Stephen D Green
Stephen D Green
Download PDF version Contact company
A house on sand
The security industry can be like a house built on sand if there's a lack of professional standards set in place

Picture the scene: You’re suffering from a persistent pain and so decide to take a trip to your doctor to get it checked out. You step into the consulting room but, before you can speak, he looks you up and down, haw and hums, and then writes out a prescription. Would you be happy that drugs prescribed in this manner will cure your ailment when your doctor has not even bothered to establish what the problem is? Would you accept this as any sort of professional approach? Of course you wouldn’t, and yet every day, in every corner of the Security Industry, this is exactly what is happening, informs Stephen D Green, Physical Security Sector Champion for the Security Institute Research Directorate Knowledge Centre.

Security Managers, faced with an immediate security problem and Directors screaming for action, over-rely on experience, leap to conclusions as to what the solution should be, reach for the catalogue and start ordering. This is why, for example, all too often I will come across vehicle control points in site perimeters equipped with K12 crash-rated roadblockers, when 10 yards to each side of the entrance is a chain-link fence that my kids could punch through. The Security Managers, like the doctor above, have failed to analyse and diagnose the problem, leaving it to chance that the action taken will fit the need. But when the measures put in place fail, it is the Security Managers competence that is drawn into question.

All security system designs should be risk-based. Such an approach encourages analysis of evaluation of risks such that priorities may be established

Is such criticism fair? After all, Security Managers are only human, and humans use unconscious heuristics, or shortcuts, to achieve their goals. We all have personal biases and comfort-zones (“…it’s what we’ve always done”…), we all benchmark or crib off others (…”it’s what Bill down the road does”…) and we all satisfice (…”it’s good enough and it’s available now”…). And it’s not as if there is a wealth of reliable, independent information out there on which to base procurement decisions; in 2007 Professor Adrian Beck of Leicester University, describing the “data desert” at the heart of the Security Industry, stated that “…if CCTV or EAS were a drug, we would be absolutely appalled at the way it has been introduced and widely used without any rigorous testing of its likely impact on the patient*.I also wonder if the prevalence of second-careerist, ex-armed forces or police officers in the industry has a bearing; General Colin Powell famously once stated that “…if you have between 40 and 70% of the information required to make a decision, go with your gut”. So what can the poor beleaguered Security Manager do to improve this situation? The answer is simple; all security system designs should be risk-based. Such an approach encourages analysis of causality and evaluation of risks such that priorities may be established, leading to problem-oriented solutions which, most importantly, are justifiable before a Company Board being asked to provide funding.

Risk analysis is essential for security
An initial and comprehensive risk analysis assessment should be executed prior to purchasing products for the system

Risk was defined in the seminal 1992 Royal Society report as “..the probability that a particular adverse event occurs during a stated period of time, or results from a particular challenge.”** There are many variants of quantified risk assessment process around the world, including the relatively-new ISO31000 standard, which developed out of the AS/NZS 4360 standard. Alternatively a good method, widely used within the petrochemical industries, is the American Petroleum Institute Security Vulnerability process. All of these various methods share a number of common features:

Risk Identification –Identifying and characterising all critical assets and the specific threats facing them

Risk Analysis – Identifying from the list of all possible risks those which are credible given the existing vulnerabilities , the counter-measures already in place and the capabilities of the adversary

Risk Evaluation – Assigning a numerical, ordinal value against each risk to allow ranking and prioritisation of effort

The level of understanding required to achieve this can only come from careful and continuous stakeholder engagement to ensure a good cross section of views and opinions; it cannot come from one person, or indeed one discipline, in isolation. The perception of risk is influenced by too many factors to describe here, but suffice to say that it is subjective, personal and experiential in nature. This is why some people read a book or walk the dog at weekends whilst others throw themselves out of perfectly good aeroplanes or climb up the side of mountains.

