2
Safety and Security Principles
Abstract
This chapter discusses safety and security principles that assist in developing and implementing an organizational safety and security program. These principles include familiarity with certain actions that all potential perpetrators take prior to conducting any type of attack against a location, identification of safety and security fundamentals, and the need to balance security measures and initiatives with business operations.
Keywords
Balancing security with business efficiency; Choke points; Critical resources; Defense in depth; Deterrence or deter; Notification; Redundancy; Response; Security fundamentals; Separation of duties; Simplicity; Unpredictability; Weak linksThe primary goal in developing an overall security program within your organization is to protect your critical resources—those people, items, information, and equipment that are vital to the operation of your business. This safety and security program should develop methods to ensure that employees consistently practice the outlined procedures and processes, and acquire the necessary equipment to improve your organization’s security measures. In order to properly maintain your organization’s security program, it is important to ensure that proper procedures and equipment are used and identify the best solutions to mitigate any possible threats. These procedures and equipment should work in concert with one another to ultimately meet the goal of deterring any potential intruder or terrorist from acting against you and your critical assets before they attempt any type of action.
The ability to deter against any potential criminal acts or attacks prior to their actual occurrence is accomplished through the implementation and practice of security plans and procedures, along with safety and security measures put into place to protect the critical resources within your organization. As a result, these safety and security initiatives should make it appear that any potential act or attack will be too difficult to accomplish, and thus the intruder will deem the risks are too great to even attempt any planned action against your organization and instead will decide to look elsewhere. It is important to note that no location can be absolutely impervious to any type of attack, and if an intruder or terrorist wants to attack a specific location; either due to personal grievances that they may have against the target or due to the symbolism or high-profile nature of the location; with this willingness and motivation, the attacker will work that much harder to identify ways around the existing security measures and still attempt the attack. Numerous examples have shown an attack against a specific location can be accomplished if the attackers are motivated and willing to throw their own safety away. Columbine High School, the site of the notorious school shootings in 1999, is one example, since this location was the only target for Dylan Klebold and Eric Harris based on their intention to harm their fellow students at the same school that they attended, and no amount of security at the school would have deterred the attackers from their attempt. Another example can be found in the infamous 9/11 attacks, as Al Qaeda was determined to attack several specific, high-profile buildings within the United States. They were successful in eventually destroying or damaging their primary targets: the World Trade Center and the Pentagon—and although the intended target of the fourth plane that crashed in Pennsylvania was never confirmed (possible targets included the White House, the U.S. Capitol, the Camp David presidential retreat in Maryland, or one of several nuclear power plants along the eastern seaboard) [1], these terrorists succeeded in attacking and destroying facilities that were thought to be extremely invulnerable based on the security measures in place, their sheer size, and their location. In these incidents and many others like them, the perpetrator’s intention to attack a specific facility due to notoriety or personal issues resulted in the perpetrators finding ways around the security measures that were in place for these locations. Unfortunately, there is no perfect or impenetrable security system that can be established—no matter what the cost or inconvenience—to protect a location against a motivated intruder or terrorist. If they have decided upon an attack against a specific location, it is likely that they will be able to find a weakness to exploit in their planned attack. Fortunately, the likelihood of an attacker specifically targeting your particular business organization is small, and proper safety and security procedures and equipment can significantly mitigate the potential for any unwanted action. The bottom line is that, regardless of a motivated criminal intent on acting against a specific location, it is still good practice to provide significant deterrence against any security incident. This will not only stop most, if not all, of the potential actions against your location by many random perpetrators, but it can also minimize damage or injury in the event that your company is attacked.
In addition to helping deter any potential action against your facility, a strong safety and security program will help make your organization better. One of the primary considerations for employees is the need to feel safe and secure within their workplace. By having an active safety and security program in place within your organization, you not only increase the security of your business’s critical resources but also alleviate concerns of your employees regarding their safety when they are at work.
2.1. Overview of Safety and Security Principles
In order to develop an effective and cost-efficient organizational safety and security program, the first and primary task is to consider and become familiar with the principles that are necessary to ensure that such a program is effective and efficient. This should be accomplished even before writing procedures or purchasing security equipment, since these principles will guide you in making the correct decisions when developing appropriate plans and procedures, purchasing security equipment, and integrating these areas into an overall safety and security program that has a positive impact on the protection of your organization’s critical resources.
These principles, which we will look at over the course of this chapter, must serve as the foundation of your plans and procedures—the very documents that will form the most integral part of your safety and security program and provide the specific details necessary for your employees to follow. We will be covering the specific instructions on how to develop your safety and security plans and procedures in the next chapter, but prior to this discussion, we will look at these safety and security principles, since they compose the building blocks necessary to implement a good program. In addition to providing the background to safety and security plans, these principles will also provide the methodology to design an effective schematic of security equipment necessary to protect your critical resources, rather than purchasing and installing items without any good idea of how they will integrate around your overall safety and security program. This pre-planning will ensure that you spend money only on security equipment that directly ties into your overall plans and ultimately saves your organization a great deal of time and money over the long term.
