In every security operation there is an “above the line” and a “below the line”. Above the line is what you are supposed to do, by the book. Below the line is how you actually do the job.” – John Le Carré
Every day, security managers protect wide variety of assets from various types of threats. Billions of dollars and manpower are involved globally, in the process of asset protection of organisations. Although, in Pakistan, the quality of the Physical Security Design has improved over the past few years, but still one can frequently find voids in thorough understanding, and as a result lot of precious lives are lost.
One of the major reasons for loss of life, time and money in security business is the lack of knowledge about the security industry’s “best practices”. In this article, the basic endeavour is to stimulate the thought process of security managers towards acquiring the required professional knowledge, and introduce them with some of the most established and time-tested Physical Security Design Principles.
In order to carry out comprehensive designing of Asset Protection for the facility, one has to thoroughly understand these basic principles of security. One needs to know what assets are, what are the threats to those assets, from where they may come, and what should be done to mitigate them. Once armed with complete understanding, the most appropriate integrated Physical Security Design for any premises can be developed.
Physical Protection System must be matching the “Risks”; and managers should be considerate towards “Residual Risk”
Risk Assessment is one of the initial steps towards designing the Physical Protection System (PPS) of a facility. Moreover, PPS is designed based on the maximum credible threat to the facility, but regardless of that, some residual risk has to be accepted, because, firstly, it is not possible to eliminate all risks, and then it is not logically and financially feasible to do that. The facility threat analysis should be reviewed periodically and updated as deemed necessary.
Taking an example of garments store, where shoplifting is one of the major risks, if the owner of that store increases or places a number of security guards at each segment, that will not only become cost prohibitive, but will also create discomfort amongst the customers. In this case, the best solution would be to use CCTV cam eras with efficient human monitoring. Another option would be to use RFID tags on un-sold clothes to detect shoplifting. Despite all that, there will still be, though decreased, shoplifting incidents (residual risk), which cannot be eliminated completely.
A well-engineered PPS must have “protection-in-depth”; and the innermost layer should be the “strongest” one
PPS is always planned to be “layered” to provide strength and depth to overall security. The number of layers, the components that comprise them, and higher level of resistance against penetration, depends on the threat and the importance of the asset, which is to be protected.
These layers of PPS are placed at increasing distances from the protected asset. Physical security efforts emphasize the concept of protection-in-depth by placing the asset, which is to be protected, at the innermost layer of security. And most importantly, the innermost layer should be the strongest among other layers.
There should be “minimum effect” in case of a PPS component failure; and that protects, must itself be protected
As discussed above, a typical PPS consists of many layers, and each layer may consist of many components – either electrical, physical or both. It should be the utmost endeavour to equally balance the security responsibilities on different components of the PPS. If this principle is followed in spirit, then in case of a component failure, minimum effects on overall security will be experienced. Redundancy in security ensures that critical activities, systems, and capabilities have a secondary or backup system of equal or greater capability, once required. For example, the complete electronic security system of any premises totally depends on electricity. In case of electricity failure, and if there is no backup in the shape of UPS and electric generators, whole security system will lapse and will increase the risk, many folds
It goes without saying that the PPS component, which is protecting, should itself be protected, else it will not be able to yield expected results, once required. Moreover, during the reconnaissance by an adversary, that un-protected components may be marked in-advance to be neutralized first, during the incident. It is a very common practice in Pakistan that during most of the bank robberies, criminals take away CCTV camera-DVR with them. Resultantly, creating a big hurdle in further investigations. The best decision would be to keep cameras hidden and DVRs completely protected.
The best Physical Security Design should be the most appropriate and efficient combination of PPS components
As discussed earlier, Physical Security Design is combination of different PPS components. These PPS components are then integrated in such a manner that they complement and supplement each other to achieve high level of out put for having deterrence, detection, delay, and response processes. Using components that balance each other for their weaknesses is another way to have most efficient designing of security.
The basic and foremost purpose of the PPS components is to deter the potential adversary. For some, just a visible CCTV camera or a “notice”, telling them to keep away from the property, would suffice. But for hardcore criminals, one may have to have chain link, notice, and CCTV camera along with an armed guard. In a nutshell, before commissioning any PPS components for a premise, detailed assessment should be carried out to select most appropriate and efficient components.
Security should not be considered as a financial burden for an organization
Nowadays, during the period of economic crunch, one of the most difficult tasks being faced by security managers is to present a case to management for security budget, while using metrics to quantitatively demonstrate the value of the security requirements. There are many ways in which financial metrics can be demonstrated, but basically it is the Return On Investment (ROI) that will be of greatest interest to any management.
Security is an expensive investment for any organization, irrespective of its size. As a fixed cost, the security related budget has to compete with many other areas of the businesses that have an equally valid case for investment. Making an argument in simplistic terms, “that it would be unrealistic to do businesses without security”, is not perceived by many businesses as a sufficiently intelligent argument. Whatever logic one presents for security budget; from a business perspective, security is usually about reducing losses, but not making profits.