Even risk-based technical counter-measures are only of use when deployed in support of a set of good, well-thought out security policies, procedures and practices on which staff have been trained and exercised
Risk management is inherently a group activity, and should be iterative to reflect the changing nature of threat environments. The outcome of the risk assessment process should be a document, known variously as a security treatment plan or a Concept of Operations, which outlines the way the proposed new counter-measures are intended to work. From this it should be possible to define a detailed Operational Requirement for every device, listing its intended functionality and any technical performance criteria it needs to comply to. Later, following implementation, it is these two documents that will close the circle by verifying the installation delivers that which was intended at the outset. 

Of course, it must be acknowledged that getting the technical element right is only part of the solution. Security is a sociotechnical system; it is made up of technical and human elements. Even risk-based technical counter-measures are only of use when deployed in support of a set of good, well-thought out security policies, procedures and practices on which staff have been trained and exercised. Remove any of these elements and the project can only fail. Therefore, paraphrasing Mathew 7:26, the Security Industry can often be “…likened unto a foolish man, which built his house upon the sand”. If the industry wishes to present itself as professional, it needs to adopt professional standards of evidence-based and methodical design rather than the haphazard guesswork which remains all too prevalent today.

* - Beck, A. (2007a) The Emperor Has No Clothes: What Future Role for Technology in Reducing Retail Shrinkage? Security Journal, Volume 20, pp57–61

** - Royal Society (1992) Risk, Analysis, Perception and Management. London. Author

Download PDF version Download PDF version

Author profile

Stephen D Green
Stephen D Green Physical Security Sector Champion, Security Institute

Related videos

Upgraded feature for Xesar - Now with smartphone as well!

Upgraded feature for Xesar - Now with smartphone as well!
Enhancing government security with proactive threat detection from Wavestore

Enhancing government security with proactive threat detection from Wavestore
Join the biggest hour for Earth

Join the biggest hour for Earth

In case you missed it

What is the expanding role of audio in today's physical security systems?
What is the expanding role of audio in today's physical security systems?

Audio might detect sounds like breaking glass or footsteps before a person even enters the field-of-view of a video camera. Audio also helps to provide context: Someone running in...

Marin Hospital enhances security with eCLIQ access control
Marin Hospital enhances security with eCLIQ access control

The Marin Hospital of Hendaye in the French Basque Country faced common challenges posed by mechanical access control. Challenges faced Relying on mechanical lock-and-key technol...

Climax releases an advanced smart telecare solution with voice control
Climax releases an advanced smart telecare solution with voice control

GX-MAX-DT35B Smart Care Medical Alarm comes with a brand-new case design. The battery level and the cellular signal strength will be indicated through the white bar on the top cove...

Security beat

Indoor drones ready to deploy in multiple security verticals

Indoor drones ready to deploy in multiple security verticals
View all

Round table discussions

What is the expanding role of audio in today's physical security systems?

What is the expanding role of audio in today's physical security systems?
View all

Security bytes

Getting to know Chris Bone, CTO at ASSA ABLOY Group

Getting to know Chris Bone, CTO at ASSA ABLOY Group
View all
Featured white papers
Honeywell GARD USB threat report 2024

Honeywell GARD USB threat report 2024

Download
The role of artificial intelligence to transform video imaging

The role of artificial intelligence to transform video imaging

Download
Access control system planning phase 1

Access control system planning phase 1

Download
Key Findings from the 2024 Thales Cloud Security Study

Key Findings from the 2024 Thales Cloud Security Study

Download
Bank security

Bank security

Download
Quick poll
Which feature is most important in a video surveillance system?
More expert commentary
Rethinking physical access control to operate in an IT-centric environment

Rethinking physical access control to operate in an IT-centric environment
The total cost of security - accounting for all security expenses

The total cost of security - accounting for all security expenses
The benefits of training in the access control market

The benefits of training in the access control market
Featured products
Dahua Starlight Network Panoramic Camera

Dahua Starlight Network Panoramic Camera
All new exacqVision Advantage with Illustra cameras

All new exacqVision Advantage with Illustra cameras
Anviz AI Outdoor Bullet Network Camera

Anviz AI Outdoor Bullet Network Camera