Meaning of Systems Approach to Physical Security - Research Paper Example

The Theory of Defence in Depth and the Meaning of Systems Approach to Physical Security Student Name: Tutor: Date: The Theory of Defense in Depth and the Meaning of Systems Approach to Physical Security Introduction Information and associated technologies play a major role in the innovations and competitive advantage generation by organizations. The organizations today face a range of security issues especially in the information technology sector. This exposes them to vulnerabilities which would threaten the existence of the organization. Information security forms the major concern to organizations although physical security is also important. Most of these modern organizations are more interested in safeguarding their technology-oriented interests (Harris, 2013). They do this to prevent loss of information through hacking. They overlook the fact that hacking is not the only way to lose information. It is also important to improve on physical security in order to prevent access by unauthorized persons, who may be interested on stealing or undertaking malicious activities. The complexity of ensuring physical security in the modern environment has called for more creative approach to security. Physical security should be ensured for the purpose of safeguarding information, personnel, equipment, facilities and other company assets. The modern organization needs to use the layered approach when implementing security measures. The use of layered approach makes it difficult for any intruder who may wish to gain access to the facilities since they will have to bypass multiple layers. This paper seeks to discuss the concept that asset and property protection makes use of the systems approach which employs other theories like the Defense in Depth, Protection in Depth and Security in Depth. Researchers (Nunes-Vaz et al 2011) have already given their understanding of such terms, though there is no substantive understanding considering the different security approaches that encompass both physical security and information security. Literature Review Brooks (2007) states that understanding security as a whole is difficult considering that it is not only concerned with a single field but an array of concerns in context. The skills and activities entailed in the modern world security is so involving that giving a finite definition will be almost impossible. The security concept involves social contracting relative to international relations and the good functioning of the internal societal organs (Fisher and Green 2004). Manunta (1999) argues that this is necessary for the purpose of preventing crime, both societal and international as well as those involving individuals. Security is considered one of the basic needs of human beings as discussed by Maslow (1970), in his human needs hierarchy. In his hierarchy, Maslow mentioned other needs like dependency, stability, freedom from fear, need for structure and order, protection, law and strength collectively define the term security. This has since been supported by Coole, (2010). Security form the basic part of an organization as its absence leaves the organization too exposed and vulnerable. This can threaten the very existence of the organization (McCrie 2004). The importance of security for the existence of an organization cannot be over-emphasized. It would however raise questions which may lead to the relay and implementation of poor risk concerns if the description above is not carefully approached. Manunta (1999, consents with the fact that there is difficulty in giving a conclusive definition to security, owing to its wide areas and the diversity that comes with it. He argues that all the methodology, decisions and measures of security all lack meaning if security cannot be defined. Manunta goes on to state that the security sector players and stakeholders ought to use specific and understandable language and terms, in order to foster understanding even among the non players. The use of easily understandable language would help to convey meaning and knowledge in all the areas of security study. Nunes-Vas et al (2011) held the same opinion, though with more interest in security in depth. Other key researchers also supported the same but in reference to the closed circuit television. These literatures provide valuable knowledge in a bid to understand the security sector and offer support in mitigation against risk. Although physical security appears to be more elaborate, applying defense in depth on information technology does not have much other than the ability to delay intrusion. There is little that can be offered for the purpose of response. This leaves organizations ignorant of the security of their information since they are sometimes not even aware that their security has been breached and their information is being tapped in to. Mandia (2011) stated that many organizations only learn about the breach of their information security through external parties. Audit was conducted by the auditor general’s office on the ability of the State agencies to deal with cyber threats, the detection and response (Murphy 2011). All but one of the state agencies was able to detect the threats that that their information technology installation was subjected to by the auditors. Most of these state agencies do not apply defense in depth in the various levels of security in their systems. None of these organizations was found to have a well defined procedure on how to deal with cyber security threats. Only one out of the tested organizations had in place a security control measure which would detect that an attack is in progress or an attack had been carried out. Consequently, they all lacked any security layer which would respond and provide remedy for the damage that would have been caused by such an attack. Furthermore, they lacked knowledge on how to respond to an attack if at all it was detected. Lack of