Unit 5 Security Design, Evaluation & Surveying PDF
Summary
Unit 5 focuses on security design, evaluation, and surveying for organizations. It covers fundamental principles, baseline measures, and risk analysis, with a significant focus on the design and evaluation of physical security measures. The unit also introduces security terminology.
Unit 5 – Security Design, Evaluation and Surveying

Introduction

This unit focuses on how to build security elements into a coherent and symbiotic whole so that risks to the enterprise are minimised. The unit will also introduce you to methods to evaluate the effectiveness of security measures through analysis and survey. By following the practices set out in this unit a more efficient and more cost-effective security regime can be created and maintained. Included are the fundamental principles on which a security programme should be built, and you will be introduced to several sets of relationships which, if put into practice, will create a more effective security programme. Much of the unit focuses on physical security design, but where relevant the practice is also applied to other aspects of security.

In Units 1 to 3 you learned that many security programmes are built on a foundation of baseline security measures. These are relatively standard according to the facility under protection. For example, it is normal for an industrial facility to have access management, intrusion detection and CCTV surveillance. In some organisations baseline measures are presented as "packages". For example, a retail outlet belonging to a chain of stores would have a package of baseline measures that it would be obliged to implement. Sometimes these measures are also designed to satisfy legislative, insurance or company policy requirements. Unit 1 also taught you that enhanced security measures above and beyond the baseline are usually the result of a detailed security risk analysis, and that once in place, security measures should be the subject of vulnerability analysis. The most common way to carry out a vulnerability analysis is by security survey, a process explained in the latter section of this unit.

In Units 2 and 3 you learned that security measures can be proactive (such as a perimeter fence designed to deter intruders) or reactive (such as an intrusion detection system designed to detect intruders who were not deterred by the fence). In this unit we will delve into these aspects more closely.

Sidebar: Security design isn't just confined to the physical. For example, if you are a US-based company planning security for an executive travelling to Paris for a meeting, the overseas assignment risk assessment that you would undertake for that journey would identify the need for basic (baseline) security requirements. For this purpose you would have a standard emailed document advising the traveller of the do's and don'ts of overseas travel, or perhaps this would be outsourced to the travel agent contractor. On the other hand, if the journey was from the US to Karachi in Pakistan, the risk analysis carried out as part of the mandatory overseas assignment risk assessment would identify the need for additional security measures.

© Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923)

SHAPE

At its most basic, a security design is often summarised as comprising three elements: people, procedures and hardware, working in synergy. In simplistic terms, people and hardware combine, and procedures are the glue that holds everything together. The acronym SHAPE provides you with an expanded set of components:

Security programmes – This includes awareness programmes, incident reporting systems, confidential reporting systems, security risk analysis and resilience-building programmes. The application of basic crime prevention methods can also be included in this group. Fundamental to this element is relationship building and winning hearts and minds, to get buy-in from those who are affected by the programme and who can make an effective day-to-day contribution to security risk reduction.
Human measures – As well as the obvious use of security staff, human measures should include the appointment of security focal points: local representatives who report back to their respective line managers that they are compliant with the security programme. The aim is to create a culture in which every employee is cognisant of, and acts on, his or her asset protection responsibilities. There is a strong relationship between this category of measures and the security programmes category.

Architectural measures – Careful design and layout of buildings and interior/external space to increase natural surveillance and reduce opportunities for crime. Much of this was addressed in Unit 2, especially in the section on CPTED. Practical examples are the careful siting of loading bays, shipping and receiving, cash handling areas etc. Significant natural improvements in security (and cost savings on security measures) can be achieved if this is addressed at the outset rather than retrofitted. This is addressed later on Page 51.

Procedural measures – These recognise that the way a particular activity is carried out has a significant influence on that activity's exposure to risk. Simple actions like shredding confidential waste at the end of the day and locking away valuable items are examples of procedural measures. Procedural measures are influenced by the time and place of activities.

Equipment measures – These can range from the provision of strong locks to complete physical protection systems, such as an enterprise-wide CCTV system.

SHAPE is a useful aide-mémoire to assist us in remembering the various aspects that need to be addressed when putting together a security design.
If you refer back to the subject of Situational Crime Prevention (SCP), beginning on Page 30 of Unit 2, you will see a strong relationship between SHAPE and SCP.

Cutting through Terminology

Having models such as SHAPE to remind us of what we need to consider in security design is useful, but do we all speak the same language? It seems not. This is less an issue of linguistics, ethnicity and national borders and more about the origins of security management professionals, most of whom enter security from a past career in the police, military or national security/intelligence rather than via standardised university degrees teaching a standardised curriculum with agreed conventions. Take, for example, the term security surveying. Is this the same as a security audit? And is a security survey a vulnerability assessment? The answer to the first question differs from one company to another (although this unit takes a specific position on Page 13). Even within individual countries there is no agreement on terminology or definitions. National and international standards have done little to influence this, and in a few cases have confused the matter further. The terminology used in the CSMP programme is closely aligned with that of ISMI's multinational client companies. An ISMI glossary of security terminology is under development on the ISMI website. For the time being, definitions and explanations that are important to the processes studied so far are provided below.

Security Risk Management – The combination of security risk analysis and security risk mitigation. Often included in this is a cost/benefit analysis.

Security Risk Treatment – Reducing risks to ALARP (as low as reasonably practicable). In basic terms risks can be transferred, eliminated, accepted or reduced (TEAR), but there are other options also: concentration, dispersal, substitution, contingency, mutual aid and sharing.
Security Risk Analysis – The process of identifying security or crime threats to assets through the determination of three key variables: the likelihood of threat occurrence, the potential impact on the asset or the asset's function, and the asset's vulnerability to harm. Sometimes this process is mistakenly referred to as threat assessment. Organisations such as the American Petroleum Institute refer to it as a security vulnerability assessment, although a vulnerability assessment is normally regarded as a different process (see below).

Risk Assessment – A health and safety term used to describe actions to formally identify, assess, document and mitigate risks to staff associated with a particular activity. An overseas assignment risk assessment, for example, identifies the risk associated with travel to a foreign country. Staff who work in front-line positions and who handle cash may also require risk assessments. Risk assessments are often mandated by law.

(Security) Vulnerability Assessment (or Analysis) – A procedure that looks specifically at the vulnerability of an asset after risks have been identified, or in relation to a baseline level of risk. A vulnerability is anything that can be exploited by a threat. Examples of security vulnerabilities include asset behaviour (does the principal travel to the gym at the same time every Thursday, taking the same route?), conditions beyond the protector's control (a coastal area where frequent fog degrades the capability of CCTV), and security equipment weaknesses (a perimeter intrusion detection system with a probability-of-detection value of 0.9 means that, in theory, 1 in 10 adversary crossings will go undetected by that system; whether an undetected crossing then succeeds depends on the delay and response that remain). The term is also used by a small number of organisations as an alternative to security risk analysis, although this is outdated. A practical example of an SVA is a security survey or audit.

Threat Assessment – A detailed study of potential adversaries: their intentions, capabilities, strengths and equipment, and modus operandi. The analysis may also extend to target behaviour and opportunities. It may be undertaken through analysis of past actions or by using intelligence. The term is also used by a small number of organisations as an alternative to security risk analysis, although this is outdated. When designing a physical protection system (PPS) the threat assessment is the starting point for the design basis threat.

Design Basis Threat – The potential adverse scenarios, examined in detail, that form the basis of countermeasure solutions. The process may involve several sub-processes, such as adversary path analysis, adversary task-time modelling, determination of critical detection points etc.

Security Survey – A detailed on-site examination and analysis of a premises or operation to ascertain the effectiveness and condition of existing protective measures and activities, to identify exposures in relation to current and projected risk, to identify vulnerabilities, and to make appropriate recommendations to reduce risk.

Security Audit – A documented assessment of the performance of the security programme, including equipment, manpower, procedures and employee compliance. Security audits are usually carried out against a pre-defined standard.
Putting the Terminology into Context – A Paradigm Shift

The terminology problem is compounded by writers such as Patterson (2004) who asserts: "To protect a company and its assets, the very first step is to perform a threat and vulnerability analysis. Based on that analysis, the security team should implement physical protection systems (PPS) to provide safeguards that mitigate the threats." This approach is supported by Purpura (2008). The common thread of these approaches is that they characterise protection from the position of controls: "How good are our existing controls against perceived threats?" This we can call the security approach.

Fischer, Halibozek and Green (2008), however, recognise that there has been a paradigm shift in how we view security and risk, and take a more contemporary approach, which we can call the risk approach: "The first step in security planning is a detailed analysis of potential areas of loss, their probability, and their gravity in terms of business impact should a loss occur that affects corporate goals and assets. Only then can the specific objectives of the security function be defined." What Fischer, Halibozek and Green (2008) are describing, of course, is the security risk analysis process that was introduced to you in Module 1.

According to ISO 31000:2009 Risk Management – Principles and Guidelines (ISO 2009): "Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur. Factors that affect consequences and likelihood should be identified. Risk is analyzed by determining consequences and their likelihood, and other attributes of the risk. An event can have multiple consequences and can affect multiple objectives. Existing controls and their effectiveness and efficiency should also be taken into account."

These approaches characterise protection from the starting point of risk: "What are the risks that have the potential to impact on our mission, and what are we going to do about it?"

Sidebar:
SECURITY APPROACH – Specific, narrow focus on threats and vulnerabilities. An exclusive approach in which activities are usually confined to security professionals.
RISK APPROACH – Takes into account organisational context, organisational objectives, assets and how they are used; identifies threats to assets and to the success of the mission; quantifies the potential impact of those threats; identifies and addresses vulnerabilities; and establishes a framework to manage risks to ALARP. An inclusive approach, designed to involve the business in risk management decision making, with specialist advice provided by security professionals, who lead (own) the process.

Standards Australia (Security Risk Management Handbook, HB 167:2006) view this paradigm shift in a holistic context:

From | To
Physical security | People, property and information security
Technical activity | Social/political process
One-way dialogue (communicating to stakeholders) | Two-way dialogue (communicating with stakeholders)
Tactical approach | Long-term strategic planning
Policing/paramilitary view and approach | Holistic approach
Conformance criteria | Performance criteria
Worst-case scenario | Most credible worst-case scenario
Threat and hazard focus | Risk focus

You can find a more detailed explanation of this in Background Note 5.1 – Security Risk Management – A New Paradigm, in the ISMI Extranet Online Library.
There is no doubt that the risk approach is by far the most commonly used approach, especially in progressively thinking multinational companies with progressively thinking security managers. The reason is obvious. Security risk cannot be viewed in isolation and defined narrowly in terms of threats and vulnerabilities. Risk to an organisation must be viewed in enterprise context, reflecting the dynamic nature of the enterprise, and there should be common tools, approaches and conventions irrespective of whether the risk is security, safety, political, investment etc. This is summed up in ISO 31000:2009, which takes the position that risk management can be applied to an entire organisation, at its many areas and levels, at any time, as well as to specific functions, projects and activities. The risk approach includes all of the elements of the security approach, but it is presented as part of an enterprise-wide risk analysis, using the language of business. Importantly, it begins by establishing the context in which the organisation, its assets and its mission exist, and concludes with the recognition that while every security risk should be treated, there may be risk management alternatives to pure security solutions.

When to Consider Security Design

You may recall from Module 3 that security should be a consideration in any business or business activity at each of the four stages of planning, start-up, operation and discontinuation.
Planning – This spans a wide range of activities, including working with architects and builders to ensure that physical security is "built in" to new projects (rather than "built on" later), carrying out due diligence on future business partners, working with business strategists and operational managers who are planning new activities, working with procurement to ensure no ethical violations in bid processes, working with HR to ensure effective background screening that can identify criminality, carrying out strategic risk assessments of entries into new markets etc.

Start-up – During business start-up it is easy, in the excitement of a new activity or project, to overlook security, especially if the operation is rapidly expanding. Most important in this phase is procedural security: ensuring that all employees carry out their activities in accordance with procedures that take security into account. This will also be the time to train security staff on new security equipment.

Operation – This relates to the risk management and security activities that protect the operation in its day-to-day business. This must take into account all asset groups, static or mobile, including people, property, intellectual property, information, corporate know-how, reputation and brands etc. Proactive security operations are more desirable than reactive.

Discontinuation – At the discontinuation of a business activity a number of hitherto unforeseen risks may manifest themselves. These may range from disgruntled employees who copy information (such as databases, process secrets etc.) as an aid to future employment elsewhere, to scrap thieves who typically target metals such as copper and lead. Discontinuation is a time of confusion, and hitherto loyal employees can quickly become the adversary.
What to Consider in Security Design

There are many considerations in a security design. These include:

The Physical Environment. The site itself, its neighbours and their operations, local facilities, geographic, topographical and climatic conditions etc. For example, has the correct kind of intrusion detection been selected, or will local climatic conditions render it ineffective?

The Financial and Economic Environment. Is there sufficient capital to invest in expensive security measures, and can the return on investment be quantified? Can the security manager present a sound financial case without falling back on FUD ("if you don't do this, that threat may happen" etc.)? Would the enterprise be better spending its money elsewhere? Is a phased introduction of security measures, with regular reviews, an option?

The Corporate Environment. Company culture, sensitivities and personalities. The security measures chosen must be harmonious with the culture of the enterprise. Perhaps, for example, exit searching without good cause runs contrary to company values, attitudes and beliefs. Moreover, security must never become an obstacle which hinders the achievement of the core business objectives. Culture can be changed, but only if staff feel they have input to the deliberation process and buy-in to the solutions.

The Technical Environment. It is an uncomfortable truth that, with the migration of traditional security hardware to IP-based platforms and the inexorable advance of digitisation, integration and convergence, some security managers are not sufficiently technology-savvy to make the best decisions regarding deployment of new technology. There can be no doubt that tomorrow's security professionals will have to be as conversant with advanced technology and IT infrastructure as they are today with guard force management, as technology and convergence move ever forward. It is therefore important, when choosing hi-tech security systems, that not only should there be appropriate local skills to maintain the system, but security staff should have the necessary technological knowledge as well.

The Social Environment. While it is inaccurate to draw a simple correlation between poverty and crime, empirical evidence suggests that premises sited in socially deprived areas are often victimised more frequently. This is especially true of European and North American settings. There is also a very strong correlation between general population poverty and the extent of corruption within government structures. In some environments, and business sectors, petty theft is almost perceived as an employee right. Here, detailed analysis is required. For example, in the retail sector in the UK it wouldn't be wise to spend the entire security budget on defending against outsiders when many of the threat sources are trusted employees.

The Political Environment. In developed countries this is closely linked to the legal and regulatory environment.

Sidebar: An alternative approach to "environments" is to use the acronym PESTEELO, which stands for:
- Political factors
- Economic factors
- Societal factors
- Technical factors
- Environmental factors
- Ethical factors
- Legal or regulatory factors
- Organisational factors
Source: PAS 200:2011, Crisis Management – Guidance and Good Practice.
In countries with less stable economic or political conditions, this consideration may mean designing in security elements, plans and protocols to monitor and respond to a deterioration of a given political situation. Such security measures usually take the form of evacuation/relocation plans.

The Legal and Regulatory Environment. Restrictions and benefits that come from various laws, viz:
- Local laws applied to, for example, planning and construction (lighting restrictions and fence and wall heights are common constraints).
- Laws relating to the regulation of security industry suppliers, contractors and consultants.
- National laws to do with the powers of arrest and the carrying and use of firearms.
- Data processing and information storage laws, for example for CCTV data.
- Legislation regarding investigation and interview conduct.
- International laws and agreements covering such issues as maritime protection (e.g. ISPS).
- Privacy laws.
- Labour relations laws.
- Immigration and customs agreements.
- Working hours directives.
- Employment laws.
- Laws relating to disabled employees.
- Laws relating to the covert monitoring of employee activity, such as email monitoring.
- Laws relating to the use of technical security countermeasures.

Security Design Objectives

A security design should be oriented towards minimising:
- Harm to people.
- Damage to the enterprise or its assets.
- Theft (from both insiders and outsiders).

This requires consideration of a range of security measures that can be:

Preventative – This is very difficult to achieve. The only sure way to prevent an incident is to cease the activity that is the source of the risk (or to remove, or make a substitute for, the asset). Think of the E in TEAR (Unit 1, Security Risk Analysis) and also of Felson and Cohen's "opportunity" in Routine Activity Theory (Unit 2, Crime Prevention).

Deterring – Once an incident occurs there is an associated cost; therefore deterrence is best. Cameras, patrolling, fences and signage are used to deter, but there are more subtle methods. Deterrence, of course, is not an exact science and cannot be determined quantitatively.

Controlling – Closely related to the above. Procedures are the basis for control. Care should be taken not to control the activities of employees to the extent that freedoms and initiative are stifled. This was a key point addressed in the Introduction section of Unit 3, Managing the Security Function (Page 9).

Detective – Despite efforts to prevent and deter, some incidents will happen. Systems need to be designed to detect as early as possible. Intrusion detection is an obvious example, but detective measures should also extend to other areas of misconduct, such as fraud and corruption. Detective measures should, wherever possible, be designed not only to detect abnormal or malevolent activities, but also to recognise known adversaries and identify unknown adversaries.

Delaying – This is achieved by placing obstacles between the adversary and the target. The basic principle of delays is that they should create time to allow for accurate detection and timely disruption by a response force.

Defeating – This concept is closely related to preventing, but assumes the attack has been initiated and the delays have been effective.

Disrupting – This is defined in terms of the time to accurately report and assess an adverse event and the time taken to respond to and neutralise the cause of that event.

Recovery – Depending on the nature of the event, recovery may be necessary. This could include recovery of stolen property, restoration of business operations, rescue of casualties etc.

Physical security systems, especially, are often defined and performance-measured in terms of detection, delay and disruption, which we can call the "three D's".

Sidebar: Specific design objectives will vary according to the nature of the site. A government or military facility, for example, may focus on:
- Safeguarding personnel.
- Preventing unauthorized access to equipment, installations, material, and documents.
- Safeguarding against espionage, sabotage, damage, and theft.
Source: FM 3-19.30, US Army Physical Security Field Manual.

The Basic Functions of Physical Protection Systems (PPS)

Examples of some of the main categories of PPS and their functions:

Intrusion Detection
- To deter
- To detect
- To communicate for assessment
- To delay
- To respond and neutralise

CCTV
- To deter
- To provide assessment for intrusion detection
- To provide reassurance and confidence
- To monitor for deviations
- To record evidence

Lighting
- To deter
- To support assessment of intrusion detection by CCTV
- To provide reassurance
- To aid in patrolling and response

Automated Access Control Systems
- To facilitate authorised access
- To prevent unauthorised access
- To prevent the introduction of prohibited items
- To prevent the unauthorised removal of property

Contraband Detection
- To deter, prevent and detect attempts to introduce prohibited items

Wherever possible, PPS should be selected for their ability to protect against a range of different risks. This allows for savings in cost and a greater return on investment. CCTV is an example of a good all-round measure. There will, of course, always be circumstances where special measures are required to protect against specific risks.
The Key Components of a Successful PPS

PPS Design Objectives

We have learnt that the objectives of generic security measures can be preventative, deterring, controlling, detective, delaying, disruptive and recovering. PPS objectives are narrower and usually combine the "three D's" of detection, delay and disruption. Focusing on the three D's specifically allows quantitative measurements to be made. For example:
- Detection can be measured in terms of the probability of detection, Pd, expressed as a decimal.
- Delays can be measured in terms of penetration time.
- Disruption can be measured in terms of the time taken to respond to the event and the probability of neutralisation, Pn.

The three D's form the quantifiable core of PPS design objectives, but deterrence is often added as a fourth objective, and defeating as a fifth. Although not quantifiable, deterrence is obviously a desirable objective as it represents the ideal situation. Defeating is second best: if the adversary can't be deterred, at least try to stop him or her.

Deterrence

Deterrence is achieved by implementing measures that are perceived by potential adversaries as undesirable to attempt to defeat (in cost, time, difficulty, surveillability etc.). Deterrence can be very helpful in discouraging attacks by casual adversaries, who may be displaced onto a less well protected target. However, deterrence is ineffective against a determined adversary who is set on specifically attacking you. In anti-terrorism, for example, estimates have rated the deterrence value of security systems deployed against determined terrorist adversaries as low as 20%. The Boston Marathon attack in 2013 is testament to the fact that determined adversaries will not be deterred by the presence of armed police and thousands of surveillance cameras. This is why security measures should also be designed to defeat. Some specific points on deterrence are:
- The objective of any system should be to deter the adversary from committing an act. In essence, risks should be made to appear greater than potential rewards, or the barriers should be perceived by the adversary as too difficult to defeat.
- Intrusion detection systems combine the three elements of detection, delay and disruption to create deterrence. When the adversary knows (or suspects) that these elements exist, the adversary action can often be deterred (but note the terrorism-context exceptions).
- Deterrence may sometimes create deflection: the adversary is deflected onto a less well protected target. This is a well-known concept in anti-terrorism, in which an adversary will sometimes pre-select a secondary target in the event of the primary target being unreachable. Deflection onto another target within the same enterprise is obviously undesirable, so there is a need for balanced protection (discussed later on Page 33).

Detection

A PPS should be designed to detect. From a cost and business interruption perspective, detection is better when it takes place before an undesirable event rather than after. The emphasis in corporate security is first and foremost to try to prevent the undesirable event; catching the adversary red-handed is secondary to this. Patterson (2005) draws specific attention to the use of PPS subsystems which employ technology to help detect the means that perpetrators use to carry out an attack on a facility. Security subsystems at facilities include display and assessment, intrusion detection, identification, centralised monitoring, access control, CCTV, communications and search.
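As an added worked example (it is not part of the ISMI unit), the following Python script turns the three D's into numbers in the way a design-basis-threat exercise does: each layer on an assumed adversary path carries a Pd and a penetration time, the response force time (RFT) is fixed, and the script finds the critical detection point (the innermost layer at which detection still leaves enough delay for the response force), the probability of interruption P_I from the cumulative Pd up to that point, and P_E = P_I × Pn. The path, its Pd values, delay times, the RFT figures and Pn are constructed for illustration and not taken from any real site; the model also assumes that detection occurs as the adversary begins to cross a layer, so that layer's own delay still counts.

```python
"""Timely-detection model for a layered physical protection system.

Added example, not ISMI course code.  All layer values below are
constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Layer:
    """One element on the adversary path, listed outermost first.

    p_d     -- probability that crossing this layer is detected and
               assessed, as a decimal (the unit's Pd)
    delay_s -- penetration (task) time the adversary needs to get
               through this layer, in seconds
    """
    name: str
    p_d: float
    delay_s: float


def remaining_delay(path: List[Layer], index: int) -> float:
    """Delay still ahead of the adversary if detected at layer `index`.

    Assumption: detection happens as the adversary starts to cross a
    layer (sensor on its outer face), so that layer's delay still counts
    towards the time available to the response force.
    """
    return sum(layer.delay_s for layer in path[index:])


def critical_detection_point(path: List[Layer], response_time_s: float) -> Optional[int]:
    """Index of the innermost layer at which detection is still timely,
    i.e. remaining delay >= response force time.  None if even detection
    at the outermost layer leaves too little delay."""
    cdp = None
    for i in range(len(path)):
        if remaining_delay(path, i) >= response_time_s:
            cdp = i
        else:
            break  # remaining delay only shrinks further along the path
    return cdp


def interruption_probability(path: List[Layer], response_time_s: float) -> Tuple[float, Optional[str]]:
    """P_I: probability of at least one detection at or before the CDP,
    treating detections at different layers as independent."""
    cdp = critical_detection_point(path, response_time_s)
    if cdp is None:
        return 0.0, None
    p_miss = 1.0
    for layer in path[: cdp + 1]:
        p_miss *= 1.0 - layer.p_d
    return 1.0 - p_miss, path[cdp].name


def system_effectiveness(path: List[Layer], response_time_s: float, p_neutralise: float) -> float:
    """P_E = P_I * P_N (the three D's combined into one figure)."""
    p_i, _ = interruption_probability(path, response_time_s)
    return p_i * p_neutralise


def with_extra_delay(path: List[Layer], name: str, extra_s: float) -> List[Layer]:
    """Copy of `path` with `extra_s` seconds of delay added to one layer."""
    return [replace(l, delay_s=l.delay_s + extra_s) if l.name == name else l
            for l in path]


# Constructed adversary path (illustrative values, not from a real site).
EXAMPLE_PATH = [
    Layer("perimeter fence + PIDS", p_d=0.90, delay_s=10),
    Layer("open yard under CCTV",   p_d=0.30, delay_s=60),
    Layer("building door",          p_d=0.95, delay_s=90),
    Layer("interior corridor",      p_d=0.50, delay_s=30),
    Layer("vault",                  p_d=0.99, delay_s=300),
]

if __name__ == "__main__":
    for rft in (360, 450, 500):  # assumed response force times, seconds
        p_i, cdp = interruption_probability(EXAMPLE_PATH, rft)
        p_e = system_effectiveness(EXAMPLE_PATH, rft, p_neutralise=0.8)
        print(f"RFT {rft:>3}s  CDP={cdp!s:<22}  P_I={p_i:.4f}  P_E={p_e:.4f}")
```

Running it shows the point the unit makes in prose: with a 360 s response the critical detection point sits at the building door and P_I is driven by the fence, yard and door sensors together, whereas a 500 s response leaves no timely detection point at all, so no amount of sensor quality helps. The `with_extra_delay` helper makes the companion point about delay placement: 120 s added at the vault (inside every detection point) restores a high P_I for the 500 s case, while the same 120 s added at the fence only counts if the fence sensor itself detects, so P_I falls back to the fence's own Pd.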
Early detection of an adversary is essential. Early detection at the site perimeter increases the response force time available after detection. Adversary paths (typical routes taken by the adversary to reach an asset) should be anticipated, and detection elements deployed along that path with specific consideration given to how the chosen technology works in relation to the direction of movement. For example, a microwave beam in a bistatic microwave system must cross the adversary path to be most effective, whereas a monostatic microwave sensor should look directly along the adversary path as it approaches the target. You will study these technologies in more depth later in the programme. The best system is the one that provides the earliest detection, and strong delays can significantly assist in assuring that detection takes place and that there is sufficient time to detect it effectively.

Detection is more than just sensing adversary action. For effective interdiction the information communicated to the response force should include details of at least the adversary’s:

- Strength.
- Nature and sophistication.
- Weapons.
- Direction of travel.
- Indication of the intended adversary action and target.

This is why detection should always be augmented by assessment. The most common form of assessment is video surveillance (CCTV).

The quantitative measurement for detection systems is probability of detection (Pd). A Pd of 0.95 (95%) under most normal circumstances is reasonable for an intrusion detection system, for example. Manufacturers and installers will often list a Pd in the equipment specification, but you will get more realistic results if you develop your own through on-site penetration testing by an independent contractor, during which testing takes place under a range of normal and abnormal conditions.

It is unwise to attribute a quantitative delay value to detection systems because, under some attack scenarios, the adversary may carry out a force attack with little or no concern about detection. Detection should take place at the earliest point along the adversary path, or better still in the planning stages by means of intelligence.

Delays

Delays provide time for detection to take place. The terms delays and barriers are often used interchangeably, but are not synonyms, as the latter may sometimes imply an ability to prevent an adversary action. Types of barriers include:

- Fences (including electrified) and gates.
- Guards (static or patrolling) or armed forces.
- Employee activity.
- Dogs.
- Natural surveillability.
- Perimeter walls and signage.
- Building walls, roofs, floors etc.
- Natural physical barriers and distance.
- Locks, doors and associated construction.
- Compartmentalised (and locked) building interiors.
- Glazing.
- Lockable cabinets, safes, and vaults.

A barrier is a natural or manufactured obstacle to the movement of persons, animals, vehicles or materials. It defines physical limits to and delays or prevents penetration of an area. A basic security concept is to design a series of layers, or concentric circles, so that highly protected assets are within a configuration of multiple barriers. Source: ASIS Protection of Assets Manual: Barriers (2004)

There are four main ways to defeat a barrier, summed up by the acronym FADS: force, accident, deceit and stealth. Some adversarial actions favour one type of attack over another, or may use a combination of approaches. A shooter, for example, may initially conceal his presence, but use force as his primary attack mode.
Conversely, espionage tends to be carried out by stealth in order to conceal the act after it has been undertaken. More commonly, stealth may be the primary tactic employed by the adversary until he or she is detected, at which point the tactic may change to force in order to minimise the chances of disruption. The PPS must be designed to address this and must always cater for worst-case adversary task times. Security systems should be designed to address all four approaches.

It should also be remembered that many barriers need to operate in both directions: outwards as well as inwards. Barriers should be designed to prevent, or at least impede, the removal of the organisation’s assets by dishonest employees or others who have penetrated the barrier system.

Given time, most delays can be defeated by a determined or unobserved adversary. Take, for example, the following:

Example                                        Delay
2.4m perimeter fence with razor wire topping   5 to 20 seconds for a fit, practiced adversary.
Industrial-grade pedestrian door               30 seconds to 6 minutes.
Laminated glass                                No more than 1 minute with a fire axe.
5-pin tumbler security lock                    1 minute for a skilled locksmith; 10 minutes on average for others.
Source: Sandia National Laboratories

Ideally, a PPS should be designed to defeat an adversary, but assurance of defeat is very difficult to achieve. The delay should be sufficient not only to allow for assessment, but also to hold back the adversary at the point of detection until the intervention of a response force to neutralise the adversary (disruption). It is important not to overestimate the delay value of a physical barrier. Chain link fences have a delay value measured in seconds, not minutes.
Doors and windows without ironwork are similarly weak, and locks can often be defeated in under a minute. Analysis of various thefts of laptop computers by external adversaries has typically revealed an adversary task time (time to reach the target and escape after successful completion of the action) of just two minutes.

Delays may be structural (fences, doors, locks etc.), human (guards), and logical (passwords). Detection and surveillance systems are not normally regarded as delays, as the adversary may choose to carry out the act by force, with little consideration for their existence.

The weakness of delays such as perimeter fences cannot be overstated. In fence penetration testing by the US Army in the 1960s, typical 2.4m chain-link fence penetration times ranged from 6 seconds to 25 seconds. The implication of this is that if the response does not reach the point of intrusion before the adversary has crossed the barrier, it may be impossible to find and stop the adversary if the site is large or diverse. When there is more than one adversary – and especially if sabotage is the motive – the adversary action will likely succeed.

The equation (π × r²) ÷ 2 helps us to understand this problem more graphically. Let’s base our calculation on the assumption that a fit, knowledgeable and determined intruder, having penetrated the perimeter fence delay, can proceed at a rate of 300m in a minute. The diagram below illustrates this concept. If the guard force arrives one minute late, for example, the adversary could be up to 300m in any direction from the point of intrusion. This area is represented by pink in the diagram. To calculate this area we use (π × r²) ÷ 2, the area of a semicircle, since only the half on the inside of the perimeter needs to be searched. π (pi) is a constant, which we will shorten to 3.14. r is the radius of the pink area, which in our case is 300.

> 300² = 90,000
> 90,000 × 3.14 = 282,600
> 282,600 ÷ 2 = 141,300 square metres

This means that the security force will have to search 14.13 hectares just one minute after the intrusion! And for every second wasted in searching the initial area, the area grows rapidly, with the square of the elapsed time. A minute later (2 minutes after intrusion) the area increases to 56 hectares. Three minutes after intrusion the response force would have to search an area equivalent to almost 200 New York-size blocks!

Disruption

Disruption is a measure of the effectiveness of the response in neutralising the adversary and ideally preventing the undesirable event. You will recall earlier that for effective interdiction the information communicated to the response force should include details of the strength, nature and sophistication of the adversary, weapons, direction of travel and an indication of the intended adversary action and target. In the case of a perimeter intrusion, for example, accurate assessment allows for the response to:

- Arrive at the correct location.
- Arrive in the correct strength.
- Arrive within a defined timeframe, which should be less than the minimum delay value of the barrier.

Some important points about adversary disruption are as follows:

Disruption is a combination of assessment, response and deployment, and neutralisation. For the response to be effective it must be completed before the adversary action has been completed, and ideally before the penetration of the barrier has taken place. We noted earlier that the adversary task time in relation to theft can be defined as “the time to reach the target and escape after successful completion of the action”.
This is, however, not the case if the adversary objective is sabotage or violence, when the adversary task time is usually “the time it takes the adversary to reach the target”. Irrespective of escape, once the adversary reaches the target the action element of the adversary task is usually complete. This can be summed up by the equation Tp > Td + Tr, where:

- Tp = time of penetration.
- Td = time of detection.
- Tr = time of response.

This is explained in greater detail later, as “Principle 8”, on Page 53.

There are various ways to improve response effectiveness, viz:

- Zoning of intrusion detection systems allows for accurate assessment of the point of attempted penetration.
- CCTV assessment allowing for an accurate assessment of the adversary nature and strength, tools and tactics, so that an appropriate response force can be deployed.
- Providing response personnel with rapid response means, appropriate to site conditions.
- Providing response personnel with appropriate means to subdue, neutralise and detain an adversary.
- Relocating the response base to a point closer to obvious adversary targets.

The relationship between all of the above elements must be symbiotic and constantly tested. A weakness in any one element will compromise the effectiveness of the whole. In this relationship, security personnel are particularly versatile. They can serve as barriers, effective against intrusion by force, stealth, deceit and by accident. They are an effective means of detection, and they are able to respond to, and neutralise, an adversary.

One of the primary decisions facing the security designer is the nature of the response force. Options include, but are not limited to:

- On-site, dedicated.
- Proprietary, in proximity.
- Contracted.
- Law enforcement only (where such provision exists).

The starting point, as always, is the design basis threat (defined later on Page 33 and in much greater detail in Unit 6) and the security risk analysis (SRA). The SRA in particular will assist you in determining how serious the risks are. For facilities with an unacceptably high consequence of loss, even when the likelihood of adversary action is low (for example, critical national infrastructure - CNI), Garcia (2008) recommends a quantitative analysis, in which impact is expressed in financial terms or some other form of quantitative measurement, such as injuries and fatalities, operational downtime etc. The response strategy usually applied to these assets is an immediate on-site response.

Many facilities have satellite sites (flow stations on a pipeline, for example) which are critical but for which on-site response cannot be economically justified. Here, the remit of the proprietary force is often extended, usually by vehicle. This is a form of “in proximity” response.

A contracted response is often the solution for facilities where there is a lower consequence of loss, or for which a dedicated on-site response cannot be economically justified. Small businesses, retail sites, residences, restaurants, cinemas etc. are examples that fall into this category. Contracted response services routinely visit the site, and have agreed response target times in the event of an incident. This is a form of law enforcement substitute, and is often employed in areas of mass private property, and where the forces of law enforcement cannot be relied upon for rapid response, whether through inefficiency or overstretch.

In some cases, especially with critical national infrastructure and banks, and for specific types of adversary action – such as terrorism, barricade and hostage taking, and armed robbery – law enforcement forces are the primary means of response and usually assume command and control.
Siting the response force is also an important consideration. Instinctively, response forces are located at the main entrance. This may seem logical but this strategy has two main disadvantages:

1. In the event of a terrorist attack – or other armed attack – the entire security force could be eliminated very quickly.
2. The facility main entrance is often not where the most critical assets are located.

Point A in the diagram to the left indicates where many facilities site their security response – at the main entrance. Detailed adversary path modelling, however, will often indicate that the adversary target and the paths to it are some distance from the main entrance – in the case of the diagram, at the other end of the site. Many CNI sites have been successfully invaded by activists who have exploited this common weakness. Activists have been able to enter the site and disrupt core processes before the security team has arrived at the critical asset cluster location. Extending this weakness to terrorism and sabotage, a determined adversary could enter a site, plant a device and successfully leave without interdiction, presenting the security force with the dilemma of whether to shut down and evacuate the facility to search for suspected IEDs.

A more effective security response can often be achieved by relocating the core of the security response to the centre of the site – represented in the diagram by Point B – closer to critical assets, and by reducing the function of the security presence at the main entrance to entry management. This significantly reduces the response time to critical assets, facilitates patrolling and creates more credible deterrence.
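The search-area calculation, the Tp > Td + Tr relationship and the response-siting point above can all be worked through numerically. The following Python is an added illustration, not part of the original unit or of Garcia's or ISMI's material: it computes the semicircular search area for a late response, then applies Tp > Td + Tr to a constructed adversary path built from the unit's own worst-case delay figures (fence 5 seconds, industrial door 30 seconds, 5-pin lock 1 minute, intruder moving at 300 m per minute). The function, field and scenario names are this example's own assumptions.

```python
"""Timing relationships from the delay/disruption discussion: semicircular
search area after a late response, and the Tp > Td + Tr test along an
adversary path. Added example; delay figures taken from the unit's own
worst-case numbers, path and response times constructed for illustration."""

from dataclasses import dataclass

# Unit's assumption: a fit, determined intruder covers 300 m per minute
# once past the perimeter fence.
INTRUDER_SPEED_M_PER_MIN = 300.0


def search_area_ha(minutes_late: float,
                   speed_m_per_min: float = INTRUDER_SPEED_M_PER_MIN,
                   pi: float = 3.14) -> float:
    """Area (hectares) the response force must search if it reaches the
    point of intrusion `minutes_late` minutes after the crossing:
    (pi * r^2) / 2 with pi shortened to 3.14 as in the unit. A semicircle,
    because only the half inside the perimeter needs searching."""
    r = speed_m_per_min * minutes_late
    return (pi * r ** 2) / 2 / 10_000  # 1 hectare = 10,000 m^2


@dataclass
class Segment:
    """One element along an adversary path (hypothetical structure)."""
    name: str
    delay_s: float         # worst-case (minimum) time the element holds the adversary
    detects: bool = False  # True if a detection element is fitted here


def evaluate_path(path: list[Segment], response_s: float) -> dict:
    """Apply Tp > Td + Tr to one adversary path.

    Tp = total penetration time (sum of every delay on the path).
    Td = moment of detection: time to reach the first element that detects;
         delays passed before that point buy the response force nothing.
    Tr = time from assessed alarm to interdiction.
    The response is timely only if the delay remaining after detection
    exceeds Tr, i.e. Tp - Td > Tr."""
    tp = sum(seg.delay_s for seg in path)
    elapsed = 0.0
    td = None
    for seg in path:
        if seg.detects:
            td = elapsed  # detected as the adversary starts on this element
            break
        elapsed += seg.delay_s
    if td is None:
        # Nothing on the path detects: no alarm, so no response ever starts.
        return {"tp": tp, "td": None, "tr": response_s, "timely": False}
    return {"tp": tp, "td": td, "tr": response_s, "timely": tp - td > response_s}


def example_scenarios() -> dict:
    """Constructed scenarios: fence 5 s, 300 m of open ground (60 s at the
    unit's intruder speed), industrial door 30 s, 5-pin lock 60 s."""
    def path(fence_ids: bool, door_ids: bool) -> list[Segment]:
        return [
            Segment("2.4 m fence with razor-wire topping", 5, detects=fence_ids),
            Segment("open ground, 300 m", 60),
            Segment("industrial-grade pedestrian door", 30, detects=door_ids),
            Segment("5-pin tumbler lock on asset store", 60),
        ]
    return {
        # Response force sited at the main gate, 180 s away: too slow even
        # with detection at the fence.
        "gate_response": evaluate_path(path(True, False), response_s=180),
        # Same detection, response base relocated near the asset (90 s away).
        "relocated_response": evaluate_path(path(True, False), response_s=90),
        # Relocated response, but detection only at the building shell: the
        # 65 s spent before the door is lost, so the response is late again.
        "shell_detection_only": evaluate_path(path(False, True), response_s=90),
    }


if __name__ == "__main__":
    for minutes in (1, 2, 3):
        print(f"{minutes} min late: search {search_area_ha(minutes):.2f} ha")
    for name, result in example_scenarios().items():
        print(name, result)
```

The three scenarios make the unit's two points in numbers: with the same path, only moving the response base (reducing Tr) makes the response timely, and moving detection inwards from the fence to the building shell throws away the delay that the fence and open ground had bought, so the same response force is late again.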
Detection in a Non-PPS Context

Detective mechanisms are a key element of any security programme. They help discover attacks and activate appropriate preventive or corrective measures (Patterson, 2005). While physical (PPS) examples of common detective mechanisms include perimeter intrusion detection systems, building intruder detection systems, CCTV, access control systems, contraband detection systems etc., detection can also be applied to non-PPS elements of a security system. These include:

- Routine security checks.
- Background screening.
- Substance abuse screening.
- Audits, inspections, surveys and visits.
- Visual observation and surveillance.
- Threat assessments.
- Following up threats and malicious statements.
- Security officers.
- Staff.
- Neighbours.
- Investigations.
- Specialist contracted services (eg: Technical Surveillance Countermeasures teams).
- Military and police agencies.
- Checking loading and delivery manifests.
- Key registers.
- Review of patrol and guard shift reports, and the occurrence book.

In some non-PPS circumstances it will be the threat (or threat source) that is detected, at a point before the adversary has begun his/her action. In these circumstances there may be no delay element and the security or organisational response will move directly to the disruption phase. This is discussed more fully overleaf.

Delays in a Non-PPS Context

Garcia (2008) provides a good example of where non-PPS delays are important. You will recall from Modules 1 and 2 that emphasis was placed on protecting assets not just from external adversaries but also from internal adversaries.
The rationale is that in some sectors losses at the hands of employees can be greater than losses from outsiders. To add to this there is the problem of colluders. Colluders provide information to outsiders to help the latter carry out an adversary action. They leave doors unlocked to facilitate unauthorised access, and sometimes steal to order on behalf of an outside adversary. The problem is that for employees to carry out their roles they must have access to assets, and as you learnt in Module 2, accessibility (in VIVA) can be the catalyst for temptation (motivation in Routine Activity Theory) to steal.

PPS are the primary means of protecting desirable assets against outside adversaries, but Garcia offers the following comprehensive approach that addresses both external and internal threat sources in tandem. The diagram is intended to show the protection approaches used across the entire threat spectrum. It shows that outsiders acting alone are deterred or delayed by physical protection (PPS), while insiders are primarily delayed (and hopefully thwarted) through materials accountancy - additional procedural measures related to accounting for and tracking critical assets (eg. inventories, random searches, or scans).

While physical protection (PPS) is the primary defence (delay) against outside adversaries, materials accountancy should be employed as the primary means of defence (delay) against inside adversaries. Garcia (2008) recommends that materials accountancy is accomplished through the use of procedures, audits, and inventory management. Additional procedural protection includes the use of personnel security assurance programmes, such as pre-employment background checks and periodic updates, and separation of job responsibilities, so that two or more employees are required to complete sensitive tasks.
This will decrease the probability of insider adversary success, because the cooperation of others is required and, as more people are aware of an imminent adverse action (theft, loss, destruction, damage, harm, compromise or denial), there is a higher likelihood of it being reported.

In the case of collusion between outsiders and insiders, the approach is a combination of physical protection and materials accountancy. Here additional access controls and specific controls are placed on the movement of assets around or out of a facility. For example, in a manufacturing plant, an assembly worker may collude with a third-party contractor to remove finished goods. This act may be countered by eliminating the capability of the employee to move items out of the production area, or by tracking production items manually or automatically.

Garcia’s “protection approaches” diagram reminds us that security is a responsibility which must be shared between security professionals, management and all employees and contractors. This should be underscored in writing, by means of policies, management performance criteria and the procedures which govern the activities of every employee.

Disruption in a Non-PPS Context

The information provided by the security risk analysis will be important in determining whether a formal reaction capability, or at least a plan, is necessary; in some cases, especially when addressing very serious risks, the response must include a contingency plan. In other cases it may simply be an insurance claim. Some responses, such as following a terrorist attack, require the raising of the alert level and the concomitant activation/deployment of additional security measures.
And there are some situations, especially in national security, where disruption of the threat source may be proactive rather than reactive, without waiting for the threat to manifest itself as an adverse event. The same parallel exists in a corporate setting, where individuals with a propensity to do harm can be disrupted by an appropriate form of intervention before an intention develops into an adverse action. By way of illustration only, typical reaction and disruption responses to different scenarios might be as follows (overleaf):

Event: Hotel – Theft of guest property
Reaction: Complaint communicated to security manager
Disruption (Intervention): Security manager and guest search room and begin to assemble evidence

Event: Office Block - Car bomb detonates at neighbouring facility
Reaction: Staff instructed to deploy to safe internal refuges for 1 hour in case of second detonation
Disruption (Intervention): Security team conduct “safe” search of parking areas to identify suspicious vehicles

Event: Manufacturing - Possible intruders detected outside the site perimeter
Reaction: Control room communicates details to quick reaction force
Disruption (Intervention): Quick reaction force deploys to area for pre-emptive intervention

Event: Refinery - Contract department employee suspected of receiving kick-back from supplier
Reaction: Line manager, human resources and security manager meet to consider options
Disruption (Intervention): Employee suspended and investigation begun

Event: Pipeline Terminal - Fishing boat strays into restricted marine tanker loading area
Reaction: Report communicated to marine border guards
Disruption (Intervention): Border guards deploy fast craft to interdict and arrest

Event: Pharmaceutical Industry - New R&D product life cycle collapse following simultaneous competitor launch of analogous product at significantly reduced cost
Reaction: Evaluate possible reasons for product life cycle collapse
Disruption (Intervention): Investigate for leak of sensitive information to competitor

Event: Business Travel – Executive overseas walking in street is subject to continuous abuse and threats of violence by local
Reaction: Executive moves in direction of nearby pre-identified safe haven
Disruption (Intervention): Police called to intervene and arrest aggressor

Event: Pent-up frustrations of an employee begin to manifest themselves as bouts of anger and vocal threats of harm to supervisors and colleagues
Reaction: HR notified
Disruption (Intervention): HR investigates and possible counselling or - if threats considered real - dismissal

Event: Overseas Operation – Parliament building seized by armed insurgents
Reaction: Alert state raised to highest level
Disruption (Intervention): Evacuation of all expatriates

Optimising the PPS

Balanced Protection

The nature of the PPS required will be determined by the design basis threat. The design basis threat is a summary description of the threat assessment which you studied in Module 1 (the Three A’s and the intelligence-based threat assessment questions on Page 14). The security risk analysis will determine the priority you allocate to mitigating each individual threat profile within the summary design basis threat, based on a consideration of the likelihood of occurrence, the potential impact on the organisation, and the existing ability of the organisation to control that threat, or its vulnerability to that threat. When producing a proposal for a PPS the above factors should form the starting point for the business case. There is no point, for example, in specifying a $100,000 perimeter CCTV surveillance system if the greater part of the threat comes from within.
The concept of balanced protection has many interpretations:

The PPS must be balanced against the design basis threat – For example, if the threat is from a suicide VBIED the greater part of the emphasis must be on delays designed to stop a fast-moving vehicle with great momentum from penetrating a barrier, such as a perimeter fence or building frontage (refer to UK standards PAS 68 and PAS 69 for more details, or to US DOS K-series specifications). Detection is always desirable, but in the case of an attack of this nature the time between detection and assessment may be too short to initiate an active delay. If this is the design basis threat then the emphasis needs to be on passive delays, such as bollards, jersey barriers, ditches and berms, and fully-deployed rising curb barriers at entrance points.

The issue of balance is often overlooked when protecting facilities that are at risk of walk-in suicide attacks, especially where unarmed security officers are the norm. While great emphasis is placed on detection and delays, little advice or means is given to security officers to delay or disrupt the adversary once detected. It is likely, for example, in the event of an attempt to attack a function in a well-protected hotel in a high-risk area, that the access control system (officers, X-ray and metal detection) would detect an adversary. But in the absence of a balanced approach that includes disruption (neutralisation), the adversary would likely be able to complete his/her action, rendering what appeared to the layperson to be a good defence ineffective.

There must be balance within the individual elements of a PPS – For example, there is little point in fitting a door with an expensive lock to delay if the gap between the door and the jamb allows the door to be pried open with relative ease. Equally, there is a lack of balance if there is no key control. Mapping out likely adversary paths in the form of adversary task (or path) diagrams (discussed on Page 42) for each scenario helps you to better balance a protective system.

An adversary path is an ordered series of actions against a facility, which, if completed, results in successful theft, sabotage or other malevolent outcome. In any single facility there are likely to be multiple adversary paths relating to many different assets. Source: Garcia - The Design and Evaluation of Physical Protection Systems (2008)

Likewise, with detection, all of the likely adversary paths (the route taken by the adversary to compromise the asset) must be identified and there should be no weak points. A non-PPS example is protecting information. You can employ various means to prevent bad employees from using flash drives to siphon off sensitive company data, but if you allow unrestricted access to the internet, employees can simply upload the target data to personal cloud storage sites.

There must be balance across a series of layers of protection between the adversary and the target – This is discussed in greater detail shortly.

The PPS must be in balance with the organisational culture – There have probably been many times you have wanted to install covert CCTV to catch a thief, or to lock up laptops left out unsecured on desks by employees who have gone to lunch, but you have been told that “we don’t do it like this around here”. This is organisational culture in action. Most contemporary organisational cultures reject the Orwellian approach of a restrictive, controlling, all-seeing security regime, in which everything is forbidden unless expressly permitted (default deny).
Instead, they adopt an approach whereby everything is permitted unless expressly forbidden (default permit), requiring a more subtle security approach.

Layering Security

In the previous section you learnt how protection must be balanced in the various meanings of the word. Another dimension to a security system (or programme) is that it must be configured to provide protection in depth, as indicated in the diagram below. The best security systems are those that comprise layers of different kinds of measures, designed to complicate the adversary path. Protection in depth is easy to conceptualise in a PPS context. For example:

Layer 1 - Perimeter, comprising CCTV or IDS (detection), fence (delay) and nearby security force (response)
Layer 2 – Building shell, comprising IDS (detection), walls and strong doors (delays), and nearby security force or staff (response)
Layer 3 – Inner space, comprising staff (detection), staff, compartmentalisation and safes (delays), and staff or nearby security force (response)

No single security measure should be relied on to protect an asset. In terms of facility protection, layers might include:

- The area beyond the perimeter that needs to be monitored.
- The perimeter itself.
- The area inside the perimeter but outside buildings.
- Building perimeters.
- Building interior space.
- Special areas within buildings.
- Safes, stores and cabinets, and specific objects.

Security in depth is a traditional designation of a series of barriers in a protection plan. Compartmentation is another term that describes the use of barriers to segregate and physically protect valuable material or information. Besides preventing physical penetration, barriers may be used to prevent visual access or the introduction of clandestine listening devices. In this day and age, access to the most vital corporate assets —information— does not even require gaining access to a company Web site. Intruders can now gain access to a company’s computer system from a site anywhere in the world. Source: ASIS Protection of Assets Manual: Barriers (2004)

A key underlying assumption of any protection-in-depth configuration is that physical barriers should become stronger the closer we get to the asset. For example, a typical perimeter fence can be penetrated in seconds, a door perhaps in a minute, and a safe may provide a delay of up to 60 minutes. This will be discussed in greater detail later.

The strength of a security system, especially a security layer, can be measured by the layer’s weakest point, so Garcia (2008) recommends multiple layers of different barrier types and detection systems along the adversary path in order to complicate the adversary’s progress by requiring a variety of different tools and skills. The design objective is to create deterrence by complicating the adversary’s preparation. The role of barriers is therefore to increase the adversary task time following detection by introducing impediments along the adversary path.

The same basic principles of layered protection (protection in depth) can be applied to a non-PPS context. Let’s take sensitive information as an illustration, where differing levels of trust should be given to those with access to sensitive information. For example, a member of the maintenance staff or janitorial team will have a lower level of access than the Head of Research and Development for the company. This can, again, be represented by concentric rings of protection, with those with the greatest access (the smallest number) in the centre ring.

Layer 1 - Janitorial staff, security staff, catering team staff etc. should not have access to sensitive R&D information
Layer 2 – Regular employees who may, by virtue of their work, be required to have access to certain sensitive R&D information
Layer 3 – Management and R&D staff, who are background-screened and bound by non-disclosure agreements

As well as determining levels of access, the concept of protection in depth can apply to the use of complementary and diverse technologies and measures, with the aim of filling any gaps in protective coverage. Here, benefits must be weighed against costs, as it is easy to exceed the budget. However, for highly critical assets identified in the risk analysis as particularly vulnerable, it may be necessary to employ not only diverse and complementary systems, but also systems that have inherent redundancy in case the adversary is able to circumvent the regular measures.

ASIS (2008) emphasises the importance of redundancy in security systems. According to the ten principles of probability developed by the French mathematician and astronomer Marquis de Laplace (1749-1827), when events are independent of each other the probability of their simultaneous occurrence is the product of their separate probabilities. This means that the probability of any one detection system in the security system being circumvented is high, but the probability of all the detectors and barriers in an in-depth or redundant security scheme being compromised is very low. Thus, if the individual probabilities of defeat of two separate layers of security are each 0.1, the theoretical probability of failure of both systems when challenged by an adversary is 0.1 × 0.1 = 0.01.
This is obviously the absolute theoretical minimum probability and will depend on the adversary, the adversary tactics and tools, and the extent to which the two layers of security are different and complementary.

Layering security to provide protection in depth requires access control and delays, and discourages an intruder through the use of multiple, concentric layers of barriers. We have noted that security should grow progressively harder to defeat as the adversary approaches the centre (or most valuable asset). This can be likened to an onion skin. Peeling off each layer reveals another layer. The layers closest to the centre are the thickest.

At the outermost layer, physical controls should be optimised to deter, detect, delay and disrupt, since it is here that any adversary should be stopped. If the adversary succeeds in getting past this point, it may be difficult to stop them from completing the adversary task, especially if the site is large and dispersed. This concept was discussed in greater detail on Page 25. Controls at this point are often assumed to have the ability to stop the adversary, but in reality they usually do little more than define the property line and channel legitimate users through controlled entrance points. On exceptionally high risk sites where critical assets are stored in a variety of easily penetrated buildings, Garcia (2008) advises using a positive protection zone, incorporating detection and assessment, delay, and disruption (guards) at the perimeter. She stresses that if a meaningful delay of the intruder at the perimeter can be achieved, and the response force responds promptly to the assessed alarm, it can intercept the intruder near the point of the alarm.
However, it is difficult to define a perimeter barrier that will delay for a period of several minutes (see Page 24), and positive protection zones are usually only found on specific high security sites and military installations. Note that some barriers, such as emergency exits, provide delay from the outside, but must allow rapid exit from the inside.

Protection Regimes

It is important to note that the type of protection employed will be dependent on whether the facility is in working-hours or after-hours mode.

Working Hours: Emphasis on layered access management and compartmentation, and monitoring for deviance.
Quiet Hours: Emphasis on strong barriers, intrusion detection and response.

In working-hours mode emphasis should be on strong access control, with means to identify any deviance (or attempts to deviate) from the established pattern. In this regard, layered access management and compartmentation are important. Access privileges are based on the need-to-go principle (discussed in detail on Page 55). Working-hours protection places a high reliance on staff to contribute to the overall protective effort, so developing a security culture in which staff “buy in” to the security programme is important.

After working hours the emphasis switches to barriers (locks, doors, gates), supported by intrusion detection systems, CCTV and credible response. Patrolling and visits by a security contractor are important, but they don’t replace intrusion detection. This point is important with larger facilities to which there might be an irregular pattern of out-of-hours access by staff. Small- to medium-sized facilities are much more likely to have strong after-hours intrusion detection than are large corporate offices, where staff may be required to attend after hours. In such cases security officers are the mainstay of intrusion detection. Given the high level of reporting by security managers of dishonesty among security officers, this situation is not desirable. To the extent possible, a facility should be zoned and alarmed, and every “legitimate” deactivation of a zone alarm during after-working hours should be accompanied by an audit trail. CCTV is no substitute. Thefts are much more likely to occur in facilities which rely solely on internal CCTV as the main after-hours electronic protection means than in facilities with good compartmentalisation (locked doors), supported by zoned access management.

With many seemingly pure security problems, the best solution may not rest with security measures alone. In the case of a corporate headquarters building, a more secure regime can often be created by giving staff the electronic and communications means to become less dependent on having to come into the facility if the need arises after normal working hours, thereby allowing the facility to be locked down and alarmed.

Validity and Reliability

For a PPS to remain optimised it should be regularly assessed and audited for validity and reliability. Validity is a measure of the PPS’s performance against the design basis threat. Does the measure actually do what it is supposed to do? Reliability may be defined as the consistency with which the countermeasure achieves its designed objective over a large number of similar cases. One way to achieve high levels of reliability in security systems is, as discussed, to create redundancy and protection in depth. These concepts are studied in greater detail later in this unit in the System Testing sub-section of Security Surveying, beginning on Page 63.
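Returning to the after-hours regime above, the requirement that every “legitimate” zone deactivation carry an audit trail can be checked mechanically. The following Python script is an added example, not ISMI course material; it assumes a constructed panel event log and a constructed list of approved after-hours attendances (the feed names, zone codes and user ids are all invented), and reports each after-hours disarm that has no matching approval.

```python
"""After-hours alarm-zone deactivation audit (added example, not ISMI course material).
Assumes two constructed feeds: the intrusion detection panel's event log (zone DISARM/ARM
events) and the access management system's approved after-hours attendances. Every disarm
outside working hours must match an approval for the same person, zone and time window."""
from dataclasses import dataclass
from datetime import datetime, time

WORKING_HOURS = (time(7, 0), time(19, 0))   # assumed working-hours window

# Constructed panel log: "<ISO timestamp> <zone> <DISARM|ARM> <user id>"
PANEL_LOG = """\
2023-09-12T08:05:00 Z1-LOBBY DISARM U101
2023-09-12T21:40:00 Z4-RND DISARM U117
2023-09-12T22:15:00 Z2-ARCHIVE DISARM U203
2023-09-12T23:30:00 Z4-RND ARM U117
2023-09-13T02:10:00 Z4-RND DISARM U150
"""

# Constructed approvals: (user id, zone, approved from, approved to)
APPROVALS = [
    ("U117", "Z4-RND", "2023-09-12T21:00:00", "2023-09-13T00:00:00"),
    ("U203", "Z3-PLANT", "2023-09-12T22:00:00", "2023-09-12T23:00:00"),
]

@dataclass
class Disarm:
    when: datetime
    zone: str
    user: str

def is_after_hours(when: datetime) -> bool:
    start, end = WORKING_HOURS
    return not (start <= when.time() < end)

def parse_disarms(log_text: str) -> list:
    """Keep only DISARM events; re-arming a zone is not a deviation."""
    events = []
    for line in log_text.splitlines():
        ts, zone, action, user = line.split()
        if action == "DISARM":
            events.append(Disarm(datetime.fromisoformat(ts), zone, user))
    return events

def is_authorised(d: Disarm, approvals) -> bool:
    """An approval counts only for the same user, the same zone and the approved window."""
    for user, zone, start, end in approvals:
        if (user, zone) == (d.user, d.zone) and \
                datetime.fromisoformat(start) <= d.when <= datetime.fromisoformat(end):
            return True
    return False

def audit_after_hours_disarms(log_text: str, approvals) -> list:
    """Return (zone, user, timestamp) for each after-hours disarm with no audit trail."""
    return [(d.zone, d.user, d.when.isoformat())
            for d in parse_disarms(log_text)
            if is_after_hours(d.when) and not is_authorised(d, approvals)]

if __name__ == "__main__":
    for zone, user, when in audit_after_hours_disarms(PANEL_LOG, APPROVALS):
        print(f"UNAUTHORISED after-hours disarm: {zone} by {user} at {when}")
```

On the constructed data, the disarm of Z2-ARCHIVE by U203 (approved for a different zone) and the 02:10 disarm of Z4-RND by U150 (no approval at all) are the two findings; the daytime lobby disarm and the approved R&D attendance are not reported.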
Controls and Procedures

Deterrence, detection, delays and disruption are the core building blocks of security system design, but it is controls and procedures which are the “cement” that bonds them together into a symbiotic relationship. Controls allow authorised activities to take place by authorised persons at authorised locations and authorised times, and should have the inherent ability to detect, delay and report deviations. Procedures (Assignment Instructions) were discussed in Module 3. For controls and procedures to be effective, there should be regular checks and audits to ensure compliance, and follow-up action if weaknesses are identified.

Seven Essentials for Security

No one approach, such as the 3D’s, has the monopoly on security design. Cumming (1992), for example, presents seven essentials for security as follows:

Deter the Potential Attacker/Intruder – Design the building to appear strong and solid. Make it self-evident that the structure is guarded, occupied and equipped with a security system. This need not detract from the company image or architectural aesthetics.

Demarcate – Establish defined boundaries. Do not allow the site to become an open house, shortcut, play area, or attraction to vandals. Create a defendable space with fences, hedges, gates etc.

Prohibit – Only allow entry or exit to the premises through a limited number of doors, gates, and barriers. Always make people establish their right to be in that area. Never leave any area open during times of risk (e.g. night, shift changes).

Delay – Create a sound, solid structure that will delay unauthorised entry for sufficient time (minutes rather than seconds) to significantly increase the risk of intruder detection.
Detect – If, despite the strength of your physical barriers, the intruder gains entry, ensure that the entry is to areas patrolled by the guards or monitored by the intruder detection system and that his route to his objective will result in his being monitored by that detection system for the longest period possible.

Communicate Alarm – Make sure that somebody who is prepared to react is extremely likely to hear the alarm that has been raised. Send the signal to the security company or police, ring multiple local bells etc.

Deny – Deny easy access to information, keys, ladders, plans, computers, switch rooms, etc., all of which might prove to be of use to a potential intruder.

Situational Crime Prevention

A good security design will always take into account situational crime prevention, addressed in detail in Unit 2. You will recognise many of the situational elements below as being integral security design elements.

Increasing Perceived Effort: Target hardening; Access control; Deflecting or channelling offenders; Controlling facilitators.
Increasing Perceived Risk: Entry/exit screening; Formal surveillance; Surveillance by employees; Natural surveillance.
Reducing Anticipated Rewards: Target removal or substitution; Property marking; Monitoring; Denying benefits.
Inducing Guilt or Shame: Rule setting; Facilitating compliance; Moral condemnation.

Crime Prevention through Environmental Design

To the extent possible, security designs should incorporate the best principles of CPTED, discussed in Unit 2 – Crime Prevention.
CPTED is built on Newman’s (1972) concept of defensible space, which has at its core:
- Territoriality – the idea that one’s “space” is sacred.
- Natural Surveillance – the link between an area’s physical characteristics and the occupants’ ability to see what is happening.
- Image – the capacity of the physical design to impart a sense of security.
- Milieu – other features that may affect security, such as proximity to security or a busy area.

Creating natural surveillance is paramount. The image (left) illustrates how, for example, tree canopies should be maintained at a height of at least 2m from the ground, and how bushes and shrubs should not be allowed to exceed 1m in height. This then creates a 1m plane of surveillability through which unauthorised activity can be observed through natural surveillance. However, it still poses difficulties for CCTV surveillance, and careful siting of cameras is required. Natural surveillance can be impeded by poor design elements such as recessed doorways (right), which allow adversaries to attack security mechanisms unobserved.

Crowe (in Fennelly, 2004) identifies the following as important elements that contribute to good natural surveillance:
- Provide clear border definition of controlled space.
- Relocate gathering areas to locations with natural surveillance and access control, or to locations away from the view of would-be offenders.
- Place safe activities in unsafe locations to bring along the natural surveillance of these activities (to increase the perception of safety for normal users and risk for offenders).
- Place unsafe activities in safe spots to overcome the vulnerability of these activities with the natural surveillance and access control of the safe area.
- Overcome distance and isolation through improved communication and design efficiencies.

Adversary Path Modelling

Logic Diagrams

It is axiomatic that the more ways in which an asset can be compromised, the more vulnerable it is to theft, destruction, damage, harm, compromise or denial. Adversary path diagrams in the form of logic diagrams are a useful tool in helping the security professional analyse the various ways by which an asset may be compromised and in developing the design basis threat. Logic diagrams depict a sequence of events along envisaged adversary paths. Some of these are either/or events (the adversary can use one or the other tactic), and some are event sets (the adversary must complete all actions in a set) at a certain stage of the path for the action to continue. The either/or events are represented by an “or” gate, while the event sets are represented by an “and” gate.

[Figure: the “or” gate and “and” gate symbols]

The starting point for each event is represented in a standard logic diagram by a circle. A diamond shape represents an event which hasn’t yet been fully analysed and requires further development. A logic diagram should at least be developed to model the most serious risk(s), as embodied in the design basis threat.

Sell Secrets to Adversary
  Take Photographs with Mobile Phone (“and” gate)
    Defeat Main Entrance Unchallenged
    Remain Undetected
    Walk around R&D
  Obtain Information (“or” gate)
    Socially Engineer Employee to Disclosure
    Go through Trash Bins
    Pay Cleaner to Plant Listening Device

The above example depicts the compromise of information from an R&D department. The left-hand side of the diagram (components feed into an “and” gate) represents events that all have to be completed in order to progress to the next level, which is gaining access to the R&D department to physically compromise information.
The right-hand side of the diagram (components feed into an “or” gate) represents a range of events, any one of which may lead to successful compromise of the information. This is a very simple depiction. Very

See Background Note 5.2
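The logic diagram above and the Laplace product rule from the Layering Security section are two views of the same arithmetic: an “and” gate multiplies the probabilities of its child events, an “or” gate is defeated only if every alternative fails. The following Python script is an added example, not from the ISMI unit; it models the R&D diagram with constructed per-event probabilities (pure assumptions for illustration), shows which branch dominates so the designer knows where another layer is needed, and, for the caveat that the 0.01 figure is only a theoretical minimum, gives the range an “and” gate can take when the layers are not independent.

```python
"""Evaluating an adversary-path logic diagram (added example, not from the ISMI unit).
"and" gates need every child event, "or" gates any one, as on the page. The per-event
probabilities are constructed assumptions that only illustrate the arithmetic."""
from dataclasses import dataclass, field, replace
from math import prod

@dataclass
class Event:
    name: str
    gate: str = "leaf"     # "leaf" (one adversary action), "and" or "or"
    p: float = 0.0         # leaf only: assumed P(adversary completes the action)
    children: list = field(default_factory=list)

def p_complete(ev: Event) -> float:
    """P(adversary completes this event), treating child events as independent."""
    if ev.gate == "leaf":
        return ev.p
    ps = [p_complete(c) for c in ev.children]
    if ev.gate == "and":   # Laplace: all children needed, so multiply the probabilities
        return prod(ps)
    if ev.gate == "or":    # any child suffices: 1 - P(every alternative fails)
        return 1.0 - prod(1.0 - q for q in ps)
    raise ValueError(f"unknown gate {ev.gate!r}")

def and_gate_bounds(ps) -> tuple:
    """Range for an "and" gate when the events are NOT independent (Frechet bounds). The
    product is the floor only for different, complementary layers; if one tool or skill
    defeats every layer the joint probability rises to that of the weakest layer."""
    return max(0.0, sum(ps) - (len(ps) - 1)), min(ps)

def dominant_path(ev: Event) -> str:
    """Child event contributing the highest completion probability: where to add a layer."""
    return max(ev.children, key=p_complete).name

def with_control(ev: Event, leaf_name: str, new_p: float) -> Event:
    """Copy of the tree with one leaf's probability changed, to test a countermeasure."""
    if ev.gate == "leaf":
        return replace(ev, p=new_p) if ev.name == leaf_name else ev
    return replace(ev, children=[with_control(c, leaf_name, new_p) for c in ev.children])

# The R&D information-compromise diagram from the page, with constructed probabilities.
RND_TREE = Event("Sell secrets to adversary", "or", children=[
    Event("Take photographs with mobile phone", "and", children=[
        Event("Defeat main entrance unchallenged", p=0.2),
        Event("Remain undetected", p=0.5),
        Event("Walk around R&D", p=0.8),
    ]),
    Event("Obtain information", "or", children=[
        Event("Socially engineer employee to disclosure", p=0.3),
        Event("Go through trash bins", p=0.1),
        Event("Pay cleaner to plant listening device", p=0.05),
    ]),
])

if __name__ == "__main__":
    print(f"P(compromise) = {p_complete(RND_TREE):.3f}, dominant path: {dominant_path(RND_TREE)}")
    print("two 0.1 layers: independent", 0.1 * 0.1, "bounds", and_gate_bounds([0.1, 0.1]))
    hardened = with_control(RND_TREE, "Socially engineer employee to disclosure", 0.1)
    print(f"after awareness training: {p_complete(hardened):.3f}")
```

With these figures the physical “and” branch contributes 0.08 but the “or” branch 0.40, so hardening the main entrance changes little while reducing the social-engineering leaf from 0.3 to 0.1 brings the overall figure from 0.449 to 0.292; for the two 0.1 layers, the bounds show the joint defeat probability lies anywhere between 0 and 0.1, and reaches the product 0.01 only when the layers are genuinely independent.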