Physical Security

Physical security is the foundation of every security program. It is the combination of people, equipment, and procedures into a seamless protection program. 

Physical security focuses on the protection of organizational assets such as people, property, and information.

Security system components tend to fail at the worst possible time; so contingency planning must be assessed and factored into physical security planning.

Physical security starts with the environment and takes a proactive stance to building programs that are both flexible and comprehensive in design. One proactive approach in the planning and design is referred to as Crime Prevention Through Environmental Design.

Crime Prevention Through Environmental Design (CPTED) is a set of concepts based upon the idea that the proper design and use of the environment can reduce the fear, opportunity, and incidence of crime and improve our quality of life. 

Defensible Space, a concept often associated with CPTED, is where the environment is compartmentalized into smaller areas or zones that are clearly defined, making them easier to protect. 

CPTED is best applied using a multi-disciplinary common-sense approach. By involving engineers, architects, designers, security professionals, law enforcement, landscapers, and the end-users of the area/facility, the final application of CPTED concepts will offer a proactive approach in crime prevention. CPTED relies on an awareness of how people will use the space for legitimate and illegitimate purposes.

Physical security assessment plan.

1. Risk assessment models and considerations

2. Qualitative and quantitative assessment methods

3. Key areas of the facility or assets that may be involved in assessment

4. Types of resources needed for assessment

Identify assets to determine their value, criticality, and loss impact.

1. Definitions and terminology related to assets, value, loss impact, and criticality

2. The nature and types of assets (tangible and intangible)

3. How to determine value of various types of assets and business operations

Assess the nature of the threats so that the scope of the problem can be determined.

1. The nature, types, severity, and likelihood of threats and hazards (e.g., natural disasters, cyber, criminal events, terrorism, socio- political, cultural)

2. Operating environment (e.g., geography, socio-economic environment, criminal activity)

3. Potential impact of external organizations (e.g., competitors, supply chain, organizations in immediate 

proximity) on facility’s security program

4. Other external factors (e.g., legal, loss of reputation, economic) and their impact on the facility’s security program

Conduct an assessment to identify and quantify vulnerabilities of the organization.

1. Relevant data and methods for collection (e.g., security survey, interviews, past incident reports, crime statistics, employee issues, issues experienced by other similar organizations)

2. Qualitative and quantitative methods for assessing vulnerabilities to probable threats and hazards

3. Existing equipment, physical security systems, personnel, and procedures

4. Effectiveness of security technologies and equipment currently in place

5. Interpretation of building plans, drawings, and schematics

6. Applicable standards/regulations/codes and where to find them

7. Environmental factors and conditions (e.g., facility location, architectural barriers, lighting, entrances) that impact physical security

Perform a risk analysis so that appropriate countermeasures can be developed.

1. Risk analyses strategies and methods

2. Risk management principles

3. Methods for analysis and interpretation of collected data

4. Threat and vulnerability identification

5. Loss event profile analyses

6. Appropriate countermeasures related to specific threats

7. Cost benefit analysis (e.g., return on investment (ROI) analysis, total cost of ownership)

8. Legal issues related to various countermeasures/security applications (e.g., video surveillance, privacy 

issues, personally identifiable information)

Design, and Integration of Physical Security Systems

1. Design constraints (e.g., regulations, budget, cost, materials, equipment, and system compatibility)

2. Applicability of risk analysis results

3. Relevant security terminology and concepts

4. Applicable codes, standards and guidelines

5. Functional requirements (e.g., system capabilities, features, fault tolerance)

6. Performance requirements (e.g., technical capability, systems design capabilities)

7. Operational requirements (e.g., policies, procedures, staffing)

8. Success metrics 

Determine appropriate physical security measures.

1. Structural security measures (e.g., barriers, lighting, locks, blast migration, ballistic protection)

2. Crime prevention through environmental design (CPTED) concepts

3. Electronic security systems (e.g., access control, video surveillance, intrusion detection)

4. Security staffing (e.g., officers, technicians, management)

5. Personnel, package, and vehicle screening

6. Emergency notification systems

7. Principles of data storage and management

8. Principles of network infrastructure and network security

9. Security audio communications (e.g., radio, telephone, intercom, IP audio)

10. Systems monitoring and display (control centers/consoles)

11. Systems redundancy alternative power sources (e.g., battery, UPS, generators, surge protection)

12. Signal and data transmission methods

13. Considerations regarding Personally Identifiable Information (physical/logical/biometric)

14. Visitor management systems and circulation control

Design physical system and prepare construction and procurement documentation

1. Design phases (pre-design, schematic design, design development, construction documentation)

2. Design elements (calculations, drawings, specifications, review of manufacturer’s submittals and technical data)

3. Construction specification standards (e.g., Construction specifications Institute, owner’s equipment 

standards, American Institute of Architects MasterSpec)