a definite definition for the term security has left researchers and scholars alike at a loss on how to base their arguments. However, people, nations and organizations ought to feel free to exist and act as they wish. The situation is however not the same since the freedom they ought to enjoy is usually at constant risk. This reality is what drove Coole and Brooks (2011) to argue that the concept of security need to be threat driven and risk based. In such a scenario, actions taken for protection purposes will be determined by the risk itself and the situation at hand. The need for security arises when there is imminent threat to the assets. Absence of such threats does not call for security (Manunta 2011). This is supported by Standards Australia HB (2006). The need for security and protection of assets arise in situations where; there is an existence of real or perceived threat to an asset under protection, the control of access to an asset is necessary to ensure it is duly protected, the need to protect an asset from malicious activities and the need to use the systems approach to control access to an asset. The use of systems approach would encompass measures both logical and physical. These considerations formed the basis of Australian Interim Security Professional Task Force (2008) proposal that those tasked with security matters are responsible of ensuring the advice they put forth follows laid down procedures. Such advises should be based on the best practice. Coole and Brooks (2011) also support this approach. It is important to embrace the use of common language bearing common meaning in the bid to present security advice concerning asset protection. In this paper, the focus will be discussion on the theory of defense in depth in relation to the meaning of systems approach to physical security. The Theory of Defence in Depth Smith (2003) defines defence in depth as an approach taken towards protecting assets for security as a domain discipline that embrace certain strategies in order to prevent them from being stolen, facilities being destroyed, protecting information as well as personnel. Defence in depth is widely known as a security theory (Coole and Brooks 2011). Defence in depth is defined by several major functions which include to deter, or detect, delay, respond and recover from an attack (Smith, 2003; Standards Australia HB 167:2006). Defence in depth has for the past decades been applied to protect assets. The theory is based on the argument that any protected asset needs to be enclosed in a particular area, with barriers successively arranged to minimize access by unauthorized persons (Smith 2008). These barriers also have the aim of causing delay to the party trying to gain access to the asset in order to enable authority or persons in charge of security to respond to the intrusion and make any possible recovery (Standards Australia HB 2006). Therefore it is acceptable to argue that defence in depth is a proved theory, theoretically supported by studies and professionals as well as other theories. Routine theory implies to guardian intensity (Reynald 2011). This theory states that the occurrence of an action is determined by the identification of a suitable target, or even the absence of a capable guardian. This motivates the perpetrator since it leads to the perception of reduced difficulty of intrusion and a lesser chance of being found out. Rational theory also comes up within this deviance behavior. This theory defines the process of decision making by the intruder on whether or not to commit the deviant act. This theory further argues that the adversary makes their decision depending on the perceptions they have including the ease of detection, delay, that is, level of difficulty of intrusion and response, that is, the chances of being caught in the act by the security personnel before they succeed in their act. If by considering all the above factors, they find out that there will be ease of intrusion and they have access to the tools they may need to use, and that there is little chances of being apprehended and higher chance of success, the adversary will find it hard to resist the urge of committing the offence. They would however choose to desist from the deviant act if the realize that there is little chance of success and a higher chance of being caught. Considering security systems as a whole, the component values of detecting, delaying and responding all add up to the effectiveness of a security system and thus add to its value of deterrence (Coole 2010). Therefore, Routine activity and rational choice both combine to form the threat to security and subsequently call for the implementation of defence in depth to prevent intrusion and protect assets. Defence in depth is believed to follow a systems approach which is perceived to integrate people, procedures and equipment in to a barrier system (Garcia 2001). The systems approach makes it possible for one to apply systems thinking. This systems thinking states that a set of individual events form part of a series of events Barton and Haslett, 2007). The theory of systems approach argues that analysis should always follow synthesis in order for one to have the ability to understand and appreciate the evaluation in wholeness. For instance, the window of a building is considered as an individual subsystem of the entire building in terms of keeping the intruder at bay. In this situation, analysis is done to the window at an individual level. Analysis may involve inspection to ensure the material used to construct the window is of optimal strength, the hinges that hold the window to the building as well as the manner in which they have been fitted, the mechanisms used to lock the window, the quality of the locking system, ensuring that the window closely fit to the frame as perfectly as possible to minimize the chances of there existing any vulnerabilities that may serve as weak points for an intruder, and the manner in which the