The safety and security principles that we will look at include:
• Preparatory actions by perpetrators and terrorist prior to incidents or emergency situations
• Primary fundamentals of security
• Balancing the needs of safety and security with business efficiency and effectiveness
The first principle, preparatory actions prior to emergency situations, covers the typical warning signs that occur before any safety and security incident. These signs are inherent in a perpetrator’s planning and are accomplished before any attack or incident. The knowledge of these preparatory actions can greatly assist you in the development of effective measures that mitigate many of these actions, since there are many different security measures that can make this preparation much more difficult. The next principle that we will cover looks at the primary fundamentals of security. These fundamentals include the following considerations necessary to any successful safety and security program:
• Identification of critical resources
• Defense in depth
• Notification
• Response
• Simplicity
• Securing the weakest links
• Use of choke points
• Unpredictability
• Redundancy or separation of duties
Within these fundamentals, we will cover each area in detail, as they should all be considered in order to establish effective and efficient plans and procedures. The third, and last, safety and security principle that we will discuss is the need to balance security measures with convenience and effective business operations that must occur in order to make your safety and security program realistic to meet the business environment that you and your employees need in order to accomplish your daily tasks. As we discussed in the introduction, security by its very nature is inconvenient. Thus, in order to continue to ensure that your employees and senior managers will support any security measures initiatives within your program, it is necessary to balance the inconvenience inherent in most security procedures with the operational needs of your organization, along with the tolerance of your employees to put up with certain inconveniences due to security measures. This balance is critical so that you can provide a safe and secure environment for your employees while ensuring that you do not squash personal initiative at the expense of security; this balance must be achieved so that your organization can continue to be innovative.
2.2. Preparatory Actions to Emergency Incidents
The first safety and security principle looks at specific actions that an attacker will take prior to an incident. Like any military unit, a terrorist or criminal will conduct some type of planning and preparation before the actual event. Knowing these actions can provide you with the awareness of what actions should constitute concern for your organization, and this knowledge will also assist you in planning and developing the security plans and measures that you should implement within your organization.
2.2.1. Reconnaissance
The first and foremost action that will be conducted by potential perpetrators prior to any attempted action is to accomplish some type of reconnaissance of the location that they plan on attacking. The purpose of this reconnaissance is to provide as much information as possible regarding the targeted facility and surrounding terrain, the weather (if this will affect the type of attack being considered by the perpetrator), security measures and personnel who are responsible for protecting the location and targeted assets, and the surrounding people and structures. All of this information is obtained so that perpetrators will better know the layout of the facility or targeted assets and can determine any obstacles that they must overcome, which in turn will allow them to further refine their plans so that they can provide a greater degree of success when they conduct the attack. Depending upon the size of the target facility and levels of security surrounding the resources targeted by the perpetrator, this reconnaissance can take a few minutes, a few months, or even years. Prior to the 9/11 attacks, Al Qaeda conducted reconnaissance for several years, beginning in 2009. This reconnaissance included in-depth studies on airport security, both outside and inside the United States, along with identification of specific flights that met the planned targets and objectives for their attack [2].
In the vast majority of instances of conducting reconnaissance, perpetrators can be identified due to certain suspicious actions. These actions can include taking pictures, making sketches, or taking notes in and around the location they are targeting. At this point in time, perpetrators can be very vulnerable and potentially caught or stopped, as long as this suspicious activity is noticed and reported. If perpetrators are aware that they have been seen and must avoid being caught at this early stage in their planning, it is very likely that they will forgo their attack against that particular location. In order to increase the chances that suspicious activity is noticed and reported, it is vital to involve all of your employees and promote a high level of security awareness throughout your organization. Throughout this book, we will discuss that one of the greatest (and also one of the cheapest and easiest) ways to augment your safety and security program is to develop your employees’ security awareness. As the total number of employees will always outnumber the number of personnel directly tasked with security, if all of these personnel have a heightened awareness to identify suspicious activity—and, more importantly, to report it—your organization will make it very difficult for potential criminals or terrorists from conducting reconnaissance, which could ultimately cause such perpetrators to move to another target or abandon their plans altogether.
2.2.2. Assess the Effectiveness of Security
Another action conducted by potential perpetrators prior to any attack is to attempt to assess the effectiveness and response of the security measures in place. To accomplish this, criminals or terrorists will normally attempt to gain information on two specific areas: security personnel and security measures.
The assessment of the dedicated security personnel—the employees solely responsible for guarding and protecting the location or targeted asset—will normally include determining an accurate count of the number of guards, their methods and procedures, and the time that it takes to respond to an incident. Prior to any type of action against the location, perpetrators will need to identify the number of security personnel that they will have to contend with. Knowledgeable perpetrators will not only identify the number of personnel normally on duty but will also ensure they are aware of the number of any additional response elements for that area. These response elements may include contracted security guards or local law enforcement personnel, should the location not have their own dedicated response force. Depending upon the level of professionalism and the importance that they place on surviving the incident, potential criminals or terrorists may also need to identify the methods and procedures of the security personnel. This information will include the security personnel’s normal duty locations, patrol areas, times for these patrols, and any standard issued equipment (e.g., radios, weapons, uniforms, etc.). Perpetrators will need to assess whether each assigned security guard spends most of the time sitting at a desk, monitoring cameras, or moving about the grounds; and perpetrators will need to determine what each guard’s standard habits might be. For example, some considerations for perpetrator will be whether security guards take their breaks at the exact same time during every shift, whether the guards adhere to a specific schedule when moving about the grounds on a patrol, or whether additional response forces always respond from the same general location. This knowledge can greatly assist potential perpetrators to conduct and, particularly, survive a planned attack.
Perpetrators may also ensure that they know the response time of any additional security personnel who would assist the onsite guard force. This last item of information will typically provide potential criminals with a timeline to accomplish their desired objective, since their plans will normally be to attempt to leave the area rather than having to overcome any additional on-duty security personnel who are responding to the scene. If possible, potential perpetrators will also observe the effectiveness of the responding security personnel to see how quickly they can ascertain the situation and act to avert a potential threat. This information could be obtained by creating a false incident that requires security forces to respond and by observing the location well before the actual planned incident.
The last major piece of information that perpetrators will typically need to know prior to their attack is what security equipment and procedural measures are in place. This knowledge will enable them to know what obstacles will have to be negotiated in order to gain access to the target. If these individuals can obtain specific information on what type of alarm systems, security cameras, door locks, or entry systems are in place; they will be able to prepare exactly how to overcome these obstacles. This information will enable them to enter the location and reach their objective in less time, and, in turn, this quicker entry will make it more difficult for perpetrators to be stopped.
