Every organization begins with a mission, which may be healthcare, mercantile, financial, education or something else. Each organization establishes programs in support of its mission. If healthcare, it may establish a hospital, outpatient clinics, and a pharmacy. If financial, it may establish a retail bank, investment bank, or stock brokerage. Each type of mission produces different types of programs in support of the mission.

Once the mission and programs are determined, the organization will set about to acquire assets to support the programs. There are only four types of assets (Figure 2.2) common to all types of organizations, missions, and programs:

People include employees, contractors, vendors, and visitors. Property may include real estate, fixtures, furnishings, and equipment. Proprietary Information is information that is unique to the organization and necessary for it to function and is not common to other organizations. This may include information such as the formula for Coca-Cola, vital records, customer lists, and accounting records. Finally, the organization will establish and try to grow its Business Reputation. Indeed, its future is tied intrinsically to the success of this effort, for any organization that loses its Business Reputation is going to suffer badly, almost always in ways that fundamentally affect its ability to carry out its core mission. Every organization of every type has these four types of assets, and they are what the security program is designed to protect.

The organization's assets become the targets of those who oppose the organization's mission.

Each organization has three types of users (people who use the facility). In the first category are people who intrinsically share and support the mission of the organization. In the second category are people who oppose the mission of the organization. In the third category are people who sometimes work in support of the mission and sometimes work in opposition to the mission of the organization.

The smallest number of users is those who either totally support or totally oppose the mission of the organization. Those who totally support the mission typically include shareholders, founders, and owners. Those who oppose typically include competitors, predatory criminals, and so forth. By far the largest segment among these is the third — those who sometimes work in support of and sometimes work in opposition to the mission of the organization.

This typically includes almost all employees, contractors, vendors, and visitors. As long as the mission of the organization aligns (in that moment) with the needs of the individual, then the individual supports the organization's mission. Where there is no alignment, the individual does not support the mission.

It is this vast third group that comprises most of the people who occupy the organization's facilities. Security Programs must effectively allow the normal operation of the organization and deal effectively with those who oppose (however temporarily) the mission's organization.

The purpose of the Security Program is to help ensure that all activity within the organization's facilities supports the organization's mission to the greatest extent possible, and works in opposition to the mission to the smallest extent possible.

A threat is any person who can create a man-made danger to the organization's security. A hazard is a natural or man-made equivalent of a threat where there is no intent to do harm, but harm nonetheless can result. Hazards include storms, earthquakes, fires, and safety risks. Threats include bombings, weapons usage, theft, diversion of assets, and undermining the organization's Business Reputation.

There exist only four types of security threat actors (Figure 2.3):

Terrorists are at the extreme end of the spectrum and have the greatest capacity to harm life and property. Although the probability of a terrorist event is very low, the consequences are high. Terrorists do not care about being quiet; quite the opposite. They often do not care about escaping with their lives. They only care about inflicting the maximum amount of death, injury, and damage possible at the least financial cost to themselves. Their only real concern is about not succeeding in their attack. Terrorism typically involves substantial planning; acquisition of weapons, chemicals, or explosives; and conducting surveillance. Sometimes there is a practice run and then the terrorists go operational.

Violent Criminals want to inflict control, injury, and/or death on their victims. If they care at all about economic benefit, then their violence is seen as a means to control their victims. Those with a tendency toward violence often prefer confrontation to a quiet economic crime. Violent criminals may be controlled or emotionally erratic. They may incorporate planning or spontaneously combust into violence without apparent reason or in response to an innocent comment or minor insult. Once violence ensues, all participants tend toward emotional responses. As emotional responses are not conducive to carrying out a plan, plans often go awry and the situation escalates. Escape may or may not be a part of the violent criminal's plan, and his actions may or may not allow for escape.

Economic Criminals are after money or goods. They do not want to be caught, and they place this goal above all others. Economic criminals may be strategic (planning, acquisition of tools and weapons, conduct surveillance, plan their escape, perhaps a practice run and then they go operational), or they may be opportunistic, striking when the opportunity presents itself. Many economic criminals do not put much effort into planning. Only a few are strategic and methodical. Generally, the higher the risks, the greater the planning. Relatively few economic criminals are strategic enough to fully plan a crime from inception to escape in any methodical way. Economic criminals may work alone or in a group. Better group criminals have an established hierarchy of leadership that is followed unquestionably. Most groups are haphazard and members of the group will quickly turn on the others when their own life or freedom is at risk. Some economic criminals are also violent criminals. In such cases their “lean” may be either toward a successful economic crime or their violent side may prevail such that they will quickly abandon the economic crime and go to violence when confronted. Many economic criminals do not want to encounter anyone in the commission of their crime. However, a significant number of economic criminals intentionally encounter victims and often use violence to control their victims to get them to comply with their directions. In such cases, some intend to leave their victims alive and others wish to leave no witnesses.

Petty Criminals are individuals who commit petty crimes such as graffiti, drunken disturbances, loud behavior, and prostitution. Petty criminals reduce the attractiveness of the environment to normal behavior and create an environment that encourages unacceptable behavior.

