7,980 792 3MB
Pages 413 Page size 525 x 750 pts Year 2006
This page intentionally left blank
Strategic Security Management
This page intentionally left blank
Strategic Security Management A Risk Assessment Guide for Decision Makers
Karim H. Vellani
AMSTERDAM • BOSTON • HEIDELBERG • LONDON NEW YORK • OXFORD • PARIS SAN DIEGO SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO Butterworth-Heinemann is imprint of Elsevier
Acquisitions Editor: Pamela Chester Acquisitions Editor: Jennifer Soucy Assistant Editor: Kelly Weaver Marketing Manager: Christian Nolin Project Manager: Jay Donahue Cover Designer: Eric DeCicco Compositor: SNP Best-set Typesetter Ltd., Hongkong Cover Printer: Phoenix Color Corp. Text Printer/Binder: The Maple-Vail Book Manufacturing Group Butterworth–Heinemann is an imprint of Elsevier 30 Corporate Drive, Suite 400, Burlington, MA 01803, USA Linacre House, Jordan Hill, Oxford OX2 8DP, UK Copyright © 2007, Elsevier Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Permissions may be sought directly from Elsevier’s Science & Technology Rights Department in Oxford, UK: phone: (+44) 1865 843830, fax: (+44) 1865 853333, E-mail: [email protected]. You may also complete your request on-line via the Elsevier homepage (http://elsevier.com), by selecting “Support & Contact” then “Copyright and Permission” and then “Obtaining Permissions.” Recognizing the importance of preserving what has been written, Elsevier prints its books on acidfree paper whenever possible. Library of Congress Cataloging-in-Publication Data Application submitted British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library. ISBN 13: 978-0-12-370897-7 ISBN 10: 0-12-370897-4 For information on all Butterworth–Heinemann publications visit our Web site at www.books.elsevier.com Printed in the United States of America 06 07 08 09 10 11 10 9 8 7 6 5 4 3 2 1
Working together to grow libraries in developing countries www.elsevier.com | www.bookaid.org | www.sabre.org
This book is dedicated to those who protect. Whether you protect your family, your organization, or your country, you don’t always get the praise you deserve or the resources you need, but you always remain strong in the face of new threats and challenges. I hope this book makes your job a little easier.
This page intentionally left blank
Table of Contents
About the Author, ix Contributing Authors, xi Acknowledgments, xv Introduction, xvii
Chapter 1:
Data-Driven Security, 1
Chapter 2:
Asset Identification and Security Inventory, 11
Chapter 3:
Threat Assessments, 27
Chapter 4:
Crime Analysis, 51
Chapter 5:
Vulnerability Assessments, 85
Chapter 6:
Risk Assessments, 109
Chapter 7:
Information Technology Risk Management, 133
Chapter 8:
Prevention, 159
Chapter 9:
Security Measures: Policies and Procedures, 173 vii
viii
Table of Contents
Chapter 10: Security Measures: Physical Security, 183 Chapter 11: Security Measures: Deploying Physical Security, 217 Chapter 12: Security Measures: Personnel, 231 Chapter 13: Project Management, 251 Chapter 14: Premises Security Liability, 265 Chapter 15: Forensic Security, 285 Chapter 16: Ethics in Security Consulting, 305 Appendix A: Certified Security ConsultantSM Code of Ethics, 319 Appendix B: Best Practice #2, Forensic Methodology of the International Association of Professional Security Consultants, 323 Appendix C: Risk Assessment Report, 327 Appendix D: Crime Analysis Reports, 343 Bibliography, 357 Recommended Reading, 361 Index, 375
About the Author
Karim H. Vellani is the president of Threat Analysis Group, LLC, an independent security consulting firm. Karim is board certified in security management (CPP) by the American Society for Industrial Security—International, and board certified as an independent security consultant (CSC) by the International Association of Professional Security Consultants. He holds a Master’s Degree in Criminal Justice Management from Sam Houston State University in Huntsville, Texas. As an independent security management consultant, Karim has extensive experience in risk and security management and provides security consulting services to government, commercial, and industrial clients. Recently, he developed unique risk assessment methodologies for specific industries and clients. That practical experience forms the basis for some of the knowledge in Strategic Security Management. Karim has also developed a crime analysis methodology that utilizes the Federal Bureau of Investigation’s (FBI) Uniform Crime Report coding system and a software application called CrimeAnalysis™. The methodology was first published in another book entitled Applied Crime Analysis and is available from the publisher, Elsevier Butterworth-Heinemann. Since developing the crime analysis methodology, Karim has assessed crime threats at thousands of facilities. As an adjunct professor at the University of Houston—Downtown, Karim teaches graduate courses in Security Management, Risk Analysis, and Security Law for the College of Criminal Justice’s Security Management Program.
ix
This page intentionally left blank
Contributing Authors
Norman D. Bates Norman D. Bates, Esq., is a nationally-recognized expert in security and the law. As the president and founder of Liability Consultants, Inc., he provides security management consulting services to private industry, as well as courtcertified expert witness services nationwide to both plaintiff and defense firms in civil cases regarding inadequate security, negligent hiring or training, and workplace violence. A frequent media spokesman, Mr. Bates has been interviewed and commented on current news stories regarding crime and liability for ABC’s 20–20, CBS News, NBC Nightly News, The Tonight Show, The Wall Street Journal, The New York Times, U.S. News and World Report, USA Today, and Security magazine. In standards development, his work includes his contribution as a past member of the Commission on Guidelines for ASIS International that published the ASIS General Security Risk Assessment Guideline in 2003. He regularly presents seminars on civil liability issues and has authored numerous articles and books on the subject. Actively involved with the drafting of various legislation, Mr. Bates authored a bill on criminal stalking in Massachusetts that was passed into law in 2000. Formerly, he was an assistant professor of Criminal Justice at Northeastern University in Boston and director of Security and Legal Counsel to the Saunders Hotel Corporation. He received his Juris Doctor degree from Suffolk University and a Bachelor of Science degree in Criminal Justice from Northeastern University. He is a member of the Massachusetts Bar, the International Association of Professional Security Consultants, the Association of Trial Lawyers of America (ATLA), the Defense Research Institute (DRI), the National Crime Victim Bar Association, and ASIS International.
xi
xii
Contributing Authors
James H. Clark James H. Clark, CPP, is managing partner of Clark Security Group, LLC, a Cleveland-based independent security consulting firm. For the past 15 years, Mr. Clark has provided security consulting advice to corporations, institutions, and government agencies throughout the United States and on four continents. He is a member of the International Association of Professional Security Consultants, ASIS International, and the International Federation for Cultural Properties Protection. He has been a contributing author to the Effective Security Officer Training Manual, Ralph F. Brislin, ed. (Butterworth-Heinemann, 1994); Security Consulting, Charles A. Sennewald, ed. (ButterworthHeinemann, 2004); the IAPSC’s Forensic Methodology for Security Consultants, 2000; and he has published various articles and white papers on risk-reduction strategies. Brian Gouin Brian Gouin, PSP, CSC., is an independent security consultant and owner of Strategic Design Services, LLC, Portland, Connecticut, and member of the American Society for Industrial Security—International (ASIS), International Association of Professional Security Consultants (IAPSC), National Fire Protection Association (NFPA), and National Association of Chiefs of Police. He is also a Professional Certification Committee member for IAPSC and belongs to the Item Development Group, Professional Certification Board, ASIS. He is board certified in physical security by ASIS and board certified as an independent security consultant by IAPSC. Karl F. Langhorst Karl F. Langhorst, CPP, director, Loss Prevention Randalls & Tom Thumb Food and Pharmacy, is a member of the American Society for Industrial Security—International (ASIS), Board member for Crime Stoppers of Houston, and former member of the Food Marketing Institute (FMI) Loss Prevention Committee. He received his Bachelor of Political Science from the University of Texas at Arlington. An author and a frequent speaker on various loss prevention topics including physical security and organized retail theft, he is board certified in security management by ASIS; licensed as a master peace officer, and an instructor and investigative hypnotist by the Texas Commission on Law Enforcement Officer Standards and Education (TCLOSE). Charles A. Sennewald Charles A. Sennewald, CPP, CSC, CPO, is a popular seminar leader and speaker, and now retired independent security management consultant in Escondido, California. He was formerly security director for the Broadway Department Stores; chief of campus police, The Claremont Colleges, Clare-
Contributing Authors
xiii
mont, California; deputy sheriff, Los Angeles County; and assistant professor at California State University at Los Angeles. He was the founder and first president, International Association of Professional Security Consultants (IAPSC), and former Standing Committee chairman and member of the American Society for Industrial Security. Recipient of Security World magazine’s Merit Award and the IAPSC’S Distinguished Service Accolade, he was twice designated by the U.S. Department of Commerce as the security industry representative on missions to Sweden, Denmark, Japan, China, and Hong Kong. He received his Bachelor of Science degree from California State University at Los Angeles. He is also the author and/or co-author of various Butterworth-Heinemann-Elsevier books: Effective Security Management, 4th ed.; The Process of Investigation, 3rd ed.; Shoplifting, Security Consulting, 3rd ed.; and Shoplifting: Managing the Problem, published by ASIS International. He has also authored Shoplifters vs. Retailers, the Rights of Both, and the novel The Last Volkswagen, both through New Century Press. Nick Vellani Nick Vellani, CISSP, CISA, CSC, is an information security and information technology audit professional; adjunct professor, College of Criminal Justice, University of Houston Downtown; and member of the Information Systems Audit Control Association (ISACA) and the Information Systems Security Association (ISSA). He is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified Security Consultant (CSC). He received his Bachelor of Business Administration degree in Computer Administration, Houston Baptist University, and his Master of Business Administration from Houston Baptist University.
This page intentionally left blank
Acknowledgments
I’d like to thank my family for supporting me throughout the writing of this book, especially my wife and daughter. They put up with me as I locked myself in my office for hours on end, often late into the night, and tapped away (usually the delete key) on the keyboard. The depth of this book would not have been possible without the help of the contributing authors who bring an extraordinary amount of knowledge and expertise to their respective chapters. Thank you, gentlemen. Last but not least, my thanks to Francis Michael Johanssen who assisted with my research efforts and provided much needed criticism of my work as it progressed. Cheers.
xv
This page intentionally left blank
Introduction
If you picked this book up, you’re probably looking for more than the beginner’s guide to security. Strategic Security Management is unique in that it fills the need for a definitive text on security best practices, introduces the concept of analysis for security decision making, and discusses advanced threat, vulnerability, and risk assessment techniques that you can apply to your organization’s security program. You’ll learn how to enhance a security program using security metrics to gain a true understanding of the problem instead of relying upon gut instinct or anecdotal evidence. This book will also teach you how to use security metrics to select and implement countermeasures and fine tune the program to ensure constant improvement and continual effectiveness. The primary reason I wrote this book is simple: After searching many online and offline bookstores, I couldn’t find a book that went beyond the security basics in a practical manner. No doubt, you’ve read plenty of great books written by security practitioners and others written by visionaries and theorists, but there wasn’t that one book that brought it all together. Thus, the goal of Strategic Security Management is to bridge the gap between theory and reality, so to speak, on data-driven security and metric-based security decision making. Security metrics are woefully lacking in our industry today but are commonly used tools in other industries, including our cousins in the information technology security industry. With the goal of bridging that gap, Strategic Security Management is written for three groups of people: security professionals; other professionals responsible for making security decisions; and security management and criminal justice students. For security professionals, those who carry the titles of vice president of security, security manager, or security consultant, Strategic Security Management expands upon the collective body of knowledge in our industry and provides you with a fresh perspective on the risk assessment process. It will also
xvii
xviii
Introduction
give you some food for thought on the more controversial and complex issues of our business. Other readers who will benefit from this book are those professionals who do not hold a traditional security title, such as security director or loss prevention manager, but are nonetheless charged with protecting their organization’s assets. Your title may be facility director or property manager. As long as you make the security decisions for your company, Strategic Security Management makes the decision-making process easier. Security management and criminal justice students will find that Strategic Security Management gives some insight into the diverse business that is security. You’ll read (or should I say skim?) many security books that will teach you the basics needed to perform entry-level responsibilities in this industry. Conversely, this book provides the foundation needed to climb the next step up the corporate ladder. This book uses the term security decision maker largely to refer to anyone responsible for making decisions relating to security. The term security professional is also used when the issue under discussion is complex or a newer security concept. The structure of Strategic Security Management follows the standard risk assessment methodology, diagrammed in Figure I-1, and adds some unique chapters that will help you constantly improve your security program. Chapter 1, Data-Driven Security, sets the tone for the rest of the book with its discussion of a relatively new security concept, using data to drive the security program. Only recently have security professionals started using quantitative data to determine appropriate security levels. This chapter provides some of that food for thought mentioned above as well as a “how-to” for developing security metrics. Chapter 2, Asset Identification and Security Inventory, discusses the first two steps of the risk assessment process—the identification and categorization of organizational assets and the itemization of existing security measures. CritiTAG's Risk Assessment Process® Asset Identification
Policies & Procedures
Current Security Measures
Physical Security
Security Personnel
Threat Assessment
Crime Analysis
Vulnerability Assessment
Risk Assessment
Cost Benefit Analysis
Report and Recommendations
Figure I-1. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
Introduction
xix
cal assets, those that are integral to the organization’s mission, are the focal point of the first half of this chapter, while three types of security measures are discussed in the latter half. Also included in this chapter is a list of definitions, provided so that we all speak the same language as we progress through the book. Chapter 3, Threat Assessments, should be an exciting section for most readers . . . well, as exciting as it gets for professional books. The goal of this chapter is to illustrate the dynamic nature of threats that organizations deal with on a daily basis as well as the high impact threats that we face less frequently, but can have a detrimental impact on the assets and organizations we protect. Chapter 4, Crime Analysis, is a component of a comprehensive threat assessment and the first major expansion on the crime analysis methodology published in Applied Crime Analysis. I’ve learned a lot since I originally outlined that book in 1999, and the security industry has advanced further toward the data-driven security concepts developed during the intervening years. If you read Applied Crime Analysis, you will add to that knowledge by reading this chapter. If you did not read it, well, that’s a dollar in royalties I didn’t earn. Fear not, I included an overview of the original material for you before getting into the new stuff. Chapter 5, Vulnerability Assessment, is the fourth step in the risk assessment process. Much like the rest of this book, this chapter presents material not found in any other security text. Basically, a “how-to” for conducting security surveys, this chapter also helps you put together a vulnerability assessment team and write effective vulnerability assessment reports. Chapter 6, Risk Assessment, wraps up the process of assessing your organization’s risk once you have identified the existing and emerging threats and the vulnerabilities at your facilities. Both quantitative and qualitative risk models are considered. Chapter 7, Information Technology Risk Management, is a primer for physical security professionals and others who have never delved into the world of information systems. Contributing author, Nick Vellani, is a certified information systems security professional (CISSP), a certified information systems auditor (CISA), and a certified security consultant (CSC). Nick wrote this chapter specifically for those of us, physical security professionals, with limited experience with information technology and information systems security. It’s an important chapter now that the information technology security and physical security industries are coming together through the process of convergence. Chapter 8, Prevention, provides some insight into why we do the things we do in the business of security. Don’t worry: While it does cover the theoretical foundation of security concepts, nine out of ten readers agree that it’s not boring. Ever hear the term criminal mastermind? This chapter discusses the ideas cultivated by the prevention masterminds.
xx
Introduction
Chapters 9 through 12 discuss the three types of security measures used in the protection of assets. Chapter 9, Policies and Procedures, covers the different types of written documents used to support a security program and the importance of documentation. Chapter 10, Physical Security, is written by Brian Gouin, a physical security professional (PSP) and a certified security consultant (CSC). Brian utilizes his vast technological experience to identify the function and application of physical security measures employed in the security industry today. This chapter will help you select effective measures for your security program. Chapter 11, Deploying Physical Security Measures, covers (you guessed it) the deployment of physical countermeasures. Written by Karl Langhorst, a certified protection professional (CPP), this chapter goes in depth into the implementation phase of a security program from an end user’s perspective. Karl is a true professional, and you’ll get a lot out of his chapter. Chapter 12, Personnel, discusses the most expensive component of any security program, the security force. This just might be the most debated chapter in Strategic Security Management in that I present some ideas that are contrary to what has been accepted for years in our business. You’ll learn about metricbased deployment of security officers, the pros and cons of using police officers for security purposes, and why we need to increase the level of professionalism among our line personnel. Chapter 13, Project Management, was added to the book’s topic list after working with other independent security consultants on some rather large projects. One of the toughest things to do for most independent consultants is to get out of the way of the guy designated as project manager. However, consultants are not the only audience for this chapter. It is written for any security decision maker charged with implementing a new security project or upgrading an existing security program. Chapter 14, Premises Security Liability, is written by Norman Bates, a wellrespected security professional and attorney. Norm is not like other lawyers, he’s actually a pretty good guy. Some of you might be familiar with his company’s ongoing study, Major Developments in Premises Security Liability. If you are, then the concepts in this chapter may be familiar to you as he draws upon that work and others to help us understand the liability risks we face every day. Chapter 15, Forensic Security, is written by my good friend Charles A. Sennewald. Chuck’s name should be familiar to most security readers because he has written a lot of security books, including two that are on the CPP reference list. He is also a certified protection professional (CPP), a certified security consultant (CSC), and founded the International Association of Professional Security Consultants (IAPSC). Needless to say, this chapter is worthwhile reading for security professionals, especially those who testify as expert witnesses or on behalf of their employers in premises security litigation.
Introduction
xxi
Chapter 16, Ethics in Security, is written by James Clark. Jim is also a certified protection professional (CPP) and has served on the IAPSC’s Ethics Committee. Always up for a good ethical debate, Jim has strong feelings on the subject and has shed some light on the practical side of business ethics, especially as it pertains to the security industry. This chapter will benefit not only independent security consultants, but also those security decision makers who hire them. So that’s the overview, 16 chapters of new concepts, food for thought on older security principles, and advanced techniques that I am confident will assist you in your job as a protector. Soon after Applied Crime Analysis was published in early 2001, I remember wishing that I had the ability to add material to that book in a timely fashion. Of course, it’s hard to do that with a printed book. So for this book I decided to add a companion website, www.ssminfo.com, where I will provide links to other helpful resources and update the information as the industry marches forward toward data-driven security. I may even add a message board so that we can talk in real time and let others join in on the fun. In the meantime, I have set up a special e-mail account for you to contact me. Feel free to reach me in cyberspace to discuss (or argue) a point in the book or if you think I should add something to the website. The e-mail address is [email protected]. One last thought before we dive into the first chapter. While researching this book, I sought out the wisdom of others and came across a quote by William O. Douglas which I think captures the essence of Strategic Security Management: “Security can only be achieved through constant change, through discarding old ideas that have outlived their usefulness and adapting others to current facts.” I think that pretty well sums up the intent of this book. Grab a cup of java and read on.
This page intentionally left blank
Chapter 1
Data-Driven Security
In this chapter . . .
Need for Data-Driven Security Security Metrics Data-Driven Assessments TAG's Risk Assessment Process® Asset Identification
Policies & Procedures
Current Security Measures
Physical Security
Security Personnel
Threat Assessment
Vulnerability Assessment
Crime Analysis
Risk Assessment
Cost Benefit Analysis
Report and Recommendations
Figure 1-1. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
Data-Driven Security What cannot be measured cannot be managed. This is a commonly accepted business paradigm, yet its acceptance is not as far reaching within the security industry as it is in other industries. Simply put, data-driven security refers to using measurable factors to drive a security program. While not all elements
1
2
Strategic Security Management
of a security program lend themselves to measurement, many components can be measured effectively. For example, physical protection systems are measured via penetration times, and barriers are measured using delay and defeat times. Other security components can be measured, though not mathematically, including morale of protection forces. Some would argue that security is more of an art than a science. While they are correct, the business of security is not an art per se. The security department is a business unit not unlike other business units within a company that must justify their existence. The higher security moves up the corporate ladder, the more challenges the security director will face and the more business acumen will be required. Given the security industry’s growth out of public law enforcement, it is no surprise that it has taken the industry this long to develop into a full-fledged corporate entity. With this growth comes the need to depart from the police mentality. Twenty years ago, most security directors were retired law enforcement agents who made the jump to private security as a way to supplement their retirement income. This has proven to slow the growth of security within the corporate hierarchy, but it was probably a necessary step in the history of the industry. This is not to say that retired law enforcement personnel do not have a place in the security industry. To the contrary, many have proven to be exemplary business security leaders who have made significant leaps for the security departments in their companies. As the security industry grows to include not only physical security, but also information technology security, it is incumbent upon today’s security directors to focus more on the business than operational side of security. This necessity is best summarized by the world’s leading security association, ASIS— International, in its Chief Security Officer Guideline: Today’s business risk environments have become increasingly more severe, complex, and interdependent, both domestically and globally. The effective management of these environments is a fundamental requirement of business. Boards of Directors, shareholders, key stakeholders, and the public correctly expect organizations to identify and anticipate areas of risk and set in place a cohesive strategy across all functions to mitigate or reduce those risks. In addition, there is an expectation that management will respond in a highly effective manner to those events and incidents that threaten the assets of the organization. A proactive strategy for mitigation of the risk of loss ultimately provides a positive impact to profitability and is an organizational governance responsibility of senior management and governing boards. The guideline goes on to discuss the role of the chief security officer (CSO) as a business leader, a problem solver, as well as an expert in security for their company. Interestingly, the guideline also suggests that the CSO’s background
Data-Driven Security
3
includes business, not law enforcement, since the CSO’s key responsibility “is to develop and implement a strategy that demonstrates the processes in understanding the nature and probability of catastrophic and significant security risk events.” As the company security departments grow and begin to encompass more responsibility for the protection of people, property, and information, so too must the ability to fall back on empirical data to support our position. No longer can security professionals rely solely on gut instincts. Too often recommendations from the security department are presented with little or no thought to why certain procedures or security equipment should be used. Often, a security measure is deployed because other companies are doing it. It is all too common in the security industry for there to be a propensity for using certain security measures without complete understanding of the problem or a thorough analysis of the security measures’ ability to be effective in a given situation. Data-driven security can help security directors overcome this problem by identifying key concerns, the specific security measure’s ability to solve the problem, and the anticipated cost. How can security professionals justify to senior executives a sizable and usually growing annual security budget? By now, most security directors are keenly aware that a security program’s success depends on the commitment and support, or buy-in as it is commonly known today, of senior executives. Using anecdotal evidence to justify spending on physical security measures and costly protection personnel no longer suffices. A data-driven security program helps management understand that security is more than a must-have expense; it justifies costs to management by showing the proof of success that, when presented effectively, can garner the necessary buy-in from upper management and demonstrate a convincing return on investment. Security expenditures, just like other departmental budgets, need to be justified with empirical data and supplemented with cost-benefit analyses and comparisons. Throughout the first part of this book, various assessments used in the security industry are discussed, including threat, vulnerability, and risk assessments along with specific types of assessments such as crime analysis. Common to each of these assessments is a quantitative approach to establish a baseline from which security effectiveness can be measured. Assessments are the foundation on which a security program is built by establishing a baseline of risks that companies face. They guide the strategic planning and design of countermeasures intended to mitigate those risks. Such a logical approach brings benefits that are unattainable with qualitative assessments, which are still used throughout the public and private security sectors. While qualitative assessments cannot be abandoned, their use should be limited to those instances where quantitative ones cannot be used for lack of measurable elements. Thus, physical security is, and shall remain, more of an art than a science, though science can be infused into an otherwise abstract industry.
4
Strategic Security Management
I don’t care how skilled you are as a diplomat or how brilliant you are at leading, if you are not professional about security, you are a failure. —U.S. Secretary of State Madeline Albright
Security Metrics Between September 2001 and the writing of this book in April 2006, the United States suffered no major terrorist attacks. Although this fact makes for a great sound bite for political talking heads, it is not an accurate metric of the true threat faced by the United States. A more appropriate metric would be the number of attacks thwarted since September 2001 or the number of arrests made of known terrorists. When providing asset protection, accurate measurement of security effectiveness can have a profound impact on management’s level of support for the security department. As we have discussed, a common paradigm in business is that an activity cannot be managed if it cannot be measured. Security is one such activity. Security metrics communicate vital information about security activities and drive decision making. Metrics for various security components, such as the protection force or access control system, can be an effective tool for security professionals to understand the effectiveness of the overall security program. Metrics, as previously mentioned, may also identify risk based on failures or successes of security components, and can provide solutions to security problems. Security metrics focus on the results of security decisions such as a reduction in thefts after implementation of a CCTV system, an increase in visibility after a change in security officer uniforms, or a reduction in terrorist acts as a result of terror cell arrests. Security metrics help define how secure we are. They assist security professionals in answering basic questions posed by management, such as:
Are company assets protected? Which assets need more protection? Can the asset protection program be improved? What resources should be allocated to security? How does our company compare to others? Are we reducing our liability exposure?
The National Institute of Standards and Technology (NIST) defines metrics as tools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. Thus, security metrics assist security professionals in making asset protection decisions through the measurement of performance-based characteristics of security components. Simply stated, security metrics are tools used for measuring a company’s security posture.
Data-Driven Security
5
For the security metrics to be accurate, security professionals must have two elements in the metrics model: 1. Proper performance data for the specific countermeasure under evaluation. 2. An appropriate baseline from which to compare. Baseline measurements are often difficult to obtain, especially in the business of security where companies are, out of necessity, secretive about their protection systems. In recent years, security industry associations such as ASIS—International, the National Fire Protection Association, and the International Association for Professional Security Consultants have promulgated standards, guidelines, and best practices. In addition to published and accepted industry standards, the courts have outlined baselines of measurement for the security industry. An example is a Texas Supreme Court case, Timberwalk v. Cain, which outlines the specific factors necessary for establishing foreseeability of crime in premises liability lawsuits. In Timberwalk, the court set forth five criteria for measuring the risk of crime: recency, proximity, publicity, frequency, and similarity of past crimes. An example of crime metrics legislation is the 1996 Illinois Automated Teller Machine Act (ATM). Section 20 of the Act provides procedures for evaluating the safety of ATM regarding “the incidence of crimes of violence in the immediate neighborhood of the ATM.” Texas has a similar ATM Safety law which requires that financial institutions collect crime metrics. Thus, the professional security practitioner will stay abreast of industry standards and the law. While laws must normally be reasonably followed, security professionals may fine-tune published industry standards to meet the needs of their company. In addition to establishing a baseline for comparing company metrics, metrics are also used to justify budgets, provide data for decision making, and improve security practices. Metrics can be used to justify budgets and provide the basis for obtaining additional monies for the security department. Security metrics may be plugged into cost-benefit analyses to identify the need for various security components. For security decision making, metrics can unveil trends and patterns in the security program’s performance from which security decision makers can make decisions to modify the program. For example, once a physical protection system is alerted of an intruder, security force personnel normally respond. By measuring the time needed to respond from the security officer’s fixed post to the breached access point, the security decision maker can determine if the response time is adequate or if another post needs to be established closer to the access point. Finally, metrics assist in the development of good security practices. An example may be found in the use of security personnel to provide escorts for company personnel exiting the building to the parking areas. Although this is a common practice in some companies, an analysis of security
6
Strategic Security Management
incidents during peak times may indicate a sharp increase in security breaches because security personnel are distracted from their primary protection duties while escorting personnel. In this instance, the value of providing escorts must also be considered in determining the company’s security practices.
SMART Metrics Good metrics are attainable when security professionals strive for metrics that are SMART—Specific, Measurable, Actionable, Relevant, and Timely. Specific—a metric must measure a specific variable. Measurable—a metric measures what is measurable. Not all components of a security program are measurable. For example, morale among security forces is often “measured” but not in a quantitative manner. Actionable—a metric should not measure variables that cannot be acted upon. If a security decision maker cannot remedy a problem, there is not much sense in wasting time on that variable. Relevant—a metric that fails to provide any information to improve the security program should be avoided. If the metric cannot tell us where we can improve, it is not relevant. Timely—metrics have expiration dates. Historical data are an excellent indicator of the future; however, the older the data, the less important they may be. A metric system incapable of assessing the latest data is useless. As discussed in the introduction to security metrics, the number of attacks against the country or the number of crimes at a location may not be the best indicator of an effective security program. While luck does play a part in the protection game, there are other factors that can be measured in answering the question of how secure we are. To develop a security metrics system, security professionals can adapt the Six Sigma methodology used to eliminate defects. The author has successfully implemented a variation of this methodology for use with protective forces within the federal government. The methodology involves seven steps that may be easily modified for our use in security metrics: 1. 2. 3. 4. 5. 6. 7.
Define the metrics system goals. Decide what metrics to generate. Develop strategies for generating the metrics. Establish benchmarks. Develop a metrics reporting system. Develop and implement an action plan. Create a formal system review cycle.
Data-Driven Security
7
Going through each step in detail should enable security professionals to adapt the methodology to their needs. The only security is the constant practice of critical thinking. —William Graham Sumner Step 1: Define the metrics system goals. Critical in today’s business environment is the need to set performancebased goals. Setting high, yet reasonable, goals during the development of a security metrics system is a necessary step. The goals should be well-defined and based on the needs of the security department, though continued refinement of the goals while moving through the seven steps is acceptable. Each goal should clearly state the desired result to which all metrics collection and analysis efforts are directed. An example of a metric goal within the personnel department of a security program is, “The response time metric shall clearly communicate to supervisors the average time needed for a security officer to patrol and secure the fifth floor office space.” Step 2: Decide what metrics to generate. Deciding what to measure is crucial to an effective metrics system. As referenced earlier in this chapter, during the five-year period covered since the September 11, 2001 attack and the writing of this book, the United States has suffered no major terrorist attacks. This is obviously good news, but it is not a true measure of our vulnerability. Thus, Step 2 is to identify the specific security components or practices that have kept us free from terrorism. One example of this is the number of arrests of known terrorists within U.S. borders. Another example may be the number of attacks thwarted due to intelligence efforts. Step 3: Develop strategies for generating the metrics. Collecting the data for metrics can be a daunting task. The security professional’s strategy for data collection should identify the source of information and the frequency with which that raw data is collected by the source. It is not uncommon for a security decision maker to require data from other departments. Successful identification of the sources is key to a sound metrics program. An example can be found in crime analysis. Security decision makers often use traffic levels at a facility to calculate the crime rate at that facility. While the security department itself typically does not have any way to determine how many people pass through a facility in a given day, month, or year, other departments normally do have this data. The security professional must therefore seek out that source and ensure that the data meets the quality control requirements of the metrics system. Step 4: Establish benchmarks. As we have noted, there are both industry benchmarks and internal benchmarks from which to compare. Benchmarking may be defined as the process
8
Strategic Security Management
of identifying and adapting outstanding security practices from organizations within the industry for the purpose of improving company security practices. In the crime analysis field, the author has had the opportunity to evaluate both internal and external crime reporting systems at many companies. With this information, the author has been able to improve the reporting systems for one client based on the system at another company. Step 5: Develop a metrics reporting system. The collection and analysis of metrics is not enough to improve the security program. The system must also include a reporting component whereby those who carry out the line function can work to improve their work. Effective communication is vital to the metrics system. The frequency, content, and method of dissemination of reports should also be established at this step. Continuing the example used in Step 1, collecting and analyzing response times does not in itself correct the problem. The security department must communicate the results to line personnel supervisors so that corrective action can be taken. Step 6: Develop and implement an action plan. A security metrics action plan guides the users toward the end result. The plan identifies and defines all tasks required for the metrics system to be effective, as well as a time line of events leading up to reporting of metric results. The plan should be written and available to everyone involved in the program. Step 7: Create a formal system review cycle. Similar to the business environment, security is dynamic and must be adjusted to the needs of the day. A formal system review at regular intervals ensures that the security department is measuring what it should be measuring. With time, things change and more security components may be added to a security program which require metrics generation, while other components are removed and no longer require metrics. Developing a security metrics system is time consuming, but can prove to be a panacea for a security department. The methodology outlined here makes the process easier and should be adapted to meet the security department’s needs. The incentive for this project is that the resulting security program will not only be effective within the company, but may also be regarded as the benchmark by other organizations.
Data-Driven Assessments This section briefly introduces the reader to the various definitions and tools used throughout the remainder of this book. Each topic presented in the following paragraphs will be discussed in depth in later chapters. Among the more commonly used terms are threats, vulnerabilities, and risks. Although various definitions are used in the industry and many people use these terms interchangeably, this book will attempt to clarify the differences among definitions.
Data-Driven Security
9
Generally speaking, threats are things that can go wrong or that attack the system. Examples include natural disasters and people. Vulnerabilities are those things that make the facility more prone to attack by the threats. Vulnerabilities are exploited by threats. For example, a lack of access control may be a vulnerability that can be exploited by a person. Risk is a function of threats and vulnerabilities. Countermeasures are things that reduce or block opportunity for threats to exploit vulnerabilities. They are preventive in nature. An access control system is a countermeasure that can block entrance by a threat. Whether security assessments are vulnerability, threat, or risk assessments, the primary goal should be to make the process as objective as possible. The two types of assessments are quantitative and qualitative; both can and should be utilized depending on the scenario. Qualitative assessments, on one hand, are normally used when the assets in need of protection are of lower value or when data is not available. The results of qualitative assessments depend on the assessment skills of the people involved in the assessment. Risk levels are normally given in abstract values such as high, medium, or low, or they are color coded as in the Homeland Security Advisory System. Quantitative assessments, on the other hand, are metric based and assign numeric values to the risk level. Overall risk levels are derived from all available security metrics. In a physical protection system, for example, the metrics used in determining the risk level include the threat level, probability of detection, delay times, and response force times. Quantitative assessments are commonly used for the protection of business critical or high-value assets. Threat assessments, as discussed earlier, identify things that can go wrong or that attack the system. When focused on the people threat, threat assessments ask who the bad guys are. Today, more than ever, racial profiling has come to the forefront of the public’s attention. Since the September 11 attacks, Arabs have come under greater scrutiny much as was the case with the Japanese during World War II. Without getting into the politics of this issue, it is safe to say that racial profiling is a form of threat assessment. Crime analysis, as discussed in depth in the following chapter, is a type of threat assessment that focuses on third-party crimes. Vulnerability assessments identify weaknesses in a security program without regard to the threats. Vulnerability assessments are common in business continuity planning where loss of assets is considered. The U.S. military has a number of declassified documents that outline vulnerability assessments. One such document is the United States Army Training and Doctrine Command Regulation 525-13 for Force Protection Programs (FPP). Vulnerability assessments may also be quantitative or qualitative, though quantitative assessments are fairly easy to accomplish since the emphasis is on assets whose values are typically known. Finally, risk assessments are comprehensive and logical reviews that look at both threats and vulnerabilities. They can be both quantitative and qualitative,
10
Strategic Security Management
or they can be a hybrid. This type of assessment thoroughly evaluates the overall risk, including asset identification, threat analysis, and vulnerabilities in the day-to-day operations of the facility or the company. Assets include people, property, and information. Qualitative assessments are based on the data available and the skills of the assessment team, whereas quantitative assessments utilize numeric data to evaluate risk. Risk assessments are typically a staged process whereby critical assets are identified, current countermeasures are enumerated, threat and vulnerabilities are defined, and prioritized recommendations are made to protect critical assets based on probabilities of attack. The first two steps of the risk assessment methodology, asset identification and security inventory, are discussed in Chapter 2.
General Characteristics of a Comprehensive Risk Assessment Methodology
Designed for a specific organization or industry Complies with regulations and is guided by industry best practices Designed for information technology security, physical security, or a combination of both Categorizes assets based on criticality to the organization’s mission Identifies existing security measures used to protect assets Determines threats using multiple sources Uses tools and techniques to identify vulnerabilities Analyzes risk to assets based on threats and vulnerabilities Recommends multiple strategies for reducing risk
Chapter 2
Asset Identification and Security Inventory
In this chapter . . .
Definitions Asset Classification Identifying Critical Assets Target Selection Consequence Analysis Countermeasure Inventory Security Assessments TAG's Risk Assessment Process® Asset Identification
Policies & Procedures
Current Security Measures
Physical Security
Security Personnel
Threat Assessment
Crime Analysis
Vulnerability Assessment
Risk Assessment
Cost Benefit Analysis
Report and Recommendations
Figure 2-1. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com. All security programs, regardless of their complexity or industry application, are designed to protect assets, and generally speaking, assets are anything of value. This chapter introduces the concepts of asset identification, determination of criticality, and consequence analysis. Also discussed is how assets are
11
12
Strategic Security Management
selected by adversaries, those that seek to damage, destroy, or steal assets. Properly determining what is in need of protection is a necessary first step in the risk management process, for without asset identification, security measures are often haphazardly selected and deployed. This chapter also introduces more complex concepts that will be discussed in the remainder of the book. Thus, the first part of this chapter contains a list of terms and their definitions used throughout the book to ensure a commonality in understanding.
Definitions Adversary—An individual or group that is motivated and capable of stealing, damaging, or destroying critical assets. Adversaries are threats. They can include insiders, outsiders, or a combination of insiders and outsiders. Asset—People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items. Capability—The ability of an adversary to obtain, damage, or destroy an asset. Consequence—The extent of loss that can be anticipated from a successful adversarial attack against an asset. The impact of loss may be human, economic, political, environmental, or operational; however, consequences should be stated in financial terms if possible. Continuity of Operations (COOP)—A concept that seeks to ensure that an organization’s essential functions and mission-critical operations can be performed. Cost-Benefit Analysis—An assessment conducted during the countermeasure selection phase of the costs and benefits of each security measure option. Costs typically include the money and time resources required to implement the measure and any ongoing time and money needed to maintain the measure. Benefits are security program improvements derived from planned security measures. Countermeasures—Security measures that include policies and procedures, physical security equipment and protection systems, and security personnel. The primary purpose of a countermeasure is to mitigate risk through a prevention process that eliminates or neutralizes threats and reduces vulnerabilities. The term countermeasures is used interchangeably with security measures. Crime Analysis—The logical examination of crimes that have penetrated preventive measures, including the frequency of specific crimes, each incident’s temporal details (time and day), and the risk posed to a property’s inhabitants,
Asset Identification and Security Inventory
13
as well as the application of revised security standards and preventive measures that, if adhered to and monitored, can be the panacea for a given crime dilemma. Criticality—The operational impact to the organization’s mission due to the loss, damage, or destruction to an asset. Defeat—A security strategy designed to neutralize adversaries before an asset is lost, damaged, or destroyed. For defeat to occur, the security program must be operating at an optimum level. Delay—A security strategy designed to slow the progression of adversaries into or out of the facility. Barriers are an example of a delay measure. Detection—A security strategy designed to assess the threat and to alert security personnel of an adversary’s presence. Cameras and sensors are examples of detection measures. Deterrence—A security strategy designed to discourage adversaries by increasing the risks to the adversary, promoting a sense of security, and instilling doubt on behalf of an adversary. Uniformed security personnel and lighting are examples of deterrence measures. Emergency—Any event or combination of events that have the potential to negatively impact the organization’s mission or components of that mission for a period of time and that require immediate response and action to continue normal mission operations. Exposure—An instance of being exposed to losses from a threat. A weakness or vulnerability can cause an organization to be exposed to possible damages. Facility—A structure or group of structures in one physical location. Hybrid Assessment—A type of assessment that includes both qualitative and quantitative data and components. Typically, hybrid assessments numerically measure that which can be measured, such as response times, and assess qualitatively that which cannot. Infrastructure—The underlying foundation of assets needed for an organization to perform its essential functions and mission-critical operations. Mitigation—The act of causing a consequence to have less adverse impact on the organization’s mission. Project Management—The planning and execution of all aspects of a security project and application of skills, knowledge, and methods to achieve the project’s objectives, goals, and requirements on time, within budgetary limitations, and with a high level of quality. Qualitative Assessment—A type of assessment that is driven primarily by the assessment subject’s characteristics. Qualitative risk assessments are dependent upon the assessor’s skills. Scenario-based risk assessments are typically qualitative in nature. The National Terror Alert System is an example of a qualitative threat assessment. Quantitative Assessment—A type of assessment that is metric based and that assigns numeric values to the risk level. For example, quantitative assessments incorporate security response times and barrier delay times.
14
Strategic Security Management
Risk—A function of threats and vulnerabilities. Risk is the possibility of asset loss, damage, or destruction as a result of a threat exploiting a specific vulnerability. Risk Assessment—The process of identifying and prioritizing risks. A quantitative, qualitative, or hybrid assessment that seeks to determine the likelihood that an adversary will successfully exploit a vulnerability and the resulting impact (degree of consequence) to an asset. A risk assessment is the foundation for prioritizing risks in order to effectively implement countermeasures. Risk Management—A process that seeks to manage threats, vulnerabilities, and risks within an organization. Risk management involves assessing risk, evaluating and selecting security measures to reduce identified risks, and implementing and monitoring the selected measures to ensure that the measures are effective in reducing risk to an acceptable level. Security Decision Maker—Anyone who has an active role within an organization for asset protection. This term, or its acronym, SDM, is used throughout this text since some organizations do not have a formal position of security manager or security director. Risk managers also fall within the security decision maker definition. Security Survey—A fact-finding process whereby the assessment team gathers data that reflects the who, what, how, where, when, and why of an organization’s existing operation and facility. The purpose of a security survey is to identify and measure the vulnerabilities to the facility or to specific assets by determining what opportunities exist to exploit current security policies and procedures, physical security equipment, and security personnel. Threat—Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. Threats are classified as either human or natural. Threat can also be defined as an adversary’s intent, motivation, and capability to attack assets. Threat Assessment—An evaluation of human actions or natural events that can adversely affect business operations and specific assets. Historical information is a primary source for threat assessments, including past criminal and terrorist events. Crime analysis is a quantitative example of a threat assessment, while terrorism threat analysis is normally qualitative. Vulnerability—Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. Vulnerabilities include structural, procedural, electronic, human, and other elements that provide opportunities to attack assets. Vulnerability Assessment—An analysis of security weaknesses and opportunities for adversarial exploitation. A security survey is the fundamental tool for collecting information used in the vulnerability assessment. A vulnerability assessment is sometimes referred to as a security vulnerability assessment, or SVA for short.
Asset Identification and Security Inventory
15
Asset Classification What is an asset? Assets are anything of value to an organization, and they range from the basic to the mission critical. It is the mission-critical aspect that is of primary importance for protection by the security program. Generally, assets consist of people, property, and information. Critical assets are those that are needed for the organization to execute its primary missions and functions.
People People assets may include employees and customers along with other invited persons such as contractors or guests. At a typical chemical facility, on one hand, the employees and contractors are the people in need of protection from various threats, including chemical leaks and explosions to natural disasters. On the other hand, at a hotel, the employees and guests are considered assets, for without the employees the hotel will not operate and without guests, the hotel does not serve its intended purpose.
Property An organization’s property assets consist of both tangible and intangible items that can be assigned a value. Tangible assets are usually simple to identify, whereas intangible assets are more difficult to identify and assign a value. Intangible assets include the organization’s reputation and proprietary information. While all property assets have value, not all are critical to the organization’s mission.
Information Among other things and dependent upon the type of organization, information assets may include databases, software code, and company financial records. Proprietary information, such as vital records, formulas, and methods, are also assets. Vital company records normally do not exceed 2 percent of an organization’s records and may include incorporation certificates, stock records, corporate meeting minutes, and some financial records.
Critical Assets Identifying the organization’s critical assets is the first step in risk management. Critical assets within industrialized nations include electrical power, gas and oil production, telecommunications, banking and finance, water supply systems, transportation, government operations, and emergency services. Business-critical assets are those that are needed to perform the primary mission of the business. Assets are deemed critical based on two primary factors:
16
Strategic Security Management
the value as defined by the organization and the short-term and long-term consequence to the business operations due to its loss, damage, or destruction. The critical assets of a business are those that are necessary for continued business operations and in need of protection. For governments, critical assets are those that sustain the economy, security, political landscape, and social services. Assets do not have equal value to the business operation. Whatever the critical assets of any organization, a value must be assessed for each and each asset must be prioritized based on the consequence of its loss due to human actions. For example, in the oil industry, pipelines are considered a critical asset as any damage or loss of a pipeline reduces the availability for refineries to continue production. For small professional service firms, computer files containing company information and client data may be the only critical asset. Protecting assets is the principal goal of any security program. These assets have both tangible and intangible value whose value can often be quantitatively assessed using the following elements: 1. Criticality of the asset to business operations 2. Replacement value 3. Relative value of the asset Criticality is a function of the operational impact to the organization’s mission due to the loss, damage, or destruction of an asset. The more impact asset has on the business operation, the more critical it is. The criteria for assessing the level of criticality should be specific. Does an asset affect companywide operations, or would the loss, damage, or destruction impact only a portion of the operations? In the oil example, it was determined that pipelines are critical assets; however, pipelines vary in their value for oil and gas production. Some pipelines are more significant because of their throughput, whereas others are less valuable. Assets are categorized by their level of criticality. This may be a quantitative assessment based on their actual value, or the impact on business operations from their loss, damage, or destruction. Numerically assigned criticality levels can be more difficult to ascertain but can be meaningful to the overall risk assessment. Alternatively, qualitative assessments can also be used by rank ordering the assets on relative scales such as high, medium, or low. Descriptive values such as catastrophic, critical, marginal, or negligible may also be used in understanding the relative value to business operations. A matrix of critical assets may be beneficial in understanding the relative nature of asset loss, damage, and destruction. For effective business continuity planning, security decision makers should not only consider the immediate impact of asset loss, but also the time and cost to replace the asset. Time to replacement can significantly impact the criticality level due to operational downtime, which in turn leads to loss of revenue. The longer the time necessary to replace a critical asset, the higher the conse-
Asset Identification and Security Inventory
17
quence. For some critical assets, it is imperative to have a fully operational backup in place. Take, for example, a professional services firm whose primary deliverables to clients are reports and other data files. The reports and data files are generated on a computer word processing application. Should the firm’s computer be destroyed, reports cannot be generated and a substantial loss of revenue can result. Most small firms such as the one described could either have a backup personal computer, or their client files should be stored on a storage device, such as a compact disc or flash drive, and a location where they can use another computer. The loss of one asset may affect other assets as well and should be considered in identifying the overall asset criticality analysis. For example, in preparing for natural disasters, hospitals use electrical generators to provide a backup source of power in the event of a loss of electricity to provide continued support to patients.
Identifying Critical Assets Asset information can come from various sources; however, critical asset information is best obtained for those who manage the day-to-day operations of the organization. This may be the asset owners themselves or operations managers. Comprehensive interviews of these people should be conducted to obtain the information regarding each asset. Often, a consultant is brought in to conduct a risk assessment. Interviewing key personnel is the first step that the consultant will take, guiding the interviewee through a series of questions that will allow the consultant to fully understand the process and procedures of the organization. For example, a consultant hired by a manufacturing company would start the project with a series of interviews with site personnel, review security manuals and other documentation, and seek out other sources of information to assist in ranking assets based on their mission criticality. Depending on the organization’s mission, asset information may be available via the Internet and other public sources. Property management companies, for example, often list their entire portfolios on their website. From a marketing perspective this makes sense; it can be used by adversaries by helping them select a target.
Target Selection From the adversarial perspective, assets are called targets. Targets may not be of the same value to the adversary as they are to the owner. As such, asset value must be based not only on its mission-critical level, but also on its value to the adversary. Target value must be calculated based on the best available information. For example, from a national security perspective, certainly the Pentagon and U.S. Capitol building are of higher value to the U.S. government than the World Trade Center was. A foreign government would certainly place a high value on the Pentagon when waging a war against the United States.
18
Strategic Security Management
However, for terrorist groups such as al-Qaeda, the World Trade Center presented a far more attractive target because of its social, economic, and political value. Depending on the industry for which a risk assessment is being performed, certain factors should be considered in evaluating target values:
Casualty and injury rates Asset potential for loss, damage, or destruction Damage to the political landscape Disruption to operations Disruption to the economy Media attention Impact on the organization’s reputation Impact to employees’ morale Fear
Depending on the nature of a company’s business, asset value may not be obvious to security decision makers. Threat assessments can help discern which assets are susceptible to loss, damage, or destruction. In the grocery business, for example, criminals target small, high-value items such as infant formula and over-the-counter medicines. For U.S. national security purposes, particularly for the prevention of terrorism, political and economic assets are more likely to be targeted. With recent and realistic threat information, security professionals can make decisions based on asset attractiveness and provide for higher security levels.
Consequence Analysis History indicates that the likelihood of crime and terrorism, as well as other threats, is inversely related to its magnitude. That is, the probability of attack decreases as consequence increases since it is easier to conduct small-scale attacks than large-scale ones. The recent history of al-Qaeda reflects this type of consequence analysis in that this organization executed a number of relatively low level attacks prior to and since the September 11 attacks, a large scale, high consequence attack. We have to get it right every day and the terrorists only have to get it right once. So we have to be ahead of the game. —TSA Spokeswoman Lauren Stover Consequence analysis is an assessment of the effect on operations if an asset is lost, damaged, or destroyed. Operations may include business operations or national defense. Business continuity planning is based on consequence analysis. By estimating the likelihood and magnitude of asset loss, security decision
Asset Identification and Security Inventory
19
makers can prepare alternative methods to continue operations and restoration of primary operations capability. Organizations need to be prepared for a wide range of attacks based on statistical probabilities of occurrence. A consequence analysis allows the assessment team to prioritize assets in need of protection given their criticality to the organization. Consequence analysis is a fundamental step in the risk assessment process since the organization may not be able to afford the same level of protection for all vulnerable assets; thus, prioritizing assets allows the organization to protect those that are most critical. Consequences can be categorized in a number of ways: economic; financial; environmental; health and safety; technological; operational; and time. For example, a process control center may be essential for the safe production of a particular product. Its loss, or inability to function properly, could result not only in a disruption of production (with its concomitant loss of revenue and additional costs associated with replacing the lost capability), but it might also result in the loss of life, property damage, or environmental damage, if the process being controlled involves hazardous materials. The loss of an asset might also reduce a company’s competitive advantage, not only because of the financial costs associated with its loss, but also because of the loss of technological advantage or loss of unique knowledge or information that would be difficult to replace or reproduce. Individual firms, too, have to worry about loss of reputation. The American Petroleum Institute and the National Petrochemical and Refiners Association (API/NPRA) in their Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries also suggested considering the possibility of “excessive media exposure and resulting public hysteria that may affect people that may be far removed from the actual event location. A criticality assessment is a process designed to systematically identify and evaluate important assets and infrastructure in terms of various factors, such as the mission and significance of a target. For example, nuclear power plants, key bridges, and major computer networks might be identified as “critical” in terms of their importance to national security, economic activity, and public safety. In addition, facilities might be critical at certain times but not at others. For example, large sports stadiums, shopping malls, or office towers when in use by large numbers of people may represent an important target but are less important when they are empty. Criticality assessments are important because they provide a basis for identifying which assets and structures are relatively more important to protect from an attack. The assessments provide information to prioritize assets and allocate resources to special protective actions. These assessments have considered such factors as the importance of a structure to accomplish a mission, the ability to reconstitute this capability, and the potential cost to repair or replace the asset. Thus far, what has been discussed is a quantitative assessment of assets using actual costs, replacement values, and operational downtime. Criticality can be measured qualitatively also using
20
Strategic Security Management
relative terms to prioritize asset loss, damage, or destruction. A four-level scale is suggested ranging from low to critical. Critical—Assets that, if lost, damaged, or destroyed, can result in mission failure High—Serious unwanted impact that may impair normal operations in their entirety or complete loss of a portion of the operations for an extended time period Medium—Moderate operational impact that may only affect a portion of the business processes and for a short period of time Low—A manageable impact to business operations and no likelihood of mission failure TAG's Risk Assessment Process® Asset Identification
Policies & Procedures
Current Security Measures
Physical Security
Security Personnel
Threat Assessment
Crime Analysis
Risk Assessment
Vulnerability Assessment
Cost Benefit Analysis
Report and Recommendations
Figure 2-2. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
Countermeasure Inventory Asset identification is just the first step in the risk assessment methodology. The second step involves inventorying existing security measures designed to protect the assets at the facility. Depending on the quality of previous assessments, existing countermeasures may or may not be effective in protecting the facility and its critical assets. While time brings change to both the assets and the countermeasures, previous risk assessments and subsequent security program designs should be working to protect assets. Existing countermeasures may include security personnel, physical measures, and policies and procedures. Security personnel include people specifically designated or indirectly working toward the protection of assets. Uniformed security officers would be the most visible and recognizable example of security personnel. Others who may also be involved in the protection are not as easily identified, including undercover officers, security managers dressed in business attire, and common employees trained in how to handle security incidents. Physical security measures may range from low-
Asset Identification and Security Inventory
21
technology items such as barriers and curbing to high-tech measures such as closed circuit television (CCTV) cameras, biometrics, and fencing. Physical security measures may also include items not visible to the naked or untrained eye, such as pressure mats and alarm sensors. Policies and procedures are written documents and unwritten rules that relate directly to asset protection and guide the security program. Security manuals and security post orders are examples of policies and procedures. One of the best sources of information regarding current security measures at a facility is the security officer who is trained in observation and awareness and spends much of his or her time simply observing. Other sources may include the security manager or the officer’s direct supervisor. Security manuals, if updated, can also provide invaluable information regarding the security program. Controlling the capability and motivation of adversaries is a difficult proposition for security decision makers. Motivation is created by the actual crime target and is considered the reason for security breaches. Since organizations usually require assets to operate, the removal of motivation is not always possible. Most organizations must instead turn their attention to blocking the opportunity of crime. As seen in Figure 2-3, reducing vulnerabilities for security breaches leads to a reduction in incidents. Thus, the security decision maker’s strategic goal of countermeasure deployment is to reduce the opportunity for security breaches to occur by reducing vulnerabilities. Opportunities relate to targets in that removing or hardening an asset will lead to a reduction or an elimination of vulnerabilities. Asset protection programs integrate a combination of policies and procedures, physical countermeasures, and
Assets
Risk Threats
Vulnerabilities
Figure 2-3. Venn Diagram—assets, threats, and vulnerabilities. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
22
Strategic Security Management
security personnel to protect assets against a design-basis threat. The characteristics of asset protection programs include deterrence, detection, delay, and defeat. Typical security measures of a comprehensive security program include security policies and procedures, physical security measures, and security personnel. These security measures are inventoried during the risk assessment and are categorized into key areas as described in the following. Security Policies and Procedures Security Management Plan Emergency Management Plan Workplace Violence Prevention Crisis intervention Vital Records Protection Key Control Policy Visitor Management Security Escort Physical Security System Testing Security Force Deployment Fire Prevention and Response Bomb Threat Access Control Employment Background Investigations Physical Security Equipment Alarm Systems Control Panels/Communicators and Keypads Door and Window Contacts Motion Sensors Glass break detectors Object Detectors Miscellaneous Detectors Duress Alarms CCTV Systems Cameras Monitors
Asset Identification and Security Inventory
23
Recording IP Video Intelligent Video
Access Control Systems Stand-alone Devices System Controllers Readers Locking Devices Egress Devices Door Hardware Perimeter Security Systems Fencing Gates Bollards Locks Lighting Fire Systems Specialized Protection Systems Metal and Explosive Detectors Ballistic-Resistant Materials Security Personnel Proprietary Security Force Contractual Security Force Off-Duty Law Enforcement Officers Other personnel who serve in a protection capacity
Security Assessments The remaining steps of a risk assessment involve various evaluations designed to analyze threats, vulnerabilities, and overall risks and a suggested course of remediation. Each step is a systematic approach to determining the actual risk posed to the assets, specifically those that are mission critical. As discussed in Chapter 1, there are three types of security assessments: vulnerability, threat, and risk assessments. The final step of the risk assessment is to
24
Strategic Security Management
evaluate the costs and benefits of remedial measures, including redeployment of resources to protect higher risk areas or assets. This step often provides the greatest heartache to security decision makers because it often involves reducing security to one asset and redeploying those resources to protect more critical assets or at-risk assets. While the heartache is justified, the task is possible. It is possible. It is reasonable. It is defendable. In a nutshell, the risk assessment is designed to provide a continuous process of identifying critical assets and threats to those assets, and reducing any vulnerabilities by careful analysis and implementation of effective countermeasures to achieve an optimum level of protection. Security assessments are very specific to the type of organization or facility being assessed. Similarly, the methodology used must also be specific to the organization or industry. An assessment methodology designed for chemical facilities will not be useful for a university campus. If an industry-specific methodology is used, it should clearly identify the type of facility for which it is designed and any limitations. Security assessment methodologies are also designed to address certain security arenas. Currently, the division is twofold: physical security and information technology security. Although the gap is closing through the process of convergence, the two fields still stand alone and require different methodologies. Regardless of the type of organization or whether the assessment is related to physical security or to information technology security, the assessment should state what critical assets require protection, what type of information is needed for each asset, and how the asset’s loss, damage, or destruction would impact the mission of the organization. The assessment should also include a threat assessment, vulnerability assessment, and risk assessment that allow security decision makers to prioritize asset protection protocols. Finally, the assessment should make specific recommendations as to how to block opportunities for adversaries to attack and how to protect specific assets. Once the risk assessment has been completed, certain assets may have a high critical rating, but a lower security level may be required for the overall facility. A typical qualitative approach to facility security levels is as follows: Security Level 1 Minimum Security A system designed to impede some unauthorized external activity. Security Level 2 Low-Level Security A system designed to impede and detect some unauthorized external activity.
Asset Identification and Security Inventory
25
Security Level 3 Medium Security A system designed to impede, detect, and assess most unauthorized external activity and some unauthorized internal activity. Security Level 4 High Security A system designed to impede, detect, and assess most unauthorized activity. Security Level 5 Maximum Security A system designed to impede, detect, assess, and neutralize all unauthorized activity.
This page intentionally left blank
Chapter 3
Threat Assessments
In this chapter . . .
Threat Formula Threat Identification and Classification Threat Information Sources Assessing Threats Emerging Threats Threat Dynamics The Homeland Security Advisory System
TAG's Risk Assessment Process® Asset Identification
Policies & Procedures
Current Security Measures
Physical Security
Security Personnel
Threat Assessment
Crime Analysis
Vulnerability Assessment
Risk Assessment
Cost Benefit Analysis
Report and Recommendations
Figure 3-1. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
27
28
Strategic Security Management
Threat Formula THREAT = INTENT + CAPABILITY + MOTIVATION Following the asset identification and security inventory steps of the risk assessment process, the third step is to perform a threat assessment. As discussed previously, a threat is anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. Threats are classified as either human or natural. Threat can also be defined as an adversary’s intent, motivation, and capability to attack assets. Threat assessments, then, are evaluations of human actions or natural events that can adversely affect business operations and specific assets. Historical information is a primary source for threat assessments, including past criminal and terrorist events, whereas real-time information is also being used with increasing frequency owing to its availability in some arenas. Threat assessments can be quantitative or qualitative. Crime analysis is a quantitative example of a threat assessment, while terrorism threat analysis is normally qualitative. An important distinction is that threats are acts or conditions that can harm organizational assets, whereas adversaries are the people, groups, and organizations that are hostile to the assets. Adversaries are also characterized by their history of attacking assets, the intention to attack assets, and the capability and motivation to continue to attack assets. Threat assessments are used to evaluate the likelihood of adverse events, such as terrorism and crime, against a given asset as well as other hazards such as natural disasters that may affect business operations. As such, the focal points of threat assessments are assets (targets) and the threats that seek to compromise those targets. Threat assessments also ask who the bad guys are by evaluating each threat on the basis of capability, intent, and impact of an attack. General threat assessments estimate the likelihood of adversarial attacks, including the type of adversary, their tactics, and their capabilities. Facilityspecific threat assessments also define the number of adversaries and their method of operation or attack. With this information, security decision makers use threat assessments as a decision-making tool that helps to establish and prioritize safety and security program requirements, planning, and resource allocation. The process of threat assessment includes: Threat identification—identify potential adversaries and their characteristics. Asset classification—identify targets and determine their criticality. Consequence/Criticality analysis—assess the effect of an assets compromise. Whether security professionals are in the business of national security or in the commercial and industrial sectors, threat assessments should be conducted as often as necessary to meet the needs of the organization. While threat assessment is a continuous activity for the U.S. government, businesses and other organizations should strive for annual threat assessments. Crime analysis is the
Threat Assessments
29
most common type of threat assessment undertaken by American businesses. It is done every year at minimum, and it is sometimes completed as often as once a quarter. Location-specific threat assessments at infrastructure facilities, such as ports, are carried out less frequently, but threat data is usually updated constantly. It should be noted that the biggest failing in threat assessments is a lack of specificity. For example, when the national terror alert system was first introduced, a move in the threat level required all industries and agencies, regardless of geographic location, to change their readiness level. Upon further reflection, the Department of Homeland Security adjusted the model to consider location or sector-specific information. Since this change, the United States has seen increases in threat levels to certain parts of the country or within certain sectors. For example, after the London Underground (subway) bombings in 2005, the threat level in the United States did not rise, but U.S. mass transit was put on alert. Similarly, the United States has experienced increased threat in the Northeast while the rest of the country has remained at a lower level. It is the task of security professionals to use a targeted approach to threat assessment, whether the target be by geography or asset classification. Of primary concern with regard to raising the threat level across all jurisdictions or across all organizational operations is the cost associated with a higher level of preparedness. Depending on the threat, security professionals can assess the likelihood and types of potential attacks if specific information on potential targets is available. Based on their assessment, specific, targeted countermeasures can be implemented. Threat assessments evaluate the full spectrum of threats that can impact assets, including natural disasters, criminal activity, terrorism, safety-related accidents, and common security breaches such as unauthorized access. Each potential threat must be analyzed using all available information to establish the likelihood of occurrence. Gulf coast states such as Texas, Louisiana, and Mississippi, for example, have a wealth of historical data that can be used to plan for hurricanes during high-risk months. Urban convenience stores also have ample evidence of their general crime threat level. Despite an awareness of general threats, security decision makers must refine their assessments to include specific scenarios in the protection of assets. A convenience store located in a high-crime area that experiences an inordinately high level of crime on its premises should elevate its site-specific threat level and allocate security resources accordingly. Asset attractiveness should also be considered in the threat assessment. Certain assets and businesses have a higher inherent threat level because of their attractiveness to the criminal element. One obvious example is jewelry stores. Despite the lack of previous crimes at a particular jewelry store, the threat level for robberies and burglaries is still high. This is not to say that jewelry stores are inherently vulnerable, only that the threat level is higher. Another example of a business with an intrinsically elevated threat level is the construction site, which, compared to other sites, typically has a higher rate of accidents resulting in injury to workers. Again, the threat exposure is there, but the
30
Strategic Security Management
vulnerability need not be. This concept will be discussed further in the vulnerability assessment chapter (Chapter 5).
Threat Identification and Classification The best predictor of the future is the past. This same idea holds true when assessing adversaries. A thorough understanding of how adversaries operated in the past can assist security decision makers in predicting future adversarial operations. Without fear of jumping to conclusions, many security professionals knew immediately that Osama Bin Laden was responsible for the World Trade Center and Pentagon attacks on September 11, 2001 as soon as the second plane hit the World Trade Center. This accurate assessment was based on knowledge of prior attacks by a terrorist organization that the world came to know as al-Qaeda. While the al-Qaeda example is universally understood in the security industry, the same logic can be applied to commercial and industrial targets. If security decision makers understand the adversary’s perspective, effective protection measures can be efficiently allocated to reduce the threat. How do adversaries select targets? What types of assets have been targeted in the past? What are their intentions, capabilities, and motives? Bank and financial institution security professionals have made excellent use of threat information sharing to prevent certain crimes. Similarly, retailers have shared information to track baby formula thefts. Although the goal of any security decision makers should be to quantitatively identify threats, it is not always possible to do so, and some threats must therefore be assessed qualitatively based on assumptions and educated guesses. Crime threats can normally be assessed quantitatively based on historical crime data, whereas understanding a particular criminal must be qualitatively addressed. This is a key difference of crime analysis, the examination of historical crimes with little regard to the criminal himself, the adversary. In this chapter, the focus will be on understanding the adversary or the qualitative perspective. In the crime analysis chapter (Chapter 4), a data-driven, quantitative method will be discussed. So what type of information is needed to describe a threat qualitatively?
The type of adversary The adversary’s intentions The adversary’s motivations The adversary’s capabilities
Threats can be classified as either human or natural. Human threats are those involving people working on the inside of the organization such as employers and contractors (insiders), people who attack from outside of the organization (outsiders), or a combination of the two. Natural threats are those
Threat Assessments
31
events that are not man-made such as tornados, hurricanes, floods, fires, and other environmental events. Human threats can be further categorized as insiders, outsiders, and insiders working with outsiders. Insiders may be subclassified as criminal employees, dissatisfied employees, criminal contractors, and disgruntled contractors. Threats from insiders are considerable given their security program awareness, opportunity, and unfettered access to the facility. Insider threats may be active and violent or stealthy, perpetrated by silent participants with outsiders. Although workplace violence poses a high risk to other employees, insiders who are blackmailed or threatened by outsiders create a more difficult problem for security decision makers. Since the insider threat is typically the result of policies and procedures, security decision makers cannot rely on traditional security measures such as alarms, cameras, and lighting to thwart this kind of threat. Good mitigation strategies may be put in place to protect against the insider threat, though strong policies and procedures are among the most reasonable and effective. Policies should include personnel reliability programs, recurring background checks, and limitations on access to sensitive areas of the facility. Outsiders may be subclassified as foreign governments and militaries, gangs, criminals, extremists, and terrorists. The depth of classification should meet the security organization’s needs. For example, the U.S. government classifies terrorists as political, religious, or environmental. Terrorist characteristics may include a willingness or desire to die or martyr oneself, inflict a high level of damage, injuries, and deaths, cause psychological pain to citizens, and showcase abilities to terror fund raisers. Outsiders may be motivated by ideological goals, economic gain, or personal reasons. Insiders colluding with outsiders pose the greatest threat of all and may be classified as coerced or willing participants. Coerced insiders are unwilling participants in the attack who are forced by threat of harm to themselves or family or who are blackmailed. Willing insiders may have a financial interest (bribes) or may be ideologically sympathetic to the outsiders’ cause. Threat assessments should consider the possibility of all three types of human threats and should be based on reasonable intelligence available from multiple sources, including internal information, law enforcement data, red teams, specialists, media reports, and federal and private intelligence sources. Only rarely do security decision makers have accurate knowledge of a specific threat beforehand. Information may be incomplete or vague, and as such, educated judgments must be made in defining a threat. The more complete the available threat information is, the better the assessment.
Adversary Motivation Adversaries may be motivated by any number of factors, but the most usual motivations are economic, personal, and ideological. And the most common of these three is economic where the gain of valuables, including money, is the
32
Strategic Security Management
driving force behind a criminal attack. Economic criminals include robbers, burglars, and thieves. While this description appears quite simplistic, it may be more complex than it seems as these criminal perpetrators may actually be driven to commit economic crimes for personal reasons. Drug addicts are a great example: they commit the economic crime purely to obtain valuables to exchange for drugs, a personal motivation. A similar example is the teenager who steals electronic music players, such as the Apple iPod, or basketball shoes, such as Air Jordan’s, to raise his self esteem and fit in with his peers. As already suggested, personal motivators are often emotionally driven; examples include an angry husband who abuses his wife, or a disgruntled employee who commits acts of workplace violence. Motivations for the insider threats are often personal and driven by poor workplace management, real or perceived, resulting in an unhappy worker who bears a grudge usually against management. Personal crimes are sometimes difficult to prevent because they can be committed as a spontaneous act of rage or because of a mental disorder. Andrea Yates, the Texas mother who drowned her four children in a bathtub, is an example. Ideological motivations are linked to philosophical beliefs. Environmental criminals are those who seek to harm those whom they believe are damaging the environment. Take the example from California where environmental terrorists, such as the Earth Liberation Front (ELF), committed an act of arson at car dealerships that sold high-fuel-consumption sport utility vehicles. Other terrorist groups are ideologically motivated to protect animals and attack laboratories that experiment on animals. Of course, most of the world understands what motivates terrorist groups like al-Qaeda. The 1993 World Trade Center attack, though not indicative of al-Qaeda’s capability, showed that terrorists were motivated to attack landmark buildings.
Adversary Capability Assessing adversarial capability relies heavily on good intelligence. No better example exists than the failure of U.S. intelligence to forecast the Japanese attack on Pearl Harbor, precipitating U.S. entry into World War II. Without delving into the politics of this event, it is fair to say that incomplete and slow intelligence underestimated Japan’s capability. Time and time again, history has shown that faulty intelligence over- and underestimates adversarial capability. In the commercial and industrial sectors, where companies are in competition with one another, good intelligence is difficult to come by. Industry sharing of threat information is rare but not impossible. Through informal organizations, some industries have successfully shared information about adversaries with each other in an effort to thwart a problem before every company is affected. Again, the banking industry does this with regularity and with great success.
Threat Assessments
33
For security decision makers, assessing the capability of an adversary includes the following factors:
Number of attackers Skills Knowledge of the facility’s security Types of weapons Other equipment Methods and tactics (deceit, force, stealth) Means of transporting attackers, weapons, and equipment Possible collusion with an insider
Terrorist capabilities may include providing highly trained and skilled military units with shoulder-fired weapons and explosives; developing unsophisticated nuclear weapons, known as dirty bombs or other improvised explosive devices; and funding operations and furnishing fake identification, including passports and driver’s licenses. Terrorists may also be trained in sabotage, hostage taking, and homicides. Each threat should be specifically described in sufficient terms and relative to its ability to attack particular assets. This description is known as the design basis threat (DBT) because it forms the basis for the design of security programs. The DBT includes statements of intent, motivation, and capabilities of each threat. The description also includes the known tactics and methods, weapons and equipment, and other details of past attacks by the adversary. Studying past security breaches is critical in forming the design basis threat.
Threat Information Sources As we have discussed briefly, security decision makers should endeavor to seek out all possible sources of threat information. Threat information should come from multiple and redundant sources. Depending on the nature of the assets in need of protection, the sources of threat information may include internal information, security breach investigative reports, law enforcement data, red team penetration analysis reports, security consultants, media news reports, and both federal and private intelligence sources. For security consultants and other security decision makers who are not intimately familiar with the facility they are assessing, the best starting point in gathering threat assessment data is through interviews and surveys of people who are more familiar with the site. A security consultant, for example, may begin a threat assessment by speaking with line-level security personnel, including police working at the site and proprietary and contractual security officers. Other line-level personnel working on site make for good sources as
34
Strategic Security Management
well. Among the basic questions that should be asked of line personnel regarding each asset are the following.
What assets have been targeted in the past? When were assets attacked? Who targeted the assets? Why is that asset(s) targeted? How was the asset attacked? Were any remedial security measures implemented in response to the attack?
Many security-conscious organizations also maintain internal records of security incidents, breaches, and crimes. Security decision makers should review this information on a regular basis while looking for trends and patterns that might indicate existing threats or that might point to a vulnerability that can be solved with remedial measures. An often overlooked source of threat information is prior threat assessments. Many organizations conduct risk assessments on a continual basis and have the associated reports filed away. For security consultants, this is among the documents they request from the organization during the initial days of a risk assessment, or even prior to setting foot on the premises. External threat information, including crime data from the local law enforcement where the facility is located, should also be reviewed. (This is known as crime analysis and will be discussed in depth in the next chapter.) Other external sources include private threat specialists, who are especially useful for executive protection. Some companies that specialize in threat assessments for other countries go far beyond the basic information provided by the U.S. State Department. Even before September 11, the FBI created InfraGard, a partnership between the government and private industry to share terrorism, intelligence, criminal, and security information about critical national infrastructures.
Assessing Threats After collecting, reviewing, and summarizing threat information from all available resources, security decision makers must apply the threat to specific assets. Although critical assets are the primary concern during the assessment, other assets may also be considered during the assessment phase. The goal of the assessment then is to estimate, quantitatively or qualitatively, the likelihood of occurrence that a threat will attack an asset. The better the understanding of the intent, motivation, and capability of an adversary, the better the assessment. Of course, a history of attacks against a particular asset may be beneficial to satisfy the intent and motivation criteria. Capability assessment requires good intelligence about the adversary’s current
Threat Assessments
35
status. Looking back on the 1993 World Trade Center attack, we can see that al-Qaeda was motivated to destroy the World Trade Center towers but that their capabilities did not correlate with their intention. With the towers still an attractive target and assuming there was no credible intelligence that planes would be used as guided missiles, al-Qaeda certainly did not seem to have the capability to destroy the Towers. Obviously, before September 11, any intelligence about the plane scenario was reasonably treated as non-credible. Because of a lack of quantitative data, scenario-driven, qualitative assessments are appropriate for high-value assets that have suffered no prior attacks. A qualitative threat assessment is defined as a type of assessment that is driven primarily by the characteristics of the threat and is highly dependent on the skills of the assessment team. The threat assessment team or individual, using a qualitative approach, considers each asset in light of the given threat information for that asset, and develops scenarios that adversaries may use to estimate the likelihood of attack. Using a qualitative rating system, the threat assessment team assigns a linguistic value to each scenario. An example of a qualitative rating scale is as follows.
Level 5—the adversary has a history of attacks as well as the intent, motivation, and capability to launch a renewed attack. Level 4—the adversary has a history of attacks and the capability to execute an attack, but may lack the intent and motivation to launch new attacks. Level 3—the adversary has a history of attacks and the intent and motivation to launch new attacks, but lacks the capability to execute an attack. Level 2—the adversary has a history of attacks but no longer has the intent, motivation, and capability to launch new attacks. Level 1—the adversary has no history of attacks and lacks the intent, motivation, and capability to execute an attack.
As can be seen in the qualitative assessment scale, good threat intelligence is necessary to accurately assign threat levels. An example of a threat that can be assessed qualitatively is weapons of mass destruction (WMD). WMDs are made up of chemical, biological, and nuclear weapons. Because these threats have a low likelihood of occurrence historically, little data is available for assessing them quantitatively. U.S. Army Physical Security Field Manual/FM 3-19.30 THREATCON Levels Specific security measures should be directly linked with THREATCON levels. These considerations are:
36
Strategic Security Management
THREATCON Normal. This THREATCON level exists when a general threat of possible terrorist activity arises but warrants only a routine security posture. THREATCON Alpha. This THREATCON applies when there is a general threat of possible terrorist activity against personnel and facilities (the nature and extent of which are unpredictable) and when circumstances do not justify full implementation of THREATCON Bravo measures. It may be necessary to implement measures from higher THREATCONs either resulting from intelligence or as a deterrent. The measures in this THREATCON must be capable of being maintained indefinitely. THREATCON Bravo.This THREATCON applies when an increased and more predictable threat of terrorist activity exists. The measures in this THREATCON must be capable of being maintained for weeks without causing undue hardship, affecting operational capability, or aggravating relations with local authorities. While in Bravo, the installation should bring manning levels and physical-protection levels to the point where the installation can instantly transition to THREATCON Charlie or Delta. THREATCON Charlie. The transition to THREATCON Charlie must be done on short notice. It is a result of an incident or the receipt of intelligence indicating that some form of terrorist action against personnel and facilities is imminent. Charlie measures should focus primarily on manning adjustments and procedural changes. Security forces will usually enhance their security presence by acquiring additional manning or by adjusting the work-rest ratio (such as moving from a 3 : 1 to a 6 : 1 ratio). At Charlie, off-installation travel should be minimized. THREATCON Delta. Since the transition to THREATCON Delta is immediate, Delta measures should focus primarily on manning adjustments and procedural changes. THREATCON Delta applies in the immediate area where a terrorist attack has occurred or when intelligence has been received that terrorist action against a specific location or person is likely. The security force’s manning level usually peaks in Charlie; therefore, Delta’s additional manning will often come from an augmentation force. Once in Delta, nonessential operations will cease in order to enhance the security and response posture. Normally, this THREATCON is declared as a localized condition.
Where a fair amount of threat data is available, a quantitative threat assessment is possible. A quantitative threat assessment is a type of assessment in which metrics are used to assign numeric values to the threat level. With vast amounts of prior incident data, a quantitative assessment can include mathematical projections to forecast future incidents. Using mathematical projections, quantitative threat assessments can achieve high levels of confidence, but the forecast range widens. Forecasting will be discussed in the next chapter since it is most commonly used with crime data. A quantitative threat assessment uses a numeric threat rating scale, normally employing probability ratings. An example of such a scale is as follows.
Threat Assessments
37
Level 5—90 percent or higher likelihood of attack because the adversary has a history of attacks as well as the intent, motivation, and capability to launch a renewed attack. Level 4—70 to 89 percent likelihood of attack because the adversary has a history of attacks and the capability to execute an attack, but may lack the intent and motivation to launch new attacks. Level 3—50 to 69 percent likelihood of attack because the adversary has a history of attacks and the intent and motivation to launch new attacks, but lacks the capability to execute an attack. Level 2—10 to 49 percent likelihood of attack because the adversary has a history of attacks but no longer has the intent, motivation, and capability to launch new attacks. Level 1—less than 10 percent because the adversary has no history of attacks and lacks the intent, motivation, and capability to execute an attack.
Despite a given threat rating, threats are not static; rather, they are dynamic and rise or fall over time. Threats can and should be reassessed as needed and when new information becomes available. A good example might be the increased threat level near the anniversary of the Oklahoma City bombing on April 19, 1995, which itself coincided with the Branch Davidian standoff in Waco, Texas, between cult leader David Koresh and the Bureau of Alcohol, Tobacco, and Firearms (ATF) which occurred two years prior to the day.
Emerging Threats Accurate threat assessments are critical for security decision makers; however, not even the best threat assessment can anticipate every possible scenario which may emerge. Terrorists and criminals always adapt to and overcome updated countermeasures. In today’s high-technology world, state-ofthe-art countermeasures are outdated at an increasing pace, and adversaries usually move at a similar pace. Security decision makers should keep abreast of the latest threat information using the best available sources of information. Using the threat information sources discussed above and adding to them where possible will help keep the security professional abreast of the latest threats and ensure that the assessment report is up to date. The mitigation of emerging threats requires the ability to think and act like the adversary. Historical data, specifically data on the adversary’s modus operandi (method of operation), sheds significant light on what security decision makers should watch for in the future, but truly thinking like a criminal or terrorist will allow security decision makers to think outside the current wisdom.
38
Strategic Security Management
Maintaining a current profile of adversaries is important for the threat assessment. W. Dean Lee, Ph.D, in an article entitled Risk Assessments and Future Challenges, which was published in the FBI’s July 2005 Law Enforcement Bulletin, developed the acronym CAS-DRI-VARS to characterize the adversarial tactics and methods currently being used by adversaries operating around the world.
Creative—applying innovative use of the ancient arts of unconventional warfare Asymmetrical—launching multifaceted physical, political, informational, and cyber attacks Secretive—cloaking in multiple layers and compartmented cells Deceptive—misleading and manipulative in their intent and behavior Resourceful—maximizing the use of available resources to achieve their objectives Intelligent—capitalizing on detailed planning and orchestration Visionary—foreseeing the third and fourth order of effects of their actions Adaptable—evolving and adjusting with each new countermeasure Ruthless—striking with brute violence against the innocents Sophisticated—employing intricate ploys and strategies
Beyond these characteristics, security decision makers should continually study the goals and objectives that adversaries are attempting to achieve. Their motivation and intent must also be evaluated. Keeping a watchful eye on adversarial capability is by far the most important way to keep the threat assessment current. For example, commercial businesses, retailers in particular, know that an incarcerated shoplifter has little to no capability. Thus, they lobby for prosecution, stiffer sentencing guidelines, and strong enforcement of existing laws. The United States government understands that terrorist capability is highly dependent on funding for terror operations and thus has implemented various worldwide strategies to stop the flow of funds to and between terrorist leaders and operations personnel. Adversaries’ skills may deteriorate or, alternatively, improve over time as well. Without recent experience and training, some adversaries may lose their capability to attack successfully. Security decision makers, depending on the nature of the organizations they protect, can keep abreast of the latest tactics and methods of their most common adversaries. Here again, the United States government recognizes this and has also attempted to close down terrorist training camps in hopes of reducing the overall skill level of terrorists. Asset knowledge is critical to adversaries, and moving targets are more difficult to attack successfully. Although most businesses are not able to move assets to throw criminals off the track, they are able to keep information about
Threat Assessments
39
some assets confidential and prevent adversaries from knowing exactly where they are or how they can be accessed. While most criminals will be familiar with people who store their money under a mattress, few criminals will be privy to the knowledge of where the family’s safe is located within the house. One of the more interesting home protection ideas from the past came from the homeowner who posted a sign on his door which stated, “This house protected three days a week by Smith and Wesson. You pick the days.” Amusing as the sign may be, one would have to believe that the unmotivated house burglar may have been deterred by the existence of such a sign. Threats may also change depending on the adversary’s access to tools and weapons. Arguably, the point of the now defunct assault weapons ban in the United States was to reduce the availability of high-capacity weapons to criminals, in particular street gangs. Passports have long been sought-after tools for terrorists and spies. In recent years, many countries have improved their country’s passports to prevent duplication. Some countries have even canceled all existing passports and reissued new ones to their citizens with better security features. Opportunities can impact the threat level more than any other factor. Fortunately, security decision makers can control opportunities largely through the careful monitoring of asset vulnerabilities. An example is the assassination of John F. Kennedy in Dallas, Texas, in November 1963. Not only was the president traveling in an open-top automobile, but the motorcade was traveling with many points of higher ground surrounding it. As a result of that tragic fateful day, the United States Secret Service will not likely ever allow a president to travel in a convertible automobile. Reducing opportunities will be discussed in depth in Chapter 5.