With all of this information that potential perpetrators may wish to gain prior to any type of incident or attack, it becomes possible that anyone familiar with these types of activities conducted prior to a criminal incident or attack—not just onsite security forces—can be aware of and report them. As we discussed in the previous section on reconnaissance, promoting security awareness among your employees can greatly deter criminals or terrorists from gaining this information without being detected, and this awareness can deter action against your organization.
2.3. Security Fundamentals
Now that we have looked at what actions potential perpetrators will normally take prior to conducting an action against a facility or business, we will discuss the primary fundamentals of security that should be considered when looking at either physical security measures, which describe aspects that protect people and resources within your organization; or information security resources, which. in many cases are synonymous with computer security and the measures taken to protect electronic data and other information. Keep in mind that the main objective of any safety and security program is to ensure that the resources that you are protecting provide the necessary deterrents and look difficult or impossible to damage, destroy, or gain access to by any potential intruder; taking these fundamentals into account while developing your safety and security program can greatly increase its effectiveness and efficiency.
2.3.1. Identification of Critical Resources
Not only is identification of critical resources the first security fundamental, it is also one of the initial tasks that you should undertake when beginning to develop your safety and security program. Before we explain this security fundamental, let us first define the term “critical resource” as we will use it within this book.
Critical resources are any essential resources, assets, equipment, or means and processes that are necessary to ensure that your business capability is fully operational and can meet your key organizational goals and objectives.
This means that the loss of a critical resource should result in failure of your business—either in the short term or in a more permanent loss of productivity. Many individuals will make the error of designating too many items as a critical resource, which will lead to spending far too much time and money protecting items that are not necessarily critical to your business, or spending too much time and money to overprotect an item that could be replaced without any appreciable loss to your business’s activities. It needs to be noted that this definition differs from critical resources that refer to critical paths or bottlenecks in your organization’s processes—these items deal more with operational efficiencies rather than an item’s importance within the safety and security program and their ability to actually conduct operations rather than simply slowing them down. With this definition in mind, a critical resource will typically describe a specific piece of information, a required piece of equipment, or a key individual who cannot be easily replaced.
There are a variety of methods that can identify your organization’s critical resources (we will look at a using a risk assessment matrix in the next chapter to accomplish this identification so we will not go into detail here). Whether you use the risk assessment matrix or another method, it is vital that you accomplish this identification and ensure that this list includes only your truly critical resources, rather than designating every asset or piece of information as critical. In this manner, you can ensure that you spend your limited resources only to protect these assets and not waste time or money on areas that may not be necessary.
Once you have identified your organization’s critical resources, your safety and security program should be built around the protection of these items, followed by protection of other resources. One of the advantages in using a risk assessment matrix is that it not only helps to identify your critical resources but it also has the added benefit of further prioritizing all of your resources and assets. This resulting hierarchy of all of your organization’s resources should be used to determine subsequent security measures once you have adequately accounted for the protection of your critical resources. By using this prioritized list, you can determine the level of effort and costs that you can incur in order to work down this list toward the eventual goal of providing adequate security for all of your resources.
2.3.2. Defense in Depth
Once you have identified your organization’s critical resources, along with the other important resources and assets contained in your prioritized list, it is necessary that security measures are layered around these items in order to effectively protect these items; this is normally termed “defense in depth.” To accomplish this, you should use several different security measures in order to form redundant security systems so as not to rely on one sole protection device to protect an individual resource. In order to provide the most effective security umbrella, it is also necessary that these security measures do not use the same detection capability; such as infrared detectors, motion, microwave, seismic, visual, etc. For example, if you have a room with a safe containing critical resources, having only cameras both inside and outside the room would not be the most effective solution. Instead, using fewer security cameras but augmenting the area with a magnetic alarm on the safe and an intrusion alarm at the door to the room would provide a better defense in depth and result in a much safer and more secure environment.
A good rule of thumb is to attempt to provide a minimum of three security layers when designing protection around your critical resources. Depending on the criticality of the resource and the potential costs due to loss or damage, it may be prudent to place even more layers of security around the asset; however, the number of layers will depend ultimately on the money that you are able to allocate to security, based on cost analyses weighing loss and damage versus costs of the security measures. Regardless of how many layers you are able to employ, providing redundant security measures around your critical resources will ensure defense in depth and will result in mitigating potential threats. Figure 2.1 highlights this process—protecting the asset in layers.
2.3.3. Notification
The next security fundamental that should be considered within any safety and security program is the need for some type of notification method within your security system. Even if an organization has the best security system in the world—computerized access control, high-resolution security cameras, the most expensive high-security doors and windows, and all of the most technologically advanced and state-of-the-art security measures that can be purchased—without some method to notify appropriate individuals of any attempts to gain unauthorized access would render all of this amazing equipment useless. Although the most common type of notification within a security systems is some type of alarm, we will also look at other notification methods that can augment an alarm system and greatly improve notification.
As stated, alarm systems are the most common method for providing notification of unauthorized attempts to gain access to a building, room, or specific piece of equipment. An alarm system’s notification is typically accomplished by detecting changes in the environment around the object or detecting breaks in some type of pathway (e.g., electrical, infrared, etc.) surrounding an area. We will cover specific intrusion alarm systems in great detail within Chapter 6, where we will look at the various considerations in determining when to use an alarm system and what type of alarm systems work best for certain uses. For our purposes now, these alarm systems provide an extremely reliable and the most common method to notify regarding attempts to access your organization’s critical resources.