If the results of annual Security Risk Analysis (SRA) are expressed in terms of quantified loss potential, and if likelihood values are also quantified accurately using historical data, and projections to establish frequency or probability, and if monetary values represent both direct and indirect potential losses – are developed for the impact values, very effective potential loss expectancy projections can be developed.
Moreover, diversifying the role of “security manager and team” to involve themselves in other related aspects, like emergency and crisis management, business continuity, Health Safety Environments (HSE), responding to firefighting and first aid, would add on the value of security department.
The “need to go”, “need to know”, and “good to know” rules
In some of the organizations, almost everyone has access to almost all locations. In business, we need to support initiatives so that the business should flourish, but there should be an access management programme in place, with appropriate access privileges, based on a combination of work groups, role or management level. This makes sense not only from the security perspective, but also avoids exposing staff to unnecessary information.
It is quite understandable that business growth depends on sharing information, and organizations which are unnecessarily secretive about information sharing, generally do not create the conducive conditions for business. Access to certain business information, however, should be limited to “need-to-know” rule. But definitely, in order to implement a need-to-know rule, sensitive information must be correctly classified. Moreover, the seniority of an employee in an organization is not necessarily an indicator of need-to-know privileges.
“Good to know” is a phrase which is used to give information to someone, who is not directly required to know that information, and in most of the cases is given “just for information”. There is a very thin line between “need to know” and “good to know”, but one thing is absolutely certain; that on its onset, information should be classified and staff should be clearly identified for receiving information on “need to know” and “good to know” basis.
Non-Disclosure Agreement (NDA) is a legal confidentiality agreement, between employee and employer, not to disclose certain information, which employee receives during his work in that organization. It is an effective tool that is being widely used to stop illegally disclosing the information of one organization to another, especially with bad intent and in business competitive environments.
A security system is only as strong as its weakest point
There are number of ways of looking at this principle. In “protection-in-depth” approach, the idea is to create multiple layers of security by placing different types of PPS components, in order to complicate the adversary’s path, and to force him/her to use multiple tactics and tools for a longer period of time. The desired objective is that the adversary should be either deterred or detected, and the underlying assumption is that a vulnerability in one security layer will be compensated by the strengths of another. Where single-layer security systems are used (which is not advised) there may be circumstances where a single weak point in that layer will compromise the entire system, making it completely ineffective and exposed.
For example, there is a premise where focus of whole security system is towards three directions, but the fourth one is either completely or partially neglected. The components used in other three strong directions will ultimately become useless, as adversary will definitely use the weakest direction for his/her activity. The complete security system has to be balanced in strength, and has to be according to the time required by the response team.
The best security system provides the earliest detection
Physical Security efforts must be designed to deter, detect, delay, and respond to threats/hazards in all directions, at all times, and in all the environments. The security layout should be such that “detection” is placed before delay, as detection is most effective at the outer perimeter, while delay is more useful close to the target. But most importantly, detection is not complete without assessment. It is absolutely certain that humans are poor detectors, equipment is generally good and used for detection, but once detected humans are good at carrying out assessment of security situation. The total time for detection, delay, and response must be less than the adversary’s task time.
As far a response is concerned, contingency planning forms the basis of an effective response forces. Response force strategies include containment, denial, and assault. A vital element of response force’s effectiveness is communication.
Security systems should contain an element of surprise
Deterrence is an important objective of the Physical Security Design, and mostly achieved through visible security PPS components. But it would be quite unwise to reveal the entire spectrum of deter, detection, delay and response measures in use, to potential adversaries.
As far a response is concerned, contingency planning forms the basis of an effective response force. Response force strategies include containment, denial, and assault. Another vital element of response force’s effectiveness is communication.
Using varied and not too visible security measures along the adversary path will complicate things for an adversary, and he/she will need to constantly change tactics, and would require different tools and methods to overcome each obstacle. CCTV, if properly monitored, in particular, lends itself to this concept. Covert cameras can be deployed, long-range thermal imaging cameras can detect an adversary long before he/she reaches the target, and Pan-Tilt-Zoom (PTZ) cameras with built-in radar can be used very effectively on a perimeter, which are not very clearly visible to an adversary, but constantly monitors the area for any movement.
This principle is quite commonly practiced in highly sensitive premises, where covert security measures such as CCTV are ready to surprise and respond to any unsuspecting adversary.
Security is a consistently evolving profession, and presently is going through an era of paradigm shift from human involvement to technology. Most of the related research work is oriented towards development of technology; as in the long-run, equipment will be far cheaper than human resource. But as said earlier, the final assessment has to be done by humans, which mandatorily requires an in-depth knowledge about the subject, and for that security managers should be abreast with the latest trends.
Physical Security efforts must be designed to deter, detect, delay, and respond to threats in all directions, at all times.