Threat Dynamics The daily assessment of terror threats applies primarily to security decision makers who are charged with protecting critical infrastructure assets, such as chemical plants, oil refineries, airports, and maritime ports. Most security decision makers focus on terrorism as a high-risk, low-probability concern that needs to be addressed on an irregular basis. Once terrorism contingency plans, emergency procedures, and business continuity plans are established, security decision makers can once again turn their attention to the day-to-day issues that threaten the organization’s assets. Everyday crimes are the most common threat facing security decision makers in protecting their assets; a thorough assessment of the specific nature of crime and security breaches can reveal possible weaknesses in the facility’s current security posture and provide a guide to effective solutions. A full understanding of the dynamic nature of everyday crime allows security decision makers to select and implement appropriate countermeasures to reduce the opportunity for these incidents to occur in the future. Thus, the remainder of this chapter focuses on the dynamics of
40
Strategic Security Management
everyday threats, identifying their key elements and describing how to analyze these elements to block specific threats. In discussing threat assessments thus far, we have laid out ideas in an effort to help the reader understand the conceptual perspective of threats. Everyday threats can now be discussed to enable the reader to understand the practical nature of common threats and to evaluate the threats to the organization’s assets. Before selecting countermeasures, security decision makers should be well versed in a number of threat dimensions. As conceptually outlined previously, these dimensions include:
The facility’s situational elements Target/Asset characteristics Adversary motivation and capability Adversary target selection factors Opportunity-reduction strategies
Situational elements are those characteristics of the facility that create an environment that is more or less conducive to certain types of crimes or security violations. For example, a retirement home may suffer more from thefts within the community than from auto thefts due to the nature of the business. Another example of situational elements affecting crime may be the proximity of the facility to escape routes such as dense fields or wooded areas that can be used to conceal the offender on foot or quick escapes via highways used by the criminal in a motor vehicle. Situational elements also include the nature of the activities that occur on the property. Businesses face different problems than residential areas. The type of business that is conducted on a property may attract more crime. For example, bars and nightclubs may be more prone to assault-type crimes and sexual offenses because alcohol consumption lowers inhibitions. Hotel, motel, and other lodging facility customers are often victimized on or near the property because they are not as aware of the area’s crime history. Criminal perpetrators know this and take advantage of the situation. A target’s characteristics are often determined by the nature of the business. Jewelry stores possess two types of attractive assets—large amounts of money and small, easily concealed property. Sometimes, the characteristics of targets are self-evident. For example, banks can be assured that their primary concern is the money stored on-site, whereas the retail store’s primary concern is usually shoplifting. Analysis of past crime data may reveal other threats that may not be evident. For example, a retail store that has a history of car-jacking robberies and assaults of customers may only be fully known by reviewing internal security reports or police crime information. Facilities with high levels of auto thefts can narrow the field of targets by using threat assessments and crime analysis to determine which cars are more theft prone. If the ideas presented in the asset identification chapter (Chapter 2) are followed, security decision makers will
Threat Assessments
41
have identified the organization’s critical assets and their attractiveness as well as past history of attack. Adversary motivation and capability are key to understanding the nature of crime on the property. Criminals, more often than not, are rational decision makers capable of being deterred or enticed to commit their acts. In modern criminal justice, it is widely accepted that certain people can be generally deterred from committing crimes given swift and severe punishment. Specific deterrence measures can be taken at the property level by introducing countermeasures that increase the risk of detection by security personnel. For example, the presence of security dogs or closed circuit camera systems (CCTV) may deter many adversaries. By the same token, given ample opportunity and a low risk of detection, people may also be encouraged to commit crime. An adversary’s capability must also be considered. The same adversary who attempts to enter the property secured by security dogs may have the capability to bypass the dogs by way of poisoned treats or a distraction method. The security decision maker’s goal is to reduce encouraging elements and increase the risk. For instance, hiding assets in a safe is often a good way to make valuables “out of sight, out of mind.” Through an ability to select specific targets the rational criminal will select the easiest target that provides the highest reward. An open and inviting property provides a high level of opportunity for criminals. University campuses are a good example of an easy target since they are typically open environments with minimal perimeter security measures. It is quite a challenge to secure university campuses without creating impediments to the institution’s primary goal of Education. Adversaries also select targets where the rewards are high. Malls, for example, provide ample auto theft opportunities for the perpetrator who specializes in stealing cars. One may think of target selection primarily as a force of opportunity. The goal for security decision makers, then, is to reduce the available crime opportunities at the facility. Opportunity-reduction strategies address the characteristics of the facility that either encourage or deter crime. Each facility will be different in terms of the solutions that are effective because each property has its own unique characteristics and unique threats. Unfortunately, what works at one facility may not work at a similar facility in a different geographic area. Opportunityreduction strategies may take the form of enhanced policies and procedures, physical security measures, or security personnel. Although the focus of this text is on cost-effective solutions to everyday crime concerns, the reader should not feel limited to using what is discussed herein, but rather is encouraged to be creative in the search for appropriate solutions for particular concerns. Although it may sound basic, one of the fundamental opportunityreduction strategies for litter prevention is the installation of trash receptacles. The following section is not intended to be comprehensive in addressing every possible threat, but it will endeavor to cover the more common crimes
42
Strategic Security Management
that affect many facilities. Security decision makers are encouraged to study in depth the particular crimes that have historically occurred at their facilities.
Assault-Type Crimes (Assault, Aggravated Assault, and Murder) Assault, aggravated assault, and murder are evaluated together because their threat dimensions are similar. Assault-type crimes can escalate to aggravated assault crimes and aggravated assault can escalate to murder. The facility’s situational elements may either encourage or discourage assault-type crimes. For example, as noted earlier, bars, nightclubs, and other venues where alcohol is served can be prone to assault-type crimes because alcohol tends to lower inhibitions and cause people to become more combative. South American soccer games are also more prone to assaults than American football games, primarily because of the passion of the fans. European soccer fans were satirized in the 1990s in an old Saturday Night Live skit about Scottish soccer hooligans who were so aggressive and passionate about their teams that they beat each other up. It is the task of the security decision maker to determine what threats are inherent to their facility. Residential communities, such as apartment buildings, may also suffer from assault-type crimes. Demographic and crime data would indicate that interpersonal, or domestic, assaults are more likely to occur in lower socioeconomic communities. Criminological data indicates that assault-type crimes are committed by and against people who are similar in age, race, and gender. Thus, for assault-type crimes, the target’s characteristics will often be substantially similar to those of the adversaries. Schools provide a good example of this correlation: in schools the victim and the offender are typically the same age and race because of the very nature of schools. Security decision makers can identify threats using this information. Adversarial motivation and capability for assaults, aggravated assaults, and murders are typically rooted in emotional issues. Here again, soccer games provide the emotional, passionate high wherein fans may express their excitement in violent ways. Gun control laws are society’s method for reducing the capability of adversaries to commit violent crimes. Though sometimes effective, gun control laws are certainly not without controversy. Many schools have implemented zero tolerance policies for guns to protect students. Some have even installed metal detectors to reduce the capability of bringing a gun into a school. Target selection methods vary according to assault-type criminals. Although many assaults are driven by anger, some targets are carefully selected. Serial killers, for example, normally select their victims based on certain characteristics. Ted Bundy’s victims were attractive girls with long, dark hair normally parted down the middle, while Jeffery Dahmer’s victims were young males. How do security decision makers prevent assault-type crimes? Those assaults, aggravated assaults, and murders that are not interpersonal are called stranger-
Threat Assessments
43
initiated. Stranger-initiated assault-type crimes are easier to prevent than interpersonal assaults. Opportunity-reduction strategies include deterrence and response measures designed to create an environment perceived by the adversary as risky with a high chance of apprehension. Some assault-type crimes are very difficult to prevent. Interpersonal assaults, for instance, which occur between two known parties, are not typically deterred by security measures. For example, an apartment community may have a security fence and gate, parking lot lighting, and high security locks on doors, yet none of these measures can prevent a husband from striking his wife.
Robbery Robberies are a big concern for most security decision makers and adversely affect business in a number of ways, including causing injuries, loss of property, negative reputation, and liability. There are two primary types of robberies: robberies of people and robberies of business. Bank robberies, shoplifting escalation, and retail holdups are business-related robberies; personal robberies include car-jacking, purse snatching, and mugging. A facility’s situational characteristics that contribute to a robbery-prone environment are easily identified by experienced security decision makers once they understand the precise type of robbery impacting the property. Poor lighting, the existence of hiding places, and unprotected assets provide ample opportunity for personal robberies. Poor employee training, unfettered access, and easy escape routes can create an environment conducive to business robberies. Among the better security concepts developed in recent years is improved parking lot design at retail stores and shopping malls. Additional curbing has been used to control the flow, direction, and speed of traffic, all of which constitute a deterrence to robbery and other crimes by creating obstacles to a robber’s escape from the property. Robbery target characteristics depend on the nature of the robbery. Purse snatchings obviously require an unaware female holding a purse, whereas carjackings are limited to areas where cars can travel or park. Why does a convenience store experience more business robberies than another convenience store located across the street? Poor lighting and store windows cluttered with signs and posters at the robbery-prone location might be contributing factors. A robber’s motivation is typically a rational balancing of risk and reward. If an asset is valuable (high reward) and unprotected (low risk), the probability of attack increases. Banks are susceptible to robbery because of the high reward for perpetrators. As such, bank security professionals institute various strategies for protecting bank assets. Capability is dependent on the type of robbery executed. Bank robberies require greater skill than simple purse snatchings. What does a robber look for in an attractive target? Regardless of the type of robbery contemplated, targets are rarely selected randomly. Obviously, the
44
Strategic Security Management
balancing test of risk and reward is a factor. Purse-snatch robbers seek out unaware women to target, with the reward being higher in higher socioeconomic areas. Like assault-type crimes, robbery opportunity-reduction strategies vary with the type of robbery occurring on the property, but generally increased physical security measures, enhanced natural and artificial surveillance, and security personnel provide protection. Banks may implement silent alarms or install bullet-proof glass to protect against robbery. Residential homeowners may install alarm systems with sensors mounted on all entry points and may even have the alarms monitored by a private company or the police. Convenience store owners may remove obstructive signs from windows to increase surveillance both into and out of the store. Car manufacturers have also started to include automatic locks on their vehicles to prevent car-jacking. Often, simple and inexpensive changes in policies and procedures can have a positive impact on robbery reductions.
Theft and Auto Theft As is true of robbery, there are many types of thefts. Situational elements at a facility are a primary determinant of the types of theft that may occur. Retail stores are prone to shoplifting, while large parking structures experience auto thefts and burglaries of motor vehicles (BMV). Laundromats may experience high levels of theft from the coin-operated machines, and schools may report a large amount of bicycle thefts. Each year the automobile insurance industry releases data on the nation’s most frequently stolen cars and trucks. Although it might surprise some readers that BMWs and Mercedes don’t make the top ten list, it won’t be news to most security professionals. Cars such as Hondas, Toyotas, and Chevrolets are more easily hidden among the masses, and they are also more easily fenced or stripped for use in other cars. It is for these characteristics that certain cars are more likely to be stolen than BMWs. The thief ’s motivation and capability are subject to the risk- and rewardbalancing test. Grocery stores, for example, often suffer from high levels of baby formula and over-the-counter drug thefts because of the high value of both items. These items are often turned over to a fence, or middle man, who will pay decent amounts to the thief and then sell the items back to the retailers. The thief ’s capability is limited only by his or her skills and creativity. Some thieves work alone committing petty thefts, stealthy thieves may be pickpockets, and organized thieves may band together to commit larger thefts. Normally, an asset has the same value and attraction to property owner and thief alike. Jewelry, for example, is both valuable and easy to conceal because of its size. Financially motivated thieves will seek assets that they can later sell for a profit. Personally motivated thieves will steal assets such as drugs or expensive basketball shoes that they can personally use.
Threat Assessments
45
Opportunity-reduction strategies for theft range from the simplest to the most complex, from moving an asset out of sight to installing vaults, alarms, and camera systems. Auto theft reduction may take the form of simple alarm systems to monitored tracking systems. Some grocery stores have now begun to store baby formula and over-the-counter drugs in locked cabinets. Clothing retailers use electronic security tags to prevent their clothes from being shoplifted. Here again, in order to implement appropriate countermeasures, the security decision maker must fully understand the type of theft experienced at the facility.
Political Crimes (Terrorism) The FBI defines terrorism as the unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof in furtherance of political or social objectives. What situational elements of a facility lend themselves to terrorism?. Without delving into the politics of terrorism, it is safe to say that groups angry with a government’s policies and actions can create the justification for terrorists to take action. In 1995, Timothy McVeigh bombed the Murrah Federal Building in Oklahoma City because of his outrage over the U.S. government’s actions in Waco against the Branch Davidians in 1993. And Osama Bin Laden claims that one of the reasons al-Qaeda is angry at America is because the United States established a military base in Saudi Arabia during the first Gulf War.
The Adversary’s Target Election Factors Obviously, national monuments and critical infrastructure assets are the terrorist’s most likely targets; areas where large numbers of people (targets) gather make good terrorist targets. Therefore, bus stops are frequent terrorist targets in Israel, while trains have been attacked in both Great Britain and Spain. In the United States, one of the homeland security specialists’ greatest fears is a terrorist incident at a large significant sporting event, such as football’s Super Bowl or baseball’s World Series games. As Timothy McVeigh taught government security professionals, government buildings with a concentrated level of enforcement agencies such as the Federal Bureau of Investigation and the Bureau of Alcohol, Tobacco, and Firearms make better targets than government buildings with agencies such as the Social Security Administration or the Equal Employment Opportunity Commission. Reducing the motivation and capability of terrorists is the prime method for reducing the threat of terrorism. It might make one wonder whether Osama Bin Laden considered the risk- and reward-balancing test before launching the September 11 attacks. For now, that issue will be left to the experts to figure out. Reducing capability, as we have already discussed, is a good way to lower
46
Strategic Security Management
the threat level. Certainly, too, cutting terror funding and destroying training camps are good opportunity-reduction strategies.
The Homeland Security Advisory System Despite its relatively short existence, the most well-known threat-rating scale is the Homeland Security Advisory System. The system is qualitative in nature with color-coded levels indicating the threat level. The rating scale includes general responses and countermeasure deployments that should be considered, depending on the nature of the organization the security decision maker is protecting. 1. Low Condition (Green)—This condition indicates a low risk of terrorist attacks. Refine emergency operation plans and business continuity plans. Conduct emergency response drills. Train personnel in emergency response. Assess vulnerabilities and develop mitigation strategies. Continue to monitor threats. 2. Guarded Condition (Blue)—This condition indicates a general risk of terrorist attacks. Follow the responses and countermeasures described under Level 1. Ensure communications with designated emergency response personnel. Review and update emergency response procedures. Provide employees with information that would strengthen its ability to act appropriately. 3. Elevated Condition (Yellow)—This condition indicates a significant risk of terrorist attacks. Follow the responses and countermeasures described under Levels 1 and 2. Increase surveillance of critical assets. Coordinate emergency plans as appropriate with other businesses and law enforcement. Assess and refine mitigation strategies with the characteristics of the current threat. Implement additional contingency and emergency response plans as needed.
Threat Assessments
47
4. High Condition (Orange)—This condition indicates a high risk of terrorist attacks. Follow the responses and countermeasures described under Levels 1, 2, and 3. Coordinate security efforts with all organizational departments and law enforcement. Take additional precautions at public events and possibly consider alternative venues or even cancellation. Execute appropriate elements of emergency response and business continuity plans. Restrict facility access to essential personnel only. 5. Severe Condition (Red)—This condition indicates a severe risk of terrorist attacks. Follow the responses and countermeasures described under Levels 1, 2, 3, and 4. Prepare emergency response personnel. Preposition emergency response equipment. Evacuate the facility.
Basic Threat Assessment Report The threat assessment is based on the Uniform Crime Report (UCR) data from the City of Stafford Police Department. Using the Federal Bureau of Investigation’s UCR coding system, all crimes were reclassified to meet the FBI standard. Twentyfour (24) crimes were analyzed for each facility for the period January 1, 2002 through December 31, 2004. These crimes include: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13.
Murder Rape Robbery Aggravated Assault Burglary Theft Motor Vehicle Theft Arson Other Assaults Forgery and Counterfeiting Fraud Embezzlement Stolen Property—Buying, Receiving, Possessing
48
Strategic Security Management
14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24.
Vandalism Weapons—Carrying, Possessing, etc. Prostitution and Commercialized Vice Sex Offenses Drug Abuse Violations Gambling Offenses Against the Family and Children Driving under the Influence Liquor Laws Drunkenness Disorderly Conduct
Site 01 Administrative Offices Property crimes, including vandalism, theft, and auto thefts are the primary concerns at the administrative offices. During the three years analyzed, no crimes against persons occurred on the premises. Site 02 Park Meadow Park Meadow is a medium population facility located on the Town’s west side.There have been a number of violent crimes, primarily robberies, at this location; however, there has been a significant downward trend since 2002. Property crime is considerably low at Park Meadow despite the violent crime level. Crime rates for this property were calculated using the facility’s population and violent crimes for each year analyzed. In 2002, the violent crime rate was 54.8 violent crimes per 1,000 persons, while 2003 marked the beginning of the downward trend to 30.8 per 1,000 persons, and 2004’s rate of 24.2 per 1,000 persons. Site 03 Haley Gardens Haley Gardens, a medium population facility centrally located, has seen a remarkable drop in crime in 2004 with no violent crimes occurring during the past year.This is likely the result of enhanced security measures implemented at the facility in 2003. Burglaries of motor vehicles (BMV’s) and acts of vandalism have also decreased. Site 04 Waverly Waverly is a low population facility located on the Town’s south side. There have been very few violent crimes on the premises, and none occurred in 2004. Property crimes, on the other hand, are still prevalent.
Threat Assessments
49
Site 05 Autumn Hill Autumn Hill is a medium population facility located on the Town’s west side in close proximity to Park Meadow. This facility also received additional security measures in 2003, and both violent and property crime declined substantially in 2004.The violent crime rate dropped from 30.7 in 2003 to 6.0 per 1,000 persons in 2004. Site 06 Broadknoll Purse-snatch robberies are the primary crime occurring at Broadknoll. While the rate of violent crimes dropped in 2004, there is still a high threat level. In fact, property crime escalated significantly in 2004. Despite a decrease since 2002, the threat level is notable considering this is a low population facility. Site 07 White Sands White Sands is a high population facility with a high threat level.Thirty percent of all the robberies at the ten facilities occurred at White Sands. Though the crime rate has dropped from 2002, the threat level is still significantly high. In addition to the high robbery rate at this location, two rapes occurred, though both incidents were domestic in nature and posed no threat to other residents. One murder also occurred at White Sands and is still under investigation by the Police Department. Site 08 Ashland Grove Ashland Grove is a medium population facility located on the north side. Similar to Broadknoll, purse-snatch robberies are the primary concern; however, the violent crime rate is relatively low. BMVs are also a concern as most thefts occurring on the property are burglaries of motor vehicles. The violent crime rate doubled in 2004; however, there was still a low level of crimes of violence. Site 09 Meadow Gardens Meadow Gardens is the highest population facility of the 10 sites analyzed. Given this high population, the violent crime rate is relatively low in comparison to the other sites, however the crimes tend to be more violent in nature, with two rapes and numerous car-jacking robberies. Domestic assaults are also prevalent. Site 10 Hyde Heights Hyde Heights is a low population facility located on the Town’s east side. No violent crimes occurred during 2004 on this property. Thefts are a major concern on this property, with the vast majority being Burglaries of Motor Vehicles.
50
Strategic Security Management
Site 11 The Terrace Veteran’s Terrace is a medium population facility on the Town’s north side and is considered by residents and management to be a crime-prone property given its size. UCR data confirms this with the highest 2004 violent crime rate of all the properties.Two murders and five rapes and a significant amount of robberies and aggravated assaults in the past three years have led to a high threat level and a general fear of crime by residents. Summary Of the 10 residential properties, White Sands, The Terrace, Park Meadow, and Broadknoll have the highest threat level and fear of crime by residents. Robberies are most prevalent at White Sands, and crime trends are discernible at each property. Simple assaults were also common at all facilities, although most were domestic in nature and not likely a result of inadequate security. Property crimes at the 10 residential facilities include thefts and auto thefts; however, burglaries of resident apartments are notably absent.
Chapter 4
Crime Analysis
In this chapter . . .
Statistics for Security Management Crime Triangle Purpose of Crime Analysis Data Sources Law Enforcement Data versus Social Disorder Models Advantages of Law Enforcement Data Geographic Levels Methodology Return on Security Investment
TAG's Risk Assessment Process® Asset Identification
Policies & Procedures
Current Security Measures
Physical Security
Security Personnel
Threat Assessment
Crime Analysis
Vulnerability Assessment
Risk Assessment
Cost Benefit Analysis
Report and Recommendations
Figure 4-1. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
51
52
Strategic Security Management
Statistics for Security Management Statistics are used in planning for the future. As a key component of a threat assessment, crime and security statistics guide the risk assessment process, help in the selection of appropriate countermeasures, monitor program effectiveness, and alleviate risks and the associated costs of risks. The use of information regarding crimes and other security incidents helps the security decision maker plan, select, and implement appropriate security measures that address the actual risks of the facility. Security decision makers, after assessing the crime problem, can select the most effective countermeasures that eliminate risk or reduce it to an acceptable level. Budget justification is also accomplished through the use of statistics since effective security measures will reduce the risk, and returns on security investments can be calculated and considered in the bottom line. A common application of statistics in the security arena is the use of security reports and crime data to determine the risks to a facility, including its assets and personnel. The security professional need not be a mathematician to fully utilize statistical data; rather, he or she needs only a basic understanding of the various methods to use such information, along with a basic knowledge of personal computer and spreadsheet software. The use of statistics extends beyond planning security at an existing facility. Statistical data may also be used to select and plan security at new facilities. For example, the real estate department of an organization may provide the security decision maker with a list of potential new sites, one of which will be selected based on, among other things, the threats at the location. In this role, the security decision maker serves as an advisor to the real estate department by conducting crime analysis of the proposed sites as well as perform security surveys of each site to identify vulnerabilities in an effort to select the location that poses the least or a tolerable level of risk. In this scenario, the security decision maker will gather and analyze crime data for similar businesses in the area surrounding each site to determine the security problems. The sites that have the least number of crimes can be evaluated further by means of a security survey that identifies potential or existing vulnerabilities. After the sites have been narrowed down by threat and surveys have been completed, the security decision maker has the necessary information to advise the real estate department. Integrating crime analysis into an existing risk model is a fairly simple task for most organizations. Threat assessment information is the backbone of security surveys and defines the scope of the security survey and vulnerability assessment. Before embarking on a security survey, security decision makers will have a thorough understanding of the threats, crimes, and security incidents at the facility. This information guides the security decision maker as he conducts the survey and looks for vulnerabilities and the crime opportunities that can be blocked with security measures. For example, an office building security director concerned with a flood of thefts of employee wallets and purses may conduct a survey with an eye toward
Crime Analysis
53
the opportunities that are available in the office suites. As he walks through the offices, he may find that purses and wallets are readily visible from office doors and windows, thus providing the opportunity for criminals to see the target property. A simple and cost-effective solution to this problem is to institute a “clean desk” policy whereby employees are encouraged to lock their personal belongings in their desks or a company locker. A more serious security problem that the building security director may face is that of assaults and robberies in the parking garage adjacent to the office building. If the statistical information indicates that the assaults are occurring on the upper floors of the garage and the victim does not know the perpetrator, the security director will assess the security weaknesses of the parking garage. He may find that numerous unlit hiding areas provide the necessary cover for robbers. By applying relatively low-cost measures such as mirrors and lighting, the building security director will reduce the opportunity for criminals to hide. It isn’t that they can’t see the solution. It is that they can’t see the problem. —G.K. Chesterton from The Scandal of Father Brown
Crime Triangle Reducing the opportunity for crime to occur is a strategic goal of security professionals. Behind this goal is the concept of a crime triangle, whereby three elements must exist for a crime to occur: Motive Capability Opportunity With little or no control over a determined offender’s desire, security decision makers focus their attention on the remaining elements of the crime triangle by attempting to block opportunities and remove motivation, both of which can be controlled to a large extent by an effective security program. Motivation is created by the actual crime target. In the private sector, a criminal’s motive is the asset(s) that the security program is created to protect. Here again, assets include people, property, and information. Since organizations usually require assets to operate, the removal of motivation is a difficult task, if not altogether impossible. Most businesses must instead turn their attention to blocking the opportunity of crime. As seen in the Figures 4-2 and 4-3, blocking opportunities for crime leads to a reduction in crime. The crime triangle is a simple, yet effective, method for illustrating how a crime can be prevented. More complex methods for explaining crime causation exist such as the Routine Activity theory developed by Marcus Felson. Part
Strategic Security Management
e
Crime
tiv Mo
Ca pa bili ty
54
Opportunity
bili pa Ca
e
Crime
tiv
Mo
ty
Figure 4-2. Crime Triangle. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
Opportunity
Figure 4-3. Crime Triangle. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com. of this theory explains crime causation and may be considered an expansion of the crime triangle. According to this explanation, for a crime to occur, six components must be present: 1. Motivated offender—a person ready and willing to commit a crime. 2. Absent or ineffective handler—a person who influences the behavior of the offender. Handlers include parents, relatives, friends, teachers, and employers. 3. Suitable target—a person or asset that is of value to an offender. 4. Absent or ineffective guardian—a person who protects the target from harm. Guardians include police, parents, relatives, friends, and property managers. 5. Time—a period for the first four ingredients to come together. 6. Space—a place for the first four ingredients to cross paths.
Crime Analysis
55
Purpose of Crime Analysis Sir Arthur Conan Doyle in his Sherlock Holmes mystery, A Study in Scarlet, said, “There is a strong family resemblance about misdeeds, and if you have all the details of a thousand at your finger ends, it is odd if you can’t unravel the thousand and first.” It is on that basic premise that crime analysis is founded. Whether one is working proactively to address security concerns or reactively in litigation or during the investigation of a crime, crime analysis is an effective tool. From an asset protection perspective, crime analysis is the identification of risk and vulnerability, and from a liability prevention perspective, crime analysis is the determination of foreseeability. Broadly speaking, crime analysis is the logical examination of crimes that have penetrated preventive measures, including the frequency of specific crimes, each incident’s temporal details (time and day), and the risk posed to a property’s inhabitants, as well as the application of revised security standards and preventive measures that, if adhered to and monitored, can be the panacea for a given crime dilemma (Applied Crime Analysis, 2001). While this definition of crime analysis is holistic, it can be dissected into three basic elements:
The logical examination of crimes that have penetrated preventive measures The frequency of specific crimes, each incident’s temporal details (time and day), and the risk posed to a property’s inhabitants The application of revised security standards and preventive measures
Examining crimes perpetrated at company facilities is commonplace in today’s business environment. In larger companies, a person or group of people may be solely dedicated to the function of crime analysis, usually working under the risk management or security departments. In smaller companies, the crime analysis function is handled by someone who also has other security management duties. Crime analysis may also be an outsourced function, whereby company personnel simply utilize crime data that a contractor has collected, entered into a database, and possibly provided some analytical workup or the tools to do so. With regard to the analytical component, crimes are analyzed in different ways depending on what one is trying to accomplish. Most commonly, facilities are ranked based on the crime level or rate. Generally, facilities with more crime or a higher crime rate are given a larger piece of the security budget, while less crime-prone sites are given less security money. Crimes are also analyzed on a facility-by-facility basis, allowing security professionals to select appropriate countermeasures. (The various types of crime analysis methods are discussed in depth later in this chapter.) Finally, crime analysis is used to assess and select appropriate countermeasures. Crimes that are perpetrated on a property can usually be prevented using
56
Strategic Security Management
security devices or personnel. However, it should be noted that not all measures are cost-effective or reasonable. Certainly, a criminal perpetrator would be hard pressed to steal an automobile from a small parking lot patrolled by 20 security officers, though that type of security extreme is not reasonable, nor is it inexpensive. Crime analysis guides security professionals in the right direction by highlighting the types of crimes perpetrated (crime-specific analysis), problem areas on the property (spatial analysis), and when they occur (temporal analysis), among others. By using this information, it is much easier to select countermeasures aimed directly at the problem. In summary, crime analysis seeks to:
evaluate actual risk at a company’s facilities and rank facilities by risk level. reduce crime on the property by aiding in the proper allocation of asset protection resources. justify security budgets. continually monitor the effectiveness of the security program. provide evidence of due diligence and reduce liability exposure.
Why would a security decision maker need to know how crime occurs? Understanding the factors that lead to crime, coupled with a comprehensive study of crime on the property, assists security decision makers in creating effective security programs to block opportunities for crime. Crime analysis seeks to answer the questions What? Where? When? Who?, How?, and Why? Answers to these questions help security decision makers better understand the particular nature of crime on a given property and to formulate specific responses. The What question tells us what specifically occurred. For example, was the crime against a person or property, violent or not violent, completed or attempted? What also distinguishes between types of crime that require different solutions, such as whether a reported robbery was actually a burglary. Where answers the location-specific question. Did the crime occur inside the walls of the location, in the parking lot, in the alley behind the site? If the incident occurred inside, did it occur in a public area or a controlled area? Determining the precise location assists security decision makers in creating additional lines of defense around targeted assets. For example, if the crime analysis indicates that a vast majority of loss at a small grocery store is occurring at the point of sale, then little will be accomplished by installing a lock on the back office where the safe is located. In this example, the crime analysis will rule out certain measures, but by the same token, crime analysis will also spotlight certain solutions, such as increased employee training or updated accounting systems at the point of sale. The When question gives us the temporal details of each incident. Knowing when crimes are most frequent helps in the deployment of resources, especially
Crime Analysis
57
costly security measures such as personnel. Temporal details include the date, time of day, day of week, and season in which a crime occurred. Who answers several important questions that help a security decision maker create an effective security program. Who is the victim(s) and who is the perpetrator? Knowledge of the types of criminals who operate on or near a given property assists security decision makers in selecting the best measures to reduce crime opportunities. For example, gambling casinos have used closed circuit television (CCTV) for some time to track known gambling crooks. Also important are the potential victims of crime. Ted Bundy and Jeffrey Dahmer, like other more common criminals, select particular types of victims. Thus, an understanding of the people that may be targeted focuses a security decision maker’s attention. For example, a residential apartment complex that caters to recently released psychiatric patients has a larger responsibility to provide a safe environment given the fact that their clientele are not usually capable of protecting themselves. The oldest example of the Who question dates back to premises liability law itself whereby innkeepers were often found to be responsible for the safety of a guest when crime was foreseeable. People on travel usually do not know the area in which they are staying, and they also have little control over the security measures they can take to protect themselves inside the hotel room. How is the most consequential question to be answered by the crime analysis. How a crime is committed often directly answers the question of How the crime can be prevented in the future. More specific How questions may also be asked. For example, how did the criminal access the property? If we know that a criminal has accessed the property via a hole in the back fence of the property, efforts can be taken immediately to repair the fence. Other specific questions reveal the method of operation (MO). How did a criminal enter the employee entrance of an electronics store to steal a television? How did a burglar open the safe without using force? How did the car thief leave the gated premises without knowing the exit code? Obviously, the list of examples is unlimited, and security decision makers need to ask as many questions as possible about the criminal’s actions to learn the most effective solutions. It is true that often the How question will be the most difficult one to answer. This leads into a problematic area as crime sources can be divided into two categories, internal and external. Internal sources of crime can be employees and other legitimate users of the space such as tenants. They are called legitimate users of the space because they have a perfectly valid reason for attending the location but in the course of their regular activities, they also carry out criminal activities. External sources of crime are illegitimate users of the space whose prime motivation for coming to the site is to conduct some type of criminal activity. Security strategies may be vastly different between legitimate versus illegitimate users of space. For example, several barriers can exist between the outside public access and a specific target. If the property or security decision maker is
58
Strategic Security Management
only concerned with someone breaking into an area, then he or she will be ignoring the legitimate user who may have an access control card, Personal Identification Number, password, biometric feature, or any number of other avenues of entry. With these answers, security professionals are better armed to attack the crime problem.
Data Sources Security Reports A valuable and highly encouraged source of data is the in-house security report (SR). As the name implies, SRs are reports of criminal activity and other incidents (parking, loitering, and security breaches) that may be of concern to security professionals. These reports may be generated by management directly or through contracted security companies. The validity of SR data is only as good as the policy that outlines the reporting and recording procedures, the quality of supervision over security personnel, and the verification process used to eliminate subjectivity. Regardless of the quality of their SRs, management should be cautious not to exclude other sources of data and should not rely solely on in-house security reports. In requiring the collection of security reports, management can stipulate precisely what information is beneficial for their purposes and is contained within each report. Having said that, management should strive to include the following minimum elements: 1. 2. 3. 4. 5. 6. 7.
Incident reported Date of incident Time of incident Precise location where the incident occurred on property Victim(s), if any Witness(es), if any Modus Operandi (MO), or Method of Operation used by perpetrator, if any 8. Follow-up investigation(s) 9. Remedy The most successful use of security reports that the author has seen occurred in a large, multibuilding apartment community. After spending over $40,000 on fencing and access control systems to reduce the high level of auto thefts at the apartment complex, the apartment manager was distraught that the auto thefts continued at the complex despite the fact that the innovative access control system had been installed. As a consultant, the author was asked to analyze the situation and determine additional measures to be implemented to
59
Crime Analysis
SECURITY OFFICER INCIDENT REPORT PLEASE PRINT LEGIBLY, SIGN WHERE INDICATED, AND DISTRIBUTE AS LISTED ON LAST PAGE
Date and Time of Incident: Date:
/ / (MM/DD/YEAR)
Time: _____________________ (24 Hour Clock)
Name of Security Officer: _________________________________________________ Type of Incident: (Check as Applicable) [ ] Prohibited Item(s) ___________________________________________________ [ ] Disorderly Conduct
[ ] Disturbing the Peace
[ ] Public Intoxication
[ ] Alarm Activation
[ ] Other _____________________________________________________________ Name of Offender: ______________________________________________________ Address: ______________________________________________________________ ______________________________________________________________ General Information: [ ] Male [ ] Caucasian Behavior:
[ ] Female
[ ] African-American [ ] Cooperative
[ ] Hispanic
[ ] Native American
[ ] Uncooperative
[ ] Other
[ ] Combative
Date of Birth:_________________________________ Scars, Tattoos, or Other Identifying Marks: ____________________________________ Brief Narrative Description of Incident (Attach Statement as Necessary):
Use of Force: [ ] No force was used during this incident [ ] Force was used as indicated below (mark all that apply): [ ] Offender was physically escorted from the facility [ ] Offender was physically restrained and placed in handcuffs at ________(insert time) [ ] Offender was subdued using expandable baton
Security Consultants Group, Inc.
1 of 2
SCG Form NC-ICR (REV 10/05)
Figure 4-4. Incident Report, Copyright ©2007 by Security Consultants Group, Inc. Used by permission. Additional information available from Security Consultants Group, Inc. via www.scgincorp.com.
60
Strategic Security Management
Witness: [ ] There was no witness to this incident [ ] Witness: (If more than one witness list additional data for each on back of page) Name: _________________________________________________________________ Address: _______________________________________________________________ _______________________________________________________________ Phone/Email: ___________________________________________________________ Statement Attached?
[ ] Yes
[ ] No
Action Taken on Incident: [ ] Offender voluntarily departed from facility [ ] Incident reported to Director or designated representative [ ] Local law enforcement was contacted for response/assistance
_______________________________________ SIGNATURE OF SECURITY OFFICER
_____________________ DATE
Distribution: Original: Copies:
Director, Department of Environmental Services Local Security Office Files Project Manager, Oak Ridge (Only if Any Force is Used)
Security Consultants Group, Inc.
2 of 2
SCG Form NC-ICR (REV 10/05)
Figure 4-4. Continued
thwart the problem. After analyzing the crime and verifying the extent of auto thefts, a review of the apartment’s resident screening policies was conducted, and it was learned that management was not carrying out criminal background checks on prospective tenants as required by policy and leases. The apartment management immediately conducted the checks and learned that three convicted auto thieves were living in one unit of the complex. This information was corroborated by analyzing the auto theft data for the complex which showed that, although auto thefts occurred in all areas of the parking lots, they were concentrated around the particular apartment building where the three men lived. Because the men lived on property, they had full, authorized access to the complex and its parking areas. Management proceeded to have the three men evicted for failing to pay their rent on time, and soon after the eviction was finalized the auto theft problem disappeared. This example
Crime Analysis
61
shows the importance of following security policies and procedures as well as analyzing the crime statistics and other internal data thoroughly.
Law Enforcement Data versus Social Disorder Models Some companies have used social disorder models in place of crime analysis, though more and more are realizing the problems associated with these models. Since the publication of Applied Crime Analysis in 2001, the author has seen more than 90 percent of his security consulting firm’s clients migrate away from using social disorder theories toward utilizing true crime analysis. While those numbers are substantial, still many organizations do not understand the concerns of social disorder models, the most problematic of which are discussed here. Social disorder models are based primarily on criminological theory with little practical use since the primary source of their metrics is demographic data. Among the primary problems of the social disorder model is the failure to publish the methodology used in arriving at the model’s results. Without a published and peer-reviewed methodology, security professionals cannot rely on the data, and one can only imagine the implications of having a large part of a company’s risk model rejected by the courts during litigation. Security directors have a responsibility to fully understand the risk model they use and to be prepared to explain it in deposition and trial when representing their company in litigation. Another problem associated with social disorder models is their reliance on demographic data. Although private firms collect demographic data more frequently, the majority of demographic data in the United States is only collected every 10 years via the U.S. Bureau of the Census. Because of the time lag needed to obtain the demographic data and the subsequent time required to develop the model from that data, results are not timely. Social disorder models also present some challenges in effectively removing race from the analysis since the base demographic data are based on an area’s population and its characteristics, including socioeconomic levels, education levels, and personal traits of the populace such as age, sex, and race. Contrary to FBI crime reports and actual police data, large areas of the United States are considered high crime according to social disorder models, necessitating many companies to discontinue use of the model in large parts of the country. Some companies have faced charges of redlining, which is the private-sector equivalent of racial profiling, resulting in a negative impact on the corporate reputation.
Advantages of Law Enforcement Data Police data represents the most widely used source data for crime analysis because it presents an accurate crime history for a property and is from an objective source. Since police departments don’t have a stake in a company or
62
Strategic Security Management
any associated liability exposure, their crime data is considered reliable and unbiased. Although some instances of city or county-wide crime statistics manipulation have occurred historically in some law enforcement jurisdictions, rarely, if ever, are the statistics for specific addresses and facilities skewed. Most crime data manipulation occurs to overall city crime levels to serve various political goals. At the facility level, law enforcement agencies have little reason to skew the statistics. Another advantage of police crime data is its vast availability due to extensive reporting, capturing, and maintenance of the crime statistics across most jurisdictions in the United States. Although costs for the data vary from jurisdiction to jurisdiction, most fees are reasonable. The only downside to police data is the time required to obtain it from police agencies, with the necessary time ranging from hours to weeks. Various crime data and analysis methodologies have been published and used by many cutting-edge companies in the protection of assets. Crime analysis methodologies have been published and subjected to peer review in various security and police textbooks, the definitive security book being Applied Crime Analysis. Law enforcement data is almost always accepted by the courts and in fact is sometimes required by the courts in determining the foreseeability of crime. Although a particular methodology may be subjected to scrutiny, the data is normally admissible. The security professional tasked with testifying on behalf of his or her employer is safe to rely on crime data from police departments as long as the methodology used is sound.
Law Enforcement Data Sources Among law enforcement data sources are Uniform Crime Reports (UCR), Calls for Service (CFS), and Offense Reports. These data sets are typically easy to obtain, and in the case of UCR for large geographic areas, they are available online at the Federal Bureau of Investigation website (www.fbi.gov). Local law enforcement data is normally accessible via Freedom of Information (FOIL) requests or under individual state laws regarding public information. For state laws and detailed instructions, contact the state’s Office of the Attorney General.
Uniform Crime Reports According to the Federal Bureau of Investigation, “the Uniform Crime Reporting Program was conceived in 1929 by the International Association of Chiefs of Police to meet a need for reliable, uniform crime statistics for the nation. In 1930, the FBI was tasked with collecting, publishing, and archiving those statistics. Today, several annual statistical publications, such as the comprehensive Crime in the United States, are produced from data provided by nearly 17,000 law enforcement agencies across the United States. Crime in the
Crime Analysis
63
United States (CIUS) is an annual publication in which the FBI compiles the volume and rate of crime offenses for the nation, the states, and individual agencies. This report also includes arrest, clearance, and law enforcement employee data.” The Uniform Crime Report, or UCR as it is commonly known, is the nation’s crime measure. It employs constant crime definitions across the country’s many law enforcement jurisdictions and measures the following crimes: Part I Offenses 1. Murder 2. Rape 3. Robbery 4. Aggravated Assault 5. Burglary 6. Theft 7. Motor Vehicle Theft 8. Arson Part II Offenses 9. Other Assaults 10. Forgery and Counterfeiting 11. Fraud 12. Embezzlement 13. Stolen Property—Buying, Receiving, Possessing 14. Vandalism 15. Weapons—Carrying, Possessing, etc. 16. Prostitution and Commercialized Vice 17. Sex Offenses 18. Drug Abuse Violations 19. Gambling 20. Offenses Against the Family and Children 21. Driving under the Influence 22. Liquor Laws 23. Drunkenness 24. Disorderly Conduct These crimes were selected because they are serious, they occur frequently, they are likely to be reported to law enforcement, they can be confirmed by
64
Strategic Security Management
means of investigation, and they occur across all jurisdictions in the country. Developed by the FBI, the UCR includes crime data for most geographic areas in the United States ranging from counties and cities to the nation as a whole. Intermediate areas, such as state and metropolitan statistical area (MSA) crime data, are also available. Although these areas are too large to be included as the primary focus of crime analysis, the methodology and classification system is what security professionals should understand and use at the property level. When using the UCR, it is best to examine violent and property crimes separately because they pose different concerns for security professionals and may require the application of different security measures. To be certain, crimes should be evaluated individually and as specifically as possible. For example, the crime of robbery can be further divided into robbery of a business and robbery of an individual. Often, the security measures used to counteract these two robbery types are different.
Calls for Service (CFS) Although internal security reports and police crime data may overlap, it is incumbent upon the security decision maker to consider both in determining a facility’s true risk. Thus, the next step is to contact the local police department and determine what types of data are available by address. Though it is rare, UCR data or actual crime information can sometimes be obtained for a specific address. If it is available, it should be requested and analyzed (see UCR above). If UCR data by address is not available, Calls for Service (or 911 dispatch logs as they are referred to in some departments) should be requested from the law enforcement agency. The primary data set is Calls for Service (CFS), which serves as the basis for crime analysis and provides for the most accurate portrayal of criminal and other activity at a property. CFS may be regarded as the complete array of fragments that, when joined, form the most strikingly grounded survey of criminal activity for a specific property. Calls for Service consists of every report of crime, suspected crime, and activity called in to the police from a property. No other crime information source is as focused on a specific address for such a vast time span as Calls for Service, with the possible exception of in-house security reports generated by personnel operating on property 24 hours a day, 7 days a week. These inclusions, by definition, omit the imprecise factor of unreported crime. Research has concluded that unreported crime accounts for a 10 percent higher crime index, although this is highly dependent on the type of crime under observation. Despite the exclusion of unreported crime, Calls for Service still provides representative illustrations of criminal activity on a property. Calls for Service consists of those crimes or other activity reported by a victim, witness, or other person to a local law enforcement agency via the 911 emergency system and other channels. These reports may consist of actual crimes ranging from murder to theft, or suspicious activity, and other incidents
Crime Analysis
65
January 17, 2006
Houston Police Department Attn: Records Department 1200 Travis Houston, TX 77002 Re:
Freedom of Information Request
Dear Records: This request is made pursuant to the Freedom of Information Act. I am writing to request the Calls for Service for the time period January 1, 2004 to December 31, 2006 for the following addresses: 6720 Administration Avenue 5125 Park Meadow Street 6411 Waverly Street 1515 Haley Gardens Blvd 11703 Autumn Hill Street 3434 Broadknoll Lane 1043 White Sands Road 11341 Ashland Grove Drive 14251 Meadow Gardens Street 421 Hyde Heights Drive 320 Veteran’s Terrace Avenue Please contact me once this request has been completed and I will mail payment. This request may be e-mailed to [email protected] or faxed to (281) 494-5700 or mailed to P.O. Box 16640, Sugar Land, TX 77496. Should you have any questions, please feel free to call me at (281) 494-1515. Thank you for your time and assistance in this matter. Sincerely,
Karim H. Vellani, CPP, CSC P.O. Box 16640 • Sugar Land, TX 77496 • (281) 494-1515
Figure 4-5. Sample Request Letter for Calls for Service. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
66
Strategic Security Management
such as missing children, motor vehicle accidents, and parking complaints. Whatever the concern, if it is reported by a person, it is noted by the law enforcement agency. The synopsis of the given incidents is included on the record, along with the location, date, and time the event was reported. From devastatingly influential to seemingly insignificant, these records exist as clues waiting to be examined in some Holmesian mystery and because of their completeness of representation and maintenance by a local governing body, and as they operate independent from the security decision maker’s interests, they can generally be considered objective, thus adding the first of many threads of reliability to the crime analysis conclusions. In addition to the more obvious crimes, CFS adds elements that may be of interest to management such as the above-mentioned suspicious activity, accidents, and parking violations that could be realized to be important in the holistic concept of crime prevention. Being hyperinclusive, no single set of data exists that rivals Calls for Service for its accuracy. As with any set of statistics, many more desirable possibilities can be derived by performing additional correlations such as sorting crimes by precise location on the property and by times at which they occurred. When more raw data is available in one’s database, more meaningful cross-references and correlations are possible. One can consider that some of the fundamental ways people learn about various disciplines is through comparison, trial and error, or cause-and-effect methods. CFS allows trends or patterns in crime activity to come to light, which aids in the selection of appropriate crime countermeasures and provides for more enlightened comparisons between properties. Among other considerations that users of CFS should remember, CFS data reflects the location where a complaint was made, which may or may not be the site of the incident. However, the location and precise nature of the calls can be verified, and reliability can be enhanced when CFS is used in conjunction with the local law enforcement agency’s offense or incident reports (which will be discussed in depth later in this chapter). Some newer CFS systems encode data using the FBI’s Uniform Crime Report codification system. Thus, crimes can be easily differentiated from false reports and easily compared to city, state, and national crime levels. Older systems, however, must be converted to UCR through verification with offense reports. CFS is generally available from the local police department at a reasonable cost. In light of the availability and aforementioned considerations, CFS data can be used effectively to produce a fairly accurate crime history of a property, distinguish any crime trends or patterns, and compare properties.
Reliability of Calls for Service (CFS) The reliability of CFS has been tested to meet the demands of forecasting crime and other activity that might be of interest to management; among these activities are minor or major traffic accidents, medical emergencies, parking
Crime Analysis
67
problems, and essentially any situation that may possibly present concerns that would occupy the time of security decision makers to solve or remediate. One study indicates that Calls for Service over a year’s period would have a 90 percent accuracy rate—significantly higher than demographic data in predicting crime in the long run. CFS is a listing of all reports called into the police from the property and normally includes the reported incident, the date and time the call was made, and an incident number. In some cases, Calls for Service also tells us whether an offense report was written, the disposition of the case, and possibly the UCR classification. In essence, CFS discloses the initial details of crimes reported to the police from a particular location and includes every report of crime, suspected crime, and other activity as reported by a victim, witness, or other person to a local law enforcement agency.
Reliability of CFS data in predicting long-run risks (all calls, not just crimes): One month of data = 50% accuracy Two months of data = 60–65% accuracy Six months = 80% 1 year (13 28-day periods) = 90% Source: Spelman in Crime and Place, 135
Offense Reports Offense reports are the written narrative of a crime investigation and are used to verify CFS. This verification process is necessary because, as noted earlier, CFS data reflect the location from where a complaint was made, not necessarily the incident location. Offense reports also confirm the type of crime committed as well as the date and time of the offense. In many jurisdictions, only select portions of the offense report are available; however, the public information section contains enough information to allow an accurate database of crime incidents. Generally speaking, crime analysis seeks to build the most accurate database possible using only public information. During the course of a lawsuit, complete offense reports including arrest records and final case dispositions become available by subpoena, but the goal here is to proactively address the crime situation to prevent injuries and lawsuits. More of an expansion of Calls for Service than an independent data source, offense reports, or incident reports as they are sometimes known, should clear up ambiguities and possible inaccuracies through verification of CFS. Sometimes, however, an offense report is generated when police officers discover a crime independent from a call into the 911 emergency system. More precisely, offense reports are the written narrative of a Call for Service that resulted in
68
Strategic Security Management
March 17, 2006
Houston Police Department Attn: Records Department 1200 Travis Houston, TX 77002 Re:
Freedom of Information Request
Dear Records: This request is made pursuant to the Freedom of Information Act. I am writing to request the following Public Release Offense Reports: 050710E260 050912A236 050926G197 051208G929 050124D692 050728D094 051022C365 051123A631 050728A645 Please note that I am requesting only public information. Please contact me once this request has been completed and I will mail payment. This request may be e-mailed to [email protected] or faxed to (281) 494-5700 or mailed to P.O. Box 16640, Sugar Land, TX 77496. Should you have any questions, please feel free to call me at (281) 494-1515. Thank you for your time and assistance in this matter. Sincerely, Karim H. Vellani, CPP, CSC P.O. Box 16640 • Sugar Land, TX 77496 • (281) 494-1515
Figure 4-6. Sample Request Letter for OR’s. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
Crime Analysis
69
an actual crime and includes the individual reports of all law enforcement agents, including officers, detectives, and supervisors who worked the case. Although the availability of offense reports may be limited by law because of inclusion of personal information, victim names, criminal methods, or ongoing investigation, security decision makers should attempt to obtain them from the local law enforcement agency while in the process of conducting crime analysis. Often, however, most states allow the report or a portion of the narrative to be released to the general public upon request. As with all information, security decision makers should seek access to as much relevant crime information as possible to help them make knowledgeable management decisions. By no means should security decision makers feel that they are in error for not including offense reports when they are not available; on the contrary, one can only do what is reasonable and possible.
Geographic Levels Before delving into the crime analysis methodology, it is imperative to determine what geographic area is to be covered by the crime analysis. For the purpose of crime analysis, a hierarchy defines the geographic levels of analysis. Although one cannot mathematically quantify the importance of each level of geographic analysis, one can distinguish a relationship between each level, or ascertain the order of importance for each level. In defining each level, they have been listed in order of importance, and simultaneously in the order that should be of most concern.
Facility or Site Census Tract
Crime Statistical Reporting Area Beat, District or Precinct City or County Metropolitan Statistical Area State Nation
Figure 4-7. Hierarchy of Data. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
70
Strategic Security Management
Facility or Site From a security professional’s perspective, control of crime is normally limited to the organization’s facilities. This geographic area is the fundamental level of analysis for both crime prevention and liability prevention inasmuch as security personnel have the greatest ability to regulate most facets of its use. The primary sources of crime data for this level are CFS and offense reports, as well as in-house security reports, if they are available. Although security may influence neighboring areas with a diffusion of benefits—a process by which security measures implemented at one property may prevent crime at another location—the goal is to prevent crime at the controlled facility. For example, a security decision maker may be able to reduce crime on neighboring properties by increasing the lighting on his or her property as the light cannot be wholly contained to one property. Thus, security measures may positively impact neighboring properties indirectly. As we move away from the property level in the crime analysis, the geographic areas get larger and less easily influenced. The smaller areas that can be analyzed include Census Tract, Crime Statistical Reporting Areas, and Beats, Districts, or Precincts. Police departments sometimes maintain crime data for these areas. Although they are only marginally useful in crime analysis, they do assist us in determining how our area compares to other areas in the same city. Whenever possible, the population should also be known for these areas so that the crime rate may be calculated (see Methodology below).
Census Tract Census tracts are geographic areas defined by the U.S. Census Bureau for population and demographic purposes. In some instances, law enforcement agencies accumulate crime statistics by census tract. Since this occurs infrequently, it is not a standard level of crime analysis, but it may be included if the local law enforcement agency maintains data by census tract.
Crime Statistical Reporting Area A reporting area (RA) is another uncommon level of analysis and criteria, for their creation may diverge significantly across law enforcement jurisdictions. Generally, RAs are small, homogeneous areas created for the sole purpose of supporting crime data collection. When RA data is available, it may be used to assist with the crime analysis of an individual property.
Beat, District, or Precinct Patrol beats are common geographic zones in metropolitan areas that are created by law enforcement agencies to meet their resource allocation objectives—the number of patrol units in an area (beat). Beats are sometimes
Crime Analysis
71
grouped together and fall under one command center, district, or precinct. The actual land area of beats, the total number of beats, and the number of districts/precincts overseeing the beats can vary considerably in different cities. Crime data for these areas is normally available from the local law enforcement agencies on an annual basis and often maintain crimes similar to those in the Uniform Crime Report. Larger areas may also be considered in the crime analysis. These areas include cities and counties, states, metropolitan statistical areas, and the nation, and they are all included in the UCR. The advantage to these geographic areas is that population data is available; however, their sheer size creates a disadvantage.
City/County City and county crime data is available from the Uniform Crime Report and encompasses crime information for an entire law enforcement jurisdiction. County data includes only the crime statistics for rural (unincorporated) areas and not the information for cities within the county.
Metropolitan Statistical Area (MSA) Another geographic area created purely for crime statistical purposes, metropolitan statistical areas account for approximately 76 percent of the total U.S. population. MSAs consist of core cities of over 50,000 people and the surrounding suburban regions.
State Similar to city and county data, state data can be found in the Uniform Crime Report and includes crime information for the entire state. This level of analysis details crime statistics for individual states and is often available from a state law enforcement agency.
Nation Crime statistics for the nation are primarily available through the Uniform Crime Report program, via actual crime information and estimations for the occasional law enforcement jurisdictions that are not involved in the program. While larger geographic areas are easier to analyze owing in large part to the availability of crime statistics, crime at each facility tells the more accurate story.
Methodology The best method for learning the true risk at a facility is to analyze internal security reports and verified police data using a computer spreadsheet appli-
72
Strategic Security Management
cation or database software program. Once this information is in a usable format, a number of basic and advanced statistical analyses can be performed. The security decision maker will adapt the analysis to best meet the needs of his or her organization. Whereas some security professionals prefer highly detailed charting and graphing functions, others prefer to view the raw numbers. Either way is fine as long as the security professional is comfortable and able to disseminate the information to those who need the data. Among the statistical tools available to the security decision maker are crime-specific analysis, modus operandi analysis, crime rate ranking, forecasting, temporal analysis, spatial analysis, and pattern analysis. The crime analysis methodology outlined below has been tested in the courts and in private organizations, is based on a logical foundation, and provides useful information for a security decision maker. By no means is the methodology limited to what is described, for security professionals may for the most part find that the information requires customization to meet company needs. Whatever the case, this methodology provides the cornerstone from which a more comprehensive analysis can be built when necessary. Whatever methodology is utilized in crime analysis, it should at minimum coincide with case law on issues of foreseeability so that claims of negligent security can be negated. Most states use crime data to determine if crime was foreseeable (predictable) and if management is on notice of crime. If management is found to be on notice of crime in the area or on the property, they normally have a duty to protect their invitees (customers, employees, etc.) against it. Although a foreseeability analysis is a good place to start the process of crime analysis, it certainly need not be the end. To be proactive, security decision makers require more data analysis in order to efficiently track security deficiencies and deploy more effective security measures. Courts have typically accepted two to five years of historical crime data in premises liability lawsuits, while for security purposes, recommending three years of crime data. At this point, the Calls for Service and corresponding offense reports should have been requested and received from the law enforcement agencies and in-house security reports will have been incorporated into the database or spreadsheet application. Altough crime analysis can be conducted using paper and pen, software applications are recommended as they permit quicker data entry, sorting, and analysis of the data. Software application also allows users to easily create graphs, charts, and maps. A typical spreadsheet will start with keying in basic elements from the CFS and offense reports, including
Site (address and/or site number) Reported Crime—This information is located on the CFS sheets and may also be listed in the offense report. UCR Code—Since most police departments do not include this code, this may be inserted later.
Crime Analysis
73
UCR Description/Actual Crime Committed—The first page of the offense report will normally have the final crime classification. Date—This is the date on which the crime occurred, not the date reported. Time—This is the time at which the crime occurred, not the time reported. Day of Week—This may be inserted manually if it is not listed on the offense report. Offense Report (or Incident) Number—This is listed on the offense report. Crime Location—This is a description for advanced analysis and may not be known or gleaned from the offense reports. As mentioned earlier, in reviewing a crime scene location, it is often important to determine whether the crime was internally or externally generated.
Since most law enforcement agencies use different offense report forms, at first it may be difficult to ascertain each of the elements that are to be included in the database. However, given some practice with each law enforcement agency’s forms, the process becomes rather routine. Once all the information from the offense reports has been entered, security report information can be added, with caution taken not to duplicate entries from the offense reports. Additional codes may be created for incidents of concern to management that are not included in the UCR coding system. The crime analysis format should be versatile and expandable so that when new data becomes available or when management needs change, different types of analysis may be added. Once the data, including Calls for service, offense reports, and in-house security reports for the property has been assembled, it needs to be translated into a standardized set of codes that denote actual crimes. To ease comparisons, the UCR codification system should be used because it is simplistic and other data sets already use it. If anything other than UCR codes are provided, then the crimes must be transferred to UCR codes. This is required because police reports may differ in how they are worded or coded from the norm or from one another; to simplify matters, the UCR coding system is recommended because it includes a fairly complete listing of possible crimes, which will make analysis that much more complete. Using this main database, security decision makers can sort information by site, by type of crime, and by date, time, or day of week. The database will also allow the security decision maker to begin performing basic calculations such as totals for specific types of crime at each site and the average crimes per site. One may also be able to discern any patterns or trends in crime types or temporally (date, time, day). Another piece of data that should be entered on the spreadsheet is the site’s annual traffic level, which is generated from internal records. The traffic level
74
Strategic Security Management
will be used as the site’s population to calculate crime rates and trends. Traffic levels may also be calculated using transaction counts or other data that reflects the number of persons at a property. For example, at an apartment complex, they may use two residents per one-bedroom apartment unit and three residents per two-bedroom apartment unit. Thus, for a 100-unit apartment building that has 50 two-bedroom units and 50 one-bedroom units, the population of the apartment building would be 250 people: 2 people × 50 one bedroom units = 100 people + 3 people × 50 two bedroom units = 150 people = 250 people. Most security decision makers would add other people who are frequently on premises, including employees such as maintenance and leasing personnel. One large fast-food restaurant chain uses a standard number of customers per transaction based on historical records for the entire company. For every transaction, there are on average 2.1 people. Thus, if the restaurant has a daily transaction count of 4,000 transactions, they will have had 8,400 persons through the restaurant on that day. In an effort to take geographic variables into account, some companies use a different multiplier for each region or district. Although this is more accurate, the multiplier may be difficult to discern. Security decision makers should use whatever multiple is reasonable. Several different types of analysis make up a crime analysis as a whole. These include Temporal Analysis, Crime-Specific Analysis, Crime Rate Analysis, Spatial Analysis, Modus Operandi Analysis, and Forecasting. Each of these modes of analysis examines an aspect of crime’s impact at a facility, identifies crime patterns and trends, and indirectly points to security measures that are appropriate to counter the known risks.
Crime-Specific Analysis Although the FBI’s UCR coding system breaks crimes down into their specific legal elements, it is often beneficial to break crimes down into sublevels for security purposes. Crime-specific analysis focuses not only on the type of crimes committed at a facility by enumerating the amount of crimes such as robberies and assaults, but also on whether the robbery victim was a business or an individual. Further specificity aids management in knowing the specific type of problem, to what degree it exists, and indirectly what specific crime prevention measures can be used to reduce the opportunity for those problems, if not eradicate them completely. Another benefit of this type of analysis is that a breakdown by crime will help to indicate whether the asset targeted was a person or property, whether the crime was violent or not, the resulting
Crime Analysis
75
loss or damage to that particular target, and the implications of that loss or damage. As already mentioned, this data should be coded in compliance with the FBI’s Uniform Crime Report system for ease of comparison among properties and to create uniformity among the data sets. However, further information may be included beyond the UCR code and description, including victim type, asset targeted, and location of crime.
Crime Rate Analysis Crime rates, like most statistics, exist to actively represent events that have transpired or to extend that number to forecast future occurrences. Within crime analysis, crime rates assess a property’s risk of violent and property crime victimization. The calculation of crime rate is fairly uncomplicated and requires little more than two pieces of data—a management-derived figure and a figure gleaned from the crime statistics. Simply stated, the violent crime rate is calculated by dividing the number of crimes by the traffic level and then multiplying by 1,000—the number commonly used to compare crime rates across the various levels of geographic analysis. In contrast, for property crime rates, the number of property targets is used as the denominator. Most calculations of crime rates are not estimates of crime risk because inappropriate measures of the crime opportunities (targets) are used for the denominator in the calculations. For example, burglary rates are calculated by dividing the number of burglary events by the population of the area being studied. The appropriate denominator is the number of buildings in the area. Crime rates should be calculated using the number of targets as the denominator. In other words, for crimes against persons, the denominator should be the number of persons. For crimes against properties, the denominator should be the number of items under consideration. Crime rates are one of the best methods for comparing crime at various facilities. They should be used whenever possible because they offer the most accurate reflection of crime at a site by taking not only the crime level into account, but also the traffic level. By utilizing the population and transaction counts discussed above, a security decision maker is able to make apples-toapples comparisons of facilities under his or her control to similar businesses in the area, as well as to larger geographic areas such as the city in which the facility is situated. Comparisons may also be made to other geographic areas for which crime statistics are available including census tracts, police beats, MSAs, states, and the nation as a whole. Again, it is important to note that the larger the geographic area, the less relevant the comparison. Crime analysis emphasizes the smallest geographic area possible, the property level. Crime rates are calculated using the following formula: Violent Crime Rate (VCR) = (Total Violent Crime/Population) × 1,000
Table 4-1 Spreadsheet with Victim, Location, Comment. Offense Report #
10 70 10 90 20 70 10 70 20 10 10 50 40 50 50 40 20 90 60 20 10 90 30 80 50 10 70 20 30 40 60 80 40 10 10 70
1 2 2 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3
Crime Type
Date
Time
Location
Victim
Comments
Murder Rape Rape Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery Robbery
Tuesday, July 27, 2004 Thursday, January 01, 2004 Tuesday, July 12, 2005 Wednesday, January 07, 2004 Wednesday, March 10, 2004 Sunday, January 23, 2005 Thursday, March 24, 2005 Tuesday, July 12, 2005 Friday, October 28, 2005 Friday, December 09, 2005 Wednesday, February 04, 2004 Monday, May 10, 2004 Sunday, June 20, 2004 Tuesday, December 07, 2004 Friday, July 22, 2005 Friday, August 26, 2005 Thursday, September 22, 2005 Friday, October 07, 2005 Friday, August 20, 2004 Sunday, February 01, 2004 Sunday, March 07, 2004 Tuesday, May 18, 2004 Sunday, June 13, 2004 Tuesday, July 06, 2004 Wednesday, September 29, 2004 Saturday, October 02, 2004 Monday, October 18, 2004 Friday, November 12, 2004 Tuesday, December 21, 2004 Sunday, February 06, 2005 Thursday, March 24, 2005 Friday, April 29, 2005 Thursday, July 14, 2005 Thursday, September 22, 2005 Wednesday, November 30, 2005 Monday, December 19, 2005
8:06 8:00 23:58 7:07 9:32 15:25 22:51 14:18 15:59 5:34 22:00 19:14 16:45 14:08 19:07 15:24 20:35 7:23 10:00 4:45 12:22 22:00 20:05 7:07 19:05 0:30 8:28 12:05 9:32 16:44 14:16 18:41 17:00 10:00 9:32 23:17
Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Inside Outside Inside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside Outside
Person Person Person Person Person Person Person Person Person Person Person Person Person Business Business Person Person Person Person Person Person Person Person Person Person Person Person Person Person Person Person Person Person Person Person Person
Aggravated Robbery Interpersonal Interpersonal Aggravated Robbery Aggravated Robbery Aggravated Robbery Aggravated Robbery Aggravated Robbery Aggravated Robbery Aggravated Robbery Car Jacking Car Jacking Car Jacking Car Jacking Car Jacking Car Jacking Car Jacking Car Jacking Interpersonal Purse Snatching Purse Snatching Purse Snatching Purse Snatching Purse Snatching Purse Snatching Purse Snatching Purse Snatching Purse Snatching Purse Snatching Purse Snatching Purse Snatching Purse Snatching Purse Snatching Purse Snatching Purse Snatching Purse Snatching
Strategic Security Management
Crime Type ID
76
2004-00568 2004-00001 2005-05795 2004-00025 2004-00193 2005-00027 2005-00110 2005-00234 2005-00464 2005-00531 2004-00095 2004-00356 2004-00457 2004-00862 2005-00253 2005-00317 2005-00360 2005-00407 2004-00630 2004-00089 2004-00168 2004-00371 2004-00442 2004-00494 2004-00726 2004-00729 2004-00756 2004-00811 2004-00905 2005-00045 2005-00112 2005-00158 2005-00236 2005-00361 2005-00512 2005-00552
Site ID
Crime Analysis
77
Note that the crime rate refers to violent crimes, which have an easily countable target via the site’s traffic level (population). Other crimes, such as auto theft, will have calculable crime rates if the target count is available. For example, the auto theft crime rate can be figured using the auto theft level and the annual number of vehicles on the property (traffic level). Thus, with 17 auto thefts and an average of 3,500 cars per day last year, our auto theft rate is 4.86 per 1,000 autos: Auto Theft Rate = (Total Auto Theft/Population) × 1,000 Auto Theft Rate = (17/3,500) × 1,000 Auto Theft Rate = (0.00486) × 1,000 Auto Theft Rate = 4.86 Using this formula for each site allows us to accurately compare risk levels at different sites. This formula may be applied to each year of the crime analysis to formulate trends and patterns over time, which are easily discernible when graphed. Burglary rates are calculated by dividing the number of burglary events by the number of targets. In a large apartment community with 2,000 units and 5,000 residents, the appropriate denominator for calculating the property crime rate is 2,000, while the denominator for calculating the violent crime rate is 5,000. Taking this example further, if the community experienced 25 violent crimes and 200 property crimes during the preceding year, the violent crime rate is 0.005 [(25/5,000)*1,000], while the property crime rate is 100 [(200/2,000)*1,000]. Simply stated, for crimes against persons, the denominator should be the number of persons. For crimes against properties, the denominator should be the number of properties.
Temporal Analysis Various methods for understanding a facility’s crime peaks and valleys are available to the security manager. Temporal analysis, or the analysis of time, is among the most effective tools for allocating security resources. Patterns can be considered, including time of day, day of week, week of month, seasonal trends, and, at the extreme, crime trends during full moons. If there is historical evidence that particular crimes occur during certain periods, security can focus on additional crime defense measures during those time periods. Deploying security measures during periods of high crimes can save the security department money and generate cost avoidances that can be used in calculating Return on Investment. Temporal analysis is the consideration of time periods when crimes occur. It allows the security decision maker to effectively allocate scarce security resources during peak crime periods. Although other security practices can be adjusted and modified based on temporal analysis, its most common use is in the efficient scheduling of security and protective force personnel.
78
Strategic Security Management
Figure 4-8. Crime Rate Graph. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
The temporal factors of crime may be analyzed in many ways, including time of day, day of week, quarter, and seasonal trend. When a temporal pattern exists, we can deploy resources during the peak times to block the opportunities for crimes. Temporal analysis can significantly cut down the cost of a security force.
Spatial Analysis Crime analysis focuses on wheredunit rather than whodunit—that is, where the crime occurred rather than an offender-specific crime analysis. Spatial analysis is another critical kind of analysis that helps deploy security resources efficiently by assessing the location of crime within the facility. For larger properties, spatial analysis can be very useful, but even for smaller facilities, an understanding of whether crimes are occurring inside the facility or outside in common areas such as parking lots can be beneficial in selecting countermeasures. Hot spot analysis is a form of spatial analysis in which hot spots are small places in which crime occurs so frequently that it is highly predictable. Hot spots are identified using clustering—that is, repeat events or crimes at the same place.
Crime Analysis
79
Figure 4-9. Site Summary Temporal Analysis. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com. Specifically where does the problem stem from? Through what door did an intruder enter the property? At what point did an attack take place between the building exit and the parking garage? Around what certain corner was an attacker hiding before perpetrating the crime?
80
Strategic Security Management
Figure 4-9. Continued
Figure 4-10. Temporal Analysis by Day of Week. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
Crime Analysis
81
Knowing the answers to these questions can help determine the nature of defenses that are at the security team’s disposal. For example, if the security decision maker of an office building realizes that the parking garage is the paramount source of crime, emphasizing security for the suites inside the building would certainly do little to address the problem at hand. Spatial analysis focuses on specific targets within the property and the security measures that were penetrated. For example, if a crime pattern has been established at a particular location within the facility, the security decision maker can review the security measures currently in place as well as the access points to that area and mark them for improvement by way of personnel, physical measures, or simple policy and procedure changes. Spatial analysis is aided by facility blueprints and other schematics of the site to help pinpoint crime scenes. If the security decision maker finds that a number of crimes are clustering in the same location, he can then look to see what opportunity there is for crime to occur there and he can attempt to block the incidents in the future.
Modus Operandi Analysis Modus operandi, a term commonly heard in television crime dramas, refers to the method of operation, or MO, used by a criminal perpetrator. Crime profilers often use the term signature when referring to a criminal’s modus operandi. Dependent on the availability of details culled from in-house security reports, offense reports, or interviews with victims, witnesses, and offenders, MO analysis determines an offender’s criminal tactics that separate their crimes from those of other criminals. From modus operandi analysis, certain crime features become known. Some crimes such as purse snatchings on days when people are to be paid from their jobs might make sense when one considers what has been learned about rational choice theory and routine activity theory, or that home burglaries tend to occur when the home is unattended or that shoplifting tends to occur more frequently when a business is sparsely staffed. If such a fact in a given area is known and known enough by criminals, then the seed of criminal activity can be planted and come to fruition when such times arrive. Such occurrences happen for a reason.
Forecasting Forecasting is a useful crime analysis technique that allows the security decision maker to mathematically project future crime by using the facility’s crime history. Forecasting can project specific crime concerns as well as the times, days, and locations of these future crimes. For forecasting to be accurate, larger samples of data are beneficial, typically at least three years of data. The larger the database, the more accurate the forecasts are.
82
Strategic Security Management
Table 4-2 Forecast. Site ID
Crime Type
10 10 10 10
01—Murder 02—Rape 03—Robbery 04—Aggravated Assault 05—Burglary 06—Theft 07—Auto Theft 08—Arson
10 10 10 10
Min (68% confidence level)
Max (68% confidence level)
Min (95% confidence level)
Max (95% confidence level)
0 1 5 1
0 1 7 1
0 0 4 1
1 2 8 1
0 14 15 0
0 20 21 0
0 11 12 0
0 23 24 0
Once the various statistical analyses are complete, the security decision maker finds him- or herself well equipped to make decisions about future allocations of security resources. The crime analysis results should be disseminated among as many departments in the company as feasible to obtain feedback and possible solutions. Most importantly, the information should be distributed to line security officers and supervisors so that they are aware of the threats and can work toward reducing the opportunity of these crimes. Obviously, the information should be as specific as possible to enhance the detection and protection function with which the security force is charged.
Return on Security Investment (ROSI) In today’s corporate environment, it is important for all departments to show bang for the buck. This philosophy applies to the security organization all too much, for often its budget is among the first to be cut. Showing a return on investment simply means that security measures are either paying for themselves or, better, adding to the bottom line. Return on Security Investment is important because it helps the security decision maker justify costs and obtain future budget monies. Some security programs will not pay for themselves, whereas others actually become a profit center. For example, crime analysis almost always pays for itself because it helps the security decision maker select the most appropriate security solutions for specific problems and efficiently deploy the resources. Without it, the effective security decision maker has little to guide him toward effective, adequate, and reasonable solutions. It is more difficult for more expensive countermeasures such as CCTV systems and personnel to show return on investment. Over the long run, however, these measures become relatively inexpensive when compared to the financial turmoil that can occur from even just one indefensible claim of negligent security.
Crime Analysis
83
A recent case study published by the American Society for Industrial Security International in Volume 6 of its Security Business Practices Reference discussed a retail company that was able to generate a 7 percent savings on its projected security budget using crime analysis. In order to select and deploy appropriate security measures, the retailer outsourced its crime analysis needs to the author’s security consulting firm. Using the crime data generated for each of its stores, the retailer expanded its risk model from internal security reports only to include the police crime information in assessing the threat level at each of the company’s retail stores. Since the company’s retail stores cater to a diverse group of people and are normally the anchor store in strip centers, a lot of the crimes reported from each store did not actually occur at the facility. Offense reports were used to verify all violent crimes in order to ensure that only those crimes that actually occurred at the property and occurred as reported were included in the database. The security department utilized a crime analysis software application to analyze the databases of crime data for each of its stores. The database includes the time and date of each crime and the specific nature of the crime that occurred. The software allows the department to quickly determine where the violent crimes occurred on the property and to identify the victim. With this information, the security personnel are able to determine not only whether a store is high, medium, or low risk, but also who is being targeted, customers or the store itself. With this specific information, the security department can deploy appropriate security measures to reduce the risk at each store specifically. By the end of their first year with this new program, the security department was able to realize a sizable return on investment. Based on the company’s 300 stores, an annual savings, or cost avoidance, of $9.2 million was gained in the first year after implementation. This savings reflect a number of changes to the security program, but primarily constitute the redeployment of security personnel during higher risk times. Prior to this new program, security personnel were used haphazardly with no regard for actual risk levels. Although this example is tangible, most savings in the business of security are intangible and not as easy to assess quantitatively. One of these categories is the savings generated by reducing crime and thus the avoidance of securityrelated litigation. Regardless of a security measure’s ability to be quantitatively assessed, security decision makers should strive to calculate a return on security investment.
This page intentionally left blank
Chapter 5
Vulnerability Assessments
In this chapter . . .
Definition Vulnerability Assessments Scope of Vulnerability Assessments The Vulnerability Assessment Team Asset-Based and Scenario-Based Vulnerability Assessments Vulnerability Assessment Steps Vulnerability Rating Scale The Security Survey Report The Vulnerability Assessment Report
TAG's Risk Assessment Process® Asset Identification
Policies & Procedures
Current Security Measures
Physical Security
Security Personnel
Threat Assessment
Crime Analysis
Vulnerability Assessment
Risk Assessment
Cost Benefit Analysis
Report and Recommendations
Figure 5-1. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
85
86
Strategic Security Management
Definition In simple terms, vulnerabilities are opportunities. More precisely, they are weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. Vulnerabilities include structural, procedural, electronic, human, and other elements that provide opportunities to attack assets. Vulnerabilities can be categorized as physical, technical, or operational. Physical vulnerabilities may include structural characteristics of the facility, accessibility by outsiders, geographic location of facility and location of assets within the facility, strength of access control measures, and illumination levels. Technical vulnerabilities may include equipment properties, network weaknesses, susceptibility to eavesdropping and other electronic surveillance, effectiveness of locks, and type and number of cameras. Operational vulnerabilities may include policies, procedures, practices, and personnel actions and behavior. A vulnerability assessment, sometimes referred to as a security vulnerability assessment, is an analysis of security weaknesses and opportunities for adversarial exploitation in one or more of the preceding categories. The fundamental method for assessing vulnerabilities is the security survey, which is a tool for collecting information about the facility. The goal of a vulnerability assessment is to identify and block opportunities for attacks against assets. By effectively blocking opportunities, security decision makers can mitigate threats and reduce risk.
Vulnerability Assessments A vulnerability assessment is a systematic approach used to assess a facility’s security posture and analyze the effectiveness of the existing security program at the facility. The basic process of a vulnerability assessment first determines what assets are in need of protection by the facility’s security program, then identifies the protection measures already in place to secure those assets and what gaps in protection exist. Finally, the assessment measures the security program’s effectiveness against valid security metrics and provides recommendations to security decision makers for improvements. In essence, the vulnerability assessment assists security decision makers in determining the need for additional security measures, security equipment upgrades, changes in policies and procedures, and manpower needs. Vulnerability assessments identify security weaknesses that can be exploited by an adversary to gain access to the organization’s assets. For example, a vulnerability assessment may reveal gaps in security in an investment bank’s financial management system; security weaknesses that limit the ability of a nursing home to protect its residents; or security gaps in a national monument’s visitor management process. The goal of vulnerability assessments is to ensure life safety, protect assets, and promote continuity of operations. The driving forces
Vulnerability Assessments
87
behind vulnerability assessments include new legislation, revised threat assessments with new or emerging threats, increased criticality of assets, concern for continuity of operations, and newly recognized vulnerabilities. A comprehensive vulnerability assessment affords security decision makers and facility management personnel the opportunity to make future planning decisions based on an acceptable methodology that can be used for budget considerations, capital expenditures, personnel allocation, and procedural guidelines. The vulnerability of an asset is determined by the potential weaknesses in operational processes and procedures, physical security weaknesses, and technical gaps that can be exploited to attack an asset. Vulnerability assessments are used to identify these weaknesses by way of a security survey. To paraphrase noted author Charles A. Sennewald, a security survey is a fact-finding process whereby the assessment team gathers data that reflects the who, what, how, where, when, and why of an organization’s existing operation and facility. The purpose of a security survey is to measure the vulnerabilities at a facility or of specific assets by determining what opportunities exist to exploit current security policies and procedures, physical security equipment, and security personnel. The outcome of a security survey is a report, normally written, that outlines a series of solutions that, if implemented, will reduce the short-term and long-term opportunities at a facility. Security surveys are designed to meet the unique needs of a facility or type of facility. For example, one may use a security survey designed for a maritime port facility for other port facilities, but a maritime port facility security survey will not likely meet the needs of an office building. Even within similar-type facilities, unique characteristics must be considered and included in the security survey. Security surveys are simply questions and checklists that the assessment team must complete during off-site preparations and on-site inspections of the facility. Surveys may range from a few basic questions to highly detailed lists comprising thousands of questions. A typical security survey contains general information about a site and evaluates the geographic characteristics of the facility, physical layout of the facility and its unique characteristics, security and other personnel, operational requirements, security equipment capability and deployment schedules, and threats and other incidents that impact security. General information normally captured in a security survey includes:
Vulnerability Assessment Team (identify by name and title) Date Name of Facility/Site Emergency Contacts and Telephone Numbers Law Enforcement Jurisdiction (agency name, address, and phone number) Main Facility Telephone Numbers Site Address
88
Strategic Security Management
Site Description General Purpose of Site Open to Public Normal Operating Hours High Activity Use (hours/days) Other Tenants or Users of the Site Individuals Who Have Access to Critical Areas Location of Critical Assets within the Facility Known Vulnerabilities
Scope of Vulnerability Assessments The scope of a vulnerability assessment depends on the goal of the security team. Some assessments are geared toward protecting only the most critical assets, such as an assessment that emphasizes only the reduction of violent crime opportunities to protect people at the facility. Other vulnerability assessments emphasize the full range of opportunity-reduction strategies for all critical assets and lesser assets. One may wonder why there is a difference in scope among vulnerability assessments. Normally, a truncated scope is in reaction to a particular threat or the identification of a new critical asset. Sometimes, a limited scope vulnerability assessment is the result of a need coupled with finite resources, typically time and money. Independent security consultants face this often where management identifies a need for a vulnerability assessment based on a new threat and has limited funds in which to execute the assessment. The threat assessment, for example, which is normally conducted prior to the vulnerability assessment, may have identified and prioritized threats, and these high-ranking threats serve as the scope of the vulnerability assessment. Simply prioritizing threats will lead to a limited scope assessment. For example, a hospital that operates one main facility and several medical clinics off campus may decide to pursue the primary, most attractive target first and leave the other facilities for another budget cycle. Regardless of the range of the scope, the assessment team often uses a written mission statement to guide the vulnerability assessment. This statement identifies the stakeholders and outlines the assessment’s objectives. The stakeholders include the company that owns the facility, the organization’s employees, the people who frequent the facility, possibly the community at large, and possibly all of society. The mission statement identifies the key issues that are of interest to the stakeholders. A sample mission statement for a hospital vulnerability assessment may be: To perform a vulnerability assessment that identifies security vulnerabilities, opportunities for security breaches, and hazards on the hospital’s premises that can adversely affect the employees, visitors, and patients of the hospital.
Vulnerability Assessments
89
Key to the vulnerability assessment is project management. The vulnerability assessment team leader is best suited to take on the role of project manager. Project management includes defining the scope of the assessment, refining the security survey for the unique needs of the facility, and determining a project work plan, time line, and milestones. The project manager should also define the role of each assessment team member and arrange for all resources needed for the assessment, such as light meters, facility access, and measuring tape.