In addition to alarm systems, another notification method is to maintain up-to-date inventories and logs that track not only your critical resources but all of your high-dollar equipment. It is normally impractical and cost-prohibitive to install alarm systems throughout the entire facility, particularly in areas that do not contain any critical resources; thus, there will need to be other ways to determine whether unauthorized access has occurred and whether any equipment has been lost or stolen. In order to ensure that your organization has the means to identify any theft or loss, the use of inventories and logs that track your high-value equipment will greatly assist in this task. There are several reasons to maintain these inventories and logs. First, a significant amount of equipment theft and loss occurs from an organization’s own employees. A 2013 study of U.S. retail businesses showed that apprehensions of employees for theft have increased by 5.5% from 2011 [3]. In many cases, the likelihood that these acts can occur will significantly increase when there is no notification method in place to deter employees or other perpetrators. Second, by maintaining up-to-date inventories, your organization can quickly identify exactly what items were stolen, and you can ensure that you are aware of any theft or access not only to critical resources but to other high-dollar assets. Lastly, the available information from an accurate inventory will assist law enforcement personnel in their investigation of any theft and will provide you with an accurate accounting of any missing items for insurance claims and replacement.
Another method to assist in notification is use of security personnel. If your organization uses on-site security guards, one of their primary functions is to identify and notify supervisors of any unauthorized attempts to access your critical resources. Although this can be a very effective method, it can also be costly depending upon the size of your company. Contracting or hiring your own security guard force will be an expensive proposition, especially for smaller businesses; and although a security guard force provides a much higher level of security to your facility and resources, you should look at the long-term costs and weigh these against the risks to determine whether this is the appropriate solution for your organization. We will discuss the various advantages and disadvantages of having your own internal security guard force in Chapter 4.
A last method to augment alarm systems and assist with notification is promoting awareness among all of your employees to report any unauthorized attempts to access your critical resources or to provide information on any loss or theft of company equipment. We have already emphasized the need to gain a high level of security awareness among your employees, as it can help in so many different areas within your safety and security program. The best method to achieve this heightened security awareness is through initial and recurring training, which we will cover in Chapter 10. This high level of security awareness will greatly improve notification regarding any unauthorized attempts to access your critical resources. Employees are much more familiar with their own work areas—more so than any other individuals—and they will be much more likely to determine whether any unauthorized access has occurred. By achieving and maintain a high level of security awareness, you will be more likely to receive notification as quickly as possible, which will enable you to quickly determine necessary actions. Employees’ security awareness can also assist in the event of internal employee theft, since it is much more probable that any notification, either at the time of the incident or prior to it actually occurring, will be more noticeable among co-workers and other employees. It is much more likely that a co-worker will not only notice theft but may even be in the immediate area when an employee attempts to steal company resources, rather than a supervisor or manager. For this reason, developing a high degree of security awareness for all company employees and ensuring that they take ownership of protecting company assets will greatly increase the chances that they will report any questionable actions by other co-workers.
Notification can be achieved not only by alarm systems but by inventories and logs, security guards, and your own employees who practice a high level of security awareness.
2.3.4. Response
The next security fundamental that we will discuss is response, which goes hand-in-hand with notification. This fundamental describes the need to have at least one individual, and, if possible a group of trained individuals or even security personnel, be able to respond to an incident once a notification of a security concern has been received. This is an important security fundamental—especially if the perpetrators have conducted reconnaissance of the location with the intent to assess the response of any security personnel. If potential perpetrators are aware that there is no response force once notification of any attempt to access the location has occurred, there will be no deterrent, and it is very likely that they will proceed with their planned action. Thus, it is important that some type of response occur.
There are various levels of response that your organization can provide in the event of an alarm. These responses range from one employee who goes to the location to assess the situation, all the way to armed security personnel storming the facility in the event of an alarm notification (although some responses later may seem a little extreme depending upon the situation). A first option, due to the lower inherent costs and ease of implementation, is to provide this response capability with a designated employee who receives notification of alarm activation. This individual will assess the situation, either based upon the location and type of alarms that went off, or by their own assessment of the area. If they decide that further action is necessary, they will then make a determination to request local law enforcement or security personnel to respond. Normally, an alarm system will provide initial notification of any situation to the system provider, so it is relatively easy to ensure that this designated employee be notified by the alarm system service provider. Again, the decision to have additional response can be accomplished either by going to the facility to assess the situation in person or through their knowledge of the facility and information on what the location and type of alarms that have been received. For example, if the employee is notified that only one interior alarm has gone off but that all other external alarms have not been triggered, it is likely that the interior alarm may be malfunctioning or providing a false alarm rather than detecting an actual intruder. Since the employee will normally have to make a judgment call on whether to request further response, it is advisable that the individual designated to receive alarm notifications have the appropriate responsibility and authority so as to be able to properly analyze the situation and determine the risks involved between a response by armed security personnel or a nonresponse. This option has the advantage that it is normally the lowest in cost, since many law enforcement agencies may charge for response to a false alarm.
The next option for response is to allow the alarm system service provider to directly notify local law enforcement of any alarm notification for their response. An advantage of this is the greater capability of any police who are going to respond and react to actual breaches to the facility. Another advantage can be the relatively low costs, although, as discussed earlier, many local police have policies and procedures that involve charging costs for response to false alarm notifications due to the loss of time and manpower in the event that law enforcement is continually forced to respond to false alarms. Initially, many local law enforcement agencies will respond to an alarm notification at no charge; however, many departments will begin to charge the business at some point in the event this response is due to false alarms or there is no evidence of any actual intrusion to the location. Should your organization consider this option, it will be necessary to ensure that you understand the local law enforcement department’s policies regarding response so that you are not surprised if they begin to charge your business for false alarm responses.
At the other end of the response spectrum from having one employee receive the notification and determination the appropriate response, the last option is to contract or hire security personnel for full-time response to all of your organization’s alarm notifications and incidents. This will obviously be the most expensive option; however, this option may work if your organization is large or if your critical resources are so expensive or dangerous that the risks of any loss or damage outweigh the costs of having your own dedicated security force.