frames of the window has been constructed as well as the strength of the material used. The constituent security parameters are individually evaluated to ensure that they are able to offer maximum resistance to any offender with the aim of committing an intrusion. These components must provide the highest level of resistance possible. Taking security measures with the systems approach makes it possible to understand the security layers that subsystem for within the system as a whole. Physical barriers created by this approach determine the chances of effectiveness of the security system. Coole (2010) argues that the effectiveness of a security system can be defined according to the Estimated Adversary Sequence Interruption (EASI) model. This model works consistently with the General Systems Theory (GST) principles to define the relationship between the different constituents of security system in defence in depth system. Together they mathematically articulate the effectiveness of the whole system. The successful integration of people, equipment and procedures can easily be deduced from the manner in which the system successfully detects delays and responds to incursions by adversaries (Jang et al 2008). The ability to detect, delay and respond is used as variables to calculate the possibility of security systems interrupt. All these combined bring about the understanding of the whole system and consequently the understanding needed to make any adjustments to increase the effectiveness of the system. Conclusion Little has been taught and learnt about security as an academic course thus the definition has not been clearly stated thus far. Researchers have tried to come up with different definitions to the term security but none yet has come with a definition which is universally accepted. This has led to a situation where the security language is one that is understood by few and yet the impact is felt by many. It is therefore left to the security professionals to develop clear language on the security as a whole. Defence in depth has been defined in terms of the theory of Rational Choice. It is the choice of the intruder to carry on or desist from acts of deviance. Such decisions are made depending on the ease of intrusion, the delay and possibility of being apprehended. The easier it is to penetrate, lesser delays and the more difficult it is to get caught are arguably the reasons why the intruder may decide to proceed with the offence. Systems approach to physical security encompasses a wide array of factors and together they combine to make the security of an asset better. This approach is implemented by establishing several security layers which makes it more difficult for an intruder by erecting more barriers and thus increasing delay. References Australian Interim Security Professional’s Task Force (2008). Advancing security professionals: Discussion Paper. Retrieved from: http://www.isacaadelaide.org/pd/Discusion_paper_Future_Security_Professionals_March08.pdf [Accessed: 14 October 2016] Brooks, D. J. (2007). Defining security through the presentation of security knowledge categories. Perth, Western Australia. Edith Cowan University, International centre for Security and Risk Sciences Brooks, D. J. (2011). Intelligent buildings: An investigation into current and emerging security vulnerabilities in automated building systems using an applied defeat methodology. Proceedings from the fourth Australian security and intelligence conference. Perth. Western Australia. Retrieved from: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1013&context=asi [14 October 2016] Coole, M., P. (2010). The theory of entropic security decay: the gradual degradation in effectiveness of Commissioned security systems. A Thesis Submitted to the Faculty of Computing, Health and Science Edith Cowan University. Retrieved from: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1372&context=theses [14 October 2016] Coole, M., P., & Brooks, D., J. (2011). Mapping the organizational relations within physical security’s body of knowledge: A management heuristic of sound theory and best practice. Proceedings from the fourth Australian security and intelligence conference, Perth, Western Australia. Retrieved from: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1013&context=asi [14 October 2016] Garcia, M. L. (2001). The design and evaluation of physical protection systems. Boston: Butterworth- Heinemann. Jang S, et al. (2009). Development of a vulnerability assessment code for a physical protection system: Systematic analysis of physical protection effectiveness (SAPE). Nuclear Engineering and Technology. Vol 41 (5). Manunta G. (1999). What is security? Security Journal.12, 57-66. Maslow, A., H. (1970). Motivation and personality. Harper & Row. New York. McCrie, R.D. (2004). The history of expertise in security management practice and litigation. Security Journal 17 (3): 11-19. Nunes-Vaz, et al (2011). A more rigorous framework for security-in-depth. Journal of Applied Security Research, 6 (3), 372-393. Reynald, D., M. (2011). Factors associated with guardianship of places: Assessing the relative importance of the spatio-physical and socio-demographic contexts in generating opportunities for capable guardianship. Journal of Research in Crime and Delinquency, Vol 48 (110). SANS Institute. (2002). A Scalable Systems approach for Critical Infrastructure Security. Retrieved from: http://energy.sandia.gov/wp/wp-content/gallery/uploads/020877.pdf [14 October 2016] Standards Australia. (2006). Security risk management. Sydney: Standards Australia International Ltd. Mandia K. (2011). Cyber threats and ongoing efforts to protect the nation. In P. s. c. o. intelligence (Ed.), (pp.1-7): U.S. House of representatives Dillon, J., A. (1983). Foundations of general systems theory. Intersystem’s Publications. California. Brooks D., & Corkill J. (2012). The many languages of CCTV. Australian Security Magazine, February/March 2012, 57-59 Read More