The Vulnerability Assessment Team An important quality for the vulnerability assessment team is the ability to think like an adversary. When conducting the assessment, the assessment team should consider three focal points: how an adversary can carry out a specific type of attack against a specific asset or group of assets; how effective existing security measures are in deterring, detecting, and delaying the specific attack; and the current level of vulnerability. This last item should have either a quantitative or qualitative value assigned. The attack modes considered will have been developed during the threat assessment and are used in conjunction with targeted asset lists to assess vulnerabilities based on predetermined performance metrics or against accepted security guidelines. The assessment team should include not only security personnel, but also personnel intimately familiar with the facility under assessment and specialists as needed by the facility. The project manager should be familiar with various assessment methodologies unless a particular methodology must be followed. For example, Sandia National Laboratories Risk Assessment Methodology for Water Systems (RAM-W) may be required by the facility. The team should also include experts or specialists as needed. Blast analysis specialists and structural engineers, for example, may be needed for a water system or dam. Of primary consideration to be included on the team are people with precise knowledge of the processes and procedures that occur on the facility as they relate to critical assets. Depending on the nature of the vulnerability assessment, a team may consist of as few as one person or its size may range much higher. Typically, the assessment team is made up of three to eight people. On smaller teams, the project manager’s role is often shared by a general security management person, while other roles may include a technical security professional and a person familiar with the facility. Often, the assessment team includes external personnel such as consultants experienced in conducting assessments for various types of facilities and exposed to other security systems. One of the greatest advantages of an outside consulting firm is the range of security strategies they bring to the current vulnerability assessment. Having had experience in different and similar facilities and through the process of trial and error, security consultants usually have more experience than internal personnel in conducting vulnerability assessments.
90
Strategic Security Management
Asset-Based and Scenario-Based Vulnerability Assessments Vulnerability assessments tie assets to threats in an effort to identify potential vulnerabilities and countermeasures to reduce those vulnerabilities. The level of vulnerability of each asset and threat is evaluated using either an assetbased or a scenario-based assessment. Asset-based vulnerability assessments are broad evaluations of assets and the threats that impact those assets. For example, an asset-based assessment at a jewelry store will focus on the jewelry as the primary asset in need of protection and the threats that may impact on the jewelry. Asset-based assessments assume that every scenario cannot be imagined or that those that are imaginable are too speculative to consider. Scenario-based vulnerability assessments, on the other hand, focus on the attacks themselves. The scenario-based assessment evaluates vulnerability by asking how targets might be attacked. This type of assessment requires knowledgeable assessment team members who have an understanding of history and can foresee the methods used by adversaries in the future. While history is a primary indicator, not all future threats can be anticipated based on past attack modes. Certainly, the September 11 attacks are evidence of a new attack mode that was not anticipated, at least not by the masses, prior to 2001. Scenariobased assessments are advantageous in that they are better suited for assessing high-value assets and high-consequence attacks. Unfortunately, this advantage also creates a problem whereby lesser threats are ignored and security measures are not implemented. The scenario-based vulnerability assessment process includes the following six steps undertaken by the vulnerability assessment team: 1. 2. 3. 4.
Selects the scenario to evaluate. Studies the target’s (asset) characteristics. Evaluates certain types of adversaries and attack modes. Evaluates the likelihood of the existing security measure’s ability to deter, detect, or delay the attack. 5. Analyzes the consequences of the assets loss, damage, or destruction. 6. Assigns a vulnerability rating. The attack scenarios are normally selected by the vulnerability assessment team from the high-consequence alternatives. While the team’s goal is to be creative, the scenario must be sufficiently realistic. A fair assessment of the target’s attractiveness, from the adversary’s perspective, is critical to accurately evaluate the strengths and weaknesses of each asset. Although it is easy to theorize about well-trained, skilled, and properly equipped adversaries, the team should not create an infallible threat. History has shown repeatedly that adversaries
Vulnerability Assessments
91
make mistakes. The next step is to evaluate the likelihood that the existing security measure will deter, detect, or delay the attack. Typically, an outside-in approach is used whereby the assessment team identifies the outermost layer of protection and works its way inside toward the assets, passing through each protection layer in the same order in which an adversary would go. The training, skills, and equipment of the theoretical adversary should be considered as each protection layer is breached. Finally, the assessment team analyzes the consequences of loss, damage, or destruction of the assets and assigns a vulnerability rating. An example of a scenario-based vulnerability assessment is one where the assessment team selects a low-grade explosion outside a government building as an attack scenario. They postulate that the explosion occurs immediately outside the building during normal business hours. What are the characteristics of the building and its assets (employees and other people would be among the critical assets) that may contribute to the loss, damage, or destruction? How would an attacker detonate a bomb in close proximity to the building? Would any element of the current security system be able to deter, detect, or delay the attack? Would the closed circuit television (CCTV) system detect the adversaries? Is the CCTV system monitored with direct communications to the security response force? Would the building survive a low-grade explosive attack? As seen in this example, there is a downside to scenario-based assessments, in that these types of assessments force the team to focus on protecting against particular threats and possibly ignoring other threats. Nevertheless, both assetbased and scenario-based vulnerability assessments will result in a list of recommendations for changes to the security program.
Vulnerability Assessment Steps Like threat assessments, vulnerability assessments may be quantitative or qualitative depending on the nature of the assessment and the availability of metrics. In both scenario-based and asset-based vulnerability assessments, the general steps are as follows. 1. 2. 3. 4.
Identify assets in need of protection. Review historical security and incident information if available. Prepare a security survey. Identify existing security measures for each asset and determine the effectiveness of each measure individually or in combination with one another. 5. Assign a rating to each asset based on a quantitative or qualitative vulnerability rating scale. 6. Prepare a written report with recommendations for additional security measures or changes to the security program.
92
Strategic Security Management
Step 1 assumes that the vulnerability assessment is not being conducted as part of an overall risk assessment and therefore assets have not yet been identified. If the vulnerability assessment is being conducted as part of a risk assessment, then the asset information should be readily available to the assessment team. Step 2 also assumes that the vulnerability assessment is not being conducted as part of an overall risk assessment and therefore a threat assessment has not yet been conducted. If the threat assessment is already completed, reviewing the threat assessment report should indicate any vulnerabilities that adversaries have exploited in the past. For example, the threat assessment report indicates that security personnel have responded to an alarm generated from camera 7 repeatedly during the past year. The vulnerability assessment team determines that camera 7 surveys the right rear perimeter fencing of the facility. Upon inspection, the assessment team finds that the fencing in that area is in disrepair and is an older design relative to the fencing in the front of the facility. Step 3 of the vulnerability assessment is to prepare the security survey. There are many sources of security surveys, limited only by the assessment team’s creativity. Previous vulnerability assessments may also be refined, updated, and used for the current assessment. Numerous security books contain sample security surveys and various industry organizations that have developed surveys specific to their industry. Step 4 of the vulnerability assessment is to identify existing security measures for each asset and determine the effectiveness of each measure individually or in combination with one another. As the team assesses the facility, existing security measures designed to address known security gaps are identified and noted on site diagrams or blueprints. Depending on the nature of the facility and the type of security measures in place, the countermeasures may be tested and compared to established metrics and industry standards. One of the biggest mistakes a vulnerability assessment team makes is to assume that existing countermeasures are adequate and to counter the threat. Using performance testing, the team can determine whether the countermeasures are doing what they were designed to do, that is, reduce the vulnerabilities. Experienced assessment teams will analyze the facility from the adversary’s point of view rather than from the security decision maker’s perspective. What factors may deter the motivated offender? What paths might the attacker take into the facility? What tools will be required to defeat security measures? Will stealth or deceit be necessary? Will an insider be needed? Technical security people are also beneficial to the overall evaluation of existing security measures in that they will know the limitations of electronic measures. The vulnerability assessment team conducting an asset-based assessment will spend more time in the field assessing routes to assets, identifying points of detections, and determining lines of defense. The scenario-based assessment team will spend more time brainstorming and conducting table-top exercises in an effort to assess worst case attacks and consequences to the facility’s most critical assets.
Vulnerability Assessments
93
Step 5 requires that the vulnerability assessment team assign a vulnerability rating to each asset based on a quantitative or qualitative vulnerability rating scale. These scales are discussed in detail at the end of this chapter. For now, it is important to understand that each vulnerability is rated based on the assets value (qualitative or quantitative), the threat posed, and the security measure’s effectiveness in reducing the opportunity for vulnerability exploitation. The rating will also be dependent on the consequence of loss, damage, or destruction. For manufacturing-type facilities, this is measured in operational downtime and loss of revenue, both of which can be measured quantitatively. In step 6, the vulnerability assessment team prepares a written report summarizing the assessment and recommendations for additional security measures or changes to the security program to reduce the overall vulnerability level and the vulnerability level of specific assets. The report should also include a basic cost-benefit analysis outlining the reduced vulnerability level that may be achieved after implementing recommended security measures. Some of the factors the assessment team should consider in their report, especially for critical facilities, are
Facility population Structural integrity of facilities Land area of facility Distance to emergency services Redundant power supply Closed circuit television (CCTV) systems Intrusion detection systems Barriers External lighting Armed security personnel
Vulnerability Rating Scale Vulnerability ratings are based on the attractiveness of the target and the level of protection afforded those assets. The rating scale can be either quantitative or qualitative. Qualitative ratings are scaled by relative value to the organization’s mission. Quantitative ratings are based on life-cycle costs, including the actual value of the asset, replacement cost, operational costs, maintenance costs, and costs associated with time lost while the asset is replaced or repaired. A simple example will illustrate the point. If your personal car were to be stolen, the current value would be lost, plus the cost of purchasing a new car, plus the cost of transportation between the car’s loss and replacement.
94
Strategic Security Management
Qualitative Vulnerability Rating Scale An example of a qualitative vulnerability rating scale for facilities is as follows: Very High—A facility with attractive targets, a history of threats, inadequate security measures, and adversaries capable of exploiting the security weaknesses. An attack on this type of facility may include structural damage, operations may be severely hampered or completely stopped, and assets contained within the facility may be destroyed. High—A facility with attractive targets, no history of threats, inadequate security measures, and adversaries capable of exploiting the security weaknesses. An attack on this type of facility may include some structural damage, operations may be reduced to only the most critical, and assets contained within the facility may be destroyed. Moderate—A facility with attractive targets, no history of threats, adequate security measures, and no adversaries capable of exploiting the security weaknesses. An attack on this type of facility may affect normal operations with minimal downtime. Low—A facility with no attractive targets, no history of threats, and adequate security measures. An attack on this type of facility will cause minimal disruption to normal operations. Security Survey Areas for Hospitals General Information Organizational Issues General Security Visitor Management Security Force Policies and Procedures Emergency Management Human Resources Building Security Survey Perimeter Barriers and Controls Gate Security and Construction Vehicle Control and Perimeter Entry Point Access Clear Zones and Signage Building Exteriors Access Control Lock and Key Control Outdoor Lighting Closed Circuit Television (CCTV) Intrusion Alarms
Vulnerability Assessments
95
Patient Safety Emergency Center Infant/Patient Abduction Prevention Measures Medical Supply Storage Facilities Information Services (IS) Joint Commission on Accreditation of Healthcare Organizations Security Sensitive Areas Central Plant Cash Handling Parking Facilities General Access Control Personnel Lighting Physical Security Measures Crime Prevention Through Environmental Design (CPTED) Office Area Security Loading Docks
The Security Survey Report The security survey report is the result of an on-site review of the facility or an asset’s vulnerabilities and security measures. While the typical security survey report does not comprehensively address all facets of the vulnerability assessment, it does address the vulnerabilities and security measures, and provides recommendations. A typical security survey report includes general information about the facility, a review of critical assets, some form of threat assessment, an outline of existing security measures, a description of vulnerabilities, and recommendations for security changes. Noticeably absent from the preceding security survey report sections are the cost-benefit analysis and vulnerability ratings, which are not normally included in the security survey report. Depending on the scope of work, security consultants often use a letter format for their security survey reports. According to Sennewald and Vellani in Consultants as a Protection Resource, Protection of Assets Manual, 2004, “The scope of [the consultant’s] work refers to the central objective of the consulting task, or the clear focus of the effort.” A very limited scope consultant’s report is presented in Figure 5-3 and a large-scale risk assessment report is presented in the next chapter. The report in Figure 5-2 demonstrates a phased approach to vulnerability mitigation wherein certain elements of the security program are modified and new security measures are added. The effects of
96
Strategic Security Management
these measures are allowed to take place over a fixed period of time, and then the threat and vulnerability level are reassessed before implementing phase 2 recommendations. The time between assessments and deployment of the next phase may be very short or as much as one year. Report for a Limited Scope Security Survey October 26, 2002 James Buchanan, Director of Facilities & Safety Anytown Medical Center 14623 North Freeway Anytown, PA 15213 Re: Security Survey Dear Mr. Buchanan: Per your request, I have completed a security survey for Anytown Medical Center (AMC). The report is multi-phasic in that it recommends a number of relatively cost effective steps (Phase 1) that may reduce the opportunity for crime on the property with escalating measures (Phase 2) for persistent issues. Phase 1 issues should be addressed immediately and evaluated in a reasonable time after implementation. Phase 2 measures may be implemented in whole or in part as needed after evaluation of the effectiveness of Phase 1 measures. This report is based on the following: 1. Crime and Foreseeability Analysis (January 1, 2000 to December 31, 2002) 2. Meetings with management and security personnel to gather facts regarding the property 3. Day and night exterior security inspections 4. Parking Lot Lighting Survey 5. Crime Prevention Through Environmental Design (CPTED) analysis I have also reviewed the following documents relevant to this security survey: 1. 2. 3. 4. 5. 6.
Security Management Plan JCAHO Standards Site Diagrams AMC Security Incident Reporting for 2000, 2001, and 2002 AMC Security Department. Policies and Procedures Anytown Police Department (APD) crime records pertaining to 14623 North Freeway (January 1, 2000 through December 31, 2002)
General Information AMC is located in a hybrid commercial/residential area with low traffic on surrounding streets and high traffic along the main entrance adjacent to Interstate 10. There is an internal security manager and a facility manager responsible for security of the facility. Additionally, there are two unarmed (noncommissioned) security officers on duty 24 hours a day, 7 days per week except during the daytime hours when
Vulnerability Assessments
97
the security manager fills the role of one security officer. At times, there is additional security provided by police officers. Crime Analysis Internal security incident reporting for 2000, 2001, and 2002 indicates that the most common security issue is theft-related concerns, specifically auto theft, burglary of automobiles, and theft of property. An external crime analysis was conducted for the property for the dates January 1, 2000 through December 31, 2002. During this period, APD records indicate that no murders occurred on the property. The records also indicate that 12 violent crimes were reported from the address, including 1 rape, 3 robberies, and 12 aggravated assaults, with two of these occurring in 2002. For a detailed listing of crime, please review use the CrimeAnalysisTM software provided as a supplement to this report. Phase 1: Obtain official crime data (Calls for Service and offense reports) from the police department for the property annually. Phase 1: Review both internal security incident reporting and external crime records and make any appropriate security changes. Phase 2: Obtain official crime data (Calls for Service and offense reports) from the police department for the property every six months. Foreseeability Analysis No recent pattern or trend of violent crimes on the property would indicate any foreseeable violent crimes. Offense reports for the two violent crimes that were reported from the premises during 2002 indicate that they occurred on the road. Phase 1: Implement a system to notify employees and others of violent crimes on the property. Phase 1: Retain Security Daily Activity Reports (DARs), light check reports, and other security documentation for a period of five to seven years. Liability Analysis A security expert will likely attack the following possible security vulnerabilities: 1. 2. 3. 4.
No ongoing effort to monitor crime on the property (Crime Analysis attached) Lighting of the property (see “Lighting” below) Location of AMC in a “high-crime area” (subjective) Numerous hiding places due to high shrubs and fencing (see CPTED below)
Crime Prevention Meetings and Security Training Security training is provided to employees during orientation and annually thereafter. Phase 1: Continue this training and maintain logs of employees in attendance. Phase 1: Implement a program to provide training to security officers on an ongoing basis, including daily briefings, CPR, crisis intervention, workplace violence, refresher courses, and understanding of policies and procedures.
98
Strategic Security Management
Phase 2: Require that security officers undergo International Foundation for Protection Officers training and obtain certification of Certified Protection Officers (CPO) or similar training. Phase 2: Implement crime prevention meetings on a biannual basis to inform employees of current risks and protection measures, including personal protection. Internal Crime Thefts comprise the majority of incidents at the facility, according to both internal security incident reporting and external crime records. Phase 1: Institute a “Clean Desk Policy” that works toward reducing the opportunity for thefts of employee purses and other personal items. Crime Prevention Through Environmental Design (CPTED) CPTED is a security tool that manipulates the environment to reduce opportunities for crime. It includes the concepts of natural access control, natural surveillance, and territorial reinforcement to reduce crime opportunities. Phase 1: Install benches in the various open areas in front of the hospital for use by patients, employees, and visitors. This will create a sense of territoriality and allow surveillance of the parking areas and hospital entrances. Phase 1: Permanently seal parking lot entrances, keeping open only those that are necessary for effective traffic movement. Phase 1: Close unnecessary entrances at night. Phase 1: Trim back or remove trees to create more common space for patients, employees, and visitors to gather and “claim territory,” thereby showing wouldbe offenders that the area is “under surveillance.” Phase 1: Plant thorny shrubs near blind corners to deter use as a hiding place. Phase 1: Trim (or replace) shrubs that are not along a fence line to 3 feet. Phase 2: Install a security “shack” at the front of the main entrance. Access control Exterior doors, except the emergency room entrance, are locked at 2000 hours and checked by security officers during their patrols. A checklist is used during the patrols for both interior and exterior doors, ensuring that the doors are secure. Some of the doors are key controlled, while others have card key access. Phase 2: Install a uniform card key access system that also allows security officers to scan their card while they patrol. This system should allow “writing” to a main database that will allow analysis of who and when a certain card is scanned. Access is further limited to the property by various fences that form the perimeter of the property. These fences are generally in good repair; however, they are not security height (7 feet) with overhang, and there is no clear zone. Phase 2: Increase fence height to 7 feet with overhang. Security Personnel Two noncommissioned security officers are present on the premises 24 hours per day, 7 days per week. The weekday security force schedule is as follows:
99
Vulnerability Assessments
Personnel
Start
End
Security Security Security Security Security Security
0800 0700 1500 1600 2300 0000
1600 1500 2300 0000 0700 0800
Manager Officer Officer Officer Officer Officer
The weekend shifts are 0800 to 2000 and 2000 to 0800, with two officers on during each shift. The security force is equipped with a golf cart to patrol the grounds and a radio for communications. Phase 1: Do not, except under special circumstances, provide employee escorts, as it takes the security officer away from his duties. Phase 1: Provide reasonable supervision over the security officers. Phase 1: Security personnel should vigilantly inspect and scrutinize visitors, contractors, and other outsiders for possible security breaches. Phase 1: Ensure that security officers are following post orders. Phase 1: Replace burned out light bulbs each morning as reported in the security officer’s DAR. Phase 1: Include a program for periodic Quality Control inspections of security personnel. CCTV Analog closed circuit television is currently utilized at this facility. Phase 1: Install monitors in the security office, allowing for security officers and security managers to monitor the currently installed cameras. Phase 2: Install digital CCTV cameras in strategic locations outside the facility to monitor the parking areas, emergency room areas, and perimeter. Lighting The lighting is generally below standard for parking areas. There are many dark areas outside the facility, including shadows that may be used as cover for a criminal. Phase Phase Phase Phase
1: 1: 1: 1:
Include a nightly light check as part of the security officer’s patrol. Replace lights that are inoperable the following day. Increase lighting to 2.0 fc (foot-candle) in the parking areas. Increase lighting at entrances.
Policies and Procedures AMC has a written security management policy. Phase 1: Monitor that practice follows the written policies and procedures.
100
Strategic Security Management
Phase 1: Ensure that the policies and procedures are fluid in that they can be revised to meet future needs. Quality Control/Performance Monitoring Currently, all supervision is provided by internal management personnel. Phase 2: AMC should include monthly quality control inspections of security operations by an independent, third-party inspector to validate the effectiveness of the security force. Should you have any questions or if I can be of further service to AMC, please feel free to call me at (281) 494-1515. Thank you for the opportunity to serve AMC. Respectfully submitted, Karim H. Vellani, CPP, CSC Licensed and Certified Security Consultant
The Vulnerability Assessment Report The vulnerability assessment report is a critical component of the overall risk assessment and is used to document the assessment activity. While the report may be formatted to fit the needs of the organization under assessment, a typical vulnerability assessment report includes the following sections.
Table of Contents The table of contents is an often overlooked section of the vulnerability assessment report. Each major report section as well as subsection should be identified with its corresponding page number. A comprehensive table of contents is beneficial because an index is rarely included in a vulnerability assessment report.
Executive Summary The executive summary is an overview document used to provide a condensed version of the entire report. It is prepared to cover the highlights of the report for those decision makers who do not have the time to read the full report. Executive summaries tell the report’s audience what is significant within the report and what issues the decision-making readers must respond to. While covering each section of the full report, the executive summary should not be longer than 10 percent of the full report and are often much shorter and should be a stand-alone document. Generally speaking, the executive summary should cover the scope and objectives of the vulnerability assessment, team composition, vulnerability assessment methodology utilized, facility assessed, date(s) of
Vulnerability Assessments
101
assessment, threat assessment information, critical assets assessed, conclusions, and recommendations. The assessment team should take caution with the recommendations within the executive summary since this document does not typically include justifications for each recommendation.
Background The background section of a vulnerability assessment outlines the scope of the assessment, critical assets, and facility characterization, and provides an overview of the assessment methodology and process. A summary of the threat assessment report is also normally included. The vulnerability assessment team’s first on-site task should be to review the facility characterization resulting from the asset identification and threat assessment risk assessment steps. This is an important step to understand the facility, what assets specifically are in need of protection, and the threats posed to those assets. The facility characterization should include a concise description of the organization’s mission, the criticality of the facility under assessment, major functions and processes, and key staff used to ensure that the mission is carried out. Also included in the facility characterization are the geographic location, property boundaries, access points, physical and structural characteristics and condition, and significant features of the facility. Occupant information, traffic patterns, neighboring facilities, and community demographics also should be included. The facility characterization may also address supply chain and transportation information, regulatory and legal requirements that impact the facility, and security policies and procedures in effect. A savvy vulnerability assessment team, especially a team consisting of external personnel, will also seek to understand the organization’s mission so as not to trample on it. The facility characterization will include a review of facility blueprints, site diagrams, and floor plans; identification of property boundaries; location of authorized access points; and maps depicting facility ingress and egress paths. The characterization may also include a description of physical structures, traffic patterns, and neighboring facilities. Reviewing threat information during the facility characterization is advised. This information may come from interviews or from a formal threat assessment report. Internal security records, authorized users lists, and operational logs may also be reviewed. For purposes of understanding operational vulnerabilities, the assessment team should be aware of any differences during different operational shifts at the facility. This includes an awareness of normal activities and functions that occur during each shift as well as traffic levels of employees, contractors, and visitors. Finally, the facility characterization should include a list of critical assets as identified in step 1 (Asset Identification) of the risk assessment process and describe the operational consequences if those assets were to be lost, damaged, or destroyed.
102
Strategic Security Management
Blueprints, site diagrams, and floor plans should be reviewed during the facility characterization because they may be used to identify property borders, ingress and egress routes to the facility, specific vulnerable areas in and around the facility, adjacent facilities, physical structure locations, and features outside the facility such as railroads, waterways, interstate highways, and airports. The assessment methodology and process should include the various types of assessments conducted, including operational, structural, and procedural assessments. The operational assessment may outline the types and lengths of work shifts, activities typical to each shift, security implications, and availability of protection forces. The structural assessment methodology should describe how physical structures were assessed. For example, what type of materials make up the roof, walls, windows, floors, and foundation? How are the heating, ventilation, and air conditioning (HVAC), sewage, and water systems secured? A procedural assessment describes the processes and procedures in place at the facility. This includes the access control procedures for employees, contractors, and other visitors such as delivery people and vendors. How are hazardous materials transported into, out of, and inside the facility? How are vehicles inspected while entering and leaving the facility?
Assessment Overview and Process The assessment overview and process section describes the facility’s critical functions, significant threats, and documentation available. The primary goal of this section of the vulnerability assessment report is to detail comprehensively the major vulnerabilities at the facility. Of primary concern is the functionality of the physical protection system. Typical physical security measures will depend on the nature of the facility. However, many physical security measures are common across various applications. For example, fencing is appropriate at most facilities, even in open campuses such as universities where certain facilities may be fenced. The vulnerability assessment team should identify each component of the physical security system and decide what level of effectiveness is required for the facility and what risks management is willing to accept. Why would the team even consider anything less than maximum effectiveness? No physical security system can maintain maximum effectiveness. Documenting the assumed risks is part of the team’s due diligence effort. The effectiveness level of a physical protection system (PPS) is a factor in its ability to deter potential adversaries, detect those that are not deterred, and delay adversaries until the protection force can respond. Each of these functions should be built into the physical protection system, performed in order, and take less time to activate than it takes for the adversary to reach its intended target. An effective physical protection system provides protection in depth, with multiple layers of security that force the adversary to defeat each layer in
Vulnerability Assessments
103
order, minimize the consequences of individual component failure by having redundancy, and exhibit balanced protection no matter which path of attack the adversary chooses. As discussed earlier, the first function of a physical protection system is to deter the potential adversary. Deterrence is a security strategy designed to discourage adversaries by increasing the risks to the adversary, promoting a sense of security, and instilling doubt on behalf of an adversary. Failing an ability to deter a would-be adversary, the physical protection system should detect the presence of the adversary. Detection is a security strategy designed to assess the threat and alert security personnel of an adversary’s presence. Cameras and sensors are examples of detection measures. Once the adversary has been detected, the physical protection system should delay the adversary from meeting its objectives until the protection force can respond to neutralize or defeat the adversary. Delay, then, is a security strategy designed to slow the progression of adversaries into or out of the facility, and defeat is another security strategy designed to neutralize adversaries before an asset is lost, damaged, or destroyed. Barriers are an example of a delay measure. The physical protection system model described applies to most protection situations, from Fort Knox to home defense. Here again, it is important to note that a common mistake made during the vulnerability assessment is to assume that existing countermeasures are adequate in effectively countering the threat and reducing vulnerabilities. The use of security metrics is helpful in determining whether the system is optimally configured and deployed. Vulnerability of the physical protection system can be both quantitatively and qualitatively measured depending on the nature of the component. False alarm rates (FAR) and nuisance alarm rates (NAR) can be measured quantitatively and compared against industry metrics. Protection force response times can also be measured quantitatively and benchmarked against average response times for different types of threat levels. The vulnerability assessment team should address each physical protection system area separately beginning with deterrence measures. Among the more common deterrence measures are highly visible, uniformed security personnel, lighting, signage, and other countermeasures such as fencing and natural barriers that may intimidate adversaries and tip the risk-reward balance in favor of security. Detection measures present in the physical protection system should be addressed next. Detection security measures should be located throughout the facility but primarily at the perimeter to increase the time between detection and the security force’s response. These measures include both interior and exterior intrusion detection systems, as well as their individual components such as sensors, closed circuit television systems, and clear zones. Among the questions that the vulnerability assessment team should be asking during the security survey are:
104
Strategic Security Management
What is the key control process? How are packages screened prior to entry into the facility? Are X-ray machines and magnetometers used, or are people and packages screened visually? What access control measures are in place to allow entry to only authorized personnel? Are there multiple entry points? Are vehicles screened when leaving sensitive areas? Are perimeter intrusion detection measures such as sensors operating properly? Do environmental factors, such as terrain and weather, negatively impact the ability of sensors to detect intrusion? Have any past attempts to penetrate the facility’s access control systems been successful? Is the physical protection system adequately assessing alarms? Are the false alarm and nuisance alarm rates at a minimum? Are cameras able to adequately detect unauthorized entry at all points around the perimeter? Are CCTV systems monitored by security personnel or electronic means? Are intrusion detection systems, CCTV, and other electronic measures monitored on- or off-site? Are all CCTV components (switching equipment, video monitors, transmission lines) working as designed? Are lighting systems fully functional? Do lighting systems meet the various codes and standards such as the Illuminating Engineering Society of North America’s Guideline for Security Lighting for People, Property, and Public Spaces (IESNA G-1-03)?
The list can go on ad infinitum, but suffice it to say that the security survey items should be comprehensive to meet the facility’s needs and the assets in need of protection. Delay, as we have discussed, is a security strategy designed to slow the progression of adversaries into or out of the facility. Delay comes into play after detection measures have signaled an actual intrusion, effectively blocking out false alarms, and the protection force has been notified. The response team may or may not be located on site. For example, low-security facilities, such as office buildings, may not have a response team on site, but rather may have a team on roving patrol for numerous facilities. Regardless of where the protection
Vulnerability Assessments
105
force is located, the delay security measures should slow the progression of the adversary toward its intended target, allowing enough time for the protection force to arrive and neutralize the threat. Delay measures include locks, doors, walls, fences, and barriers. The United States Army has published numerous penetration times relating to different types of delay measures, and depending on the type of facility under assessment, these standards should be consulted. The protection force is probably the most difficult security measure to address in the vulnerability assessment. Depending on the nature of the facility, there may not be a traditional protection force, but rather designated personnel responsible for responding to distress and alarm signals. The key factor to assess is response times, which is an excellent security metric that the vulnerability assessment team should monitor and evaluate during the vulnerability assessment. On-site personnel responsible for security should also constantly monitor response times to ensure that the protection team is operating at an optimum level. The protection forces should also be evaluated for appropriate equipment and training on any prescribed equipment. Protection force equipment includes communication devices, vehicles, firearms and other weapons, incident reporting mechanisms, personal protection equipment, and so on. The vulnerability assessment team should also evaluate policies and post orders, especially those relating to the use of force. Patrol records and daily activity reports (DARs) can shed light on protection force effectiveness.
Conclusions The conclusion section of the vulnerability assessment report is used to summarize the vulnerabilities and provide the reader with the vulnerability ratings. The vulnerability ratings may be quantitative, qualitative, or a hybrid depending on the nature of the vulnerability. Deficiencies should be noted in sufficient detail to provide justification for the recommendations to follow in the next section.
Recommendations The recommendations section of the vulnerability assessment report includes the assessment team’s suggested changes to the security program. These changes may include the deployment and redeployment of security personnel, additional physical security measures, and updates to security plans, policies, and procedures. The recommendations should be prioritized based on the vulnerability ratings for each asset, allowing the security decision makers to move forward with changes in an appropriate fashion. Cost-benefit analysis and cost estimates should also be included in this section of the vulnerability assessment report. Cost-benefit analysis is important since budget requests will have to be made and costs justified. Recommendations may also be made in phase with threats, and vulnerabilities should be reaassessed between phases.
106
Strategic Security Management
Appendices Appendices may be included in the vulnerability assessment report and usually contain facility and area photographs, blueprints, site diagrams, and floor plans. It is also helpful to the reader to include a copy of the security survey checklist and any cost-benefit analysis documentation.
Vulnerability Assessment Report Outline I. Table of Contents II. Executive Summary A. Vulnerability assessment dates B. Scope of assessment C. Team composition D. Facility characterization E. Critical asset description F. Summary of threat assessment G. Vulnerability assessment objectives H. Summary of conclusions I. Summary of recommendations III. Background A. Scope of assessment B. Facility Characterization 1. Organizational mission 2. Criticality of the facility 3. Key staff 4. Major functions 5. Geographic location 6. Overall physical characteristics and conditions 7. Significant features, including history 8. Occupant information 9. Community demographics 10. Supply chain and transportation system 11. Specific critical assets 12. Security policies and procedures 13. Regulatory and legal requirements 14. Reviewed facility blueprints, site diagrams, and floor plans 15. Identification of property boundaries 16. Location of authorized access points 17. Maps depicting facility ingress and egress paths 18. Descriptions of physical structures 19. Traffic patterns 20. Neighboring facilities
Vulnerability Assessments
C. Assessment Overview and Process 1. Identification of critical functions 2. Significant threats 3. Available documentation 4. Vulnerability assessment team composition and biographies 5. Schedule IV. Major Vulnerability Areas A. Site B. Environmental C. Structural D. Physical Protection Systems (PPS) E. Policies and procedures F. Documentation 1. Security plans 2. Security incident reports G. Security personnel H. Life safety and fire protection systems I. Communications systems J. Information technology security systems V. Conclusions VI. Recommendations A. Prioritized ranking of recommendations B. Cost-benefit analysis of recommended changes VII. Appendices A. Facility and area photographs B. Blueprints C. Site diagrams D. Floor plans E. Security survey checklist F. Cost-benefit analysis documentation
107
This page intentionally left blank
Chapter 6
Risk Assessments
In this chapter . . .
Definition Risk Assessments Qualitative Risk Assessments Quantitative Risk Assessments Specialized Risk Assessment Methodologies Risk Mitigation Risk Assessment Report TAG's Risk Assessment Process® Asset Identification
Policies & Procedures
Current Security Measures
Physical Security
Security Personnel
Threat Assessment
Vulnerability Assessment
Crime Analysis
Risk Assessment
Cost Benefit Analysis
Report and Recommendations
Figure 6-1 Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
Definition The risk management process involves assessing threats, vulnerabilities, and risk, evaluating and selecting security measures to reduce identified risks, and
109
110
Strategic Security Management
implementing and monitoring the selected measures to ensure that the measures are effective. Risk management is truly a management process, whereas a risk assessment is simply a component of that continual management process. For many organizations, risk management involves much more than security functions and also includes insurance and legal issues. Risk is a function of threats and vulnerabilities. It is the possibility of asset loss, damage, or destruction. Risk is the result of the likelihood that a specific vulnerability of a particular asset will be exploited by an adversary to cause a given consequence. A risk assessment is a quantitative, qualitative, or hybrid assessment that seeks to determine the likelihood that an adversary will successfully exploit a vulnerability and the resulting impact (degree of consequence) to an asset. A risk assessment is the foundation for prioritizing risks in order to effectively implement countermeasures. No organization is without risk. The risk assessment and management process seeks to reduce risk to a tolerable level. The risk assessment is the culmination of the previous steps discussed thus far beginning with identifying assets, inventorying existing security measures, defining threats, and identifying vulnerabilities. The final step of the process is to calculate risks and make recommendations to reduce them to a level acceptable to the organization. Reducing risk involves identifying countermeasures that can mitigate vulnerabilities through the implementation of additional security measures or changing security measures. Cost estimates and cost-benefit analysis are key to selecting effective and reasonable security measures. Once the proposed recommendations have been selected, risk is recalculated to determine whether the risk has been reduced to an acceptable or tolerable level. Remember, no organization is without risk. The first step in the risk management process is to acknowledge the reality of risk. Denial is a common tactic that substitutes deliberate ignorance for thoughtful planning. —Charles Tremper Recapping the risk assessment steps may be a good idea at this point. Identifying assets is the first step. This is the process of determining which assets are critical to the mission of the organization. Assets include people, property, and information. Critical assets are necessary for the organization to carry out its mission, for without them, functions and processes will fail and cause the mission to fail. The higher the consequence from the loss, damage, or destruction of an asset, the more critical it is. Each organization has different missioncritical assets; thus, no specific list is provided in this text. It is up to the risk assessment team to identify the critical assets of a particular organization. Critical assets are typically determined through interviews and questionnaires of the people charged with carrying out the organization’s mission. For the CocaCola Company, the formula for Coke is a critical asset as it gives Coca-Cola a competitive advantage. For a litigator, his win-loss record is a critical asset. For
Risk Assessments
111
an athlete, her strength, agility, and energy are critical assets. For the security consultant, his integrity is a critical asset. When determining the criticality of an asset, it is important to consider the time and money needed to replace the asset. Reputations may be a critical asset and take a considerable time to develop and replace after negative publicity. A company whose critical assets include their computer network may be able to replace the functionality of that asset rather quickly but with considerable expense. A homeowner whose house is destroyed by fire may be covered financially by insurance (risk transfer), but the time to build or buy a new house may be problematic. A manufacturing firm whose equipment is damaged may suffer downtime until the equipment is restored or replaced. The airport whose metal detectors unknowingly malfunction, though not a terrible development in and of itself, can be detrimental to homeland defense through cascading effects. Here again, asset criticality can be categorized quantitatively by value, replacement cost, and so on, or qualitatively by low, medium, high, or some other relative scale. The second step of the risk assessment process is to inventory existing security measures designed to protect assets. The measures may include policies and procedures, physical security equipment, security personnel, or some combination of these measures. It is important to remember that security measures should not be assumed to be effective in protecting the assets. There are two effective methods for inventorying current security measures: inside-out or outside-in. In the outside-in approach, the assessment team begins at the facility’s perimeter and works its way in toward the asset through each line of defense. The inside-out approach is the opposite with the team starting at the asset and working its way out to the perimeter. In addition to these methods, the inventory process should also include reviewing any available security documentation, including security plans, policies and procedures, the security officer’s post orders, and physical protection system documentation. The third step in the risk assessment process is the threat assessment, whereby threats are identified, characterized and rated on either a qualitative or quantitative scale. Threats are an act or condition that seeks to obtain, damage, or destroy an asset. The most common form of threat assessment is crime analysis. Adversaries can include insiders, outsiders, or a combination of insiders and outsiders. Adversarial capability and motivation should be assessed based on the adversaries’ ability to steal, damage or destroy critical assets. The adversaries’ past methods, equipment, skills, and training should be clearly articulated in the assessment report. Target attractiveness is a key component of the threat assessment. The fourth step of the risk assessment process is the vulnerability assessment wherein weaknesses in the security program are identified via the vulnerability assessment’s primary tool, the security survey. Vulnerabilities are opportunities. They are weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. Vulnerabilities may be
112
Strategic Security Management
structural, procedural, electronic, and human and provide opportunities to attack assets. Existing security measures may or may not address the security program’s weaknesses. Vulnerabilities may also be classified quantitatively or qualitatively. Risk assessment, including the cost-benefit analysis and report with recommendations, is the fifth and final step in the risk assessment process.
Risk Assessments Risk assessments are comprehensive and rational reviews that offer a logical and defensible method for security professionals to make decisions about security expenditures and to select cost-effective security measures that will protect critical assets and reduce risk to an acceptable level. Assessing risk is a dynamic process that involves continuous evaluation of assets, threats, and vulnerabilities. Risk assessments are typically a staged process whereby critical assets are identified, current countermeasures are enumerated, threats are identified, vulnerabilities are defined, and prioritized recommendations are made to protect critical assets based on probabilities of attack. Risk assessments can be both quantitative and qualitative, or a hybrid. Qualitative assessments are based on the data available and on the skills of the assessment team, while quantitative assessments utilize numeric data to evaluate risk. Hybrid risk assessments utilize quantitative data where available and qualitative where metrics are not readily available or insufficient. While assessing risk is more art than science, the risk assessment methodology should be structured so that the results and recommendations can be replicable given a different assessment team. Risk assessments should generally be quantitative to the extent possible, recommendations for additional security measures should be the result of a cost-benefit analysis, and measures should be benchmarked against industry standards.
Qualitative Risk Assessments Qualitative assessments are normally used when the assets in need of protection are of lower value or when data is not available. Qualitative risk assessments may also be used when insufficient historical information or metric data exists, precluding a quantitative approach. The results of qualitative assessments depend on the assessment skills of the people involved in the assessment. Risk levels are normally given in abstract values such as high, medium, or low, or color coded like the Homeland Security Advisory System. The American Society for Industrial Security—International released a security guideline entitled “General Security Risk Assessment” in 2003 which outlined one approach to qualitative risk assessments. The full qualitative approach is included at the end of this chapter.
Risk Assessments
113
Quantitative Risk Assessments Quantitative assessments, on the other hand, are metric based and assign numeric values to the risk level. Overall risk levels are derived from all available security metrics. In physical protection systems, for example, the metrics used in determining the risk level include the threat level, probability of detection, delay times, and response force times. Quantitative assessments are commonly used for the protection of business critical or high-value assets. It should be recognized that security risks are notoriously hard to measure quantitatively because they involve human actions. The general methodology for quantitative risk assessment is to consider the probability of an attack and the expected impact on each critical asset. The probability of attack is based on the adversary’s motivation, capability, and intent. Depending on the type of facility or assets being protected, historical data may also be considered, but a lack of history should not be indicative of a low or nonexistent threat level. One reason a lack of history cannot be used is evident in the September 11 attacks. Had history been the only factor considered, the threat level would have been zero since no similar attack had occurred previously in the United States or anywhere else in the world. Vulnerabilities are calculated using the probability that each specific vulnerability will be exploited by an adversary. Based on the threat and vulnerability calculations, the overall risk level is calculated. In most situations, especially during an initial risk assessment, the risk level will not be acceptable. Thus, security measures must be identified, cost-benefit analyses performed, and the risk recalculated based on the theoretical implementation of these countermeasures. Only after a security mix has been identified and brings the risk level to an acceptable level will the actual implementation begin. In some cases, a phased approach may be used wherein the security decision maker implements certain security measures, allows some time to pass, and then conducts another assessment to see if the measures are effective in reality. If they are not, the next phase of measures is deployed and reassessed. This is similar to the pretest/posttest method used in the scientific and research communities. The American Society for Industrial Security—International includes a quantitative approach to risk assessments in its General Security Risk Assessment guideline. (The quantitative approach is included at the end of this chapter in its entirety.) RISK = THREAT + VULNERABILITY
Specialized Risk Assessment Methodologies A number of specialized risk assessments exist that address the needs of particular industries or specific threats or types of critical assets. Among these specialized risk assessments are:
114
Strategic Security Management
The American Petroleum Institute’s Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries The National Institute of Justice’s A Method to Assess the Vulnerability of U.S. Chemical Facilities Sandia National Laboratories Security Risk Assessment Methodology for Water Utilities (RAM-WTM), for Chemical Facilities (RAM-CFTM), for Communities (RAM-CTM), for Transmission (RAM-TTM), for Prisons (RAM-PTM), and for Dams (RAM-DTM) The American Society for Industrial Security—International’s General Security Risk Assessment Guideline The Federal Emergency Management Agency’s Reference Manual to Mitigate Potential Terrorist Attacks against Buildings The Center for Chemical Process Safety’s Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites The National Institute of Standards and Technology’s Risk Management Guide for Information Technology Systems Microsoft’s Security Risk Management Guide Threat Analysis Group’s Risk Assessment Methodology The National Fire Protection Association’s Guide for Premises Security (NFPA 730) Sandia National Laboratories’ Risk Assessment Method—Property Analysis and Ranking Tool (RAMPART) The Illuminating Engineering Society of North America’s Guideline for Security Lighting for People, Property, and Public Spaces (IESNA G-1-03) The United States military’s CARVER Methodology (Criticality, Accessibility, Recoverability, Vulnerability, Effect, Recognizability) The United States Air Force’s DSHARP Methodology (Demographics, Symbology, Historical, Accessibility, Recuperability, Population)
Take calculated risks. That is quite different from being rash. —General George Patton
Risk Mitigation Risk management is the process of anticipating future losses and using risk mitigation strategies for reducing or eliminating that risk. Generally, five strategies may be employed to deal with risk: avoidance, reduction, spreading, transfer, and acceptance. Risk avoidance is an extreme measure since it hampers business. An example may be a department store that chooses not to stock a
Risk Assessments
115
particular brand or style of basketball shoes which are stolen with great frequency. Risk reduction is typically the driving force for security departments whose role it is to provide protection for assets. Risk spreading is a strategy used in moving assets to different geographic areas so that if one area is attacked, the consequence is limited to that area. In today’s business climate, critical documents and information are commonly available electronically. Many companies store these electronic information documents in multiple locations so that if an attack were to occur, a backup of the information would exist. Risk transfer is a strategy used to remove the risk from the owner to a third party. Insurance is the best example of risk transfer in that the business hires the insurance company to assume the risk for a fee. Risk acceptance is another strategy used in mitigating risk. As the name implies, risk acceptance is simply where an organization assumes the risk to an asset. Given a specific threat, many specific risk mitigation strategies are available to the security decision maker. Cost effectiveness is a key component in selecting the best one for the protection of assets. A thorough risk assessment allows security decision makers to prioritize risk reduction activities and adapt to changing and emerging threats. Risk mitigation is a security strategy that is accomplished by decreasing the threat level by eliminating or intercepting adversaries before they attack, blocking opportunities through enhanced security, or reducing the consequences if an attack should occur. Without question, the best strategy for mitigating risk is a combination of all three elements: decreasing threats, blocking opportunities, and reducing consequences. This is the homeland defense strategy used by the United States government and many other governments across the globe in the War on Terror. The United States’ homeland security strategy may be characterized as the three P’s: Prevent, Protect, and Prepare. The Department of Homeland Security’s strategy is to reduce the threat by way of cutting terror funding, destroying terrorist training camps, and capturing terrorists; to block opportunities through enhanced security measures such as increased airport and maritime security; and to reduce the consequences through target-hardening efforts that minimize damage such as window glazing and through shortening response and recovery times. For the security decision maker, specific countermeasures are available for each P. Prevention measures can include psychological measures designed to deter criminals from perpetrating their acts on a given property by increasing the risk of detection and capture. Protection measures include security personnel and vaults. Preparation measures include alarm system monitoring services that respond to alarms. More than one security measure may exist to protect a given asset. As such, for each potential security measure, the risk reduction benefit should also be assessed quantitatively or qualitatively. The measure selected may not necessarily be the most effective; rather, it is preferable to select a cost-effective measure that brings the risk down to a tolerable
116
Strategic Security Management
level. As is often the case with security measures, the sum is greater than the parts in that multiple security measures working in conjunction with one another can reduce risk to an acceptable level. Similarly, one security measure may protect more than one asset. In either case, the overall effectiveness of security measures should be assessed to determine their net effect. As defined above, security measures that provide maximum protection often come at a high price. While maximum protection may be warranted in certain critical infrastructures, it is not the standard for most industries. The typical standard is reasonable. Defining a reasonable level of protection to provide for the protection of people, property, and information is the primary task of most security decision makers. The problem with this standard, however, is that reasonable minds may disagree. Another security strategy is the concept of balanced protection, which simply means that no matter how an adversary attempts to reach the asset, security measures that deter, detect, or delay his advance will be encountered. Balanced protection is accomplished through yet another security strategy called protection in depth. Protection in depth is also known as security layering wherein the asset is behind multiple layers of security measures, each requiring penetration in sequence to reach the asset. Regardless of whether maximum or reasonable protection is required, the cost of each security measure must be determined. Security equipment costs include initial costs, training costs, and ongoing maintenance and repair costs. Security personnel costs include background checks, training and continuing education, uniforms, equipment, and licensing. The rule of thumb for the selection of security measures is that their total cost should not exceed the cost to replace or repair the asset being protected. Another strategy used in the protection of assets is to provide protection only for critical assets, with the anticipation that other assets will be secured through a diffusion of benefits. Diffusion of benefits will be discussed in detail in the prevention chapter.
Risk Assessment Report The risk assessment report is a comprehensive written document that incorporates all elements of the risk assessment methodology. Typical components of a full-scale risk assessment report include a listing of major assets, critical assets, and the facility characterization, a summary of existing security measures, the threat assessment report including supporting documentation with crime analysis charts and graphs, major elements of the vulnerability assessment report with the security survey included as an appendix, and recommendations for security modifications with the cost-benefit analysis. The goal of the report is to highlight the findings of the risk assessment so that those who hold the purse strings are able to make educated risk mitigation decisions that may include one or more of the five risk mitigation strategies (avoidance, reduction, spreading, transfer, and acceptance). The following suggested format builds upon the format used for the risk assessment report.
Risk Assessments
117
Table of Contents The table of contents in a risk assessment report should identify each major section and subsection and be identified by page number.
Executive Summary Similar to the vulnerability assessment report, the executive summary of a risk assessment report is an overview document used to provide a condensed version of the entire report and highlights key issues for decision makers who do not have the time to read the full report. The executive summary should not be longer than 10 percent of the full report and is often much shorter and should suffice as a stand-alone document. The executive summary should list the major assets and critical assets, and should include the facility characterization. It should also summarize the existing security measures, the threats posed to the assets including the relevant information from the crime analysis, and the major vulnerabilities. The executive summary should conclude with the recommendations and a call for action.
Background and Methodology The background and methodology section of the risk assessment report outlines the scope of the risk assessment and defines the methodology. The methodology may be specific to the facility or organization, an industryspecific methodology, or a general methodology. Assessment team members should also be identified along with their credentials in this section of the report. The facility characterization and security inventory are discussed along with the security philosophy of the organization, if one exists. Historical attacks will also be included in this section, along with a general threat overview. Vulnerabilities uncovered during the security survey are outlined, along with any interim remedial measures designed to deter, detect, or delay immediate threats.
Assets and Critical Assets This section outlines the facility’s assets and critical assets, with special attention to defining the extent to which assets are necessary for critical functions or which assets are of a mission-oriented nature.
Existing Security Measures This section of the risk assessment report contains a discussion of the current security policies and procedures, the existence of any security manuals and post orders, types of physical security measures in use at the facility, and documentation concerning the use of armed and unarmed security officers or
118
Strategic Security Management
off-duty police officers. The scheduling practices are of utmost importance in the security personnel discussion, along with hiring standards, background investigation procedures, post orders and training provided, patrol practices, security incident reporting procedures, and equipment and uniform standards.
Threat Assessment and Crime Analysis The threat assessment section’s major component is a review of historical crime data or an in-depth crime analysis. The crime analysis includes spatial and temporal trends, average and mean crime levels, descriptions of the specific types of crime that have occurred, crime totals, violent crime rates, and forecasts or mathematical projections of future crime. The threat assessment may also include a discussion of crime problems in the area and other known threats to the facility.
Vulnerability Assessment The vulnerability assessment section of the risk assessment report outlines the results of the security survey and identifies any opportunities for adversaries to attack. Weaknesses and deficiencies in the security program should be described in sufficient detail to assist in identifying and selecting effective countermeasures.
Risk Assessment and Recommendations This section is the pinnacle of the risk assessment report, representing the culmination of a lengthy, comprehensive process. The beginning of this section presents a discussion of the current risks to the facility and to its assets based on the threats and vulnerabilities previously identified during the respective assessments. These risks may be described quantitatively and/or qualitatively. Recommendations developed by the risk assessment teams are then included along with the cost-benefit analysis for each security measure or security mix. Anticipated risk levels after the deployment of the initial or only phase of security measures are then described. Subsequent security deployment phases are then discussed along with further risk reductions expected. The recommendations should be prioritized based on quantitative or qualitative risk ratings for each asset.
Appendices Appendices should be included in the risk assessment report and should specifically include asset listings and descriptions; existing security inventory documentation; facility and area photographs, blueprints, site diagrams and floor plans; threat assessment and crime analysis information; the security survey instrument or checklist; and cost-benefit worksheets.
Risk Assessments
Risk Assessment Report Outline I. Table of Contents II. Executive Summary III. Background and Methodology A. Risk Assessment Methodology B. Assessment Scope and Objectives C. Team Composition and Qualifications D. Facility Characterization IV. Assets A. Major Assets and Functions B. Critical Assets and Functions V. Existing Security Inventory A. Policies and Procedures B. Physical Security Measures C. Security Personnel VI. Threat Assessment A. Site-Specific Crime Analysis B. Historical Attacks against Similar Facilities VII. Vulnerability Assessment A. Security Survey Process B. Major Vulnerabilities C. Other Vulnerabilities VIII. Risk Assessment A. Current Risks B. Risk Ratings C. Mitigation Strategies D. Prioritized Recommendations E. Cost-Benefit Analysis F. Revised Risk Estimates G. Call for Action IX. Appendices A. Facility and Area Photographs B. Blueprints, Site Diagrams, and Floor Plans C. Facility Personnel Interview Questions D. Complete Asset List and Descriptions E. Existing Security Inventory F. Threat Assessment and Crime Analysis Documentation G. Security Survey Instrument or Checklist H. Cost-Benefit Analysis Worksheets
119
Appendix
ASIS International General Security Risk Assessment Guideline— Qualitative and Quantitative Risk Assessments ASIS General Security Risk Assessment Guidelines The following examples of quantitative and qualitative risk assessment approaches are from the General Security Risk Assessment Guideline, Copyright (c) 2003 by ASIS International. Used by permission.The complete guideline is available from ASIS International, 1625 Prince Street, Alexandria, Virginia 22314 or at http://www.asisonline.org/guidelines/guidelines.htm.
120
Appendix I
Qualitative Approach
Each step of the following seven-step practice advisory includes examples and other relevant information to guide the practitioner in developing a better understanding of the underlying principles to be applied in the assessment. PRACTICE ADVISORY #1 Understand the organization and identify the people and assets at risk. COMMENTARY—“Understand the organization.” The first task of the security practitioner is to develop an understanding of the organization to be assessed. This does not mean that the practitioner must become an expert in the operation of the enterprise to be evaluated, but must acquire enough of an understanding of how the organization operates to appreciate its complexities and nuances. Consideration should be given to factors such as hours of operation; types of clients served; nature of the business activity; types of services provided or products produced, manufactured, stored, or otherwise supplied; the competitive nature of the industry; the sensitivity of information; the corporate culture; the perception of risk tolerance; and so on. The types of information that the practitioner should ascertain are as follows. The hours of operation for each department Staffing levels during each shift Type of services provided and/or goods produced, stored, manufactured, etc. Type of clientele served (e.g., wealthy, children, foreigners, etc.) The competitive nature of the enterprise Any special issues raised by the manufacturing process (e.g., environmental waste, disposal of defective goods, etc.) Type of labor (e.g., labor union, unskilled, use of temporary workers, use of immigrants, etc.)
122
Strategic Security Management
COMMENTARY—“Identify the people and assets at risk.” The second step in the process is to identify the assets of the organization that are at risk to a variety of hazards. People People include employees, customers, visitors, vendors, patients, guests, passengers, tenants, contract employees, and any other persons who are lawfully present on the property being assessed. In very limited circumstances, people who are considered trespassers also may be at risk for open and obvious hazards on a property or where an attractive nuisance exists (e.g., abandoned warehouse, vacant building, a “cut through” or path routinely used by people to pass across property as a short cut). In most states, trespassers need only be warned by the posting of signs of a known dangerous or hazardous condition. Property Property includes real estate, land and buildings, facilities; tangible property such as cash, precious metals, and stones; dangerous instruments (e.g., explosive materials, weapons, etc.); high-theft items (e.g., drugs, securities, cash, etc.); as well as almost anything that can be stolen, damaged, or otherwise adversely affected by a risk event. Property also includes the “goodwill” or reputation of an enterprise that could be harmed by a loss risk event. For example, the ability of an enterprise to attract customers could be adversely affected by a reputation as being unsafe or crime ridden. The third subset of property is information. Information includes proprietary data, such as trade secrets, marketing plans, business expansion plans, plant closings, confidential personal information about employees, customer lists, and other data that if stolen, altered, or destroyed could cause harm to the organization. PRACTICE ADVISORY #2 Specify loss risk events/vulnerabilities. COMMENTARY The second major step in the security risk assessment methodology is to identify the types of events or incidents which could occur at a site based on the history of previous events/incidents at that site; events at similarly situated sites; the occurrence of events (e.g., crimes) that may be common to that type of business; natural disasters peculiar to a certain geographical location; or other circumstances, recent developments, or trends. Loss risk events can fall into three distinct categories: crimes, noncriminal events such as human-made or natural disasters, and consequential events caused by an enterprise’s relationship with another organization, when the latter organization’s poor or negative reputation adversely affects the enterprise. SOURCES OF DATA AND INFORMATION Crime-Related Events There are numerous sources for information/data about crime-related events that may impact an enterprise. The security practitioner may consider any of the following sources in aiding the determination of risk at a given location.
Risk Assessments
123
Local police crime statistics and calls for service at the site and the immediate vicinity for a three-to-five-year period Uniform Crime Reports published by the U.S. Department of Justice for the municipality The enterprise’s internal records of prior reported criminal activity Demographic/social condition data providing information about economic conditions, population densities, transience of the population, unemployment rates, etc. Prior criminal and civil complaints brought against the enterprise Intelligence from local, state, or federal law enforcement agencies regarding threats or conditions that may affect the enterprise Professional groups and associations that share data and other information about industry-specific problems or trends in criminal activity Other environmental factors such as climate, site accessibility, and presence of “crime magnets”
Non-Criminal Events The practitioners should consider two subcategories of non-crime-related events: natural and “human-made” disasters. Natural disasters are events such as hurricanes, tornadoes, major storms, earthquakes, tidal waves, lightning strikes, and fires caused by natural disasters. “Human-made” disasters or events could include labor strikes, airplane crashes, vessel collisions, nuclear power plant leaks, terrorist acts (which also may be criminalrelated events), electrical power failures, and depletion of essential resources. Consequential Events A “consequential” event is one where, through a relationship between events or between an enterprise and another organization, the enterprise suffers some type of loss as a consequence of that event or affiliation, or when the event or the activities of one organization damage the reputation of the other. For example, if one organization engages in illegal activity or produces a harmful product, the so-called innocent enterprise may find its reputation tainted by virtue of the affiliation alone, without any separate wrongdoing on the part of the latter organization. PRACTICE ADVISORY #3 Establish the probability of loss risk and frequency of events. COMMENTARY—Probability of Loss Risk Probability of loss is not based upon mathematical certainty; it is consideration of the likelihood that a loss risk event may occur in the future, based upon historical data at the site, the history of like events at similar enterprises, the nature of the neighborhood, immediate vicinity, overall geographical location, political and social conditions, and changes in the economy, as well as other factors that may affect probability. For example, an enterprise located in a flood zone or coastal area may have a higher probability for flooding and hurricanes than an enterprise located inland and away from water. Even if a flood or hurricane has not occurred previously, the risks are higher when the location lends itself to the potential for this type of a loss risk event.
124
Strategic Security Management
In another example, a business that has a history of criminal activity both at and around its property will likely have a greater probability of future crime if no steps are taken to improve security measures and all other factors remain relatively constant (e.g., economic, social, political issues). The degree of probability will affect the decision-making process in determining the appropriate solution to be applied to the potential exposure. COMMENTARY—Frequency of Events When looked at from the “event” perspective, the practitioner may want to query how often an exposure exists per event type. For example, if the event is robbery of customers in the parking lot, then the relevant inquiry may be how often customers are in the lot and for how long when walking to and from their vehicles. If the event is the rape of a resident in an apartment building, then the inquiry may focus on how often the vulnerable population is at risk. If the event were a natural disaster such as a hurricane, the practitioner certainly would want to know when hurricane season takes place. PRACTICE ADVISORY #4 Determine the impact of the event. COMMENTARY The security practitioner should consider all the potential costs, direct and indirect, financial, psychological, and other hidden or less obvious ways in which a loss risk event impacts an enterprise. Even if the probability of loss is low, but the impact costs are high, security solutions still are necessary to manage the risk. Direct costs may include: Financial losses associated with the event, such as the value of goods lost or stolen Increased insurance premiums for several years after a major loss Deductible expenses on insurance coverage Lost business from an immediate post-risk event (e.g., stolen goods cannot be sold to consumers) Labor expenses incurred as a result of the event (e.g., increase in security coverage post-event) Management time dealing with the disaster/event (e.g., dealing with the media) Punitive damages awards not covered by ordinary insurance Indirect costs may include: Negative media coverage Long-term negative consumer perception (e.g., that a certain business location is unsafe) Additional public relations costs to overcome poor image problems Lack of insurance coverage due to a higher risk category Higher wages needed to attract future employees because of negative perceptions about the enterprise Shareholder derivative suits for mismanagement Poor employee morale, leading to work stoppages, higher turnover, etc.
Risk Assessments
125
PRACTICE ADVISORY #5 Develop options to mitigate risks. COMMENTARY The security practitioner will have a range of options available, at least in theory, to address the types of loss risk events faced by an enterprise. “In theory” alludes to the fact that some options may not be available either because they are not feasible (discussed in Practice Advisory #6) or are too costly, financially or otherwise. Options include security measures available to reduce the risk of the event. Equipment or hardware, policies and procedures, management practices, and staffing are the general categories of security-related options. However, there are other options, including transferring the financial risk of loss through insurance coverage or contract terms (e.g., indemnification clauses in security services contracts), or simply accepting the risk as a cost of doing business. Any strategy or option chosen still must be evaluated in terms of availability, affordability, and feasibility of application to the enterprise’s operation. PRACTICE ADVISORY #6 Study the feasibility of implementation of options. COMMENTARY The practical considerations of each option or strategy should be taken into account at this stage of the security risk assessment. While financial cost is often a factor, one of the more common considerations is whether the strategy will interfere substantially with the operation of the enterprise. For example, retail stores suffer varying degrees of loss from the shoplifting of goods. One possible “strategy” could be to close the store and keep out the shoplifters. In this simple example, such a solution is not feasible because the store also would be keeping out legitimate customers and would go out of business. In a less obvious example, an enterprise that is open to the public increases its access control policies and procedures so severely that a negative environment is created by effectively discouraging people from going to that facility as potential customers and hence, it loses business. The challenge for the security practitioner is to find that balance between a sound security strategy and consideration of the operational needs of the enterprise, as well as the psychological impact on the people affected by the security program. PRACTICE ADVISORY #7 Perform a cost/benefit analysis. COMMENTARY The final step in conducting a security risk analysis is consideration of the cost versus benefit of a given security strategy.The security practitioner should determine what the actual costs are of the implementation of a program and weigh those costs against the impact of the loss, financially or otherwise. For example, it would make no sense to spend $100,000 on security equipment to prevent the theft of a $1,000 item, especially when it may make more sense to purchase insurance or remove the item to a more secure location.
Appendix II
Quantitative Approach
CALCULATING PROBABILITY AND CRITICALITY LOSS EVENT PROFILE Forecasting individual loss events that may occur is the first step in dealing with risk assessment. It requires clear ideas about the kinds of loss events or risks, as well as about the conditions, circumstances, objects, activities, and relationships that can produce them. A security countermeasure can be planned if the loss event has the following characteristics:
The event will produce an actual loss, measurable in some standard medium, such as money; and The loss is not the result of a speculative risk in that nonoccurrence of the event would not result in a gain.
The kinds of events that are loss-only oriented and which involve so called pure risks include crime, natural catastrophe, industrial disaster, civil disturbance, war or insurrection, terrorism, accident, conflicts of interest, and maliciously willful or negligent personal conduct. The recognition of even obvious risks implies some estimate of the probability that the risk actually will produce a loss. To the extent that the risk itself is concealed, the task of estimating probability of occurrence is more difficult. LOSS EVENT PROBABILITY OR FREQUENCY Probability can be formulated as the number of ways in which a particular event can result from a large number of experiments which could produce that event, divided by the number of those experiments. Stated as an equation, this is: P=
f n
where: P = the probability that a given event will occur f = the number of actual occurrences of that event n = the total number of experiments seeking that event
Risk Assessments
127
E.g., the probability of shoplifting at a given location during a given year is determined as: P (probability) = the number of days on which actual shoplifting events occurred during the year divided by 365. Although this simple statement illustrates a direct way to calculate probability mathematically, it is not enough for practical application to security loss situations, because while some events will occur more than once, other events will occur only once, and the reaction will so change the environment that the theoretically probable further occurrences will be prevented. As a basic concept, the more ways a particular event can occur in given circumstances, the greater the probability that it will occur. For effective assessment of probability, as many as possible of those circumstances that could produce the loss must be known and recognized. Probability Factors Conditions and sets of conditions that will worsen or increase asset exposure to risk of loss can be divided into the following major categories: 1. Physical environment (construction, location, composition, configuration) 2. Social environment (demographics, population dynamics) 3. Political environment (type and stability of government, local law enforcement resources 4. Historical experience (type and frequency of prior loss events) 5. Procedures and processes (how the asset is used, stored, secured) 6. Criminal state-of-the-art (type and effectiveness of tools of aggression) Application of Probability Factors Analyses The practical value of loss risk analysis depends upon the skill and thoroughness with which the basic risks to an enterprise are identified. This is the first and most important step in the entire process. Every aspect of the enterprise or facility under review must be examined to isolate those conditions, activities, and relationships that can produce a loss. For an effective analysis, the observer must take into account the dynamic nature of the enterprise on each shift and between daylight and darkness. The daily routine must be understood because the loss-producing causes can vary from hour to hour. Checklists Every enterprise differs from every other, and general recommendations must be modified to meet local needs. Consult the references in this guideline for forms and checklists to use in the initial gathering of loss event data. RISK MATRIX After analysis has identified the specific threats or risks, the details that make occurrence of each event more or less probable can be recorded. The method suggested is a grid or matrix arranged either by asset or by type of risk, setting forth all the factual elements relevant to probability. Matrices describe a particular situation with respect to each of the risks identified in the general fact gathering. Please see Figure 1, infra. The frequent absence or scarcity of historical occurrence data often makes it impossible to calculate probability on a purely quantitative basis and requires some degree of qualitative assessment.
128
Strategic Security Management
Asset Identification and Description CONDITIONS AFFECTING RISK
LOCATION Warehouse
Value ($)
Admittance Controlled (Y/N)
Area Locked (Y/N)
Records Kept (Y/N)
Alarms (Y/N)
Other Etc.
Front Office
Etc.
Laboratory
Etc.
Shipping
Etc.
Manufacturing
Etc.
Etc.
Etc.
Figure 1. Specimen Matrix. Locations and Conditions Affecting Risk Can Be Added and/or Modified to Fit the Particular Asset and Its Environment. (Y/N) = Yes or No for Each Condition Specified. Conditions Should Be Framed Such That a Yes Indicates Better and a No Indicates Poorer Protection.
Probability Ratings After all the available data concerning each risk and its factual circumstances have been gathered, a probability rating can be assigned to that risk. Ratings will not consider any precaution or countermeasure that may later be taken to reduce or eliminate the risk. A primary purpose of such unconditioned ratings is to allow for later priority scheduling in the selection of countermeasures. It may be enough to be able to say that one event is more probable than another. To say this about entire series or categories of events, it must be possible to assign each to some class that can then be compared with other classes to arrive at a conclusion of “more likely” or “less likely.” Five categories of probability can establish useful distinctions among events, as follows: (A) Virtually Certain — Given no changes, the event will occur. For example, given no changes, a closed intake valve on a sprinkler riser will prevent water flow in the event of fire. (B) Highly Probable — The likelihood of occurrence is much greater than that of nonoccurrence. For example, unprotected currency lying visible on a counter is very likely to be taken. (C) Moderately Probable — The event is more likely to occur than not to occur. (D) Less Probable — The event is less likely to occur than not to occur. This does not imply impossibility, merely improbability. (E) Probability Unknown — Insufficient data are available for an evaluation. This approximate system of ratings contains wide latitude for variation. Two observers could assign different probabilities to the same risk, based upon different evaluations of the circumstances. But an advantage of this technique is that absolute precision is not important. If the correct general label can be attached, it does not matter that a highly probable risk might have a ratio of .751 or .853. What is important is to be able to segregate all risks of virtually certain probability from all others and to make similar distinctions for each other general class. Even competent professionals may disagree on what is highly probable and what is moderately probable. To compensate for inexactness, if a rating is in doubt after all available information has been gathered and evaluated, then the higher of two possible ratings should be assigned.
Risk Assessments
129
Rating Symbols. To save time and space, five levels of probability can be assigned the symbols A, B, C, D, and E, ranking downward from “Virtually Certain” to “Probability Unknown.” These symbols later will be combined with symbols representing criticality in the development of priority lists. It should be noted that the probability rating E, or “Probability Unknown,” is merely a temporary rating pending the development of all relevant data. In the construction of threat logic patterns, E ratings will be replaced by one of the definite ratings. The second step in risk analysis is complete when a particular risk, identified in the first level of the survey through the use of forms and checklists, has been assigned a probability rating. No standard recording system is in universal use, and each protection organization making a survey must set up its own recording system to be sure that each risk, once identified, can be found readily again in the growing volume of survey data. A simple method for doing this is to assign a distinctive number to each risk classified. It will be necessary to locate and identify each risk to add a later criticality rating, to rank the rated risk in a table or priority list, and to plot it in a threat logic tree based on relative priorities. LOSS EVENT CRITICALITY Highly probable risks may not require countermeasures attention if the net damage they would produce is small. But even moderately probable risks require attention if the size of the loss they could produce is great. The correlative of probability of occurrence is severity or criticality of occurrence. Assessing criticality is the third step in risk assessment. Criticality is first considered on a single event or occurrence basis. For events with established frequency or high-recurrence probability, criticality also must be considered cumulatively. The criticality or loss impact can be measured in a variety of ways. One is effect on employee morale; another is effect on community relations. But the most useful measure overall is financial cost. Because the money measure is common to all ventures, even government and not-for-profit enterprises, the seriousness of security vulnerability can be grasped most easily if stated in monetary terms. Note that some losses (e.g., loss of human life, loss of national infrastructure elements, or losses of community goodwill) do not lend themselves to ready analysis in financial terms. When events that could produce these types of losses have been identified, some factors other than merely quantitative will be used to measure their seriousness. When tradeoff decisions are being made as part of the risk management process, a very useful way to evaluate security countermeasures is to compare cost of estimated losses with cost of protection. Money is the necessary medium. Kinds of Costs to Be Considered Costs of security losses are both direct and indirect; they are measured in terms of lost assets and lost income. Frequently, a single loss will result in both kinds. 1. Permanent Replacement The most obvious cost is that involved in the permanent replacement of a lost asset. Permanent replacement of a lost asset includes all of the cost to return it to its former location. Components of that cost are (1) Purchase price or manufacturing cost; (2) Freight and shipping charges; and (3) Make-ready or preparation cost to install it or make it functional. A lost asset may cost more or less to replace now than when it was first acquired.
130
Strategic Security Management
2. Temporary Substitute It may be necessary to procure substitutes while awaiting permanent replacements. This may be necessary to minimize lost opportunities and to avoid penalties and forfeitures. The cost of the temporary substitute is properly allocable to the security event that caused the loss of the asset. Components of temporary substitute cost might be (1) Lease or rental; and/or (2) Premium labor, such as overtime or extra shift work to compensate for the missing production. 3. Related or Consequent Cost If other personnel or equipment are idle or underutilized because of the absence of an asset lost through a security incident, the cost of the downtime also is attributable to the loss event. 4. Lost Income Cost In most private enterprises, cash reserves are held to the minimum necessary for shortterm operations. Remaining capital or surplus is invested in varying kinds of incomeproducing securities. If cash that might otherwise be so invested must be used to procure permanent replacements or temporary substitutes or to pay consequent costs, the income that might have been earned must be considered part of the loss. If income from investment is not relevant to a given case, then alternative uses of the cash might have to be abandoned to meet the emergency needs. In either case, use of the money for loss replacement will represent an additional cost margin. To measure total loss impact accurately, this also must be included. The following formula can be used: I=
P×r×t 365
where: I = income earned P = principal amount (in dollars) available for investment r = annual percent rate of return t = time (in days) during which P is available for investment Cost Abatement Many losses are covered, at least in part, by insurance or indemnity of some kind. To the extent it is available, that amount should be subtracted from the combined costs of loss enumerated previously. A Cost-of-Loss Formula Taking the worst-case position and analyzing each security loss risk in light of the probable maximum loss for a single occurrence of the risk event, the following equation can be used to state that cost: K = Cp + Ct + Cr + Ci − I where: K Cp Ct Cr Ci I
= = = = = =
criticality, total cost of loss cost of permanent replacement cost of temporary substitute total related costs lost income cost available insurance or indemnity
Risk Assessments
131
Criticality Ratings It is suggested that the following ratings be used to summarize the impact of each loss event, and interpreted as follows: 1. Fatal — The loss would result in total recapitalization or abandonment or longterm discontinuance of the enterprise. 2. Very serious — The loss would require a major change in investment policy and would have a major impact on the balance sheet assets. 3. Moderately serious — The loss would have a noticeable impact on earnings as reflected in the operating statement and would require attention from the senior executive management. 4. Relatively unimportant — The loss would be charged to normal operating expenses for the period in which sustained. 5. Seriousness unknown — Before priorities are established, this provisional rating is to be replaced by a firm rating from one of the first four classes. The nature and size of the enterprise determines the dollar limits for each of these classes. The value of the rating system is in its relevance to the enterprise. The terms used are not intended to have any absolute significance. This completes the third step in vulnerability assessment. ALTERNATIVE APPROACHES TO CRITICALITY Known Frequency Rate There are other ways in which the weighted importance of a probable risk event can be measured. One is when a historical frequency can be identified. For example, natural catastrophes such as floods and earthquakes are expected to occur a stated number of times per year, based on the number of actual past occurrences. Other events also may have a reliable rate of recurrence. When a frequency rate is known, the single-event criticality can be multiplied by the number of events expected during the period considered, normally the calendar or fiscal year. Thus, if K = $10,000 for an event, and it has a frequency rate of once a year, the weighted impact would be $10,000 × 1. If the same event had a frequency rate of once every three years, the weighted impact would be $10,000 × .333 or $3,333. If it had a frequency of three times a year, the weighted impact would be $10,000 × 3 or $30,000. Nominal Numerical Probability Another technique, useful to convert the symbolic rankings to simple numerical statements, is to assign an agreed real numerical probability to each of four categories below. Thus: A) “Virtually Certain,” might be assigned a numerical probability of .85; B) “Highly Probable” might be assigned .65; C) “Moderately Probable” might be assigned .50; and D) “Less Probable” might be assigned .20. Next, the criticality of any single loss event is multiplied by the agreed value of the probability. Thus, a $10,000 criticality for a moderately probable event would be $10,000 × .50 = $5,000. (Note that this is used hypothetically to arrive at an overall picture of exposure. If the loss occurs at all, it will cost $10,000, not $5,000.) But to permit ranking before loss so as to expedite countermeasures, the technique would preserve the weighted differences.
132
Strategic Security Management
Scatter Plots Another method that can be used to present overall risk is to use a scatter plot. This is a method of plotting each risk on a graph whose axes are cost and frequency. First, the criticality or cost impact is located on the vertical axis. Then, moving right in a straight line, a dot or mark is placed above the frequency rate for that event on the horizontal axis. When all the risks have been plotted on the graph, a smooth curve (a line passing through the areas of highest concentration of dots) can be drawn. This would indicate the approximate distribution of expected losses for the planning period. The countermeasures program would be designed to lower that line as much as feasible. See Figure 2, infra. (K in $) $100 Mil
Criticality
$10 Mil $1 Mil $100,000 $10,000 $1,000 $100 1/100 yr
1/10 yr
1/1 yr
10/1 yr
100/1 yr
1000/1 yr
10K/1
100K/1
Frequency (F) in Times per Year Figure 2. Specimen Scatter Plot; to Show Events Weighted for Criticality (K) (Vertical Axis) and Frequency (Times per Year) (Horizontal Axis). Each Event or Risk Is Plotted at the Intersection of K and F for that Event.
Establishing Priorities The next step is to arrange the entire body of rated risks into a sequence of priority for countermeasures attention. The more serious risks are listed first, followed in descending order of importance by the others until all the risks have been listed. The listing should identify each risk and indicate the combined probability criticality rating that has been assigned. Such an approach would produce a list of all the risks in each of the various rating classes, as follows: A1, A2, A3, A4; B1, B2, B3, B4; C1, C2, C3, C4; D1, D2, D3, D4. When all the risks have been ranked, the formal task of risk assessment is complete and reflects the risk exposure of the enterprise as of the date on which the assessment was made. No risk assessment is permanent and, depending upon the extent and speed of changes within the enterprise, reassessments will be required periodically, at a minimum of at least once a year.
Chapter 7
Information Technology Risk Management Nick Vellani
In this chapter . . .
Why Information Technology Security Is Important Information Technology Risk Management Asset Identification Information Technology Risk Assessment Information Technology System Characterization Threat Assessment Vulnerability Assessment Control Evaluation Likelihood Determination Impact Analysis Risk Determination Control Recommendations Results Documentation Risk Mitigation: Options and Strategies Control Implementation Methodology Control Categories Cost-Benefit Analysis Residual Risk Evaluation and Refinement
Why Information Technology Security Is Important to Traditional Security Decision Makers Most security decision makers have heard the term convergence but are confused about its meaning and application. Convergence is defined as the process of two entities coming together to a common point. For the purposes of risk management, convergence is defined as the process of traditional risk man-
133
134
Strategic Security Management
agement and information technology risk management coming together to a common point where methodologies, ideas, and resources will be shared to create a comprehensive low risk environment. To be able to operate effectively in the dynamic security industry, traditional security decision makers need to understand the information technology risk management methodology outlined throughout this chapter. By understanding the information technology risk management methodology, security decision makers can make better informed decisions, utilize resources more effectively, and begin the process of convergence in their organizations.
Information Technology Risk Management Risk management is a methodology that allows information technology security decision makers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the information technology systems and data that support their organizations’ missions. A formal risk management program enables businesses to operate in the most cost-effective way with a known level of risk. Risk management also gives businesses the opportunity to prioritize and organize assets and limited resources in order to manage risk. Furthermore, performing a risk management program allows the organization to define critical business processes, assign ownership to business system owners, articulate business priorities, and prepare for regulatory compliance. The objective of performing risk management is to enable the organization to accomplish its mission, first, by better securing the information technology systems that store, process, or transmit organizational information; second, by enabling security decision makers to make well-informed risk management decisions to justify the expenditures that are part of an information technology budget; and finally, by assisting security decision makers in approving the information technology systems on the basis of the supporting documentation resulting from the performance of risk management. The terms risk management and risk assessment are often confused and used interchangeably. Though related, risk assessment is a component of risk management. Risk management is defined as the overall effort to manage risk to an acceptable level across the organization. Risk assessment is defined as the process to identify and prioritize risks to the organization. For information technology security purposes, risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and refinement. The risk assessment process includes identification and evaluation of risks and risk impacts, and recommendation of risk-reducing measures. Risk mitigation refers to prioritizing, implementing, and maintaining the appropriate risk-reducing measures recommended from the risk assessment process. Evaluation refers to the continual process of evaluating the controls implemented during the risk mitigation process.
Information Technology Risk Management
135
Asset Identification In the initial stages of the risk management process, information technology assets must be identified and classified. Generally, assets are defined as people, property, and information. Property assets consist of both tangible and intangible items that can be assigned a value. A tangible asset is a physical asset owned by an organization, which can be seen or touched, such as server hardware, purchased software, and networking equipment. Intangible assets are assets that are nonphysical in form and include reputation and proprietary information. Information may include databases, software code, critical company records, trade secrets, and copyrights. During the asset identification process, it is imperative to identify the asset owner (business owner) and to map the asset to the business processes it supports. This will permit easier asset prioritization during the risk assessment phase and ensure that all business processes are considered. Business owners are the parties held accountable for implementing controls to their protect assets. Once the business owner is identified, assets should be classified. The classification process aids the organization in focusing on the critical assets first. While risk management theories differ as to how they evaluate an asset’s value, most theories classify assets into categories. A simple, but effective, way of categorization is to rank an asset as having Significant Importance, Moderate Importance, or Low Importance. By categorizing assets in this qualitative fashion, prioritization of assets during the risk assessment phase is simplified. An asset categorized as possessing Significant Importance is defined as: the impact on the confidentiality, integrity, or availability (CIA) of one of these assets which could cause catastrophic loss to the organization. This impact can be expressed in terms of direct financial loss, lost productivity, regulatory compliance problems, loss of competitive advantage, or damage to the organization’s reputation. Examples include the following.
Sensitive business data—confidential financial documents and trade secrets Personnel information—names, addresses, social security numbers, and health information of employees Customer information—names, addresses, tax identification numbers, and credit history of customers Authentication information—username and passwords for significant systems, cryptographic keys, and hardware authentication devices
An asset categorized as having Moderate Importance is defined as the impact on the confidentiality, integrity, or availability (CIA) of one of these assets which could cause moderate loss to the organization. This impact can be expressed in terms of direct financial loss, lost productivity, regulatory compliance issues, competitive advantage, or damage to the organization’s
136
Strategic Security Management
reputation, but would not be considered catastrophic. Examples include the following.
Business data—customer billing information and supplier lists Personnel information—phone numbers, employment history, and marital status
An asset categorized as of Low Importance is defined as the remainder of assets that are not classified as of Significant or Moderate Importance. If compromised, these assets could cause immaterial financial loss, minimal lost productivity, and little or no impact on regulatory compliance, competitive advantage, and damage to the organization’s reputation. Examples include the following.
Elevated access to publicly available websites. Basic organization information such as organizational charts, building maps, and emergency contact information.
Once assets have been identified and categorized, they should be inventoried. Inventories of assets help ensure that assets are protected and may also be required for other business purposes, such as health, safety, and insurance reasons. This process of compiling an asset inventory is an important aspect of the risk management program.
Information Technology Risk Assessment Risk assessment, the first process in the risk management methodology, is defined as a quantitative, qualitative, or hybrid assessment that seeks to determine the likelihood that a threat will successfully exploit a vulnerability and the resulting impact to an information technology asset. A risk assessment is the foundation for prioritizing risks in order to effectively implement countermeasures. Organizations use risk assessments to determine the extent of potential threats and the risks associated with an information technology system throughout its life cycle. The product of this process helps identify appropriate controls for reducing or eliminating risk during the risk mitigation process discussed later. Following are some key terms associated with the risk assessment process. Confidentiality—a security principle that works to ensure that information is not disclosed to unauthorized subjects. Availability—the reliability and timely access to information and systems by authorized individuals. Exposure—an instance of being exposed to losses from a threat. A weakness or vulnerability can cause an organization to be exposed to possible damages.
