LUSAX Security Informatics - Experts & Thought Leaders

Since 2006, the LUSAX research program at Lund University in Sweden has investigated the effects of digitisation on the physical security industry. This article will look into the forces driving digitisation, and how those forces broadly translate and impacts the physical security industry. Historically, physical security systems have moved from purely mechanical systems into systems holding both mechanical and electronic low-voltage circuit-based components. Development was pushed further forward when digital components emerged in the late 1980’s with the introduction of Digital Video Recorders (DVRs). And from 1996, when Sweden-based Axis Communications claims to have introduced the first network-enabled surveillance camera, digital components were further introduced into physical security systems. From a strategic business point of view, the digital shift most importantly brought with it new ways of doing business. Currently it is more common to observe novel and potentially more efficient business models challenging the proprietary and integrated one-brand manufacturer-distributor-integrator model historically associated with the industry. However, from an end-user point of view, the primary objective of a security system is still to protect organisational assets from harmful action. Preferably this is achieved by means of pro-active deterrence, and secondarily by direct prevention. Any change in the underlying technology – mechanical or digital – needs to be evaluated against these objectives. In order for technological advancements to be value adding, it needs to either strengthen the overall performance – both in terms of functional and non-functional requirements – of the current system, or lower costs for the same performance. In the case of a video surveillance system, the purpose of the system could be to decrease the number of shoplifting incidents at a store by means of temporarily storing the snapshots or shorter video sequences of customers visiting the store. Two examples of advancements associated with digital surveillance cameras may for example be superior performance in terms of picture quality and ease of access to the recorded material compared to previous generations of surveillance cameras. But, it could also be to protect assets against unintended harmful actions, for example in protecting co-workers from exiting areas with sensitive business information. Furthermore, digital systems have been suggested to have potential value in improving core value-adding operations. A prime example of this feature is the track-and-trace functionality in parcel shipment. Finally, the potential of pre-programmed self-diagnostics is another example of feature associated with future digital systems. Why digitisation happens When Sweden-based Axis Communications claims to have introduced the first network-enabled surveillance camera, digital components were further introduced into physical security systems More broadly, digitisation is tightly coupled to what is referred to as Moore’s Law within the computing industry. First formulated by Gordon Moore at Intel in the early 1960’s, it proposed that computing capacity doubles every 12 months. Put in other terms, if we enter a computer store to buy computing power in June 2013 for one dollar, we would receive double the amount of computing power in June 2014 for the same amount of dollar. Gordon Moore was proven right, although slight modifications to the law have been added. The current doubling-speed in terms of computing power happens every 24 months. While this is merely a computational law, the business-consequences are important. Assuming a doubling of computing power every 24 months creates business opportunities for entrepreneurs that can translate the computing power into business-serving concepts at a low cost. This creates a strong cost-pressure on firms to consider digitising and even automating parts of the value-adding process. Examples of professional categories that have been affected by automation are for example secretaries, travel agents and bank tellers. Moore’s law may impact industries in mainly two distinct manners: The first being digitisation that enhances the physical and manual activities – referred to as a kind of digital overlay to the current activities. The second one having more fundamental impact on an industry in the form of automation – simply substituting manual labour with (digital) machines, like in the case of the professions mentioned earlier. Reasons for a slower pace of digitisation Consequently, the key decision is not to ignore digitisation as a mere ‘gadget shift’, but rather to ask the question - in what way will Moore´s law impact my industry sector? Will Moore’s Law digitally reinforce and complement current work-practices according to the digital overlay-scenario, or will it simply substitute manual security labour gradually? The evidence the LUSAX-team has collected the past 9 years suggests a slower than expected, gradual and complementary development compared to other industries. We see three main reasons to a slower development speed. The first (1) being the nature of security systems, they are to deter harmful action that is based on non-standardised behaviour. The intruder is actively attempting to outsmart the system. Routine business tasks, like registering invoices is a routine that once established may easily be duplicated and lends itself easily to digitisation and automation. Quite the opposite – and due to the variation in the intruder’s behaviour –duplication of the external qualities of a security system across an organisation would represent a risk in itself. In the case of the physical security industry, the evidence collected by the LUSAX group suggests a more slow-moving digitisation more associated with the digitally enhancing scenario Secondly (2), the service-level of security systems should be near fail-safe. Everyday use of IT-based services is associated with a higher degree of acceptance to operational disruptions, meaning users and organisations tolerate a lower than fail-safe performance-level compared to security systems. This is sometimes refereed to as the Beta-culture of the IT-industry. In turn, this generates a more conservative approach to experimentation with new technologies among security practitioners that makes digitisation a slower-moving process compared to other sectors. Third (3) and finally, while it is true that security management has increased in importance from a corporate point of view the past decades, security management still is redundancy and contingency-centric. This in turn hampers a rapid diffusion of digital security innovations. On the other hand, strategic management more generally concerns itself with achieving organisational goals by actively taking risks in a lean and non-redundancy direction. This orientation lends itself more compatible with the automation scenario, for example reducing the need to keep parts of the corporate accounting, marketing or R&D staff internally. Summary In this article we have briefly introduced Moore’s Law as a broad driver of digitisation. The effects of digitisation may impact industries differently. Either disruptively - basically gradually reducing the need for manual execution of current work practices, or enhance activities by means of digitisation. In the case of the physical security industry, the evidence collected by the LUSAX group suggests a more slow-moving digitisation more associated with the digitally enhancing scenario.