It is important to understand how each type of potential threat actor can affect the facility to be protected. One must develop scenarios for each type of threat actor and evaluate vulnerabilities and develop countermeasures based on such scenarios. Effective security managers understand threat scenarios and run them through their heads effortlessly. It is a good skill to develop as a form of very practical and effective game theory.

Not all assets are equal. Some are more critical to the operation of the facility than others. Entire factory operations have stopped because of the failure of a 25 cent part. Such assets are called critical assets. A critical asset is any asset that is critical to the flow of operations or down-line operations. Factors affecting criticality include the importance of its role in the operation of the organization and whether or not it is deployed in a non-redundant manner and also how difficult or time-consuming is it to repair or replace the asset to get the operation going again. Criticality assessment is the skill of assessing how critical assets are to the mission of the organization. Similarly, the loss of some assets has a higher consequence than others. The loss of any human is devastating, but the loss of the person with the necessary skills to maintain the organization's viability is a greater loss and therefore more consequential. The loss of a critical asset is more consequential than the loss of a non-critical asset.

The loss of some assets may present a higher consequence to the organization or to the community than others; for example, an accident in the manufacture or storage of methyl isocyanate gas represents a very high consequence not only to the organization but to the community where it might occur. ¹ Many organizations have fallen due to the loss of their Business Reputation. Most of those organizations did not consider their Business Reputation to be either critical or of significant consequence before the event. Consequence analysis is the skill of determining which assets have the greatest potential for consequence.

Security Programs should be designed to protect those assets with the greatest consequence first.

A vulnerability is an attribute of a facility that a threat actor can exploit to carry out a threat action. Vulnerabilities may include opportunities for entry, for access to assets, for concealment of activities or staging of stolen items prior to taking from the facility, for diversion of attention, for taking control of an area, or for escape. Vulnerabilities may be physical or procedural. Vulnerabilities exist in every facility and every security system and cannot be completely eliminated; however, it is imperative to mitigate vulnerabilities that could be easily exploited.

Vulnerabilities can be mitigated through physical, procedural, or electronic measures, or a combination of these. Vulnerability equals opportunity.

Probability is the likelihood of an event occurring. Probability is a key factor in determining risk, and equally it is a key factor in determining how best to mitigate risk. Probability can be affected by the number of employees, contractors, vendors, and visitors; by the frequency of occurrence of an action such as an access control event; by the number of items affected; and by the environment.

Probability and consequence often go hand in hand. High-probability, low-consequence events present relatively minor risk whereas low-probability, high-consequence events may present very high risk.

Factors affecting probability include:

Risk is the potential for a threat action to occur. Risk factors include Probability, Vulnerability, and Consequences. Risk is the final calculation taking into concern the potential threat actors, their potential interest, and available vulnerabilities to exploit. Risk works both ways. An organization can be at risk of theft of an asset and the thief can be at risk of not succeeding or being discovered and prosecuted.

A key factor in the risk formula is consequences. The higher the possible consequences, the higher the risk. Thus, low-probability, high-consequence threat scenarios rank higher on risk than high-probability, low-consequence threat scenarios. Although terrorism is low in probability, its consequences make it a higher risk.

See the author's earlier book Risk Analysis and Security Countermeasure Selection for a complete discussion on risk.

Risk can be managed by reducing the potential number of threat actors who have access to a given asset, reducing the vulnerabilities related to the asset, or reducing the potential consequences of the asset being attacked. Risk may also be reduced by increasing the risk to the potential threat actor. These may be achieved by modifying the physical, electronic, or procedural environment.

For example, by placing an asset in a more physically protected environment, risk is reduced. By requiring greater scrutiny of persons entering the area of the asset to be certain that they do not pose a threat, risk is reduced. By placing video cameras along the pathway to and from the asset and around the asset and recording those cameras, risk is reduced because it creates a higher risk to potential threat actors and provides evidence for investigations and prosecution if the asset is taken or damaged.

Organizations develop Security Programs to manage risk in an organized and methodical way. By assigning a manager who is competent in security matters and also a competent personnel manager, the organization can organize the security process into a business process that supports the goal of protecting the assets of the organization while not interfering with the natural business of the organization.

Effective Security Programs use a layered approach to protecting the organization's assets. The most critical and consequential assets are the most protected, and a threat actor must engage multiple layers of physical, procedural, and electronic security measures to acquire such assets.

A good security manager will develop a Security Program that:

A good Security Program will include all of the following elements:

It is surprising how many Security Programs are developed and run without a comprehensive Risk Analysis. Any Security Program that is not based on a comprehensive Risk Analysis will have unknown vulnerabilities. Unknown vulnerabilities present unknown risk that can be easily exploited by a thoughtful threat actor.

Security Programs that are not based on a proper Risk Analysis are virtually certain to cost more and be less effective than programs based on a proper Risk Analysis.

Running a Security Program without a proper Risk Analysis is analogous to running a business without an accounting system or audit. The business will go broke, and the Security Program will fall victim to security exploits.

