Why Security Systems Should Be Integrated
In order to talk about why security systems should be integrated, we need to first understand the theory of protecting organizations' assets.
Every organization begins with a mission. The organization develops programs in support of its mission. If the organization's mission is banking, depending on the country, they may develop programs to include retail branch banks, a credit card program, loan programs, investment banking program, a real-estate management program, currency, oil or stock trading, and so forth. As they develop programs, the organization will acquire assets in support of its programs. These assets always include:
• Property
  • Real Property (Land and Buildings)
  • Fixtures, Furnishings, and Equipment
• Proprietary Information
  • Patents, Formulas, etc.
  • Accounting Records, etc.
• The Organization's Business Reputation
These assets have appropriate and inappropriate users. Appropriate users include those who use the assets for the benefit of and with the permission of the organization. Inappropriate users are those who seek to use the organization's assets for their own benefit rather than for the benefit of the organization or, in some cases, against the benefit of the organization.
Inappropriate users can include employees using a Social Network Web site on company time, customers who make too many purchases and returns, or something more serious. “Threat Actors” are a category of inappropriate users who present a criminal or terroristic threat to the welfare of the organization and who act on that threat. Threat actors include:
Organizations must protect their assets from Threat Actors or face serious reductions in their ability to meet their mission. The role of an organization's Security Program is to improve the likelihood of appropriate use of its assets and reduce the potential for inappropriate use of the organization's assets. It does that by analyzing the risk the organization faces and developing appropriate security countermeasures to balance the risk.
In its simplest form, Risk is a combination of the existence of an active threat actor interested in the organization's assets (probability, P), exploitable vulnerabilities (V), and the degree of consequences (C) of that threat scenario being carried out, or R = (P*V*C).
A high probability of a scenario coupled with high vulnerabilities that could result in high consequences represents a high risk. A low probability with low vulnerabilities, resulting in low consequences, represents a low risk. All other things being equal, Threat Scenarios with Low Probability and High Consequences should receive a higher risk score than those with Higher Probability and Low Consequences. For this reason I recommend that one consider risk as R = (P*V), prioritized by Consequences. While similar, the second simple risk formula results in a more accurate risk assessment.
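The two formulas above compared on a small scenario register, as an added example that is not from the original text. The 1-5 scales, the scenario scores, and the reading of "prioritized by Consequences" as sorting by C first and by P*V within each consequence level are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    p: int  # probability of an active threat actor, 1 (low) to 5 (high)
    v: int  # exploitable vulnerability, 1 (low) to 5 (high)
    c: int  # consequences if the scenario is carried out, 1 to 5


# Constructed sample register for a retail bank branch (illustrative scores).
REGISTER = [
    Scenario("Social network use on company time", p=5, v=4, c=1),
    Scenario("Excessive purchases and returns", p=4, v=3, c=2),
    Scenario("Theft of accounting records", p=2, v=2, c=4),
    Scenario("Armed robbery of the vault", p=1, v=3, c=5),
    Scenario("Vandalism of signage", p=3, v=3, c=1),
]


def rank_pvc(scenarios):
    """First formula: one score, R = P*V*C, highest first."""
    return sorted(scenarios, key=lambda s: s.p * s.v * s.c, reverse=True)


def rank_pv_by_consequence(scenarios):
    """Second formula (assumed reading): group by C, highest first,
    then order by R = P*V inside each consequence level."""
    return sorted(scenarios, key=lambda s: (s.c, s.p * s.v), reverse=True)


def names(ranked):
    return [s.name for s in ranked]


if __name__ == "__main__":
    print("R = P*V*C")
    for s in rank_pvc(REGISTER):
        print(f"  {s.p * s.v * s.c:>3}  {s.name}")
    print("R = P*V, prioritized by C")
    for s in rank_pv_by_consequence(REGISTER):
        print(f"  C={s.c} PV={s.p * s.v:>2}  {s.name}")
```

With these scores the single product puts the low-consequence, high-frequency scenarios at the top and the vault robbery near the bottom, while the consequence-first ordering reverses that and still uses P*V to separate scenarios of equal consequence.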
Once risks are assessed, security countermeasures should be developed. These should always begin with a Comprehensive set of Security Policies and Procedures, upon which all other countermeasures are built. This is to ensure that all countermeasures have a practical basis in security policy.
Good Security Programs include all three types of security countermeasures:
• Hi-Tech
• Lo-Tech
• No-Tech
Hi-Tech Countermeasures include electronic systems: Alarm/Access Control, Digital Video, Security Intercoms, 2-way Radio, X-ray and Metal Screening, and so forth. Lo-Tech Countermeasures include Locks, Barriers, Lighting, and Signage, and No-Tech Countermeasures include Policies and Procedures, Security Staffing, Dogs, Law Enforcement Liaison Programs, and Security Awareness Programs. These three types of countermeasures should always be used together in a layered approach to reduce risk.
All security countermeasures are intended to:
• Deter Unwanted Behavior
• Detect Inappropriate Behavior
• Help Assess what has been Detected
• Help Security Staff Respond to Security Events
• Delay Intrusions and Exits of Offenders
• Gather Evidence of Security Events for Prosecution and Training
Since Deterrence varies substantially depending on the commitment of the Threat Actor, it cannot be accurately calculated, so you should not factor Deterrence into the Countermeasure Balancing formula. Remember, all security programs should be layered such that the most valuable assets are protected by multiple layers of Detection, Assessment, Delay, and Response. That is, a Threat Actor should have to go through multiple rings of detection and barriers to get to an asset and to get that asset back out of the organization's possession, encountering delaying mechanisms along the way in and out. At all times, the Security System should be gathering Evidence.
Designing an effective Electronic Security System is a challenging task. But Electronic Security Systems do their job better when their various components are “integrated” into a single, comprehensive system allowing each part of the overall system to “feed” information to and draw from the other parts of the system to enhance functions and effectiveness.
A well-designed security system should filter unnecessary information; present relevant information in a quick, easy-to-understand format; and provide the Security Console Officer and Supervisor with quick and relevant options to defend the organization's assets.