4. Systems integration (technical approach, connecting with non-security systems)

5. Project management concepts

6. Scheduling (e.g., Gantt charts, PERT charts, milestones, and objectives)

7. Cost estimation and cost-benefit analysis of design options

8. Value engineering

Outline criteria for pre-bid meeting to ensure comprehensiveness and appropriateness of implementation.

1. Bid package components

2. Criteria for evaluation of bids

3. Technical compliance criteria

4. Ethics in contracting

Procure system and implement recommended solutions to solve problems identified. 

1. Project management functions and processes throughout the system life cycle

2. Vendor pre-qualification (interviews and due diligence)

3. Procurement process

Conduct final acceptance testing and implement/provide procedures for ongoing monitoring and evaluation of the measures.

1. Installation/maintenance inspection techniques

2. Systems integration

3. Commissioning

4. Installation problem resolution (punch lists)

5. Systems configuration management

6. Final acceptance testing criteria

7. End-user training requirements

Implement procedures for ongoing monitoring and evaluation throughout the system life cycle.

1. Maintenance inspection techniques

2. Test and acceptance criteria

3. Warranty types

4. Ongoing maintenance, inspections, and upgrade

5. Ongoing training requirements

6. Systems disposal and replacement processes

Develop requirements for personnel involved in support of the security program.

1. Roles, responsibilities, and limitations of security personnel (including proprietary (in- house) and contract security staff)

2. Human resource management

3. Security personnel training, development, and certification

4. General, post and special orders

5. Security personnel uniforms and equipment

6. Personnel performance review and improvement processes

7. Methods to provide security awareness training and education for non-security personnel

Risk management: (A business discipline that consists of three major functions: 1) loss prevention, 2) loss control, and 3) loss indemnification). can be defined as the systematic approach that identifies risk, calculates the impact of the risk, and eliminates or minimizes the risk to an acceptable level. Another way to define risk management is making the most efficient before-the-loss arrangement for the after-the-loss continuation of the business. It uses a rational approach and is defendable in a court of law. 

Risk management is an ongoing process that must be re-evaluated on a regular basis. Risk should be the driving factor of the organization’s asset protection program. An ongoing risk assessment program is the best tool for monitoring the changing threat and risk environment, and proactively preparing to respond to it.

Risk can be simply defined as the potential for damage to an asset or loss of an asset. Risk is the most important driver of security measure choice and deployment. Security’s primary objective is to manage risks by balancing the cost of protection measures to the benefit of those measures. 

The goal is to eliminate or reduce the number of incidents leading to a loss. The organization’s risk management program should be similar to a computer’s operating system, it should be running in the background and driving security decisions and actions. 

Most security programs are reactive in nature, meaning that they only deploy security measures after a loss has occurred. Risk management is the process that can help the organization develop a comprehensive protection strategy based on sound practices. 

The risk assessment process can be divided into six basic steps:

• Identify and value assets.
• Identify threats.
• Determine the vulnerabilities.
• Impact of a loss event
• Analysis and prioritization
• Mitigation baseline approach

Assets

The first step in risk assessment is to identify and value the assets. This should help to identify what is being protected and what needs to be protected. Such information allows for the prioritization of assets. Not all assets are of equal value to the organization.

Assets can be divided into three categories:

• Tangible Assets: (Assets that can be seen and felt).
• Intangible Assets: (Assets that are not seen or felt, such as reputation, good will, etc).
• Mixed Assets: (Assets with both qualities, such as humans, clientele, etc).

Most organizations focus their physical security protection program on tangible assets only; however, the security professional should also incorporate the protection of intangible assets into the process. There are other factors that must be considered when assessing the value of assets, mainly the indirect costs of an asset.

A Few Examples of Indirect Costs Are:

• Equipment rentals
• Leased facilities
• Counseling/benefits
• Loss of market share
• Public relations
• Increased insurance premiums
• Alternative suppliers and vendors
• Temporary workers and administrative     support
• Additional security (officers, equipment, etc.)

Threats

Physical security programs should look to build their programs using an all-hazards approach to threats, which provides a context to risk. By using a holistic, full-scope, and balanced approach to the threat, the security professional will be able to understand that some threats are prevalent at certain times and some in certain places.