Information Technology Risk Management
137
Countermeasures—security measures that include policies and procedures, physical security equipment and protection systems, and security personnel. The primary purpose of a countermeasure is to mitigate risk through a prevention process that eliminates or neutralizes threats and reduces vulnerabilities. In the information technology security industry, the term countermeasure is used interchangeably with control. Criticality—the operational impact to the organization’s mission due to the loss, damage, or destruction to an asset. Hybrid Assessment—a type of assessment that includes both qualitative and quantitative data. Typically, hybrid assessments numerically measure that which can be measured, such as response times, and assess qualitatively that which cannot be so measured. Integrity—a security principle that makes sure that information and systems are not modified maliciously or accidentally. Qualitative Assessment—a type of assessment that is driven primarily by the assessment subject’s characteristics. Qualitative risk assessments are dependent on the assessor’s skills. Scenario-based risk assessments are typically qualitative. Quantitative Assessment—a type of assessment that is metric based and assigns numeric values to the risk level. Threat—any circumstance or event that may potentially harm an information technology system. The common threats can be natural, human, or environmental. Vulnerability—a weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset. Vulnerabilities include design, procedural, electronic, human, and other elements that provide opportunities to attack assets. Risk—a function of threats and vulnerabilities. Risk is the possibility of asset loss, damage, or destruction as a result of a threat exploiting a specific vulnerability. There are numerous risk assessment approaches, but most fall into two categories: qualitative and quantitative risk assessments. Quantitative risk assessment is the approach to risk management in which participants attempt to assign objective numerical values (dollar values) to the assets, risks, controls, and impacts. Assets are viewed in terms of what it would cost to replace them, lost productivity, and other direct and indirect effects of exposing these assets to breaches in confidentiality, integrity, or availability. Although this may seem to be a simple task, consider how difficult it would be to assign a dollar value to a period of lost productivity or damage to the organization’s reputation. Another difficulty associated with quantitative risk
138
Strategic Security Management
assessment is the time and cost required to complete the process. Many quantitative risk assessment projects take a full fiscal year and numerous staff members to gain an understanding of the assets to be protected and the current controls in place, and to assign a dollar value to them. Terms associated with quantitative risk assessment include: Asset value—the value assigned to an asset based on its use within the organization. Value may be expressed in quantitative terms (e.g., monetary value or time the system must be available) or in qualitative terms (e.g., high, medium, or low). Exposure factor—the percentage of loss a realized threat could have on a certain asset. Annualized rate of occurrence (ARO)—the value that represents the estimated possibility of a specific threat taking place within a one-year time frame. Single-loss expectancy (SLE)—a dollar amount that is assigned to a single event that represents the company’s potential loss amount if a specific threat took place. Asset value × Exposure factor = SLE Annualized loss expectancy (ALE)—a dollar amount that estimates the loss potential from a risk over the course of a year. Single-loss expectancy (SLE) × Annualized rate of occurrence (ARO) = ALE In the qualitative risk assessment approach, the participants assign relative values to the assets, risks, controls, and impacts. This approach overcomes the challenge of calculating exact figures for an asset’s value and the ongoing cost of the controls to protect that asset. The process is also significantly less laborious for employees and requires a shorter time frame to begin to see results. The main advantage of the qualitative risk assessment approach is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. A vulnerability is defined as any weakness or act of physical exposure that makes an information asset susceptible to exploitation by a threat. The disadvantage of the approach is that it does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-benefit analysis of any recommended controls difficult. The main advantage of a quantitative risk assessment approach is that it provides a measurement of the impact’s magnitude, which can be used in the costbenefit analysis of recommended controls. The disadvantage is that, depending on the numerical ranges used to express the measurement, the meaning of the quantitative risk assessment approach may be unclear, requiring the result to be interpreted in a qualitative manner.
Information Technology Risk Management
139
To determine the likelihood of a future adverse event, threats to an information technology system must be analyzed together with the potential vulnerabilities and the current controls implemented for the information technology (IT) system. Impact refers to the magnitude of harm that could be caused by a threat’s exploitation of a vulnerability. The risk assessment process is broken down into nine subprocesses: 1. 2. 3. 4. 5. 6. 7. 8. 9.
Information Technology System Characterization Threat Assessment Vulnerability Assessment Control Identification Likelihood Determination Impact Analysis Risk Determination Control Recommendations Documentation of Results
Information Technology System Characterization In identifying risks for an information technology system, the first step is to define the scope of the system and the business processes it supports. The boundaries of the IT system are identified, along with the resources and the information that comprise the system. In the process of characterizing an IT system, certain data elements must be defined, notably:
Hardware and software utilized System interfaces Data and information User community Support personnel System purpose Dependent processes Data sensitivity System criticality
All of these elements are essential to defining risk. Most information technology systems do not operate independently; therefore, it is necessary to collect information about the IT environment such as
Security policies and procedures governing the IT environment System security architecture Current network topology (e.g., ingress and egress points)
140
Strategic Security Management
Data backup and restoration processes (e.g., data backup schedules and methods, off-site storage of tape backup media, and periodic integrity testing of tape backup media) System interface mappings Data encryption methods Authentication requirements (e.g., username and password requirements and hardware authentication devices) Physical security environment for systems (e.g., physical locks, key cards, and visitor access logs) Environmental protection for systems (e.g., fire suppression, temperature controls, and humidity controls)
Categorizing an information technology system depends on which phase of the systems development life cycle (SDLC) the system is currently in. The SDLC is comprised of five steps: 1. Initiation and design—The need for an information technology system is expressed and the purpose and scope of the system are documented. 2. Development or Acquisition—The information technology system is designed, purchased, programmed, developed, or otherwise constructed. 3. Implementation—The system security features are configured, enabled, tested, and verified. 4. Operation—The system performs its functions. Typically, the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures. 5. Disposal—This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software. For systems that are in the initiation and design phase, system information can be derived from the design or requirements document. For information technology systems currently under development or acquisition, it is imperative to design key security rules and attributes planned for the systems. System design documents and the system security plan can provide useful information about the security of an IT system that is in development. For operational IT systems, data can be collected about the systems in their production environment, including data on system configurations, connectivity, and the policies and procedures that govern the IT systems.
Information Technology Risk Management
141
Information gathering is a vital function of the risk assessment process and is used throughout all subprocesses. Information gathering can be conducted through a number of methods including document reviews, interviewing, questionnaires, and the use of automated scanning tools.
Document reviews include the review of IT policies and procedures, systems documentation, user guides, administrator guides, and previous audit reports. Another set of significant documents are the initial systems requirements documentation for an in-house developed application or an RFP for a purchased system. It is also important to review any business continuity/disaster recovery plans if they exist. Interviews with the business owner, systems support personnel, system users, and management offer a great deal of information if questions are asked appropriately. They also offer the interviewee the opportunity to perform a walk-through of the systems operation, maintenance, and development. Questionnaires are typically used during an interview but can be used independently. Questions must be worded clearly and tailored to specific audiences—for example, business owners, systems support personnel, system users, and management. Automated scanning tools provide a level of detail that is typically used to help design controls and gain deep understanding of a system’s architecture.
Threat Assessment As previously discussed, a threat is any circumstance or event with the potential to cause harm to an information technology system, and a vulnerability characterizes the absence or weakness of a control or safeguard that could be exploited. A threat does not present a risk when there is no vulnerability that can be exploited. Common threats include:
Human threats—acts that are either enabled or caused by human beings, such as unintentional acts (e.g., accidental data changes) or deliberate actions (e.g., installation of a worm on a network, changing data with malicious intent, or destruction of critical resources). Environmental threats—power failure, liquid damage, fire, and smoke damage. Natural threats—hurricanes, flooding, earthquakes, electrical storms, and avalanches.
142
Strategic Security Management
When assessing threats, it is important to consider all potential threats that could cause harm to an IT system and its environment. All critical IT systems should be protected from the following threats:
Fire Water (both flooding and dry/wet-pipe sprinkler systems) Temperature Humidity Power failure Unauthorized physical access Table 7-1 Human Threat Motivation Matrix
Threat
Motivation
Actions
Hacker
• Challenge • Ego
• Social engineering • System intrusion, break-ins • Unauthorized system access
Computer criminal
• Destruction of information • Monetary gain • Blackmail
• Cyber stalking • Fraud (e.g., replay, impersonation, interception) • Spoofing • System penetration
Terrorist
• Destruction • Exploitation • Revenge
• Information warfare • System attack (e.g., distributed denial of service) • System penetration • Data tampering
Industrial espionage
• Competitive advantage • Economic espionage
• • • •
Insiders (poorly trained, disgruntled, malicious, or terminated employees)
• • • • • •
• Blackmail • Browsing of proprietary information • Computer abuse • Fraud and theft • Information bribery • Input of falsified, corrupted data • Malicious code (e.g., virus, logic bomb, Trojan horse) • Sale of personal information • System sabotage • Unauthorized system access
Curiosity Ego Intelligence Monetary gain Revenge Unintentional errors and omissions
Economic exploitation Information theft Social engineering Unauthorized system access (access to classified or proprietary information)
Information Technology Risk Management
143
While human interaction with information technology systems is typically thought of as the smallest threat, it is in fact the highest threat for attacks against the confidentiality and integrity of data. Reviews of the history of system break-ins, security violation reports, incident reports, and interviews with the business owner, systems support personnel, system users, and management during information gathering are imperative in identifying human threats that have the potential to harm an IT system and its data. Once potential threats have been identified, an inventory of motivation, resources, and capabilities that may be required to carry out a successful attack should be developed in order to determine the likelihood of a threat exploiting a vulnerability.
Vulnerability Assessment An analysis of the threat to an information technology system must include an analysis of the potential vulnerabilities associated with the system. A list of system vulnerabilities should be aggregated and paired with the threats identified during the threat assessment subprocess. A vulnerability characterizes the absence or weakness of a control or safeguard that could be exploited. Recommended methods for identifying system vulnerabilities include the development of a security requirements checklist and system security testing. Vulnerabilities vary based on the system’s phase in the systems development life cycle. If a system is in the initiation phase, the search for vulnerabilities should be in the organization’s application development/acquisition policies and procedures. These should include, at a minimum, how data will be secured, how duties will be segregated, and how the application will be maintained. If the system is in the implementation phase, testing should be performed to determine if data integrity is ensured. Finally, if the system is in the operational or maintenance mode, a review of user permissions and tests of security controls should be conducted to ensure they are operating as designed. Much like the threat assessment, vulnerabilities can be discovered using the information-gathering techniques discussed previously. For purchased applications, reviewing the vendor’s website and user forums will offer a great deal of information concerning current vulnerabilities and available patches. This information can be utilized to create interview questions or questionnaires. Other sources include specialized websites like Carnegie Mellon’s Computer Emergency Response Team (www.cert.org) and SecurityFocus (www. securityfocus.com). Both of these are valuable resources that offer up-to-date information on vulnerabilities for a multitude of systems. To develop a security requirements checklist, security decision makers performing the risk assessment must determine whether the security requirements stipulated for the information technology system and collected during the system characterization subprocess are being met by existing or planned security controls. Each requirement is mapped to an explanation of how the
144
Strategic Security Management
Table 7-2 Security Criteria Security Area
Security Criteria
Management Security
• • • • • • • •
Formal policies and procedures Assignment of responsibilities Incident response capability Periodic review of security controls Personnel clearance and background investigations Risk assessment Security and technical training Segregation of duties
Operational Security
• • • • •
Data media access and disposal External data distribution and labeling Controls to ensure the quality of the electrical power supply Humidity control Temperature control
Technical Security
• • • • • • •
Password controls Cryptography Discretionary access control Identification and authentication Intrusion detection Object reuse System audit
controls surrounding the system’s design or implementation either satisfy or do not satisfy the security control requirement. The purpose of the security requirements checklist is to address the basic security standards that should be used to evaluate and identify vulnerabilities in the areas of Management, Operational, and Technical security. The security requirements checklist is used to evaluate current controls and assist in the design of future controls.
Control Evaluation Control evaluation is the process of evaluating existing controls implemented to address a specific risk. Existing controls must be evaluated to be able to calculate the likelihood of a potential vulnerability being exploited by a threat. This subprocess is also the initial step in determining what types of controls should be implemented during the risk mitigation process. Controls are classified into two categories: preventive and detective. Preventive controls are controls designed to prevent an error, omission, or negative act from occurring. They inhibit attempts to violate security policy and include such controls as access control enforcement, encryption, and authentication. Detective controls are controls put in place to detect or indicate that an error has taken place. They warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection systems, reconciliations, and checksums.
Information Technology Risk Management
145
As outlined in the vulnerability assessment subprocess, the use of a security requirements checklist will be helpful in evaluating controls. The checklist can be used to validate compliance as well as noncompliance. It is imperative to update these checklists as the environment changes. Changes in policies and procedures may dictate a priority change in assets and business processes and therefore affect control activity.
Likelihood Determination To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the associated threat environment, the following material factors must be considered.
Threat motivation and capability Nature and disposition of the vulnerability to be exploited Existence and effectiveness of current controls
The likelihood that a vulnerability could be exploited by a threat can be expressed in terms of high, medium, or low. At a high level, the threat is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exploited are ineffective. At a medium level, the threat is motivated and capable, but controls are in place that may impede successful exploitation of the vulnerability. At a low level, the threat lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
Impact Analysis An impact analysis aids in determining the potential adverse impact resulting from a successful exploitation of a vulnerability from a given threat. The system purpose, data sensitivity, system criticality, and dependent processes data elements from the information technology system characterization subprocess are key to the analysis. The adverse impact of a security event or vulnerability exploitation is expressed in terms of loss or deterioration of any of the security principles: confidentiality, integrity, and availability. The following list outlines each security principle and the impact of its being compromised. Loss of Confidentiality—the security principle that works to ensure that information is not disclosed to unauthorized subjects. The impact of unauthorized disclosure of confidential information ranges from jeopardizing international borders to disclosure of sensitive data such as trade secrets and personnel information. Unauthorized, unanticipated, or unintentional disclosure of information can result in loss of reputation or legal action.
146
Strategic Security Management
Loss of Integrity—the security principle that ensures that information and systems are not modified maliciously or accidentally. Integrity is compromised if unauthorized changes are made to an information technology system by either intentional or unintentional means. If the loss of system or data integrity is not corrected, continued use of the compromised system or data could result in inaccuracies that could lead to fraud or misinformed decision making. Loss of Availability—the reliability and timely access to information and systems by authorized individuals. Loss of system functionality may impact underlying business processes, therefore resulting in lost production. For the purposes of the impact analysis, tangible assets can be measured quantitatively, such as lost production time, the cost of replacing a system, or the level of effort required to correct issues caused by a successful exploitation of a vulnerability. Intangible assets, such as company reputation and proprietary information, cannot be measured in quantitative terms but can be described in terms of high, medium, and low impacts. Table 7-3 Magnitude of Impact Description Impact Classification
Impact Description
High
Exploitation of the vulnerability may result in the loss of high-cost, mission-critical tangible assets and resources; may significantly harm an organization’s mission and reputation; or may result in serious injury or death.
Medium
Exploitation of the vulnerability may result in the loss of high-cost tangible assets and resources; may harm an organization’s mission and reputation; or may result in injury.
Low
Exploitation of the vulnerability may result in the loss of some tangible assets and resources or may noticeably affect an organization’s mission and reputation.
Risk Determination Risk determination is the process of assessing the level of risk to an information technology system. The determination of risk for a given threat and vulnerability can be expressed as a function of
the likelihood of a given threat attempting to exploit a vulnerability the magnitude of impact should the threat fully exploit the vulnerability the legitimacy of controls designed to reduce or eliminate the risk
147
Information Technology Risk Management
A tool that can be used to determine risk is the risk-level matrix. The risk-level matrix utilizes the likelihood determination and impact analysis data elements to conclude on the probability of a given threat exploiting a vulnerability. Relative numerical values are assigned to the likelihood and impact data elements in the risk-level matrix as seen in the following discussion. Table 7-4 Risk-Level Matrix. Threat Likelihood
Impact Low (1)
Medium (5)
High (10)
High (10)
Low 10 × 1 = 10
Medium 10 × 5 = 50
High 10 × 10 = 100
Medium (5)
Low 5×1=5
Medium 5 × 5 = 25
Medium 5 × 10 = 50
Low (1)
Low 1×1=1
Low 1×5=5
Low 1 × 10 = 10
On the risk-level matrix, a value of 50–100 is high, 10–49 is medium, and 0–9 is low.
The risk scale below expresses the level of risk to which an information technology system might be exposed if a given vulnerability were to be exploited. It also outlines corrective actions for the security decision maker to mitigate the risk. Table 7-5 Risk Scale. Risk Level
Description and Corrective Actions
High
An observation or finding determined to be high risk requires a strong need for corrective measures. Systems may remain operational, but an action plan must be in place as soon as possible.
Medium
An observation or finding determined to be high risk requires a need for corrective measures. Systems may remain operational, and an action plan must be in place within a reasonable time frame.
Low
An observation or finding determined to be low risk requires the security decision maker to either put a corrective plan in place or decide to accept the risk.
Control Recommendations A control is defined as a security measure that includes policies and procedures, physical security equipment and protection systems, and security personnel. The primary purpose of a control is to mitigate risk through a prevention process that eliminates or neutralizes threats and reduces vulnerabilities. The control recommendation subprocess defines controls that
148
Strategic Security Management
could mitigate or eliminate the previously identified risks. For the control recommendation subprocess to be successful, the following factors must be considered when designing controls.
Organizational culture Operational impact Personal safety Information reliability Legislation and regulation
The control recommendations are the sum of the seven previous risk assessment subprocesses and provide input into the risk mitigation process. Risk mitigation is the process of evaluating, prioritizing, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.
Results Documentation Once the risk assessment subprocesses have been completed, the threats and vulnerabilities been identified, the risks assessed, and control recommendations outlined, a risk assessment report should be created. A risk assessment report is a tool that aids business owners and security decision makers in making decisions on policy, procedure, budget, business processes, and operational management. A risk assessment report should not be presented in an accusatory fashion, but as an analytical approach to assessing risk so that business owners and security decision makers can comprehend the risks and allocate appropriate resources to mitigate those risks. Common elements of the risk assessment report include:
Scope Risk assessment approach Information technology system characterization Threats and vulnerabilities identified and evaluated Control recommendations Summarizing comments
Risk Mitigation Risk mitigation, the second process of risk management, is defined as the process of evaluating, prioritizing, and implementing the appropriate riskreducing controls recommended from the risk assessment process. As it is usually infeasible to eliminate all risk, business owners and security decision makers must seek to implement the most appropriate controls at the least cost and with minimal adverse impact on the resources and operations of the business. The risk mitigation process is broken down into six distinct subprocesses:
Information Technology Risk Management
1. 2. 3. 4. 5. 6.
149
Risk Mitigation Options Risk Mitigation Strategy Control Implementation Methodology Control Categories Cost-Benefit Analysis Residual Risk
Risk Mitigation Options Risk mitigation can be achieved through any of the following options:
Risk Assumption/Acceptance—accepting the potential risk and continuing to operate the information technology system or implementing controls to lower the risk to an acceptable level. Risk Avoidance—avoiding the risk by eliminating the risk cause, such as discontinuing use of an information technology system when risks are identified. Risk Limitation—limiting the risk by implementing controls that minimize the adverse impacts of a threat exploiting a vulnerability. This can be achieved through the use of preventive or detective controls. Risk Planning—managing risk by developing a risk mitigation plan that evaluates, prioritizes, implements, and maintains controls. Research and Acknowledgment—lowering the risk of loss by acknowledging the vulnerability and researching controls to protect or remove the vulnerability. Risk Transference—transferring the risk to another party, such as purchasing insurance.
When selecting a risk mitigation option, business owners and security decision makers must consider the goals and values of the organization. Ideally, all risks would be mitigated, but that is typically not feasible or cost effective. Priority must be given to threats that can cause the most significant harm to the organization. While implementing a control environment to protect an organization’s information technology systems and data, it is also important to recognize that each operating environment is different and therefore control requirements and designs may vary.
Risk Mitigation Strategy A risk mitigation strategy aids business owners and security decision makers in determining what controls should be implemented. The following list of rules can serve as a guide to assist in this process.
150
Strategic Security Management
1. When a vulnerability exists, implement assurance techniques to reduce the likelihood of a threat exploiting a vulnerability. For example, review user access rights to critical information technology systems on a periodic basis to determine if access is appropriate. 2. When a vulnerability can be exploited, apply defense in-depth strategies and administrative controls to minimize the risk or prevent the occurrence. For example, layer controls to protect against a single attack. 3. When an attacker’s cost is less than the potential gain from exploiting a vulnerability, reduce motivation by increasing the cost to exploit the vulnerability. For example, implement segregation of duties to increase the amount of time it will take an attacker to subvert security controls. 4. When the loss potential is too great to sustain, apply strong design principles and implement technical and nontechnical controls to limit the extent of the attack, thereby reducing the potential for loss. For example, design processes in the most secure fashion, author strict procedures for operation, and surround the processes with effective technical controls such as data encryption.
Control Implementation Methodology When implementing controls, it is wise to address the greatest risks first, strive for risk mitigation at the lowest cost, and implement controls with the least impact on business operations. Control implementation is a multistep process:
Prioritize Actions—From the risk determination subprocess of the risk assessment, risks have been categorized as high, medium, or low. When allocating resources, unacceptable risks with high ratings should be addressed first. These high-risk areas typically require immediate corrective action to protect a vulnerability from being exploited. Evaluate Recommended Control Options—Controls recommended in the control recommendations subprocess of the risk assessment need to be further analyzed for their fit with the business. Both the feasibility and the effectiveness of the recommended controls should be scrutinized to determine if the control is an appropriate fit and minimizes risk to an acceptable level. Perform a Cost-Benefit Analysis—To assist senior management and business owners in selecting cost-effective controls, a cost-benefit analysis should be performed. Cost-benefit analysis is described in depth later in the risk mitigation process. Control Selection—Using the results from the cost-benefit analysis, management can determine the most cost-effective controls for reduc-
Information Technology Risk Management
151
ing risk to an acceptable level for the organization. To ensure adequate security for the information technology system and the organization, the controls should combine technical, operational, and management control elements. Assign Responsibility—In this step, people with the proper competencies and skill-sets are identified to implement the planned controls. Develop an Implementation Plan—The implementation plan prioritizes the controls to be implemented and lists the project target start and completion dates. The plan should contain the following information at a minimum. Risks and risk levels (output from the risk assessment) Control recommendations (output from the risk assessment) Priority of actions (very-high and high-risk levels get first priority) Planned controls (derived from the risk mitigation strategy) Resource requirements for control implementation Requirements to maintain control integrity Implement planned controls—In this step, all controls are implemented to eliminate or partially mitigate risk.
Control Categories When implementing recommended controls to mitigate risk, an organization should consider different types of controls or a combination of controls to maximize control effectiveness for their information technology systems. The different types of controls include technical, management, and operational security controls. When used appropriately, security controls can prevent, limit, or deter loss caused by a threat exploiting a vulnerability. The control recommendation process involves choosing a combination of technical, management, and operational controls to help mitigate risk and improve the organization’s security posture. When selecting controls, opportunity cost must be measured; consider the example of a system logging off users after a specified period of inactivity. If a system is configured to log off users automatically after 20 minutes of inactivity, a technical control has been implemented. In contrast, a procedural control, communicated through a memorandum or a terms of use document, would require users to log off of systems when leaving for lunch or for the end of the day. Both control types aim to achieve the same result, but the consistency of the control operating as designed and the methodology utilized are very different. A technical control might be more costly initially but will yield better results than a procedural control which will require communication, training, and monitoring as described in this example.
152
Strategic Security Management
Technical controls range from simple to complex and can be configured to protect against given types of threats. Technical controls typically involve system design, system functionality, and security subsystems at the firmware, hardware, and software levels. When operating effectively, these measures work to protect information technology systems, ensure data confidentiality, integrity, and availability, and support critical business processes. Technical controls can be categorized according to their primary function as follows:
Supporting controls are universal and intrinsic to information technology systems. As their name suggests, they support many other controls and are considered the first defense against an attack. The supporting controls are as follows: 1. Identification—This control provides the ability to uniquely identify users and resources. In more general terms, subjects (users) must be identified as they access objects (resources). A precursor to all access control systems is positive identification of both subjects and objects. 2. System Protections—These controls are built into information technology systems during the technical implementation. Both the design processes utilized and the manner in which the implementation was accomplished reflect the quality of the implementation. System protections include the principle of least privilege, separation of duties, and object reuse. 3. Security Administration—Most information technology systems include some sort of security subsystem used to administer access and manage changes in the environment. Security subsystems are typically built into operating systems and individual applications and must be configured properly to meet the needs of a specific implementation for the organization. Preventive controls aim to prevent against threats exploiting vulnerabilities in the first place. Preventive controls are superior to other types of controls, for they stop an action from taking place rather than allowing a negative action to take place and detecting it after the fact. Preventive controls include the following: 1. Authorization—This control enables a business system owner to specify and manage which subjects are allowed access to which objects. For example, the business system owner of an accounting package will authorize an accounts payable clerk to have access to the accounts payable module. The accounts payable clerk will only have access to the modules that have been specified for her use. In this example, the security subsystem for the application enables the business system owner to segregate this authority to the individual modules of the accounting package.
Information Technology Risk Management
153
2. Authentication—This control provides the means for verifying a subject’s identity to ensure that the identity presented is indeed valid. There are a variety of authentication mechanisms, but they can typically be categorized as one of the following: Something you know—a password or personal identification number Something you have—a hardware authentication device or digital certificate Something you are—biometries, such as a fingerprint or retina scan 3. Privacy—This control is designed to protect confidentiality of data and transmissions. Examples of privacy controls include Secure Shell (SSH) and Secure Sockets Layer (SSL), both of which are used for transmitting data in encrypted format. 4. Nonrepudiation—This control offers the ability to ensure that a sender of messages cannot deny sending information and that a receiver of the information cannot deny receiving it. Nonrepudiation is typically implemented through the use of digital certificates (PKI—Public Key Infrastructure). 5. Protected Communications—This control aims to secure the confidentiality, integrity, and availability of sensitive data as it is transmitted across unsecured networks. Common threats to data in transit include packet sniffing, eavesdropping, interception, and spoofing. To protect against these threats, many formats of data encryption can be used, including Internet Protocol Security (IPSEC), Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), and Blowfish. Detective controls are controls put in place to detect or indicate that an error or possible error has occurred. Detective controls include: 1. Auditing of Events—This control focuses on reviewing system and security abnormalities on critical applications, servers, and network devices. This review is key in detecting a security breach and recovering from the breach in a timely fashion. 2. Virus detection—This control is a software mechanism used to detect and identify computer viruses. 3. Checksums—This control is a redundancy check used to ensure that data has not changed. A checksum is created when data is created, before it is either transmitted or stored and is then compared at a later time to ensure data integrity.
Management controls focus on communication of security expectations from the top of the organization. These expectations are communicated through policies, procedures, mission statements, and memorandums to
154
Strategic Security Management
business system owners and employees. When combined with technical controls, management controls aim to reduce loss and protect information technology systems. The three categories of management controls are preventive, detective, and recovery:
Preventive controls aim to prevent against threats exploiting vulnerabilities and include: 1. Developing and maintaining security plans to document current controls, implementation strategies, critical assets, and business processes supported. 2. Implementing human security controls such as separation of duties and least privilege. 3. Conducting security awareness training to ensure that end users are aware of their limitations and responsibilities when using critical information technology systems. Detective controls are controls put in place to detect or indicate that an error or possible error has occurred. Detective controls include: 1. Periodic testing of controls to ensure they are operating as designed. 2. Implementing human security controls such as job rotation and periodic background investigations. 3. Reviewing appropriateness of user access periodically. Recovery controls are used to help an organization recover from a successful exploitation of a vulnerability. Recovery controls include: 1. Developing, testing, and maintaining a business continuity plan to aid the business in resuming operations in the event of a catastrophe. 2. Building an incident response team to identify, report, and respond to an incident and return information technology systems to operational status.
Operational controls are used to correct operational deficiencies (vulnerabilities) that could be exploited by potential threats. To ensure consistency and uniformity in security operations, management must define, document, and maintain comprehensive policies and procedures for securing information technology systems. Operational controls include both preventive and detective controls and include the following:
Preventive: 1. Controlling access to data through authorization and authentication. 2. Disposing of data media properly, including low-level formatting and degaussing. 3. Limiting the spread of computer viruses.
Information Technology Risk Management
155
4. Backing up data and storing backup media in a secure, off-site location. 5. Controlling physical access to critical information technology systems. 6. Protecting assets from environmental hazards including fire, flood, and heat. 7. Providing emergency power sources in the event of an outage. Detective: 1. Detecting unauthorized physical access to information technology systems using motion sensors, alarms, and closed circuit television. 2. Utilizing smoke detectors, temperature sensors, and humidity sensors to determine if environmental conditions have exceeded predetermined thresholds.
Cost-Benefit Analysis After identifying all possible controls and evaluating their feasibility and effectiveness for the organization’s environment, a cost-benefit analysis should be conducted for each proposed control to determine if it is cost effective. For example, the organization may not want to spend $1,500 on a control to mitigate a risk with an annual lost expectancy of $300 because it will take five years to break even if the given vulnerability is exploited every year. To perform a cost-benefit analysis for new or enhanced controls, the following items should be reviewed.
Determine the impact of implementing the new or enhanced controls. Determine the impact of not implementing the new or enhanced controls. Estimate the costs of implementing the proposed controls, which may include 1. Additional hardware and software to implement the new or enhanced controls 2. Reduced operating effectiveness if system performance or utilization is negatively impacted due to the installation of new or enhanced controls 3. Cost of additional personnel to manage the new or enhanced controls 4. Cost of training users in security awareness and maintaining the control environment
This information will help security decision makers in determining if new or enhanced controls are cost effective. Security decision makers should also
156
Strategic Security Management
consider that just as there is a cost for implementing a control, so there is a cost for not implementing it. By looking at the opportunity cost of not implementing the new or enhanced controls and how they relate to the organization’s security posture, security decision makers can determine whether it is feasible to forgo its implementation. Using the risk assessment report, security decision makers must also determine what constitutes an acceptable level of risk. Once this process has been completed, they can then assess the impact of the new or enhanced control to conclude if it should be implemented. The following guidelines aid security decision makers in the decision-making process.
If a control reduces risk more than needed, search for a less expensive alternative. If a control does not reduce risk to an acceptable level, search for stronger or additional controls. If a control costs more than the risk it mitigates, search for a less expensive alternative or utilize a combination of less expensive controls. If a control mitigates risk to an acceptable level and is cost effective, implement it.
In most situations, the cost of implementing a control is more discernible than accepting the risk of not implementing it. For this reason, it is the responsibility of security decision makers to decide what controls are to be implemented to reduce the mission risk to an acceptable level.
Residual Risk The risk remaining after the implementation of new or enhanced controls is termed residual risk. In reality, no information technology system is risk free, for not all implemented controls fully eliminate the risk they are intended to mitigate; therefore they do not reduce the risk level to zero. Security decision makers can analyze the extent of risk reduction derived from the new or enhanced controls in terms of the reduced threat likelihood or adverse impact.
Evaluation and Refinement Evaluation and refinement are the final processes in the risk management methodology. They aim to evaluate the controls that have been implemented and to refine them for ongoing use. In addition, evaluation and refinement are considered the maintenance process of the risk management methodology inasmuch as they help incorporate new and changed systems and business processes into the methodology. Change is constant in all organizations, networks will grow, software applications will be upgraded, personnel and competencies will change, and policies, procedures, and ultimately controls must be adapted to fit the ever-changing environment. Along with these changes
Information Technology Risk Management
157
come new risks or previous risks that were once mitigated but need to be readdressed. For these reasons, the risk management methodology should be an evolutionary one. The risk assessment and risk mitigation processes should be completed at least every three years. In addition, the risk management methodology should be incorporated into the systems development life cycle for newly developed information technology systems and into the acquisition process for purchased systems. Furthermore, specific processes for assessing and mitigating risks should be implemented but should allow for flexibility to allow changes where necessary or where new technologies or processes can be leveraged to make the organization more successful. By understanding the information technology risk management methodology, security decision makers can make better informed decisions, utilize resources more effectively, and begin the process of convergence in their organizations. Through the process of asset identification, critical assets and the business processes they support are identified, given priority, and assigned an owner. During the risk assessment process, information technology systems are characterized, threats and vulnerabilities are identified, current controls are evaluated, a likelihood determination, impact analysis, and a risk determination are conducted, and the control recommendations are articulated in the risk assessment report. The risk mitigation process outlines risk mitigation options and strategy, control categories, and implementation methodologies; aids in performing a cost-benefit analysis; and helps determine the residual risk from implementing controls. The final process of risk management is the ongoing evaluation and refinement that outlines how the risk management methodology should be installed into the organization on a go-forward basis to help reduce risk to an acceptable level.
This page intentionally left blank
Chapter 8
Prevention
In this chapter . . .
The Need and Practical Application of Theoretical Study Situational Crime Prevention Rational Choice Routine Activity Crime Prevention Through Environmental Design (CPTED) Crime Displacement and Diffusion of Benefits Prevention Measures
Figure 8-1. Crime Triangle. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com. The time to repair the roof is when the sun is shining. —John F. Kennedy
159
160
Strategic Security Management
The Need and Practical Application of Theoretical Study While most security decision makers know that lighting or a security officer can prevent crime, the security industry at large would benefit from understanding the established and emerging crime prevention theories that formed the basis for our current security knowledge and strategies, as well as our ability to keep abreast of future protection trends. Although this chapter does not attempt to discuss the various crime prevention theories in depth, it should serve as a primer for the major crime prevention theories, with the hope of leading the reader to seek out more information from other sources. As security professionals continue on the current path of developing the security department into a legitimate business unit, it is less acceptable to prescribe crime prevention measures without first determining precisely what it will accomplish. While only serving as an introduction to crime prevention theories, this chapter will discuss why certain policies, procedures, programs, hardware, or human resources should be implemented, thus enabling security professionals to provide the necessary justifications in the corporate boardroom. Those who can justify their requirements have the best chance to obtain the scarce resources needed to fulfill their security mandate. This chapter provides the theoretical discussion for security professionals to assist them in making practical and logical decisions for a sound security program by building a bridge between crime prevention theorists and security professionals. Crime prevention is the anticipation, recognition, and appraisal of a crime risk and the initiation of some action to remove or reduce it. (National Crime Prevention Institute) What, then, is crime prevention? Crime prevention, according to the National Crime Prevention Institute, is the anticipation, recognition, and appraisal of a crime risk and the initiation of some action to remove or reduce it. This definition meets the needs of the modern practice of security, also known as situational crime prevention, and differentiates it from social crime prevention. While social crime prevention and traditional criminology will not be discussed at any great length in this book, it is sufficient to say that they fall within the realm of government and include such measures as unemployment insurance, welfare, vocational training, and religious institutions that provide spiritual guidance. The role of social crime prevention and traditional criminology is to be offender-oriented and to assist in creating a structure for the citizenry to avoid turning to criminal activity for survival. This chapter does not view traditional criminology as useless or without merit, but rather as a parallel crime prevention construct for government and law enforcement. Situational crime prevention, on the other hand, is target-oriented and as discussed in the chapter on asset identification (Chapter 2), the targets are an organization’s assets, people, property, and information. Situational crime pre-
Prevention
161
Figure 8-2. Crime Triangle. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com. vention may be contrasted with traditional criminology which focuses on the offender and may also be called alternative criminology (alt-criminology), as its emphasis is on the assets. This type of crime prevention concentrates on the place where an organization’s assets are located and what factors at that facility contribute to asset loss potential and what strategies may be implemented to prevent loss. Reducing the opportunity for crime to occur at a facility is the fundamental goal of situational crime prevention in the private sector. Situational crime prevention is a micro-level analysis of crime as opposed to the macro-level analysis of traditional criminology. Reducing the opportunity for security breaches to occur is a strategic goal of security professionals. This goal arises from the concept of a crime triangle, whereby the elements of motive, desire, and opportunity must exist for a security breach to occur. Opportunities relate to targets in that protecting an asset will lead to elimination of opportunity (target hardening). Before delving deeper into the theoretical underpinnings of modern security practice, it might be beneficial to consider the facility that the security professional is charged with protecting. What is the criminal career of the facility, that is, what crimes have occurred on the premises of the facility? Do potential offenders and potential targets coexist without crime? If so, how does this occur? Through the current use of security measures? Facilities with disproportionately high-crime levels are likely to have high-value targets, have plenty of opportunities (vulnerabilities) due to an ineffective place manager, and may even encourage criminal behavior. Some places, such as bars and nightclubs, are predictably at risk; other places may have more opportunity for crime simply because of the number of attractive targets. In no place are the differences between situational crime prevention practitioners and social crime prevention practitioners more evident than in the business of forensic consulting. Forensic consultants who serve as expert witnesses for security negligence lawsuits are often at odds with one another depending on their perspective. Those with a traditional criminology back-
162
Strategic Security Management
ground, typically law enforcement or criminal justice, tend to evaluate the causation in a security negligence based on the offender profile and characteristics. Where the criminal is known, the forensic consultant schooled in traditional criminology and social crime prevention will study the criminal’s background and opine on whether the offender was deterrable, placing no emphasis on whether the facility could have prevented the crime through the use of crime prevention measures. The forensic security consultant schooled in criminology and modern security, on the other hand, is usually more adept at providing opinions on crime causation at a facility. These individuals normally have education in criminology but have long practiced the art of modern security through their careers as security professionals. While the courts still accept the traditional criminologist as an expert witness, the future of forensic security consulting belongs to the true security professional. Situational Crime Prevention Theories Rational choice theory Routine activity theory Crime Prevention Through Environmental Design (CPTED)
The concept of crime and place is relatively new and forms the foundation for situational crime prevention. Crime and place theories give little attention to the offender and instead seek to prevent crime by emphasizing crime prevention strategies and measures that security professionals may implement to control a facility. Among the situational crime prevention theories are rational choice theory, routine activity theory, and the most well-known of the situational crime prevention theories, Crime Prevention Through Environmental Design (CPTED). Rational choice theory suggests that offenders will select targets and define means to achieve their goals in a manner than can be explained. The task of security decisions under rational choice theory is to select crime countermeasures for the facility which cause offenders to decide that risks are too high and the rewards too low for them to commit the crime at that facility. The basic premise of routine activity theory is that criminals, like everyone else, move among routine, daily activities that may include home, school, work, shopping, and recreation. During these routine activities, a crime may occur if certain components come together at one point in time. These components are a motivated offender, a target, and a place without an effective guardian. The role of the security decision maker is to ensure that the place (facility) has an effective guardian. Crime Prevention Through Environmental Design is a well-established and accepted situational crime prevention theory. According to author Timothy Crowe, CPTED “expands upon the assumption that the proper design and effective use of the built environment can lead to a reduction in the fear of crime and the incidence of crime, and to an improvement in the quality of life.” The role of security decision makers is to environmentally design facilities that deter and prevent crime.
Prevention
163
No problem can be solved from the same consciousness that created it. —Albert Einstein
Situational Crime Prevention Situational crime prevention has four primary components: increasing perceived effort, increasing perceived risk, reducing anticipated rewards, and removing excuses. Each of these components has four associated subcomponents. Increasing perceived effort has the subcomponents of target hardening, access control, deflecting offenders (deterrence), and controlling facilitators. Increasing perceived risk includes entry and exit screening, formal surveillance (monitored CCTV systems), surveillance by employees, and natural surveillance. Reducing anticipated rewards includes the subcomponents of target removal, identifying property (marking), reducing temptation, and denying benefits (dye packs). Finally, removing excuses includes rule setting (signage), stimulating conscience, controlling disinhibitors (alcohol), and facilitating compliance (trash cans).
Situational Crime Prevention Components Increasing perceived effort target hardening access control deflecting offenders controlling facilitators Increasing perceived risks entry and exit screening formal surveillance surveillance by employees natural surveillance Reducing anticipated rewards target removal identifying property reducing temptation denying benefits Removing excuses rule setting stimulating conscience controlling disinhibitors facilitating compliance
164
Strategic Security Management
Security professionals will recognize that situational crime prevention closely follows the risk assessment methodology described in this book and common in the security industry. Situational crime prevention is executed in five steps. The first step includes the collection of data on a specific crime problem, which is basically the threat assessment and crime analysis step of the risk assessment methodology. The second step is similar to the vulnerability assessment and comprises the analysis of the condition that allows or facilitates commission of the crime in question. Step 3 is the systematic study of possible means of blocking opportunities to commit the crime in question and analysis of cost, or the risk assessment and cost-benefit analysis step. Step 4 is the implementation of the best measures, which is the action taken on the security recommendations made in the risk assessment report. The final step is similar to the risk assessment methodology’s feedback loop—monitoring the results. Without realizing it, many security professionals use the situational crime prevention technique during their day-to-day operations. Ten Principles of Opporturity and Crime 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
Opportunities play a role in causing all crime. Crime opportunities are highly specific. Crime opportunities are concentrated in time and space. Crime opportunities depend on everyday movements. One crime produces opportunities for another. Some products offer more tempting crime opportunities. Social and technological changes produce new crime opportunities. Opportunities for crime can be reduced. Reducing opportunities does not usually displace crime. Focused opportunity reduction can produce wider declines in crime.
Rutgers’ School of Criminal Justice professors Marcus Felson and Ronald V. Clarke developed Ten Principles of Opportunity and Crime, which describe how opportunities, or vulnerabilities, are the root cause of crime. The first principle, opportunities play a role in causing all crime, implies that security decision makers can design facilities that either encourage or discourage crime. Their second principle is crime opportunities are highly specific. As discussed in the crime analysis chapter, Chapter 4, the specific nature of each type of crime must be analyzed in order to select proper countermeasures that are custom tailored to the crimes in question. Robberies in a parking lot of a grocery store require different security measures than a robbery of the grocery store’s cashhandling office. Felson and Clarke’s third principle is crime opportunities are concentrated in time and space. This principle emphasizes that dramatic differences in crime levels can be found from one facility to the next even when both are in high-crime areas. The reason for this is that crime shifts temporally (time
Prevention
165
and day) as opportunities change. The fourth principle is crime opportunities depend on everyday movements of activity. Expanding on principle 3, crime shifts are due to criminals and their victims moving about in time (hour of the day, day of the week) doing their routine activities of work, school, home, and recreation. Principle 5, one crime produces opportunities for another, is of primary concern to security decision makers. Repeat attacks by the same or different offenders lead to major increases in risk to the facility. Principle 6 is well known to retailers: some products offer more tempting crime opportunities. Assets high in value and easily accessible are at higher risk than low value or inaccessible assets. Over-the-counter drugs, for example, are often targeted by criminals in grocery stores. Social and technological changes produce new crime opportunities is principle 7. A timely example of this principle is the theft of mp3 players, particularly the Apple iPod. Principle 8 is the basic premise behind vulnerability assessments: crime can be prevented by reducing opportunities. Reducing opportunities is accomplished by increasing risks to would-be offenders and reducing rewards if the crime is successful. Principle 9 (which will be discussed in greater detail later in this chapter) is reducing opportunities does not usually displace crime. Crime displacement means that by blocking crime at one facility, security measures will force crime to another, less hardened facility. While displacement does occur, it is not absolute. Finally, principle 10 is focused opportunity reduction can produce wider declines in crime. This is the concept of diffusion of benefits, which will also be discussed later in this chapter. Diffusion is a process whereby increased security measures at one location may also benefit neighboring facilities.
Rational Choice Adversaries act rationally when planning a crime by weighing the risks, rewards, and effort needed to commit their crimes. The rational choice crime prevention theory, developed in the United Kingdom by Ronald V. Clarke, explains that adversaries using a hedonistic calculus during their decisionmaking process in selecting targets will act in their own best interests. Understanding this calculus enables security decision makers to block opportunities for loss and to protect assets. Rational choice theory states that, like the general public, most criminals act in a rational manner and weigh risks and rewards before taking action or committing a crime. In essence, the criminal uses a decision-making process whereby the positive and negative aspects of committing the offense are weighed. If a crime opportunity is present and there is a reward (fruit of the crime) for committing that crime, and there are low risks, low likelihood of apprehension, then the criminal will commit the crime. The rational criminal’s decision-making process can be limited by time, intelligence, and accuracy of information. It is the last-named element that security professionals should capitalize on. By increasing the perceived level of security, a security professional can block the rational criminal from attacking. Note that the focus
166
Strategic Security Management
is not on the offender but on the facility. Security measures, real or perceived, can force the rational criminal to believe the risk to be too high and therefore, deter his attack. The central themes of rational choice theory are that the human being, including the criminal, is a rational actor. Rational behavior involves a hedonistic calculus of risks and rewards, and based on their calculus, people have free will to choose their behavior, whether it be deviant or conforming. The hedonistic calculus is, in essence, a cost-benefit analysis of pleasure versus pain. Like all people, criminals will make their decisions based on maximizing pleasure and minimizing pain. Finally, security decision makers can control the rational offender’s decisions by controlling the facility through real or perceived risk of detection and capture. The security professional may use all the means at their disposal ranging from procedures, personnel, and physical measures to psychological measures. In summary, criminals, much like everyday people, are opportunistic. Security professionals can block their opportunities. Using the hedonistic calculus, security decision makers can force criminals to see the risks as too high and the rewards as too low. If the risks are perceived to be higher than the perceived reward, the security program will be effective.
Routine Activity Closely associated and complementary to rational choice theory is routine activity theory, which describes how crime is a function of a criminal’s routine, daily activities that may include home, school, work, shopping, and recreation. Routine activity theory demonstrates the method through which motivated adversaries (threats) find suitable targets (assets) and opportunities (vulnerabilities) during the course of their routine activities. For criminal activity to become reality, the adversary, target, and opportunity must converge in time and space in order for the crime to occur. The process of finding opportunities should be familiar to security professionals who have conducted security surveys and vulnerability assessments, as both are characterized by a search of available paths to and through an area (facility) and the targets (assets) along or just off those paths. Those who have actively or passively studied the art of criminal profiling should find the concepts presented in the routine activities theory to be familiar. Adversarial activities are often characterized as modus operandi (MO, or method of operation) and are consistent with most of an adversary’s crimes. The MO is typically called a signature in the profiling arena. In Applied Crime Analysis, the authors described how Jack the Ripper routinely chose his victims from the same London pub from where he stalked them to their homes and ultimately their deaths. Though appearing to be a rather simplistic statement, routine activity requires that for a crime to occur more than just the convergence of criminals
Prevention
167
and targets is necessary. The offender must be motivated and will likely have performed the hedonistic calculus of weighing the risks and rewards. There must be a suitable target that provides the reward, and there must be a lack of guarded space that poses little or no risk to the adversary. Risks can be intensified through an effective guardian. Guardians can be security personnel but are more often simply the legitimate users of the facility who provide the requisite deterrence. Offender motivation may be reduced through an effective handler—a person who has direct influence over an offender and may include parents, teachers, parents, friends, or employers. Most offenders do not have an effective handler, and their motivation is more difficult to thwart; thus, more emphasis must be placed on place guardianship. One of the security professionals’ more common tasks in conducting a risk assessment is to determine what change in the routine of offenders, targets (assets), or guardians may have caused a sudden crime experience. Forensic security consultants, during litigation, will sometimes show that a decrease in security coverage or an increase in available assets led to an increase in crime. Routine activity theory, like much that has been discussed in this book, has a specific crime emphasis. Gaining a thorough understanding of the precise nature of crimes affecting the property enhances the security decision maker’s ability to select and implement specific security measures that address the perpetrated crimes. Felson describes four types of crime that may affect assets: exploitive crimes, mutualistic crimes, competitive crimes, and individual crimes. Exploitive crimes are predatory crimes in which offenders injure or kill a person or seize or damage another’s property. The FBI’s Uniform Crime Report Index Crimes are good examples of exploitive crimes. These crimes include murder, rape, robbery, aggravated assault, burglary, theft, motor vehicle theft, and arson. Mutualistic crimes involve two people or groups engaged in complementary crimes such as drug transactions, prostitution, and gambling. Competitive crimes include those in which two people or groups act in the same capacity and usually involve physical conflicts against each other. Gang crimes exemplify competitive crimes. Lastly, individualistic crimes are illegal acts committed by an individual. These are sometime referred to as victimless crimes and include suicide and drug use.
Crime Prevention Through Environmental Design (CPTED) Crime Prevention Through Environmental Design is the most well-known crime prevention theory. First articulated in Oscar Newman’s books, Architectural Design for Crime Prevention and Defensible Space: Crime Prevention Through Urban Design, CPTED seeks to control crime through the use of natural surveillance, natural access control, and territorial concern. The concept of defensible space, as originally conceived, called for legitimate users
168
Strategic Security Management
of residential space to act as guardians of their living areas. This entails designing the physical environment to enhance the legitimate users’ sense of territoriality, making it possible for them to observe their environment and communicate to illegitimate users (potential criminals) that they are under surveillance. This concept is familiar to those familiar with CPTED, which expands on Newman’s defensible space concept and incorporates the ideas of legitimate users (owners, employees, residents, tenants, etc.) versus illegitimate users (potential criminals), the effective utilization of natural surveillance, and the creation of safe communal havens for legitimate users. Crime Prevention Through Environmental Design has expanded to include other ideas that influence crime. Those with a keen eye on a large property owner’s newer facilities can easily see the impact of situational crime prevention. National retailers Kroger and Target have implemented CPTED concepts into the customer parking lots at their newer stores. Large residential housing companies have implemented the safe haven concept in their apartment complexes. Schools have also designed their campuses to incorporate CPTED concepts.
Key concepts of Crime Prevention Through Environmental Design (CPTED) Natural surveillance Natural access control Territorial reinforcement
The three key concepts of CPTED are natural surveillance, natural access control, and territorial reinforcement. Natural surveillance requires open areas where legitimate users can see and be seen through a visible connection. Natural surveillance is garnered by increasing the ability of legitimate users to see further more easily and decreasing the ability of illegitimate users to hide and carry out their crime without being seen. Locating outdoor activities within sight of the facility’s windows can increase natural surveillance. For example, natural surveillance in an underground parking lot may entail the use of glass walls that allow surveillance and increased visibility when compared to brick or other masonry-type walls. This increased visibility also increases the chances of illegitimate users being subjected to increased scrutiny by legitimate users. The idea of natural access control is to encourage use of the facility or area within the facility by legitimate users while discouraging illegitimate users from staying in the area and reducing opportunities for offender concealment. Key security measures common to natural access control include well-lit walkways and other paths within the facility, fencing around the facility, improved external lighting, and the use of thorny plants and shrubs or dense trees to keep
Prevention
169
illegitimate users out of the area. The third principle of CPTED is territorial reinforcement. Territorial reinforcement attempts to foster ownership and responsibility of an area by legitimate users by reducing unassigned spaces. Reducing unassigned spaces alters the perception of illegitimate users by showing that someone is responsible for the space. Some areas, by their design, have encouraged illegitimate users to take over the area and scared off legitimate users. Property owners may implement territorial reinforcement measures to discourage the illegitimate users and over time encourage legitimate users to return to the area.
Crime Displacement and Diffusion of Benefits Crime Displacement Displacement of crime is a relatively new and controversial topic in the academic crime prevention circles. Crime displacement occurs when security measures are effective in preventing crime where the security measures are in place and forces the criminal to go elsewhere with less security to commit their crimes. The security decision maker must remember that only effective crime prevention can cause displacement. There are six types of crime displacement: temporal, target, spatial, tactical, perpetrator, and offender. Temporal crime displacement entails a shift in the timing of crime to different hours of the day or days of the week when apprehension is less risky. Temporal displacement is one of the key reasons that random security patrols are more effective than scheduled patrols. The randomness does keep the criminals on their toes by not providing them with a set time to commit the crime. Target crime displacement occurs when a criminal, given two equally valuable targets, will select the less risky one. Females are typically perceived as weaker or more vulnerable than males in the criminal mind, and thus the criminal will likely select the female to victimize. Spatial crime displacement is similar to target crime displacement with the exception that the displacement is caused not by the actual target but by the facility itself. An example is two convenience stores located across the street from one another. One is well lit and has good visibility into and out of the store, while the other is poorly lit and has signs in the windows that obstruct visibility. A crime that may have occurred at the more secure store is displaced to the other store. Tactical crime displacement involves the adversary changing his tactics to commit the crime owing to the security measures that are in place. For example, a perpetrator who finds that windows have been secured after previous attacks at a particular facility may shift tactics and find another entry point into the facility. In perpetrator crime displacement, specific offenders are deterred or apprehended and other offenders take their place. An example of this type of crime displacement is law enforcement’s capture of a drug dealer who works a certain corner in a neighborhood and whose place is taken by
170
Strategic Security Management
another dealer. Offender crime displacement is rare but involves an offender who changes the type of crime he commits because of increased security designed to prevent the previous crime type. For example, a facility that has fortified itself against burglary may experience an increase in aggravated robbery against particular assets.
Diffusion of Benefits In some ways, diffusion of benefits is the opposite of crime displacement. Diffusion of benefits occurs when security measures taken at one facility benefit another facility. Specific diffusion occurs when a facility’s security measures directly benefit neighboring facilities. Lighting is an example since it cannot be stopped at the border of the facility and overlaps to provide protection of the facilities next door. General diffusion is similar in that a facility that takes extraordinary security precautions gains a reputation of high risk to the offender, and that reputation spreads to an organization’s other facilities. It is becoming more common for property owners and managers, and specifically their security departments, to work together in solving an area crime problem. For example, chemical facilities that neighbor other chemical facilities may work together to share the costs of security measures since both will benefit from the increased protection. Banks and other financial institutions also have a long history of working together to enhance their overall protection needs.
Prevention Measures Prevention measures may also be called security measures or countermeasures. (The terms are used interchangeably throughout this book.) Security measures may be generally divided into three categories: policies and procedures, physical security measures, and security personnel. Although each of these categories is discussed in individual chapters in this book, this section will provide an introduction to security measures from the philosophical perspective as they flow from their theoretical constructs discussed earlier. Security measures are actions taken or hardware and personnel deployed to reduce or eliminate one or more vulnerabilities at a facility. Policies and procedures are the least expensive and most often overlooked element of a security program. Policies and procedures include the organization’s security manual, security personnel post orders, business continuity plans, crisis and emergency response plans, and other written documents that control the way in which the security program operates. Physical security measures are the hardware that is utilized in the protection program. Physical security measures include the physical protection system, alarm systems, closed circuit television (CCTV) systems, access control systems, and other physical systems utilized in protecting assets. Within these systems are a number of hardware elements such as control
Prevention
171
panels, transmitters, sensors, monitors, cameras, fences, and gates. Security personnel include uniformed security officers, covert officers, security supervisors, and other people who serve in a primary protection role. During the risk assessment process, a vulnerability assessment is employed to determine the effectiveness and reliability of the complete security measure inventory against the threats posed to the assets. During the risk assessment, security breaches are conservatively estimated because the deployment of security measures against one type of attack against the most critical of assets normally prevent attacks against less critical assets. Prevention measures are normally most effective when they are aimed at specific threats. Scenario-based assessments, as discussed previously, are beneficial for this reason. However, insufficient information regarding specific threats and the changing threat dynamic make asset-based assessments advantageous. Several strategies may be employed in selecting security measures and creating an effective security program. These strategies include the elements of deterrence, detection, and delay; security layering (protection in depth); and balanced protection, all of which will be discussed in the next four chapters on security measures.
This page intentionally left blank
Chapter 9
Security Measures: Policies and Procedures
In this chapter . . .
Security Awareness Security Plan Emergency Management Plan Conclusion TAG's Risk Assessment Process® Asset Identification
Policies & Procedures
Current Security Measures
Physical Security
Security Personnel
Threat Assessment
Crime Analysis
Vulnerability Assessment
Risk Assessment
Cost Benefit Analysis
Report and Recommendations
Figure 9-1. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com. In the security field, three general types of countermeasures are taken to prevent, mitigate, and eliminate risk: policies and procedures, physical security measures, and security personnel. Despite their relative low cost to develop and maintain, and their ability to demonstrate due diligence, policies and procedures are often the most overlooked component of an effective security program. Documentation of the security program is a critical element and includes the identification of critical assets, threats, and vulnerabilities.
173
174
Strategic Security Management
In the real estate business, the mantra for financial success is location, location, location. Similarly, the mantra of security decision makers should be documentation, documentation, documentation. From a liability prevention perspective, documentation of the security program in its entirety, from start to finish, is the best evidence of due diligence. One commonality among all security programs, regardless of industry or company, is that the program is a work in progress. A security program is never finished, never complete, never ending. Documentation of the security program’s current status as well as its strategic direction into the future may also demonstrate due diligence to a jury in an inadequate security lawsuit. Security policies and procedures refer to a wide variety of documents. In the security arena, these documents may include security manuals, standard operating procedures (SOPs), post orders, Occupant Emergency Plans (OEPs), security standards and guidelines, training standards, workplace violence policies, emergency management plans, and disaster recovery plans. Procedures may include access control, weapon and other contraband searches, including the employees’ personal areas such as desks and lockers, and incident reporting methods. The key requirement for security policies and procedures is that they be articulated in writing. Formal, written policies and procedures save security decision makers time, assist in adequate training, and reduce liability by demonstrating due diligence. The general intent of security policies and procedures is to document appropriate behaviors, actions, and responses for and to security events, but each type of policy has a specific purpose. For example, the security plan is a comprehensive document that sets forth the strategic vision of the security organization, while the occupant emergency plan is a specialized document that describes the procedures and protocols used to protect occupants of the facility in an emergency. Security policies and procedures serve as the backbone of any effective security program, and so their importance should not be underestimated. Not only do security policies and procedures guide the day-to-day operation of the security program, but they also move the security organization in the proper direction over the long term. On a practical level, security policies describe the security functions at a facility or for an organization, including how security functions and measures are organized, deployed, and managed. There is always more spirit in attack than in defense. —Titus Livius
Security Awareness A security program is effective when all employees take ownership. Security should be seen as a mission-critical element of the organization. Employee buyin of the security program, as most security professionals are keenly aware, does
Security Measures: Policies and Procedures
175
not come easily but is a necessary requirement for the program to operate at an optimal level. A top-down approach, with a written policy statement from senior management is a good first step in developing the requisite employee acceptance of the security program. The message from upper management should set the tone for the level of adherence to the security measures utilized at the facility or within the organization. While 100 percent compliance is desired, rare is the case when all employees adhere to every security policy and procedure implemented. Alternatively, absolute compliance is necessary for some of the organization’s security measures. These measures should be reinforced through employee orientation, continuing education, and close monitoring by dedicated security personnel. Less restrictive measures may be supported by the organization’s dedicated security personnel on a daily basis. The security manual, which will be discussed later, is of utmost importance in creating an employee base that supports the security program. Employee buy-in can be effectively garnered when return on investment and impact on the organization’s financial condition are demonstrated. Nonsecurity employees will also accept security measures when they are taught that the measures are there for their protection and not just the protection of the organization’s other assets. An effective teaching tool is the case study, whereby employees are briefed on past events that threatened employees. Showcasing past successful security interventions reduces natural employee resistance to security measures that control their actions and behavior. Each measure should be discussed to ensure that employees understand that the measures are not arbitrary and that, rather, they are designed to protect them directly and indirectly. A security program, by its very nature, can and often does create additional steps in normal business functions and operations. A security awareness program should make these additional security actions as natural as putting on a seatbelt before driving. During employee security orientation sessions, material should be prepared and presented to new employees. This material should be designed to stress critical security issues in a manner that can be easily understood and followed by nonsecurity employees. Materials may include the organization’s security manual, PowerPoint presentations, scenarios, and case studies that demonstrate a return on investment (ROI) to the organization. Other means of creating awareness include articles in the company newsletters, company intranet forums, internal e-mail reminders, and security posters and memos. Regardless of the forms of communication, the security awareness effort must be constant and continuous. Whenever a security breach occurs, a thorough analysis of the incident should be undertaken. Employees or departments involved should be debriefed, and security awareness should be reasserted. The security breach, if created by a company employee, should be handled much like any other company policy infraction with all due investigation, supervision, and corrective action. Reprimands by the employee’s immediate supervisor may be
176
Strategic Security Management
necessary; however, the security department employees should not be the people taking the corrective action. The remainder of this chapter discusses two major types of policies and procedures: the security manual and the emergency management plan. While other policies and procedures are important, these two are universal among all types of organizations.
Security Plan The security plan is a written document that defines the organization’s security mission, provides an overview of the complete security program, and identifies all methods in use for the protection of organizational assets. The security plan documents the organization’s security policies, procedures, functions, measures, and strategies for providing a safe and secure environment and preventing crime and other security incidents. It is a living document in that it adapts as the organization’s security needs change and serves as a training aid for security awareness across the organization. The security plan articulates how the security program is usually organized through personnel and function organizational charts, flowcharts, and descriptions of specific countermeasures. Security plans also describe the common security measures utilized throughout the facility or facilities, as the case may be, and how these measures operate on a daily, routine basis. Security responsibilities are clearly delineated, and regulatory compliance measures are described in detail. As described in the preceding section, the security awareness component should also be articulated in the security plan. Threat-dependent measures and activities are enumerated in the security plan. The security plan also sets forth guidelines for quality control, benchmarking against industry best practices, and metric development and analysis. As a written document, the organization’s security plan defines the security mission. What is a security mission? In its most basic form, the mission of any security program is the protection of assets. Depending on the nature of the organization or facility in need of protection, the mission may be more complex or unique. For example, a hospital’s mission statement may encompass not only security for the facility, but also the maintenance of a safe environment for patients and their families. The security plan, as an overview of the complete security program, identifies the many and various ways in which security is provided. These methods include policies and procedures, physical security measures, and security personnel. While a proper balance is ideal, some organizations may rely more heavily on one of these general security measures, and thus the security plan will focus on that measure.
Security Measures: Policies and Procedures
177
Security Policy Statement The St. John’s Hospital Security Department exists to provide for a safe and secure environment in which the hospital and its associated clinics may carry out their mission of patient care, education, and research. The Security Manual is a key component of the Environment of Care program and supports the St. John’s Hospital mission of providing exceptional quality in patient care and sets forth how St. John’s Hospital addresses security and safety issues concerning patients, visitors, and employees.
The organization’s security plan is the document that summarizes known and postulated threats to the organization, which have been identified through the formal process of threat assessment. For each identified threat, the security measures in place are enumerated, with cross reference to other policy and procedure documents that address those measures specifically. For example, in the health care environment, a known threat potential is infant abduction. The security plan would identify that threat potential and spell out the specific policies and procedures created and the measures in place to reduce the risk of infant abduction. In many organizations, all levels of employees from line personnel to senior management are responsible to varying degrees for the security of the facility. The security plan should address those responsibilities, and those groups of employees should be provided with security awareness training on key sections of the plan to ensure they understand their role in security. In the retail environment, for example, cashiers are responsible for cash handling, and sometimes they are also the first responders in shoplifting thefts. These security roles, though secondary to their position and title, are vital to ensure the protection of the retailer’s assets. Organizational charts are common components of the security plan. Although they do not necessarily identify security decision makers by name, they should identify them by title and place in the company hierarchy. Among the more common battles faced by the security industry is their place in the corporate structure. Where it was once common for the security director to report to human resources, the industry has forced a change and security directors are finding a place in the boardroom. While this discussion is ongoing throughout the industry, for purposes of the security plan, the reporting lines need to be identified through organizational charts regardless of whom the Security Director reports to. More importantly, the security plan should graphically portray the reporting lines within the security department. In smaller companies, this may be a one-level organizational chart, while in larger organizations, the organizational chart for the security department may be layer after layer. For example, in large financial institutions, security middle managers are often given the title of vice president, but the organizational chart may indicate multiple layers above the vice president level and many more layers below.
178
Strategic Security Management
Flowcharts depict common functions utilized in the security program. These functions may include security patrols, access control processes, and escort procedures. Flowcharts are useful in identifying how a security function is accomplished in a graphic, easy to understand manner. For example, visitor management at many large facilities is a complex issue. A flowchart may be used to demonstrate how visitors are allowed access to the facility, what security protocols are used, how the visitors are tracked, and how exit from the facility is completed. If I have seen further it is by standing on ye shoulders of Giants. —Isaac Newton In many organizations, regulatory compliance is a fact, and adherence to industry best practices is, well, a good practice. Many companies, especially those in older, well-established, and closely monitored industries, are well versed in the area of regulatory compliance since their livelihoods depend on their ability to operate within their industry’s regulations. As such, their security plans reflect proper policies and procedures for complying with the regulations. Newer requirements or less frequently enforced regulations, however, may not be reflected in the security plan. At the time of this writing, for example, Sarbanes-Oxley was a new requirement that many companies were still challenging. In the fast-changing environment of information technology (IT) security, security plans are more difficult to keep up to date because of the sheer growth and pace of the changes. Threats change over time. The security plan must be able to guide the organization as threat levels rise and fall and as new threats emerge. The security plan should clearly describe security changes implemented when threat conditions are elevated. The threat assessment is the driving force behind this section of the security plan. Not unlike the national threat condition responses, organizations, too, should prepare measures in advance of rising threat levels. The security plan also describes how the organization will measure its security against other similar organizations and against industry best practices. Industry-specific associations normally develop best practices and standards that relate to the security of organizations within their industry. The health care industry, for example, has the Joint Commission on Accreditation of Healthcare Organizations has their Environment of Care standards. The security plan should also describe the data collection and analysis process in order to create a relevant set of security metrics by which to measure the performance of various components of the security program. A common metric used is response time of security personnel to a high-threat situation, for example. While the security plan is intended to be a holistic document, its various components must be comprehensive enough to guide the security program. Supplementary policies may also be utilized, especially in large, wide-scope security programs. Regardless of the size of the security plan, the key to an
Security Measures: Policies and Procedures
179
effective plan is that it be reduced to writing, that it has the support of senior management, and that employees are trained and retrained on its contents as often as necessary.
Sample Security Manual Update Policy Statement The St. John’s Hospital Security Department evaluates and revises the Security Manual on an annual basis for its scope, services, and effectiveness. Any changes in scope and services will be addressed during the annual update of the Security Manual. Effectiveness of the Security Department is assessed on a continual and constant basis with the intent of enhancing the safety and security of the Environment of Care. The effectiveness of the Security Department is assessed through a process of performance based reviews, bench-marking, and metric analysis as defined in the Security Manual. The annual review and Security Manual updates are presented to the St. John’s Hospital Board of Directors via the Hospital’s General Counsel for review and approval during March of each year.
Emergency Management Plan Similar to a security plan, an emergency management plan is a written document that communicates the policies and procedures to be followed in the event of an emergency. Emergency management plans are known under different names throughout the industry. In the private sector they are often called continuity of business plans or crisis management plans. Regardless of the name, the concept is the same. An emergency contingency plan, unlike a security plan, is not executed on a daily or routine basis; rather, it is used only in the event of an emergency or for training purposes. Generally and for purposes of this text, an emergency may be defined as any event or combination of events that have the potential to negatively impact the organization’s mission or components of that mission for a period of time and that require immediate response and action to continue normal mission operations. Emergencies should be defined for the specific organization or industry for which the emergency management plan is written. Although not all types of emergencies can be foreseen, planning for the most predictable crisis will move the organization a long way toward being prepared for unforeseen emergencies. Whereas security plans are proactive, emergency management plans are reactive and should be prepared to address an emergency that is imminent or has already occurred, not to mitigate an emergency that can still be prevented. The role of the emergency management plan, then, is to reduce the effect of the emergency on the organization, also known as mitigation, identify resources to be used in the event of an emergency, or preparedness, take swift action to respond to the emergency, and return the organization to normal operations as soon as possible, also known as recovery.
180
Strategic Security Management
Security and risk management departments are typically the units charged with preparing and maintaining the emergency management plans. The reason for this is simple: the primary objective is the same as the overall mission of the security department, to protect assets. When developing the emergency management plan, priority must be given to protecting life and then protecting critical and other assets. When planning for the protection of life, emergency management planners should consider evacuation routes and timing, identification of shelters, preparation for medical response, and the means to provide food and water. An emergency management plan has several critical elements. These elements may include an organizational chart of key response personnel, resource lists, on-site and off-site shelter locations, critical asset lists, location of vital records, mutual aid agreements, and law enforcement and other emergency response contact information. Facility-specific plans should also include information unique to that facility. For example, plant emergency management plans should include plant emergency shutdown procedures. The organizational chart of key emergency response personnel is essential to the emergency management plan. Since most emergencies are infrequent, the organizational chart should be updated often to reflect the current contact information of key emergency response personnel. Emergency response personnel should also meet on a regular basis to refine the plan, review their roles, and ensure the availability of resources. Resource lists should include the location of each anticipated resource, availability, and quantities. Shelters located on site should be identified. Depending on the nature of the emergency, one or more types of shelters may be necessary. Off-site shelters are more difficult to identify since their availability may change if the emergency is widespread. However, all reasonable attempts to identify that should be undertaken during the planning process. Critical asset lists are normally easily attainable from completed risk assessment reports, as is the location of vital records. Mutual aid agreements are formal agreements between two or more parties who share a similar threat situation or face similar types of emergencies. Mutual aid agreements should be developed with other organizations that can assist in the response and recovery effort if an emergency were to strike one organization. These agreements should be very specific and identify precisely what resources will be provided to the organization in need. While widespread emergencies draw heavily on the resources of law enforcement and other government agencies, liaison with those agencies should be maintained throughout the emergency. Complete and updated contact lists should be available in the emergency plan. Revisions to the emergency management plan and training on the plan’s procedures should be conducted frequently. The training interval will vary depending on the size and type of the organization and may be more or less frequent for individual facilities. However, there are some general guidelines on when the plan should be revised and training conducted. At a minimum, revisions and training should take place once per year. Additional training and revi-
Security Measures: Policies and Procedures
181
sion may be required after an emergency to incorporate the lessons learned, when turnover is high among emergency response personnel, and when significant physical or environmental changes are made to the facility.
Conclusion Although the security manual and emergency management plans serve as the primary policies and procedures of an effective security program, other policies should be developed as needed to address security personnel and physical security measures. These policies may include a workplace violence policy, security personnel policies, and visitor management and access control policies. Other policies may be developed to address specific threats such as bomb threats, weather-related threats, and terrorist threats. Security decision makers should take full advantage of security policies and procedures, if not for their low cost to implement, but also their ability to reduce liability and control other aspects of the security program.
This page intentionally left blank
Chapter 10
Security Measures: Physical Security Brian Gouin
In this chapter . . .
Introduction Types of Physical Security Countermeasures Integration of Multiple Physical Security Countermeasures Integration of Physical Security Countermeasures with Personnel and Policies and Procedures Countermeasures Determining Physical Security Countermeasure Needs Matching Product to Need Defining Cost and Cost-Benefit Analysis Best Practices Codes and Ordinances
TAG's Risk Assessment Process® Asset Identification
Policies & Procedures
Current Security Measures
Physical Security
Security Personnel
Threat Assessment
Crime Analysis
Vulnerability Assessment
Risk Assessment
Cost Benefit Analysis
Report and Recommendations
Figure 10-1. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
183
184
Strategic Security Management
Introduction Physical security countermeasures are the third critical part of an overall physical protection system, in conjunction with personnel and policies and procedures countermeasures discussed in the previous two chapters. It is important not only to have an understanding of the types of physical security countermeasures, but also to learn how they are integrated with each other as well as personnel and policies and procedures to form a complete physical protection system. With an understanding of the options available and of the potential integration of those options, a determination can be made about the physical security needs of a facility or application. These needs should be based on asset identification, threat assessment, and vulnerability assessment, keeping in mind that the object of a physical protection system is to detect, deter, and respond to the threat. Once the needs are defined, products can be found to meet those needs, keeping in mind cost-benefit and industry best practices. He that will not apply new remedies must expect new evils; for time is the greatest innovator. —Francis Bacon
Types of Physical Security Countermeasures In order to determine what, if any, physical security countermeasures are needed in a facility, you first must have an understanding of what countermeasures exist and what their functions are. This is not as easy as it might seem. Not only is the sheer volume of products overwhelming, but marketing material has a tendency to blur the core functions of individual pieces of equipment. Below are types of physical security countermeasures broken down by category along with their individual functions and applications. This is not meant to give details of the workings of each countermeasure or every item required for a functional system, but is merely intended to give an overview of what is available in the market and the general functions of each countermeasure. A security professional; be it consultant, integrator, or whatever other professional, should be consulted for the specific countermeasures required.
Electronic Burglary Systems Burglary systems are what people traditionally think of when they think of security systems. Although security professionals understand that a comprehensive physical protection system is usually much more than a burglary system, this technology still has a prominent place in the protection of assets.
Security Measures: Physical Security
185
Control Panels/Communicators and Keypads A burglary alarm control panel is a circuit board enclosed in a metal (or sometimes plastic) cabinet. This panel is the brains of the system. All the field devices described here, which have their individually specific functions, are either wired to terminal strips on the circuit board or communicate with the control panel through a wireless transmitter and receiver. The control panel interprets the information from the device, which is usually just an open or closed loop, and determines what to do (go into alarm, nothing, etc.). Most control panels can be programmed via a PC or a keypad. Most control panels today include a digital communicator built into the circuit board, which allows the panel alarms to be monitored by a contract or proprietary monitoring station. This is done for the most part over regular phone lines. System tests, open/close reports (who armed and disarmed the system), and power outages can also be monitored in this manner. In addition to digital communication, a siren can be wired to a control panel for audible notification. These sirens can be internal or external to the area being protected and come in a wide variety of shapes, sizes, and enclosures. The most important things to look for in a control panel are number of zones (to make sure the panel can handle the number of devices needed), expandability, and flexibility. Newer control panels come with a myriad of bells and whistles, some of which are helpful in streamlining installation time and making the system more user friendly and others that will probably never be used. Although it is always important to compare features in security equipment, there is little difference in performance between reputable manufacturers. In addition, the cost of control panels is relatively low. The keypad is the device that turns the control panel on and off. This is usually done using a four- or six-digit code. Each individual user can have his or her own code, depending on the number of users and the capacity of the control panel. Keypad versions include digital displays or custom alpha.
Function and Application
The function of a burglary alarm panel is to notify someone, by siren or alarm signal, that an event has occurred at a field device (opening in alarm, motion, fire, shock, etc). Burglar alarm panels are used in a variety of applications: 1. When a building or office needs to be protected after hours. This can be a stand alone or part of an overall physical protection system that includes cameras, access control, and so on. 2. When a particular area needs extra protection for notification to security personnel on or off site.
186
Strategic Security Management
Door and Window Contacts A door or window contact is a device that indicates when the door or window has been opened. These contacts are wired into the control panel for notification and communication. These contacts are typically in the following categories. 1. Magnetic: These contacts consist of a switch and a magnet. When the magnet is removed from the close proximity of the switch, the switch opens. The switch is installed in the jamb of the door or window, and the magnet is installed in the door or window sash. These contacts come in recessed and surface-mount versions. 2. Mechanical: These contacts use some mechanical means of opening the switch rather than a magnet. It may be in the form of a plunger, pull cord, spring-loaded bar, and the like. There are a wide variety of mechanical contacts to fit all types of different applications.
Function and Application
The function of door and window contacts is to operate when the door, window, or other opening being monitored is opened, thereby notifying the control panel of that event. Door and window contacts are used mostly for perimeter protection of the building or room, and so on, that you are protecting. They are widely used because they are very reliable, and forcibly opening a door or window is a common burglary option. Door contacts are also used as a “door ajar” notification in conjunction with an access control system that will be discussed later in this chapter.
Motion Sensors Motion sensors, also called motion detectors and intrusion detectors, are space detectors that detect motion within a certain area. These sensors are wired into the control panel for notification and communication. The most commonly seen types of motion sensors are as follows. 1. Passive Infrared (PIR): Passive infrared detectors sense the movement of infrared radiation through the optical field of view of the detector. This field of view stops at any solid objects and is a function of the range of the sensor. The radiation can come from a human, animal, or other temperature-altering objects or events. As a result, they are susceptible to false alarms and very inexpensive. 2. Microwave: Microwave detectors create a radiofrequency (RF) electromagnetic field in a set frequency range and when there is movement that frequency changes. Microwave detectors are volumetric, so they cover the entire room or area where the detector is located. It is
Security Measures: Physical Security
3.
4.
5.
6.
187
rare to see a stand-alone microwave detector except for certain outdoor applications and indoor high risk areas. Dual-Tech: “Dual-technology” motion detectors are a combination of passive infrared and microwave and are the most common detectors on the market today. Both the infrared and microwave portions of the detector have to be activated for the detector to go into alarm. This allows for the most reliable type of detector while decreasing the potential for false alarms. Tri-Tech: “Tri-technology” motion detectors are the same as dualtechnology motion detectors, with the added feature of pet immunity so that the detector will not go into alarm if a pet up to about 100 pounds goes through its field of view. While this is mostly for residential applications, it is also helpful for commercial or industrial areas where mice or other such creatures are a problem. Ultrasonic: Ultrasonic detectors use a low-frequency sound wave, and when there is movement that frequency changes. These detectors are very rare nowadays, and someone would have a difficult time even trying to find one to purchase. The major problem is that older versions or newer versions that are degrading give off a ringing noise that a small percentage of the population can hear and that gives others headaches. These detectors are even banned in many school systems throughout the country. Photoelectric beams: These detectors shoot an infrared beam that is interrupted when an object breaks the beam. Because of the small detection pattern, they are mostly used for outdoors or to protect a small indoor space.
Function and Application
The function of motion sensors is to detect movement in a defined area, thereby notifying the control panel of that event. Motion detectors are mostly used in conjunction with perimeter protection as a “second wave” of protection in case an intruder gets past the perimeter detectors. Although they can also be the primary intrusion detector, they should not be by industry standards. Infrared detectors are also used as “request for exit” devices in conjunction with an access control system that will be discussed later in this chapter.
Glass Break Detectors Glass break detectors detect, through shock or sound, when glass has been broken within their field of detection. These detectors have sensitivity settings for different environments and are wired into the control panel for notification and communication.
188
Strategic Security Management
Function and Application
The function of glass break detectors is to detect glass breakage within a defined area, thereby notifying the control panel of that event. Glass break detectors are used as a perimeter detection device where there is some amount of fixed glass that cannot be protected by door or window contacts.
Spot (Object) Detectors Spot detectors are sensors that attach directly to the object being detected and activate when the object is touched or moved. These detectors are wired into the control panel for notification and communication. The two main types of spot detectors are as follows. 1. Capacitance/Proximity Detectors: These detectors create an electrostatic field around the object (metal only). When someone or something approaches or touches the object, the field becomes unbalanced and the detector is activated. 2. Vibration Detectors: These detectors sense the vibration of the object when it is moved. They have sensitivity settings for different applications.
Function and Application
The function of spot detectors is to detect when a protected object is touched or moved, thereby notifying the control panel of that event. Capacitance/proximity detectors are used for metal objects only, safes and small expensive machinery being the most common applications. Vibration detectors are used mostly for art objects and the like.
Miscellaneous Detectors The following are other detectors that can be wired into the control panel for notification and communication. 1. Temperature: These detectors are basically thermostats that activate when the temperature goes above or below set points. 2. Water: These detectors activate when water rises to a certain level. 3. Smoke: These detectors are also used in a fire system that can be wired into a burglary control panel. 4. Heat: These detectors are also used in a fire system that can be wired into a burglary control panel.
Security Measures: Physical Security
189
CCTV Systems Closed circuit television (CCTV) systems have become a major, and in many cases indispensable, part of a physical protection system. Technology has improved dramatically over the last 10 years to provide quality video images, storage, and viewing. The technology is actually changing month to month, but the system concepts remain relatively stable.
Cameras Cameras are devices that capture the displayed image. Camera “systems” are actually made up of three components: camera, lens, and housing. There are also different types of transmission for the video signal. Some cameras also have an audio option, although legal advice should be sought before using the audio option on a camera. Camera Options 1. Black and White (Monochrome): This camera provides black and white images. B/W is particularly effective in low-light conditions. 2. Color: This camera provides color images. 3. Day/Night: This camera automatically changes whether the images provided are B/W or color based on the light conditions. 4. All the above camera options are also available in different resolution quality. Standard and High are the common terms, although they may mean different things to different manufacturers. Lens Options 1. Fixed: Lenses are generally available from 2.9 mm to 25 mm. The smaller the lens, the wider and taller the image from the same distance. Tools and charts are available to help determine the correct lens size based on image distance and height and width. 2. Vari-focal: These lenses can be adjusted to the desired size. They are typically available from about 3 mm to 8 mm and 9 mm to 22 mm. These have made it much easier to achieve the desired image size for the camera. 3. Zoom: These lenses have the ability to zoom in and out manually or automatically. They require specific housings and operating equipment. 4. Lenses are also available in manual or auto-iris versions. The iris makes adjustments for light so that the image is not too light or too dark. The auto-iris versions make that adjustment automatically based on light conditions.
190
Strategic Security Management
Housing Options 1. Traditional: These are the housings most associated through the years with cameras. They require some kind of mounting bracket and must be in an environmental enclosure if installed outdoors. 2. Dome: Dome housings have become extremely popular because of their vandalism resistance and clean look. They are available in round, square, corner mount, flush, and gripless varieties. 3. PTZ: Pan/Tilt/Zoom (PTZ) housings are dome housings with the mechanical equipment added necessary to rotate the camera in all directions in order to effectively use the zoom option on the camera. PTZ cameras are largely used only when personnel are on duty to operate the cameras. Although they can be set to automatically pan and tilt, multiple fixed cameras would be better suited for that application. 4. Covert: These housings look like other devices, thereby disguising the fact that they are cameras. They may look like motion detectors, smoke detectors, clocks, exit signs, and other devices. Some of these devices also have a working function to what they look like (i.e., the motion detector is real and also has a camera within). Transmission Options 1. Coax: The traditional and most well-known form of transmission for cameras is coax. Each camera has one piece of coax wired back to the
Figure 10-2. Dome Camera. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
Security Measures: Physical Security
191
“head end” equipment. Power for the camera is through another wire and either runs back to a centralized power supply or to an individual power supply for that camera. 2. Fiber optic: This option uses fiber-optic cable instead of coax. One pair of fiber-optic cable is required for each camera. Power is still handled separately. 3. Unshielded Twisted Pair (UTP): This option uses twisted-pair wiring instead of coax. One pair of twisted wire is required for each camera. Power is still handled separately. 4. Internet Protocol (IP): IP cameras are the newest device on the market. An IP encoder is built into the camera, and it allows the camera to wire directly into a Local Area Network/Wide Area Network (LAN/WAN). A decoder is installed on the network at the “head-end” equipment location. In some instances, power can also come through this network connection.