No matter what option you choose, it is necessary there be some type of response by individuals once notification has occurred. Without any type of response, all you would likely have is an alarm sounding which may frighten away teenage vandals, but not a dedicated intruder who truly wants to gain access to your critical resources. This type of perpetrator will quickly discover the lack of any actual response and exploit this discrepancy.
2.3.5. Simplicity
Everyone has heard the saying “Keep it simple.” This adage works well for almost everything, including safety and security programs, and applies to both the type of equipment you are using along with your organization’s safety and security procedures.
2.3.5.1. Simplicity in Regard to Security Equipment
Keeping things simple is a significant determination in the complexity and technology of the security equipment that you are considering in your security system. When deciding what type of security equipment to incorporate, you should look at the following:
• Track record and reliability of the security equipment
• Dependence of the security equipment upon humans
• Ability to integrate newer and more advanced security equipment into an existing system
• Higher cost of more complex and more advanced security equipment technologies
In regard to security equipment, it is normally better to look at purchasing and using good equipment that has been used for a while with a reliable track record rather than using brand-new equipment that incorporates the latest technologies. Security equipment that has been in operation for a while will have a proven track record and the manufacturer will likely have worked out any problems, whereas, in the case of equipment that incorporates state-of-the-art technological advances, the manufacturer has probably not been able to work out many of the bugs that can occur with newer equipment. In addition, many newer technologies may have significant problems integrating with older equipment. This could create significant problems, since most security systems should work together in order to provide an easy-to-understand notification system.
An illustration of using simpler equipment rather than state-of-the-art items can be found in one job in which I was responsible for security within a nuclear storage site. As anyone can imagine, based on the sensitivity of the critical resources that we were charged with protecting, the security measures were designed to be as impenetrable as possible; however, many of these measures used several new technologies as part of the overall security system for the site. One such technology that was incorporated into the security system that at the time was truly state of the art was an early form of biometric identification. This system assisted in the identification and authorization of personnel who were attempting to gain access to the site. The specific type of biometric system that was utilized in this particular system was handprints of the individual. Although the technology for this system was available at this point in time, it was still relatively new, and, as a result, the system encountered a fairly high failure rate when attempting to identify individuals and their authorization. Of course, due to the critical nature of nuclear resources, the system was designed so that failures in the biometric identification would not allow access; but, due to these issues and problems resulting in a high failure rate, the system was almost useless at times, since a security guard had to recheck the authorization of the individual. Add to this the additional monies to fix the problems with the system, and the use of this relatively new (at the time) technology was probably not the best course of action. Over the last several years and with the many advances in technology, handprints and other biometric identification systems have become much more reliable, but at the time, use of this system illustrates the sorts of problems that can occur if you are trying to incorporate the latest technologies in your security system. Based upon the track record of the items’ performance and reliability, it is normally better to use security equipment that is relatively simple to operate rather than brand-new, state-of-the-art equipment that may provide a better level of security but that will be more complex. Although newer and more complex equipment will typically be more sensitive and will utilize better technology, these items can lead to a higher rate of false alarms and downtime.
Another consideration with regard to the need to keep security equipment simple is that most security systems are ultimately dependent on the human factor—not the technology of the equipment. You can have the best security equipment money can buy, but if the individual tasked to observe the equipment or respond to alarms is not paying attention during an actual intrusion or emergency, the higher cost of these systems will not have justified their cost or resulted in any appreciable improvement to security of your critical resources or the facility. With this in mind, it is almost always better to provide more safety and security training to your employees or hire more security guards rather than paying the higher costs of the latest and greatest security equipment technology.
One issue that many organizations overlook when considering incorporating newer technologies is the ability to integrate this upgraded equipment into your organization’s existing security system. An overall security system should integrate all areas and subsystems that compose its associated equipment, to include alarms, cameras, access control, and other items. These integration systems are typically computer operated and should easily show the user alarms across the entire system. If a new piece of hardware incorporates the newest technology, however, the overall integration system may not be able to process the data and other information from this one piece of equipment due to its more advanced technology. Another issue that can occur with higher technologies is a lack of compatibility in the operating system of this newer equipment. These issues could render the newer hardware incompatible with the current integration system, and cause you either to purchase a new integration system or to scrap the new piece of hardware.
The last consideration in regard to advanced technologies is that many security equipment items reach a point of diminishing returns due to the higher costs associated with more complex and newer security technologies. Even if the more complex security equipment has been thoroughly tested and works well, there may only be an incremental increase in its detection capability when compared with its less expensive alternative. One must determine whether the small increase in detection is useful or truly necessary based on any greater costs and complexity when determining what specific piece of security equipment to purchase.
2.3.5.2. Simplicity in Regard to Security Procedures
The other primary area in which to ensure that you keep things as simple as possible is in your security processes and procedures that must be followed by your employees. Let’s face facts—most organizations are too busy working on their day-to-day business operations to allocate a significant amount of time to their safety and security programs. The time that is necessary to train your employees on each and every one of their security procedures and to conduct practice sessions in order to ensure that these procedures are understood to the degree necessary can be staggering if you allow it to be. Unfortunately, some time must be dedicated to your safety and security program, as shown by numerous after-action reports from actual security or terrorist incidents that have highlighted the unfamiliarity of many employees with their organization’s emergency response procedures in the event of an actual emergency. These employees were simply not knowledgeable about the necessary actions or were not prepared to react to the actual incident; as a result, these employees did not know what to do when the actual incident started. For this reason, it is important to keep your safety and security procedures as simple and basic as possible.