A hazard is a contributing factor to a peril. For example, a hazard is a condition that makes it more likely a peril will occur such as mental illness or stress. If an active shooter incident is used as the peril in this example, the hazard of stress or mental illness caused the loss.

Threats can be divided into three additional characterizations:

1. Natural

2. Intentional (man-made) 

3. Inadvertent (accidents, errors and omissions)

When it comes to physical security planning for threat, an All-Hazards approach should be taken to ensure all risk is accounted for.

An All-Hazards approach means that risk is considered from a full-scope perspective (big-picture) and uses a realistic and balanced approach when assessing threat. 

Physical security is mostly concerned with intentional threats and, to a smaller degree, natural threats. However, peripheral threats do exist and although usually inadvertent in nature, they should also be considered. Neighboring facilities or operations, environmental issues, public roadways, trains, and utilities are all examples of peripheral threats that could adversely affect an organization.

Vulnerabilities

A vulnerability (A weakness or organizational practice that may allow a threat to be realized or increases the magnitude of a loss event). is a gap or weakness that allows a threat to compromise an asset or function.

The difference between a vulnerability and a threat is that a vulnerability allows the organization some level of control over it. Conversely, threats are typically outside of the control of the organization. 

Although there are many methods that can be used to calculate vulnerabilities, a simple method is to measure the vulnerability in terms of observability and exploitability. Observability is the ability for an adversary to visually see the vulnerability, such as through an open window or door.

Exploitability is the ability for the adversary to take advantage of the vulnerability once aware of it. Exploitability, for natural threats, is based on the ability for the natural event to damage the facility, operation, or mission.

When It Comes to Inadvertent Threats, There Are Two Simple Questions That Need to Be Answered: (Is security aware of the vulnerability?

Is there a potential for a loss event?).

Impact

Accordion. Select each button to expand the content.

Impact refers to the severity of the situation when an incident occurs. Impact is usually measured in financial terms. In addition to impact, many risk management models will assess the likelihood or probability that a loss event will occur.

The Likelihood of Occurrence and an Asset’s Risk Exposure is Based on Many Factors but Often is Related to: Historical events

• Physical environment 
• Political environment 
• Social environment
• Procedures and processes
• Criminal capabilities.

Risk analysis

Risk analysis is the process of identifying potential areas of loss (at a specific time and place) and implementing countermeasures to mitigate the potential for the loss. Analyzing risk can be achieved in two basic steps: Calculation of impact and prioritization of the identified risks.

(Often, organizational leadership only wants to discuss the most likely risks; however, it is important to analyze high consequence loss events even if there is a low likelihood that they may occur). 

It is important to note that the evaluation levels for threat, vulnerability, and impact should be decided by a multidisciplinary team of experts in a collaborative manner not by an individual. This is especially true when using a quantitative method

The goal of risk analysis is to give management information on which they can make decisions. It is not practical to eliminate all risk, so it is important to prioritize risk based on the criticality to the organization.

Mitigation measures:

Determining which protective measures to implement in the effort to mitigate risk can be a difficult task. It is important to consider budgetary constraints and available resources; however, it is more common to consider the potential adverse effect each strategy may have on the operations of the organization.

It should also be balanced using sound strategies and operational requirements and should consider the psychological impact it may have on people.

• Select - options and alternatives (capabilities, cost, urgency, convenience, aesthetics, etc.)
• Test - environmental conditions, integration with other systems, does the solution work, etc.
• Implement - disruption, costs, notifications, policy and procedure changes, time required to implement!
• Train - staff and maintenance personnel.

Protective measures, a physical security professional should consider the following:

• As the sophistication of the adversary increases, the effectiveness of the countermeasures must increase, or the additional risk must be managed in another way. This often results in making a higher investment in security measures.
• The adversary’s capabilities will determine the effectiveness of the chosen security measure.
• Different security measures and levels of effectiveness/performance are required to address different types of threats.

Physical security measures should be scalable and agile and constantly evolving and improving. There are many protective elements that must work together to protect assets in our constantly changing world. Complacency is the greatest enemy of progress.

Qualitative and quantitative assessments

When it comes to assessments there are two main types; qualitative and quantitative. Which method to use is based on the risk assessor’s style and the organization’s executive decision maker. Some professionals prefer a blended approach, using a combination of both types. The most important aspect is to ensure that the information entered into either method is accurate and up to date.