Function and Application
The function of a camera is to capture images and transmit them to other devices for viewing, recording, and archiving. The applications for CCTV cameras are numerous. They are a staple in security system design both as a deterrent to crime and as a means of identifying people and events. Here are just a few of the possible applications: a. Picture of everyone entering a facility b. Deterrent for crime, including vandalism and employee theft c. Verification that an event did or did not occur d. Identification of crime perpetrators
Termination Options Cameras can be terminated into the following types of devices. 1. Switcher: A switcher is a device that takes one to eight cameras and scrolls through them at a set timed interval. They also can manually hold on one camera. Although they are inexpensive, they can only record what you see, so most images on every camera are permanently lost. They are available in B/W and color versions. Switchers are rarely used today. 2. Quad Splitter: A quad splitter takes four cameras, breaks the screen into four quadrants, and uses one quadrant for each camera image. Although a recorder will record all four images, four cameras is the maximum threshold of the device. They are available in B/W and color versions. Quad splitters are also rarely used today.
192
Strategic Security Management
3. Multiplexer: A multiplexer is a device that takes anywhere from 2 to 16 cameras and allows the user to display the images in a multitude of configurations. Newer versions called duplex multiplexers allow the recording of all cameras regardless of what cameras are currently displayed. They are available in B/W and color versions. Virtually all multiplexers insert a time and date stamp on the video images. Most systems that still use time-lapse recording (explained later) currently use multiplexers. 4. Matrix Switcher Controller: A matrix switcher controller usually takes up to 32 or 64 cameras, including PTZ cameras, and allows personnel to display the images in a multitude of configurations. Included with a matrix is a keypad controller that personnel use to operate the PTZ camera functions. Multiple monitors, recorders, controllers, and alarm inputs can be used with a matrix switcher. Matrix switchers are generally used only where PTZ cameras are used and where personnel are available to operate the system. Matrix switchers also insert a time and date stamp on the video images.
Function and Application
The function of these termination devices is to take more than one camera and consolidate them for viewing and recording. The application of these devices is self evident by their function; a termination device is needed for camera systems with more than one camera.
Monitors Monitors are the device on which the camera images are displayed. The following options are available. 1. CRT monitors: CRT monitors are what traditionally are thought of as monitors. In simple terms, a monitor is a television without the tuner. CRT monitors are available in a wide variety of sizes and come in either B/W or color with or without audio. 2. LCD monitors: LCD monitors, or flat-panel monitors, are similar to computer flat-screen monitors. They take up less space and can be more easily mounted on a wall. However, they are considerably more expensive than their CRT counterparts. They are also available in a wide variety of sizes and come either in B/W or color with or without audio. 3. Computer monitor: Many newer camera systems are completely PC controlled, as will be explained later in this section. In those cases, a standard computer monitor attached to a PC acts as the camera image display.
Security Measures: Physical Security
193
Function and Application
The function of these monitors is to display the images from the cameras as organized by the termination device. The application of these monitors is self-evident by their function; some sort of monitor is needed for the camera system in order to see the images.
Recording Recording options are as follows. 1. Time-lapse recorders: Time-lapse recorders served as the standard for recording for two decades until just a few years ago. They look like a regular VCR, but they compress the video images so that you can fit anywhere from 24 to 168 hours of images on one tape. The inherent problems associated with time-lapse recorders are that the tapes degrade quickly, which affects the image quality, and the number of images per second per camera declines as longer time is compressed onto the tape. Therefore, the video is “choppy,” and many images are simply not recorded. While time-lapse recorders are now very inexpensive and are still in widespread use, most of the new systems designed and installed do not use them because of their inherent deficiencies. 2. Event recorders: Event recorders are similar to time-lapse recorders except they do not record continuously but only when triggered by an alarm event, such as a motion detector being activated. With the dawn of digital recording, event recorders are rarely used today. 3. Digital recorders: Digital recorders store the video images on a hard drive as opposed to a tape. This has many advantages. First, the quality of the digital image is far superior to the tape’s analog counterpart. Second, images can be retrieved by time and date in a split second rather than by playing and rewinding a tape. Third, a high number of images per second per camera are possible because of compression rate technology, making the video more real time and less “choppy.” Digital recorders are a direct replacement for a time-lapse recorder or combination of time-lapse recorder and multiplexer (they are also called digital recorder/multiplexers). As such, they insert a time and date stamp on the video images. When digital recorders were first introduced, they were extremely expensive, but they are not cost effective even for small applications. They have become the industry standard for recording. Digital recorders can be divided into two main categories:
194
Strategic Security Management
1. Stand alone: These recorders are stand alone because they can replace a time-lapse recorder and multiplexer directly and can be controlled right from the recorder. They come in options of 1 to 16 cameras (usually 1, 4, 10, and 16) and 80 gigabyte to 1 terabyte hard drives (varies by manufacturer). Many units are also capable of connecting to a network so that the images can be viewed on a PC on the network with the appropriate software. Most recorders are capable of viewing past images and recording live at the same time. A regular monitor or computer monitor can be used on most recorders. 2. PC based: These recorders are totally PC based and have controls on the unit; instead, a computer keyboard attached to the recorder is used. A computer monitor is also attached to the recorder for viewing. All of these styles of recorders are network compatible. They are available for a larger number of cameras (up to 64) and larger hard drives (many multiple terabytes).
Function and Application
The function of a recorder is to store the video images so that they can be reviewed at a later time. The most obvious application of recorders is to determine if an incident has occurred or to view the details of an incident that has been determined to have occurred. They also are important to determine that an incident did not occur. The storage of video images is helpful to law enforcement for prosecution.
IP Video The newest technology on the market is IP Video systems. It is widely believed that this style of CCTV system will be the standard in a short time, but that remains to be seen. In essence, this is a complete CCTV system that uses a computer network instead of traditional cabling or recording. IP cameras (a camera with an IP encoder installed) are wired directly into the network. Any computer on the network (with the right pass codes) can use the software and view the cameras. Decoders can be installed anywhere on the network if the signal needs to be transferred to analog for viewing on a standard monitor by security personnel and so on. Recording is done using computer hard drive storage methods such as RAIDS. The number of cameras and the amount of data storage for these systems are virtually unlimited.
Security Measures: Physical Security
195
Function and Application
The function of this system is to act as a complete CCTV system using an existing or new computer network. Currently, the application of these systems, which is becoming more popular, is for larger systems with hundreds of cameras and a very large data storage capacity. Also, this system can be used if there are multiple sites in different areas (even countries) that want to have one CCTV system. Because of cost restraints and the specialized knowledge necessary for installation (heavy on IT), these systems are not yet used for small or medium-sized systems. However, as time goes by that may change.
Intelligent Video Intelligent video, or smart video as it is also called, is simply what software technology allows people to do with the video images created. Here are a few examples. 1. Video motion: If there is motion within the video image or a set determined portion of that image, recording can begin, an alarm for notification can happen, and so on. Also, certain tendencies can be programmed so that if a person in the video image performs certain functions or acts in a certain way they are tracked and there is some notification. This sort of detection can be extremely precise and complicated. 2. Tracking: An object or person can be “tagged” by the video system operator, and that object or person can be tracked from camera to camera throughout the system. 3. Facial recognition: This software uses specific points on a person’s face which create unique distances for identification purposes. This information can be inputted into a database for comparison to known criminals, and so on. This software can also be used in access control applications.
Function and Application
The function of intelligent video is to aid CCTV system operators by processing the activities within the video images and giving the operators that information. At this time, the application for this technology is limited to high-risk situations and larger systems, but as time goes by these will become more affordable and common.
196
Strategic Security Management
Electronic Access Control Systems Access control systems have also become a major and indispensable part of a physical protection system. The ability to allow or deny access to facilities or areas within a facility and the ability to track the identity and times of those entries or exits have become critical security tools. The main purpose of an electronic access control system is to allow or deny access to some area based on one or a combination of the following factors: What You Have, What You Know, and Who You Are. The level of security desired determines what combinations of these factors are necessary and therefore what devices are chosen.
Stand-alone Devices Stand-alone devices are keypads or card readers that control only access points (door, gate, etc.). They are generally programmed via a “deck” of programming cards, dip switches, or through the keypad. They are relatively inexpensive but have a limited number of potential users and little to no tracking ability. These devices will determine either What You Have or What You Know in order to allow or deny access.
Function and Application
The function of a stand-alone access control device is to control access to one point where there are a small number of users and tracking is not necessary. The application for these devices is where there is only one access point on the system, such as a gate, and tracking is not important. An additional application may be where there are multiple access points but no viable way to get wiring between the points.
System Controllers Electronic access control system controllers are circuit boards mounted in a metal (or sometimes plastic) cabinet and are the brains of a multipoint access control system. Readers, egress devices, door-ajar contacts, and locking devices are all wired into a controller to form a complete system. Controllers typically come in 2-, 4-, 8-, or 16-point versions where multiple controllers can be interconnected to create as large a system as is required. These systems are PC based and are programmed from software on a computer wired directly to the controller or from a computer on a network where the controller is wired. Typically, this style of system allows or denies access based on access point, card, time, day, or a multiple of those things; reporting of door ajar; anti-
Security Measures: Physical Security
197
passback; and reporting of denied access; and a multitude of reports and charts of user activity based on various criteria. This type of system controller is currently the industry standard for access control systems.
Function and Application
The function of the system controller is to combine multiple access control points into one integrated system controlled via software from one location or network. There are an infinite number of applications for this type of controller, basically anywhere where multiple access points are required and control and monitoring is centralized.
Readers Readers are the electronic devices that accept an input from a user and transmit that information to the controller to allow or deny access. Readers are wired directly into the controller. There are different types of readers, as follows: 1. Magnetic stripe readers: These are readers for magnetic stripe cards, similar to credit cards, which read the information on a magnetic stripe on the back of the card. Because of better technology, these cards and readers are rarely used today. 2. Wiegand readers: Wiegand readers are for Wiegand cards, which use a wire embedded into the card to transmit information. Although the Wiegand protocol is still the industry standard today, the cards and readers are rarely used. 3. Proximity readers: Proximity readers are for proximity cards or key tags that use a chip embedded within the card or tag to transmit information. These are the industry standard for readers and are available in a variety of read ranges and mounting options. This type of reader as well as the magnetic strip and Wiegand readers deal with What You Have. a. These readers are also used with smart cards, a relatively new but promising technology that embeds a great deal of information about the user on the card. In that way, the same card can be used for access, payment on account, personal identification, and more. b. Proximity cards also have the option of Photo ID badging, so that the person’s picture, name, and other vitals are on the card for additional identification by personnel as well as being used for access. 4. Keypads: Keypads usually use a four- or six-digit code to determine access. This type of reader deals with What You Know.
198
Strategic Security Management
5. Combination Card/Keypad reader: This reader combines both a card or key tag proximity reader and a keypad. Both the card or tag and keypad have to be used for access. This type of reader deals with both What You Have and What You Know together. 6. Biometric readers: These readers measure and verify a unique physical characteristic of the individual to determine access. These readers deal with Who You Are. Although they are becoming more popular, this type of reader is not very common and is used almost exclusively in high-risk areas. However, it is recommended that these devices not be on the only access device for a point but rather be used in conjunction with either a card reader or keypad. Here are some types of biometric readers. a. Fingerprint scan b. Retina eye scan c. Hand scan d. Voice recognition
Function and Application
The function of a reader is to accept the inputted information from a user and transmit that information to the controller to determine whether access will be granted or denied. The application of these devices is self-evident by their function. However, the type or combination of types of readers used is determined by the level of security desired based on What You Have, What You Know, and Who You Are.
Locking Devices Locking devices are what keep the door or gate closed and secure until an accepted user activates a reader and the opening is unlocked. Locking devices are generally wired directly into the controller but also usually require their own power source. Common locking devices include: 1. Electric strike: Electric strikes replace the strike plate on a door and keep the door latch from moving until it is activated. This lock is available in fail-safe (releases on loss of power) and fail-secure (remains locked on loss of power) versions. This is the most common locking device. 2. Magnetic lock: Magnetic locks, commonly called mag locks, consist of a large magnet mounted on a door or gate frame and a plate mounted on the door or gate itself. These devices are used where electric strikes are impractical owing to installation difficulties or where sturdier door
Security Measures: Physical Security
199
security is needed. Mag locks require specialized egress devices due to building code regulations. Mag locks are a very popular locking device. 3. Electric panic hardware: These are installed on the inside of a door and retract a latch bolt when activated. They are used primarily for egressonly doors.
Function and Application
The function of a locking device is to secure a door, gate, or other opening until an authorized user activates a reader and releases the locking device. The application of these devices is self-evident by their function. However, the type of door or gate, along with the individual installation issues, will determine the type of locking device used at each opening.
Egress Devices Egress devices allow exit from an opening by releasing the locking device without activating a reader. Keep in mind that some applications will also employ a reader to exit instead of an egress device, although certain building code issues must be dealt with when that is the case. Electric strikes do not require an egress device because using the existing door handle or panic bar will allow exit. Egress devices include the following. 1. Request to Exit motion detectors: This motion detector is installed above the door on the wall or ceiling and is activated when someone walks up to the door. 2. Exit button: This button, when pushed, releases the locking device. 3. Touch sense bar: This device looks somewhat like a crash bar except it is electrically charged. When someone touches the bar, the lock can release, or there can be an alert sounder that someone is trying to exit with a delay time for release. 4. Electric panic hardware: This locking device is also its own egress device.
Function and Application
The function of egress devices is to allow exit from the opening by releasing the locking device without the use of a reader. The application of these devices is self evident by their function. However, which one or combination of these devices varies greatly on specific individual application and is determined by federal, state and local building codes as well as function.
200
Strategic Security Management
Door Hardware Existing door hardware will have to be changed in many cases with the installation of an electronic access control system. A door hardware specialist will need to be involved. If the installation is at a completely new facility, door hardware should be addressed up front when doors are specified.
Turnstiles Turnstiles are an access control device meant only to allow authorized users to enter an area one by one. These devices are commonly seen in subways and stadiums. The popular version of the turnstile for security uses is called an optical turnstile. There is no rotating bar that manually stops entry as in a subway; in fact, there is no manual stop at all. The turnstile reads the access card of the individual before he or she walks through. If the user is authorized, nothing happens and the next person continues. If the user is unauthorized, some sort of alarm goes off, alerting security personnel of the issue. This type of turnstile allows a very good throughput rate (throughput is the number of people who can go through the device in a given time period).
Function and Application
The function of an optical turnstile is to allow people to easily enter a facility but still alert security personnel if an unauthorized person attempts entry. These devices are very popular in corporate offices and similar types of buildings where each individual does not need to be viewed before entering but access needs to be controlled.
Perimeter Security Systems Perimeter security systems are defined for this purpose as systems designed to restrict access to the grounds of a facility.
Fencing Fencing is a very common way of denying access to facility grounds. It generally comes in chain link and ornamental varieties. There are industry standards based on application for the height of the fence, amount buried underground, and so on. The chain link variety also can have barbed wire on its top for extra security, which also has its set of industry standards based on application. Fencing is installed so that there is a “clear zone” between the fence and other objects or buildings on the grounds. This clear zone helps in both detection and delay in order to respond. Fence sensors are available, which sense the movement of the fence, such as someone climbing it, and set off an
Security Measures: Physical Security
201
alarm for notification. Pedestrian and vehicle gates are added within the fence line to allow authorized access to people and vehicles.
Function and Application
The function of fencing is to keep unauthorized people and vehicles off facility grounds. The applications of fencing are many, from government to corporate to housing facilities. Retail would be an obvious application where fencing would not be used.
Gate Operators Gate operators are electronic devices that allow automatic rather than manual operation of gates within the fence line. They include the following categories. 1. Slide gate operators: These operators move a gate made from the same material as the fence side to side to create an opening. They are available in chain- or belt-driven as well as hydraulic versions. 2. Swing gate operators: These operators move a gate made from the same material as the fence in a swinging motion across the ground to create an opening. They are also available in chain- or belt-driven as well as hydraulic versions.
Figure 10-3. Slide Gate Operator. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
202
Strategic Security Management
3. Barrier arm operators: These operators move an arm usually made of wood or aluminum in an upward-swinging motion to create an opening. Gate operators require a variety of safety accessories that could include: 1. Loop detectors: Wire loops are installed by cutting into the pavement, creating an electrical field that is disturbed when a car drives over it. They are used as both safety devices and free exit devices. 2. Photo beams: These are the same as their security versions described in the burglary section of this chapter except they are used as safety devices. 3. Safety edge: This device is installed on the gate itself to reverse the gate operator action if the edge is touched. 4. SOS: These devices automatically open the gate when a siren is activated like the kind used in emergency vehicles. Because the addition of these safety devices can create a potential lapse in security, gate operators are usually manned or have additional electronic systems used in conjunction with them, most notably CCTV cameras. In addition, access control readers are commonly used to open the gate operator. Remote controls similar to garage door openers are also used for this purpose.
Function and Application
The function of a gate operator is to automatically open the gate when it is required so that it can remain closed for security when not in use and does not have to be manually opened when it needs to be. The application of gate operators is found anywhere that a fencing system exists and the gate must be opened and closed multiple times during the day.
Bollards Bollards are physical barriers that are installed on the perimeter some distance from a building. They range in height and in other physical attributes and are generally made of concrete or steel. They can be fixed or hydraulic so that they can be raised or lowered as desired. They are usually installed in bunches in such a manner that a vehicle cannot get between them.
Function and Application
The function of bollards is to prevent a vehicle from getting past them and close to a building.
Security Measures: Physical Security
203
The application of bollards is for facilities where it is a concern that a vehicle filled with such things as explosives would drive into or near a building.
Locks Locks are one of the most basic physical security countermeasures but all the same an important one. They can be used to delay a threat while waiting for response if the threat has already been detected. Otherwise, locks are used mostly as a deterrent. They come in rim-mounted, mortise, tubular, cylindrical and unit types. Here are a few things to keep in mind: 1. Locks are only as good as the door, jambs, and walls around them. A lock does no good if the door can be kicked in easily. 2. Key management is important when dealing with a complete lock system. If anyone with a little ingenuity can obtain or make a key to the lock, it doesn’t do much good. Many manufacturers’ products are designed to improve key management. 3. All locks can be compromised by an expert in a very short period of time. Locks work best as part of the overall physical protection system and not all by themselves. 4. If there is no way to detect a threat in order to create a response and a lock is the only countermeasure being used, the question is not whether the opening will be compromised but how long or short a period of time it will take.
Function and Application
The function of locks is to stop an adversary from easily entering without having to perform another task to do so. The application of locks is widespread—basically any door or window that allows access to a protected area. Locks are best when used in conjunction with other physical security countermeasures.
Lighting Lighting is a critical part of the detection element of a physical protection system. A threat cannot be detected, either by camera or in person, if there is no light. Lighting also helps in response to the threat. Another factor in lighting is deterrence. A threat may be more likely to attack an asset in relative darkness as opposed to in bright light. Long book chapters and whole books have been written about the science of lighting as it pertains to security. Research should be done to determine what
204
Strategic Security Management
type and style of lamp is best for every application. Factors to consider include color of light, re-strike time, efficiency, and brightness. Types of lamps include incandescent, fluorescent, halogen, low-pressure sodium, high-pressure sodium, metal halide, and mercury vapor.
Function and Application
The function of lighting is to illuminate a protected area in order to detect a threat in order to elicit a response. The application for lighting is a part of virtually every physical protection system.
Fire Systems Although fire systems may not be regarded as physical security countermeasures, they are crucial life safety systems and in many cases are integrated with security countermeasures in some form or another, either in some common equipment or through monitoring. In addition, security and life safety functions can be handled by the same department. While fire systems are in some respects a separate discipline, some basic knowledge of the equipment available is important. Here is a very brief and condensed description of fire system devices: Fire control systems are broken down into two major categories: 1. Addressable: Addressable fire systems assign an “address” to each field device in order to program and identify the device in case of an alarm. While the cost of this equipment is higher than that of its counterparts, the money is theoretically made up in lower installation and wiring costs. Addressable panels are used for larger systems and even smaller modern systems. Addressable fire devices are not interchangeable with analog devices or with other addressable devices of different manufacturers. 2. Analog: Analog fire systems use a “zone” approach similar to burglar alarm systems and wire multiple devices onto a zone. All older panels are analog, and still a good many new smaller systems use analog panels. Analog fire devices are generally interchangeable by manufacturer between systems. Here are the more common fire system devices found in the field: 1. Smoke detectors: Smoke detectors come in two major styles: ionization and photoelectric. As a general, but not absolute, rule, ionization smoke detectors are for residential use, and photoelectric smoke detectors are for commercial use. In the general operation of a smoke detector, the air passes through the detector chamber, which senses the presence of smoke.
Security Measures: Physical Security
205
2. Duct smoke detectors: Duct smoke detectors are smoke detectors installed in forced hot-air duct work. A tube is inserted in the duct work that captures the air and brings it to the detector located outside the duct for sensing. 3. Beam smoke detectors: These smoke detectors use beams of light, similar to a motion detector, to sense smoke. They are used to cover larger areas than traditional smoke detectors. 4. Heat sensors: Rather than smoke, these sensors detect either a fixed temperature point or a rate of rise of temperature over a set period of time. 5. Pull stations: These devices feature a lever that can be manually pulled in order to activate an alarm. 6. Sprinkler flow switch: These switches tie into the water feed of the sprinkler system to activate an alarm if the water flows. 7. Sprinkler tamper switch: This switch ties into the sprinkler shutoff valve to sense if the valve is rotated. 8. Horn/strobes: These are signaling devices that use a visual strobe and audible horn when the alarm is activated. 9. Strobes: These are signaling devices that just use the visual strobe. 10. Speaker/strobes: These are signaling devices that use the visual strobe and either a prerecorded announcement or a live announcement when the alarm is activated. They are used in conjunction with a voice evacuation panel. 11. Door magnets: These devices hold open smoke doors, usually located in hallways, and release the doors so that they close when the alarm is activated. The number and location of these devices on a premise are strictly regulated by NFPA 72 National Fire Alarm Code and NFPA 101 Life Safety Code. These systems must be designed by a trained and in some cases licensed professional.
Function and Application
The function of fire alarm systems is to detect the presence of smoke or fire and to alert all the occupants of the facility so that they may exit the facility. Fire systems are required in facilities of minimum sizes and number of occupants depending on the type of facility as described in NFPA 101 Life Safety Code.
Specialized Protection Systems In many cases specialized protection countermeasures are needed in order to combat more serious threats. These needs include explosion protection, bal-
206
Strategic Security Management
listic protection, weapons identification, and chemical and biological protection. The design and installation of these countermeasures is a very specialized field and may include 1. Metal and explosive detectors—to identify weapons and bombmaking material as it enters a facility. 2. Ballistic-resistant rated materials and products—includes such things as window film and special doors and windows. 3. Structural hardening designs and materials.
Function and Application
The function of specialized protection systems is to detect or repel a specific special serious threat. The application of these countermeasures is in high-security applications or any other application that may be deemed a target of terrorism.
Integration of Multiple Physical Security Countermeasures The basic function of a physical protection system is to detect, deter, and respond to a threat. Except for the smallest of systems, this always requires multiple physical security countermeasures. These measures must be integrated in order to form the entire physical security aspects of the protection system. Some manufacturers have already integrated multiple countermeasures into one functional system. For instance, currently some products on the market combine CCTV, access control, burglary, and even fire systems into one software package with compatible head-end equipment. The combination of access control and CCTV or access control and burglary are the most common combinations. The more common method of integration of physical security countermeasures is simply to provide multiple measures and design them in a way in which they work in concert with each other. The more common method of integrating physical security countermeasures is simply to provide multiple measures and design them in a way in which they work in concert with each other. For example, for a whole facility, detection can include a fence detector, CCTV cameras, outdoor motion sensors, a burglar alarm, and lighting. The deterrence can include fence razor wire, a gate operator, door locks, and access control devices. Response can include a guard office with internal monitoring facility. Similar examples can be used for just a building itself or just an area within a building using the same principles as for a whole facility.
Security Measures: Physical Security
207
Integration of Physical Security Countermeasures with Personnel and Policies and Procedures Countermeasures Physical security countermeasures are never used alone; rather, they are always used in conjunction with personnel or policies and procedures countermeasures, or both. While this may be self-evident for large systems, even the most basic stand-alone burglar alarm has a procedure and/or policy for turning the alarm on and off and if it is monitored it now involves personnel. All electronic physical security countermeasures and most mechanical ones are not just installed and expected to work on their own. They require some kind of human interaction, in various degrees, for them to perform their function to their full potential. Therefore, not only must the personnel exist to interact, but they must have an understanding of what to do. Here are just a few examples of that interaction: 1. An access control system cardholder attempts on multiple occasions to enter an area of the building for which he or she is not authorized and is denied access. The system software sets off an alert on the appropriate PC. The person in charge of monitoring and running the system must acknowledge the alert and determine how the situation should be handled. This scenario requires the personnel to monitor the system and the policy and procedure to determine what to do. 2. A retail store has CCTV cameras throughout the store with Pan-TiltZoom (PTZ) capability to identify shoplifting and employee theft. Security personnel are watching the cameras and looking for criminal actions. When a crime is spotted, they must notify the appropriate security personnel and determine the correct course of action. This scenario also requires the personnel, in this case specifically trained personnel, to monitor the system and the policy and procedure to determine what to do. 3. There is a manned security shack on a fence line with an automatic gate operator. Employees of the facility use an ID badge and card reader to open the operator and gain access, but visitors and deliveries must be checked in at the gate and the operator must be opened by the security officer for the person to gain access. Not only must the security officer exist, but a policy and procedure must be in place for the security officer to determine who is allowed access. 4. An electronic turnstile at the employee entrance of a facility reads the employee’s ID card and allows access. Inevitably, some employees will have lost their ID badge or for whatever reason may have a hard time getting through the turnstile. Some personnel must be in place and follow some procedure for such occurrences.
208
Strategic Security Management
5. A security force patrols the grounds and interior of a facility, but that requires adequate lighting for the security officers to effectively see what is happening and an appropriate locking system for the security officer to move around the facility. In addition, they must have a set of policies to deal with situations that arise. Determining how, to what degree, and in what manner there exists a meaningful interaction between physical, personnel, and policies and procedures security countermeasures requires a degree of expertise and experience. Whether that is obtained internally or externally, making this determination is a necessary step taken to determine the exact physical security countermeasure needs.
Determining Physical Security Countermeasure Needs This is the most important step in the process of a physical protection system project. Although it takes skill to determine which products are the best fit for the requirements and needs, if the needs are incorrectly determined, the results are guaranteed to be ineffective. Determining those needs requires that the correct steps have already been taken. Up to this point, there should have already been an identification of the assets that need protecting, an assessment of the threats to those assets, and an assessment of the current vulnerabilities of the facility in protecting those assets against the threats. That information will help determine the overall level of security required. Once all that has been identified, a series of questions should be asked, including (but not limited to) the following. 1. What functions do the physical security countermeasures need to perform in order to counteract the vulnerabilities? For instance: a. Is it necessary to have tight control over access to the facility or parts of the facility? (This would be different for a retail store vs. a corporate headquarters.) b. Is it necessary to have visual identification of people in the building or the actions they take? Again this could be quite different for a retail store vs. a corporate office.) c. Is it necessary to have tight control over access to the entire grounds surrounding the facility? d. Is it necessary to provide additional safety for employees or visitors? e. Does the facility require additional security deterrents after hours? f. Are there specific areas of the facility that require additional security measures?
Security Measures: Physical Security
2.
3.
4.
5.
209
g. Does the specific threat require special considerations (i.e., ballistic, chemical countermeasures)? What number and type of personnel can or will be committed to the overall physical protection system? For instance, if the facility can’t or won’t have personnel to continually monitor CCTV cameras, you would not use PTZ cameras. Will systems be monitored internally or externally? What policies and procedures are acceptable based on the culture of the facility and its management? You would not at this point, for instance, ask employees at a normal corporate office to have their persons and belongings searched every time they enter the building, whereas you would for a sensitive government office. What makes common sense for the facility? Although it would be effective to have an armed security officer posted all night at a secondary school, does that really make sense? By the same token, does it make sense to just have door locks and good lighting at a manufacturing facility? What is a realistic budget for the system? Although to some degree the needs define the budget, in the real world there are constraints and there must be a convergence of meeting the needs of the facility and the money that can be spent.
Physical countermeasures should be designed in layers, with the underlying theme being a combination of measures to detect, deter, and respond. Here are a couple of examples of the thought process. 1. If there is a medical research facility that conducts tests on animals, the threat assessment would determine that radical groups like PETA are a concern. In that case, among other things it would be important to control access to the grounds of the facility as well as the facility itself, to have special security measures in the specific research areas, to provide specific policies for the safety of the employees, and to have some sort of security force in close proximity should a threatening event be detected. 2. If a corporate office houses employees and a data center with sensitive information, among other things it would be important to control access to the building itself, provide special security measures for the data center, provide some surveillance for the safety of the employees, and have a burglar alarm with external monitoring for after hours. Being able to assess the answers to the questions posed earlier and the large number of other questions that need to be asked and from that determining the physical security needs requires skill and should be done by someone trained in that field. If there is any part of the acquisition of a physical
210
Strategic Security Management
protection system process where proven expertise should be sought, this is it. If the needs of the facility are determined incorrectly, nothing else will matter in providing an effective system.
Matching Product to Need Once you have an understanding of which physical security countermeasures are needed for your protection of assets, you must match the specific product to that need. Notice the wording here: MATCH PRODUCT TO NEED and not NEED TO PRODUCT. This may seem like logical common sense, and it is, but it is here that many critical mistakes are made for various reasons. The best way to avoid falling into this trap is to create an Invitation to Bid rather than an RFP when bidding the installation of these systems. An RFP gives the requirements of the system based on the needs and asks the responders for the equipment solution to the requirements. In an Invitation to Bid, the specific equipment has already been chosen and the bidders are simply being asked to submit a price for its installation. In many cases, particularly public bids, alternative equipment must be allowed to be bid, but if the specifications are written clearly enough, it can be reasonably guaranteed that any equipment bid will meet the requirements and therefore the needs. Note that all products specified in an RFP response or an Invitation to Bid may be equipment that meets the requirements and needs, but not the BEST equipment for the needs. The goal is to choose and provide the best solution for the required needs. If an RFP must be issued for these systems, avoid these pitfalls: 1. Do not rely solely on an integrator to determine which products meet your needs. Integration (installation) companies tend to represent a small number of manufacturers most of the time. This is because they have a comfort level with those manufacturers, volume quotas that need to be met, incentives from manufacturers, and sometimes it’s just easier. Maybe the manufacturer they choose has a piece of equipment that exactly meets your need and maybe the manufacturer does not. An independent review is needed to verify that the equipment bid meets the requirements and needs. 2. Be even more careful with very large companies that manufacture, sell, and install their own equipment. The problem described above becomes even more of an issue, and the “slickness” of these companies makes it difficult to recognize that you are not getting the best product match for your needs. 3. In both of the cases in (1) and (2), beware of equipment that can only be installed by one company in your geographical area. This may not be the best long-term solution for your needs if you become locked in to one integration firm, especially if you are unhappy with them in the
Security Measures: Physical Security
211
long run. You may not have a choice but to choose equipment that only a few integrators in your area can install, but if you can choose equipment that any reputable firm can install that would be best. If an Invitation to Bid is prepared, it is critical that the individual writing the specifications has total independence from any particular manufacturer or equipment supplier to make sure that the equipment chosen is the best fit for the needs. If there is no internal expertise that can wade through the maze of equipment types described in this chapter and make the proper decisions, outside design expertise should be sought. This may come in the form of a security consultant or architect or engineer. Whichever is chosen, the same due diligence and oversight must be applied as is applied with the evaluations of an RFP to make sure the best equipment is chosen. It cannot be stated enough that independence is key for the consultant or architect determining the correct equipment for the needs. These issues should be kept in mind: 1. Some manufacturers have a tendency to wine and dine system designers, particularly architects, with the goal of having the system design specify their equipment almost exclusively. A well-known fire system manufacturer (whose name shall be omitted) is notorious for this behavior. While this manufacturer is not being unethical, it can be legitimately argued that the designer is unethical. Steps should be taken to make sure the chosen designer is not specifying equipment for this type of reason. 2. In addition, some manufacturers will offer to write the specifications for the designer, of course specifying their equipment, at no charge. A well-known burglar alarm manufacturer and installation company (whose name again shall be omitted) does this as part of its normal business operations. The designer’s behavior is definitely unethical because he is charging for work performed by others. This behavior seems to happen more with architects than security consultants or engineers. 3. As with integrators, designers sometimes develop a comfort level with certain manufacturers and specify their equipment regardless. They may not have the same financial obligation that the integrator has with quotas, but they may believe they have a loyalty obligation. This results in not providing the best option for the client. There are plenty of reputable security consultants, architects, and engineers who do not behave in these ways. It is important to make sure that is the case and that the designer is choosing equipment based solely on determined requirements and needs. Whether the equipment choices are being made internally or externally, these criteria should be used when making the choice:
212
Strategic Security Management
1. Function: Does the equipment perform all the functions required to meet the needs? Does the equipment perform considerably more functions than is required, or is another piece of equipment a better match? 2. Reliability: Does the manufacturer have a reputation of reliability in the industry? Is there any track record with this equipment? 3. Compatibility: Is this equipment compatible with the rest of the equipment that will be used for the total physical protection system? If things need to work in concert with each other, will they? 4. Price: Is this equipment within the prescribed budget for the system? 5. Ease of Installation: Will installation costs be reasonable for this equipment, or is the equipment too burdensome? Is there a wide range of integrators that have the ability to install this equipment? 6. User Friendliness: Is this equipment easy to use for the ultimate end user? 7. Expandability: Is this expandable to cover the anticipated potential future requirements? If these general criteria are followed, it is reasonably assured that equipment choices will be based on the product matching the need and not the need matching the product.
Defining Cost and Cost-Benefit Analysis When determining what physical security countermeasures to implement, it is obviously important to have an understanding of what those countermeasures will cost. This is not as simple as finding out how much the products cost to purchase or getting a proposal from an integrator for product installation. The following aspects of cost must be taken into account: 1. System Installation Cost: This is what would normally be considered the cost of the system, what would be put in an Invitation to Bid. When estimating this cost for planning purposes before the bid process, take into account all these components of the installation cost: a. Product costs: This is what the equipment cost is to the integrator. b. Shipping costs: The equipment has to get to the integrator and then to the site. Where is the equipment chosen coming from? c. Labor costs: This is always a major part of the system cost. What is the typical wage rate in your area? Will this be a prevailing wage job? There may be different wage rates for different functions. What must be done for each of these functions with the system chosen? In field supervision Site installation
Security Measures: Physical Security
213
Programming Testing Training d. Fixed costs: There are always fixed costs for a project that could include the following: Material cost Subcontractor cost Engineering Bonding fees Permit fees Taxes Tools e. Profit/Overhead costs: There must actually be a profit made from the installation of the system. 2. System Operation Costs: It is necessary to look at everything that must be done on a regular basis because of the installed system, including how if affects personnel and policies and procedures. All these added functions have a cost associated with them that must be taken into account when determining the overall cost of the countermeasure. For instance: a. Do personnel have to be added in order to operate the system? Security officers or central station personnel? b. Does someone have to regularly review the output of the system? (CCTV images, access control reports, etc.) c. Does a policy or procedure have to be added because of the system that affects someone’s productivity? 3. Maintenance Costs: How much will this system cost to maintain? Does regular routine maintenance have to occur, and if so how often and in what detail? For instance, a gate operator has a far greater need for routine maintenance than a burglar alarm. What is the track record of the equipment from a breakdown point of view? How often will the system not be functional? What extra costs, particularly with personnel and repair costs, will be incurred when the system is down? These are not easy questions to answer, but the analysis must be done. 4. Replacement Costs: What is the life cycle of all the equipment within the system? When will products have to be replaced, and what is the anticipated cost of those products at that time?
Once you have analyzed all of the above costs, you now have the overall cost of the countermeasure and can analyze that cost versus the benefit.
214
Strategic Security Management
Cost-Benefit Analysis It now must be determined if the benefit of protecting the asset is worth the cost. You would not spend $10,000 (as an example) to protect a cash register with $100 in it. However, $10,000 would be a bargain to protect $1 million worth of jewelry inventory. Also, keep in mind that assets are not just property but people and information as well. Is $10,000 worth protecting employees in a parking lot? Is it worth protecting the formula for your signature product? The answers to these questions are determined by simple factors such as the size and budget of the facility and complex factors such as the criticality of the potential loss. The larger the cost the more professional expertise, internally or externally, must be used to evaluate the loss criticality and make the cost-benefit analysis.
Best Practices Best Practices means exactly what it seems—to perform one’s duties in the best manner possible according to industry standards. The first step in the process of applying Best Practices to a physical protection system is to actually want to do so. While that may seem obvious to those of us who want to, the sad fact is many people simply want go through the motions and produce perhaps a workable system but not the best one possible. If an individual performing any of the functions of implementing a physical protection system does not stress the use of Best Practices, find one that does. If it is not possible to hire an external consultant to perform the necessary functions, it will require someone internally to understand the Best Practices. How does one gain Best Practices knowledge when it comes to Physical Security Countermeasures and integrating them with a comprehensive physical protection system? Here are a few ways: 1. Reading: Reading books such as this one and other industry and system-specific books will teach a lot about physical security countermeasures. 2. Seminars/Conferences: Organizations such as the American Society for Industrial Security (ASIS) and the Security Industry Association (SIA) routinely sponsor seminars and conferences that cover a broad range of subjects regarding all aspects of physical protection systems. They are generally taught by well-regarded experts in the security industry. 3. Research: With the Internet and some time, a lot can be learned about any subject, this being no exception. Keep in mind: there is no substitute for experience. All the above education is great, but it must be combined with real-world practices in order to ultimately achieve the use of Best Practices.
Security Measures: Physical Security
215
Codes and Ordinances The government at all levels, federal, state and local, has adopted codes and ordinances relating to the design and installation of physical security countermeasures. The local Authority Having Jurisdiction (AHJ), which could be a building official, fire marshall, or other inspector, verifies that the design and installation of the countermeasures meet or exceed all the applicable codes and ordinances. Regardless of the physical security countermeasures chosen for the facility, it is essential that they meet or exceed the codes and ordinances that apply to the particular application. While this is important for all measures, it is particularly important for access control and fire systems. Following is a list of some of the codes and ordinances that must be adhered to when designing a physical protection system: 1. 2. 3. 4. 5. 6. 7. 8.
NFPA 70 National Electrical Code NFPA 72 National Fire Alarm Code NFPA 101 Life Safety Code Americans with Disabilities Act (ADA) Underwriters Laboratories, Inc., Standard for Safety BOCA Building codes Local and State Building codes All requirements of the AHJ
Summary In order to design and implement the most effective physical security countermeasures as part of the overall physical protection system, security decision makers must first understand what types of countermeasures exist and what their functions are in the larger security program. Then it is necessary to understand how those countermeasures relate and integrate with each other and with both personnel and policies and procedures countermeasures. That knowledge is then used to determine which physical security countermeasures or combination thereof meet the needs for the asset being protected against the threats. Once the type of physical security countermeasure needed is determined, the specific product must be found to match that need. Part of that process is also determining the cost of that countermeasure and analyzing the benefit versus that cost. Finally, both industry best practices and applicable codes and ordinances must be followed in the implementation of those countermeasures.
This page intentionally left blank
Chapter 11
Security Measures: Deploying Physical Security Karl F. Langhorst
In this chapter . . .
Countermeasure Selection Creating Management Buy-In Countermeasure Implementation Auditing Effectiveness TAG's Risk Assessment Process® Asset Identification
Policies & Procedures
Current Security Measures
Physical Security
Security Personnel
Threat Assessment
Crime Analysis
Risk Assessment
Vulnerability Assessment
Cost Benefit Analysis
Report and Recommendations
Figure 11-1. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
Countermeasure Selection Once a risk assessment has been completed and the report recommends that additional physical security measures are needed to help reduce the organization’s exposure, it is time to decide what technology is best suited for the facility. If you are one of the organization’s security decision makers, you are
217
218
Strategic Security Management
undoubtedly inundated daily with mailings and phone calls from companies professing to have the latest and greatest security technology that will solve all of your organization’s problems. While these vendors may have good equipment, it may not be the right equipment for the organization. The first step a security decision maker should take during the selection phase of security equipment deployment is to decide what is to be accomplished. For example, if the security decision maker’s goal is to install a camera system that can capture a license plate number of a car entering or leaving the parking lot of the facility at both day and night, the security decision maker must make sure that this criterion is specified to the vendor that is supplying a bid. That may seem like common sense, but many security equipment vendors will tell you that customers often fail to be specific enough about what they are trying to accomplish and overzealous, inexperienced salespeople don’t ask. More often than not, when the technician comes to install the new equipment, he says, “I can install this but it’s not going to do what you want it to.” In these instances, the security decision maker just wasted valuable time and will more than likely have to start the bidding process over again and probably explain the misstep to management. Be realistic in your assessment of the threat level to the assets in need of protection and the level of damage that could be sustained if in fact an intrusion does occur. If it is the organization’s critical infrastructure in need of protection, security decision makers will certainly have more latitude in spending funds on needed equipment than if they are seeking to secure low-risk, noncritical assets. Rarely are security professionals employed at a company where they have an open checkbook to procure every piece of technology that they desire regardless of cost. More often than not, organizations make security decision makers justify every lock, camera, and alarm component that is being considered. The security decision maker who is not cost conscious during this process will be doing a disservice to the organization and the security program. Just because a certain technology is the latest and greatest does not necessarily make it the right choice for the application. A security professional knows that fiscal responsibility is part of his or her job description as well. Don’t necessarily buy cheaply but do buy wisely. Security professionals manage their security budget as closely as they manage their personal finances. They will quickly get the respect of their supervisors and are more apt to get funding for future security expenditures if they are known to have fiscal restraint when making purchases. A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. —Douglas Adams One of the best ways to determine what technology works for the organization or facility’s environment and what does not is to see what other secu-
Security Measures: Deploying Physical Security
219
rity practitioners in the industry are using in their facilities. Hopefully, the security decision makers are already networking with these individuals and have established working relationships with them. If not, they are missing a chance to gather invaluable insight into how other companies are addressing some of the same security challenges faced by the security decision maker. Professional security and loss prevention associations, such as the American Society for Industrial Security—International, are ideal venues for networking with peers to both share and hear experiences that can benefit the organization. Obviously, confidential proprietary information should never be shared, but there is a wealth of knowledge that is not confidential that can be gained by interaction with security counterparts. Whenever possible, try to tour the actual facilities of other organizations to see what security measures they have implemented. Security professionals securing public facilities can be sure that others, including competitors, will be looking to see what you are doing to address security concerns. If the facility is not generally open to the public, ask your security counterpart if he or she would give a brief tour so that you can see what they are doing in the way of security. You probably will be pleasantly surprised by the willingness of other professionals in the industry who will provide valuable information to help you determine what equipment is right for your project. Don’t let your pride in being a subject matter expert in every aspect of security get in the way of listening to other professionals in your industry who may have a wealth of information for you. Security decision makers should avoid taking a myopic approach during the selection process of security technology. Usually, many different technologies are available to security decision makers, and thus they have many different ways to protect the asset in question. For example, would a simple singlecylinder deadbolt lock on a door and a motion detector with a local audible alarm satisfy the security requirements for the area you need to protect? Or does it require a more advanced technology, such as a proximity card access control system, with central station alarm monitoring capability? These questions can be answered by reviewing your threat assessment and vulnerability data so that you can formulate a logical, cost-effective solution. If the security solution proposals always reflect a “cost is not a factor” mindset, security decision makers will sooner or later be faced with some push back from management who become concerned about the cost. Remember, in most environments the Loss Prevention and Security departments are cost centers rather than profit centers, and the limited financial resources should be wisely spent. When making a major purchasing decision on rolling out security hardware to multiple locations, a trip to a technology trade show would certainly be warranted. Large shows are held annually throughout the United States which offer security professionals the opportunity to view the latest and greatest in security technology. ASIS holds a yearly conference that features hundreds of exhibitors with displays of everything from locks to windows to alarms. Another major trade show is the International Security Conference (ISC),
220
Strategic Security Management
which holds shows annually both on the West and East coasts of the country. Because of the extremely large number of exhibitors at these shows, security decision makers will probably spend a couple of days visiting with the different vendors, looking at their equipment and asking questions. This can be an overwhelming experience, and security decision makers can leave these trade shows with more questions than when they arrived if they have not prepared adequately. If, for example, you are looking for a digital video recorder (DVR) device to replace your existing VHS system at your facility, it would be advisable to prepare a checklist of the features you desire the system to have. It is not unrealistic to find 30 or 40 different manufacturers of digital recorders at these shows, and after looking at all of them the strength and weaknesses of each one can easily run together. By utilizing a checklist of what your specifications are, you can rate each unit to see how closely the product meets the organization’s needs. After completing a tour of the show, you can then review the checklist for each vendor’s DVR to narrow down which unit warrants a second look. By utilizing the methodology we have outlined, you will quickly be able to examine a wide variety of products in a short period of time, thereby reducing the length of your search process. Security decision makers do not have to become subject matter experts on every piece of security technology that they have in your facility, but they certainly should know how the product is supposed to function if they are going to recommend that the organization purchase it. As previously mentioned, a lot of security equipment providers are trying to sell security decision makers their product. For example, if you are in the market for an alarm system, one decision you will be faced with is whether you want to purchase a proprietary alarm system or a nonproprietary system. Also, you will have to decide whether you want to lease the system or own it. The initial cost of getting a proprietary system and leasing it might appear attractive at the onset and could certainly save you the initial outlay of capital, but upon further examination this could tie you into a service provider that you are not happy with in the long term. By purchasing a nonproprietary system that can be serviced and monitored by several different providers, you are free to switch to a different company should the need arise. Additional consideration must be given to the type of alarms needed at the facility. Fire alarms are typically dictated by the local fire jurisdiction as to the extent and type of coverage required. Your organization’s insurance provider may also have a say as to what type of equipment is required at the facility as well. Burglar alarm systems are typically not regulated by local authorities, except for alarm permit requirements, and therefore can be an area in which a lot of latitude is possible, allowing security vendors to oversell or even undersell. When addressing security needs for multiple locations, it is very easy to fall into a “cookie-cutter” mentality. Busy security professionals can find themselves applying the same security solutions at every site they oversee. Standardization of equipment and how and where it is to be installed in itself is not
Security Measures: Deploying Physical Security
221
necessarily a bad thing. By using the same product throughout your facilities, members of the security department have the ability to familiarize themselves with the nuances of the equipment and are more adept at both utilizing and troubleshooting any problems with it. In addition, in environments where security personnel are not the only user of the security equipment, as is often the case in retail stores, security decision makers stand a much better chance of on-site, facility personnel using the equipment and taking ownership in maintaining its functionality if they are familiar with it. If facility personnel are frequently transferred from site to site, the last thing most of them want to do, or have the time for, is to learn how to operate a different type of security device whether it is CCTV, alarms, or even locks. Great savings in the purchase price of the equipment can also often be realized if security decision makers deal with the same supplier on a repetitive basis. Quite often, security decision makers can fall into a trap that more is better, meaning the more expensive and state-of-the-art equipment they put into a location to harden the target, the better chance they have of preventing losses. Certainly, different layers of protection for a facility should be considered during the security assessment phase. But security professionals would be remiss if they did not propose realistic solutions to address the anticipated threat level. For example, as the security decision maker for your organization, you could propose to have a biometric access control reader on all of your exterior access doors at the corporate office if you so desire. And if your organization was in the business of dealing with government defense contracts, that type of system might not only be warranted but required by the government if you were to do business with them. However, if your organization did not handle top secret government contracts but rather was in the field of distributing car engine parts, would you be able to justify the additional expense and the necessity of a biometric access control system to management over the cost and effectiveness of a proximity card system? You might show management the costs for both systems and then make your recommendation to go with the less expensive but more applicable system for your facility. By taking this approach, you will demonstrate that you have the ability as a manager to make rational, cost-conscious decisions based on the best needs of your organization. This is not to suggest that as a security professional you should always recommend the least expensive alternative to address your security needs—far from it. You have an obligation to your organization and to yourself to always deliver a fair and honest analysis of any security issue you are asked to address. While this may not always be the popular approach, it is the approach that in the long term will earn you the most respect. Another critical component during the selection process of any security hardware for the facility is service. You can select the most user friendly, costeffective security product that you were able to find, but sooner or later, regardless of its dependability, it will break and need service. And when it does break, you need to have a good, reliable provider in place. Otherwise you might have
222
Strategic Security Management
a nice piece of high-tech security equipment that has more value as a door stop than a door lock. When considering making a purchase, the security sales representative for that product will tell you how good their service is and how they are available to you 24 hours a day if need be. That type of verbiage looks good in a sales brochure or in a PowerPoint presentation, but is it true? It is incumbent upon the security decision maker to find out. The old adage of “Let the buyer beware” certainly applies here. You should first ask for references in your industry of those who are using the product. Then you should call those references. Never assume that just because someone is listed as a reference for a vendor they are not going to give you a less than positive opinion of them. Sometimes vendors list references who have not even approved use of their name on such a list. If you run across this while researching the reference list, this should be an immediate red flag to you. But don’t just stop at calling the list the vendor has provided to you. Go back to that group of peers in your industry that was mentioned earlier. They can serve as an invaluable wealth of information about service success stories, as well as dilemmas, involving equipment you are considering purchasing. And if they are not currently using the equipment you are interested in purchasing, odds are they know someone who is. Many questions need to be asked of these professionals to see how closely their answers coincide with those given to you by your sales representative. Have they had to call for service to the product in question on weekends, holidays, and late at night before? If so, how quick was the response time to their call, and how knowledgeable and well equipped with spare parts was the technician that responded to the location to complete the repair? After gathering all of that information, you should personally give the company a service test. Why not try calling that 24-hour service number at 2 a.m. to see if you get a live person as they promised in their sales literature? As a security decision maker, you will be inundated by many companies that are going to compete for your business. In many cases, they will be selling product that closely resembles each other in both performance and pricing. What really sets these products apart in many instances is the service aspect of the company. One of the most frustrating things for an end user of security products is to have a highpriced piece of technology fail and then be informed that the service technician will not be available for 72 hours. If you needed the technology badly enough in the first place to spend your organization’s capital to purchase it, why should you be expected to wait three days to have it repaired? Many security equipment vendors will give a company the opportunity to test their product on a “try buy” basis for a short period of time; 30 to 60 days, for example. In these cases, you agree to test the product and either return it or purchase it at the end of the prearranged time period. While this is not a realistic expectation when dealing with something as complex and permanent as a fire system, for example, it is feasible with a digital recorder, CCTV camera, or maybe even a locking device. What better way to see if the equipment is what you really want in your facility and if it performs to your expectations. And in
Security Measures: Deploying Physical Security
223
the event of an equipment problem, you get the opportunity to see their service personnel in action. Lastly, when it comes to service, if during the purchase phase of your equipment procurement you have difficulty contacting your salesperson and he or she does not return phone calls or show up at appointments in a timely manner, what type of service do you expect you will receive when you have difficulty with the equipment you are trying to purchase? Finally, before deciding on which vendor you want to purchase your equipment from, you should make sure the company you are going to do business with will be there in the future to service your needs. Every year more and more companies enter into the market to sell their newly developed security hardware devices. Most of these companies will do anything to get your business, including giving you rock-bottom pricing. Unfortunately, while their product may be very good, the management of the company may not be. In today’s economic market there are never any guarantees that any company, regardless of its length of operation, will be around tomorrow. But there are signs that you can look for that may indicate a lack of stability within the company. One sign is the continued promise from a salesperson that her company has new technology that is “just about to be released” that is exactly what you need for your application. Inevitably, those promised release dates continue to be pushed back. This could be a warning sign reflecting anything from the company having difficulty obtaining the necessary capital to fund the project to a turnover in engineering personnel to problems developing the technology itself. Another possible red flag of looming difficulty with the company is a continual change in sales representatives or administrative personnel. Quality sales personnel are usually in high demand and therefore will not stay with a company long if they do not feel it is stable. A thorough examination of any company should also include determining if the sale of security technology is even their primary business. During the initial frenzy of the digital video recorder era, there were many start-up companies selling their latest technology. Many of the companies had little if any background in the security industry. While their equipment may have been sound from both a hardware and software point of view, quite often it was not well thought out from the perspective of the intended end user, a security professional. In addition, some hardware developed by companies with little security insight might be easily defeated by an intruder due to lack of knowledge by the designers of the types of threat their product might be vulnerable to. Truly the selection of the company you decide on as your equipment provider can be as important as the equipment itself.
Creating Management Buy-In Once you have cleared the first hurdle of deciding what equipment you want to purchase, the next hurdle, and sometimes the most difficult one, is convincing management that you need it. Depending on the type of facility you are
224
Strategic Security Management
responsible for protecting, this can be a relatively easy task or a difficult one. Some facilities, such as nuclear facilities, are highly regulated and therefore are mandated to have certain security features in place. On the other end of the spectrum, if you are responsible for protecting a chain of convenience stores, which typically have little government oversight as it relates to security, you might have a more difficult time getting all of your security recommendations approved that require capital implemented, even though this can be an inherently dangerous work environment. Hopefully, you have already established a strong working relationship with senior management, and as such they respect your decision-making process and recommendations. This is not to say that this support will gain you instantaneous approval for your proposed expenditures, but it will help lay the groundwork for a more receptive audience. One of the first tools you should utilize in your equipment purchase presentation to management is the risk model that you have compiled. It is of the utmost importance that they understand that you have done your homework before bringing this proposal to them for their consideration. Owing to time constraints, you more than likely will not, and probably should not, review the entire risk analysis model that you have developed for the site but rather present a top-level briefing of the key points of your analysis. At the end of your presentation you can provide a more in-depth response on your analysis if questions are offered to you. Keep in mind that these risk analysis models that you have built, if done properly, will not only be useful in the design and equipment procurement phase of your project but may prove useful in the future to defend your company against civil claims of negligence arising from criminal acts that might occur at your facility. As part of your briefing to management, you should include any relevant internal crime statistics, especially if this is a preexisting site where you may have such data readily available. Many organizations that do not have facility security personnel at every facility struggle with accurately tracking criminal acts that occur on their premises. Quite often they only find out about such incidents when they are contacted by law enforcement, or even worse when they are served with notice of pending litigation from the plaintiff ’s attorney. To help counter this problem of the failure to report relevant incidents, your security department should make sure that they have provided an effective and nonlabor-intensive means in which facility management can do so. Several different methodologies exist that might be suitable for your organization. A call-in phone line to a staffed data center might be an option for a large company whereby operators key in the information to a database as it is relayed to them by the reporting manager. For companies with an advanced intranet network, an online report might be a viable option that can be completed and instantly e-mailed to the appropriate security personnel 24 hours a day with the push of a button. Even a basic pen and paper report completed by management and faxed to the security department can be an effective means of documentation if that is all that is available. Regardless of the methodology used, it is important that constant communication is ini-
Security Measures: Deploying Physical Security
225
tiated by security department personnel to the appropriate operations staff of the need to report criminal acts committed on their premises. Organizations should not rely solely on their internal databases to determine what crime is occurring at their facilities. It is a good idea to check local law enforcement records if they are available to determine the crime statistics for your locations. A note of caution should always be observed, however, when you are strictly using police records for your site security recommendations. In the case of large office complexes or shopping centers, law enforcement officers will sometimes just list the address of the largest facility in the immediate area as the offense location. This is especially true at shopping centers made up of individual retailers that share common parking areas. The end result might be that criminal offenses are recorded as having occurred at your facility when in fact they occurred at a neighboring business. In addition, certain research firms can provide in-depth crime research of law enforcement records reflecting crimes committed in or around your property. Some of these companies take the time to individually review each criminal offense that is listed in police files as having occurred at your location. The particulars of the offenses can be communicated to you (ex: time of offense), and possible patterns of crime may be discerned that may be especially useful to you in the deployment of your security resources. These services can be especially useful in areas where you do not have on-site security department staff to perform an in-person site assessment of the property in question and to consult with local law enforcement officials about area crime statistics. Documentation, including prior premise liability litigation specific to the site under consideration, can most definitely have a positive impact on the approval process if you can tie the security equipment you are proposing to the future reduction of exposure in liability claims of the nature your company has experienced before. During your presentation, it sometimes helps to work in a “war story” if applicable about how the technology under consideration was responsible for either deterring or detecting criminal activity. If you have first-hand knowledge of how the equipment has performed in an incident at a previous employer, at another one of your facilities, or perhaps even at a competitor’s location, this could be an opportune time to let management see the real-life applicability of the equipment. Don’t neglect to utilize the information you hopefully have already gleaned from competitors on the type of equipment they use if you feel it would be beneficial in supporting your proposal. If you are in a business that is under intense public scrutiny, such as a retail establishment or public transportation company, it is especially important to note that your customer base has a certain expectation of security while on your premises or utilizing your services. Whether or not the expectation is a realistic one is often debatable, but the indisputable fact is that they do have that expectation to varying degrees. For example, if your competitor has better lighting than you do in his parking lot, you will inevitably hear about it from your customers and quite possibly your employees. Damage to your public
226
Strategic Security Management
image due to security lapses, especially since the September 11 attacks, is a definite concern that needs to be considered during both the design and approval process involving security equipment. Increasing the value of the security equipment you have proposed to your organization is another way to get management to buy in to the expenditure. For example, if you are trying to get a new CCTV system installed at a facility, look beyond the security applications of the system. Examine other ways the cameras can add value to the organization. For example, if you have a facility that is open to the public, are there any areas of the building in which you have an inordinate number of slip and fall claims by customers? If there are, propose putting a camera there to help capture some of those incidents to see if they’re indeed legitimate claims or fraudulent ones. In today’s litigious society, it would only take a couple of fraudulent claims that could be denied using CCTV footage of the incidents to pay for the proposed CCTV system. You could also make camera surveillance footage available to distribution or operations management if cameras were located in areas in which they wanted to measure worker productivity. Before making your final sales pitch to whomever in your organization is responsible for the equipment expenditure approval process, you should reach out to your counterparts in other departments to see in what way the equipment you are proposing can be of benefit to them. By doing this in advance and including their positive feedback in your presentation, you are building value for the proposed equipment and increasing the likelihood of getting your expenditure approved. Probably the most important part of the proposal process is how you make your presentation. More often than not, depending on your position, your presentation will be before the management of your organization. It is extremely important for the success of your proposal, and quite possibly your career, that you deliver the proposal in clear, concise terms and keep the presentation as brief as possible. Never embellish on the performance or the need of the equipment. That tactic will come back to haunt you. Once your presentation is over, be prepared to answer questions with short answers if at all possible. The managers you are dealing with will more than likely have numerous other matters to address besides your proposal and will generally appreciate your brevity. And finally understand that you will not win every battle. There will be times when you will be told no to your recommendations. While this may be hard to take personally, if you have taken all of the steps you believe necessary to educate your organization’s management on the need for the proposed equipment, then you have done your job. If repeated security expenditures you propose are denied over a period of time, then you should consult with your manager to determine what, if anything, you could do differently in your preparation process or presentations that might have a more positive effect on the outcome. As importantly, you need to reaffirm that your security philosophy parallels that of the organization for whom you work.
Security Measures: Deploying Physical Security
227
Countermeasure Implementation The installation phase of your project will now begin, assuming management has approved your proposal for the expenditure of monies for security equipment. Before delivery of the equipment, every site should have an on-site visit from a member of the security department to make sure the facility is ready for installation of the equipment. Once the equipment arrives, make sure your vendor secures the equipment in a safe place over the course of the install. What could be more embarrassing to explain to your management than that the security equipment was stolen? Even after the equipment is on site, it is imperative that a knowledgeable security representative monitor the progress of the equipment’s installation to ensure that it is being installed according to bid and meets your organization’s expectations. Those who have been involved in the construction of any facility will tell you that it is an evolving process. A blueprint may reflect one thing, but during the actual building of the structure the doors, windows, and even walls can be moved or modified based on revised needs. Whenever this happens, it is imperative that the security needs are reassessed to determine what changes, if any, need to be made in the equipment specifications and installation. To leave this task in the hands of a vendor can lead to ineffective or improper installation of security equipment, and subsequently it could cost more to correct. The old adage of “inspect what you expect” has never been more relevant. This is not micromanaging; it is simply making sure that the resources security decision makers have been entrusted with are being utilized in the most effective manner. In addition, the sooner a needed change in equipment type or location is detected during the construction process, usually the easier it is to effect this change. A wise security decision maker will quickly develop a partnership with his organization’s construction department to enlist their help in monitoring the correct installation of security equipment. Security personnel should attend on-site construction meetings with all of the other vendors during the building process to make sure their needs are being addressed and to help educate the vendors on what those needs are. Communication with the contractor overseeing the entire construction process is also critical. For example, when installing a CCTV system, you probably will want to have it on a dedicated power circuit. This in turn should be connected to an uninterrupted power supply (UPS). There is no more appropriate person than the security representative to ensure that this is communicated to the construction superintendent and the electrical contractor. By building a good rapport with these individuals and letting them know what your needs are, security decision makers are much more likely to have those needs addressed properly and in a timely manner. There are many competing interests during the construction of a facility. If you or a member of your staff are actively involved during the construction
228
Strategic Security Management
process and interact in a positive manner with the construction personnel, you stand a much better chance of developing a long-lasting partnership with them. Another benefit of this interactive approach is that you might possibly develop another “set of eyes” to spot any security-related issues on future building projects. At the end of the installation of the security equipment, it is beneficial, especially on large projects, that you develop a checklist for the security vendor to ensure they have completed the project per your expectations. For example, if you are having an alarm system installed, has the technician walked the system to ensure the motion detectors are providing adequate coverage of the area in need of protection? If a panic or duress button has been installed, has it been tested to make sure that the central monitoring station has received the signal? What could be worse than someone working at your facility pushing a button with the expectation that it will summon help and it does not work. Nothing will make security installers more accountable for their work than having them personally sign off on a checklist that they have completed the installation process in the specific manner that you have previously outlined to them. Once the installation phase of the project is completed, the next step is to make sure that the on-site staff knows how to operate the equipment and utilizes it in the intended manner. Many companies include training sessions on their equipment in the purchase price. The training should be utilized to make sure that the end users of the technology understand all of its features that can assist them in protecting the facility and its assets. This is especially important at locations where there are no on-site security personnel and facility personnel have direct responsibility for utilizing the security equipment. If the security decision maker expects to get buy-in from facility personnel and management to utilize the security equipment that has been put in place, then it only makes sense that the management is trained on how to use it. Management should also be educated as to why the equipment was installed and how it helps them. You do not want to leave the facility personnel and management with the impression that this is just another item they have to take care of or watch over because the corporate office says to. They need to understand the value of the equipment. Much as you had to sell management on the need for the equipment, you now have to sell the end user as well; otherwise your efforts will have been in vain. Maybe you have installed an alarm system at a facility that records data on a printer in the facility manager’s office every time an exit door alarm is deactivated. The facility manager needs to check this log daily to determine if possibly someone has gotten the disarming code and is covertly removing equipment or product from the facility via this exit. Or, for example, you might have an advanced digital CCTV system that the facility manager can use to review not only security concerns but worker safety and productivity issues as well. The more value you can convey to the facility manager regarding the security equipment you provided them, the more likely they are to use it. Facility
Security Measures: Deploying Physical Security
229
personnel should also be convinced of the importance of immediately reporting to security any equipment that is malfunctioning so that repairs can be affected. Although it might be somewhat burdensome for a security department to have to ensure that repairs of equipment are being addressed in a timely manner by security product vendors, the positive result in following this approach is that the repairs can be tracked more efficiently and they will more than likely be completed in a timelier manner given the more focused oversight. In addition, it is also easier for security decision makers to more quickly detect trends in like equipment failures at multiple facilities. This information can then be relayed to the security product vendor to determine whether there is a need to modify existing equipment at other facilities before it encounters the same difficulties. Information of this type would be especially useful if additional equipment was being considered for future purchase from the manufacturer whose equipment was failing.
Auditing Effectiveness To further ensure that the security equipment that has been installed is being utilized as intended, an audit process should be implemented. Security department personnel should regularly check to make sure the equipment is functional and that it is being used according to the organization’s standards. For example, if you have a facility that has a digital CCTV system that you have set up to monitor alarms in high-risk areas at certain times of the day, you more than likely have implemented guidelines that require the facility personnel to regularly check to see if alarms have been generated on the system. As with any other required security standard, simply setting the standard and communicating it to organizational personnel does not ensure compliance. Auditing the use of security equipment greatly increases the likelihood that the equipment is being used to the organization’s standards. Yet auditing just for the sake of auditing can be a waste of time if the security department audits are not backed by the organization’s management and operations team. Too often in the corporate culture, audits are conducted by security personnel and operations responds with “lip-service” promising to correct the problems found in the audit, but rarely following through with those promises. Audits without management support may identify the problems, but rarely do they correct them. This is not to say that security must always go in with a “big stick” or with an “I got you” mentality when conducting audits. To the contrary, security personnel should continually strive to be viewed as part of the team. Whenever possible, audits should be put into the context of an opportunity to educate management on existing security programs. Establishing good rapport with facility management is of the utmost importance if a security program is to be effective. By showing facility management the usefulness and effectiveness of the security tools that have been provided
230
Strategic Security Management
to them, there is a much better chance that you will get their buy-in and compliance with security programs. Crucial elements of any effective security program are buy-in from the end user and support from organizational and facility management not only for the program itself, but also for the appropriate disciplinary action for those who continue to resist adhering to established security practices and protocols. Hopefully, this will not happen very frequently in any organization, but it will inevitably occur, and when it does it needs to be addressed rather than overlooked if the security program is to remain viable. More often than not, if a security decision maker has formulated a program that has been shown to be effective and has partnered with the end user of their services and equipment, those individuals will be reaching out to them for assistance and to discuss security issues. What better compliment to a security program if, for example, you oversee security at multiple facilities and the facility managers at one of those facilities calls to ask you to get the same state-ofthe-art CCTV system installed at his site because he has heard and seen what a great tool it has been for the facility managers of the other locations that have the system. This type of favorable response is a strong indicator that your security program and the technology you are selecting is a value to your company. In most organizations, justifying the need and expense of physical security equipment will always be a continuous effort. Success in getting approval for capital for these projects will hinge on the security decision maker’s expertise in selecting the right equipment and provider as well as in justifying the need for the expenditure. To help gain future approval of projects, it is very important that security decision makers document and share their success stories with organizational management responsible for making the decisions on future purchases. In this way, management will see the positive end results of such expenditures, thereby greatly increasing the possibility that the security decision maker’s future proposals will gain at least a hearing.
Chapter 12
Security Measures: Personnel
In this chapter . . .
Introduction Training Metric-Based Security Deployment Off-Duty Law Enforcement Officers versus Security Officers Contract Security Forces versus Proprietary Security Forces Quality Control and Performance Evaluation The Soapbox: Increasing Professionalism
TAG's Risk Assessment Process® Asset Identification
Policies & Procedures
Current Security Measures
Physical Security
Security Personnel
Threat Assessment
Crime Analysis
Vulnerability Assessment
Risk Assessment
Cost Benefit Analysis
Report and Recommendations
Figure 12-1. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
231
232
Strategic Security Management
Introduction Security personnel are quite easily the most expensive countermeasure available to security decision makers, but have one key characteristic that separates them from other types of security measures—the ability to reason. Reasoning is the ability to think, infer, and comprehend in a rational manner. The ability to reason is a prerequisite for a security officer’s primary task of observing and reporting. Beyond their primary task of observing and reporting, the security force’s secondary responsibilities typically include controlling access by both pedestrians and vehicles to the facility, patrolling the grounds, inspecting physical security measures to ensure proper operation, and special assignments. As the eyes and ears of management, security officers may be stationed at fixed posts or may patrol various locations within the facility. Since many published books discuss security personnel management, this chapter will focus on the more difficult management issues and the latest concepts in security force deployment. Among the issues and concepts addressed in this chapter are metric-based deployment and redeployment of security forces, quantitative and qualitative performance evaluations, security force training, security quality control, increasing professionalism, use of off-duty police officers, and differences between contract security forces and the proprietary security force.
Training Currently, there are no national standards for training security officers, but most states have minimum training requirements and efforts are being made within the industry to establish a national standard from various entities. Among these organizations are the International Foundation for Protection Officers, which provides standardized training for security officers and certification as a Certified Protection Officer (CPO), and the American Society for Industrial Security—International, which published its Private Security Officer Selection and Training Guideline in 2004. National standards are more necessary today than they were in the past because of the increased threat of terrorism and because of wide-scale, devastating national disasters such as Hurricane Katrina along the Gulf coast of the United States in 2005. Some security personnel end users recognized the need for uniform training standards long before the threat of terrorism was so prevalent. For example, one government agency required that its security contractor have 75 percent of its existing security force at other sites be trained in conformity with the government agencies’ current training standard in the event of a wide-scale disaster where up to 50 percent of the existing security force would be needed and available to supplement the existing force. Although the security contractor in this situation was able to commit those personnel, the majority of the officers were deployed in a neighboring state where the state-mandated training requirement was less
Security Measures: Personnel
233
than what was needed. The contractor was able to satisfy its client’s needs by training those officers to the client’s standard. Training is used primarily to provide the security officer with the requisite knowledge to carry out their protection duties in a legal and professional manner. However, the benefits do not end there. Training also increases performance, enhances problem-solving ability, provides continuing motivation, reduces turnover, and provides liability protection in the event of an inadequate security lawsuit. Typically, the security officer has two specific training needs: general security training and training unique to the client’s facility and assets. Clientspecific training criteria should include familiarization with the facility, critical assets and functions, policies and procedures, and physical security measures. Reviewing the organization’s risk assessment reports is also recommended for new security officers at the facility as well as the ongoing training process for other security officers. General training standards typically include the following topics:
Ethics Professionalism Legal Aspects Use of Force Communications Observation Report Writing Basics of Physical Security Measures Policy and Procedures Life Safety
Workplace Violence First Aid and CPR Conflict Resolution Security Awareness Information Protection Fire Prevention Traffic and Crowd Control Emergency Management Bomb Threat and Hazardous Material Response Public Relations
Client-specific training is normally accomplished through an initial orientation and on-the-job training. General training is more diverse and may be completed through classroom sessions, computer-based training, mentoring, field training officers (FTOs), and on-the-job training. Continuing training should be provided annually, with refresher training provided as needed based on legal changes or changes to the client’s needs.
Metric-Based Security Deployment Security personnel are commonly used to reinforce a security program where policies and procedures and the physical security system and measures are unable to counter a high-risk situation alone. Risk, as discussed throughout this book, is the possibility of asset loss, damage, or destruction as a result
234
Strategic Security Management
of a threat exploiting a specific vulnerability. Risk is the most significant factor that drives the deployment and redeployment of security forces. Practically speaking, the most difficult issue facing security decision makers is how and when to deploy and withdraw security officers. What decision process does a security professional use to deploy security personnel? What factors affect the decision? Are security personnel deployed based on gut instincts or assumptions? Are they deployed based on end users who scream the loudest? Security force deployment based on gut instincts is ineffective and costly. Security personnel, because of their cost, should be deployed based on an objective understanding of their function and duties. While quantitative deployment guidelines and models are not absolute, they provide a firm foundation of reliable measures; yet they are still dynamic and flexible enough to change as needs change, as threats and vulnerabilities evolve. The reality in the security management world is that security personnel are rather easy to deploy, with the only major obstacle being cost. Once deployed, however, the withdrawal of security officers brings consternation and angst for the security decision maker. While cost was a consideration when deploying security personnel, it is dangerous to withdraw security personnel based on cost concerns. This danger will be recognized by security decision makers with any amount of seat time in a deposition or trial subjected to questioning by an attorney representing a person victimized on the security decision maker’s property. A number of quantitative factors are used in the deployment of security personnel. The quantitative factors are historical security breaches, call for service frequency, past crime types, and crime rates. Other metrics may include size of the facility and population (employees, visitors, etc). These quantitative factors must be tempered with more qualitative considerations, including organizational culture, industry norms and practices, liability and insurance issues, end user and customer expectations, and the security decision maker’s preferences. Organizational culture has an impact on the security program that must be considered by security decision makers. Is the culture conducive to intrusive security measures, such as protection personnel? Do other organizations within the same industry utilize personnel? Are security personnel a common practice in those other organizations? Liability and insurance issue are also a qualitative consideration for security decision makers. Has the organization been subjected to legal scrutiny in the past for not deploying security personnel? End users and others who visit the facility have expectations as well. Is the expectation that security personnel will be present to control access, to contribute to a feeling of safety, to provide escorts? The opposite might also be true. Do customers and end users expect an open and friendly environment with no desire to have intrusive personnel? Can the security personnel be dressed in softer uniforms, such as slacks and blazers, rather than the standard hard uniform? While taking the qualitative factors under advisement, the ultimate force behind security personnel deployment are the mathematically measurable
Security Measures: Personnel
235
factors. Crime history, crime rates, past security breaches, and call for service are among the metrics that can be utilized in establishing a security personnel deployment protocol. Although no magic number exists, each security decision maker should have a threshold of crimes, security breaches, or threats that determine precisely when security personnel are to be used and withdrawn. To err on the safe side, many security professionals use a liberal approach to deploy and a conservative approach to withdraw. That is, they deploy before threats are actually at the threshold, and they withdraw only after threats have fallen below the established threshold and for a prolonged period of time. When determining the threshold, the security decision maker must evaluate two factors. What policies, procedures, and physical security measures can be implemented to reduce risk before security personnel are considered? The other factor involves the manageable threat norm for the facility or the organization. Even with the deployment of security personnel, crimes can occur. What is the normal and manageable amount of crime and other risks for the facility? As we have seen since the Department of Homeland Security introduced the Threat Advisory System, a middle-threat level is considered normal for the United States. A more practical application will be beneficial to illustrate this point. Take the example of a retail store located in a metropolitan area which experiences two violent crimes on the premises each year even with security personnel present. When security personnel are removed, does the threat decline? After extensive testing and monitoring, it may be found that, even after a reasonable level of security personnel deployment has occurred, crimes will still be perpetrated on the premises. An understanding of the threat norm is critical to a reasonable and effective security program. As discussed earlier, security decision makers will typically deploy personnel before the threshold is reached but will wait longer after the threat has declined below the threat level before pulling out the increased security coverage. What length of time is appropriate? The easy answer is that the security officers are withdrawn only after a reasonable amount of time has passed with no further threat increase. This ensures that the decrease in threat level is not an anomaly. For each organization, the length of time will vary. On a practical level, the effort to constantly monitor threats can be difficult and time consuming. Thus, most organizations will monitor threats on a time frame that does not exceed one year.
Off-Duty Law Enforcement Officers versus Security Officers Security decision makers have a variety of choices as to what type of security personnel to utilize at their facilities. Increasingly, the debate about one of these options has grown in recent years because of the dire consequences associated with its use and recent events. This option is the off-duty law enforcement officer. Police officers and sheriff ’s deputies provide a high level of
236
Strategic Security Management
perceived security when working off-duty on private property. More often than not, they are in full uniform, armed, and carry other law enforcement equipment. Sometimes they are able to use other police resources such as patrol cars, which provide additional deterrent value to the security decision maker utilizing their services. Deterrence is a key element of a crime prevention and security program, and law enforcement officers serve well in this capacity. Police officers also have the power to make arrests for any crime, including major crimes not committed in their presence. Despite their advantages, off-duty law enforcement officers are not without their shortcomings, some of which are highly consequential to those who contract for off-duty police services. Security decision makers need to be aware of these issues before selecting police officers to provide the entire security force or to supplement contract or proprietary security staff. Among the first considerations when selecting off-duty police officers is the type of facility or organization in need of protection by security personnel. Unless the threat level is significantly high, for most apartment buildings, office buildings, hotels and motels, retail stores, and shopping centers, off-duty law enforcement would be overkill and costly. For industrial facilities, hospitals, and government buildings, law enforcement personnel may be the preferred choice for security. However, absent an inordinately high and prolonged threat level, off-duty police officers would not likely be a cost-effective solution. The threat level of a given facility may be high enough to justify the use of police officers to provide protection. However, security decision makers who utilize off-duty police officers to provide security for their facilities have increasingly become aware of the hazards posed by such personnel during wide-scale emergencies such as a terrorist incident or a natural disaster. Many law enforcement officers are considered on-duty 24 hours a day and must be prepared to return to their primary duty with the government they serve on short notice. Security decision makers must recognize that off-duty police officers are not dedicated security personnel and can leave the facility unprotected in the event of such an emergency. Beyond emergencies, other wide-scale events require every available law enforcement officer to return to duty and thus leave the private organization unprotected. Examples include Mardi Gras in New Orleans, the Olympics held in a U.S. city, or Spring Break in South Padre Island, Texas. Even without a major emergency or special event, a police officer may be required to leave his or her security post to respond to a crime off the property. A relevant example of the danger created when a law enforcement officer leaves his security post occurred at a retail store in Texas. A sheriff ’s deputy moonlighting as a security officer for a grocery store was patrolling the parking lot when a young woman entered the store after dark. While the woman was in the store, the sheriff ’s deputy was called away to a gang-related crime miles away from the store. Since the deputy served on the county’s gang task force,
Security Measures: Personnel
237
he had to respond and did so without informing the grocery store’s management. The young woman exited the store after the deputy left, walked through the parking lot to her car, and was abducted and raped repeatedly during the night. Needless to say, the grocery store, having failed to provide protections for its customers, was exposed to liability and was subsequently sued by the victim. Some organizations have attempted to hire off-duty law enforcement officers to protect their assets in the belief that the organization can cloak itself with government powers. This is not the case, however. The reality is that those government powers can be the source of increased liability exposure. The selection of police officers to fill a gap in security exposes the organization to additional liability where they are held to standards normally reserved only for government entities. That standard is Section 1983 of the United States Code and defines constitutional violations committed by the government against individual people. In recent years, this federal statute has been applied to police officers acting under “color of law” who injure or kill an alleged criminal while employed by a private company. In these instances, the alleged criminal may sue the private company under normal premises liability theories, but may also claim constitutional rights violations by the company that employed the officer. The courts have ruled that a privately employed police officer wearing a police uniform, displaying a police badge, driving a police vehicle, or yelling, “Stop, Police!” is acting under “color of law,” and thus the private entity may be held liable (civil and constitutional) for that officer’s actions. The repercussions for a jury finding of guilt of violating a person’s constitutional rights could put many companies in financial jeopardy and harm their reputation beyond repair. For a private company to hire law enforcement officers in order to protect their assets, a conscientious separation of the law enforcement and security functions is required. In a perfect world, the organization’s policies and procedures would dictate that the off-duty law enforcement officers act independently of their public function and not hold themselves out as government officials while working the security detail. Unfortunately for the private organization, many law enforcement departments have changed their policies on how their officers may work extra employment. The policies and procedures of many law enforcement agencies have been revised in recent years, restricting their officers from providing security in the purest sense. These newer policies only allow their officers to work extra employment jobs in their capacity as law enforcement officers. This is a significant change, illustrating that the security decision maker can no longer expect off-duty law enforcement officers to enforce the organization’s policies and procedures and other house rules. For the organization whose entire security force is composed of off-duty law enforcement officers, the result of these department policies is clear. Off-duty officers are at the facility acting in their official capacity as law enforcement officers, no longer able to enforce the organization’s policies which may include writing daily activity reports or
238
Strategic Security Management
conducting inspections of physical security measures such as lighting and alarm systems. This means that the organization must have other personnel assigned to these tasks. When hiring a private security contractor or using a proprietary security force, security decision makers can dictate the level of security intervention at their facility and specify to what degree of scrutiny their customers, employees, and other visitors will be subjected. This is a critical determination, for a careful balance must be drawn between protection of assets and customer service orientation. Off-duty law enforcement officers provide more protection than customer service. With their enforcement of law function, they cannot overlook minor infractions that the organization does not want enforced from a customer service perspective. For example, if a nonhandicapped customer parks in a handicap parking spot and is given a ticket by the off-duty law enforcement police, the organization does not have the discretion to prevent the officer from writing a ticket. Many organizations would prefer to take a customer service approach and provide a verbal warning to their customer rather than take a unconditional law enforcement approach. In this instance, a private security officer would have the discretion to enforce the company’s rules. Similar to other products and services, the cost of private security labor is market driven and subject to competition and other market forces that help to regulate the rates charged by a security services provider. Law enforcement labor rates are at a premium for two reasons. First, competition is almost nonexistent because typically only a handful of law enforcement agencies serve a community, and thus there are only a handful of service providers. Second, there is a strong demand for law enforcement protection for special events such as sporting events, political rallies, funeral processions, and other crowd management events. In some jurisdictions, off-duty law enforcement officers can cost the organization upwards of $30 per hour for their services, while private security companies may charge less than half that amount for an unarmed, uniformed security officer and in the neighborhood of $15 per hour for an armed, uniformed security officer. From the security industry perspective, the financial costs of unequal competition from law enforcement agencies can be detrimental to business, and security experts realize that the training given to public police officers does not relate to security. From the departmental standpoint, police managers have voiced concerns over departmental liability, conflicts of interest, loss of focus on primary duties, and officer fatigue, which may hinder their ability to perform normal duty. Training is another important factor in the security professional’s decisionmaking process in determining whether to use off-duty law enforcement officers or private security officers for the protection of assets. As discussed earlier, national-level training requirements exist neither for security officers nor for
Security Measures: Personnel
239
public law enforcement officers. Training standards do exist, however, for law enforcement officers at the state level and for each law enforcement agency. The general public, including many security decision makers, usually believes that law enforcement officers are better trained. But better trained for what is the critical question. Surely, law enforcement officers are better trained to be police officers, but are they better trained to be security officers? Law enforcement officers, by profession, are charged with the primary duty of apprehending criminal perpetrators. Obviously, that is an important responsibility, and a significant amount of training is required to carry out that responsibility effectively and within the guidelines of the Constitution, state law, and departmental policy. It should be noted that apprehension is a reactive measure once a crime has already been committed. Reaction is not the goal of an effective security program; rather, proactive prevention of crime is the goal. In general, law enforcement officers receive more training than security officers, but their job preparation often includes such topics as constitutional rights, criminal law, traffic law, drug law, use of force, the penal code, arrest, search and seizure, family violence, patrol procedures, and criminal investigation. Although some law enforcement training would be valuable for security officers, the majority is superfluous. Unlike law enforcement officers, security officers typically receive training in security-specific issues such as risk management, physical security planning, alarm and CCTV operation, labor relations, theft of asset deterrence, workplace violence prevention, crisis intervention, and customer service. When considering training item by training item, it becomes evident that law enforcement officers are not adequately trained to execute the duties of a security officer. It should be recognized that the security industry has grown into a diverse profession, with training and certifications available in well-defined and highly specialized areas. When a security professional is faced with the decision to use law enforcement officers or private security personnel as the primary protection force, they should fully understand the implications of each alternative. This pivotal decision may have unwelcome repercussions and a major impact on the organization’s ability to protect assets, provide customer service, and limit liability. Should the security decision maker decide to use private security officers, another question must be answered: Should a contract security force be utilized, or should a proprietary security force be created?
