.

When one looks at the three primary zones in the zone corridor, one can begin to understand how critical these security principles are relative to access control point layout and design.

Lastly, based on the above application of the risk process, principles and zone configuration, the effects of the different design elements to deter, deflect, delay, detect and response models will assist in determining the required subsystems – alarms, barriers, surveillance, EAS, smoke cloak, audio, lighting etc., in order to provide the most cost-effective vulnerability solution.

It must be noted that in order to be successful, a systems approach will always include a combination of personnel, equipment and procedures. Herein lies an additional issue, in respect of the people element (poorly selected, poorly paid, poorly trained or poor retention), plus in many instances little or no procedures are in place.

Life cycle planning

The following are typical phases of life cycle planning that are often poorly executed and/or not considered:

Initiation phase

* Prepare and define the master access control security plan to ensure it supports the mission of the organisation.

* Develop a visible access control programme policy that is consistently supported by management, which must address the organisation’s strategic direction, assign responsibilities, and include a compliance programme.

* Conduct a sensitivity assessment.

Development/acquisition phase

* Determine security requirements and specifications.

* What are the system and related security activities?

Implementation phase

* Install/turn-on controls.

* Security testing.

* Accreditation.

Operation/maintenance phase

* Security operations both on and off line, assurance and administration.

* Ensure the SLA addresses support, turnaround times, assured supply, defined response times, etc.

* User training.

* Audits and monitoring.

Staffing and user administration

* Position definition, separation of duties and least privilege.

* Determining position sensitivity.

* Screening and employee training and awareness.

* User account management and audit and management reviews.

* Detecting unauthorised/illegal activities.

* Termination.

Business plan priorities

Develop scenarios to identify and analyse the resources needed, to determine whether there is any overlapping of common areas plus resources that can be used, and the time frame needed. This will include recovery, resumption, implementation, test and revise plan in order to determine ability to respond quickly and effectively so as to contain, repair damage and prevent future damage.

Address awareness and training strategies. Identify the programme scope, goals, and objectives. This includes:

* Identifying target audiences.

* Administer, maintain and evaluate the programme.

Evaluate physical access controls and fire safety factors, including the failure of supporting utilities and other environmental issues such as plumbing leaks and security concerns about possible interception of data, protection of security hardware, etc.




