As security systems designers, when we specify that a particular area needs a turnstile rather than a mechanical key-based lock, or that a fixed camera is needed in addition to a 180-degree camera in the same area, the decision needs to be justified and there needs to be a thought process behind it.
To do this, you need to have a clear and robust basis for making that decision. Simply placing a camera in a specific area because “that’s the way we’ve always done it” doesn’t work anymore.
In this article I explore the relationship between risk assessment and placement of electronic security equipment and the process to get from start to finish.
Security has to start with a risk assessment.
Unless there is a clearly defined picture of what is at risk and what it is at risk from, we cannot design physical or electronic security solutions to mitigate the risk.
Risk assessments are made up of four different elements.
Assets can be people, physical objects, or information on paper or electronic media – we clearly need to identify what we are protecting.
What will happen to the organisation if the asset we are protecting is lost or stolen?
It could mean a slight inconvenience with a small replacement cost, or it could cause an organisation to cease production for several weeks, or to cease trading altogether.
What are the chances it will happen?
If the impact is high and the asset is very valuable, it may be a higher priority to protect. However, if the chances of it happening are one in ten million, then we don’t need to place as much emphasis on it.
What is already in place? Is there a policy or procedure, such as two different people taking the cash takings from a small shop to the bank night safe together to ensure that they get there safely? The procedure may mean we do not need to pay a cash handling service to pick it up for us.
At the end of this stage, we have a clear picture of what we are protecting and what we should prioritise protection for.
Geographical and Political Conditions
Where is the organisation geographically?
What is the local crime rate?
What is the emergency services response like?
Are you operating in a region where local law enforcement officials may be corrupt or willing to turn a blind eye?
Are firearms easily accessible, or are they really difficult to get hold of?
If they are well controlled, we need less physical protection against an armed attack.
Design basis threat
At this point, we take what we have learned so far and add more detail.
This would include information on how we expect the attackers to act, what equipment they have access to, their level of knowledge or skills, how many of them there are, and what they will most likely target.
This builds up a more detailed picture of what we expect the attacks to look like if they did occur.
Example 1 – Corporate Espionage on a pharmaceuticals site
The risk assessment indicates that a pharmaceutical company is at a high risk of intellectual property being stolen by a competitor.
This competitor is likely to be well funded and therefore resourced, but may not have people with a sufficient level of technical security knowledge to bypass an access control system. They also know that getting to a building to do so is difficult.
Pharmaceutical sites are generally well protected physically with perimeter fencing and good video surveillance coverage, so the attacker may be more likely to target an employee through in-person bribes, social engineering or a phishing attack to obtain information.
Example 2 – Petty theft from a small law firm
Similarly, the primary risk to a local law firm in an area where crime related to drugs and alcohol is rife would be opportunist theft of computer and office equipment, using a hammer or brick to break through a glass window to gain entry.
In this case, strong window and door locks along with acoustic glass break detectors, or perhaps a roller shutter covering the front facade, would be more worthwhile.
This is a short introduction to a much larger, detailed and complex process, especially when working on large estates or master planning. However, it’s clear to see that analysing the needs of an organisation or site is vital.
Without this analysis, the client either spends too much money on unnecessary protection measures, giving them a false sense of security, or worse, does not have the correct measures in the correct places when the worst does happen.