Qualitative Assessment

Uses a general range or description such as high, medium, and low to describe asset value and risk element calculations. This is typically used for low-value assets or operations and to describe basic security applications. It offers a quicker process and is less expensive to perform than a quantitative assessment.

Quantitative Assessment

Uses specific numerical values and scientific formulas to describe asset value and risk element calculations. This is typically used for high-value assets or operations, and to describe PPS values such as detect, delay, and response.

Addressing risk

There are five methods to address the identified risk within an organization. Despite best efforts, there are always residual risks that must be analyzed and accounted for within the organization’s comprehensive risk management program. Most organizations use a combination of some, or even all the five mitigation methods.

Five methods of addressing risk.

Risk avoidance is the most direct way to remove risk; however, many times the organization cannot avoid risk due to the mission or objectives. 

Risk Assumption or Acceptance the organization liable for loss.

Risk spreading often increases the cost of operations, but also may have a good return on investment due to the reduction of risk to the organization.

Risk transfer can be through the purchase of an insurance policy, but a portion of risk may also be transferred by contracting with third-party consultants, suppliers, and vendors to perform certain functions.

Risk reduction is the goal of the security practitioner and it is the most direct means of reducing risk by reducing the vulnerability of assets.

Risk reduction includes site-hardening and often is considered to be the most expensive method in reducing risk.

Physical security measures, policies and procedures, education, and awareness all play a part in reducing risk.

A security survey is a thorough examination of a facility, its operations, and systems and procedures that is conducted to assess the current level of security and determine any vulnerabilities and assess the level of protection needed to address those vulnerabilities.

Security survey is an on-site examination, which often can take up to 50 percent of the time required to complete a survey report.

The Purpose of the Survey is to:

• Determine the existing level or posture of security.
• Identify any vulnerabilities or deficiencies in current security measures.
• Compare the current level of security with the appropriate level of protection needed.
• Make recommendations to improve security and address any vulnerabilities.

The main difference between a comprehensive risk assessment and a security survey is that a security survey focuses more on the vulnerability aspects.

• Items to Look for When Completing a Security Survey in Relation to Vulnerabilities Are
• Ease of access to the site or area
• Inadequate existing security measures 
• Lack of redundant security measures or critical function back-ups
• Single points of failure (example: a lock is the only protection measure)
• Storage of hazardous materials 
• Collateral damage risk (example: site is adjacent to train tracks that transport dangerous chemicals)
• Lack of an effective response and recovery

Although providing just the cost of a security measure is generally not part of the security survey report (cost of security measure with no analysis), a cost-benefit analysis may be appropriate. A cost-benefit analysis is where you assess the cost of a security measure against the benefit derived from implementing the measure.

A Cost-benefit Analysis Typically Consists of Three Factors:

• Cost - acquisition, operational, and replacement costs.
• Reliability - demonstration of technology and benchmarking with others who have already implemented the solution.
• Delay - costs associated with delay and time it takes to make it fully operational.

When performing a survey, a checklist may be helpful to ensure that you do not miss any important elements. It also helps to keep the process performed sequentially; however, a checklist is not recommended as the only tool used when performing an assessment. The assessor needs to have the experience to be flexible in their approach. Interdependencies should also be considered as you perform a survey.

Typically, there are several approaches to performing a security survey:

Outside-In Approach

• The assessor begins the survey from outside the perimeter and moves inward towards the assets. This approach considers security measures from an attacker’s point of view and is considered a “free reign” approach.

Inside-Out Approach

• The assessor begins at the asset and works their way outward towards the unprotected or public area. This approach is from a “defender” point of view.

Functional (Security Discipline) Approach

This is where the assessor addresses each security function individually. The survey should include environmental factors, neighboring operations, and policies and procedures as part of the analysis. It considers assessing security functions in the following order:

• Security Architecture and Engineering
• Structural Security Measures
• Crime Prevention Through Environmental Design (CPTED)
• Electronic Security Systems
• Security Officers and the Human Element

Whatever security survey method is used, it should be systematic in approach, constant, and repeatable.

SWOT analysis

A SWOT Analysis is a tool that can support the security survey process that focuses on the Strengths, Weaknesses, Opportunities, and Threats. It is a situational business process that can be adapted to security, which focuses on internal and external factors.

Outside support

The use of consultants or third-party vendors when it comes to the risk assessment process is commonplace within the industry. Consultants can bring a fresh perspective and can offer collective knowledge that is up to date.