Law enforcement and pure problem-solvingskills will play less of a role for the futuresecurity director Much effort has been put down in the professionalisation of security work. Not only is it a recurring topic of conversation at events for security professionals, but also a formal topic of concern for ASIS – having active task forces devoted to the promotion of professionalisation and academisation of security practice as well as a recently updated standard (ANSI/ASIS CSO.1-2013) describing the competence profile of a Chief Security Officer (CSO). The outer driving forces for this effort are well-known; for example the increase of uncertainties relating to cyber-security threats, industrial espionage, activism and business-related risks when operating in hostile environments. In parallel with this trend, the demands for a formal, ongoing and cost-effective coordination of security work has further increased. Also on the list of organisational demands are clearer and improved business processes that cut across functional and operational value-creating activities, and increased use and sharing of security-supporting technologies. Furthermore, our research shows that physical security since long is a well-established business process within larger firms and a further development of security management would seem a natural development. Distinctive for well-established professions are commonly agreed methodologies, techniques and terminology among professionals. Furthermore, a uniform and considerable quality assurance process is often in place in the form of higher education and/or formal licencing. Prime examples of professions often referred to are medical doctors and lawyers. In short, a professional from one country should more or less be able to communicate with colleague in another part of the world. There is an uncertainty regarding the academic orientation that security management should have For security management there exists no such well-established equivalent. Institutions of higher education that offer security management are Edith Cowan University in Australia and the specialisation in Security Management that is offered at Wharton at University of Pennsylvania with ASIS as supporting body. Engineering, criminology or business/management? For any higher education with a clear identity and recognition the fundamental (research) question of whom or what we are is agreed upon. In effect, establishing a higher education in security management is tightly coupled with the question on what would be general research direction for security management. This is an important question – both short-term and long-term. In the short-term it is important to know what universities and schools to target, and long-term to guarantee the profession a development in the right direction and with the intended legitimacy. A crude division can be made by dividing research and higher education into three general orientations; the first (1) being an orientation towards engineering and problem-solving; the second (2) being social scientific and criminology orientation that concerns itself with addressing overarching crime development and underlying structure and motives for criminal behaviour; and third (3), a business/management orientation that is concerned with balancing and setting business priorities in a corporate landscape of limited resources. None of these orientations are mutually excluding of one another – all higher education is a mix of a major subject and support subjects. However, some form of declaration of will and consensus about the general orientation is necessary. Worst-case effect might be that security management ends up being academically and institutionally weak as is sometimes the case with over-specialized degrees. When educating security managers, should the general orientation be on of engineering/problem-solving, criminology or business and management? In Sweden, the Higher Education Authority have for example assessed the Security Management degree in Australia as being one in engineering (assessment made 08/05/2008). More business, management and new technology From the research conducted within the LUSAX research program at the Institute of Economic Research at Lund University a clear majority of survey respondents working corporate security management expresses a need for increased skills of business and management, but also a need to understand novel technology to some extent. Law enforcement and pure problem-solving skills will play less of a role for the future security director. If asking security directors, the answer would be to follow the business/management orientation. Some form of declaration of will and consensus about the general orientation is necessary. Worst-case effect might be that security management ends up being academically and institutionally weak as is sometimes the case withover-specialised degrees A third possibility is to position security management as focusing mainly on criminology and behavioural sciences. No explicit and direct demand from security directors was made regarding the need for criminology. However, we believe criminology and behavioural science is an important support subject to security management. A final alternative would be to position security management as a corporate legal activity, but we argue that the legal alternative is one that can be considered of being constraint or factor within the business and management orientation. Also, some security directors have expressed concerns in sorting security management under the legal corporate branch due possible risks of conflicts of interests. Our research further suggests that the security manager needs further resource enforcement for areas like budgeting, procurement, cost-benefit analysis, new technology and business to mention a few examples. From that point of view, the choice of orientation clearly points to a direction of hosting security management within a business and management orientation. All in all, this could be described as the will for professionalisation from the ones within