Most people understand that physical security control measures, such as security alarms, access control and CCTV systems, are a necessary evil in this day and age. However, when it comes to what security measures to install, and to what extent, everyone has a different view. Nobody wants to “undercook” their physical security and risk insufficient protection of their people and assets. But neither does anyone want to throw money away on extensive and expensive systems that are unnecessary.

In this series of blogs, we are laying out a basic process that can be used to help you determine a pragmatic, proportionate and effective physical security solution for your organisation. We started by looking at threat and risk, followed by how to apply threat and risk assessments to your organisation’s physical security environment. In the third instalment we looked at some of the principals of physical security and how these apply to different physical security control measures. In this final instalment, we will pull everything together to present a high-level process for determining an appropriate physical security solution for your business.

It's probably worth noting that the language and terminologies used in this series of blogs has been deliberately simplified so that it can be understood by everyone and not just the technical experts!

In the first two parts of this series, we looked at threat and risk, and assessing the physical security risk to your organisation. In the third part we looked at some of the concepts and principles of physical security and controls. In this part, we bring these threads together to determine effective physical security control to address the identified risks, guided by the relevant concepts and principles.

Firstly, your risk assessment and organisational risk tolerance should highlight the key physical security areas that need mitigation measures. By focusing on the highest risk areas you ensure you are expending effort and resource in the areas where it is most needed to provide a proportionate solution.

Next, determine which physical security controls will provide suitable and effective mitigation against those risks. Before looking at direct controls, think about how the principles of CPTED and using the natural and built environment can be used to your advantage. Then consider each of the direct physical security controls in terms of how they fit into the deter, detect, delay and response framework – which aspects of the framework are required to effectively mitigate the risk and what controls can be applied to each of those aspects. While most controls will span more than one aspect, it is unlikely only one control will give full coverage to mitigate a risk. Which brings us to security-in-depth – think about the process of the threat action or event and how it “interacts” with each security control along with any potential interdependence between controls (for example, a guard force response requires an alarm or other prompt to initiate it).  Ensure you have multiple layers and try and avoid single points of failure.

Once you have mapped out proportionate and effective physical security controls, find the common ground. It is likely many of the controls will overlap different risks and these can be consolidated into a single control specification that covers all the relevant risk mitigation requirements. This provides a pragmatic deployment solution for each control. Alongside this, undertake a gap analysis with your existing physical security controls – look at what you might already have in place that can provide effective mitigation and may reduce the additional controls that need to be installed. This provides a pragmatic deployment solution across all controls.

Finally, take your list of the additional physical security controls required to mitigate your identified risks and develop a deployment plan, looking to link the control and management systems of each control together wherever possible to enable them to work together and to reduce the management burden.

Worked example.

Let’s bring it all together, based on the very basic example used throughout this series.

The identified risk is petty criminals breaking into a storage shed on site, stealing tools that are essential to the operation of the business. As the site has minimal existing physical security controls and the loss of the tools would have a significant impact on business operations, the risk rating is assessed to be high.

There is an overgrown hedge around the site that blocks the view of the shed door from the road. By trimming this hedge, the door can be seen from the road, is better illuminated by the streetlights and makes the site look tidier and well kept (natural surveillance and quality environments).

While the door to the shed is reasonably robust, it opens inwards and is prone to a solid kick or shoulder charge. By converting it to an outwards opening door with hinge bolts, it presents a much tougher target requiring more time to defeat (delay), in full view of the street (deter).

Installing a monitored security alarm in the shed will provides a notification of attempted unauthorised access (detect) and allow a response from the security guard force (respond).

A locked internal cabinet or storage cage can also be installed, providing an extra layer of physical barrier but also providing an additional delay factor after the alarm detection to give the guard force time to respond.

This is just a basic example and there are many other options available to mitigate this type of risk – one of the simplest being to move the tools to a more secure location. However, hopefully this have given you an idea of the process to determine a pragmatic, proportionate and effective physical security solution for your organisation that is a little more robust than just glossy brochures and good ideas.

ICARAS Security Consultants are passionate about keeping New Zealand safe and secure. We are can provide guidance and assistance across the full spectrum of your physical security journey, including threat and risk analysis, physical security assessment and control measure planning.