Security form the basic part of an organization as its absence leaves the organization too exposed and vulnerable. This can threaten the very existence of the organization (McCrie 2004). The importance of security for the existence of an organization cannot be over-emphasized. It would however raise questions which may lead to the relay and implementation of poor risk concerns if the description above is not carefully approached. Manunta (1999, consents with the fact that there is difficulty in giving a conclusive definition to security, owing to its wide areas and the diversity that comes with it.

He argues that all the methodology, decisions and measures of security all lack meaning if security cannot be defined. Manunta goes on to state that the security sector players and stakeholders ought to use specific and understandable language and terms, in order to foster understanding even among the non players. The use of easily understandable language would help to convey meaning and knowledge in all the areas of security study. Nunes-Vas et al (2011) held the same opinion, though with more interest in security in depth.

Other key researchers also supported the same but in reference to the closed circuit television. These literatures provide valuable knowledge in a bid to understand the security sector and offer support in mitigation against risk. Although physical security appears to be more elaborate, applying defense in depth on information technology does not have much other than the ability to delay intrusion. There is little that can be offered for the purpose of response. This leaves organizations ignorant of the security of their information since they are sometimes not even aware that their security has been breached and their information is being tapped in to.

Mandia (2011) stated that many organizations only learn about the breach of their information security through external parties. Audit was conducted by the auditor general’s office on the ability of the State agencies to deal with cyber threats, the detection and response (Murphy 2011). All but one of the state agencies was able to detect the threats that that their information technology installation was subjected to by the auditors. Most of these state agencies do not apply defense in depth in the various levels of security in their systems.

None of these organizations was found to have a well defined procedure on how to deal with cyber security threats. Only one out of the tested organizations had in place a security control measure which would detect that an attack is in progress or an attack had been carried out. Consequently, they all lacked any security layer which would respond and provide remedy for the damage that would have been caused by such an attack. Furthermore, they lacked knowledge on how to respond to an attack if at all it was detected.

Lack of a definite definition for the term security has left researchers and scholars alike at a loss on how to base their arguments. However, people, nations and organizations ought to feel free to exist and act as they wish. The situation is however not the same since the freedom they ought to enjoy is usually at constant risk. This reality is what drove Coole and Brooks (2011) to argue that the concept of security need to be threat driven and risk based. In such a scenario, actions taken for protection purposes will be determined by the risk itself and the situation at hand.

The need for security arises when there is imminent threat to the assets. Absence of such threats does not call for security (Manunta 2011). This is supported by Standards Australia HB (2006). The need for security and protection of assets arise in situations where; there is an existence of real or perceived threat to an asset under protection, the control of access to an asset is necessary to ensure it is duly protected, the need to protect an asset from malicious activities and the need to use the systems approach to control access to an asset.

Read More