Finding sensible PHYSEC solutions - Part 3
Most people understand that physical security control measures, such as security alarms, access control and CCTV systems, are a necessary evil in this day and age. However, when it comes to what security measures to install, and to what extent, everyone has a different view. Nobody wants to “undercook” their physical security and risk insufficient protection of their people and assets. But neither does anyone want to throw money away on extensive and expensive systems that are unnecessary.
In this series of blogs, we are laying out a basic process that can be used to help you determine a pragmatic, proportionate and effective physical security solution for your organisation. We started by looking at threat and risk, followed by how to apply threat and risk assessments to your organisation’s physical security environment. In this instalment we will look at some of the principals of physical security and how these apply to different physical security control measures. Finally, we will pull everything together to present a high-level process for determining an appropriate physical security solution for your business.
It's probably worth noting that the language and terminologies used in this series of blogs has been deliberately simplified so that it can be understood by everyone and not just the technical experts!
In the last two parts of this series, we looked at threat and risk, and applying a risk assessment to your organisation. In this part we will take a small sidestep and look at some of the key concepts and principles in physical security and physical security control measures.
Deter, Detect, Delay and Respond.
Physical security measures can mitigate risks through one or more of deterring, detecting, delaying, or responding to threat actions:
Deter. The aim of deterrence is to stop or displace an intrusion before it has taken place. This is the primary goal of the whole physical security system – the best outcome is always to stop a threat action from happening when possible. For example, a sign stating an area is under CCTV surveillance may make a criminal think twice before breaking into a shed to steal tools.
Detect. The primary purpose of detecting a threat action or event occurring is to initiate a timely response, which may reduce the impact of the event. For example, a fence alarm may detect an unauthorised intruder entering your site, prompting a security guard response which may disrupt an attempt to break into the shed to steal the tools.
Delay. Measures that are put in place to delay, or slow down, the intrusion. This decreases the chances of the intruder reaching their target before being apprehended or giving up. For example, a high quality lock on the storage shed may be beyond the capability of many criminals to defeat or take a determined criminal some time to bypass.
Respond. The response to an intrusion should ensure that the incident is stopped or, at a minimum, cannot progress any further. Also, a post-incident response can provide information that enables additional control measures to be employed that reduces the risk of the incident occurring again. For example, the arrival of a security guard on site will likely cause a criminal to cease their attempts to break into the storage shed and leave as quickly as possible.
It is important to understand what domains a security measure operates within to determine how effectively it will mitigate a specific risk, if at all. For example, a CCTV camera will deter but not delay an intruder, a mechanical lock will delay but not detect an intruder, an alarm system will detect and instigate a response but not delay an intruder.
Crime Prevention Through Environmental Design (CPTED).
CPTED provides a framework for incorporating crime prevention within quality urban design by focusing on reducing the opportunity to commit crime, therefore lessening the motivation to offend. The natural and built environment can help or hinder physical security. While the origins of CPTED are in urban design, there are elements that are applicable to many other types of site.
There are four key overlapping CPTED principles:
Surveillance. People are present and can see what is going on. For example, ensuring your storage shed is well lit and visible to passers-by on the street will increase the chances of a criminal trying to break into that shed being seen.
Access management. Methods are used to attract people and vehicles to some places and restrict them from others. For example, closing off your site carpark to vehicles after hours will discourage people from congregating, which may in turn reduce the risk of opportunistic targeting of your storage shed.
Territorial reinforcement. Clear boundaries encourage community ‘ownership’ of the space. For example, a clearly marked boundary around your site will discourage people from entering and loitering, which may in turn reduce the risk of opportunistic targeting of your storage shed.
Quality environments. Good quality, well maintained places attract people and support surveillance. For example, a poorly maintained storage shed suggests a lack or care or concern for it, which in turn may lead to a potential criminal believing their risk of being caught is reduced.
Security in depth.
'Security-in-Depth' involves layering multiple security measures to make unauthorised access difficult. These measures should complement and support one another. A visual representation of this is shown in Figure 2.
Figure 2 – Layered approach to physical security.
Each individual layer represents a set of security controls or obstacles that any threat or attacker would need to breach in order to compromise the asset(s), with the layers operating cumulatively towards the total effective protection. Layers of security controls also provide redundancy, reducing the risk of compromise should a single layer fail.
For example, a criminal may need to pass through multiple layers, include a perimeter fence, security lighting, a robustly constructed storage shed and a high quality lock, before getting access to the tools in the shed to steal them.
In this blog we have looked at some of the concepts and principles of physical security and how they may relate to physical security control measures. In the final part of this series, we will take everything we have covered so far and see how together they can direct us towards a pragmatic, proportionate and effective physical security solution.