Due to the myriad emergencies and incidents that could occur in any organization, keeping your organization’s security procedures simple may seem difficult to accomplish, but let me promise you—it is not. Even with the many different types of incidents that could occur, there are basically only two different types of possible actions, and two actions only, that most of your employees would need to take in the event of an emergency. Although there are going to be more actions for senior leaders in order to manage and direct the response, the only two actions for employees are either evacuation or remaining in place (sometimes termed “lockdown”). We will cover both of these actions in detail in Chapter 9—Emergency and Contingency Planning, but by focusing your training efforts within your organization on these two simple procedures, rather than getting bogged down in the minutiae of the vast amount of security processes and procedures that are available, it will become much easier for your employees to understand what they need to accomplish in the event of an actual emergency.
2.3.6. Securing the Weakest Links
When evaluating your safety and security program, it is always a good idea to identify and strengthen the weakest links in your organization’s overall security system, which is the next security fundamental that we will cover. This fundamental is particularly necessary if any of these weak links in your security system can lead directly to access of a critical resource within your organization.
The best method to determine what areas are the weakest links in your security system is to have an objective assessment of the equipment and procedures used within your safety and security program. This assessment can be accomplished either by hiring outside consultants or by asking an expert on security within your own organization to evaluate the overall system, identify the weak links, and provide solutions and areas for improvement. If you opt to use an internal expert to accomplish this assessment, it is best if that individual is not associated with security within your organization, in order to obtain an unbiased, more valid and true evaluation. It should be pointed out that the process of fully evaluating a security system can be lengthy; however, the dividends that will be gained by the identification of weak links that will lessen risks and result in cost savings from averted incidents will make it well worth the time.
Once the weak links within your security system have been identified, it is possible to ensure that these areas are strengthened through either equipment or procedures. Many organizations will first look at solving these issues with the purchase of additional security equipment in order to provide greater protection to these problem areas; however, it should be noted that many times there may be no-cost options that resolve these issues. These no-cost options can normally be accomplished by revising or augmenting existing procedures within a safety and security program. By identifying the weak links and providing corrective action, your safety and security program will be greatly enhanced.
2.3.7. Use of Choke Points
Choke points are another security fundamental that, once identified, will assist in the development of your organization’s safety and security program. Choke points are areas that will narrow access into your facility for both personnel and packages that enter your business. The purpose in narrowing, or funneling, traffic through these locations has two purposes. First, it helps to better identify the locations where security measures are needed and should be focused. Second, by identifying the choke points, you may be able to limit the number of security equipment items required, since they will be implemented primarily at these funnels.
These purposes—the ability to minimize the number of entry points and the ability to funnel individuals (whether employees or visitors) through choke points onto your grounds and into the facility—are key factors in limiting possible vulnerabilities and deterring actions by criminals or terrorists. Quite simply, the fewer entry points into your business, the less money and time you will be required to spend on security measures. Fewer entry points also result in a much greater ability to identify people attempting to access your organization, as well as packages that may be suspect. In Chapter 6, in which we look at physical security measures, we will emphasize that the ability to control access to your facility is one of the most significant aspects that will have a positive impact on your organization’s overall physical security system. In this chapter, we will go into the specifics of how to accomplish proper access control; however, this process ultimately utilizes the security fundamental of choke points to see that entry points are kept to a minimum, to better ensure the ability to monitor and secure these locations.
2.3.8. Unpredictability
Unpredictability can greatly enhance security. Most of us have seen movies in which intruders want to gain access into a restricted area and, in order to do so, they are able to time a security guard’s patrol route down to the minute; although this level of predictability rarely happens in real life, any security guard that uses the exact same route movements and patrol zones day after day can make it very easy for potential perpetrators to time their entry when there is little chance of detection.
During my security training in the military, I was taught about the significant impact of unpredictability through an interview conducted with a Viet Cong general after the conclusion of the United States’ participation in the Vietnam War. The general was part of a panel discussion with several senior American military officers from all the different U.S. uniformed services—the Army, Marines, Navy, and Air Force. When asked what forces had posed the greatest problems to the Viet Cong, most of the U.S. officers thought that it was obviously their service that had achieved this distinction and had been the most difficult to overcome for the enemy. The Army officer thought it might have been his normal soldiers, but more likely the Army Special Forces personnel, that would be singled out by the General. The Marine officer believed that his marines would be named due to their esprit de corps and training. Even the Naval officer expected that his sailors would be singled out, in significant part based upon the accomplishments of the SEALs. Surprisingly, though, the Viet Cong General stated that the most difficult troops that they had had to contend with were U.S. Air Force Security Forces personnel, who were primarily tasked to guard air bases in Vietnam. When asked why he had named this group, the General stated that it was due to their unpredictability. These forces never defended the base in the same way on any given day. One day, they would be posted in only a few locations with small numbers of defenders. On other days, they would have large numbers of personnel located at every security post along the perimeter of the base. Still other days, the Air Force Security Forces troops would be moving about the base perimeter in vehicles and foot patrols that were not fixed at any specific locations. Although this unpredictability may not have always been planned (it may have depended on the size of the party the night before or how many troops had a pass to go off base the day before), the Viet Cong General stated that these unpredictable actions made it extremely difficult for his forces to locate the exact number of defenders and to neutralize them.
Unfortunately, unpredictability can be difficult to achieve and can also become a double-edged sword. Although unpredictability makes it difficult for an adversary to anticipate your actions, being unpredictable can make security processes and procedures much more complex, which violates our earlier-discussed fundamental—that of simplicity. This complexity is created by multiple procedures for security personnel to accomplish, in order to allow for several different methods that will equate to more unpredictability. This paradox results in the need for your organization to create a balance between simplicity and unpredictability, while taking into account the level of knowledge and training of the employees who are the primary individuals who must implement and practice security procedures on a daily basis. A good rule of thumb is that any security procedures that apply to employees who are not primarily tasked to conduct security duties should emphasize simplicity; however, if your organization has employees who are tasked to conduct security duties on a full-time basis, such as an internal guard force or dedicated security department, it may be possible to place more emphasis on the unpredictability of security procedures with these individuals. By trying to implement many different options for any given security procedure in order to promote unpredictability, it will be likely that employees who are not directly tasked with security duties will begin to be confused. Since full-time security personnel will have additional time to train on a variety of different procedures that will result in more unpredictable security behaviors, it is possible to consider implementing various procedures.