It is equally surprising how many Security Programs are run haphazardly without a formal set of Security Policies and Procedures. Security Policies and Procedures are the foundation documents of a good Security Program. Without Policies and Procedures, the program will necessarily be haphazard and disorganized. Without policies, every response is spontaneous and based solely on the judgment of the individual security officer or manager. There is no continuity. Such programs are a wellspring of litigation opportunities, because there is no consistency and the judgment of individual security officers is rarely based on criminal law or company policy.

Further, the lack of security policies and procedures is a vulnerability due to the uneven approach of patrols, investigations (if any), and enforcement. In such cases the program generally swings toward accommodating employees and visitors to the detriment of the security of the organization, because individuals' complaints against individual security officers cannot be refuted.

Such programs often depend heavily on electronic systems to “enforce” security, and such systems are developed to address the most urgent security issues without regard to dozens or hundreds of other vulnerabilities that remain unaddressed. Thus money spent on electronics is money wasted.

No Security Program can succeed without proper Security Policies and Procedures.

Hi-Tech systems include all electronic systems. Typically these include Alarm/Access Control Systems, Video Systems, Communications Systems, Integrated Security Systems, Specialized Detection Systems, and Computerized Systems.

Hi-Tech systems serve to automate repetitive functions, monitor continuously without error, and report to and facilitate communication and coordinated response by security staff.

Increasingly, Hi-Tech systems are used to handle vast amounts of information that could never be handled cost-effectively by humans. Examples of these include intelligent video analytics that analyze a video scene evaluating human activity for unwanted behaviors and integrated systems that use multiple credential methods (such as a card reader and facial recognition), automated weapons screening, and package X-ray screening to allow entry to a high security area via an automated portal.

Although there is an increasing focus on Hi-Tech systems in Security Programs, they should be the last element considered. Lo-Tech and No-Tech elements form the basis for an effective Security Program and Hi-Tech elements amplify the capabilities of the Lo-Tech and No-Tech elements. No matter how elegant an Integrated Electronic Security System may be, they cannot substitute for a solid security program based upon physical (Lo Tech) and procedural (No Tech) countermeasures.

Lo-Tech elements are physical security elements that are usually among the most cost-effective security measures any organization can employ. Lo-Tech elements include such things as Locks and Barriers, Lighting, Fencing, Signage, Other Physical Barriers, and Crime Prevention Through Environmental Design (CPTED) measures. CPTED is an architectural discipline that involves creating architectural spaces that encourage appropriate behavior and discourage inappropriate behavior. It comprises three basic elements:

Lo-Tech elements are effective because in most cases they represent a single one-time investment that works daily without fail. Lo-Tech elements can be used to funnel people to controlled access points, alert visitors to security policies, prevent entry to unauthorized people, provide a deterrent, and stop intruders cold with unexpected barriers.

No-Tech elements are those security elements that have no technology:

No-Tech elements are among the most effective due primarily to their active nature. No-Tech elements are the parts of the security program that users notice most. Every interaction with a Security Officer is somehow memorable; the same cannot be said for every interaction with a card reader. Users are more likely to criticize or complain to or about their interactions with Security Officers than their interactions with technology.

Successful Security Programs mix Hi-Tech, Lo-Tech, and No-Tech countermeasures to achieve an effective and cost-effective program. Each element has its strengths and weaknesses, and each element has its own effect on the organization's business culture. By mixing Hi-Tech, Lo-Tech, and No-Tech approaches, a security program is more likely to achieve repeatable desired results.

Layering means that an asset is protected by multiple layers of countermeasures from the outside in. To get to a valuable asset such as the Information Technology Server Room, a threat actor must encounter a number of security elements, each one a risk to his success. The more layers, the less likely it is that a threat action will succeed.

Layers should use mixed technology approaches. At the outside, the threat actor encounters the outer fence, then lights, then perimeter sensors, then cameras, then the building boundary, then door/window detection, then more cameras, then motion alarms, then the department perimeter with its alarms and access control and cameras, and finally, the controls in the Server Room. The threat actor will encounter all of these countermeasures on the way out as well, further reducing the likelihood of a successful exit and unnoticed escape (Figure 2.4).

Typical Access Control System users include management, employees, contractors, vendors, and visitors. Each of these is given access to areas as they are needed and for times as may be appropriate.

Most Access Control Systems define access portals according to a logical grouping. This might include grouping by departments, buildings, or functions (janitorial employees). Thus, a janitorial employee might have access to all floors and the service lift of the building to which he/she is assigned. Certain users may be authorized for all areas.

Most access credentials are authorized on a schedule. The schedule may correlate to the user's working hours or some other reasonable program. Certain employees (management, maintenance, etc.) may be authorized for all hours.

Schedules may also include holiday and special events schedules. Most systems accommodate seven-day schedules and are programmed around the annual calendar. Some systems are also flexible enough to handle special schedules; for example, offshore oil rigs may work on a ten day on/ten day off schedule.

Typically each portal is assigned to an Access Group, such as a department or an elevator bank.

Typically each user's credential is assigned to a user group. This simplifies programming so that each user does not have to be assigned to individual doors and schedules.

Access Portals and Users can be assigned to Access Portal Groups or Access User Groups, the combination of which allows for simplified system programming. Otherwise, every user would have to be programmed for access to each individual portal on individual schedules.