Contract Security Forces versus Proprietary Security Forces Among security professionals, there exists an ongoing, always interesting, and sometimes heated debate about the advantages and disadvantages of contract security forces and proprietary security forces. Which security force
240
Table 12-1 Comparing Basic Security Staffing Models Adapted from Hospital and Healthcare Security, 4th Ed., Russell L. Colling, Comparing Basic Security Staffing Models, Page 128, 2001, with Permission from Elsevier. Staffing Model
Organization
Program
Rating
Proprietary
Outsourced
Combination of Outsourced/Proprietary
Off Duty Law Enforcement
Cost Cost Control Cost Effectiveness Clear Chain of Command Organizational Control Effective Training Effective Supervision Industry Expertise Effecting Program Change Integration into Organization Loyalty to Organization Lack of Turnover Upward Mobility Completing Good Documentation Quality of Investigation Activity Crime Prevention Efforts Officer Image Overall Effectiveness
Fair/Poor Good/Fair Good Very Good Very Good Very Good Good Very Good Good Very Good Very Good Good Fair Very Good
Very Good Very Good Very Good Good Very Good Good/Fair Good Fair Good Fair Fair Fair/Poor Good Fair
Good Good Good Fair Very Good Good Good/Fair Good Good Good/Fair Good Fair Fair Good
Very Poor Poor Poor Poor Fair Poor Very Poor Very Poor Poor Poor Poor Fair N/A Poor
Very Good
Good
Very Good
Fair/Poor
Very Good Very Good Very Good
Good/Fair Good Good
Good Good Good
Fair Fair/Poor Poor
Strategic Security Management
Budget
Security Program Characteristics/Profile
Security Measures: Personnel
241
provides better protection? Which provides better value? These questions are difficult to answer, and they have no right answers since these answers depend on the needs of each specific facility or organization that uses security personnel. In his book, Security Management: Business Strategies for Success, Dennis Dalton discussed three myths that characterize some security buyers’ feelings about the difference between proprietary and contract security officers. The myths are quality of the workforce, loyalty to the client, and turnover rates. It is typically assumed that a proprietary security force is of higher quality than a contract force. This may be evident on the surface when assessing various security forces, but a more thorough analysis yields a number of factors that contribute to a higher level of quality. These factors, which will be discussed in the next section, include higher compensation, more training, more experience, and work environment. This last factor may stand out to some readers inasmuch as the work environment does not change depending on whether a proprietary security force or a contract security force is on duty. Or does it? Obviously, the physical environment does not change, but other factors do change often if a security force is contracted or if the force is made up of actual employees. Does a contracted security officer get treated the same way as other employees of the facility? Is the same sense of ownership harnessed? Very likely, this is not the case with contracted employees unless management makes a concerted effort to treat a contractor’s employees the same way as their own employees. Security force loyalty is another myth in the proprietary versus contract security force debate. By setting the same standards for training, professionalism, and compensation for the contracted force as they would a proprietary force, security decision makers can harness the same level of loyalty to the their facility and the organization from contracted security personnel as they can from a proprietary security force. Turnover among security officers represents a significant cost to an organization, and its control can lead to considerable cost savings to the security department’s budget. With a high-quality and loyal security force, contract or proprietary, security decision makers can also reduce the turnover rate. By working closely, in partnership, with the contract security company, the organization can reduce turnover to a manageable rate and build on the quality and loyalty. As discussed, the contract versus proprietary security force debate does not actually revolve around whether or not a security force is contracted or proprietary. The real issue is professionalism. In today’s world, there are actually three types of security personnel: entry-level security officers, professional security officers, and paramilitary security officers. The next section will discuss the differences and what the industry should do to move toward a more professional officer and a more professional image in the future.
242
Strategic Security Management
Quality Control Inspection Checklist Visit Type (Announced/Unannounced): Date and Time of Inspection: Facility Type and Address: Officer(s) on Duty: Latest Supervisor Inspection: Post Orders: Log Books: Timesheet: Occupant Emergency Plan: ID Badge: State License No. and Expiration: CPR/First Aid Card Expiration: Post Order Knowledge: Security Patrols: Supervisor Interaction: Customer Interaction: Equipment Serviceability and Procedures: Radio Operations: Firearms Safety (visual check only): Uniform: Other Equipment: Security Area/Office Appearance: Appearance/Hygiene: Security Officer Morale: Additional Comments:
Quality Control and Performance Evaluation The quality control function of a security program provides an independent inspection of security force performance. The goal of quality control inspections is to maintain a high-level quality, performance, and compliance with legal and the organizations’ regulations to ensure that deficiencies are detected before they become widespread and jeopardize the security of the organization or facility where security personnel are deployed. As stated, quality control inspections are independent evaluations and should be conducted by those who can perform the inspections at arm’s length, preferably an independent unit of the organization or a separate company contracted to provide quality control inspections. Quality control inspections also ensure that senior management provides the necessary planning and organization to allow the security force to satisfy the needs of the facility. The quality control function also strives to
Security Measures: Personnel
243
achieve continuous improvement of quality in all security-related activities and to maintain compliance with all applicable laws and regulations. Quality control inspectors should be intimately familiar with the duties and responsibilities of the security force, including the officer’s general orders and post orders. For a contract security force, the quality control inspectors also ensure compliance with each contractual obligation and other client mandates, such as training, licensing, uniform, and other hygiene issues. In this regard, a standardized quality control inspection checklist should be utilized to ease the inspection process. While the quality control inspection checklist is used during the inspection, some information that can be gathered during the inspections may not fit the mold of a checklist. For example, the morale of the security force is an issue that is not easily captured on the checklist and can be written up in a text-based summary at the end of the report. The quality control inspections should take place at regular intervals, with typical intervals being monthly or quarterly. These inspections may be announced and/or unannounced depending on the needs of the facility or organization. In some cases, covert quality control inspections are necessary. The quality control reports provide evidence of due diligence in the event of a later dispute and should be maintained in a file. However, the reports should be acted on immediately to correct and prevent deficiencies before they become problems. For example, the quality control inspection may reveal that a security officer’s CPR training expires in two months, but he or she has not yet taken a refresher course to re-certify that credential. The quality control process identifies this issue, and the security officer’s supervisor can take the necessary action to schedule the officer’s training in advance of the certification expiry. Regardless of the type of deficiency, each one must be reported within a reasonable time, though major infractions should be reported immediately so that the problem can be rectified quickly through corrective action. Quality control reports are the result of the inspection and should be submitted through the proper channels as soon as they are complete. It is also common to provide the reports to the client in a contract security force arrangement as well. This allows the client to recognize the security service contractor’s diligence, and it provides the client with the opportunity to provide feedback on the security force’s performance. After a deficiency is noted on the quality control report, the inspection should suspend the item until the next inspection and follow up to ensure that the deficiency is corrected. Corrective action can include additional training, as well as verbal or written reprimands. During the quality control inspection process, the inspector ensures that all the officers have in their possession all required credentials, including badges, identification cards, training cards, and any other documentation required by the organization. Each security post should have a duty book—often a threering binder or folder that contains necessary paperwork and forms, such as time sheets, daily activity reports, patrol logs, and incident reports. Post orders, general orders, occupant emergency plans, and threat advisories should also be
244
Strategic Security Management
maintained in the duty book. The quality control inspector will ensure that all forms are complete, detailed, accurate and legible. The security officer’s uniform should be inspected to ensure that all gear is present and that their overall appearance is professional and within the guidelines of the organization. Security-related equipment, such as CCTV monitors, X-ray machines, and handheld metal detectors, are inspected during the inspection as well. The quality control inspector should also question the officers on specific post order requirements to ensure that the security officers thoroughly understand their duties. The inspector may even patrol the facility with the security officer.
Post Orders POST ORDERS FOR UNARMED SECURITY OFFICERS DEPARTMENT OF ENVIRONMENTAL SERVICES (DES) ANYTOWN, NORTH CAROLINA SECURITY FORCE Security Force. The Security Force for this operation consists of two uniformed, unarmed security officers (two part-time/reserve officers). These officers will be responsible for manning one visitor screening post at the main entrance of the Mecklenburg County Department of Environmental Services (DES) facility located at 1240 Government Center Road, Charlotte, NC. In addition to performance of the primary duty of personnel screening and access control, the security officer assigned to the post may also be employed from time-totime, based upon visitor flow and/or as may be directed by the Director, DES or their representative, to execute the following additional security functions:
Roving Patrol—random walking patrol throughout the interior of the facility, around the exterior perimeter of the building, and through the parking areas immediately adjacent to the facility Security Escort—accompany client employees, case workers, and other government officials to designated interview areas and/or office spaces to provide a physical presence for deterrence and control of disgruntled, violent, or uncontrollable visitors or personnel who have a known or presumed potential to create disturbances to the normal operation of the facility Provide Assistance/Information—officers will possess a basic knowledge of the Department of Environmental Services, its operations, key staff personnel, and rules/regulations to the extent that they can provide basic assistance and information to the general public and visitors in order to direct them to the appropriate locations and personnel within the facility Law Enforcement Interface and Cooperation—while not charged nor vested with the jurisdiction to enforce any civil laws, security officers may observe, report and document breaches of security within the facility and refer the same to local authorities as may be warranted by the severity of the incident and as consistent with the guidance provided by the Director of the facility or their designated representative
Security Measures: Personnel
245
POST OPERATIONS Post Description. Security officers will man one fixed post located inside the front doorway at the entrance foyer into the facility where a single public access point into the facility has been established. This post is designated as Post #1. Post #1—VISITOR SCREENING POINT, MAIN ENTRANCE FOYER, CCDES BLDG The officer assigned to this post has the primary responsibility for performing all aspects of access control for visitors. Functional tasks associated with access control through this post encompass:
Visitor Screening—The officer will operate a client provided Garrett Model CS5000 walk-thru magnetometer screening system for screening and clearing visitors into the lobby area of the facility. The officer will use the magnetometer to identify and locate any concealed weapons, contraband, or dangerous items that a visitor may be attempting to unlawfully introduce into the facility. In addition to operation of the magnetometer screening system, the officer may also be required to use a hand-held screening wand to conduct detailed inspections of personnel who may require a more thorough inspection than that afforded by the walk-thru screening portal. Inspection of Bags and Personal Effects—The officer will also be responsible for conducting a limited inspection of all bags, briefcases, backpacks, purses, and similar items being carried into the facility by visitors. If a prohibited or dangerous item is discovered during this inspection process, the visitor will be afforded an opportunity to remove the item from the premises. A list of items prohibited from being introduced into the facility will be provided by the Director, DES or their designated representative and will be periodically updated as may be required but at least on an annual basis.
Hours of Operation. Post #1 will be manned from 08:15 until 17:30, Mondays through Fridays, excluding holidays. Post Equipment The client will provide the magnetometer, hand-held screening wands (to include batteries), and a table for the inspection of bags at Post #1. Additionally, the client will, within their capabilities, provide the following support:
a small office area, cubicle, or at a minimum a lockable storage container (e.g., file cabinet or locker-style cabinet) in close proximity to Post #1 so that officers may store necessary administrative supplies and contractor provided post equipment a telephone with local service connection at Post #1 or in close proximity for use by the security officer in emergency situations either a dedicated or designated workspace with computer access so that security officers may complete required reports, timesheets, and official paperwork associated with the performance of security duties in support of the client make available a designated break area out of public view where the officer may take relief and eat lunch away from their post of duty
246
Strategic Security Management
The contractor will provide the security officer with the uniforms and personal equipment listed in Appendix 1 to these post orders. In addition to these items, Post #1 will retain the following post equipment for use by the officer assigned to this post:
First Aid Kit with latex gloves and CPR masks Extra batteries for flashlights (contractor provided) and search wands (client provided) Pens, pencils, notepads, report forms, timesheets, and similar administrative items necessary for the orderly and efficient performance of security duties
OFFICER DUTIES The officer serves as a uniformed, unarmed security officer and will perform his/her duties in a professional manner in accordance with the contractor’s Protective Forces Policy and Procedures Manual. The officer will log in/out using a contractor provided “Record of Time of Arrival and Departure” and record all hours worked on a contractor provided Non-Exempt Employee Timesheet. These forms will be completed in a timely and accurate fashion on a daily basis by the officer. The officer will record all significant events using a contractor provided “Security Officer’s Operations Log.” This form will be completed daily and serves as a chronological record of any significant events or unusual activity (e.g., alarm system activation, fire/EMS response, etc.) that occurs during the officer’s tour of duty. The officer will visually screen visitors to the agency. The officer will answer questions as appropriate and offer assistance where practical. The officer will not conduct any Department of Environmental Services related business or answer agency specific questions. Visitors carrying visibly prohibited items will be asked to remove the items from the agency facility. If the officer discovers that a visitor has a dangerous weapon or item, such as a firearm or explosive device, he/she will take practical steps to secure the visitor and dangerous item. The officer will immediately notify the Mecklenburg County Sheriff’s Department and the Director, DES or their designated representative. At the discretion of the Director, DES or their designated representative, personnel making deliveries may be required to present valid company or state issued identification and may be required to submit packages for inspection. Additionally, when directed by the Director DES or their designated representative, delivery personnel may be logged in/out using the “Record of Time of Arrival and Departure” during periods of increased threat or heightened security operations. The officer will not open sealed packages unless specifically requested by the Director, DES. In the event of an emergency evacuation of the building, the officer will assist with the evacuation of DES visitors and personnel as appropriate. The officer will report all significant security issues to the Director, DES or their designated representative. Based on the urgency of the situation, the officer may contact the appropriate law enforcement agency if, in the judgment of the officer, a situation requires an immediate law enforcement response in the interest of preservation of life or property. In such urgent situations, the officer will contact the Mecklenburg County Sheriff’s Department and then, as soon as possible thereafter, notify the Director, DES or their designated representative. The officer will record all security issues on the “Security Officer’s Operations Log” form and will complete a
Security Measures: Personnel
247
“Security Officer Incident Report” on all incidents that require either physical intervention by the officer and/or response by local law enforcement authorities. Other reportable incidents may include any unusual or serious event that occurs within the DES facility or its adjacent parking areas and include but are not limited to the following:
all incidents requiring emergency response (i.e., law enforcement, ambulance or fire/rescue) verbal or physical altercations building alarm events observations of unusual activity to include suspicious persons/packages the failure of client or contractor provided equipment
As it is not possible to give complete guidance or written instruction for every possible situation which might arise, the officer must conduct himself or herself in an appropriate manner at all times. Common sense and professionalism should govern all decisions, actions, and communications. Source: Post Orders, Copyright ©2007 by Security Consultants Group, Inc. Used by permission. Additional information available from Security Consultants Group, Inc. via www. scgincorp.com.
Benchmarking is also a key quality control function that can help security decision makers determine baseline performance measurements by which security officers can be assessed. Quality control inspectors can analyze the performance of security personnel by identifying the security force’s critical duties and responsibilities, and identifying the best practices used by superior security officers in executing their duties. This information can then be used to set performance objectives for other security officers to strive for. The functions that can be benchmarked depend on the nature of the duties and responsibilities of the security officers. Security personnel assigned to monitor closed circuit television monitors can be benchmarked by the frequency of correct response procedures used when alerted by the CCTV system. Officers assigned to an X-ray machine can be similarly benchmarked by the rate at which they catch prohibited items from passing through security via the X-ray machine. Response times after being alerted to an intruder are also a common benchmark for security personnel. Regardless of what is measured, the benchmark system should follow the SMART method described in the Data-Driven Security chapter, Chapter 1.
248
Strategic Security Management
SMART Metrics Good metrics are attainable when security professionals strive for SMART metrics. SMART stands for Specific, Measurable, Actionable, Relevant, and Timely. Specific—a metric must measure a specific variable. Measurable—a metric measures what is measurable. Not all components of a security program are measurable. For example, morale among security forces is often “measured,” but would not in a quantitative manner. Actionable—a metric should not measure variables which cannot be acted upon. If a security decision maker cannot remedy a problem, there is not much sense in wasting time on that variable. Relevant—a metric that fails to provide any information to improve the security program should be avoided. If the metric cannot tell us where we can improve, it is not relevant. Timely—metrics have expiration dates. Historical data is an excellent indicator of the future; however, the older the data, the less important they may be. A metric system incapable of assessing the latest data is useless.
The Soapbox: Increasing Professionalism In recent decades, the security industry as a whole has lifted itself from a blue-collar occupation to a true profession. Through the difficult process of earning certifications and education, and demonstrating value to their organizations, security directors have earned their proper place in the corporate boardroom, and their departments have followed suit as profit centers through cost avoidance. While a distinct level of professionalism has been earned and granted to security directors and managers, the same cannot be said for the specific role of the security officer, still relegated the title of the “guard” in many places. The following is not a discussion of how the role of the security officer must be raised to a white-collar profession, for that would be unrealistic and would leave a significant gap in the security of all organizations that utilize a security force. Instead, the following discussion opens a new line of thought, of logic, of reason of why the guard of old must be replaced with security officers of tomorrow. It is hoped that this discussion will also open the door to how to reach a new level of professionalism. Most in the security industry should know why a new level of professionalism is sought for line security personnel; still, it might be beneficial to discuss the reasons, both the altruistic ones and the economic ones. The security officer is the most visible member of the security department and is a product of the security management. When the security officer is seen as being on the same level as the janitor or maintenance personnel, it speaks poorly of the department’s professionalism. When the security officer is viewed as a valued member of the organization, it reflects well on the security management team. Eco-
Security Measures: Personnel
249
nomically, security officers are the most expensive element of a security program and often the most difficult to justify. The return on investment of a security officer is not easy to calculate in many situations, yet security directors are forced, based on their risk assessments, to request funding for additional or new security personnel deployment. However, when a security decision maker can adequately calculate a return on investment, the return can be even greater to the security department in terms of its growth as a business unit. With the larger business unit comes a larger budget, additional management personnel, and higher salaries for all involved. Ultimately, once the dollars have been spent on security personnel, the next biggest cost is security officer turnover. If turnover can be brought down to manageable levels, the cost savings can be significant for the department, which can then use those dollars to fund other security projects. The other economic factor is that which came to light on September 11, 2001. On that fateful Tuesday morning, the security industry was changed forever . . . for the better. As difficult as it is for most security professionals to admit, though they know it is true, the industry benefited by being forced to the forefront of the antiterrorism effort, to prevent future attacks. And at the ground level, hopefully, trained, professional security officers provided security on a minute-to-minute basis. How does the security industry accomplish the task of enhancing professionalism among the lower ranks in a post-September 11 world? The first and most basic concept is for the industry, and eventually its client base, to accept the title of security officer. The term guard should be dropped from its collective vernacular, and people outside the industry who use the term should be corrected. This small, seemingly insignificant change, will accomplish two things. First, calling a security officer by that title raises morale, and with morale comes loyalty and professionalism. For those in the security industry who have not called a security officer in this way, try it. Second, once a client organization’s employees, the ones in need of protection, witness the use of the formal title, Security Officer, they too will follow suit and give the respect due to the industry’s most visible participants. Fundamental fairness has long been a concern among the rank-and-file security officers. Those who come into the industry with a good amount of optimism and hope for their futures are often left jaded and skeptical after only a short amount of time on the job. This is the inevitable result of extraordinarily long hours, be they at an X-ray machine or sitting in front of a bank of CCTV monitors, fewer breaks, and low wages. A general decline in morale is common as a result of the lack of fairness, and a larger drop in morale is fueled by the all too prevalent militant (not military) management style of many security supervisors. Security officer training is also a force that drives a lack of professionalism in the security industry. The security departments of some organizations do not require any training beyond what the contractor already provides, and most contractors rarely provide any more training than what is required by law.
250
Strategic Security Management
Although it is commonly accepted that proprietary security forces receive more training than their contract counterparts, the level of training is still low overall. With a hint of optimism, the industry may turn this problem around since its major associations are now pushing forward with training guidelines and standards. The final factor in the professionalism equation is compensation. For most of the security industry, pay scales for security officers are not much higher than for those who flip burgers for a living. As the old adage goes, you get what you pay for. Security officers, even those who protect critical infrastructure, are not compensated as well as they could and should be. The idea of total compensation goes beyond their hourly wage and also takes into account their other benefits such as a retirement plan and health insurance. While most security operations managers would argue that many security officers would prefer to take their benefits as cash, that is short-term thinking on the part of both the officers and the management. Fairness, training, and total compensation are critical issues that, if addressed by the security industry as a whole, can raise the level of professionalism and work ethic of the ground-level security officer, and in turn, raise the true security of the United States.
Chapter 13
Project Management
In this chapter . . .
The Security Project Manager The Security Project Team Security Project Management Success: Subjective and Objective Criteria Financial and Resource Management Return on Security Investment
Figure 13-1. Maslow’s Hierarchy of Needs. Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
251
252
Strategic Security Management
Across the broad range of industries in which security decision makers find themselves employed, invariably, the need to manage large security projects arises. For some security professionals, a number of projects may be in progress simultaneously, while for others, security projects occur less frequently. For an organization, project success is a major factor in cost savings. Those projects that are implemented efficiently cost less; those that are inefficient cost more. Because of the need to control costs and the increasing technological complexity of security projects, today’s security professionals need project management knowledge and skills. Simply stated, whenever a security project is undertaken, there is a strong need for effective management to move the project to successful completion. Success in a project may be defined in a number of ways, and the most common factors, of course, are being on time and on budget. Through the use of effective project management skills, security decision makers can ensure that the project comes in on time and on budget (or preferably under budget). Project management is defined as the planning and execution of all aspects of a security project, management of needed project resources, and application of skills, knowledge, and methods to achieve the project’s objectives, goals, and requirements on time, within budgetary limitations, and with a high level of quality. The project’s level of quality is a function of time, cost, and scope, and any changes to one element can affect the overall level of quality and the other elements as well. Project management, in its most basic form, consists of four distinct phases: development, planning, executing, and conclusion. For the security project manager working for his or her employer, development is the process of obtaining the requisite approvals to undertake the security project, delineating the scope of the project, and deciding whether to use internal resources, external resources, or a combination of both. For the security consultant hired by an organization, the development phase is simply the contracting process. Once the initial development of the security project is complete and necessary approvals are granted, the planning process begins. Depending on the nature of the project, planning may be an extensive, time-consuming process or it may be a simple, streamlined process. Typical planning components include scheduling personnel and the time needed for the project execution phases, finding and obtaining vital resources, and sorting the project’s financial aspects. Execution is the implementation of the project plan and is typically the focal point of everyone involved in the project and is, more often than not, the longest phase of the project. Execution components vary with the nature of the security project but normally include project team meetings, on-site work, resource management, quality control and assurance, and documentation. The final phase of a project is the conclusion phase, also called project close-out. The conclusion phase ensures that the scope and each objective of the security project have been met, that the end user is satisfied with the quality of the work performed, and that all required documentation has been completed.
Project Management
253
Project Strategy Development Identify tasks to complete the project. Define priority and order of tasks. Determine time needed for each task. Select project team members suited to each task. Determine project deliverables. Define project milestones and methods to meet deadlines. Establish project cost projections.
Early in the project management process, after project approval has been gained and planning has begun, a project implementation strategy must be developed. The implementation strategy is a visionary process by which the project team outlines the work plan, typically by working backward from the end result through each project objective. This process often gives the project manager the opportunity to gain some insight into the project team member’s strengths and weaknesses and allows appropriate delegation of specific components of the project. It is the responsibility of the security project manager to ensure that each member of the project team shares the same vision for the project’s end result and understands their specific goals and tasks; accordingly, the project manager should closely monitor the team members throughout the project. In addition to the actual project goals, the project can be divided into several administrative tasks that can be delegated to team members by the project manager if he or she chooses not to manage them personally. These tasks include business matters, legal and regulatory compliance, quality control, communications, and unique characteristics of the project. During the planning stage, the project team should also ask several basic questions to better define the project, such as:
What are the objectives of the project? How will the project management team achieve the stated objectives? What resources are necessary to ensure that the project is a success? Given the proper resources, how long will the project take to complete? What obstacles must the team overcome in order to achieve the objectives?
Great leaders are almost always great simplifiers, who can cut through argument, debate, and doubt to offer a solution everybody can understand. —Colin Powell
The Security Project Manager The security project manager is an integral factor in the project’s success. In this responsibility, the project manager is ultimately charged with not only
254
Strategic Security Management
managing, directing, and coordinating the project team’s efforts, but he or she is also responsible for planning and organizing the project, defining the scope of services, overseeing the technical aspects of the security project, negotiating project terms with his organization’s management or his client (if the security project manager is a consultant), ensuring efficient performance in all projectrelated operations, and financial management. The security project manager position is a challenging job that requires management skills, knowledge of security principles, and the ability to communicate effectively. For larger security projects and even smaller ones, technical proficiency is not as important as management and administrative competence. In this regard, the security project manager must be able to manage the project to a successful conclusion by effectively managing resources, the client organization or their employer, the project team, the project finances, and the relationship between parties. At the end of the project, the security project manager will be evaluated and be held responsible for the success or failure of the project. To establish a solid foundation for project success, the security project manager should have specific knowledge, skills, and characteristics. Knowledge is a key ingredient in effective and successful project management in the security industry. Those with an encyclopedic awareness of security best practices and standards are rightfully perceived as the best and brightest and are given the frequent opportunity to lead security projects. A keen understanding of basic security principles, best practices, and security industry standards promulgated by industry associations, such as the American Society for Industrial Security—International (ASIS) and the International Association of Professional Security Consultants (IAPSC), and those developed by associations outside the security industry, such as the National Fire Protection Association (NFPA), can set the bar for security expertise and effective project management. Similarly, experience is an integral factor in successful project management. Those with experience working on projects for different companies and even different industries often yield the greatest results from a project. This is why so many companies turn to the outside, independent security consultant to lead a project; these consultants have experience with numerous companies and are able to decipher the best practices from those practices that are less successful. Education also plays a critical role in project management. Today, security management degrees are becoming more common in universities and colleges across the world. Those with graduate degrees in security management and criminal justice bring unparalleled and sometimes necessary philosophical knowledge to advanced security projects. Ultimately, however, knowledge of the project’s end users’ needs is the most valuable. For the security consultant, critical skills are active listening and a thorough understanding of what the client’s desires are. Once the security project manager understands the project needs, analytical and conceptual skills are utilized to develop a course of action to bring the project to a successful conclusion. Other skills needed by the project manager
Project Management
255
include strong decision-making and problem-solving ability, multitasking, organization, coordination, and delegation. As the leader of a project, the security project manager serves as the primary point of contact for project-related issues, and as such, written and verbal communication and presentation skills are of utmost importance. When managing a large project with many project team members, conflict resolution and interpersonal skills are also useful talents for a project manager. As discussed earlier, a project’s success is dependent on two of the primary factors that lead to success—the project should come in on time and stay on budget. Thus, time management, fiscal sense, and performance management skills are critical for the security project manager. Contrary to mainstream thought, technical skills are not consequential to a successful project outcome, especially in larger projects where subject matter experts and others provide the requisite technical skills. Beyond the skills and knowledge, yet other characteristics set the good project manager apart from the rest. Because of the nature of the security industry, two characteristics stand out, especially among security consultants and those who hire them. These two characteristics are ethical behavior and the ability to be discreet and treat the client’s information as confidential. Most independent security consultants live by a code of ethics that outlines how they will respond in various scenarios where they may be put to the test. The International Association of Professional Security Consultants’ Certified Security Consultant (CSC) Code of Ethics is included among the appendices of this book for use as a guide in establishing a guiding framework. Assertiveness, flexibility, and proactiveness are other characteristics that describe successful project managers. An assertive project manager is needed to manage a project team, working in a dynamic environment favors flexibility in thought and action, and a proactive nature tempers the dynamic environment where project-related issues are addressed before they become problems. The project’s success is often judged over a long period of time, well after the project team has disbanded. Those project managers who are conscientious and creative in thwarting problems before they affect the project over the long term will be judged more favorably. From the project team’s perspective, the project manager leads by example, is responsive to their needs, is a good listener, and is aware of all aspects of the project. Project team members also expect the project manager to be fair, ethical, and supportive of their decisions. Arguably, the project manager’s most important job is to select project team members who add value to the project, contribute in a meaningful way to the project’s success, and bring necessary knowledge and skills to the project.
The Security Project Team The security project team, under the direction and control of the project manager, is charged with executing the project plan. Depending on the nature, scope, and size of the security project, the project team might consist of only
256
Strategic Security Management
a couple of people, or it might be an extensive team with specialists, subject matter experts, consultants, and subcontractors. When managing larger security projects, the project manager may have dedicated team members for singular tasks or team members who are responsible for multiple tasks. For the independent security consultant working in the role of project manager, the project team may benefit from including the client organization’s own employees to round out the skills and knowledge of the team. For example, in a largescale physical security project, a client organization will hire an independent security consultant to upgrade the physical and electronic security portion of its security program at one facility. The client organization’s security staff does not have the time or the resources needed to undertake the project on their own. In this instance, the client organization hires the independent security consultant to develop a project plan and then organize a team of physical security specialists, integrators, and installers to execute the plan. The consultant, acting as security project manager, understands that the client uses a specific software application to control most of the physical security measures currently in place and also those that are planned during this phase of the security program’s development. Rather than go outside the organization, a cost savings and subject matter expertise advantage accrue by utilizing one of the client’s own employees, a lower level security technician who works with the software application on a day-to-day basis. The client’s employee also provides the security escort required by the client organization for outsiders. The consultant also knows that he or she will also need a security systems integrator who can create the necessary functionality between the client’s existing physical security measures and the new countermeasures being implemented as part of the current project. For this expertise, the security consultant selects, with the consent of his or her client, a qualified integrator who provides the best value to the client organization. Since the physical security measures are the single most expensive element of the current security project, the consultant and his small team, consisting of the client organization’s employee and the integrator, develop a detailed set of specifications to put the hardware and installation out to bid. After receiving and reviewing bids from several installers, the project team selects the best value bid and adds the installation company to the security project team. While this scenario is uncommon in smaller projects, it does demonstrate the wide range of possibilities when organizing a security project management team and the range of specializations and responsibilities for individual project team members. Most security project teams are unique, organized specifically for a particular project, and the team members typically have not had the opportunity to work together often enough to create a cohesive unit. Beyond ensuring that the team brings the needed skills, part of the project manager’s responsibility is to develop an environment conducive to teamwork, an accelerated learning curve,
Project Management
257
and increased performance. In attempting to create this environment, the project manager must understand how a project team matures and develops competence, which will eventually lead to a successful project. The initial stage of project team development is the formative stage, wherein team members begin to understand each other’s strengths and weaknesses, learn what knowledge and skill each team member brings to the project, and generally get to know one another. The project manager facilitates this process by establishing specific expectations of each member, including initial identification of objectives and delegation of tasks to specific members. Not unlike a young sports team, personality conflicts and alliances develop between team members after the team members have had a chance to build relationships. During this formative stage, the project manager may need to step in and resolve power struggles and enhance the strengthening of the team as a whole rather than individual alliances between members. A climate that reinforces open communication between project team members expedites the process of team building and an overall commitment to the team, its project manager, and the project itself. The project manager will find that, through ample support and intervention early in the team’s formation, less intervention will be necessary as the team matures into the desired project team, which has its own unique team identity, needed to execute a project plan. A project manager can expect the team members to begin to work out their own problems, take the initiative to assist each other, and hopefully challenge each other to grow and learn. Not unlike Maslow’s Hierarchy of Needs, the team will self-actualize and create an aura of energy and enthusiasm where trust and confidence are cornerstones of each member’s feeling about the team. The project manager’s goal in developing a successful project team is simple: synergy.
Security Project Management Success: Subjective and Objective Criteria While project success is fundamentally rooted in timeliness and cost control, successful security projects are also defined in subjective terms by the end users. For end users, the project manager should be prepared to meet and exceed the individual end user’s expectations. What is each end user expecting at the completion of the project? For some, it might be less work on their task lists, while others seek streamlined processes to maximize their efficiency. For a security consultant, an outsider to the organization, it is even more important, for business relationship and development reasons, to make sure each end user is satisfied with the results of the project. It is fair to ask how the project fits into the client’s career objectives. How will the client be judged within his own organization? If the new project requires major changes in the way end users do their jobs, the project manager should prepare them for an easy and smooth transition.
258
Strategic Security Management
Your most unhappy customers are your greatest source of learning. —Bill Gates
Subjective Criteria An example might better illustrate the subjective way in which the project and its manager might be judged. The security director of an organization was coming under increasing scrutiny to ensure that his department was doing everything it could to provide an appropriate level of security at the organization’s facilities. The environment is unique, and an off-the-shelf risk assessment methodology did not exist in their industry that met all their needs. While the security director’s staff had the skills and knowledge to develop the risk assessment methodology on their own, they did not have the time to perform their normal duties and spend the weeks needed to develop the methodology. The security director, after careful consideration, decided to hire an independent security consultant to develop the risk assessment methodology. Hiring a consultant also allowed the security department to keep the project at arm’s length, also ensuring an unbiased, fresh perspective of the organization and its risks. The consultant was also not hampered by organizational politics, which could conceivably skew the risk assessment methodology. The consultant, understanding the subjective terms in which the project would be judged by those who work within the security department, scheduled some extra time to spend with individual end users to better understand their needs. Thus, development of the risk assessment methodology was judged in two ways: objective, in that it was developed on time and on budget; and subjective, wherein the end users were satisfied by the methodology. One member of the security staff, among many other responsibilities, was responsible for the organization’s internal security reporting mechanism. He had spent a considerable amount of time and departmental resources to build an accurate database of security incidents and breaches occurring at the organization’s facilities. Policies and procedures had been written to support the reporting system, the organization’s employees had undergone security awareness training, and the security force had been trained in the basics of the new internal reporting system. At the time the security consultant was hired to develop the risk assessment methodology, the database was shaping up, but what was lacking was a proper system to analyze the information in the database. Since the risk assessment methodology had a threat identification component that also included the analysis of internal security report information, the security consultant also developed a streamlined approach to analyzing the internal security reporting database. The security consultant’s extra effort not only improved the risk assessment methodology, but it also saved the member of the security staff a fair amount of time and effort. Some would argue that this extra step was outside the scope of services that the security consultant was hired to perform. Technically this is true, but taking the time to further develop the relationship
Project Management
259
results in a more successful project and often yields more business. The real question is, how will the security consultant be judged by this end user? The difference between ordinary and extraordinary is that little extra. —Jimmy Johnson
Financial and Resource Management As mentioned earlier, the two objective factors in evaluating the project manager are cost control and time management. By the competitive nature of the business, security consultants are judged on their ability to be both cost effective and responsive. Those who can meet and exceed both criteria are usually the most successful. What about the project managers who work for the organization for which they are managing a project? They, too, are judged by their ability to complete the project on time and on budget. Their distraction may even be greater than the consultants’ as their other duties interfere with their ability to execute the project plan. Regardless of whether the project manager is an independent security consultant or an internal employee, the most significant document for financial control over the project is the budget. A budget is simply the project plan stated in financial terms. A well-defined budget, one that takes into consideration all the project details and every possible contingency, can assist the project manager in keeping the project costs under control. Beyond financial considerations, time management is crucial to the success of a security project and can positively or negatively impact the financial aspects of the project. For some security projects, people are the primary resource, whereas in other security projects, security hardware is the major resource. In either case, the project manager must exercise control over the human and physical resources through effective coordination and scheduling. Schedules are a management tool used to achieve project objectives. Specifically, a schedule outlines when each objective will be met, in what order, and how much time is available for each objective. Schedules may be a simple document that names each objective and the date of completion, or they may be more comprehensive and developed in a software application such as Microsoft Project. Comprehensive schedules consist of a master schedule and smaller schedules within each objective that define the time constraints imposed on project team members and installations associated with the project deployment. The master schedule incorporates each element outlined in the scope of services, as well as key metrics used along the way to evaluate the security project’s milestones. Contingencies should also be included in the master schedule with dead days, or catch-up time periods, to allow for any delays in the timing of the projects. The schedule should be shared with the project team and the end users to ensure that it meets everyone’s needs. If the project manager is an outsider to the organization, a security consultant for example,
260
Strategic Security Management
the project schedule should be discussed with the client organization on a regular basis. The effective security project manager will periodically review the objectives contained within the schedule and anticipate any delays that might occur. This allows the project manager to plan around the delayed objective and move on to other independent objectives that can be completed early until the delay in the current objective is rectified. Doing so will allow the overall project to continue on track. Although they can be time consuming, meetings are an excellent way to ensure that both the objective and subjective project success criteria are being met as the project progresses. The project kick-off meeting, for example, sets the tone for project implementation, gives the project manager and his or her team the opportunity to learn more about the project, plan for contingencies and delays, and officially launch the project. Project team meetings, on the other hand, are objective driven, in that they are used to ensure that all necessary resources are available when project team members need them. During the project team meeting, the project manager should identify the phase of project, where the project is on the schedule, upcoming activities and objectives, and upcoming project deliverable due dates. Project issues and problems that have been identified since the last meeting should also be discussed and solutions sought. Depending on the size and time frame of the project, a review of the project schedule is important for the project team members to keep abreast of upcoming tasks and deliverables. The project manager should continue to maintain an environment of open communication and idea sharing that was developed during the initial team organization. In between meetings, the security project manager should maintain a task list and carefully monitor specific project factors. Among the factors to be continually monitored are enduser satisfaction, relationships between project team members, the budget, and the project schedule. The successful project manager knows that managing expectations is his or her most important task. Underpromising and overdelivering are crucial. Keys to Successful Project Management
Understand both the objective and subjective project evaluation criteria. Establish accurate metrics and milestones for the project. Benchmark the performance of the project team. Keep end users involved in the project and seek feedback. Hold regular meetings to discuss project objectives. Maintain quality throughout the project cycle. Be proactive and mitigate issues before they become obstacles to project success. Stay ahead of the project. Underpromise and overdeliver.
Project Management
261
Return on Security Investment For most organizations, security expenditures are typically considered resources that could be used elsewhere in the organization to enhance profitability or for direct use in furthering the organization’s mission. The organization’s senior management needs valid metrics that provide evidence that security implementation positively impacts the organization’s profit and/or mission success. Because a security program has to make business sense, the organization’s leaders need practical assessments of the return on security investments possible in order to create an effective security program. When determining the impact of the security program on profits and mission success, the organization’s senior management will want some critical questions answered during the process of analyzing return on security investment and whether the security investments are justified in any way. These questions may include:
What financial impact does inadequate security have on the organization? On average, what is the cost of financial losses without adequate security? What is the worst case scenario of financial loss without adequate security? How does the organization protect its assets? How much security is appropriate? What security measures are most cost effective? What types of security measures are needed? What impact will security have on the productivity of the organization’s employees?
The security project manager, unlike project managers in other industries, is often in the position of justifying the project even after it has been authorized and work has started. Rather than begrudge this situation, security project managers should relish the opportunity to provide a return on investment analysis for the project. For security consultants, the willingness to provide this analysis will set them apart from other security consultants and often provides the foundation for repeat business on other security projects. For the internal security professional, conducting a return on security investment analysis increases trust and support from senior management to whom the security professional reports. A return on security investment methodology that produces consistent results is important to senior executives, security decision makers, and end users. While it is a difficult task to quantify savings generated by security measures, especially the intangible costs, there are some proven methods for
262
Strategic Security Management
justifying the deployment of security and there are security components that lend themselves to return on investment studies. Among the factors that can be used quantitatively in a return on security investment analysis are shrink and loss rates, asset recoveries, security personnel hours and rates, physical security measures and packages, and employee productivity. Another factor that may be used in a return on security investment analysis is liability and insurance costs associated with security and premises liability litigation. The costs of shrink and asset losses are common security metrics used in the security industry. Shrink and loss rates can be trended over time, and a Pretest/post-test analysis of security measures can be performed to determine effectiveness of the countermeasures along with any reductions in shrink and loss rates. Cost avoidance is the process of identifying losses that would likely have occurred without the implementation of security measures. A cost avoidance analysis that show that there was a reduction in shrink and loss after the deployment of effective security measures means that the organization has achieved a return on security investment. Similarly, analysis of asset recovery efforts can demonstrate a return on security investment. Asset recovery analysis is the process of identifying asset recoveries that were made as a result of security measures. As the single biggest cost in a security program, probably the largest return on investment is achievable through metric-based deployment of security personnel. With physical security measures close behind security personnel in terms of cost, risk assessments can help security decision makers deploy the proper security package for their facilities. Nonsecurity employee productivity can also be a significant factor in achieving a return on security investment. Depending on the organization in need of security protection, nonsecurity employees are often compensated at much higher rates than security personnel. Loss of their time due to security-related incidents can decrease productivity and cost the organization substantially. For example, a law firm’s employees who rely on computers to perform their duties can suffer substantial productivity loss and therefore billing time when the office is burglarized and computers are stolen. Regardless of the type of security measure or security package under consideration, the most basic formula for calculating return on security investment is: ROI = Sevings Generated or Anticipated − Cost of Security Measures The cost of physical security measures includes the initial cost of the equipment, installation costs, and the cost of ongoing maintenance. A more accurate calculation would also include the cost of personnel time to manage, monitor, and maintain the physical security measures. The cost for a closed circuit television system, for example, would begin with the equipment, installation, and maintenance costs, and would also include the cost of personnel if
Project Management
263
the system is monitored. The cost of a proprietary security force would include payroll costs, insurance, licensing, uniforms, equipment, supervision, training, benefits, and turnover. Ultimately, security decision makers must determine if the overall cost of implementing security measures is less than the cost associated with accepting the risk. Anticipated savings, as discussed in this chapter, can include cost avoidance, asset recoveries, security personnel costs, physical security measures, and employee productivity. Savings are based on the returns generated over the life of the security measure. While the cost of new security equipment and personnel costs are relatively easy to calculate, determining the real value of savings generated by security measures is more challenging. However, accurate historical data that reflects a consistent risk trend can be very beneficial in accurately assessing future savings after security deployment. Historical data for the organization is most relevant; however, industry data can also assist in establishing a baseline from which to extrapolate information. Certainly, retailers can fall back on their shrink data to establish the loss benchmark, while insurance companies can determine the monies spent to settle lawsuits for inadequate or negligent security. Other organizations can also look to historical data to calculate the cost of security breaches. Once the number and types of anticipated savings factors are identified, the annual total can be calculated. What was the cost to the organization’s bottom line for each security incident? What was the cost in reduced productivity? What was the settlement and jury award cost for inadequate security lawsuits? Wise security professionals never fail to recognize the last question, the cost of security-related litigation, where one unfavorable jury award can have severe repercussions. While it may not reflect directly on their security budgets, they know that, ultimately, senior management holds them accountable for the mess even when the insurance company picks up the tab for the settlement. Again, once each savings metric is identified and totaled on an annual basis, the simple ROI formula can be applied. The accuracy of the data is important, but more important is the consistency of the factors and data over time. As long as security decision makers are using the same formula, comprised of the same factors, the return on security investment can be fairly accounted for and compared to the return on alternate security investments. In true risk management terms, each security breach is termed single-loss exposure (SLE) and is multiplied by the number of times it occurs, annual rate of occurrence (ARO), and the result is the yearly total called annual loss exposure (ALE). Beyond the traditional responsibilities of planning and execution, the security project manager has a unique opportunity to provide senior management with a return on security investment analysis. The analysis not only allows the calculation of savings after the project is complete, but also the occasion to showcase the security project manager’s commitment to the security budget for the current project as well as future projects.
This page intentionally left blank
Chapter 14
Premises Security Liability Norman D. Bates
In this chapter . . .
Premises Security Law Plaintiff’s Theories Security Officer Misconduct Negligent Hiring Liability Reducing the Risk of Liability—Evaluating the Security Program Crime Risk Analysis—An Initial Step The Role of Statutes, Ordinances, and Regulations National Security Standards “Standards” versus “Guidelines” The Rationale for National Standards Security Risk Assessments
Premises Security Law Basic Principles Premises security liability is the application of principles in the tort of negligence. It arises when a business is sued by an individual who was the victim of a violent crime on the property of the business and is claiming that the lack of security was a factor in allowing the crime to occur. A common example of a premises security liability claim involves a situation where the resident of an apartment complex or the guest of a hotel is sexually assaulted by a criminal who was able to gain access to the victim via a defective door lock. The fact that the intruder actually committed the sexual assault is not overlooked. If that intruder was caught, he, too, could be liable civilly (and criminally, of course) but under different legal principles. A claim made against the assailant would be brought in the tort of battery.
265
266
Strategic Security Management
A claim for inadequate security states that the property owner failed to provide a reasonable level of security, given the risk of crime at the property during the time of the attack. What constitutes “risk” will be discussed in the Foreseeability section of this chapter. The claim against the property owner is made pursuant to the laws of negligence for the particular state where the incident occurred. The laws of each state may vary somewhat, and, as such, businesses and other private institutions that operate in more than one state will need to know each of those states’ rules if negligent security liability is to be avoided. Be mindful that this area of law continues to evolve and can change drastically with any new appellate decision addressing this area of law. The tort of negligence, as with all other tort claims, contains a number of elements or components that plaintiffs must show by the preponderance of the evidence to prove their case. The basic elements of the tort of negligence are duty, breach of duty, injury, and causation.
Duty “Duty” is the legal responsibility requiring a property owner to maintain reasonably safe premises. The extent of the duty, or what is required of the property owner, is directly tied to the level of risk (foreseeability) of crime. Absent a legal duty imposed by operation of a statute, ordinance, or code, the burden on the property owner is to provide reasonably safe premises proportionate to the level of risk at the property at any given point in time. This means that the extent of the responsibility can change over time as the level or risk of crime increases or decreases. A property owner’s legal duty to provide reasonable security can be imposed in several different ways. A duty may arise by operation of a statute, ordinance, or code, through case law, under the terms of a contract, where a special relationship between the plaintiff and defendant exists (e.g., student and university), or where the defendant has voluntarily undertaken the responsibility. A duty created by statute or code is one where the property owner is required by legislative action or regulations of a state or federal agency to provide certain measures. As examples, in South Carolina the state law requires hotel and motel rooms to be equipped with certain specified locking devices, and in Pittsburgh, Pennsylvania, public garages are required to be outfitted with panic alarms and minimum stated lighting levels. A duty arising from case law tends to be more general in nature in that one or more appellate opinions of a jurisdiction will state that certain types of property owners (e.g., hotels, office buildings, residential landlords, etc.) have a legal duty to provide reasonable levels of security. Case law that imposes a legal duty often fails to provide clear details of what specific actions are required in contrast to a building code or regulation that usually states the specific requirement (e.g., type of locking device to be used).
Premises Security Liability
267
When a contract between the parties (e.g., landlord–tenant) includes terms that the landlord will provide specified security measures, the duty exists by operation of that agreement and may be enforced in contract law as well as in tort law. Occasionally, a special relationship that exists between the plaintiff and defendant gives rise to a special duty of care. In some cases, a student in a college may be found to have a special relationship with the college owing to the student’s dependency on the college to provide security measures. A duty is commonly found when the defendant has voluntarily undertaken the responsibility to provide certain security measures. If a hospital’s security staff provides additional protection to a patient/victim of domestic violence in order to prevent a subsequent attack by the offending spouse, a duty voluntarily assumed is likely to be found. Generally, the rule of law states that a duty undertaken voluntarily must be performed with the same care as if that duty were imposed by law.
Breach of Duty Breach of duty is typically the most easily understood element in the tort of negligence. Breach simply means failure. It is the failure of a defendant in a civil action to perform the duty that was imposed either by law or when assumed voluntarily. For example, a hotel may either be required by law or voluntarily decides to provide deadbolt locks on all guest rooms. The innkeeper who fails to keep these locks working properly has breached the duty of care. In another example, a hospital’s administration has decided to employ a security staff to provide protection to the hospital facility. The security department, however, is poorly trained and understaffed to handle the problems of the institution. Poor training and insufficient staffing levels may also be “breaches” in the hospital’s duty to provide reasonable security measures.
Injury Injury in the legal context includes the more obvious physical injuries one may suffer as a crime victim, as well as less obvious mental trauma frequently resulting from an attack. Injuries also include financial losses sustained from damage to property and lost income.
Causation Causation or proximate cause is probably the most difficult concept to understand. Simply stated, in order for a defendant to be found negligent, a connection or link must exist between the failure of the defendant property owner to meet the duty of care and the ultimate harm suffered by the
268
Strategic Security Management
plaintiff. The law of negligence requires that the failure or deficiency (breach) be a cause or substantial factor leading to the plaintiff ’s injuries. However, there may be more than one cause of an injury, and it is in this respect that the law of negligence can be confusing. Examples of which failures are causally related to an injury and which are not may help illustrate the concept. Example—A man is assaulted and robbed in a parking lot. Investigation reveals that the parking lot was poorly lit. In fact, in the area of the assault, there was no measurable (with a lightmeter) light. A local municipal ordinance requires all parking lots to have illumination of at least 1.0 foot candles. The deficiency in the parking lot lighting would constitute a breach in the duty of care imposed on the defendant property owner by the local ordinance. However, if this assault occurred during daylight hours, artificial lighting meant for nighttime use would be irrelevant or not causally related to the plaintiff ’s case. Should the incident have occurred at night, the lack of lighting may be related to the assault if, for example, the assailant used the cover of darkness to hide and wait for the victim. Example—A woman is raped in her apartment by an intruder who gains access to her unit via the ground floor window. The lock on the window was broken, and the victim had complained previously to the management company. The defendant management company would most likely have a duty to provide reasonably operating locking devices on unit windows as a matter of law (e.g., building code). The failure to repair the lock in a timely manner would arguably constitute a breach of duty. The question is whether the broken lock is causally related to the plaintiff ’s injuries. If the intruder was able to enter the windows because the plaintiff could not lock it, then the answer most likely is yes. If the plaintiff left the window open for ventilation, would the broken lock have been a contributing factor? Maybe. Some might argue that the broken lock is irrelevant or not causally related to the assault. The analysis does not stop here, however. The plaintiff ’s response to the defendant’s argument might be that other secondary locks (i.e., ventilation locks) should have been provided to accommodate the resident’s need for fresh air without someone being able to access the unit. Ultimately, the question that arises is as follows: had the deficiencies complained of by the plaintiff been corrected, would they have prevented the assault? Under the law of negligence, the plaintiff does not have to prove that correcting a deficiency would have absolutely prevented the crime, only that the deficiencies, more likely than not, contributed to the crime.
Premises Security Liability
269
Foreseeability—The Risk of Crime The element of foreseeability is essentially a question of whether the criminal act was one that a reasonable person would have foreseen or reasonably anticipated, given the risk of crime that existed at the time of the assault at the property in question. Ultimately whether a crime is considered legally foreseeable will depend on the court, the jury, and the laws of the state involved. Property owners are not expected to predict with absolute certainty when someone may be victimized, by whom, or exactly how the crime will occur. However, owners are expected to take into consideration the various factors that constitute risk at their properties according to the law of negligence in their jurisdiction. This risk factor is referred to as “foreseeability.” As a matter of law, a property owner is not usually held responsible for those events that could not have been reasonably foreseen. In contrast, the higher the risk of crime, the more foreseeable it is and, hence, the greater the duty imposed on the owner. What constitutes a foreseeable criminal event, legally, varies from state to state. Some states follow two basic approaches to this concept, with some minor variations. Other states, however, have yet to adopt a position due to a lack of sufficient case law on the subject in their jurisdiction. The two most common rules followed by most states are the prior similar crime rule and the totality of circumstance rule. The prior similar crime rule is the older, more conservative approach and requires that there be some evidence of prior crimes that are similar to the crime complained of in the plaintiff ’s case. Under this rule, a plaintiff who was robbed and physically assaulted in the parking lot of a shopping center must provide evidence of some type of prior robbery before the case can reach a jury. If there were no prior robberies, the defendant may be able to get the case dismissed before trial in that state. The major problems with the prior similar crime rule is the lack of clear direction on what constitutes “similar,” how far back in time the prior crime occurred, or how close/far geographically the prior crime must be to make the current crime foreseeable. Currently, no state law requires evidence of absolutely identical prior crimes. The legal effect of the prior similar crime rule is to take a black and white position on the issue, that either there was a risk of a certain type of crime or there was not. However, the risk of crime is not black and white. The more contemporary approach to analyzing foreseeability is the totality of circumstances rule. Many courts throughout the country have adopted the rule that property owners should consider other factors beyond prior crimes to determine the level of risk. Under this rule, evidence is typically allowed to show the existence of prior dissimilar crime, crime in the neighborhood and other risk factors (see below) to determine whether a crime was foreseeable. By using the totality of circumstances approach to evaluating the level of risk, owners and managers will be better able to assess the risk of crime at
270
Strategic Security Management
their properties than if they had restricted their analysis to only prior crime at that site.
Other Risk Factors Practitioners may consider a number of factors or sources of information that may affect the risk of crime at a property. The following factors are representative of the most common sources of crime risk data; however, one should be aware that additional sources may be identified, especially as new risks are developed (e.g., domestic terrorism).
Prior Crime at the Site Both property and violent crime should be considered when evaluating risk. Both security and police practitioners accept the notion that an environment conducive to criminal activity in the form of property crimes (e.g., theft, vandalism, burglary, etc.) creates a higher risk of more serious crime. The rationale for this belief is two part. First, some property crimes could either be a “threshold” offense for the violent crime (e.g., a burglar enters a hotel room and subsequently rapes the guest), or the property crime could escalate to a more serious violent crime (e.g., a thief caught attempting to steal a car subsequently assaults the person who caught him).
Crime History of Neighborhood/Immediate Vicinity Defining what constitutes the “neighborhood” or “immediate vicinity” is difficult because of differences in geographical terrain, economic status, or other demographic factors. The local law enforcement agency may be helpful in defining the neighborhood or immediate vicinity geographical area where the subject property is located, based on their experience and knowledge of the area. Once the geographical boundaries are defined, crime data for that area can be obtained and analyzed for type and frequency of criminal activity.
Crime in Similar Business Establishments It is well known that certain types of establishments are prone to the same kinds of criminal activity. For example, nightclubs frequently have problems with assault-type behavior and disorderly conduct; parking lots and garages frequently have car theft problems; convenience stores and fast-food restaurants generally experience higher rates of robbery; and apartment complexes, along with hotels, have to address the risk of burglary. This area of risk analysis requires managers to keep current on crime trends affecting their type of business. By reviewing reported cases and trade journals and through interaction with their peers in professional associations, managers
Premises Security Liability
271
can learn about developing crime problems as well as potential security solutions.
Prior Complaints Prior complaints made to a property owner about problematic residents, unsafe conditions, suspicious activity, and others may indicate the propensity for a security problem or crime to occur. For example, a resident in an apartment community complains to the security decision maker about high levels of foot traffic in and out of an adjacent apartment at all hours of the day and night. The resident also adds that these “visitors” appear to stay for only a short period of time. Although there may be a legitimate reason for the activity at the apartment; a property owner may want to investigate the circumstances, seeking out the aid of the police to help determine whether or not drug or other criminal activity is occurring.
Knowledge of Crime and Acknowledgment of the Risk Frequently in negligent security lawsuits, defendants will claim that they were unaware of the existence of certain criminal activity or other significant problems that could establish the “foreseeability component” of the plaintiff ’s case. Where it can be shown, however, that the defendant had actual knowledge of a particular risk and took no action to address it, that evidence can have a significant impact on the case. “Acknowledgment” of the risk may be more subtle than just a history of prior crimes. It could include evidence of the defendant’s awareness of the potential for problems when the security program was designed. The following two examples illustrate this point. In the case of Mullins v. Pine Manor College, 389 Mass. 47, (1983), 449 N.E. 2nd 331 (Mass 1983), the Massachusetts Supreme Judicial Court ruled that the college recognized the risk of rape on the campus of an all-women’s school because the college provided rape prevention programs during new student orientations. The court indicated that the rape of the plaintiff was not only foreseeable generally, but was actually foreseen (acknowledged) by the college because the college had addressed the risk in its orientation program. In a second Massachusetts case, Roe v. The Marriott Hotel, 1997 (an unreported trial-level case), the plaintiff who was raped in the defendant’s parking lot sought to introduce evidence of the foreseeability of the crime through the hotel’s own security manual. A portion of the manual outlined the security staff ’s responsibility for external patrol and, most significantly, the reasons for such patrol. Among the reasons for patrol cited were the prevention of crime such as auto theft or “rape.” While the hotel’s documented history of crimes in its parking lot was limited to property crimes, such as theft and vandalism, the hotel’s patrol guide acknowledged the risk of rape in the parking lot.
272
Strategic Security Management
Plaintiff’s Theories Most inadequate security cases fall into three categories: defective equipment/devices, crime deterrence theory, and operational failures. Defective equipment/devices are fairly self-evident. They include issues such as broken locks, inoperative alarms, or defective cameras. Deterrence theory cases are those where the plaintiff asserts that the assailant would have been deterred from committing the crime had certain security measures been in place at the time of the incident. Under this theory, a claim is asserted when, for example, the plaintiff is assaulted in a parking lot in an area where security has not been patrolling regularly. The deterrence theory argument in this instance would likely claim that had the defendant’s security staff been patrolling as it should have, then the assailant would have been deterred from committing the crime. The plaintiff may seek to introduce evidence of the assailant’s behavior prior to, during, or after the assault that demonstrates his deterrability. Efforts to plan the crime in advance, conceal one’s identity (e.g., wearing a mask or using a condom in a rape to avoid DNA detection), or trying to evade capture may be evidence to be considered by the jury when deciding whether the assailant was deterrable and whether the defendant property owner’s failure to provide security patrols amounts to negligence. The third category of plaintiff theories, operational failure, is a fairly broad category and can include several different deficiencies in an organization’s security program alleged simultaneously. Operational failures include such issues as failure to train, failure to supervise, inadequate preemployment screening (negligent hiring), lack of specific policies and procedures or violation of one’s own policies, and inadequate staffing levels. Example—Policies and Procedures—The defendant has a policy and procedure that requires regular accounting of master keys and distribution of such keys on a controlled basis. If the evidence in the plaintiff ’s case indicates that an intruder gained access to the plaintiff ’s apartment using an unauthorized master key, the failure to comply with one’s own key control procedures becomes a central argument in the plaintiff ’s case.
Security Officer Misconduct While most civil claims of inadequate security stem from the failure to provide reasonable security measures (e.g., lack of locking devices, insufficient number of security officers on patrol, etc.), potential for liability claims may arise from the misconduct of security personnel. These claims typically occur when the officer has either used too much force, has unlawfully detained someone, or has conducted an unlawful search of the person.
Premises Security Liability
273
Most often, the allegations for misconduct are based on the arguments that the security officer was overzealous, used too much force, and caused an injury as a result. The allegations may claim that the officer lacked sufficient legal basis to detain and/or search a person who was suspected of a crime. These allegations commonly cite a lack of sufficient training, the improper selection of a candidate who lacked the appropriate experience, a failure to supervise, or, despite the officer’s previously demonstrated propensity for excessive force/ violence, his continued retaining by the employer. Example—Failure to Train—A security officer uses force during a detention of a shoplifting suspect. The plaintiff incurs injuries during the detention process. In this situation, the plaintiff will often argue that the officer was not adequately trained for the position. However, the alleged failure to train must be shown to be the cause of the injury. Furthemore, the actions or behavior of the injured person will also be considered during the liability analysis.
Negligent Hiring Liability Negligent hiring is a claim that the defendant business failed to exercise reasonable care in the selection and hiring of an employee through proper preemployment screening to avoid hiring an individual with an unsuitable background and where that employee subsequently injured the plaintiff. Traditionally, employers have been held responsible for the actions of their employees under the legal doctrine of respondeat superior, which operates on the principle that employers are responsible for the acts of their employees when tasks are performed on behalf of the employer’s interests. If, through the employee’s carelessness or negligence a member of the public is injured, the employer is held financially and, occasionally, criminally responsible vicariously (e.g., a moving van driver causes an accident and injures others). This doctrine has its limitations, however. If the employee committed a harmful act outside the scope of his employment and not in the interests of the employer, the company would not likely be held responsible. If the harmful conduct clearly falls outside the scope of his employment, then the doctrine of respondeat superior does not apply, and no recovery can usually be made against the employer under that legal theory. Negligent hiring liability, however, is the failure of an employer to exercise reasonable care in selecting an applicant in light of the risk created by the position to be filled. This means employers must screen individuals adequately before they are hired. Employers are not always exposed to liability just because they failed to check an applicant’s background. Liability usually results only when an inadequate screening effort is logically connected to the wrongful conduct. If a reasonably conducted investigation reveals facts indicating the applicant was
274
Strategic Security Management
undesirable, the failure to obtain the information may be considered negligence. Conversely, if a reasonable background check does not reveal any negative information about the applicant, then liability will not likely result. The legal cases emphasize that the amount of screening to be conducted on an applicant should be proportionate to the degree of risk presented by the position to be filled. Hence, the greater the risk, the greater the effort to investigate a potential employee’s background. The case law is also helpful in identifying what constitutes risk. It suggests that the risk posed by a particular position depends on access. If employees are able to subject others to harm as a result of having unsupervised access to them, then risk exists. Access is the focal point. To determine risk factors in employment, the focus must be on the position to be filled, not the applicant, the job title, or the wage rate. When conducting background checks, employers should consider an employee’s unsupervised access to vulnerable people or dangerous instrumentalities such as
children elderly persons persons who are disabled (mentally or physically) patients private homes master keys narcotics (licit or illicit) explosives dangerous chemicals weapons/ammunition
Security employees who exercise arrest power, use force, or carry weapons should also be included, although generally employees who misuse their authority or force subject their companies to respondeat superior liability as well. The concept of negligent hiring also encompasses incompetent conduct that causes harm, as illustrated by the overzealous security officer, bouncer, or doorman. Documentation and consistency are the keys to avoiding negligent hiring liability. Whatever options an employer chooses to use for screening, all information gathered from legitimate sources should be well documented. Since most litigation is not resolved for years after the employee has been hired, the written word becomes invaluable. Consistency in preemployment screening practices is also important because of the evidentiary effect a company’s practices can have at trial. For example, if a decision was made to obtain criminal history data on all positions of risk, be sure to conduct such a search for each and every applicant who becomes an employee.
Premises Security Liability
275
Employers tend to become lax, especially when they have not experienced any problems. Once a plan is adopted, it represents a self-imposed standard. The failure to follow one’s own plan becomes evidence of negligence for a jury to consider.
Reducing the Risk of Liability—Evaluating the Security Program The adequacy of a security program is evaluated in one of two scenarios— either in the context of a negligent security lawsuit or in a general assessment for planning purposes. The analysis of a security program in a lawsuit is conducted using the specific set of facts about the crime and an identified risk level, compared to actual security measures employed by the property owner. In a civil suit, only a portion of the defendant’s security program is usually examined as it relates to the criminal event. For example, if the assault occurred outdoors during daylight hours, exterior lighting would not be evaluated. In the nonlitigation context, a general security risk assessment is conducted when the property owner wants to determine whether the security program is sufficient for the facility’s overall needs, given the types of crime risks existing at that time. While there are numerous parallels to the case analysis approach, a security program evaluation looks at broader issues and is not limited to a single criminal event or set of circumstances. In this broader approach, general security risk assessments usually consider the four basic components of a program: crime risk analysis, management practices, security equipment, and security staffing.
Crime Risk Analysis—An Initial Step A typical crime risk analysis considers a variety of sources to identify the potential for criminal activity, including prior violent and property crime at the site, crime in the surrounding community, crimes common to that type of business or institution, prior complaints by guests, tenants, or customers, and other factors that may be identified during the evaluation process. Sources of data used to conduct the crime risk analysis are numerous. At the site level, security incident reports, daily logs, complaints, previous claims of inadequate security, and periodic summary reports (e.g., monthly, annual, etc.) may all be helpful to the practitioner in identifying both previous incidents and potential threats. In addition to the records of the individual site, the manager will want to obtain and consider data from the local law enforcement agency for the site (not all crimes get reported to site management) and the area considered to be the neighborhood or immediate vicinity around the site. Computer printouts of reported crime and calls for service can typically be obtained from the records division of the local police agency.
276
Strategic Security Management
Although some confusion often exists about the availability of such records to the public, these records are usually considered to be in the public domain. As such, the law enforcement agencies generally provide this information on request. The protocol in obtaining these printouts will vary from jurisdiction to jurisdiction, and most agencies charge a nominal fee.
The Role of Statutes, Ordinances, and Regulations Throughout the United States, there are numerous examples of laws in the form of statutes, ordinances, and codes that require specific security measures. In some municipalities, minimum measurable lighting levels are required. In others, certain types of locking devices may be required. One of the most important questions security decision makers should ask is whether any portion of their security program is subject to any statutes, codes, ordinances, or regulations. If so, they seek to satisfy the criteria of the applicable law. Unfortunately, laws are frequently written with a degree of ambiguity. An ordinance may require “reasonably secured windows and doors” without specific indication of what constitutes “reasonable.” Interpretation may be required by counsel and/or an experienced consultant. In addition to codes and regulations, most states have case law that may help explain or specify the nature of the legal responsibility (i.e., duty) of the property owner with respect to these security measures. The failure to meet the minimum requirements of a law can be strong evidence of negligence in a lawsuit and may subject the business to civil fines as well.
National Security Standards Historically, the private security industry has been poorly regulated. Frequently, such regulation has only taken the form of limited state statutes that set forth licensing requirements and on rare occasions, minimum training standards for contract security agencies or so-called guard companies. Proprietary security staff—individuals who are the direct employees of, for example, a hotel, shopping center, or office building—traditionally have not been regulated by states or municipalities. Since the early 1970s, when the Connie Francis rape case against a motel in New York received widespread publicity, there has been a multitude of civil litigation alleging inadequate security against privately owned businesses. With many verdicts of more than one million dollars and increased public awareness of this alternative remedy for victims of crime, business owners have become motivated to improve the quality of their security services to guests, tenants, visitors, and employees. Unfortunately, with a dearth of standards guiding property owners on how much or what type of security to provide, many of them have failed to take the appropriate steps to properly analyze the risks of crime associated with their businesses. As a consequence, these busi-
Premises Security Liability
277
nesses have failed to provide adequate protection for the public despite their legal duty to do so. After 30 years of claims against property owners for poor security, a public outcry for nationwide security standards requiring some minimal measures to prevent crime would seem inevitable. In fact, during that 30-year period, only a handful of technical standards were developed by standard-setting organizations. However, these standards typically have been limited to technical items such as locks, fencing, safe construction, or lighting levels. There were no standards or guidelines for the management of security services or the use of security devices in any given application. This means that the landlord of an urban apartment building or the general manager of a downtown hotel would not be able to refer to a written standard regarding what type of locks should be installed on sliding glass doors. The liability of the motel in the Connie Francis case was predicated on the poor-quality locks that were provided for the singer. She was raped in her room by an unknown intruder who gained access via a defective locking device on a sliding glass door. As recently as the early 1990s, three major industries opposed the development of any type of security standard or guideline. The apartment, hotel, and shopping-center industries, through their respective trade groups, fought an effort by ASTM (the American Society for Testing and Materials) to develop minimum guidelines for security measures in all types of privately owned businesses open to the public. A three-year effort to develop the guidelines dissolved with threats to the nonprofit ASTM that it was working outside its charter. Although it is doubtful that any charter violation took place, the organization could not afford the cost of litigation and, consequently, disbanded the committee. In 2001, two national organizations started the process of developing national security standards. The American Society of Industrial Security, now known as ASIS International, and the National Fire Protection Association (NFPA) both established committees that were charged with the task of identifying the types of security standards needed and writing them. Subsequently, ASIS International has published several guidelines, including the General Security Risk Assessment Guideline, Private Security Officer Selection and Training Guideline, and numerous others. The NFPA published two guidelines, NFPA 730 and 731, which recommend a variety of minimal security measures in a number of business settings and guidelines for the installation of security equipment, respectively.
“Standards” versus “Guidelines” The difference between standards and guidelines is to some degree a matter of semantics, and yet, there are important distinctions between them. A standard usually refers to an adopted standard of practice for the construction, design, use, or application of a product or service. For example, there are national standards for the manufacturing of certain types of locking devices.
278
Strategic Security Management
An adopted standard usually goes through a time-consuming consensussetting process in which all interested parties have input on the content. Words such as “shall” are frequently used. Standards can be and are often adopted by municipalities in codes or ordinances, such as a building code, and as such they become law. Guidelines are generally less restrictive than standards, using language such as “it is recommended” or “courses of action may include.” By definition, guidelines are meant to provide guidance to the end user, the private business owner, or manager who needs help in identifying options that may be available for a certain type of application. The legal implications of a standard versus a guideline can be somewhat blurry. While a standard is developed over a longer period of time and goes through a more rigorous process, the effect in the courtroom of invoking standards or guidelines is not likely to be very different. For the plaintiff who is introducing a guideline, the objective is to show a jury that the defendant company should arguably have followed a certain business practice in this case. The alleged failure to adhere to that practice or guideline becomes evidence of negligence in most jurisdictions. Standards are a measure of a security program, but they should not in themselves be taken as proof of a program’s adequacy. And conversely, the failure to comply with a standard does not necessarily translate into liability. Standards need to allow for variation not previously anticipated such as an emerging threat or crime trend.
The Rationale for National Standards At least two views have emerged on whether standards or guidelines that attempt to regulate the security of private organizations should be adopted. The more conservative view is that no standards or guidelines can be written to fit all circumstances. The “one-size-does-not-fit-all” argument has been made numerous times, including during the early 1990s ASTM effort. However, this argument is misleading. It fails to recognize that any size organization can undertake many efforts to improve the quality of its security program. The more progressive view on standards development is that they are necessary to ensure a higher level of professionalism within the security industry and to render a more consistent approach to the provision of security measures in any private-sector application. Security standards or guidelines can be written to apply in any given setting or circumstances.
Security Risk Assessments Conducting a security risk assessment of a facility is a common practice that helps managers identify crime risks and other threats (e.g., natural disasters) to the organization and the various options available to address those risks.
Premises Security Liability
279
These evaluations typically include physical surveys of the property and a review of the practices and procedures followed at the management level. The areas covered include crime risk analysis, management practices, access control/physical security measures, and security staffing/administration. ASIS International developed the General Security Risk Assessment Guideline to establish a standardized approach to conducting security risk assessments. Regardless of the application or the business or organization type, there is a long-recognized, logical method of analyzing security risks and identifying the options available to manage security-related problems. The Guideline is described as being “applicable in any environment where people and/or assets are at risk for a security-related incident or event that may result in human death, injury, or loss of an asset,” The phrase “a securityrelated incident or event” is not limited to criminal activity. It also includes natural disasters, war, and other activities that could result in loss of life or property. The Guideline is a “seven step process that creates a methodology for security professionals by which security risks at a specific location can be identified and communicated, along with appropriate solutions.” It also includes definitions, a flowchart, appendices, and a bibliography. The Guideline’s sevenstep framework for conducting a security risk assessment is broken down as follows:
Understand the Organization and Identify the People and Assets at Risk The first objective for a security practitioner in the risk assessment process is to understand the nature of the organization being evaluated, including its peculiarities, business purpose, methods of operating, and corporate goals. In addition, the nature of the assets and the type of people at risk are essential pieces of information in a proper risk assessment. The Guideline’s appendices include two sections: a qualitative approach to risk assessment and a quantitative approach. In the first appendix which addresses the qualitative approach that will be described further in this article, numerous examples are used to illustrate such issues as what constitutes an “asset” or the type of “people” that the practitioner should consider when making the assessment.
Specify Loss Risk Events/Vulnerabilities The Guideline defines risks or threats as “those incidents likely to occur at a site, either due to a history of such events or circumstances in the local environment. They can also be based on the intrinsic value of assets housed or present at a facility or event.” For clarification of this definition, the reader can again refer to the appendices. For example, the concept of “loss risk” events includes prior crimes at the site or in the immediate vicinity and crimes that may be common to that type of industry (e.g., robberies in convenience stores
280
Strategic Security Management
or burglaries in apartment communities). Loss risk events are not just crimeor security-related problems. They also include noncriminal events such as human-made or natural disasters such as storms, power outages, and labor disputes.
Establish the Probability of Loss Risk Events and Frequency of Events In establishing the probability of loss, one should consider such factors as prior incidents, trends, warnings, and threats. The probability is not based on mathematical certainty, but is simply a consideration of the likelihood that an event will occur, based on historical data, events at similar establishments, and so forth. For instance, it is well known within the industry that convenience stores are targets for armed robbery. This is primarily because they are cash businesses, often are open 24 hours a day, frequently have only one clerk, and commonly are located at major intersections that offer more escape routes for the criminal. The security practitioner would take this “inherent risk” into account when assessing the probability of future robberies in similar establishments and would provide the appropriate recommendations.
Determine the Impact of the Events The impact of an event refers to financial, psychological, and other related costs incurred by an organization. “Other related costs” may not be so obvious. The appendix to the General Security Risk Assessment Guideline describes a number of issues raised by certain loss events, such as negative media coverage, poor consumer perception, inability to obtain insurance coverage (e.g., in the wake of the recent terrorist attacks), or poor employee morale which affects worker productivity.
Develop Options to Mitigate Risks It is understood and accepted within the security industry that one cannot eliminate all risks or prevent all losses. Frequently, however, several options or security solutions can be applied to the same set of factors. Examples of security solutions include staffing, security equipment (e.g., card access systems, closed circuit television cameras, alarms, lighting, and locks), transference of financial risk of loss through insurance coverage, indemnification agreements with security service providers, and a number of creative approaches to address a problem. Security solutions often involve a compromise arising out of the long-standing conflict between security and “convenience.” Convenience is the argument that “We have always been doing it that way, and it wouldn’t be convenient to change the way we operate.” The example of forcing employees to use a single entrance to a facility to enhance access control illustrates the problem.
Premises Security Liability
281
Study the Feasibility of Implementing Options The questions are whether the security measures available are feasible for an organization and whether the measures would substantially interfere with the organization’s operation. If they do substantially interfere, the security measures may not be practical. As an absurd example, if a retail store had severe shoplifting problems, one possible “solution” would be to simply lock the doors of the store. In doing so, the shoplifters would be prevented from stealing the merchandise. Of course, legitimate shoppers would also be prevented from purchasing the merchandise, and the store would go out of business. The “solution” here would obviously substantially interfere with the operation.
Perform a Cost-Benefit Analysis Security measures should be proportional to the risks against which they are designed to protect. The impact of a loss that involves the death or injury of people can be substantial in a variety of ways from the obvious emotional costs to the economic harm caused by the loss of key employees. On the other hand, some property losses are more bearable than others, and, as such, the security practitioner would be expected to compare the cost of the various options against the cost of the loss. While many people would insist that no cost is too great to save a human life, most would also concede that it makes no sense to spend $100,000 on security equipment to prevent the loss of $1,000 of property.
Hypothetical Parking Garage Assault/Robbery The Facts: Two elderly women are walking to their car on the fourth floor of a garage in a downtown location on a Saturday afternoon. Shortly after they arrive at the vehicle, a tall male approaches the driver as she opens the door. He grabs her handbag, and in the struggle she falls to the ground breaking her hip. The other woman comes to her aid and is slightly injured in the process. An action is pursued on behalf of the women. Is the level of security in the garage at the time of the incident adequate? Applying the risk analysis approach to this problem raises the following issues and questions. 1. What are the assets of the garage? Two categories will usually arise— people and property. In this situation, the “people” are employees of the garage and patrons or other lawful visitors. We already know that the “asset” is the patron, so now the potential threats/risks must be identified. 2. What are the risks? In this environment, the obvious risks to a patron include robbery, assault, and theft of property. To the employees, similar risks exist due to the presence of cash on the site.
282
Strategic Security Management
3. What is the probability of loss and the frequency of exposure? The frequency of exposure is simple. Every time a patron enters the garage, there is a theoretical exposure. In this hypothetical, the garage is open to the public seven days a week from 7:00 a.m. to 11:00 p.m. The exposure to the particular threat, therefore, is during business hours only. The probability of loss is more difficult. Probability is based on the same concepts as foreseeability, and, as such, one factor (there are many) would be the existence of prior crime at this facility. In this example, the garage has a history of numerous thefts and damage to parked vehicles showing a presence of criminal activity inside the facility. There have also been a few robberies and assaults during a threeyear period prior to the incident. Given the history of crime and location of the garage in an urban setting, it is more probable than not that an incident such as this could occur. 4. What is the impact of such a loss (injury)? In this instance, the damages incurred by the patrons and the cost of negative publicity and litigation all make this type of loss substantial and should be weighed when considering possible solutions to prevent the risk from occurring. 5. What potential solutions could have been used to prevent this crime? Simply controlling access to the facility and patrolling the interior spaces where patrons are exposed are the most logical solutions. 6. Is it feasible to use access controls and patrol? Do the solutions substantially impair the normal operation of the facility? If not, then they may be feasible. In contrast, the doors could be closed and crime eliminated, but then the garage would be out of business, making this “solution” not feasible. 7. What is the cost versus benefit (burden of the defendant)? In this hypothetical, the garage had only one security officer on duty at the time of the assault. During regular business hours, Monday through Friday, two security officers were on duty. The question remaining is—Was it feasible and cost effective to have a second security officer on duty when the assault occurred? Since there is no interference with the operation of the facility, the remaining issue is one of cost. Based on the cash flow of the garage, the business could well afford the minor expense of a second security officer, and thus the burden to the defendant was slight.
Conclusion There is an acute public awareness of the right to seek civil recovery for injuries sustained as a result of a criminal act committed by a third party or as
Premises Security Liability
283
a result of the misconduct of an employee. However, the right to sue does not necessarily automatically translate into the fault of the property owner. Effective security planning goes beyond the establishment of a security program to protect employees, customers, and others from crime. Effective planning to reduce an organization’s risk of liability includes consideration of the issues discussed in this chapter. Furthermore, documentation, consistency, and follow-through are essential to ensure that a liability prevention program works.
Sources Cited ASIS International. (2003). General Security Risk Assessment Guideline. Alexandria, VA: ASIS International. Bates, Norman D. (2004). Major Developments in Premises Security Liability III. Bates, Norman D. (2003, Fall). “Recent Developments in Nationwide Security Standards: The General Security Risk Assessment Guideline.” Victim Advocate 4(2). Bates, Norman D. (1990, July). “Understanding the Liability of Negligent Hiring.” Security Management.
This page intentionally left blank
Chapter 15
Forensic Security Charles A. Sennewald
In this chapter . . .
Premises Liability Matters Tortious Conduct Qualifications for Forensic Security Consulting Strategies to Market One’s Forensic Practice The Retention Process Assessing the File The Consultant Forms a Supportive Opinion Security Premises Liability Forensic Consulting The Defense Expert’s Opinions
Consulting in the security and loss prevention industry is generally divided into three major categories: security management consulting, technical security consulting, and forensic security consulting. The categories are not exclusive as such but represent the principal focus of one’s consulting practice. Examples are as follows: security management consultants who work primarily with corporate management in assessing existing protection programs and make recommendations for more cost-effective and improved operations may (and do) serve as experts in litigation because of their experience and depth of knowledge about such matters as policy and procedures. Technical security consultants, typically engineering oriented practitioners who design protection systems, also may serve from time to time as forensic consultants in a lawsuit that deals with the adequacy or inadequacy of a security system, which allegedly failed. Forensic security consultants typically commenced their consulting careers as management or technical specialists and gravitated to this forensic category, more often than not, because of recognized strengths in the demands of this specialty. These strengths are discussed later in this chapter.
285
286
Strategic Security Management
If one could compress the definition that best describes a forensic security consultant’s work, it would be the engagement in liability litigation, the reactive side of security consulting. Whereas the management consultant’s work is proactive, that is, developing, modifying, or improving a security program to prevent loss or crime, and whereas the technical consultant designs or modifies a security system, such as a closed circuit television surveillance system or access control system aimed at preventing unauthorized entry or other crimes, is also proactive, the work of the forensic consultant is reactive; his expertise is called into play because an unwanted event has already occurred. The forensic consultant’s task is to analyze what went wrong, after the fact, and to arrive at an opinion as to civil liability. There are two types of lawsuits that require the expertise of a security consultant: 1. Premise liability cases, typically involving third-party crimes. 2. Alleged tortious conduct by a security or loss prevention practitioner or other defendant/s engaged in security or loss prevention practices.