Consultants should be able to demonstrate their expertise, have verifiable references, and should be licensed or certified to perform the assessment. When it comes to regulatory compliance and government oversight, using a consultant to perform the assessment may strengthen the organization’s position that the assessment is unbiased and comprehensive.

Survey systems tests

During the security survey process, the assessor should consider applying certain tests to ensure the systems are operable and effective.

• There Are a Few Tests to Consider:
• Testing shipping and receiving controls.
• Testing intrusion detection alarms and the response to the alarms.
• Computer lab/Data room security measures during working and non-working hours. 
• Testing access controls by trying to gain unauthorized access during working and nonworking hours.

The security survey report.

The survey report is designed to communicate the facts of the findings and then to persuade the organization to mitigate the identified vulnerabilities. The report should apply the following criteria:

Accurate

facts with proper perspective

Clear

communicate with understanding.

Concise

eliminate the unnecessary, not overly wordy

Timeliness

current information

Consider Slant or Pitch

tone of the report, no pettiness

A good survey report will include positive findings along with any negative findings of the program and will be tailored to the intended audience. The security process is enhanced by the reporting, sharing, and use of the report results.

The goal of a security survey is to provide actionable intelligence, for both the short and long term, to leadership so that informed decisions can be made in relation to risk.

Automated assessment tools.

Automated assessment tools can be of assistance when you are processing, analyzing, comparing, and storing large amounts of data. Automation allows you to compare results and prioritize findings easily. It also is a great tool when you have numerous sites to assess simultaneously, which requires a standardized systematic and repeatable process. 

The software may also allow for a rapid calculation of the benefits of protection measures or a combination of protection options.

However, automated tools should not be relied on as the sole process in conducting a physical security assessment. Automated tools are not good at assessing the intangible factors in the assessment process and are only as good as the program inputs. 

The adage, “garbage in, garbage out” can be applied when it comes to automation of results.

A Few Other Considerations That May Affect the Effectiveness of Automated Assessment Tools Are

• The assessor may not be qualified to perform the assessment. 
• Cost can be high for commercial tools.
• Software can be overly complex.
• Computer programs are poor at assessing intangible factors and unquantifiable characteristics.

Key Points. 

• Security’s primary objective is to manage risks by balancing the cost of protection measures to the benefit of those measures.
• There are six steps in the risk assessment process:
• Identify and value assets.
• Identify threats.
• Determine the vulnerabilities.
• Impact of a loss event
• Analysis and prioritization
• Mitigation baseline approach
• Assets can be categorized into three categories: 1) tangible, 2) intangible, and 3) mixed.
• Assets can be valued using two methods: 1) relative value, and 2) cost-of-loss formula.
• Threats can be characterized as:1) natural, 2) intentional, and 3) inadvertent.
• The difference between a vulnerability and a threat is that a vulnerability allows some level of control. Threats are typically outside of the control of the organization.
• Impact is usually measured in financial terms.
• Analyzing risk can be achieved in two basic steps: 1) calculation of impact, and 2) prioritization the identified risks.
• When choosing mitigation measures, it is important to consider the potential adverse effect each strategy may have on the operations of the organization.
• One approach to determining risk results uses a basic Risk Formula: (Threat x Vulnerability x Impact)1/3 = Risk
• Determining mitigation measures can be done using four steps: 1) select, 2) test, 3) implement, and 4) train.
• The difference between qualitative and quantitative assessments:
• Qualitative Assessment - uses a general range or description such as high, medium, and low to describe asset value and risk element calculations. Typically used for low-value assets or operations.
• Quantitative Assessment - uses specific numerical values and scientific formulas to describe asset value and risk element calculations. Typically used for high-value assets or operations.
• Five methods of addressing risk: 1) risk avoidance, 2) risk spreading, 3) risk transfer, 4) risk reduction or 5) combination of any or all methods.
• A security survey is a thorough examination of a facility, its operations, systems, and procedures. It is conducted to assess the current level of security, determine any vulnerabilities, and assess the level of protection needed to address those vulnerabilities.
• A cost-benefit analysis typically consists of three factors: 1) cost, 2) reliability, and 3) delay.
• Three survey approaches: 1) outside-in approach, 2) inside-out approach, and 3) functional (Security Discipline) approach
• A SWOT Analysis focuses on Strengths, Weaknesses, Opportunities, and Threats.
• Criteria of a Security Survey Report:
• Accurate
• Clarity
• Concise
• Timeliness
• Consider slant or pitch.

                                                                                              Top Of Page