Even without full-time security personnel, unpredictability can be achieved simply by emphasizing a certain aspect of your safety and security program throughout your organization over the course of any given year. Although there has been no change in any security procedure, this emphasis will result in your employees focusing on a variety of particular procedures over a period of time, which will be seen as unpredictable behavior within your safety and security program by an outsider.
2.3.9. Separation of Duties
The last security fundamental that we will look at is separation of duties. This concept is much like a check and balance system, since it avoids the possibility of one individual being fully responsible for different functions within an organization, which, when combined, may result in an undetected security violation. Separation of duties is all about validation…in fact, there is an old Russian proverb (which was also used by President Ronald Reagan) that sums up the concept: “Trust, but verify.” [4] Understanding the meaning behind that saying is very important when it comes to understanding the principle of separation of duties.
When separation of duties is first introduced into organizations, there can be some significant discomfort—sometimes from trusted employees and other times from employees who have not had to undergo any type of check and balance process to review their actions; however, there are several reasons to implement this concept. First, any individual can make a simple error or accomplish a task incorrectly with the best of intentions, and it is unlikely that even the most conscientious of workers will catch their own errors. By implementing a check and balance system in order to separate these duties, a second individual who is verifying the task will provide the organization with assurance that the processes are being carried out accurately and correctly. The second reason is to ensure that employees are not taking advantage of their authority and responsibilities. An example would be having only one employee responsible for both maintenance and tracking of all funds within the organization. In this case, the one employee would easily be able to embezzle funds from the company, since there is no other individual who checks, or is even aware, of the status of the funds. By dividing tasks involved in obtaining, tracking, and spending money, it becomes more difficult for the organization to lose funds and makes it easier to identify concerns.
2.4. Balancing Security Measures with Business Operations
As we have discussed earlier, security is inconvenient, so it is necessary that your organization strike the correct balance between implementation of security measures and their effects upon business operations. This is the last security principle that we will cover: balancing these measures and procedures with your own business operational requirements. Within this principle, there are three areas that must be taken into account when attempting to balance these specific security measures and the procedures for your organization and its business needs. These three areas—effectiveness of security measures, business environment, and employee willingness—form a triangle that should describe the balance between these areas in order to produce the right mix for your particular organization (Figure 2.2).
It is not necessary that the three sides of this triangle be equal, since each area’s individual weight and importance can vary greatly from organization to organization based upon the specific needs of that company in its business and operating environment.
2.4.1. Factors that Affect the Security Measures versus Business Operations Triangle
In order to determine the importance of each of these three areas within your particular organization, it is useful to consider the following factors specific to your business:
• Senior management emphasis on safety and security
• Cost and importance of your organization’s critical resources
• Organizational culture
The first factor to consider is what level of emphasis the organization’s senior management places on safety and security. This is a critical factor, as the level of emphasis and involvement in safety and security from your organization’s senior management will directly influence another factor—the overall culture of the organization. It is vital that senior management within your organization be honest and truthful in how much importance is placed upon safety and security, since it can have an impact on so many other areas within the company. For example, if a high level of security is desired or necessary within your organization, this will lead to more stringent security practices and, in turn, to a higher level of inconvenience. Thus, this factor not only shows the level of risk that senior management is willing to take, but it also affects the amount of inconvenience caused by these additional security measures that your employees must work around in order to carry out their normal duties. This higher level of inconvenience will lead to complaints and additional explanation of security procedures to employees, so if the high level of emphasis on safety and security by senior management is simply “lip service,” it will become apparent, and many areas—in addition to your safety and security program—will suffer. It is important to note that most employees will go along with the implementation of more stringent security processes; however, senior management must truly believe in their decision regarding the level of importance of safety and security and be behind this decision.
The next factor to consider when determining the level of emphasis of each of the three areas contained within the triangle is the cost and importance of your organization’s critical resources. If your critical resources are so vital that any attempt against them would be catastrophic (nuclear weapons or components would be a perfect example of this), then the level of security that you will need to implement will be much different from a business that manufactures low-cost items. The company that works with nuclear components will be required to place a huge emphasis on the effectiveness of the security measures that are put into place, based on the potentially catastrophic consequences of any action against the business and its critical resources. In this example, the other factors—business environment and employee willingness to work around inconvenience—become secondary due to the criticality of the business’s critical resources.
The last factor that should be considered when determining the level of importance and how to balance each area within the triangle is the culture within your organization. As we discussed earlier, emphasis by senior management on safety and security can influence this factor; however, this emphasis can influence the organizational culture only in incremental degrees over time. Normally, an open corporate culture will not embrace strict security measures as much as an organization that is more autocratic. For example, if the current organizational culture is extremely open and easy-going (Google is a company that comes to mind to use as an example with this type of company culture), it will be very difficult to immediately initiate a large number of security measures that create a great deal of inconvenience to the employees. If it is determined that an open and easy-going organization needs to implement more controls and more stringent security measures, the culture of the company will need to be addressed; but it should be noted that these initiatives should be introduced over time in order to ease employees into the newer and more strict procedures.
Now that we have provided an overview of the three factors—senior management emphasis on safety and security, the organization’s critical resources, and organizational culture—we will look at each of these factors in more detail in order to better enable you to determine how to balance the three areas within the Security versus Business Operation Triangle within your particular organization.