the profession. Security Management and its corporate environment For a more complete analysis it is not sufficient to include only the within-professional will for professionalisation. External forces outside the control of security professionals also govern the answer for the development of the profession. Since the start of LUSAX in 2006 we have repeatedly experienced corporate recruitment of security managers being mainly driven by a corporate interest searching for senior security candidate with a clear and solid law-enforcement background. This is more noticeable in North America and in the United Kingdom where Executive Protection often lies within the scope of security management. This is evident also in industry sectors where physical security is not typically part of the core business – like media, banking and consultancies. In summary, in this article we have pointed out that there is an uncertainty regarding the academic orientation that security management should have. We are saying that it is necessary to choose a purposeful academic platform that over times generates the positive effects of professionalisation, for example wide corporate influence, clearer career paths and increased rewards in term of salary and perks. Our answer is to aim for security management to be positioned within a business and management orientation. Finally, we have also pointed out the importance of changing the environmental attitudes concerning security management. We believe the main hurdle for professionalisation is one mainly hampered by established notions about what background a security manager should have. These notions lies outside the control span of the typical security manager, but are pivotal for the professionalisation of the profession.

   Network-enabled "intelligent" security components increasingly have better computational and memory capacity The use of Internet Protocol (IP), or networking, is commonly associated with convergence. In this article, Markus Lahtinen of Lund University's LUSAX project, contends that the shift to network-enabled "intelligent" security components which increasingly have better computational and memory capacity has a significant impact on the present and future dynamics of the security industry, whether it be in the realms of digital video surveillance or electronic access control.    Network security products are increasingly characterised by decentralised processingThe aforementioned shift is clearly visible when we compare a digital network camera with an analogue surveillance camera. Apart from the fact that a digital network camera may be connected to existing Internet cabling for transmission and power supply, the network camera in itself is also a computer with a central processing unit, functioning as an IP-addressable web server. The typical analogue setup was to allow for computational processing at the recording unit, meaning the Digital Video Recorder (DVR). However, the computational capacity has spread to the camera-unit with digital network cameras enabling real-time processing of image (video) data. As a result of this shift, end users clearly benefit with significantly better image quality provided by the digital network cameras.From a security end-user's point of view, the change is often behind the curtain, as there is little in terms of increased overall security effectiveness. Yet, the impact of the shift is significant from an industry perspective. Not only are security cameras becoming computerised, but computerisation is also taking place in the electronic access control market First and foremost, the change of cabling for transmission between the security camera and the recording unit has generated a fierce and lengthy industry debate under what conditions the cost of the digital setup outperforms the typical analogue setup. It is also clear that this debate has been further bolstered by the intrinsic nature of what is security effectiveness, spurring an even more intense cost-comparison debate.Secondly, firms previously offering internet network services have potentially been able to leverage their network skills by entering into the market space of offering surveillance systems. From the research my colleagues and I have made within the framework of the LUSAX project, it is clear that there are instances where pure-play network companies have been bidding for the same contracts as the firms offering traditional analogue surveillance systems. We have no clear evidence as to the size and scope of this competition.However, it cannot be ruled out that the increased competition and the fierce debate on analogue versus digital cameras have positively spilled over to the end user-side of the market, enabling for a mutually beneficial expansion of the video surveillance market. This could be referred to as the "first wave" of convergence, mainly characterised by a change towards the Internet as transmission medium for security applications.Computerisation of security products on the rise   By virtue of the decentralisation process, the computational capacity spreads to the camera-unit Understanding that computational and memory capacity lie at the heart of the matter, it is clear that the technological change is only in its infancy. Not only are security cameras becoming computerised, but computerisation is also taking place in the electronic access control market. A few examples that are commercially available within the door entry market include self-diagnosing door entry systems where products can enable efficient expansion of legacy access control systems based on wireless networking technology and keys having built-in memory units in the plastic enclosure.Harnessing the power of computational and memory capacityTo summarise, the "second wave" of convergence is the key success recipe for the security business of the future. This entails creating end user value by harnessing, coordinating, and building entry-barriers around the computational and memory capacity located in network-enabled security.       Markus LahtinenLUSAX projectLund University