Premises Liability Matters Premises liability lawsuits that revolve around security issues are typically the result of a third-party crime. For clarification: the first party is the owner/manager of the property on which the crime occurred; the second party is an invitee or person who comes onto the property, like a customer who parks in a shopping center’s parking lot; and the third party is a person who attacks the invitee, that is, forces the woman customer into her car as she’s about to enter and drive away, and rapes the woman there in the lot, or drives her away and rapes her elsewhere. The victim then files a lawsuit against the shopping center for not having an adequate security program in place and not maintaining a safe environment for women to park and shop. The security consultant’s task is to determine if the security program was adequate. The issues that must be addressed and answered are as follows. 1. 2. 3. 4.
Was the event (the criminal attack) foreseeable? Did the shopping center have a duty to provide security? Was there a breach of that duty? If there was a breach of that duty, was the breach the proximate cause of the crime (and her injuries)? 5. As a result of the incident (rape), was the woman damaged (injured)? The consultant is obliged to address these issues. The issue of damages is the responsibility of a different type of an expert, such as a physician. How the consultant arrives at his opinions will follow later in this chapter.
Forensic Security
287
Tortious Conduct Lawsuits that claim tortious conduct allege negligence committed (or omitted) by the defendant. The example cited in Security Consulting, 3rd edition, is one in which a person was arrested by a loss prevention agent for shoplifting, and then the agent subsequently released the shoplifter after obtaining a written admission of guilt. The party alleges that he didn’t steal anything and that he was falsely accused of shoplifting, but he was released after being forced to sign a statement admitting guilt. The party claims he was told the police would be summoned and he would be jailed if he did not sign the admission. The consultant’s task in this type of lawsuit is to determine the answers to such questions as: 1. Was the loss prevention agent who made the stop adequately trained? 2. Did the person unlawfully remove merchandise from the store? 3. Was the stopping of the customer appropriate under the circumstances? 4. Did the agent comply with written policy and procedures? 5. Were there other witnesses besides the arresting agent? 6. Were there witnesses to the admission in the store’s office and to the preparation and signing of the statement admitting theft? 7. Was merchandise recovered and then returned to stock? 8. Is such a return documented? 9. Was the event memorialized? The list of alleged tortious acts committed in the private sector (apart from police/law enforcement conduct) includes, but is not limited to:
Excessive use of force by nightclub “door hosts” (bouncers) by retail loss prevention agents in making detentions of shoplifters by security officers at major “events” (concerts, ballgames, etc.) and so on. “Invasion of privacy” by loss prevention officers monitoring dressing rooms by employees surreptitiously viewing into ladies restrooms by employees surreptitiously viewing into motel/guest rooms and so on. Wrongful terminations based on alleged poor security investigations
288
Strategic Security Management
based on alleged entrapment based on alleged unsubstantiated information and so on
Clearly, there is a huge arena from which complaints develop and subsequently drive lawsuits. And, clearly, expertise is required to sort out which claims have merit and which ones do not. The conclusion of this “sorting out” process, the consultant’s final determination, is known as the expert’s “opinion” or “opinions.” That brings us to the question of who is qualified to make such determinations. Who is qualified to arrive at such momentous “opinions” that are allowed to be expressed, under oath, in our courts of law?
Qualifications for Forensic Security Consulting On first blush it would appear an easy matter for one to distinguish between an expert in a given field and someone who is not. But it is not! You be the judge. You’re sitting on the jury in a “false arrest” lawsuit against a major retailer in civil trial. The plaintiff has her expert, and the store (the defendant) has an expert. The court rarely declares an expert unworthy of that designation; he or she leaves the decision up to the jury, and they will decide which expert to rely on in their ultimate decision. The plaintiff ’s expert informs the jury that his qualifications are as follows: I’m the retired chief of police. I served as a police officer for 33 years, the last 10 of which I was the chief. I had 321 police officers at my command, and I was directly responsible for their training. Every shoplifter ever arrested in this city required my officers to respond and investigate to insure there was a lawful arrest. I saw to it that their training qualified them to do so. We cannot rely on private store detectives to fully understand our laws of this state, nor can we allow them to enforce the laws. My staff makes the lawful arrests. Private store detectives only make detentions. I and my officers have been responsible for many thousands of shoplifting arrests in this city. I consider myself an expert in shoplifting. The defendant’s expert informs the jury of his qualifications as follows: I’m an independent security consultant and have been so engaged for 20 years. Prior to becoming a consultant I was the security director for the World Department Stores for 5 years and before that the assistant director for 13 years. Prior to working in the retail security industry I was a police officer. I understand the law and what the law requires with respect to shoplifting detentions and arrests. I have consulted with 30 different nationally known retailers across the land and helped them develop proper policy and proce-
Forensic Security
289
dures for dealing with shoplifters. I have developed structured training programs for store detectives. I have personally trained and worked with store detectives. I have written several articles and one book on shoplifting. I have personally reviewed thousands of shoplifting arrests in my career. I’m recognized in the security and loss prevention industry as an expert on shoplifting. Which witness is an “expert” in shoplifting? The chief of police makes a persuasive case to support his claim of expertise, as do thousands of others, but in truth, the poor chief is no more an expert in shoplifting than his wife, who happens to be a school math teacher. The point is: in the real world of courtroom litigation, expertise, like beauty, is in the eyes of the beholder. One can manage one’s history and work experience to suit the needs of the moment. And, regrettably, it’s an abuse prevalent in our court system. That said, and because there are no specific guidelines or written criteria about which defines the qualifications, this author submits the following: A forensic security consultant must have sufficient experience and credentials connected with the expertise in which she or he claims, including but not limited to:
First-hand line or first-level supervisory experience in the specific subject area (shoplifting detection). Management responsibilities in the specific subject area (retail loss prevention managerial position). Structured training and/or formal education in the general subject area (seminars in and for LP industry/BA or BS degree in Security Management or Criminal Justice). Classroom instructor or seminar presenter experience in the general subject area (college instructor or seminar presenter in security/law enforcement). Authored publications that address the specific subject area or at least in the general subject area (security/loss prevention industry/trade magazine articles or publication on the industry in other publications. Book authorship). Experience as a security management or technical consultant conducting surveys/assessments of organizations or institutions whose affairs touch on the general subject area (retailers, or a museum or a hospital with a gift shop) and making recommendations based on the findings. Experience as a percipient witness in criminal trials. Experience as an expert witness in civil trials.
290
Strategic Security Management
Granted, not every security expert, especially those relatively new to the consulting profession, can or will have all of the specified areas of experience listed here, but if one was to attach points to each area listed, the higher the score the better, and, although it’s unspoken, the higher the score, the higher the fee the expert can demand.
Daubert Factors Two Supreme Court cases guide the use of expert testimony in court proceedings: Daubert v. Merrell Dow Pharmaceuticals, 509 US 579 (1993) and Kumho Tire Company, Ltd v. Patrick Carmichael, 119 S.Ct. 1167 (1999). The Kumho case made the Daubert applicable to nonscientific testimony. Commonly referred to as the Daubert Factors, the questions asked by the court include:
Can the relied upon theory/technique be tested and has it been tested? Has it been subjected to peer review and publication? What are the known or potential error rates? What is the degree of the theory/technique’s acceptance within the relevant field?
Strategies to Market One’s Forensic Practice Authorship In view of the foregoing, it should be apparent that the more one enhances one’s credentials, the more marketable they become. The primary building block is the work experience. Clearly, if one is to be a forensic consultant/expert witness in the general area of “shopping centers” or “parking lot crimes,” one must have worked where either of those issues was a work-a-day reality and the consultant had clear involvement in and/or responsibility for crime prevention or security in that environment (i.e., was an employee of a shopping center management company or worked for an anchor store in a center). Interestingly, one’s effort to enhance one’s credentials can simultaneously prove to be a marketing tool. For example, each time a consultant writes an article, that very article can be a vehicle or instrument leading to an assignment. I personally have been specifically retained as an expert based on what I’ve published. The security consultant’s work is invariably connected with crime, one way or another, and articles about crime are welcomed by many publications. The very title of an article can attract attention and eventual acceptance. “Are Shopping Centers Really Safe at Night?” can prove irresistible for a “sexy” inside story. Law firms with a new client and matter involving a victim of a crime in the parking lot of a shopping center typically launch a search for as much information as feasible, looking for similar events and seeking the expert who might
Forensic Security
291
contribute to their cause of action. The more one writes, the more one adds to the portfolio of credentials that enhances one’s reputation and attracts business.
Public Speaking The same is true for public presentations. Most service clubs are always looking for interesting speakers. Speakers who can discuss crime (assuming one can speak well) get invited to speak at other venues. It’s a cheap way to expose one’s knowledge in one’s specialized area and add to one’s professional portfolio. Speaking within the industry is another form of exposure and recognition as an “expert.”Certainly, one should seek opportunities to speak at the local, county, or state bar association’s luncheons or meetings.
Advertising Most, if not all, major metropolitan cities have business and legal journals. One should advertise, even if it’s just a classified ad. Each state has a state bar association magazine. Research those states in which you have an interest, see the kinds of expert witness ads, and consider placing your own ad in one or more. There are also a couple of very reputable national legal journals. Indeed, I advertised in one as a “Parking Lot Crime Expert” very early in my career, and it brought me assignments in various states across the country.
Website All consultants should have their own professional website that markets their services. I would suspect that more talent is found on Internet searches today than through any other single source of information. Caution: the website must be professionally prepared.
Professional Referrals Consultants have little control over this particular area, other than to fully understand and be aware of the fact that the quality of work in assisting counsel in preparing for trial, and workup for and effectiveness of deposition testimony and actual trial testimony, can provide a priceless advantage in obtaining more work. Lawyers share information, good and bad, and if you’re good, you’ll get work.
Prior Testimony Referred to in Appellate Decisions Case law changes resulting from a security consultant’s testimony can also increase the likelihood of increasing your forensic practice. By the same token, mistakes you make can be referred to in court opinions and can hamper your forensic practice.
292
Strategic Security Management
The Retention Process The overwhelming percentage of contacts by an attorney seeking an expert is made by phone. Attorneys want to hear the expert’s voice, how he or she articulates, how he or she constructs and expresses thoughts. Attorneys will identify themselves, and their firm, and explain that they represent either the plaintiff or defendant/s, name them, and ask if there is any possible conflict of interest with any of those parties. Then he’ll ask if the expert has expertise in, for example, “use of force.” If the answer is yes, the attorney typically will give a brief scenario of the event that is driving the lawsuit. For example: I represent a nightclub, called Heaven’s Lounge. A patron became intoxicated and abusive and our security people asked him to leave. He responded by striking the doorman with a beer bottle, crushing his nose. The other security people seized him and while they were escorting him away from the bar and gathering crowd, to hold him in the office for the police, they all fell and that fall resulted in the patron breaking his neck. He’s now paralyzed. Do you have experience in nightclub security and the use of force? If so would you be interested in assisting us? If the consultant recognizes that he or she does not have the requisite expertise needed in this lawsuit, it must be disclosed at this time. It calls for this kind of response: I’m sorry, I’m not qualified to assist in this particular action; my expertise in the use of force is limited to apprehensions that are being made of retail customers suspected of theft, an entirely different environment than that of nightclubs, rife with wine, women, and song. But I do know a couple other consultants who have experience in cocktail lounge, bar, and nightclub settings and I’d be happy to refer you to them. So this rejection of involvement has nothing to do with the merit of the case. On occasion an attorney will describe a scenario that the consultant may reject off-hand, because he or she feels it lacks merit. For example, I was contacted by an attorney defending a national drug store chain that was being sued by an elderly lady for “excessive use of force” by the loss prevention agent. The old lady had been observed stealing a pack of cigarettes. She was escorted up the stairs to the office for processing. It was very difficult for her to ascend the stairs; she had asthma, and the exertion of the climb affected her breathing to the point that she and the agent had to stop a number of times for her to catch her breath. Once in the office, the agent handcuffed her. It was this handcuffing that drove her to file the lawsuit and was the heart of the case. I told the attorney that I couldn’t help him; I would never look the jury in the eye and tell them that handcuffing this old lady was necessary or appropriate, company
Forensic Security
293
policy notwithstanding. He thanked me, and that job went out the window. And I’d turn it down again. If the consultant claims expertise, he will most likely be asked if he has been involved in similar lawsuits and to identify them. Some continued interest is evident if the attorney asks for a copy of the consultant’s CV and fee schedule (which includes the amount of the retainer required. If the consultant is interested in the case and believes it may be meritorious, and feels he can competently address the various issues inherent in this case, as represented by the attorney, he will send the requested documents as either U.S. mail, fax, or e-mail attachment. One note of caution here: the attorney is an advocate and may (and often does) provide a one-sided and not particularly objective recital of the case facts. Some careful questioning of the attorney is appropriate here if there’s the slightest doubt, and a statement by the consultant that the case as presented sounds meritorious should be qualified by stating that that belief is based on the attorney’s representations (i.e., “Based on your representation, Mr. Miller, the case sounds meritorious”). The attorney must obtain authority to retain a given consultant, and in defense cases the decision comes from the insurance carrier (unless a company or entity is self insured). Upon approval of the retention, the attorney sends the consultant a letter stating that the relationship now exists (or words to that effect) and that the retainer check is included in the letter. In plaintiff matters, the attorney may or may not seek his client’s permission to retain and incur the requisite expense, depending on his relationship with his client. Following the receipt of the letter of retention and retainer, the various and many times numerous documents pertaining to the issue of liability arrive, and the forensic consultant can open the case file.
Assessing the File The documents and records initially forwarded by the law firm may or may not be complete. Many times the consultant must request additional material. Following is a sampling of documents that might comprise the file, as it pertains to the case involving Heaven’s Lounge:
A copy of the complaint or most recent amended complaint The answer to the complaint A copy of the police report memorializing the incident Copies of any reports generated by defendant’s employees following the incident. Any follow-up investigative reports by police detectives All legal “moving documents” (motions) exchanged between law firms (e.g., requests for production and response to request for production, interrogatories, etc.)
294
Strategic Security Management
Copies of all depositions so far taken (as they pertain to liability, not damages), including the plaintiff ’s and plaintiff ’s expert witness In this Heaven’s Lounge case (a security negligence case), the security officer’s personnel file including all records pertaining to his training A copy of the security department or company’s (Heaven’s Lounge) security policy and procedure manual A copy of the security department or company’s training manual and training materials Photographs of the interior of the nightclub, including the location where the fall occurred A schematic or diagram of the nightclub’s interior Statements of all participants in and witnesses to the event in question A copy of the 911 call reflecting timeline A copy of the ER (emergency room) report A copy of the local police “calls for service” printout Copies of all prior police reports generated as a consequence of a call for their presence, and/or a report of all known crimes at the location for the three-year period prior to the incident in question Records of all employees who attended training classes for early detection of excessive consumption of alcohol Any videotapes that may have captured the event or portions of the event Copies of any reports and/or complaints against the defendant to the state licensing agency prior to the incident Any other documents the consultant identifies as being of value in the defense of the lounge. For example, review of the deposition testimony of one of the lounge or door hosts (security personnel) disclosed a statement that the number of “hosts” in this lounge far exceeded that of a neighboring lounge. Various documents pertaining to the other lounge and a comparison of the two could be insightful.
As the forensic consultant reviews the file, he or she is progressively developing an opinion as to the merits of the plaintiff ’s complaint against the merits of the defense. If, during the review, the consultant begins to feel he cannot support the Lounge’s theory of defense (i.e. the lounge was most likely negligent because of its failure to properly train its security staff, or the hosts failed to use reasonable care and used excessive force), the consultant must stop all further work and report his findings/suspicions to the attorney managing the file. Notice: this is perhaps the most valuable message in the chapter. Bear this in mind at all times: the forensic security consultant’s role and mission is not
Forensic Security
295
to buttress his or her client’s case, but rather, to make an objective assessment, arrive at an objective opinion, and share that opinion, with (1) the client, and if it’s supportive of the client’s position, (2) both adversarial parties, and (3) the deciders of the fact (i.e., the court and/or the jury). Those expert witnesses who become advocates for their clients lose respect in the legal profession. While this tactic can generate substantial income for a while, but in the long run they suffer the fate of having no gedibility. Following is a classic example of a plaintiff ’s expert who became a disreputable witness: The lawsuit was aimed at a department store inside of which an armored car employee, who was delivering and picking up funds from the cashier’s office, was accosted by two robbers, was shot to death, and the “coal bag” was stolen. The widow of the deceased armored car employee filed an action against the store with three “causes of action”: (1) store detectives had observed the robbers before the crime and should have ejected them for loitering (they were in the store for over a half hour and made no purchases); (2) store detectives should have been armed because their job deals with crime and apprehending criminals; and (3) the store arranged for the armored car service to come at a regular time, making the robbery easy (i.e., the store should have had unpredictable and random pickups). The security expert for the plaintiff was a college professor who taught criminology and criminal justice courses. I was the expert for the store. I testified in deposition that (1) so-called loitering is not unusual in large stores; many people “window shop,” browse, kill time waiting for someone else shopping elsewhere in a big store, and ejecting customers who spend time inside a department store, unless some untoward act is committed, is highly unusual; (2) store detectives throughout the United States do not carry guns, period, and in virtually every state store detectives who might carry weapons would be in violation of gun laws to do so; and (3) all armored car pickup schedules are routinely established to occur at a specified time, it’s the orderly nature of the relationship between the armored car business and its customers, and a pickup must be subsequent to the preparation required to have a deposit ready to go. The defense attorney felt that his position, as supported by my deposition testimony, was so obvious and of such general knowledge and belief that he opted not to call me to testify in trial. The plaintiff ’s expert did testify, and his opinion was diametrically opposed to mine. Because I wasn’t scheduled to appear, I went out of town. The defense couldn’t contact me to come in and rebut the professor’s ludicrous position. The jury found for the plaintiff! This was a colossal strategic error by the defense counsel, but more importantly, in context of this writing, there are those who will take a position, any position, to satisfy the one who pays them. Their actions become obutoris as being based on a pay check rather than an expect opinion. And clearly there’s another message in this vignette: experts’ opinions can prove critical in the litigation process. When the consultant finds that he or she cannot proceed on a file (which is not common because the case is “screened” and discussed by phone prior to
296
Strategic Security Management
the retention) and then becomes the bearer of bad news back to the client, one of three things will happen: 1. In defense cases, the attorney may not be happy but will be grateful for the candor, terminate the relationship, and seek out another expert who may have a different view of the case. 2. In plaintiff cases, the attorney may be very unhappy because he and/or his client must bear the expense, and bad news just means the costs have increased. 3. Again in defense cases, the attorney may be happy to have the professional support of an expert because the attorney was of the same opinion, who felt the case was not defensible but was obliged to proceed at the behest of his client, the insurance carrier. The attorney will then be in a better position to urge that the matter settle or otherwise be disposed of. Happy or unhappy as the attorney may be, the issue is really the professional reputation of the consultant. Trial lawyers work and live in a win or lose world. A lawyer’s success is measured by wins (favorable settlements are jury awards). Consultants work in a credibility world; for them success is measured in terms of one’s reputation.
Keys to Success
Only use theories that have been tested. Specify known error rates—this is difficult in the security field since it’s nonscientific, but some factors might be scientific or mathematical. Use peer-reviewed and published sources. Use methods that are generally accepted in the security industry.
The Consultant Forms a Supportive Opinion Once the consultant has reached a supportive opinion, some jurisdictions, the federal court system for example, require that the opinion be reduced to writing, each opinion be identified, and all reference and resource materials relied upon in arriving at such opinion be identified. An opinion could be that use of force in the apprehension of a shoplifter was reasonable and in keeping with industry standards, per written company policy. Some states have a similar requirement. The written opinion, in the form of a letter, report, affidavit, or declaration is then provided to the opposing counsel. Next, the opinion is evaluated, and
Forensic Security
297
if the lawsuit advances, the opposing counsel will use that document to prepare for the oral disposition. The deposition is that form of discovery by which the opposing side can learn of the expert’s opinion first hand, prior to that opinion being shared in trial. It’s not uncommon for an expert’s opinion to be so persuasive as to merit or lack of merit that a settlement is achieved and trial is avoided. Typically, those present at a deposition include the opposing attorney, who does the interrogation, the attorney you are assisting, a court reporter who records every word spoken, and any others deemed appropriate by either counsel. In recent years there’s been an increasing trend to have a videographer tape the deposition to capture not only the event, and to ensure its availability in the event of the witness’s death (or other reasons for not being present in court) and, to a lesser extent, to study for any interesting or unusual characteristics of the witness that might be exploited while in trial. On occasion, the consultant/ expert on the opposing side may sit in. The testimony offered at the deposition is given under oath much as though the witness was in a court of law. The results are printed and bound, and the witness is obliged to read and correct any errors. Changes to the testimony may be challenged in front of the jury. Once it’s reviewed, corrected, and signed, the testimony becomes an important document in trial. If the witness changes any answers in trial, the opposing attorney can impeach or otherwise attempt to impeach the witness, or otherwise raise some question in the juror’s minds about the witness’s objectivity and credibility. If the matter is not settled following all discovery, the matter will go to trial. The plaintiff puts on his or her case first, including the testimony of their witness. The defense then puts on its case and expert. Trial testimony is where the “proof is in the taste of the pudding” or “where the rubber meets the road.” True professionalism, best exhibited by appearance, articulation, clear objectivity, self-confidence, mastery of the material in the file, and the event in question can contribute to the success of the case. Once the testimony is concluded and the witness is excused by the court, the expert should thank the court, leave the stand, and promptly exit the courtroom and, in my view, the courthouse itself. An otherwise impressive presentation from the witness stand could be tainted if the jury were to take a recess and discover the expert hanging around to talk to counsel, hence demonstrating a personal and/or lingering interest in the matter.
Security Premises Liability Forensic Consulting The reader should understand that there are various types of premises liability cases that have nothing to do with security. For example, if a construction company digs a hole in the parking lot and fails to cover or otherwise
298
Strategic Security Management
prevent people (or vehicles) from falling into that hole, and someone is consequently injured, it’s most likely that a “premises liability” suit will follow. Those kinds of cases are commonly called personal injury suits. Our interest is focused on incidents in which the injury was caused by a crime committed by a known or unknown third party and in which the crime commenced or occurred completely on someone’s property other than the victim’s property. The examples given earlier in this chapter were of security negligence cases. Of course, much of what we do is common to both types of security-related litigation (i.e., the process of retention); as much of the documentation is similar as well as the dealing with and exposing the opinion/s formed. The primary difference between the two has to do with the first three of the five elements necessary for a successful premises liability lawsuit. Here they are again, to put them into proper perspective. Was the event (the criminal attack) foreseeable? Did the shopping center have a duty to provide security? Was there a breach of that duty? If there was a breach of that duty, was the breach the proximate cause of the crime (and her injuries)? As a result of the incident (rape), was the woman damaged (injured)? Let’s use the following actual crime as a point of reference: In December during a particularly cold winter, where the temperatures were below zero, a customer happened to observe a car parked in the mall parking lot containing a woman who appeared dead, seated in her car behind the steering wheel, with her right leg propped-up on the dash board. Time of discovery was 11:00 a.m. The customer ran into the mall, reporting his sighting to the first security officer he found. Two security officers ran outside and discovered the condition, and noted that the woman was frozen solid. The police and paramedics were summoned. The forensic security consultant retained to assist in the defense of this shopping center followed the strategy of gathering and analyzing all available information so as to arrive at an opinion. Was the mall liable for this terrible crime? In recognition of the magnitude of such cases, the International Association of Professional Security Consultants formed a committee to develop a methodology for the best practice to follow in determining liability. Here is that Best Practice in its entirety. As the reader reads through this methodology, he or she should consider how such documentation and action can contribute to gathering the answers to obvious questions and how the answers can lead to the formation of an opinion.
Forensic Security
299
IAPSC Forensic Methodology Best Practice # 2: FORENSIC METHODOLOGY June 2000 The International Association of Professional Security Consultants is issuing this consensus-based and peer-reviewed Best Practice for the guidance of and voluntary use by businesses and individuals who deal or may deal with the issues addressed herein. POSITION STATEMENT The International Association of Professional Security Consultants does hereby recognize that, on occasion, its members will be called upon to perform as “Forensic Consultants” and serve as “Expert Witnesses” in a court of law. It should be recognized that the Forensic Consultant’s task is one of education. The consultant will provide his opinion(s) to the client, to opposing counsel during deposition, in response to written interrogatories, in required reports, and to the judge and jury at trial or in any other lawfully convened hearing. This is done with the goal of making others aware of the security issues and leading to a just and proper conclusion of the litigation. The responsibility of the Forensic Consultant lies with our system of justice and the ethics of the security profession. The Forensic Consultant is to be totally independent of any outside pressures or financial considerations conceived to influence the consultant’s evaluation of the case at issue. The Forensic Consultant will at all times be forthright, honest and precise in evolving the ultimate conclusion(s) and opinion(s). The opinion will be the result of a review of all documentation, discovery material, site inspections and testing procedures presented by all parties to the litigation. The following is to be used in a typical premises security case. It is reasonable to expect variations of the steps, and some steps deleted and others added as the facts and circumstances of the cases warrant. I.
RISK ASSESSMENT A. Review all relevant material that provides information on the premises and surrounding area. 1. Discovery a. Interrogatories b. Requests for production c. Affidavits d. Expert witness reports e. Depositions f. Interviews 2. Police a. Calls for Service (grid report) b. Reports of relevant crimes on the premises (three to five years prior to the date of the incident)
300
Strategic Security Management
c. Reports of relevant crimes in the surrounding area (two to three years prior to the date of the incident) d. Other relevant crime history information 3. Media 4. Other sources B. Inspect site where the incident occurred and the surrounding relevant area. 1. Determine layout of the premises. 2. Evaluate relevant factors (lighting, lines of sight, places of concealment, remoteness, accessibility, security measures, conditions, etc.) 3. Interview those with knowledge of the incident and/or the premises/surrounding area (this is often covered in depositions, police interviews and private investigators’ investigations). 4. Review relevant documentation (lease, contract, diagram, map, etc.). 5. Assess the characteristics of the surrounding area. C. Analyze incident. 1. Police report 2. Proprietary incident report 3. Discovery information (see IA1 above) 4. Medical records (emergency room and/or autopsy) 5. Media information 6. Assess for corroboration of plaintiff’s story and how the incident occurred. II. SECURITY SURVEY Conduct an extensive physical survey of the scene of the incident and areas/functions that are applicable to the incident to achieve a meaningful understanding of information that has potential application. A. Security Personnel 1. Review security officer(s) actions, staffing levels, post orders, duty hours, equipment provided, tours, evaluations, training, hiring procedures and supervision. 2. Review law enforcement presence and action, 3. Review roles and actions of nonsecurity-related persons who may have affected the security posture. 4. Assess the qualifications and performance of owner/management personnel. B. Security Program 1. Review security-related policies and procedures. 2. Review all risk assessments performed prior to the date of the incident. 3. Review security officer logs, job descriptions, incident reports, and internal correspondence. 4. Review security officer contract. 5. Review corporate security manuals.
Forensic Security
301
6. Review training manuals and materials. 7. Interview parties/review depositions regarding employees’ understanding of their duties, and all customs and undocumented practices. 8. Review changes to security prior to the incident. 9. Evaluate the qualifications and experience of security management and supervisory personnel. C. Security Equipment 1. Review building design and site plans. 2. Inspect all security devices related to the incident. 3. Inspect all structural security features. 4. Determine the position, function, and maintenance status of the relevant security equipment and features. 5. Determine level of illumination. III. ANALYSIS Determine the level of adequacy of security at the location of the incident on the date and at the time the incident occurred. This will be based on the information obtained in the risk assessment and security survey, and the application of a qualitative analysis based on experience, education, and training. IV. CONCLUSION Based on the analysis, reach conclusions on the issues of foreseeability, preventability, and causation (as used in the security profession). At this point, the expert has formed opinions and is prepared to provide a written report, be deposed, and/or testify at trial. V.
REPORT Write a report with opinions of foreseeability/preventability/causation when requested by counsel or required by the court. Include detailed bases of findings.
Following the Best Practice as closely as possible, the review disclosed the following facts: 1. The victim had died of a gunshot wound to her chest. 2. No purse was in the vehicle. 3. Purchases by the woman revealed receipts for purchases made the evening before; the last purchase was at 8:44 p.m. 4. The mall closed at 9:30 p.m. 5. A customer was located who happened to be conducting a transaction at an outside ATM, and the records reflect that transaction occurred at 9:33 p.m. That customer heard what he thought was a gunshot not far from his location, but not seeing anything unusual, he dismissed the thought.
302
Strategic Security Management
6. The victim’s auto was within 50 yards of the ATM. 7. The parking lot surrounded the enclosed shopping center, accommodating some 5,000 vehicles. 8. The extremely cold temperatures, despite the Christmas season, significantly reduced traffic and customer shopping, and witnesses claim there were very few autos in the lot. “It was too cold to go shopping.” 9. Four security officers were scheduled to work that afternoon/ evening, but only three reported for duty. The security staff is reduced to two men after the mall closes to the public. 10. According to mall management, one officer is assigned to patrol the lot, and the other three patrol the interior of the mall, until 10:00 p.m. After 10:00 p.m. the officers take turns patrolling outside. 11. There was no mechanical or electronic supervisory patrol system in place. The only control in place was a log onto which an officer was supposed to note his exterior patrol times. 12. There were entries in the log reflecting hourly patrols. 13. The security officers claimed they took turns patrolling the outside lots around the complex but simply failed to note anything unusual. 14. Patrol of the lot was done by foot because the patrol vehicle was being repaired. 15. Security officers claimed they had patrolled the lot continually until 10:00 p.m. and thereafter spent 30 minutes on exterior patrol, commencing each hour on the hour. 16. Patrol of the lot was deemed necessary because of prior incidents of vehicle theft, theft from vehicles, vandalism to vehicles, teens drinking and using dope in the lot, purse snatches from customers, incidents of indecent exposure, racing in the lot, and two prior robberies of customers (one by knife, one by what appeared to be a handgun). 17. Management of the lot had changed early in the year, and new management reduced the security budget by 15 percent, causing a reduction of the staff.
The Defense Expert’s Opinions “The woman, obviously the victim of a robbery, apparently entered her vehicle in preparation for leaving the parking lot when an assailant opened the passenger side door and demanded her purse. A struggle ensued, in which the victim attempted to kick the assailant and resulted in her being shot. The autopsy report reflects she became unconscious as a consequence of being
Forensic Security
303
struck by the bullet, the bullet wound was not fatal, but she froze to death. The shooting occurred at approximately 9:33 p.m. The robber took her purse, closed the door, and departed the scene. Security officers testified they took turns patrolling the parking lot and pointed to the shift log as evidence of such activity. It’s this expert’s opinion the logs were falsified. It would seem to this expert that had the officers indeed patrolled the lot, the very few vehicles in this large expanse would arouse some curiosity as to their presence and cause a reasonable security officer to at least look inside the vehicle. Clearly, no one looked into the car. Clearly, no patrol ever occurred in that lot. According to the security officers, they patrolled every hour on the hour after the mall closed; hence nine alleged patrols occurred in that lot, but here sits a sole auto only 50 yards from the mall structure and the extraordinary sight of a frozen women, seated in a bizarre position, went unnoticed by patrolling officers. This consultant can not help but believe that indeed, no patrols ever occurred that afternoon, evening or night because management required them to walk an immense lot in subzero temperatures without the benefit of an enclosed and heated patrol vehicle. I’m confident if I sat down and talked to each of these officers, on a one-on-one basis I could obtain admissions from each one that no exterior patrols were actually conducted. The parking lot in question had a significant history of crimes, including crimes against persons, and every effort should have been made to ensure a constant presence of security in that lot until the lot was essentially vacated. That duty was breached. The security director testified that he asked the shopping center manager if security could use one of the maintenance department’s vehicles to patrol because of the weather, but the request was denied without explanation. In my opinion, had their been adequate security staffing with an officer dedicated to exterior patrol and had the officers’ been provided with a heated vehicle, more likely than not the victim would have been observed shortly after the shooting and medical care could have been summoned. “In my opinion the crime was foreseeable. In my opinion there was a duty to provide security, but the security was inadequate; hence the duty was breached. In my opinion the security officers’ failure to be present in that lot, as they had been for over a week, failed to provide a deterrent presence and most likely contributed to the criminal event. People don’t commit conspicuous and violent crimes in an area constantly patrolled by vigilant security officers.” Note: The preceding opinion is indeed the defendant’s expert, not the plaintiff ’s expert. It’s presented here to dramatize how professionally objective the forensic consultant’s work must be, regardless of which “side” has retained the expert. If fault is found, if a “bump in the road” is detected, it must be made known to counsel. The above “bad news” is the exception, not the rule. The ultimate decision to pursue or settle this matter was based, in large measure, on the assessment made by a professional and ethical forensic security consultant.
304
Strategic Security Management
Topics Likely to Be Covered in Cross Examination of Forensic Witnesses: Level of Expertise and Qualifications Publications Other testimony (past cases) Compensation for testimony Sources of information Basis for each opinion Time when each opinion was formed Assumptions on which the opinions are based Alternative opinions that were considered, but rejected Degree of flexibility Degree of certainty Methodology employed Documents used Documents not used Equipment used (lightmeters, measuring tapes, camera, etc.)
Forensic security consulting is that consulting niche area that directly addresses the need for security expertise in the legal community and civil judicial process. Both security management consultants and technical security consultants also serve, on occasion, as expert witnesses. Care must be taken to accept only those assignments that one is fully qualified to undertake. Both security negligence and security premises liability cases require an exhaustive, impartial, and thorough review of all possible sources of information to arrive at an objective and professional opinion. The International Association of Professional Security Consultant’s 2000 Best Practice #2, Forensic Methodology, is an important source document in guiding an expert in arriving at his or her opinion.
Chapter 16
Ethics in Security Consulting James H. Clark
In this chapter . . .
Introduction Ethics in Practice Walk-Away Value Advocate versus Educator Rules to Live By Forensic Consulting/Easy Conflicts
Introduction The all-time best eulogy this author ever heard was in honor of a former boss who was described as a man who always did the right thing, even when no one was looking. What a fine tribute to a good man. What a great way to be remembered. This author used to believe that one could apply instincts to his or her consulting practice and generally be okay when it came to the issue of professional ethics. After all, parents, teachers, and other caregivers taught us such value considerations. This thinking works well for those who were brought up by parents who not only preached, but lived the golden rule—teachers, caregivers, and others who lived exemplary lives and demonstrated the right way to interact with others. Unfortunately, not everyone grew up that way or was exposed to the same value system. Nor were they taught the value of fair play in a world that isn’t always fair. And, of course, not everyone plays well with others even under the best of circumstances. In many instances, people simply don’t have someone to demonstrate ethical values for them. In other instances, going along to get along is seen as the only way to survive in a corrupt environment. Moreover, there are those who have
305
306
Strategic Security Management
learned to overlook their values in the name of personal or financial advancement in a highly competitive business world. So, while it is good to trust one’s instincts, there is more to consider. How does one deal with people in a world where there are competing values and different understandings of moral codes? This chapter does not offer all the answers. What it does offer is some food for thought as the twenty-first century security consultant plies his skills ethically in a world minefield of corruption, greed, “me-first” thinking, and ignorance. It must be recognized that there are also many corporate, institutional, and government people out there who are looking for an ethical security consultant to help them get past all of that. Your response to ethical dilemmas can help create an environment where ethical behavior is expected, if not required, and where the consultant sets the ethics bar at an appropriately high level. The title security consultant is not the sole property of the independent practitioner. It is a term shared with vendor salespeople, security company operations managers, and others. Rather than get upset with that notion, it is better to focus on the differences: independence and objectivity. A well-known security consultant set out to start his own practice. The consultant was looking for a catchy name that would generate interest and identify him as a viable “brand” in the security consulting marketplace. His father, a successful salesman and long-time entrepreneur, offered some simple advice. First, people who seek out consultants don’t seek to buy a name; they seek to establish a relationship based on trust that will serve them and their company. Second, if the consultant uses his own name, he will always work to protect its integrity. The consultant took that advice and soon understood the message. The people who retained him early on were people who knew him and his reputation from previous work. As time went on, those client relationships turned into referrals and more trusted relationships. Putting one’s own name on the cover of a report heightens awareness about the advice offered because people well beyond one’s control read the report. When reflecting on that, the consultant realizes that his name is on the line every time, all the time. Over the years, this consultant has had the opportunity to work with other consultants. Most were highly ethical; some were not so ethical. Some consultants have been known to change their reports to such an extent that they don’t honestly reflect the findings of their work product. Sometimes clients ask for things that no professional consultant in her right mind would ever put in writing. There are vendors who unabashedly offer favors to a consultant to get their product bid, specified, or approved. These are some of the challenges that the professional security consultant faces. How does one address these types of challenges that establish the consultant’s value system? How do you handle the client that wants you to do something you think is inappropriate?
Ethics in Security Consulting
307
How do you handle the vendor who is trying to influence your decision in ways that are inappropriate?
Ethics in Practice Independence of thought and objective analysis are the two great commandments of the independent security consultant and are prominent in the International Association of Professional Security Consultant’s Code of Ethics. For purposes of this discussion, ethics can be defined simply as the principles or values by which one conducts himself or herself in practice. You cannot transform the world into a population of ethical beings. It’s too late for that. The guy who cheats the IRS and says he would never do that to a client is no different than the bank teller who uses her customer overages to buy lunch. They have found a way to justify theft. What can be done, however, is to create an environment where people behave ethically in their dealings with you. It is important for the modern-day security consultant dealing with risk issues on a global scale with many diverse cultures and values to understand that not everyone has the same value system as they, or is interested in fair play. This chapter does not presume to teach others to be ethical. It offers guidelines for maintaining vigilance in one’s own practice and for avoiding getting caught in someone else’s ethical lapses. It also offers guidelines for sending out the right signals to create a set of expectations for ethical behavior when dealing with the consultant. Just because there are unethical people in the business world is no reason to quit and walk away. On the contrary, there is more work to be done, and perhaps even a marketing opportunity. Engaging in ethical behavior is more complicated than simply understanding the difference between right and wrong. In their book, Moral Intelligence, Doug Lennick and Fred Kiel describe moral intelligence as knowing what to do, and moral competence as the skill required to actually do the right thing. Obviously, moral competence is needed to uphold the values in one’s life. So, it isn’t enough to simply understand “it.” The ethical security consultant has to be competent enough to practice “it” once “it” is understood. Security consultants often work alone. If one is frequently praised for one’s work product, it is easy to see how that consultant can develop an all-knowing omnipotent aura. Of course, no one is always right. Indeed, it is easy to get caught up in the notion that everything one does is for the good of the client. A little humility is in order, and there is need for some outside perspective. In addition, opportunities can come fast and furiously, and are not always offered by those who share the consultant’s values. What is one to do? Take a step back and ask some questions:
Who is making the request or providing the opportunity? Who will benefit from the opportunity?
308
Strategic Security Management
What is the expected outcome of the consulting assignment? Does the service the consultant offers provide value to the client? Will this opportunity allow the consultant to maintain objectivity? Does this opportunity allow the consultant to maintain independence? Are you providing genuine value, or are you simply lending credibility to someone else’s agenda?
These questions are usually easy to answer but not always. It is the wise consultant who continues to check himself. The very best and brightest consultants are constantly talking to one another, asking tough questions of themselves or asking their peers to do the same. It is important to talk with a colleague or friend who is not afraid to respond honestly. This person can ask objective questions with perspective without the excitement of the opportunity or the cloud of vagueness. A sharp question from an objective colleague is often just the thing needed to see through the cloud. Not surprisingly, these questions resolve themselves not through a black and white decision, but often through spirited discussion and the blending of multiple points of view. Such discussions are valuable to all as they further hone the quality of the process, and the ease with which the consultant arrives at a reasoned decision. It is the wise consultant who calls on friends and colleagues to ask the tough questions and to challenge his or her comfort level with a situation.
Who is making the request or providing the opportunity? It has always been interesting to observe the number of companies or agencies that offer solicitations, especially in competitive bid situations asking for all manner of consulting references and then sometimes never bother to check them. Or they may ask for so many and so much that it becomes burdensome to one’s client references. Why should the consultant treat prospective clients any differently? Every time the consultant receives an inquiry from a company or institution, it is imperative that that prospect also be put through a vetting process. What if that particular company is unethical in its dealings with consultants and vendors? What if it is a slow payer? What if the company is in a state of financial ruin and is about to file for bankruptcy protection? The consultant might want to know this information if he or she wants to get paid. It might also be of interest to know who within the company or agency you will be working for. The consultant might be stuck with someone she really doesn’t want to be working with. Most importantly, the consultant might be tainted by the relationship.
Who will benefit from the opportunity? Sometimes consultants are referred by vendors or other contractors. Clients will ask for the vendor to refer an independent consultant, and a contractor
Ethics in Security Consulting
309
will sometimes refer the consultant with the understanding of a quid pro quo. “I refer you, you refer me.” That is not what an independent consultant does, and it needs to be made clear to all vendors or contractors that they should have no expectation of exclusivity, should the client require a product or service such as one that the vendors offer. If the client asks the consultant about a particular vendor, the consultant can tell him what he or she knows. If the client is asking the consultant to do a bid review or to evaluate several vendors, then that vendor must be treated as the others. This should always be made clear to the referring individual so that there is no expectation of preferential treatment. Righteous vendors understand this and are only asking for a level playing field. Once the consultant is retained by the client to whom he was referred, he is working exclusively in the interests of that client, regardless of who referred him.
What is the expected outcome of the consulting assignment? This is perhaps the most important question of all. What are the client’s expectations, and will the consultant be able to meet them? A detailed discussion needs to be had in every such situation so that the consultant knows exactly what the client wants and articulates it back to the client in the scope statement of the proposal. If the consultant is asked to do something that is outside of his expertise, or not within the realm of his understanding, then it behooves him or her to explain and discuss until there is either an agreement or the consultant decides that this is not a good project to pursue.
Does the service the consultant offers provide value to the client? At times a consultant’s work offers little or no value to the client. For example, in many instances consultants are asked to provide ongoing services under a retainer relationship. Under such agreements, consultants typically provide a fixed number or sliding number of hours for an agreed to monthly fixed fee. In a perfect world, the value to the client is a ready resource for response and services within the consultant’s expertise. The value to the consultant is a steady income stream from the client. The savvy consultant is ever vigilant that the services being offered provide value to the client for the fee paid. The danger with these arrangements is that the client sometimes doesn’t have regular and consistent needs and doesn’t manage the consulting relationship well. Or conversely, the consultant gets comfortable with the steady income stream and neglects to maintain a viable schedule that continues to offer the client ongoing value. The other danger is that the client demands begin to exceed the consultant’s ability to provide needed services. This is particularly difficult for a one-person consultancy that has multiple clients and whose clients are constantly demanding more and more of the consultant’s time. The consultant always needs to know when it is time to change the relationship or to walk away while he or she still offers value. If the consultant misses that
310
Strategic Security Management
signal, then the client is the one who walks away. Why? Because the client perceives that the consultant no longer offers value. It is far better for the consultant to wean himself from the client than it is for the client to terminate the relationship.
Will this opportunity allow the consultant to maintain objectivity? Many enticing consulting opportunities come along that test the independent consultant’s ability to remain objective. Recent trends in larger consulting projects sometimes require consultants to work directly with vendors in a project and can take away the consultant’s ability to look objectively at product applications. This in and of itself is not unethical. But a regular practice of working with a particular vendor or the same products might make the consultant appear to be an extension of that product. If the client or prospective client doesn’t think that the consultant can be objective in such circumstances, then the consultant may lose the opportunity to perform his services objectively when it comes to product evaluation on behalf of a client. Not being viewed as being objective is just as bad as, if not worse than, not being objective.
Does this opportunity allow the consultant to maintain independence? Some time ago, I did some work for a product manufacturer in the design and development of new products for a particular industry. The work involved a series of discussions and brainstorming sessions with a group of development engineers to engineer new products for an industry that had a particular vulnerability that was not being addressed in the marketplace at the time. A year later, the manufacturer came back to the consultant and asked that the firm work with them to “beta test” the new product at several of the consultant’s client sites. The products showed great potential, and if they worked out they would certainly fill a need in a particular industry and hopefully would overcome an existing vulnerability in a particular market. But the fee that the consultant would receive for exposing clients to this new product, however beneficial, looked very much like a product endorsement, and the consultant decided to introduce the vendor to the clients and walk away without a fee. In the first instance, the consultant made a valuable contribution to the vendor client and to a particular segment of the industry because the consultant had brought real-world experience to their product development process in the abstract. The consultant received a fee and provided value to the vendor client and to the industry by helping them in the development of viable product that had the potential to solve a particular vulnerability. In the second instance, the consultant’s “independence” was threatened by the concept of bringing these particular products, no matter how valuable, to clients and getting paid by the manufacturer for doing so. That would have
Ethics in Security Consulting
311
made the consultant look very much affiliated with that product, and not very much like an independent security consulting firm. Even with the purest of intentions, receiving a fee for bringing a client together with a particular product is a prima facie endorsement of that product. At the very least, it calls the consultant’s independence into question. If the product is successful, the consultant will be forever linked with its success to that client. If the product is a failure, then the consultant will be forever linked to its failure.
Are you providing genuine value, or are you simply lending credibility to someone else’s agenda? The answer to this question would seem to be fairly straightforward as the installation of a video surveillance system can be beneficial in many environments. But there are dangers here as well. Take the example of a security director who is looking to justify the installation of a new state of the art surveillance system. His boss tells him to get the insight of an “independent” security consultant. The consultant performs his assessment and discovers that the installation of a surveillance system will not address the threats and vulnerabilities identified in the assessment. In fact, the assessment determines that the issues have more to do with inadequate security staffing, ill-defined policy, and perhaps a desire to solve security issues with technology when there are many more basic needs that need to be put in place first. What to do? The consultant could give the director what he wants, knowing that it will make the person happy, but not solve the problems. Or he could articulate a game plan that prioritizes the threats, vulnerabilities, and solutions that would need to be put into place before a surveillance system is considered. Obviously, the latter is the proper course. The director may not be happy, but his boss will have gotten a fair and valid assessment of the state of security in his facility. It is far better to be remembered for making the security director unhappy than for providing the ammunition that led to installing an ineffective video surveillance system. For it is often easier to fight for principles than to live up to them. —Adlai Stevenson
Walk-Away Value One of the primary reasons security professionals get into the practice of consulting is for the freedom that it gives them in choosing assignments and in choosing the people with whom they wish to work. When working in the corporate, institutional, or government world, trouble comes your way and you are expected to resolve it. Difficult people come your way, and you are expected to deal with them. Imagine the freedom of being able to examine a situation and saying, “No, that’s not in my business model.” Or in meeting an
312
Strategic Security Management
unscrupulous individual who is looking for a dog to kick and saying, “No thanks; I can’t take on a situation like that right now.” It’s a great freedom. Sometimes the consultant can predict how a project is going to go when he sees the inept or unprofessional way in which the process of identifying a consultant was handled before he was hired. Sometimes that offers a snapshot of how he or she will be treated once retained. If a prospective client behaves badly before the consultant is retained, it is reasonable to expect that the behavior will continue and probably worsen after they start paying him. When the consultant sees this happening, it is wise to ask whether the project is worth taking on and whether he or she wants to spend the extra time to educate the client about appropriate behavior and business ethics. If the client is simply inexperienced or arrogant and the consultant needs the work, he might accept the challenge. If, however, the consultant has seen this behavior before or the person is a seasoned incompetent, the consultant might just be inclined to say no thanks. It’s a great freedom, and once the consultant gains the confidence to say no, it can be quite exhilarating. Most experienced consultants will admit to having accepted clients they should never have taken on. Many will say that given the choice, they would not do it again.
Advocate versus Educator In the business of forensic security consulting, ethical dilemmas can and do arise in the course of providing security. Two experts, both well qualified and given the same set of facts, can and do often arrive at two completely different opinions. This is acceptable as long as each consultant does proper due diligence, follows established protocols, and qualifies their respective opinion. On the other hand, some consultants don’t understand their role and put themselves in the position of advocate. As an illustration, consider a forensic security consultant who was involved in a campus rape case, working for the attorney defending the university. The opposing plaintiff ’s expert was a former police officer who had no experience with campus security and little practical security experience. The plaintiff ’s attorney, looking for an “expert” in support of his negligence position, hired this fellow without a good understanding of the difference between law enforcement and security and without an understanding of the discrete aspects of campus security. In short, the fellow was retained to formulate an argument in favor of the plaintiff ’s position. The plaintiff ’s expert wrote a report pointing out the usual issues of inadequate police or security patrols, the absence of surveillance cameras, and the lack of proper instruction to the student victim. There were enough descriptive adjectives in the report to cause the uninformed to think that the university itself had advocated the rape. To the uninformed, it was a convincing report on the foreseeability of such an event and the inadequacy of security at this location. And then came the deposition, where it was
Ethics in Security Consulting
313
learned that the “expert” had no experience with campus security, had never recommended or worked with video surveillance in a security application, and had no idea what instructions students had been given regarding crimes on campus and how they could protect themselves. The day after his deposition, the case was dismissed, and it was later re-filed with the use of another security expert, who was much more savvy but still lacked significant security experience and had limited institutional security expertise, especially on college campuses. This fellow articulated a crime report that specified crime within proximity to the campus, which was situated on the edge of downtown in a major metropolitan area. This fellow’s assessment included crimes from a nearby hospital emergency room where many crimes were reported but few had occurred on the premises; a public housing project on the other side of a ten-lane freeway; and a temporary employment agency where assaults were common. In spite of his police experience, this fellow also exhibited little security expertise and possessed no understanding of security on an urban college campus. He relied exclusively on crime statistics that were not relevant to the environment at issue. In the end, the defense prevailed. This was not because of the defense expert’s knowledge, but because of the incompetence of the two experts retained by the plaintiff ’s attorney. The plaintiff never had a chance because her attorney hired one incompetent and one fraud, and not necessarily in that order. Neither of these fellows did anything to qualify themselves as security experts, and the attorney didn’t care. These are flagrant ethical lapses, beginning with the attorney who was paying for testimony, not a reasoned assessment resulting in the truth. That being said, it is easy to see how a security consultant can become confused over his or her role and more importantly, confused about what is right and what is wrong. Security consultants are regularly asked to “help” attorneys with a case. Often it is assumed that because a person is a security expert, and because the attorney who retains that consultant is working for a client, the consultant is part of the advocacy that the attorney avows. This is a fallacy and needs to be addressed up front before the consultant agrees to be retained. The consultant’s role is to investigate the facts and circumstances objectively as an industry or subject matter expert, not as an advocate. Only after careful analysis should the consultant formulate a reasoned opinion about the case and then determine whether sworn testimony will be helpful or harmful to the attorney’s case. The attorney has the right to know the consultant’s views and experience, and where he can expect the expert to come down on a particular set of facts and circumstances. A good attorney will vet the consultant to see what his or her understanding is of security standards and practices, and learn the consultant’s position on issues such as foreseeability and negligence. Moreover, the attorney should be familiar with the consultant’s understanding of such terms as Proximate cause, security adequacy, and others. If the attorney doesn’t take this seriously or isn’t smart enough to ask the right questions, then the respon-
314
Strategic Security Management
sibility falls to the consultant to make certain that he or she asks the right questions to ensure that there are no misunderstandings or preconceived expectations at the outset. A consultant who doesn’t exercise these cautions runs the risk of misleading the attorney and calling his or her own integrity into question. If the consultant takes a case that he is not comfortable with, and runs the risk that he won’t be subjected to sworn testimony in deposition or trial, he is gambling for a quick buck. This is a huge risk. The consultant must be committed to explaining and later testifying to the security aspects of a situation based on a forensic methodology and a reasoned opinion. If he is not, then he is doing the attorney, the industry, all other forensic security experts, and himself a disservice. That is unethical behavior and what follows is often disastrous for both the case and the consultant. If the attorney asked the hard questions, and the ethical consultant made sure they were asked every time, all the time, there would be far fewer security experts retained in frivolous cases. Yet time and time again, security consultants allow themselves to be retained in cases where they are caught up in the attorney’s advocacy for a client, rather than in fulfilling the true role of forensic expert as educator to a judge and jury. The consultant may not have a good understanding of the expert’s role, and may attempt to solve a problem for the attorney’s client, when he should be expressing an opinion as a subject matter or industry expert. The so-called experts who don’t follow this ethical course often self-destruct in depositions or in trial testimony. Some learn from the experience and become smarter about their profession or stop calling themselves experts. Others repeat the behavior, betting that in most cases they will not be called to testify. Some argue that as the security expert one can always help an attorney with a case. That is probably true, but if a consultant does not identify either negligence themes that he can support or security principles that he can defend, then the expert needs to define his role up front before committing himself as an “expert” with all the accompanying expectations. That is not to suggest that a security consultant cannot help an attorney to find his way through the issues of a particularly difficult case, as long as it is understood that the security consultant is being retained as a consultant and not as an expert who will provide testimony in support of a particular point of view. Sometimes a consultant is asked to work for an inexperienced or even incompetent lawyer. When that occurs, the consultant has several decisions to make. First, how will the consultant be portrayed by the lawyer to other lawyers, to the court, or to a jury? It can be an interesting experience to work with an inexperienced or novice lawyer, and the consultant may accept the challenge. On the other hand, it may prove more trouble than it is worth, if the incompetent or unscrupulous lawyer learns little from the consultant or makes the consultant look bad by projecting his own unethical behavior. The consultant
Ethics in Security Consulting
315
needs to be true to his profession and should articulate a reasoned opinion rather than an advocacy point of view. Competent attorneys appreciate being asked questions by consultants. They want to know what they are up against, and they want to know the truth about their case as viewed by a competent security professional.
Rules to Live by: Ask the right questions, and make certain the right questions are asked of you. Never agree to testify to something for which you haven’t offered a reasoned independent opinion based on your own research and knowledge. Make certain that you understand the premise of the case for which you are being solicited as an expert and that you can support the attorney’s assertions at least in principle. Avoid the advocacy trap. The security consultant is an industry or subject matter expert, not an advocate.
Forensic Consulting/Easy Conflicts For years, we have been taught that the role of a forensic security consultant is to investigate circumstances and facts and be a teacher of security principals. It is well established that the forensic security expert’s role is to “educate” a judge and or jury, not to advocate a plaintiff ’s or defendant’s position. Yet, every once in a while, we hear “security experts” say that a good consultant should be able to help any attorney with a case regardless of which side of the bar he represents. This may be true but not if the attorney is expecting the expert to honestly articulate a reasoned position of security principals and best practices. Why do they have that expectation? Because some experts are more eager to sell the “help” and get the retainer than they are to consider the consequences of their actions. It is always interesting to see how far some experts will go in their opinions to make the case for their clients.
Conclusion So, a security consultant doesn’t have to get down in the dirt to practice his trade. The ethical consultant can and should create high expectations for those who look to this industry for help. It is up to the consultant to raise the bar and create an environment where people are willing to work at a high ethical level because the security expert brings value to the process and because most people value a positive outcome or an honest assessment over unethical behavior. A written code of ethics, such as the International Association of
316
Strategic Security Management
Professional Security Consultants Code of Ethics, is not only a great marketing tool, but it is a good way to conduct one’s practice. It brings value to the client, respects the industry, and demonstrates integrity in the practice of security consulting.
Sources Cited Lennick, Doug, and Kiel, Fred. (2005). Moral Intelligence: Enhancing Business Performance and Leadership Success. Philadelphia, PA: Wharton School Publishing.
Please visit www.ssminfo.com for more information, helpful resources, and the latest information on Strategic Security Management!
This page intentionally left blank
Appendix A
Certified Security ConsultantSM Code of Ethics
Certified Security ConsultantSM Code of Ethics, Copyright © 2006 by the International Association of Professional Security Consultants. Used by permission. CSCSM Code of Ethics This Code of Conduct and Ethics signifies a voluntary assumption by members of the obligation of PROFESSIONAL BEHAVIOR AND SELF DISCIPLINE above and beyond the requirements of the law. Thus, it notifies the public PROSPECTIVE CLIENTS AND CLIENTS that CERTIFIED SECURITY CONSULTANTSM (CSCSM) maintains a high level of ethics and professional service, and proclaims that, in return for the faith that the public AND CLIENTS places in them, the CERTIFIED SECURITY CONSULTANTSM accepts the obligation to conduct their practices in a way that will be beneficial to society. A. GENERAL 1. CERTIFIED SECURITY CONSULTANTSSM will view and handle as confidential all information concerning the affairs of the client. 2. CERTIFIED SECURITY CONSULTANTSSM will not take personal, financial, or any other advantage of inside information gained by virtue of the consulting relationship. 3. CERTIFIED SECURITY CONSULTANTSSM will inform clients and prospective clients of any special relationship or circumstances that could be considered a conflict of interest. 4. CERTIFIED SECURITY CONSULTANTSSM will never charge more than a reasonable fee; and, whenever possible, the consultant will agree with the client in advance on the fee or basis for the fee. 5. CERTIFIED SECURITY CONSULTANTSSM will neither accept nor pay fees or commissions, for client referrals.
319
320
Strategic Security Management
6. CERTIFIED SECURITY CONSULTANTSSM will not accept fees, commissions or other valuable considerations from any individual or organization whose equipment, supplies or services they might or do recommend in the course of his or her services to a client. 7. CERTIFIED SECURITY CONSULTANTSSM will only accept assignments for and render expert opinions on matters they are eminently qualified in and for. B. PROFESSIONAL 1. CERTIFIED SECURITY CONSULTANTSSM will strive to advance and protect the standards of the security consulting profession as represented in this code of ethics. 2. CERTIFIED SECURITY CONSULTANTSSM recognize their responsibility to our profession to share with their colleagues general information and strategies in the form of books, articles and presentations which enhance the profession and benefit the client. 3. CERTIFIED SECURITY CONSULTANTSSM will not use or reveal other consultant’s proprietary data, procedures, or strategies without permission unless same has been released, as such, for public (or all consultants) use. 4. CERTIFIED SECURITY CONSULTANTSSM will not accept an assignment for a client while another consultant is serving that client unless assured that any conflict is recognized by and has the consent of the client. 5. CERTIFIED SECURITY CONSULTANTSSM will not review the work of another consultant who is still engaged with the client, without such consultant’s knowledge. 6. CERTIFIED SECURITY CONSULTANTSSM will strive to avoid any improprieties or the appearance of improprieties. 7. CERTIFIED SECURITY CONSULTANTSSM will never misrepresent their qualifications, experience, or professional standing to clients or prospective clients. 8. The professional certification referred to in this Code of Ethics is forthwith forfeited upon conviction of any felony or misdemeanor involving moral turpitude. C. FORENSIC 1. CERTIFIED SECURITY CONSULTANTSSM fees will never be contingent upon the outcome of a case. 2. CERTIFIED SECURITY CONSULTANTSSM, when testifying, will carefully avoid taking the position of an advocate or appearing to take such a position; for justice requires the professional expert witness to be neutral with no personal interest in the outcome of the case. 3. If, after reviewing a case, it is apparent that the CERTIFIED SECURITY CONSULTANTSM cannot provide testimony or assistance helpful to the case, the consultant will make this known to the client. If he withdraws from or his services are discontinued from the case, he will not testify for the opposing side unless compelled to by subpoena. 4. The CERTIFIED SECURITY CONSULTANTSM will not sign written opinions or affidavits prepared by clients. Testimony or report preparation, including the preparation of oral reports, will not occur until the consultant has performed
Certified Security Consultantsm Code of Ethics
321
a thorough evaluation of the circumstances, evidence, scene or other pertinent materials or places as he deems necessary to render a learned opinion. D. ENFORCEMENT IN THAT THE CERTIFICATION IS ADMINISTERED UNDER THE AUSPICES OF THE INTERNATIONAL ASSOCIATION OF PROFESSIONAL SECURITY CONSULTANTS (IAPSC) ANY formal complaint issued against any CERTIFIED SECURITY CONSULTANTSM or other person indicating a violation of any section of this Code of Conduct and Ethics, the Ethics Committee OF THE IAPSC will investigate the allegations and make KNOWN, WITH ANY recommendation to the Board of Directors OF SUCH ASSOCIATION regarding any action to be taken against the accused CERTIFIED SECURITY CONSULTANTSM. AN “ACTION” may range from a LETTER OF DISAPPROVAL and warning to a PUBLIC STATEMENT OF FORFEITURE OF THE CERTIFICATION.
This page intentionally left blank
Appendix B
Best Practice #2, Forensic Methodology of the International Association of Professional Security Consultants Best Practice #2: Forensic Methodology The International Association of Professional Security Consultants is issuing this consensus-based and peer-reviewed Best Practice for the guidance of and voluntary use by businesses and individuals who deal or may deal with the issues addressed herein. Position Statement The International Association of Professional Security Consultants does hereby recognize that, on occasion, its members will be called upon to perform as “Forensic Consultants” and serve as “Expert Witnesses” in a court of law. It should be recognized that the “Forensic Consultant’s” task is one of education. The consultant will provide his opinion(s) to the client, to opposing counsel during deposition, in response to written interrogatories, in required reports, and to the judge and jury at trial or in any other lawfully convened hearing. This is done with the goal of making others aware of the security issues and leading to a just and proper conclusion of the litigation. The responsibility of the “Forensic Consultant” lies with our system of justice and the ethics of the security profession. The “Forensic Consultant” is to be totally independent of any outside pressures or financial considerations conceived to influence the consultant’s evaluation of the case at issue. The “Forensic Consultant” will at all times be forthright, honest and precise in evolving the ultimate conclusion(s) and opinion(s). The opinion will be the result of a review of all documentation, discovery material, site inspections and testing procedures presented by all parties to the litigation. Best Practice #2: Forensic Methodology, Copyright © 2004 by the International Association of Professional Security Consultants. Used by permission.
323
324
Strategic Security Management
The following is to be used in a typical premises security case. It is reasonable to expect variations of the steps, and some steps deleted and others added as the facts and circumstances of the cases warrant. I. RISK ASSESSMENT A. Review all relevant material that provides information on the premises and surrounding area 1. Discovery a. Interrogatories b. Requests for production c. Affidavits d. Expert witness reports e. Depositions f. Interviews 2. Police a. Calls for service (grid report) b. Reports of relevant crimes on the premises (three to five years prior to the date of the incident) c. Reports of relevant crimes in the surrounding area (two to three years prior to the date of the incident) d. Other relevant crime history information 3. Media 4. Other sources B. Inspect site where the incident occurred and the surrounding relevant area 1. Determine layout of the premises 2. Evaluate relevant factors (lighting, lines of sight, places of concealment, remoteness, accessibility, security measures, conditions, etc.) 3. Interview those with knowledge of the incident and/or the premises/surrounding area (this is often covered in depositions, police interviews and private investigators’ investigations) 4. Review relevant documentation (lease, contract, diagram, map, etc.) 5. Assess the characteristics of the surrounding area C. Analyze incident 1. Police report 2. Proprietary incident report 3. Discovery information (see IA1 above) 4. Medical records (emergency room and/or autopsy) 5. Media information 6. Assess for corroboration of plaintiff’s story and how the incident occurred
Best Practice #2
325
II. SECURITY SURVEY Conduct an extensive physical survey of the scene of the incident and areas/functions that are applicable to the incident to achieve a meaningful understanding of information that has potential application. A. Security Personnel 1. Review security guard(s) actions, staffing levels, post orders, duty hours, equipment provided, tours, evaluations, training, hiring procedures and supervision 2. Review law enforcement presence and actions 3. Review roles and actions of non-security related persons who may have affected the security posture 4. Assess the qualifications and performance of owner/management personnel B. Security Program 1. Review security related policies and procedures 2. Review all risk assessments performed prior to the date of the incident 3. Review guard logs, job descriptions, incident reports, and internal correspondence 4. Review guard contract 5. Review corporate security manuals 6. Review training manuals and materials 7. Interview parties/review depositions regarding employees’ understanding of their duties, and all customs and undocumented practices 8. Review changes to security prior to the incident 9. Evaluate the qualifications and experience of security management and supervisory personnel C. Security Equipment 1. Review building design and site plans 2. Inspect all security devices related to the incident 3. Inspect all structural security features 4. Determine the position, function and maintenance status of the relevant security equipment and features 5. Determine level of illumination III. ANALYSIS Determine the level of adequacy of security at the location of the incident on the date and at the time the incident occurred. This will be based on the information obtained in the risk assessment and security survey, and the application of a qualitative analysis based on experience, education and training. IV. CONCLUSION Based upon the analysis, reach conclusions on the issues of foreseeability, preventability and causation (as used in the security profession). At this point the expert has formed opinions and is prepared to provide a written report, be deposed and/or testify at trial.
326
Strategic Security Management
V. REPORT Write a report with opinions of foreseeability/preventability/causation when requested by counsel or required by the court. Include detailed bases of findings. LEGAL NOTICE/DISCLAIMER: Copyright © 2002–2004 The International Association of Professional Security Consultants (IAPSC), All Rights Reserved. The IAPSC makes no representations concerning the guidelines contained herein which are provided for informational and educational purposes only, and which are not to be considered as legal advice. The IAPSC specifically disclaims all liability for any damages alleged to result from or arise out of any use or misuse of these guidelines.
Appendix C
Risk Assessment Report
The following is a sample risk assessment report written by Karim H. Vellani, CPP, CSC, Brian Gouin, PSP, CSC, and Ralph Witherspoon, CPP, CSC. It should be noted that the report was written based on specific criteria developed by the client for whom it was written. While a security professional may have a preferred format for a risk assessment report, it is common to have a particular report format requested by the client.
Risk Assessment Report April 21, 2006 for Public Housing Authority City of ____________, CA prepared by
Threat Analysis Group, LLC P.O. Box 16640 Sugar Land, TX 77496 (281) 494-1515 www.ThreatAnalysis.com
327
328
Strategic Security Management
Table of Contents Executive Summary, 328
Highlands, 336
Background, 328
Heritage Gardens, 337
Administration Building, 329
Miller Gardens, 339
Hockanum Park, 331
Hutt Heights, 340
Shea Gardens, 332
Veterans Terrace, 341
Rochambeau, 333
Appendix: Threat Assessment
Meadow Hill, 334
Appendix: Design Specifications
Elms Village, 335
Appendix: Riser Diagrams
Executive Summary Threat Analysis Group, LLC (TAG) was contracted to perform a Risk Assessment for ten (10) municipal low income housing facilities and one (1) administrative office in the City of _________. Using a team of four (4) security consultants, critical assets were identified, threat and vulnerability assessments were performed, risks were calculated, and recommendations with cost estimates were provided for each of the eleven (11) facilities. Background The City of _________ is a suburb of _________ and has a population of about 135,000 residents. It is mostly a bedroom community with small retail and manufacturing and one large manufacturer, _________. The City’s Housing Department consists of an office building and ten low income housing facilities which are managed by the City. These facilities range from ten-story apartment buildings to dozens of two-family apartment buildings at one facility. The names, locations and tenant population of the facilities are as follows: 01. 02. 03. 04. 05. 06. 07. 08. 09. 10. 11.
Administrative Offices Hockanum Park Shea Gardens Rochambeau Meadow Hill Elms Village The Highlands Heritage Gardens Miller Gardens Hutt Heights Veterans Terrace
_________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________
22 (employees) 124 82 36 166 65 245 181 345 42 288
Threat Analysis Group, LLC (TAG) was contracted to perform a risk assessment for the eleven facilities. This included interviews with key City personnel, critical asset identification, a threat assessment including crime analysis, a vulnerability assessment, recommendations, and cost estimates for recommended security changes. The threat
Risk Assessment Report
329
assessment included a review of historical crime data for the eleven facilities including crime trending, identification of crime patterns, and calculation of crime rates. The vulnerability assessment included reviews of policies and procedures, security force, security supervision, and physical protection systems including electronic security measures. This report is the result of the risk assessment. Risk Assessment During April 6–8, 2006 a Security Survey was conducted of the City’s Community Housing’s eleven (11) facilities. After an initial meeting with senior management, day and night surveys were conducted at each of the facilities, which included the Administration building. Interviews were conducted with selected non-management employees, tenants at various properties, and management and individual security officers at _________ (the contract security company utilized by the Housing Department). As a result of the survey and the original crime threat assessment the following vulnerabilities were identified at the individual properties. Recommendations for correction and estimated costs are given. (Note: Security personnel are addressed separately at the end of this section). 01—Administration Building The Department’s administrative office building is a two-story office building located on a busy street in the downtown business district. It has parking lots on two sides. The employees of the Department are the most critical assets. Tenants pay their rent and counsel with Department employees, while potential tenants make application—all at this facility. Belligerent tenants are not uncommon. Employees park in the back lot and walk in through the back door to get to their office. There is no congregation of people around this building. There are a great number of property assets of importance in this facility. There is cash on hand from payment of rent, about 20 PC’s, a network server, and all the normal office equipment and supplies. Central supplies for the various properties are maintained in a storeroom that is accessed by individual property custodians.
Figure C-1. Venn Diagram—assets, threats, and vulnerabilities Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group, LLC. Used by permission. Additional information available from Threat Analysis Group, LLC via www.threatanalysis.com.
330
Strategic Security Management
There is also a great amount of information assets in this facility. All of the Department’s records, both hard copy and electronic, are stored here. These range from personal tenant information and payment records, to confidential Department information. Threat Assessment Property crimes, including vandalism, theft, and auto thefts are the primary concerns at the administrative offices. During the three years analyzed, no crimes against persons occurred on the premises, although robbery is a possibility due to the large amounts of cash on hand from rent payments near the end of each month. Existing Security Security Policies & Procedures Occupant Emergency Plan Security Manual Physical Security Measures
One fixed camera in vestibule looking at front door. One CCTV monitor at receptionist desk. Burglar alarm system with all doors and windows armed for opening, four motion detectors, and two keypads (front and back doors).
Security Personnel
None
Vulnerabilities 1. Keypad locks are used on the front and rear doors requiring the code be issued to all 22-employees plus the field maintenance workers who must access the central supply storage area.The current code has been in use for over three years. 2. A burglar alarm system covers all exterior doors and windows, but it is not in good working order with some devices not having worked for years. There is no interior motion detection. 3. One black + white CCTV camera covers the front door, but it is not recorded, and is actually monitored only when the receptionist is actually at her desk (approximately 66% of the time). Recommendations 1. A policy and practice should be implemented changing the access code every six months. 2. A separate key-locked door should be installed permitting access by custodial personnel to the supplies stored in the basement without permitting access to the entire building. 3. The burglar alarm should be repaired and/or replaced. Interior motion detection should be installed in the main hallway off which all but two offices are accessed. The system should be “walk-tested” every three months, and inspected by the installer annually.
Risk Assessment Report
331
4. The CCTV camera should be upgraded to a color camera with the activities, including rent payments digitally recorded and saved in a secure cabinet for at least 30-days. Estimated Costs 1. The estimated cost for the key-locked door is $300. 2. The estimated cost for the burglar alarm system is $3,000. There is also a yearly recurring cost associated with the alarm for monitoring, between $240 and $420 a year. 3. The estimated cost for the camera replacement and addition of a digital recorder and cabinet is $5,500. 02—Hockanum Park This housing unit consists of ten free standing housing units, each containing four apartments. The tenants are the most critical assets. The only common area of the facility is the community room building, a basketball/picnic area, and the parking lots. There is a laundry room in each building. Tenants park in the lot closest to their building or arrive by bus and walk into the hallway of their building into their apartment. There is usually a great deal of congregation of people outside these buildings, particularly at night and in the parking lots and recreation areas. Threat Assessment Hockanum Park is a medium population facility located on the City’s west side. There have been a number of violent crimes, primarily robberies, at this location, however there has been a significant downward trend since 2002. Property crime is considered low at Hockanum Park despite the violent crime level. Crime rates for this property were calculated using the facility’s population and violent crimes for each year analyzed. In 2002, the violent crime rate was 54.8 violent crimes per 1,000 persons, while 2003 marked the beginning of the downward trend to 30.8 per 1,000 persons, and 2004’s rate of 24.2 per 1,000 persons. Existing Security Security Policies & Procedures
Occupant Emergency Plan
Physical Security Measures
No electronic measures
Security Personnel
None
Vulnerabilities 1. Exterior lights at parking lots and near unit entry doors are not bright enough, and numerous fixtures are broken or not working. Parking lots should have a minimum of three foot-candles (3-fc) of light. Interior hallways should have a minimum of 5-foot candles, while the laundry rooms and community room should have a minimum of 10-fc of lighting.
332
Strategic Security Management
2. The access door to the Community Center is accessed by a sub-set of the keys of all the tenants. This means that a compromised key of any present or former tenant can still access the Community Center resulting in theft, vandalism or potentially an attack on a tenant. Recommendations 1. Exterior lights should be repaired, cleaned, or replaced as necessary. A weekly inspection of all exterior/common area lights should be implemented. 2. Install an access control locking system using a “key-fob” device issued to each tenant. Key fobs not turned in when a tenant leaves can be easily deleted from the stand-alone system. Estimated Costs 1. The estimated cost to replace any required exterior lamps is between $300 and $500. 2. The estimated cost for a one-door access control system with appropriate number of key fobs is $5,500. 03—Shea Gardens This property consists of 12—two- and four-unit buildings. The tenants are the most critical assets. The only common area of the facility is the community room building, a basketball/picnic area, and the parking lots. There is a laundry room in each building. Tenants park in the lot closest to their building or arrive by bus and walk into the hallway of their building into their apartment.There is usually a great deal of congregation of people outside these buildings, particularly at night and in the parking lots and recreation areas. Threat Assessment Shea Gardens, a medium population facility centrally located, which has seen a remarkable drop in crime in 2004 with no violent crimes occurring during the past year. This is likely the result of enhanced security measures implemented at the facility in 2003. Burglaries of motor vehicles (BMV’s) and acts of vandalism have also decreased. Existing Security Security Policies & Procedures
Occupant Emergency Plan
Physical Security Measures
No electronic measures
Security Personnel
None
Vulnerabilities 1. The access door to the Community Center is accessed by a sub-set of the keys of all the tenants. This means that a compromised key of any present or former tenant can still access the Community Center resulting in theft, vandalism or potentially an attack on a tenant.
Risk Assessment Report
333
2. Interior lighting is adequate, however, parking lot lighting is inadequate and spotty, with several non-working lights. Recommendations 1. Install an access control locking system using a “key-fob” device issued to each tenant. Key fobs not turned in when a tenant leaves can be easily deleted from the stand-alone system. 2. Parking lot lighting should be increased to a minimum of 3-fc. A weekly inspection of all exterior/common area lights should be implemented. Estimated Costs 1. The estimated cost to replace any required exterior lamps is between $300 and $500. 2. The estimated cost for a one-door access control system with appropriate number of key fobs is $5,500. 04—Rochambeau The tenants are the most critical assets. The only common area of the facility is the community room building, a basketball/picnic area, and the parking lots. There is a laundry room in each building. Tenants park in the lot closest to their building or arrive by bus and walk into the hallway of their building into their apartment. There is usually a great deal of congregation of people outside these buildings, particularly at night and in the parking lots and recreation areas. Threat Assessment Rochambeau is a low population facility located on the City’s south side. There have been very few violent crimes on the premises, and none occurred in 2004. Property crimes, on the other hand, are still prevalent. Existing Security Security Policies & Procedures
Occupant Emergency Plan
Physical Security Measures
No electronic measures
Security Personnel
None
Vulnerabilities 1. The access door to the Community Center is accessed by a sub-set of the keys of all the tenants. This means that a compromised key of any present or former tenant can still access the Community Center resulting in theft, vandalism or potentially an attack on a tenant. 2. Interior lighting is adequate, however, parking lot lighting is inadequate and spotty, with several non-working lights.
334
Strategic Security Management
Recommendations 1. Install an access control locking system using a “key-fob” device issued to each tenant. Key fobs not turned in when a tenant leaves can be easily deleted from the stand-alone system. 2. Parking lot lighting should be increased to a minimum of 3-fc. A weekly inspection of all exterior/common area lights should be implemented. Estimated Costs 1. The estimated cost to replace any required exterior lamps is between $300 and $500. 2. The estimated cost for a one-door access control system with appropriate number of key fobs is $5,500. 05—Meadow Hill This seven-story mid-rise building is located on the West side of the City. The tenants and their visitors are the most critical asset. The only common areas of the building the tenants congregate in are the community room and laundry room. Other than that, tenants park their cars in the lot or arrive by bus, walk into the building to the elevator, and then walk through the hallway to their apartment. There is little to no congregation of people outside these facilities. The property assets important to the City are the items in the community room and laundry room such as television,VCR, couches, laundry equipment, and kitchenette equipment. Although general vandalism of the building itself is always a concern, there seems to be little of this in these facilities. The property assets in the individual apartments are of low priority and are the responsibility of the tenants. Threat Assessment This facility received additional security measures in 2003 and both violent and property crime declined substantially in 2004. The violent crime rate dropped from 30.7 in 2003 to 6.0 per 1,000 persons in 2004. Existing Security Security Policies & Procedures
Occupant Emergency Plan Security Manual Post Orders
Physical Security Measures
Telephone entry system with electric strike on interior front vestibule door. One fixed camera in hallway looking into vestibule. One fixed camera in community room. One monitor and VCR in wall mount cabinet in community room.
Security Personnel
One security officer 24-hours per day, seven days per week
Risk Assessment Report
335
Vulnerabilities 1. Exterior lighting is spotty. Recommendations 1. Lighting in the parking lot should be a minimum of 3-fc. Lighting for a distance of twenty feet from the front door should be a minimum of 2-fc. to enhance pedestrian safety and security. Estimated Costs 1. The estimated cost to replace any required exterior lamps is between $300 and $500. 06—Elms Village This five-building unit is located in a changing neighborhood of the City. The tenants are the most critical assets. The only common area of the facility is the community room building, a basketball/picnic area, and the parking lots. There is a laundry room in each building. Tenants park in the lot closest to their building or arrive by bus and walk into the hallway of their building into their apartment. There is usually a great deal of congregation of people outside these buildings, particularly at night and in the parking lots and recreation areas. Threat Assessment Purse snatch robberies are the primary crime occurring at Elms Village. While the rate of violent crimes dropped in 2004, there is still a high threat level due to a deteriorating neighborhood. In fact, property crime escalated significantly in 2004. Despite a decrease since 2002, the threat level is notable considering this is a low population facility. Existing Security Security Policies & Procedures
Occupant Emergency Plan
Physical Security Measures
No electronic measures
Security Personnel
None
Vulnerabilities 1. Lighting is inadequate for the parking areas, the entryways and the interior common hallways. 2. Waist-high shrubbery interfere with lines of sight and offer concealment to criminals.
336
Strategic Security Management
Recommendations 1. As a deterrent measure, we recommend that parking lot, entryways and interior hallways be lit to a minimum of 5-fc. 2. Shrubs should be cut so as not to exceed 18″ in height, while tree branches and leaves throughout the property should not be lower than 8′ above ground level. Estimated Costs 1. The estimated cost to replace any required exterior lamps is between $300 and $500. 2. The shrub issue is a regular maintenance department cost. 07—Highlands This twelve-story building is located in the downtown area. The tenants and their visitors are the most critical asset. The only common areas of the building the tenants congregate in are the community room and laundry room. Other than that, tenants park their cars in the lot or arrive by bus, walk into the building to the elevator, and then walk through the hallway to their apartment. There is little to no congregation of people outside these facilities. The property assets important to the City are the items in the community room and laundry room such as television,VCR, couches, laundry equipment, and kitchenette equipment. Although general vandalism of the building itself is always a concern, there seems to be little of this in these facilities. The property assets in the individual apartments are of low priority and are the responsibility of the tenants. Threat Assessment The Highlands is a high population facility with a high threat level. Thirty percent of all the robberies at the ten facilities occurred at The Highlands. Though the crime rate has dropped from 2002, the threat level is still significantly high. In addition to the high robbery rate at this location, two rapes occurred, though one incident was domestic in nature and posed no threat to other residents. One murder also occurred at The Highlands and is still under investigation by the Police Department. Note that about 40% of the residents in this 12 floor mid-rise building located in the downtown area are “special needs” persons considered physically or mentally challenged, or both. The building has a large lobby located next to the front door and equipped with chairs and couches. Numerous residents congregate there for hours each day. When the security officer is not present, residents will often open the door to anyone seeking entry, even if they don’t know the person. This resulted in the rape in a laundry room of one mentally challenged resident by a stranger, who was apparently admitted by a resident during the absence of the security officer. Existing Security Security Policies & Procedures
Occupant Emergency Plan Security Manual No post orders
Risk Assessment Report
337
Physical Security Measures
Telephone entry system with electric strike on interior front vestibule door. One fixed camera in hallway looking into vestibule. One fixed camera in vestibule looking at front door. One fixed camera in community room One monitor and VCR in wall mount cabinet in office off community room.
Security Personnel
One security officer 24 hours per day, seven days per week, plus one security officer from 1600–2400, seven days per week (added after the stranger rape)
Vulnerabilities 1. Three of the four exterior doors (not including the lobby door) are inadequate in that they are composed of rusting metal that could be forced open. 2. There is a conflict between the access control duties of the security guard and his interior patrol duties. The security officer is required to control access to the building plus patrol all twelve floors each hour. He can’t be in two places at once. The newly added security officer only covers one shift each day. Recommendations 1. Repair/replace the four doors. 2. Install CCTV in the hallways on each of the twelve floors with a monitor in the security officer station by the front door. This will permit the security officer on duty to both control access and monitor the floors. This will permit the elimination of the second security officer. 3. Alternatively the second security officer coverage could be increased to 24 hours per day and that Security officer could remotely monitor CCTV cameras at all the other facilities that have them, now or in the future. The two security officers should change duties every 45 minutes. Estimated Costs 1. The estimated cost for replacing the doors is $300 each. 2. The estimated cost for installing two cameras on each of the twelve floors with a digital recorder is $54,000. 3. The estimated cost for increased security officer coverage is $15 per hour. 08—Heritage Gardens This seven-story building is located on the North side of the City. The tenants and their visitors are the most critical asset. The only common areas of the building the tenants congregate in are the community room and laundry room. Other than that, tenants park their cars in the lot or arrive by bus, walk into the building to the elevator, and then walk through the hallway to their apartment. There is little to no congregation of people outside these facilities.