2.4.2. Effectiveness of Security Measures Portion of the Triangle
Effectiveness of the security measures describes the level of detection that the security system protecting a specific item should achieve. This level of detection will depend on the criticality of the resources that you are securing and what repercussions would occur to your business or reputation if any loss or damage were suffered with these items. For example, the repercussions based upon the loss of the weekly coffee fund are going to be dramatically different from the repercussions due to any security breach that would occur with any type of biological or chemical material. These repercussions lead to a very different level of detection necessary to protect either item. In the case of the coffee fund, it may be determined that you need to detect loss or theft only 50% of the time; however, with biological or chemical materials, the level of detection may need to exceed 99%.
Due to the significantly different repercussions and, conversely, the vastly different levels of detection necessary to protect the two items in our example, the other areas within the Security Measures versus Business Operations triangle will be affected. In cases in which a very high level of detection is necessary, there will be less consideration of the business environment or employee willingness areas that you should consider. For this reason, the effectiveness of security measures area forms the base of the triangle; and, as we discussed earlier, this triangle will likely not be equilateral, since this one area can dictate the impact and importance of the other areas.
2.4.3. Business Environment Portion of the Triangle
As in our earlier example, the type of business and the resulting company culture within your organization will have an impact on the level of security within your organization and, in turn, will affect the other areas within the triangle. For example, if your business depends upon customers who must visit and have access to your facility, the level of security that you will need to establish will be different from that of a manufacturing business that does not require any outsider access and sells only to suppliers located off-site. Another way to illustrate this point is to use retail business as an example. A retail store will not be able to implement significant security measures, since these could make it difficult for customers even to gain access into the facility and would likely result in the customers simply going elsewhere. This point should be obvious, but any security measures that are implemented should ensure that they do not take away from your primary business function. In the case of your particular business, you will need to look at what accommodations must be made in order to ensure the least amount of impact on your customers and implement appropriate security measures around these considerations.
2.4.4. Employee Willingness Portion of the Triangle
Employee willingness to work around inconvenience is the last side of the Security Measures versus Business Operations Triangle. It is necessary that employees be willing to work around the security measures that have been implemented, and your organization must work to ensure that your employees are satisfied with the working conditions. As we have discussed earlier, there are several factors that can have an impact on this willingness of employees. First, by placing a high level of emphasis on safety and security by senior management, it is likely this will lead to an increase in the amount of inconvenience that employees are willing to endure. Second, the culture of your organization will have a direct impact on the amount of inconvenience that employees are willing to work around—an open and free organization will have a different level of support in regard to safety and security initiatives, when compared to an organization that follows a strict hierarchy and is autocratic in nature.
One of the primary areas to consider when looking to implement changes in your organization’s safety and security posture is to consider the impact upon your existing employees, as these are the personnel who will need to be sold on any modifications. There are several options that you can use to ensure success when discussing this with your employees. One option is providing several communications that notify employees of any upcoming changes in safety and security well before they are to occur. These communications should not only include the changes in security procedures that will be taking place but also why these changes are occurring (e.g., correcting current deficiencies in the organization’s safety and security program, mitigating risks or vulnerabilities in the organization, saving money, etc.). Another option is to conduct group meetings with employees to discuss the changes and to answer any questions or concerns. A final option is walking around the various offices within your organization and talking with individuals or small groups to alleviate concerns and to answer questions. Any of these options will help employees to better understand these changes in your safety and security program and will result in greater success.
Fortunately, new employees who come on board after any modifications to your safety and security program will adapt to the existing procedures and the current environment; however, it will be necessary to spend time with the current employees as you implement any new safety and security initiatives. Ultimately, employees will learn to work under the new processes and procedures as long as senior management shows their support.
2.5. Summary
The primary goal in any security program is to protect your organization’s critical resources by implementing security measures, which can include equipment, processes, and procedures. To accomplish this goal; we have looked at safety and security principles that included actions by potential perpetrators before an incident, the primary fundamentals of security, and balancing safety and security with business efficiency and effectiveness.
The first safety and security principle is to be familiar with certain actions that all potential perpetrators take prior to conducting any type of attack against a location. These actions include reconnaissance of the location prior to an attack, and assessing the security measures such as equipment, size, and capability of the on-site security force (if any), and what type of response occurs in the event of an attack. Knowing these actions can strengthen the security measures of your organization and assist in the ability of your employees to identify these actions through training.
The next safety and security principles that we covered were several security fundamentals that need to be taken into account when developing a safety and security program. These fundamentals include:
• Identification of critical resources
• Defense in depth
• Notification
• Response
• Simplicity (of both equipment and procedures)
• Securing the weakest links
• Use of choke points
• Unpredictability
• Separation of duties
The last safety and security principle that we covered in this chapter was the need to balance security measures and initiatives with your business operations. It is imperative that this balance be achieved, since security is going to create inconveniences with some processes and your employees. The main areas that affect this balance include:
• Effectiveness of security measures, or the level of detection necessary to protect your organization’s critical resources
• Business environment, or type of business that your organization is in
• Employee willingness to work around the inconveniences created by the safety and security program
We introduced how these three areas form a triangle—although not necessarily an equilateral triangle—that should illustrate your organization’s unique solution in balancing these three areas to ensure that you can maintain business efficiency while ensuring safety and security.
2.6. Safety and Security Principles Checklist
| Yes | No | |
| Does your initial employee training include security awareness? | ||
| Do you train your employees on potential actions by perpetrators and terrorists prior to an attack, to ensure that employees are aware of and can possibly identify such actions? | ||
| Do your safety and security plans and procedures take into account the nine fundamentals of security? | ||
| Have you sketched out your organization’s Security Measures versus Business Operations Triangle? |
Note: All items are listed in priority order, so you should ensure that each answer is “Yes” prior to expending funds or effort on addressing the next question. This ensures that an executive with minimal security expertise can easily move down the list in order to implement an adequate security program.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.