338
Strategic Security Management
The property assets important to the City are the items in the community room and laundry room such as television,VCR, couches, laundry equipment, and kitchenette equipment. Although general vandalism of the building itself is always a concern, there seems to be little of this in these facilities. The property assets in the individual apartments are of low priority and are the responsibility of the tenants. Threat Assessment Heritage Gardens is a medium population facility located on the north side. Similar to Elms Village, purse snatch robberies are the primary concern, however, the violent crime rate is relatively low. BMV’s are also a concern as most thefts occurring on the property are burglaries of motor vehicles. The violent crime rate doubled in 2004, however, it was still a relatively low level of crimes of violence. Existing Security Security Policies & Procedures
Occupant Emergency Plan Security Manual Post orders
Physical Security Measures
Telephone entry system with electric strike on interior front vestibule door. One fixed camera in hallway looking at vestibule. One camera in community room One exterior fixed camera in housing looking at parking lot. One monitor and VCR in wall mount cabinet in maintenance shop.
Security Personnel
One security officer 24 hours per day, seven days per week, one security officer from 1800–0200, seven days per week
Vulnerabilities 1. Exterior lighting around the building and in the parking lot is inadequate for safety or security. 2. Surveillance of the parking lot and exterior areas is inadequate. Recommendations 1. Lighting around the base of the building should be increased to not less than 2-fc. Lighting in the parking lot should be increased to 3-fc. 2. The CCTV camera covering the parking lot should be changed to pan/tilt in a smoked dome. Signs should be placed in the parking lot and at its entrances stating that CCTV recording is in effect in the parking lot for use in later criminal prosecutions. 3. The second security officer will not be needed after the above recommendations are implemented. Access control is not a problem and one security officer is sufficient for continuous patrol.
Risk Assessment Report
339
Estimated Costs 1. The estimated cost to replace any required exterior lamps is between $300 and $500. 2. The estimated cost to add a PTZ dome camera with necessary controllers and digital recording is $16,000. 3. The estimated cost savings for reducing security officer coverage is $15 an hour. 09—Miller Gardens This nine-story building is located on the South side of the City. The tenants and their visitors are the most critical asset. The only common areas of the building the tenants congregate in are the community room and laundry room. Other than that, tenants park their cars in the lot or arrive by bus, walk into the building to the elevator, and then walk through the hallway to their apartment. There is little to no congregation of people outside these facilities. The property assets important to the City are the items in the community room and laundry room such as television,VCR, couches, laundry equipment, and kitchenette equipment. Although general vandalism of the building itself is always a concern, there seems to be little of this in these facilities. The property assets in the individual apartments are of low priority and are the responsibility of the tenants. Threat Assessment Miller Gardens is the highest population facility of the ten sites analyzed. Given this high population, the violent crime rate is relatively low in comparison to the other sites, however the crimes tend to be more violent in nature, with two rapes and numerous car-jacking robberies. Domestic assaults are also prevalent as are BMV’s. Existing Security Security Policies & Procedures
Occupant Emergency Plan
Physical Security Measures
Telephone entry system with electric strike on interior front vestibule door. One fixed camera in hallway looking at vestibule. Two exterior fixed cameras in housings looking at parking lot. One monitor and VCR in wall mount cabinet in maintenance shop.
Security Personnel
None
Vulnerabilities 1. Surveillance of the (three) parking lots where one of the rapes and all of the car-jackings occurred.
340
Strategic Security Management
Recommendations 1. Two additional CCTV cameras (pan/tilt in smoked domes) should be placed to cover each of the parking lots. Signs should be placed in the parking lot and at its entrances stating that CCTV recording is in effect in the parking lot for use in later criminal prosecutions. Coverage of the cameras could be from the Highlands if that recommendation is implemented. Estimated Costs 1. The estimated cost to add two PTZ dome cameras with necessary controllers and digital recording is $29,000. 10—Hutt Heights This is a small five-unit cluster of community-type buildings. The tenants are the most critical assets. The only common area of the facility is the community room building, a basketball/picnic area, and the parking lots. There is a laundry room in each building. Tenants park in the lot closest to their building or arrive by bus and walk into the hallway of their building into their apartment. There is usually a great deal of congregation of people outside these buildings, particularly at night and in the parking lots and recreation areas. Threat Assessment Hutt Heights is a low population facility located on the City’s east side. No violent crimes occurred during 2004 on this property. Thefts are a major concern on this property, with the vast majority being BMV’s. Existing Security Security Policies & Procedures
Occupant Emergency Plan
Physical Security Measures
No electronic measures
Security Personnel
One security officer 24 hours per day, seven days per week
Vulnerabilities 1. The access door to the Community Center is accessed by a sub-set of the keys of all the tenants. This means that a compromised key of any present or former tenant can still access the Community Center resulting in theft, vandalism or potentially an attack on a tenant. Recommendations 1. Install an access control locking system using a “key-fob” device issued to each tenant. Key fobs not turned in when a tenant leaves can be easily deleted from the stand-alone system.
Risk Assessment Report
341
2. Given the low level of crime, the security officer coverage appears excessive. We recommend it be reduced to eight hours per day (2000-0400). Estimated Costs 1. The estimated cost for a one-door access control system with appropriate number of key fobs is $5,500. 2. The estimated cost savings for reducing security officer coverage is $15 an hour. 11—Veterans Terrace This 25-building community-housing unit is located on the City’s North side. The tenants are the most critical assets. The only common area of the facility is the community room building, a basketball/picnic area, and the parking lots. There is a laundry room in each building. Tenants park in the lot closest to their building or arrive by bus and walk into the hallway of their building into their apartment. There is usually a great deal of congregation of people outside these buildings, particularly at night and in the parking lots and recreation areas. Threat Assessment Veterans Terrace is considered by residents and management to be a crime prone property given its size. UCR crime data confirms that this is a high violent crime rate property when compared to the other residential properties. One rape and a significant amount of robberies and aggravated assaults in the past three years have led to a high threat level and a general fear of crime by residents. Existing Security Security Policies & Procedures
Occupant Emergency Plan
Physical Security Measures
No electronic measures
Security Personnel
None
Vulnerabilities 1. Lighting is inadequate for the parking areas, the entryways and the interior common hallways. 2. Waist-high shrubbery interferes with lines of sight and offers concealment to criminals. 3. The access door to the Community Center is accessed by a subset of the keys of all the tenants. This means that a compromised key of any present or former tenant can still access the Community Center resulting in theft, vandalism or potentially an attack on a tenant. 4. There is inadequate surveillance of the parking lots. 5. There is no security presence on the property.
342
Strategic Security Management
Recommendations 1. As a deterrent measure, we recommend that parking lot, entryways and interior hallways be lit to a minimum of 5-fc. 2. Shrubs should be cut so as not to exceed 18″ in height, while tree branches and leaves throughout the property should not be lower than 8′ above ground level. 3. Install an access control locking system using a “key-fob” device issued to each tenant. Key fobs not turned in when a tenant leaves can be easily deleted from the stand-alone system. 4. A CCTV camera (pan/tilt in a smoked domes) should be placed to cover each of the parking lots. Signs should be placed in the parking lot and at its entrances stating that CCTV recording is in effect in the parking lot for use in later criminal prosecutions. Coverage of the cameras could be from the Highlands if that recommendation is implemented. 5. In the short term a 24/7 security presence on the property is essential to reduce the violent crime. We recommend one armed security officer (preferably a trained, off-duty police officer). While the police officer would cost approximately $26 per hour as opposed to approximately $15 for a private security officer, the additional training and experience of the police officer would be invaluable. Estimated Costs 1. The estimated cost to replace any required exterior lamps is between $300 and $500. The estimated cost to replace any required interior lamps is $100. 2. The shrub issue is a Department maintenance issue. 3. The estimated cost for a one-door access control system with appropriate number of key fobs is $5,500. 4. The estimated cost to add eight PTZ dome cameras with necessary controllers and digital recording is $140,000.
Appendix D
343
2/27/2006 14:45:57
Strategic Security Management
Sites: 10 Crimes: 1,2,3,4,5,6,7,8 Days: All Date: 01/01/2004-12/31/2004 Time: All
344
Incident Report
Incident Report 2/27/200614:45:56 Offense Report #
Location
Victim
Day
Date
Time
Comments
02—Rape 03—Robbery 03—Robbery 03—Robbery 03—Robbery 03—Robbery 03—Robbery 04—Aggravated 06—Theft 06—Theft 06—Theft 06—Theft 06—Theft 06—Theft 06—Theft 06—Theft 06—Theft 06—Theft 06—Theft 06—Theft 06—Theft 06—Theft 06—Theft
Outside Outside Inside Outside Outside Outside Outside
Person Person Business Person Person Person Person
Monday Wednesday Thursday Wednesday Thursday Tuesday Thursday Monday Monday Saturday Saturday Saturday Tuesday Thursday Wednesday Friday Wednesday Sunday Wednesday Saturday Sunday Wednesday Tuesday
07/12/2004 03/24/2004 07/29/2004 09/22/2004 10/28/2004 11/30/2004 12/09/2004 07/26/2004 01/19/2004 01/24/2004 02/14/2004 02/28/2004 03/23/2004 04/08/2004 04/21/2004 04/30/2004 06/02/2004 08/15/2004 08/18/2004 09/04/2004 09/12/2004 09/29/2004 12/07/2004
23:58 22:51 11:30 10:00 9:18 9:32 5:34 18:02 18:02 20:35 15:35 12:04 0:30 23:08 18:40 21:57 14:08 4:45 16:25 10:00 23:21 23:17 14:56
Interpersonal Aggravated Robbery Aggravated Robbery Purse natching Aggravated Robbery Purse Snatching Aggravated Robbery Interpersonal
Copyright © 2000–2006 by Threat Analysis Group. All Rights Reserved.
Page
2
of
3
345
Incident Report
10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10
Crime Type
Appendix D
2004-05795 2004-00110 2004-00266 2004-00361 2004-00463 2004-00512 2004-00531 2004-02352 2004-00017 2004-00028 2004-00055 2004-00071 2004-00107 2004-00127 2004-00144 2004-00159 2004-00202 2004-00284 2004-00291 2004-00332 2004-00345 2004-00374 2004-00520
Site ID
346
Incident Report 2/27/200614:45:56 Offense Report #
Incident Report
10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10
Crime Type 06—Theft 06—Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft 07—Auto Theft
Location
Victim
Day
Date
Time
Sunday Friday Wednesday Sunday Thursday Wednesday Tuesday Tuesday Thursday Thursday Saturday Thursday Thursday Sunday Tuesday Wednesday Thursday Tuesday Wednesday Monday
12/12/2004 12/17/2004 01/07/2004 01/25/2004 03/04/2004 03/24/2004 04/20/2004 06/15/2004 08/05/2004 08/19/2004 08/28/2004 09/23/2004 09/30/2004 10/03/2004 10/05/2004 10/20/2004 10/28/2004 11/23/2004 12/15/2004 12/20/2004
12:05 8:28 18:40 9:18 8:23 8:28 8:45 8:01 13:47 16:45 15:00 16:15 8:00 4:18 20:23 15:24 8:01 11:25 15:01 8:37
Copyright © 2000–2006 by Threat Analysis Group. All Rights Reserved.
Comments
Strategic Security Management
2004-00538 2004-00547 2004-00006 2004-00031 2004-00077 2004-00109 2004-00142 2004-00214 2004-00274 2004-00293 2004-00320 2004-00362 2004-00379 2004-00393 2004-00397 2004-00437 2004-00461 2004-00507 2004-00543 2004-00557
Site ID
Page
3
of
3
Crime Rate Report 2/27/2006 14:47:40
Sites: Crimes: Days: Date: Time:
10,20,30,40,50 1,2,3,4 All 01/01/2002–12/31/2004 All
Appendix D
347
348
Crime Rate Report 2/27/2006 14:47:40 Description
Year
Annual Transactions
Total Violent Crime
Violent Crime Rate
10
Total Violent Crime
2002
623,761
10
0.0160
10
Total Violent Crime
2003
667,458
7
0.0105
10
Total Violent Crime
2004
714,748
8
0.0112
20
Total Violent Crime
2002
445,644
8
0.0180
20
Total Violent Crime
2003
476,839
4
0.0084
20
Total Violent Crime
2004
512,051
3
0.0059
30
Total Violent Crime
2002
498,723
4
0.0080
30
Total Violent Crime
2003
533,633
6
0.0112
Crime Rate Report
Copyright © 2000–2006 by Threat Analysis Group. All Rights Reserved.
Page
Strategic Security Management
Site ID
2
of
3
Crime Rate Report 2/27/2006 14:47:40 Description
Year
Annual Transactions
Total Violent Crime
Violent Crime Rate
30
Total Violent Crime
2004
570,987
0
0.0000
40
Total Violent Crime
2002
731,099
8
0.0109
40
Total Violent Crime
2003
782,548
5
0.0064
40
Total Violent Crime
2004
837,545
5
0.0060
50
Total Violent Crime
2002
549,324
3
0.0055
50
Total Violent Crime
2003
587,766
4
0.0068
50
Total Violent Crime
2004
628,909
3
0.0048
Copyright © 2000–2006 by Threat Analysis Group. All Rights Reserved.
Page
3
of
3
349
Crime Rate Report
Appendix D
Site ID
2/27/2006 14:48:48
10 All All 01/01/2002—12/31/2004 All
Strategic Security Management
Sites: Crimes: Days: Date: Time:
350
Forecast Report
Forecast Report 2/27/2006 14:48:48 Crime Type
Min (68% confidence level)
Max (68% confidence level)
Min (95% confidence level)
Max (95% confidence level)
10
01—Murder
0
0
0
1
10
02—Rape
1
1
0
2
10
03—Robbery
5
7
4
8
10
04—Aggravated Assault
1
1
1
1
10
05—Burglary
0
0
0
0
10
06—Theft
14
20
11
23
10
07—Auto Theft
15
21
12
24
10
08—Arson
0
0
0
0
10
09—Other Assaults
0
1
0
2
10
10—Forgery and Counterfeiting
30
60
16
74
Copyright © 2000–2006 by Threat Analysis Group. All Rights Reserved.
Page
2
of
4
351
Forecast Report
Appendix D
Site ID
352
Forecast Report 2/27/2006 14:48:48 Max (68% confidence level)
Min (95% confidence level)
Max (95% confidence level)
11—Fraud
2
4
1
5
10
12—Embezzlement
0
0
0
0
10
13—Stolen Property—Buy, Receive, Possess
0
0
0
0
10
14—Vandalism
5
7
4
8
10
15—Weapons—Carrying, Possessing, etc.
0
0
0
0
10
16—Prostitution and Commercialized Vice
0
0
0
0
10
17—Sex Offenses
0
0
0
0
10
18—Drug Abuse Violations
0
2
0
4
10
19—Gambling
0
0
0
0
10
20—Offense Against the Family and Children
0
0
0
0
Crime Type
10
Forecast Report
Copyright © 2000–2006 by Threat Analysis Group. All Rights Reserved.
Page
Strategic Security Management
Min (68% confidence level)
Site ID
3
of
4
Forecast Report 2/27/2006 14:48:48 Max (68% confidence level)
Min (95% confidence level)
Max (95% confidence level)
21—Driving Under the Influence
0
0
0
1
10
22—Liquor Laws
0
0
0
0
10
23—Drunkenness
1
3
0
4
10
24—Disorderly Conduct
6
12
3
15
10
Total Crime Index
0
0
0
0
10
Total Property Crime
0
0
0
0
10
Total Violent Crime
0
0
0
0
Crime Type
10
Copyright © 2000–2006 by Threat Analysis Group. All Rights Reserved.
Page
4
of
4
353
Forecast Report
Appendix D
Min (68% confidence level)
Site ID
354
Strategic Security Management
Site Summary Report 2/27/2006 14:50:16
Sites: Crimes: Days: Date: Time:
10 All All 01/01/2002–12/31/2004 All
Crime Trend Year 2002 2003 2004 Temporal (Day) Day Sunday Monday Tuesday Wednesday Thursday Friday Saturday
Site Summary Report
Violent
Property
Total Index
Other
Total
10 7 8
32 34 35
42 41 43
95 112 65
137 153 108
3 4 2 4 5 3 4
14 5 9 16 22 14 21
17 9 11 20 27 17 25
39 21 20 22 65 53 52
56 30 31 42 92 70 77
Copyright © 2000–2006 by Threat Analysis Group. All Rights Reserved.
Page
1
of
2
355
Appendix D
Temporal (Time) Time Range 00:00–00:59 01:00–01:59 02:00–02:59 03:00–03:59 04:00–04:59 05:00–05:59 06:00–06:59 07:00–07:59 08:00–08:59 09:00–09:59 10:00–10:59 11:00–11:59 12:00–12:59 13:00–13:59 14:00–14:59 15:00–15:59 16:00–16:59 17:00–17:59 18:00–18:59 19:00–19:59 20:00–20:59 21:00–21:59 22:00–22:59 23:00–23:59
Site Summary Report
Violent
Property
Total Index
Other
Total
1 0 0 0 0 1 0 0 2 3 2 3 1 0 1 0 2 0 1 1 1 1 2 3
1 0 0 0 2 2 1 3 20 8 5 7 3 3 9 9 5 3 6 2 3 2 4 3
2 0 0 0 2 3 1 3 22 11 7 10 4 3 10 9 7 3 7 3 4 3 6 6
1 0 0 0 1 2 1 17 79 45 5 14 5 2 28 14 15 10 5 11 4 5 3 5
3 0 0 0 3 5 2 20 101 56 12 24 9 5 38 23 22 13 12 14 8 8 9 11
Copyright © 2000–2006 by Threat Analysis Group. All Rights Reserved.
Page
2
of
2
This page intentionally left blank
Bibliography
ASIS International. (2004). Chief Security Officer Guideline. Alexandria, VA: ASIS International. ASIS International. (2004). Private Security Officer Training and Selection Guideline. Alexandria, VA: ASIS International. ASIS International. (2003). General Security Risk Assessment Guideline. Alexandria, VA: ASIS International. Bates, Norman D. (2004). Major Developments in Premises Security Liability III. Bates, Norman D. (2003, Fall). “Recent Developments in Nationwide Security Standards: The General Security Risk Assessment Guideline.” Victim Advocate 4(2). Bates, Norman D. (1997). “Forseeability of Crime and Adequacy of Security.” Accident Prevention Manual for Business & Industry. Security Management, National Safety Council. Bates, Norman D. (1990, July). “Understanding the Liability of Negligent Hiring.” Security Management. Blake, William F. and Bradley, Walter F. (1999). Premises Security: A Guide for Security Professionals and Attorneys. Woburn: Butterworth Heinemann. James F. Broder (2006). Risk Analysis and the Security Survey, 3rd Ed. Woburn, MA: Butterworth-Heinemann. Clarke, Ronald V. (1997). Situational Crime Prevention: Successful Case Studies. Albany, NY: Harrow and Heston.
357
358
Strategic Security Management
Clarke, Ronald V. and Felson, Marcus (1993). Routine Activity and Rational Choice. Advances in Criminological Theory, Volume 5. New Brunswick, NJ: Transactions Publishers. Colling, Russell L. (2001). Hospital and Healthcare Security. 4th ed. Woburn, MA: Butterworth-Heinemann. Cornish, D. and Clarke, R.V. (1987). Understanding Crime Displacement: An Application of Rational Choice Theory. Criminology. 25:933–947. Crowe, Timothy D. (1991). Crime Prevention Through Environmental Design. Woburn, MA: Butterworth-Heinemann. Dalton, Dennis. (2003). Rethinking Corporate Security in the Post 9/11 Era. Woburn, MA: Butterworth-Heinemann. Dalton, Dennis. (1995). Security Management: Business Strategies for Success. Woburn, MA: Butterworth-Heinemann. Eck, John E., and Weisburd, David. (1995). Crime and Place. Monsey, NY: Criminal Justice Press (Police Executive Research Forum). Eck, John E. (1993). The Threat of Crime Displacement. Criminal Justice Abstracts. 25:527–546. Eck, John E. (1997). Preventing Crime at Places. Preventing Crime: What Works, What Doesn’t, What’s Promising: A report to the United States Congress. Washington, DC: U.S. Department of Justice, Office of Justice Programs, National Institute of Justice. Felson, Marcus K. (2002). Crime and Everyday Life, 3rd ed. Thousand Oaks, CA: SAGE Publications. Felson, Marcus K. and Clarke, Ronald V. (1997). Business and Crime Prevention. Monsey, NY: Criminal Justice Press (Police Executive Research Forum). Felson, Marcus, and Clarke, Ronald V. (1998). Opportunity Makes the Thief: Practical Theory for Crime Prevention. Policing and Reducing Crime Unit: Police Research Series. Gottlieb, Stephen, Arenberg, Sheldon, and Singh, Raj. (1998). Crime Analysis: From First Report to Final Arrest. Montclair, CA: Alpha Publishing. Kaminsky, Alan (1995). A Complete Guide to Premises Security Litigation. Chicago, IL: American Bar Association. Lee, W. Dean. (2005, July). “Risk Assessments and Future Challenges.” The FBI Law Enforcement Bulletin 74(7). U.S. Department of Justice, Federal Bureau of Investigation, Washington, DC 20535-0001. Lennick, Doug, and Kiel, Fred. (2005). Moral Intelligence: Enhancing Business Performance and Leadership Success. Philadelphia, PA: Wharton School Publishing.
Bibliography
359
Maguire, Mike, Morgan, Rod, and Reiner, Robert (1997). The Oxford Handbook of Criminology. New York: Oxford University Press. Messner, Steven F. and Rosenfeld, Richard (1994). Crime and the American Dream. Belmont: Wadsworth Publishing Company. Miethe, Terance D., and McCorkle, Richard. (1998). Crime Profiles: The Anatomy of Dangerous Persons, Places, and Situations. Los Angeles: Roxbury Publishing Co. National Crime Prevention Institute. (1986). Understanding Crime Prevention. Stoneham, MA: Butterworth Publishers. Newman, Graeme, Clarke, Ronald V., and Shoham, S. Giora (1997). Rational Choice and Situational Crime Prevention. Brookfield, Vermont: Ashgate Publishing Company. Roper, Carl A. (1999). Risk Assessment for Security Professionals. Woburn, MA: Butterworth-Heinemann. Sennewald, Charles A. (2003). Effective Security Management. 4th ed. Woburn, MA: Butterworth-Heinemann. Sennewald, Charles A., and Karim H. Vellani (2004). “Consultants as a Protection Resource,” Protection of Assets Manual. Alexandria, VA: ASIS International. Sonnenreich, Wes. (2006, February). “Return on Security Investment (ROSI): A Practical Quantitative Model.” The Journal of Research and Practice in Information Technology 38(1):1–7. United States Army Physical Security Field Manual/FM 3-19.30. Vellani, Karim H. (2004). “Achieving Return on Investment from Crime Analysis.” Security Business Practices Reference, Vol. 6. ASIS Council on Business Practices, ASIS International. Vellani, Karim H. (2004). “Boosting Performance and Morale.” Security Business Practices Reference, Vol. 6. ASIS Council on Business Practices, ASIS International. Vellani, Karim H. (2004, Fall). “Crime and Foreseeability Analysis.” The Independent Security Consultant. International Association of Professional Security Consultants. Vellani, Karim H. (2003). “Statistics as a Security Management Tool,” Effective Security Management. 4th ed. Woburn: Butterworth-Heinemann. Vellani, Karim H. (2002). “Crime Analysis: The First Step in Creating an Effective Crime Prevention Program.” Security Business Practices Reference, Vol. 5. ASIS Council on Business Practices, ASIS International. Vellani, Karim H. (2001, October). “Don’t Let Your Guard Down.” Security Management.
360
Strategic Security Management
Vellani, Karim H. (2000, May/June). “Security + Service = Satisfaction: The Perks of Private Security.” Journal of Property Management. Vellani, Karim H. (1999, September/October). “Crime Stoppers.” Journal of Property Management. Vellani, Karim H., and Batterson, Mark. (2003). Security Solutions for Banks. Threat Analysis Group, LLC. Vellani, Karim H., and Nahoun, Joel D. (2001). Applied Crime Analysis. Woburn, MA: Butterworth-Heinemann.
Recommended Reading
Anselin, L., Cohen, J., Cook, D., Gorr, W., and Tita, G. (2000). “Spatial Analysis of Crime.” Measurement and Analysis of Crime and Justice 4:213–262. Atkins, Stephen, Hussei., Sohail, and Storey. (1991). The Influence of Street Lighting on Crime and Fear of Crime. Crime Prevention Unit Paper No. 28. London: Home Office. Babitisky, Steven, Mangraviti, James J., and Todd, Christopher J. (2000). The Comprehensive Forensic Services Manual: The Essential Resources for All Experts. Falmouth, MA: S-E-A-K, Inc. Legal and Medical Information Systems. Barnes, Geoffrey C. (1995). “Defining and Optimizing Displacement.” In John E. Eck and David Weisburd (eds.), Crime and Place. Monsey, NY: Criminal Justice Press and Police Executive Research Forum. Barr, Robert, and Pease, Ken (1990). “Crime Placement, Displacement, and Deflection.” In Michael Tonry and Norval Morris (eds.), Crime and Justice: A Review of Research, Vol. 12. Chicago: University of Chicago Press. Bellair, Paul E. (February 2000). “Informal Surveillance and Street Crime: A Complex Relationship.” Criminology. Blake, William F., and Bradley, Walter F. (1999). Premises Security: A Guide for Security Professionals and Attorneys. Woburn, MA: Butterworth Heinemann. Block, C. R. (1998). “The GeoArchive: An Information Foundation for Community Policing.” In: J. E. Eck and D. Weisburd (eds.), Crime and Place. Crime Prevention Studies, Vol. 4. Monsey, NY: Criminal Justice Press and Police Executive Research Forum, pp. 26–81.
361
362
Strategic Security Management
Boba, Rachel. (1999, October). “Using the Internet to Disseminate Crime Information.” FBI Law Enforcement Bulletin, Federal Bureau of Investigation. BOMA. (1995). Security Planning Guidebook: Safeguarding Your Tenants and Property. Washington, DC: Building Owners and Managers Association International. Bottoms, A. E., and Wiles, P. (1997). “Environmental Criminology.” In: M. Maguire, R. Morgan, and R. Reiner (eds.), The Oxford Handbook of Criminology. 2nd ed., Oxford: Clarendon Press, pp. 305–359. Bouloukos, Adam C., and Farrell, Graham. (1997). “On the Displacement of Repeat Victimization.” In Graeme Newman, Ronald V. Clark, and S. Gloria Shoham (eds.), Rational Choice and Situational Crime Prevention: Theoretical Foundations. Dartmouth, NH: Dartmouth University Press. Brantingham, P. L., and Brantingham P. J. (1984). Patterns in Crime. New York: Macmillan. Brantingham, P. L. and Brantingham, P. J. (1995). “Location Quotients and Crime Hot Spots in the City.” In: C. R. Block, M. Dabdoub, and S. Fregly (eds.), Crime Analysis Through Computer Mapping. Washington, DC: Police Executive Research Forum, pp. 129–150. Brantingham, P. L., and Brantingham, P. J. (1996). The Theory of CPTED, November 1996, http://www.arch.vt.edu/crimeprev/pages/hdevbody.html, October 16, 2000. Brantingham, P. L., and Brantingham P. J. (1998). “Planning Against Crime.” In: M. Felson and R. B. Peiser (eds.), Reducing Crime Through Real Estate Development and Management. Washington, DC: Urban Land Institute, pp. 23–38. Broder, James F. (1999). Risk Analysis and the Security Survey. 2nd ed. Boston: Butterworth-Heinemann. Buerger, M. E., Cohn, E. G., and Petrosino, A. J. (1995). “Defining the ‘Hot Spots of Crime’: Operationalising Theoretical Concepts for Field Research.” In: J. E. Eck and D. Weisburd (eds.), Crime and Place. Washington, DC: Criminal Justice Press and Police Executive Research Forum, pp. 237–258. Bureau of Justice Assistance. (1997). Crime Prevention and Community Policing: A Vital Partnership (NCJ 166819). Washington, DC: U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Assistance. Burrows, B. (2001, February 1). “Research & Development Analyst.” Research & Development Section: Calgary Police Service. Burrows, John. (1991). Making Crime Prevention Pay: Initiatives from Business. Crime Prevention Unit Paper No. 27. London: Home Office.
Recommended Reading
363
Burrows, John. (1988). Retail Crime: Prevention through Crime Analysis. Crown. Campbell, J. K. (1998, June). “Solid Security at Rockefeller Center.” Security Management 42(6):32–38. Canter, P. (1995). “State of the Statistical Art: Point-Pattern Analysis.” In: C. R. Block, M. Dabdoub, and S. Fregly (eds.), Crime Analysis Through Computer Mapping. Washington, DC: Police Executive Research Forum, pp. 151–160. Canter, P. R. (1998). “Geographic Information Systems and Crime Analysis in Baltimore County, Maryland.” In D. Weisburd and T. McEwen (eds.), Crime Mapping and Crime Prevention. Crime Prevention Studies 8, Monsey, NY: Willow Tree Press, pp. 157–190. Cantor, D., and Lynch, J. P. (2000). “Self-Report Surveys as Measures of Crime and Criminal Victimisation.” Measurement and Analysis of Crime and Justice 4:85–138. Carey, C. (2000, September). “Towering Team Leader.” Access Control & Security Systems Integration 43(10): 1, 41–48. Christman, John H. and Charles A. Sennewald (2006). Shoplifting: Managing the Problem. Alexandria, VA: ASIS-International. Clarke, Ronald V. (1993). Crime Prevention Studies, Volume 1. Monsey, NY: Criminal Justice Press. Clarke, Ronald V. (1994). Crime Prevention Studies, Volume 2. Monsey, NY: Criminal Justice Press. Clarke, Ronald V. (1994). Crime Prevention Studies, Volume 3. Monsey, NY: Criminal Justice Press. Clarke, Ronald V. (1997). Situational Crime Prevention: Successful Case Studies. 2nd ed. Albany, NY: Harrow and Heston. Clarke, Ronald V., and Felson, Marcus. (1993). Routine Activity and Rational Choice. Advances in Criminological Theory, Volume 5. New Brunswick, NJ: Transactions Publishers. Clarke, Ronald V., and Felson, Marcus. (1997). Business and Crime Prevention. Monsey, NY: Criminal Justice Press. CMRC. (1998). Why Map Crime?, http://www.ojp.usdoj.gov/crmc/faq. September 31, 2000. Community Policing Beat Book. (1997). National Institute of Justice, http:// www.ojp.usdoj.gov/crmc/tools/welcome.html#beatbook. October 10, 2000. Cornish, D., and Clarke, R. V. (1987). “Understanding Crime Displacement: An Application of Rational Choice Theory.” Criminology 25:933–947.
364
Strategic Security Management
Craighead, G. (1996). High-Rise Security and Fire Life Safety. Boston: Butterworth-Heinemann. CrimeStat. (1997). “Ned Levine and Associates.” National Institute of Justice, Grant Number 97-IJ-CX-0040, Office of Justice Programs. Washington, DC. http://www.ojp.usdoj.gov/cmrc/tools/welcome.html#crimestat. October 10, 2000. D’Addario, Francis James. (1989). Loss Prevention through Crime Analysis. National Crime Prevention Institute. Boston: Butterworth-Heinemann. Dantzker, M.L. (1999). Readings for Research Methods in Criminology and Criminal Justice. Boston: Butterworth-Heinemann. DeFrances, Carol J., Smith, Steven, K., and Langan, Patrick A. (1995). Civil Justice Survey of State Courts, 1992: Civil Jury Cases and Verdicts in Large Counties, 1992 (NCJ 154346). Washington, DC: U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Statistics. DeFrances, Carol J., and Litras, Marika F.X. (1996). Civil Justice Survey of State Courts, 1996: Civil Jury Cases and Verdicts in Large Counties, 1996 (NCJ 173426). Washington, DC: U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Statistics. Doenges, Georjeanna W. (2000, September). “An Exploration of Sense of Community and Fear of Crime in Gated Communities.” Environment and Behavior, Sage Publications. Douglas, John E., Ann W. Burgess, Allen G. Burgess, and Robert K. Ressler. (1997). Crime Classification Manual: A Standard System for Investigating and Classifying Violent Crimes. San Francisco: Jossey-Bass. Duffee, D., McDowall, D., Mazerolle, L. G., and Mastrofski, S. D. (2000). “Measurement and Analysis of Crime and Justice: An Introductory Essay.” Measurement and Analysis of Crime and Justice 4:1–31. Eck, John E. (1993). “The Threat of Crime Displacement.” Criminal Justice Abstracts 25:527–546. Eck, John E. (1997). Preventing Crime at Places. Preventing Crime: What Works, What Doesn’t, What’s Promising: A report to the United States Congress. Washington, DC: U.S. Department of Justice, Office of Justice Programs, National Institute of Justice. Eck, J. E. (1998). “What Do Those Dots Mean? Mapping Theories with Data.” In: J. E. Eck and D. Weisburd (eds.), Crime and Place. Crime Prevention Studies, Vol. 4. Monsey, NY: Criminal Justice Press and Police Executive Research Forum, pp. 379–406.
Recommended Reading
365
Eck, J. E., and La Vinge, N. G. (1994). Using Research: A Primer for Law Enforcement Managers. 2nd ed. Washington, DC: Police Executive Research Forum. Ekblom, P. (1988). Getting the Best Out of Crime Analysis. Crime Prevention Unit: Paper 10. London: Home Office. Ettouney, M., Smilowitz, R., and Rittenhouse, T. (1996, February). “Blast Resistant Design of Commercial Buildings.” Practice Periodical on Structural Design and Construction: 31–39. Federal Bureau of Investigation. (1966). UCR Handbook. Washington, DC: U.S. Department of Justice. Felson, Marcus, and Clarke, Ronald V. (1997). Business and Crime Prevention. Monsey, NY: Criminal Justice Press (Police Executive Research Forum). Felson, M., and Clarke, R.V. (1998). “Opportunity Makes Thief: Practical Theory for Crime Prevention.” Police Research Series Paper 98, London: Research, Development and Statistics Directorate. Felson, M., and Peiser, R. B. (1998). Reducing Crime Through Real Estate Development and Management. Washington, DC: Urban Land Institute. Fennelly, L. J. (1997). Effective Physical Security. 2nd ed. Boston: ButterworthHeinemann. Fennelly, Lawrence J. (1995). Handbook of Loss Prevention and Crime Prevention. 3rd ed. Boston: Butterworth-Heinemann. Flanagan, Timothy J., and Longmire, Dennis R. (1996). Americans View Crime and Justice: A National Public Opinion Survey. Thousand Oaks, CA: Sage Publications. FOIP (2001). Freedom of Information and Protection of Privacy Act, 1995, http://www.gov.ab.ca/foip/, February 12, 2001. Garland, D. (1997). “Of Crimes and Criminals: The Development of Criminology in Britain.” In: M. Maguire, R. Morgan, and R. Reiner (eds.), The Oxford Handbook of Criminology, 2nd ed. Oxford: Clarendon Press, pp. 11–56. Garner, Bryan A. (1999). Black’s Law Dictionary. Eagan, MN: West Group. Gebhardt, Christopher S. (1999, April). “Crime Analysis: The Next Phase.” The Police Chief. April, pp. 33. Gill, M. (1998). “Introduction.” In: M. Gill (ed.), Crime at Work: Increasing the Risk for Offenders, Vol. II. Leicester: Perpetuity Press, pp. 11–23. Gips, M. A. (2000, May). “Building in Terrorism Shadow.” Security Management 44(5):42–50.
366
Strategic Security Management
Gordon, C. L. and Brill, W. (1996, January). The Expanding Role of Crime Prevention Through Environmental Design in Premise Liability. National Institute of Justice Journal in Brief. Washington, DC: U.S. Department of Justice. Gravetter, Frederick, and Wallnau, Larry B. (1995). Essentials of Statistics for the Behavioral Science, 2nd ed. New York: West Publishing Co. Groff, E. (1998). A Multi-Method Exploration of Crime Hot Spots: An Evaluation of the “Repeat Places” Mapping Technique. Washington, DC: Crime Mapping Research Center, National Institute of Justice. Hailey, K., Todd, J., and Stallo, M. (2000). Crime Analysis and the Struggle for Legitimacy, 1998, http://www.iaca.net/Resources/FAQs.htm, May 20, 2000. Harries, K. (1990). Geographic Factors in Policing. Washington, DC: Police Executive Research Forum. Harries, K. (1999). Mapping Crime: Principle and Practice. Crime Mapping Research Center, National Institute of Justice, Rockville, MD: National Criminal Justice Reference Service. Henry, Stuart, and Einstadter, Werner. (1998). The Criminology Theory Reader. New York: New York University Press. Hinman, E. E., and Hammond, D. J. (1997). Lessons from the Oklahoma City Bombing: Defensive Design Techniques. New York: ASCE Press. Hyatt, R. A., and Holzman, H. R. (1999). Guidebook for Measuring Crime in Public Housing with Geographic Information Systems. Washington, DC: U.S. Department of Housing and Urban Development, Office of Policy Development and Research. International Foundation for Protection Officers. Protection Officer Training Manual. Stoneham. MA: Butterworth Heinemann (1992). Jacobs, J. (1961). The Death and Life of Great American Cities, New York: Vintage Books. Jupp, Victor. (1989). Methods of Criminological Research. New York: Routledge. Kaminsky, Alan. (1995). A Complete Guide to Premises Security Litigation. Chicago: American Bar Association. Kennedy, D. M., Braga, A. A., and Piehl, A. M. (1998). “The (Un)Known Universe: Mapping Gangs and Gang Violence in Boston.” In: J. E. Eck and D. Weisburd (eds.), Crime and Place. Crime Prevention Studies, Vol. 4. Monsey, NY: Criminal Justice Press and Police Executive Research Forum, pp. 219–262. Kitteringham, Glen W. (2001). “Security Management Co-operation.” Security Business Practices References, Vol. IV. American Society for Industrial Security, ISBN Number 1-887056 45-49.
Recommended Reading
367
Kitteringham, Glen W. (2001). “A Study of Two Types of Vertical Crime Pattern Analysis in the Commercial Multi-Tenanted High-Rise Structure.” University of Leicester, United Kingdom. Kitteringham, Glen W. (2001, June/July). “The X Generation.” Canadian Security, 23, No. 5. KRA Corporation. (1997). A Guide to Evaluating Crime Control of Programs in Public Housing. Washington, DC: U.S. Department of Housing and Urban Development, Office of Policy Development and Research. LeBeau, J. L. (1995). “The Temporal Ecology of Calls for Police Service.” In C. R. Block, M. Dabdoub, and S. Fregly (eds.). Crime Analysis Through Computer Mapping. Washington, DC: Police Executive Research Forum, pp. 111–128. Leesfield, Ira H., and Gross-Farina, Sally. (1994, October). “Innkeeper Liability for Sexual Assaults.” Trial, Association of Trial Lawyers of America. Lehrer, Eli. (2000, Fall). “Crime-Fighting and Urban Renewal.” Public Interest. Levine, N. (1998). “ ‘Hot Spot’ Analysis Using Both the Systat ‘K-Means’ Routine and a Risk Assessment.” Annandale, VA: Ned Levine and Associates. Lockwood, Daniel. (1997). Violence among Middle School and High School Students: Analysis and Implications for Prevention (NIJ Research in Brief). Washington, DC: U.S. Department of Justice, Office of Justice Programs, National Institute of Justice. Maguire, Mike, Morgan, Rod, and Reiner, Robert. (1997). The Oxford Handbook of Criminology. New York: Oxford University Press. Maxwell, David A. (1992). Private Security Law: Case Studies. Boston: Butterworth-Heinemann. Mazerolle, L. G., Bellucci, C., and Gajewski, F. (1998). “Crime Mapping in Police Departments: The Challenges of Building a Mapping System.” In: J. E. Eck and D. Weisburd (eds.). Crime and Place. Crime Prevention Studies, Vol. 4. Monsey, NY: Criminal Justice Press and Police Executive Research Forum, pp. 131–155. Mazerolle, L. G., and Conover, T. E. (1998). A Multi-Method Exploration of Crime Hot-Spots: Spatial and Temporal Analysis of Crime (STAC). Prepared for: Academy of Criminal Justice Sciences Conference. Albuquerque, NM, March 11, 1998. Mazerolle, Lorraine, and Green, Jan Roehl. (1998). Civil Remedies and Crime Prevention. Vol. 9. Monsey, NY: Criminal Justice Press. McEwan, J. T. and Taxman, F. S. (1995). “Applications of Computerised Mapping to Police Operations.”In J. E. Eck and D. Weisburd (eds), Crime and Place. Crime Prevention Studies, Vol. 4. Monsey, NY: Criminal Justice Press and Police Executive Research Forum, pp. 259–284.
368
Strategic Security Management
Messner, Steven F., and Rosenfeld, Richard. (1994). Crime and the American Dream. Belmont, WA: Wadsworth. Mitchell, A. (1999). The ESRI Guide to GIS Analysis. Vol. 1 Geographic Patterns and Relationships. Redlands, CA: Environmental Systems Research Institute. Module 1. (1998). Introduction to Security and Crime Risk Management: Unit 5 Criminological Theory 1: Determinism: 179–218, The Scarman Centre for the Study of Public Order: University of Leicester. Module 1. (1998). Introduction to Security and Crime Risk Management: Unit 7 Criminological Theory 2: Rational Choice Theory: 289–316, The Scarman Centre for the Study of Public Order: University of Leicester. Module 3, (1999). Research Methods in Security and Crime Risk Management: Unit 1 Introduction—Philosophy: 3–36, The Scarman Centre for the Study of Public Order: University of Leicester. Module 3. (1999). Research Methods in Security and Crime Risk Management: Unit 2 Social Surveys: 37–92, The Scarman Centre for the Study of Public Order: University of Leicester. Module 3. (1999). Research Methods in Security and Crime Risk Management: Unit 4 Secondary Analysis: 121–160, The Scarman Centre for the Study of Public Order: University of Leicester. Module 5. (1998). Applied Crime Management: Unit 1, Applied Crime Management: 1–26, The Scarman Centre for the Study of Public Order: University of Leicester. Module 5. (1998). Applied Crime Management: Unit 3, Crime Pattern Analysis: 113–149, The Scarman Centre for the Study of Public Order: University of Leicester. Moore, Mark H. (1999). “Manager’s Journal: Private-Sector Lessons for New York’s Finest.” Wall Street Journal, April 12, 1999. Moore, Merlyn D., and Bieck, William H. (1995). Case Analysis: Establishing Foreseeability of Crime; Actual Notice of Prior Criminal Incidents; Constructive Notice of Crime Risk. Texas Premises Liability: Inadequate or Negligent Security. Professional Education Systems, Inc. Moran, Richard. (1996, Spring). “Bringing Rational Choice Theory Back to Reality.” Journal of Criminal Law and Criminology. National Research Council. (1988). The Protection of Federal Office Buildings Against Terrorism. Washington, DC: National Academy Press. Newman, Graeme, Clarke, Ronald V., and Shoham, S. Giora. (1997). Rational Choice and Situational Crime Prevention. Brookfield, VT: Ashgate Publishing Co.
Recommended Reading
369
Newman, O. (1971). Architectural Design for Crime Prevention. National Institute of Law Enforcement and Criminal Justice, U.S. Department of Justice Law Enforcement Assistance Administration. Newman, O. (1972). Defensible Space: Crime Prevention Through Environmental Design. New York: Macmillan. Newman, O. (1996). Creating Defensible Space. Washington, DC: U.S. Department of Housing and Urban Development, Office of Policy Development and Research. O’Brien, Robert M. (1985). Crime and Victimization Data. Beverly Hills, CA: Sage Publications. Olligschlaeger, A. M. (1998). “Artificial Neural Networks and Crime Mapping.” In M. Weisburd and T. McEwen (eds.), Crime Mapping & Crime Prevention: Crime Prevention Studies. Vol. 8. Monsey, NY: Willow Tree Press, pp. 313–347. Openshaw, S., and Turton, I. (1998). Application of GAM to Crime Analysis Data. Centre for Computational Geography, School of Geography: University of Leeds. Page, Joseph A. (1988). The Law of Premises Liability. 2nd ed. Cincinnati: Anderson Publishing Co. Painter, K., and Farrington, D. P. (1999). “Improved Street Lighting: Crime Reducing Effects and Cost-Benefit Analysis.” Security Journal 12(4):17–32. Parham, D.W. (1995). “Crime Prevention through Real Estate Development and Management.” In: D.W. Parham (ed.). Washington, DC: ULI Education Policy Forum Series No. 650. Partridge, W. (1999). BOMA Building Guide: Calgary 1999. Calgary: BOMA Calgary. Pease, K. (1997). “Crime Prevention.” In: M. Maguire, R. Morgan, and R. Reiner (eds.). The Oxford Handbook of Criminology. 2nd ed. Oxford: Clarendon Press, pp. 963–995. Perry, L. G. (2000). Are Your Tenants Safe? BOMA’s Guide to Security and Emergency Planning. Washington, DC: BOMA International. Phillips, C., and Axelrod, A. (2000). Cops, Crooks and Criminologists: An International Biographical Dictionary of Law Enforcement. Updated Edition. New York: Checkmark Books. Piper, L., Lucas, R., Shirley, J., and Rohe, W. (1997). How to Conduct Victimisation Surveys: A Workbook. Washington, DC: U.S. Department of Housing and Urban Development, Office of Policy Development and Research.
370
Strategic Security Management
Purpura, Philip P. (1998). Security and Loss Prevention: An Introduction. 3rd ed. Boston: Butterworth-Heinemann. Ramsay, Malcolm, and Newton, Rosemary. (1991). The Effect of Better Street Lighting on Crime and Fear: A Review. Crime Prevention Unit Paper No. 29. London: Home Office. Read, T., and Oldfield, D. (1995). Local Crime Analysis. Police Research Group, Crime Detection and Prevention Series: Paper No. 65, London: Home Office Police Department. ReCAP SDE. (1997). Crime Mapping Research Centre, National Institute of Justice, program by ESRI, http://www.ojp.usdoj.gov/cmrc/tools/welcome. html#recap-sde, October 10, 2000. Rengert, G. F. (1995). “More than Just a Pretty Map: How Can Spatial Analysis Support Police Decisions?” In: C. R. Block, M. Dabdoub, and S. Fregly (eds.), Crime Analysis Through Computer Mapping. Washington, DC: Police Executive Research Forum, pp. xiii–xiv. Rengert, G., Mattson, M., Lowell, R., and Henderson, K. (1999). Using a High Definition GIS to Enhance Community Policing on College Campuses. Final Report. Philadelphia: Center for Public Policy. Rengert, G. F., and Pelfrey, W. V., Jr. (1998). “Cognitive Mapping of the City Center.” In: J. E. Eck and D. Weisburd (eds.), Crime and Place. Crime Prevention Studies, Vol. 4. Monsey, NY: Criminal Justice Press and Police Executive Research Forum, pp. 193–218. Retail Week. (1999). “Designing out Crime.” Retail Week, September 24. Rich, T. F. (1995). The Use of Computerized Mapping in Crime Control and Prevention Programs. Washington, DC: National Institute of Justice, Research in Action. Rosenbaum, D. P., and Lavrakas, P. J. (1995). “Self-Reports about Place: The Application of Survey and Interview Methods to the Study of Small Areas.” In: J. E. Eck and D. Weisburd (eds.), Crime and Place. Crime Prevention Studies, Vol. 4. Monsey, NY: Criminal Justice Press and Police Executive Research Forum, pp. 285–314. Rossmo, Dr. Kim (2000). Geographic Profiling. Boca Raton, FL: CRC Press. Rossmo, Dr. Kim (1995). “Overview: Multivariate Spatial Profiles as a Tool in Crime Investigation.” In: C. R. Block, M. Dabdoub, and S. Fregly (eds.), Crime Analysis Through Computer Mapping. Washington, DC: Police Executive Research Forum, pp. 65–98. Rossmo, Dr. Kim (1995). “Strategic Crime Patterning: Problem-Orientated Policing and Displacement.” In: C. R. Block, M. Dabdoub, and S. Fregly (eds.),
Recommended Reading
371
Crime Analysis Through Computer Mapping. Washington, DC: Police Executive Research Forum, pp. 1–14. Sampson, R. J. (1986). “The Effects of Urbanization and Neighborhood Characteristics on Criminal Victimization.” In: R. M. Figlio, S. Hakim, and G. F. Rengert (eds.), Metropolitan Crime Patterns. Monsey, NY: Criminal Justice Press, 3–26. San Luis, E., Tyska, L. A., and Fennelly, L. (1994). Office and Office Building Security. Boston: Butterworth-Heinemann. Sennewald, Charles A., and Christman, John H. (1992). Shoplifting. Boston: Butterworth-Heinemann. Sevin, E. (1995). Protecting Buildings from Bomb Damage: Transfer of Blast-Effects Mitigation Technologies from Military to Civilian Applications. Washington, DC: National Academy Press. Sherman, Lawrence W. (1997). Communities and Crime Prevention. Preventing Crime: What Works, What Doesn’t, What’s Promising: A Report to the United States Congress. Washington, DC: U.S. Department of Justice, Office of Justice Programs, National Institute of Justice. Smith, Mark S. (1996). Crime Prevention Through Environmental Design in Parking Facilities (NIJ Research in Brief). Washington, DC: U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Assistance. Sorensen, S. L. (1998). “SMART Mapping for Law Enforcement Settings: Integrating GIS and GPS for Dynamic, Near-Real Time Applications and Analysis.” In M. Weisburd and T. McEwen (eds.), Crime Mapping and Crime Prevention. Crime Prevention Studies, Vol. 8. Monsey, NY: Willow Tree Press, pp. 349– 378. Spelman, W. (1988). Beyond Bean Counting: New Approaches for Managing Crime Data. Washington, DC: Police Executive Research Forum. Stambough, H., Tillery, C., and Schaenman P. (1999). “Inventory of State and Local Law Enforcement Technology Needs to Combat Terrorism.” National Institute of Justice Research in Brief, January. Washington, DC: U.S. Department of Justice. Stangeland, Per. (1998). “Other Targets or Other Locations?: An Analysis of Opportunity Structures.” The British Journal of Criminology. Oxford: Oxford University Press. Statistics Canada (2000). Criminal Victimisation 1999. http://www.statcan.ca/ Daily/English/001102/d001102a.htm. February 10, 2001. Swetnam, D. (2000). Writing Your Dissertation, Plymouth, MA: How to Books.
372
Strategic Security Management
Sykes, J. B. (1981). The Concise Oxford Dictionary. Oxford: Clarendon Press. Taxman, F. S., and McEwan, T. (1998). “Using Geographical Tools with Interagency Workgroups to Develop and Implement Crime Control Strategies.” In J. E. Eck and D. Weisburd (eds.), Crime and Place. Crime Prevention Studies, Vol. 4. Monsey, NY: Criminal Justice Press and Police Executive Research Forum, pp. 83–111. Taylor, Ralph B., and Harrell, Adele V. (1996). Physical Environment and Crime (NIJ Research Report). Washington, DC: U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Assistance. Taylor, R.B. (1997). Crime and Small-Scale Places: What We Know, What We Can Prevent, and What Else We Need to Know. Washington, DC: U.S. Department of Justice. Texas Department of Public Safety. (1994). Crime in Texas, 1994. Austin, TX: Crime Records Service. Toft, B., and Reynolds, S. (1997). Learning from Disasters: A Management Approach. 2nd ed. Leicester: Perpetuity Press. U.S. Department of Justice. (2000). “Geocoding in Law Enforcement, Final Report.” Office of Community Orientated Policing Services, August: Prepared by the Crime Mapping Laboratory Police Foundation, http://www.usdoj.gov/ cop/, November 15, 2000. United States Marshals Service. (1995). Vulnerability Assessment of Federal Facilities. Washington, DC: U.S. Department of Justice. Vold, George B., Bernard, Thomas J., and Snipes, Jefferey B. (1998). Theoretical Criminology. 4th ed. New York: Oxford University Press. Walsh, Ellen M. (1999, July/August). “Crime Prevention through Environmental Design.” Journal of Housing and Community Development, National Association of Housing and Redevelopment Officials. Walsh, J. (2000). “Chapter 1, Part II, Trends and Patterns in Security.” In J. Walsh (ed.), Protection of Assets Manual: Los Angeles: Merritt Publishing. Walsh, J. (2000). “Chapter 19, Part VII, High-Rise Structures, Section B Security Considerations.” In J. Walsh (ed.), Protection of Assets Manual: Los Angeles: Merritt Publishing. Walsh, J. (2000). “Chapter 23, Part III, Systematic Loss Reporting.” In J. Walsh (ed.), Protection of Assets Manual. Los Angeles: Merritt Publishing. Weisburd, David, and McEwen, Tom. (1998). Crime Mapping and Crime Prevention. Crime Prevention Studies, Vol. 8. Monsey, NY: Criminal Justice Press.
Recommended Reading
373
Whitehead, P., and Gray, P. (1998). Pulling the Plug on Computer Theft. Police Research Series 101. London: Policing and Reducing Crime Unit. Williamson, D. (1998). A Multi-Method Exploration of Crime Hot-Spots: Summary of Findings Utilising the IDRISI Software Package. http://www.ojp.usdoj.gov/cmrc/pubs/hotspot/hotspot.html, October 21, 2000.
This page intentionally left blank
Index
Page numbers followed by “f ” denote figures; those followed by “t” denote tables A Access control systems, 23, 196–200 Action plan, for security metrics, 8 Addressable fire systems, 204 Adversary asset knowledge by, 38–39 capability of, 32–33, 38, 41, 111 definition of, 12 historical data regarding, 30, 37 motivation of, 21, 31–32, 41 profiling of, 38 target selection factors by, 45–46 threats vs., 28 tools and weapons accessed by, 39 types of, 111 Aggravated assaults, 42–43 Alarm systems communicators and keypads, 185 control panels, 185 door contacts, 186 glass break detectors, 187–188 motion sensors, 186–187 proprietary vs. nonproprietary, 220 spot detectors, 188 window contacts, 186
al-Qaeda, 18, 30, 32, 35 Alternative criminology, 160 American Society for Industrial Security—International description of, 5, 113, 254 General Security Risk Assessment Guideline, 279–282 guidelines of, 277 security risk assessment guideline, 120–132 American Society of Industrial Society, 277 Analog fire systems, 204 Annualized loss expectancy, 138 Annualized loss exposure, 263 Annualized rate of occurrence, 138, 263 Assault-type crimes, 42–43 Assessments hybrid, 13, 137 risk. See Risk assessment security areas addressed by, 24 threats. See Threat assessments types of, 23 vulnerability. See Vulnerability assessment
375
376
Index
Asset(s) adversary knowledge about, 38–39 as targets, 17–18 categorizing of, 135 consequence analysis, 18–20 critical. See Critical assets criticality assessments of, 19, 111 definition of, 12, 110, 135 identification of, 17, 20, 135–136, 279 information, 15, 17 intangible, 135, 146 of Low Importance, 136 of Moderate Importance, 135–136 of Significant Importance, 135 owner of, 135 people as, 15 prioritizing of, 19 property as, 15, 135 protection of, 16, 21 tangible, 135, 146 threat assessment considerations, 29–30 value of, 165 vulnerability assessments for, 90–91 Asset classification definition of, 15–17 in information technology risk management, 135 in threat assessment, 28 Asset recovery analysis, 262 Asset value, 138 Attack probability, 113 Auditing, 229–230 Authentication, 153 Authorization, 152 Auto theft, 44–45 Automated Teller Machine Act, 5 Availability definition of, 136 loss of, 146 B Balanced protection, 116 Bank robberies, 43 Barrier arm operators, 201
Beam smoke detectors, 205 Beats, 71 Benchmarking, 7–8, 247 Benchmarks, 7–8 Best practices definition of, 214 in forensic security consulting, 299–303 International Association of Professional Security Consultants, 321–324 bin Laden, Osama, 45 Biometric readers, 198 Bollards, 202 Breach of duty, 267 Burglary systems, electronic communicators and keypads, 185 control panels, 185 door contacts, 186 glass break detectors, 187–188 motion sensors, 186–187 proprietary vs. nonproprietary, 220 spot detectors, 188 window contacts, 186 Business continuity planning, 18–19 Business-critical assets, 15–16 C Calls for service accuracy of, 66 description of, 64 elements of, 64, 66 offense reports and, 67–69, 68f, 73 reliability of, 66–67 request for, 65f Cameras, 189–192 Capability assessment of, 34–35, 38 definition of, 12 of adversary, 32–33, 38, 41 Case law, 266 Causation, 267–268 CCTV systems cameras, 189–192
Index
costs of, 262–263 description of, 22, 189 deterrence value of, 41 integration of, 206 intelligent video, 195 IP video, 194–195 management buy-in for, 226 monitors, 192–193 recording options for, 193–194 Census tracts, 70 Certified security consultant Code of Ethics for, 317–319 description of, 255 Checksums, 153 Chief security officer, 2 Coax cable, 190 Code of ethics Certified Security Consultant, 317–319 International Association of Professional Security Consultants, 315–316 Competitive crimes, 167 Computer criminals, 142t Computer monitor, 192 Confidentiality definition of, 136 loss of, 145 Consequence analysis, 18–20 Consequences categorizing of, 19 definition of, 12 Consulting divisions of, 285 forensic security. See Forensic security consulting Continuity of operations, 12 Contract security officers, 239–241 Control(s) categories of, 151–155 costs of implementing, 155–156 definition of, 147 detective, 144, 153–155 implementation of, 150–151, 155–156 management, 153–154
377
operational, 154–155 opportunity cost considerations, 151 preventive, 144, 152–155 procedural, 151 purpose of, 147 recovery, 154 selection of, 150–151 supporting, 152 technical, 151–152 Control evaluation, 144–145 Control recommendations, 147–148 Convenience, 280 Convergence, 133 Cost avoidance, 262 Cost-benefit analysis description of, 12, 105, 150, 155–156, 281 for physical security countermeasures, 212–214 Countermeasures. See also Security measures crime analysis used to select, 55–56 definition of, 12, 137 existing, 20–21, 92, 103 implementation of, 227–229 inventory of, 20–23 management buy-in, 223–226, 261 physical security. See Physical security countermeasures policies and procedures. See Policies and procedures testing of, 92 CPTED. See Crime prevention through environmental design Crime business establishments susceptible to, 270 clustering of, 81 competitive, 167 components necessary for, 54 exploitive, 167 external sources of, 57 individualistic, 167 internal sources of, 57
378
Index
knowledge of, 271 location-specific questions regarding, 56 logical examination of, 55 method of operation for, 57 mutualistic, 167 prior, 270 risk factors for, 270–271 temporal elements of, 56 temporal shifts in, 164–165 third-party, 286 threshold for, 235 Crime analysis census tracts, 70 countermeasure selection based on, 55–56 data sources for city data, 71 county data, 71 hierarchy of, 69f law enforcement data. See Law enforcement data national data, 71 security reports, 58–60 state data, 71 definition of, 55, 111 description of, 12–13, 28–29, 275–276 elements of, 55 facilities, 70–71 forecasting, 81–82 geographic levels, 69–71 methodology for annual traffic level at site, 74 database collection, 73–74 overview of, 72–73 modus operandi analysis, 81 outsourcing of, 55 purpose of, 54–58 questions answered by, 56–58 reporting area, 70 return on security investment, 82–83 risk model integration of, 52 social disorder models vs., 61 spatial analysis, 78–81
summary of, 56 temporal analysis, 77–78 Crime displacement, 165, 169–170 Crime in the United States, 62–63 Crime opportunities principles regarding, 164–165 rational choice theory of, 165 reducing of, 165 routine activity theory of, 166–167 Crime prevention definition of, 160 measures for, 115, 170–171 situational crime. See Situational crime prevention theoretical study for, 160–162 Crime prevention through environmental design description of, 98, 162 natural access control, 168–169 natural surveillance, 168 principles of, 167–168 territorial reinforcement, 169 Crime rate analysis, 75–77 Crime risk analysis. See Crime analysis Crime triangle, 53–54, 54f, 159f Crime-specific analysis, 74–75 Criminal profiling, 166 Criminals computer, 142t motivation of, 53 types of, 57 Criminology, 160 Critical assets backup for, 17 business, 15–16 criteria for, 15–16 definition of, 110 examples of, 110–111 identifying of, 17 protection of, 16 replacement time for, 16–17 types of, 15 Criticality definition of, 13, 137 of assets, 16, 111
Index
Criticality assessment description of, 19 in threat assessment, 28 CRT monitors, 192 D Data-driven assessments, 8–10 Data-driven security, 1–4 Daubert v. Merrell Dow Pharmaceuticals, 290 Defeat, 13 Defensible space, 167 Delay definition of, 13, 103–104 measures, 103, 105 Deposition, 297 Design basic threat, 33 Detection definition of, 13, 103 measures, 103 Detective controls, 144, 153–155 Deterrence definition of, 13, 103 law enforcement officers as, 236 lighting as, 203 measures used for, 41 Deterrence theory, 272 Diffusion of benefits, 170 Digital recorders, 193–194 Districts, 71 Dome housings, 190 Door contacts, 186 Door hardware, 200 Door magnets, 205 Dual-technology motion detectors, 187 Duct smoke detectors, 204 Duty breach of, 267 definition of, 266 from case law, 266 E Earth Liberation Front, 32 Economic criminals, 32 Egress devices, 199
379
Electric strikes, 198 Electronic access control systems, 196–200 Electronic burglary systems communicators and keypads, 185 control panels, 185 door contacts, 186 glass break detectors, 187–188 motion sensors, 186–187 proprietary vs. nonproprietary, 220 spot detectors, 188 window contacts, 186 Emergency, 13 Emergency management plan, 179–181 Emergency response personnel, 180 Employees negligent hiring of, 273–275 unsupervised access by, 274 Environmental criminals, 32 Environmental threats, 141 Equipment. See also Physical security countermeasures effectiveness of, 229–230 implementation of, 227–229 management buy-in, 223–226 monitoring of, 227 Ethics code of. See Code of ethics definition of, 307 dilemmas involving, 312–315 guidelines for, 315 independence of consultant, 310–311 objectivity of consultant, 310 outcome expectations of assignment, 309 overview of, 305–307 in practice, 307–311 value of service to client, 309–311 who will benefit from opportunity, 308–309 Event recorders, 193 Executive summary of risk assessment report, 117
380
Index
of vulnerability assessment report, 100–101 Exploitive crimes, 167 Exposure, 13, 136 Exposure factor, 138 F Facial recognition software, 195 Facilities assessment of, 161 characterization of, in vulnerability assessment report, 101 construction of, 227–228 crime analysis, 70–71 crime rates for comparison purposes, 75 low-security, 104 off-duty law enforcement officers vs. security officers for, 236–237 security levels at, 24–25 situational elements of, 40 vulnerability rating scale for, 94 Facility, 13 False alarm rates, 103 FBI uniform crime reports, 62–64, 167 Fencing, 200–201 Fiber-optic cable, 191 Financial management, 259–260 Fire alarms, 220 Fire systems, 204–205 Fixed lenses, for camera, 189 Flowcharts, 178 Force protection programs, 9 Forecasting, 81–82 Forensic security consultant advertising by, 291 authorship by, 290–291 deposition of, 297 differing educations for, 161–162 education role of, 312–315 experience and qualifications of, 289 file assessment and review by, 293–296
independence of, 310–311 marketing by, 290–291 objectivity of, 310 opinion by, 296–297 public speaking by, 291 referrals, 291 responsibilities of, 286 retention of, 292–293 role of, 294–295, 315 supportive opinion by, 296–297 trial testimony by, 297 walking away from assignment, 311–312 Forensic security consulting benefactor of, 308–309 best practices methodology, 299–303 description of, 285 ethics in, 305–316 outcome expectations, 309 premises liability, 297–298 qualifications for, 288–290 request for, 308 value of service to client, 309–310 Foreseeability, 269–270 G Gate operators, 201–202 General Security Risk Assessment Guideline, 279–282 Glass break detectors, 187–188 Guidelines, 277–278 H Hacker, 142t Heat detectors, 188 Heat sensors, 205 Hedonistic calculus, 165–166 Hierarchy of needs, 251f Homeland security characteristics of, 115 Threat Advisory System, 46–47, 235 Hot spot analysis, 79–80 Human threats, 30–31, 141, 142t Hybrid assessment, 13, 137
Index
I Ideological motivations, 32 Impact classification of, 146t definition of, 139, 280 Impact analysis, 145–146 Incident report, 58, 59f–60f Incompetent lawyer, 314 Individualistic crimes, 167 Industrial espionage, 142t Information assets, 15 Information gathering, 141 Information technology risk assessment definition of, 136 terminology associated with, 136–137 Information technology risk management. See also Risk management asset identification, 135–136 definition of, 134 evaluation, 156–157 refinement, 156–157 Information technology security importance of, 133–134 security assessment methodologies for, 24 Information technology system characterization of, 139–141 threats to, 142 vulnerabilities for, 143 InfraGard, 34 Infrastructure, 13 Inside-out approach, to security measure inventorying, 111 Insider threats, 31, 142t Intangible assets, 135, 146 Integrity definition of, 137 loss of, 146 Intelligent video, 195 International Association of Professional Security Consultants code of ethics, 315–316
381
description of, 254 forensic methodology of, 299–301, 321–324 International Foundation for Protection Officers, 232 Internet protocol, 191 Internet protocol video, 194–195 Interpersonal assaults, 43 IP video, 194–195 K Keypads for electronic access control systems, 197–198 for electronic burglary systems, 185 L Law enforcement data calls for service. See Calls for service crime analysis using, 61–69, 225, 275 offense reports, 67–69, 68f, 73 uniform crime reports, 62–64 Law enforcement officers, 235–239 LCD monitors, 192 Lighting, 203–204 Likelihood determination, 145 Location-specific threat assessments, 29 Locks and locking devices, 198–199, 203 Loss rates, 262 Loss risk events, 279–280 Low Importance asset, 136 Low-security facilities, 104 M Magnetic locks, 198–199 Magnetic stripe readers, 197 Management audit support from, 229 buy-in by, 223–226, 261 Management controls, 153–154 Management security, 144t
382 Maslow’s hierarchy of needs, 251f Matrix switcher controller, 192 McVeigh, Timothy, 45 Metrics. See Security metrics Metropolitan statistical area, 71 Microwave detectors, 186 Misconduct, by security officers, 272–273 Mitigation definition of, 13, 179 risk. See Risk mitigation Moderate Importance asset, 135 Modus operandi analysis, 81, 166 Monitors, 192–193 Moral intelligence, 307 Motion detectors, 199 Motion sensors, 186–187 Motivation creation of, 53 of adversaries, 31–32, 41 of offenders, 167 Mullins v. Pine Manor College, 271 Multiplexer, 191–192 Murder, 42–43 Mutual aid agreements, 180 Mutualistic crimes, 167 N National Fire Protection Association, 254 National Institute of Standards and Technology, 5 National security standards, 276–278 Natural access control, 168–169 Natural surveillance, 168 Natural threats, 30–31 Negligence in hiring, 273–275 torts of, 266, 287 Networking, 218–219 Nonrepudiation, 153 Nuisance alarm rates, 103 O Off-duty law enforcement officers, 235–239
Index
Offender crime displacement, 170 Offender motivation, 167 Offense reports, 67–69, 68f, 73 Oklahoma City bombing, 45 Operational controls, 154–155 Operational failure, 272 Operational security, 144t Opportunity cost, 151 Opportunity reduction for assault-type crimes, 43 examples of, 39 for robberies, 44 strategies for, 41 for theft, 45 Organizational charts, 177 Outside-in approach, to security measure inventorying, 111 Outsider threats, 31 P Pan/tilt/zoom housings, 190 Passive infrared detectors, 186 People, as assets, 15 Perimeter security bollards for, 202 description of, 23 fencing for, 200–201 gate operators for, 201–202 systems for, 200–202 Perpetrator crime displacement, 169–170 Personnel. See Security personnel Photoelectric beams, 187 Physical protection system, 102–103 Physical security countermeasures best practices, 214 CCTV systems. See CCTV systems codes and ordinances regarding, 215 cost considerations, 212–214, 262–263 cost-benefit analysis, 212–214 description of, 21, 102, 170–171 effectiveness of, 229–230 electronic access control systems, 196–200
Index
electronic burglary systems communicators and keypads, 185 control panels, 185 door contacts, 186 glass break detectors, 187–188 motion sensors, 186–187 spot detectors, 188 window contacts, 186 equipment for, 22 fire systems, 204–205 implementation of, 227–229 integration of, 206 justifying of, 230, 261 layering of, 209 lighting, 203–204 locks, 203 management buy-in, 223–226, 261 needs determination of, 208–210 product matched to, 210–211 request for proposal to meet, 210–211 perimeter security, 200–202 policies and procedures integrated with, 207–208 security personnel and, 207–208 selection of, 217–223 service considerations, 221–222 specialized systems, 205–206 standardization of, 220–221 technology and trade shows to view, 219–220 vendor considerations, 223 Plaintiff ’s theories, 272 Police data. See Law enforcement data Police officers. See Law enforcement officers Policies and procedures description of, 170, 173–174 importance of, 174 physical security countermeasures integrated with, 207–208 security plan, 176–179 Post orders, 243–247
383
Precincts, 71 Premises security liability causation, 267–268 duty breach of, 267 description of, 266–267 forensic security consulting, 297–298 foreseeability element, 269–270 General Security Risk Assessment Guideline, 279–282 injury, 267 lawsuits for, 72, 265, 286 negligent hiring, 273–275 plaintiff ’s theories, 272 principles of, 265–266 prior similar crime rule, 269 reducing the risk of, 275 in return on security investment, 262 risk factors for, 270–271 totality of circumstances, 269–270 Preparation measures, 115 Prevention. See Crime prevention Prevention measures, 115, 170–171 Preventive controls, 144, 152–155 Prior similar crime rule, 269 Privacy, 153 Procedural control, 151 Project implementation strategy for, 253 quality level of, 252 success of, 252 Project close-out, 252 Project management conclusion phase of, 252 definition of, 13, 252 development phase of, 252 execution phase of, 252 financial management, 259–260 phases of, 252 planning phase of, 252 resource management, 259–260 return on security investment, 261–263
384
Index
subjective criteria for, 258–259 success of, 257–260 Project manager financial management by, 259–260 resource management by, 259–260 responsibilities of, 253–255 Project team description of, 255–257 meetings of, 260 Property assets, 15, 135 Proprietary security officers, 239–241, 250, 263 Protected communications, 153 Protection balanced, 116 level of, 116 measures for, 115 Proximate causation, 267–268 Proximity readers, 197 Pull stations, 205 Q Quad splitter, 191 Qualitative assessments advantages of, 138 American Society for Industrial Security—International, 120–125 definition of, 13, 137 description of, 9–10 of assets, 16 of criticality, 19–20 of risk, 112, 137 of threats, 35 Qualitative vulnerability rating scale, 93–94 Quality control inspections, 242–243 Quantitative assessments American Society for Industrial Security—International, 126–132 definition of, 13, 137 description of, 9 of risk, 112–113, 137–138 of threats, 36–37 terminology associated with, 138
R Rational choice theory, 162, 165–166 Readers, 197–198 Recovery controls, 154 Reporting area, 70 Reports incident, 58, 59f–60f offense, 67–69, 68f, 73 quality control, 243 risk assessment, 116–119, 148, 325–340 security survey, 95–100 uniform crime codification system, 66, 73 description of, 62–64 vulnerability assessment. See Vulnerability assessment report Request for proposal, 210–211 Request to Exit motion detectors, 199 Residual risk, 156 Resource management, 259–260 Respondeat superior, 273 Return on security investment formula for, 262 importance of, 261–263 nonsecurity employee productivity, 262 for security measures, 82–83 for security officers, 249 Risk acknowledgment of, 271 definition of, 9, 14, 110, 137, 233, 279 matrix for, 147t residual, 156 Risk acceptance, 115, 149 Risk analysis models of, 224 requirements of, 270–271 Risk assessment American Society for Industrial Security—International, 120–132 asset identification, 110–111 components of, 275
Index
control evaluation in, 144–145 crime risk analysis, 275–276 definition of, 14, 110, 112, 134, 136 description of, 9–10 documentation of results, 148 existing security measures, 111 frequency of, 157 General Security Risk Assessment Guideline, 279–282 hybrid, 13, 112, 137 impact analysis, 145–146 information gathering for, 141 likelihood determination in, 145 purpose of, 24, 110, 278–282 qualitative, 112, 137 quantitative, 112–113, 137–138 risk management vs., 134 schematic diagram of, 12f, 20f, 27f, 51f, 85f, 109f, 217f, 231f situational crime prevention and, similarities between, 164 specialized methodologies, 113–114 stages involved in, 112 steps involved in, 110–111 threat assessment as part of, 111, 141–143 vulnerability assessment as part of, 111–112, 118, 143–144, 171 Risk assessment report description of, 116–119, 148 sample, 325–340 Risk assumption, 149 Risk avoidance, 114–115, 149 Risk determination, 146–147 Risk limitation, 149 Risk management convergence, 133–134 definition of, 14, 114, 134 elements of, 110 evaluation, 156–157 information technology. See Information technology risk management purpose of, 110, 134 refinement, 156–157 risk assessment vs., 134
385
Risk mitigation control recommendations for, 147–148 definition of, 114–116, 148 frequency of, 157 for information technology, 134 options for, 149, 280–281 strategy for, 149–150 subprocesses in, 148–149 Risk planning, 149 Risk reduction, 115 Risk scale, 147t Risk spreading, 115 Risk transfer, 115 Risk transference, 149 Robbery bank, 43 situational elements of facility associated with, 43 types of, 43 Roe v. The Marriott Hotel, 271 Routine activity theory, 53, 162, 166–167 S Sarbanes-Oxley, 178 Scenario-based vulnerability assessments, 90–91 Security convenience vs., 280 facility, 24–25 national standards, 276–278 ordinances regarding, 276 perimeter. See Perimeter security physical. See Physical security countermeasures policies and procedures, 22 regulations for, 276 statistics use in, 52 statutes regarding, 276 top-down approach to, 175 Security administration, 152 Security assessments risk. See Risk assessment security areas addressed by, 24 threats. See Threat assessments
386 types of, 23 vulnerabilities. See Vulnerability assessment Security awareness, 174–175 Security breaches description of, 160–161 estimating of, 171 procedures after, 175–176 Security consultant. See Forensic security consultant Security consulting. See Forensic security consulting Security decision makers countermeasures offered by, 52 definition of, 14 goals of, 30 information needed by, 52 networking by, 218–219 physical security countermeasure selection by, 217–223 Security industry associations, 254 growth of, 1–2 Security layering, 116 Security management, 52–53 Security management consulting, 285 Security measures. See also Countermeasures classification of, 170 cost of, 116 diffusion of benefits, 170 existing identification of, 92, 111 in risk assessment report, 117–118 inventorying of, 111 physical. See Physical security countermeasures policies and procedures. See Policies and procedures security personnel. See Security personnel types of, 22–23 Security metrics action plan for, 8 data collection for, 7
Index
definition of, 4 deployment of security personnel based on, 233–235, 262 description of, 4–6 formal system review for, 8 goals of, 6 reporting system for, 8 SMART, 6–8, 248 steps used in, 6–8 strategies for generating, 7 uses of, 5 Security mission, 176 Security officers benchmarking of, 247 compensation for, 250 contract, 239–241 metric-based deployment of, 233–235, 262 misconduct by, 272–273 negligent hiring of, 273–275 off-duty law enforcement officers vs., 235–239 private, 238 professionalism of, 248–250 proprietary, 239–241, 250, 263 quality control, 242–248 return on investment for, 249 training of, 232–233, 249–250 turnover of, 241 types of, 241 Security personnel description of, 171 metric-based deployment of, 233–235, 262 off-duty law enforcement officers, 235–239 physical security countermeasures and, 207–208 reasoning ability of, 232 responsibilities of, 232 training of, 232–233 types of, 23 Security plan, 176–179 Security programs adequacy of, 275 anticipated savings from, 263
Index
effectiveness of, 174 evaluation of, 275 justifying of, 230, 261 litigation-related evaluation of, 275 ongoing nature of, 174 organizational culture effects on, 234 purpose of, 11–12 quality control function of, 242 return on security investment, 261–263 Security project implementation strategy for, 253 quality level of, 252 success of, 252 Security project manager financial management by, 259–260 resource management by, 259–260 responsibilities of, 253–255 Security project team description of, 255–257 meetings of, 260 Security reports, 58–60 Security requirements checklist, 143–145 Security survey description of, 14, 87–88 hospital areas for, 94–95 report, 95–100 Security vulnerability assessment. See Vulnerability assessment Shrink rates, 262 Signature, 81, 166 Significant Importance asset, 135 Single-loss expectancy, 138 Single-loss exposure, 263 Situational crime prevention components of, 163–164 definition of, 160 risk assessment and, similarities between, 164 social crime prevention vs., 161 steps involved in, 164 theories
387
crime prevention through environmental design. See Crime prevention through environmental design overview of, 162 rational choice, 162, 165–166 routine activity, 162, 166–167 Situational elements assault-type crimes and, 42 definition of, 40 for robberies, 43 for theft, 44 Slide gate operators, 201 SMART metrics, 6–8, 248 Smoke detectors, 188, 204–205 Social crime prevention, 161 Social disorder models, 61 Spatial analysis, 78–81 Spatial crime displacement, 169 Spot detectors, 188 Sprinkler flow switch, 205 Sprinkler tamper switch, 205 Standards guidelines vs., 277–278 national, 276–278 Statistical data, 52 Strobes, 205 Supporting controls, 152 Swing gate operators, 201 Switcher, 191 System controllers, 196–197 Systems development life cycle, 140 T Tactical crime displacement, 169 Tangible assets, 135, 146 Target(s) assessment of, 90 assets as, 17 hardening of, 161 motivation created by, 53 of assault-type crimes, 42 rewards and, 41 selection of, 17–18, 41, 45–46 value of, 18
388 Target characteristics in assault-type crimes, 42–43 description of, 40 in robberies, 43 Target crime displacement, 169 Technical controls, 151–152 Technical management consulting, 285 Technical security, 144t Technology shows, 219–220 Temperature detectors, 188 Temporal analysis, 77–78 Temporal crime displacement, 169 Territorial reinforcement, 169 Terrorism contingency plans for, 39 definition of, 45 description of, 4 funding of, 38 Homeland Security Advisory System, 46–47 situational elements of facility associated with, 45 Terrorists, 33, 142t Theft automobile, 44–45 situational elements of facility associated with, 44 Theoretical study, 159–160 Third-party crime, 286 Threat(s) adversaries vs., 28 classification of, 30–31 definition of, 8, 14, 28, 137, 141 design basic, 33 dimensions of, 40 dynamics of, 39–46 emerging, 37–39 environmental, 141 everyday types of, 39–40 formula for, 28–30 Homeland Security Advisory System, 46–47 human, 30–31, 141, 142t information sharing about, 30
Index
information technology system, 142 insider, 31, 142t natural, 30–31, 141 types of, 141 vulnerabilities and, 9 Threat Advisory System, 46–47, 235 Threat assessments asset attractiveness and, 29–30 assets identified as targets through, 18 crime analysis. See Crime analysis definition of, 9, 14, 28, 111 elements of, 28 goal of, 34 historical information used in, 28 location-specific, 29 prior, review of, 34 purpose of, 28 qualitative, 35 quantitative, 36–37 realistic approach to, 218 report of, 47–50 in risk assessment, 111, 141–143 threats evaluated in, 29 Threat identification, 28 Threat information from onsite personnel, 33–34 industry sharing of, 32 sources of, 33–34 updating of, 37 Threat specialists, 34 Timberwalk v. Cain, 5 Time-lapse recorders, 193 Tort of negligence, 266 Tortious conduct, 287–288 Totality of circumstances, 269–270 Trade shows, 219–220 Training of law enforcement officers, 238–239 of security officers, 232–233, 249–250 Trial testimony, 297 Tri-technology motion detectors, 187 Turnstiles, 200
Index
U UCR. See Uniform crime reports Ultrasonic motion detectors, 187 Uniform crime reports codification system, 66, 73 description of, 62–64 index crimes, 167 United States Army Training and Doctrine Command Regulation 525–13, 9 Unshielded twisted pair, 191 V Vari-focal lenses, for camera, 189 Venn diagram, 21f Violent crime rate, 77 Vulnerability definition of, 8–9, 14, 86, 111–112, 137–138, 279–280 determination of, 87 information technology system, 143 likelihood determination for, 145 operational, 86 physical, 86 security survey for identifying, 87–88 technical, 86 threats and, 9 Vulnerability assessment asset-based, 90–91 definition of, 14
389
description of, 9 goal of, 86 mission statement for, 88 project management, 89 reasons for, 86–87 in risk assessment, 111–112, 118, 143–144, 171 scenario-based, 90–91 scope of, 88–89 steps involved in, 91–93 team involved in, 88 Vulnerability assessment report appendices, 106 assessment overview and process, 102–105 background of, 101–102 conclusions section of, 105 executive summary of, 100–101 facility characterization in, 101 outline of, 106–107 recommendations section of, 105 table of contents of, 100 Vulnerability rating scale, 93–94 W Water detectors, 188 Weapons of mass destruction, 35 Wiegand readers, 197 Window contacts, 186 Z Zoom lenses, for camera, 189