Physical Data Security, Defense in Depth Theory - Research Paper Example

Physical Security Student’s Name Student Affiliation Physical Security Introduction The security industry engages in a multi-discipline and diverse knowledge base which involves management of risk as the fundamental aspect to be mitigated. Nevertheless, there is the limited study on understanding and drawing the expert security knowledge to be used in a particular region (Brooks, 2011). The physical security is necessary to assets such as people, information, reputation, and property. Issues arise in the combination of exploring the vulnerability of the building to any threat, thus requiring the security professionals to develop ways of handling security management. Professional security is commonly discussed in the academic circles nowadays. Apparently, professionalism is considered as an agreed knowledge body linked to education standard set by community ideological competencies and confidence levels. However, to date, the society has been unable to establish the right conditions and knowledge for the professional security (Dong et al., 2010). Currently, all the research work has being given to finding accurate definitions and the agreement in pursuit for a common ground where the professionals can communicate, have benchmarks, and standards for carrying out their jobs (Griffiths, Brooks, & Corkill, 2010). This paper analyses the core approach of assets protection through the systems approach which involves defence in depth in the depth and security in depth concepts. As much as Nunes-Vaz, Lord, & Cuik (2011) developed concepts of the professional security, particularly, between the combination of traditional information technology (IT) and physical domains, to date there are fundamental differences in the structural make-up of the definitions and understanding of the security domains. Background The physical security largely composes of locking devices. Depending on the function, there are emergency egress locks, after-hours and day access locks. Such padlocks or high-security combined locks for safes. Locks can be devised as either mechanical, electrical, or a combination. The locks have salient components such as the bolt, keeper, key, or tumbler array. For instance, there is a different Bi-Lock in Australia (Chester, 2010). The physical security aims at reducing the risks through abilities associated with systematic approaches to detecting, deterring, responding, and delaying the different acts that increase the risk. The security management involves many activities and skills across the concepts, thereby making the consistency of the security advice difficult to develop. The issues associated with the security spectrum include social ideas which encompass the international securities and the internal functioning of the security protocols in the attempt to address the crime prevention (Cardenas et al., 2009). Governments at the international, local, and national levels, firms, and individuals must be involved while coming up with the best way forward to protect crime. As a result of all the necessities and needs, it becomes difficult to develop the right standard of professional security. Apparently, theorist such as Maslow’s Hierarchy of needs identifies security as one of the core needs of human existence. Maslow states that security encompasses stability, protection, dependency, fear, anxiety, and chaos freedom, also security involves the necessity of law, order, strength, limits, and structure within a society (Coole, 2011). Furthermore, according to Pathan (2016), no organization can survive at any particular time without strong security. The necessity of safety is not challenged within the literature review. However, there is the disparity in the descriptions given by each author which results to the questioning of the most relevant and functional method of risk mitigation. Also, the academic does not point out any consensual definition of the security due to the diversity, contradicting security models, measures, decisions, and performances (Coole, Corkill, &Woodward, 2012). The security systems are opting for the Defence in Depth (DD) for IT security which is reliable for controlling and delaying with little or no other controls implemented for detecting or responding. Apparently, the DD involves multiple forms of security measures in policies, technology, and practices. The DD theory, therefore, encompasses total defence which most of the authors suggest is just ambitious to achieve (Brooks, 2011). Literature Review All approaches of security aim at one particular thing and that is to protect the assets from theft, destruction of properties, individual, and information protection. The methods are combined to form the Defence in Depth theory. The articulated theory of security carries out the following functions connected; deterrence, response, delay, and recovery (Standards Australia HB 167, 2006). According to Bakolas & Saleh (2011), Defense in Depth has been used for centuries to protect assets, based on the belief that all safe assets should be enclosed by barriers to prevent penetration of unauthorized personnel. As a result, many previous theories argue that the DD method is fit and supported by other theoretical frameworks such as Rational Choice Theory (RCT) and Routine Activity Theory (RAT) in pursuit of crime protection. RAT focuses on the Guardian intensity which suggests that an action only occurs when the target is identified. Alternatively, it also states that the lack of a guardian acts as a motivator to perpetration and a perception of difficulty which leads to less likelihood f been caught. RCT, on the other hand, considers a process of decision-making of a possible rational adversary in deciding whether or not to engage in a particular behavior (Alpcan & Başar, 2010). RCT states that any criminal first assesses the possibility of being detected, the delay involved in achieving the set target, and the chances of being produced about the conduct. Apparently, if the criminal acknowledges the low possibility of being caught high chances of succeeding, then they proceed carrying out the desired actions. Similarly, if they perceive greater chances of being caught and difficulty in fulfilling the task, the person engages in different activities. Draper (2012) noted that security is the full activity that involves perceived sum of activities which encompasses delay, detect, and response. As a result, DD is a combination of RAT and RCT which increases opportunities reduction framework to allow preventative and protective protocols within the security domain. DD follows a system approach which integrates procedures, people, and equipment into a barrier system (Alpcan & Başar, 2010). The DD method allows application of both policy thinking which uses individual events for analysis and synthesis of the pattern of events (Bakolas & Saleh, 2011). In a systematic protocol, each review is followed by a synthesis which in turn leads to another analysis and a subsequent synthesis (Brooks, 2011). For instance, during construction of a security door, the contractors considers all protocols such as the resistance of an intruder, the hinges, the door material strength, closing mechanism, quality and type of closing mechanism, the frame of the door, and the possible attempts of opening. Notably, each security must be evaluated for its design, effectiveness in providing strength for creating difficulty of any risk by the combination of the most efficient measures. (Cardenas et al., 2009) observed that a DD system creates subsystems for the security layer systems which points out any calculations of a practical means and performance measures. Apparently (Chester, 2010) argued that an effective barrier system when evaluated through Estimated Adversary Sequence Interruption (EASI) which corresponds with general systems theory (GST) statistically describes the relationship between the systems of Defence in depth statistically showing the whole efficiency. Additionally (Coole & Brooks, 2011) supported the system by highlighting that the integration of people, procedures, and equipment can be solved through policy success in enabling delay, detection, and response to the problem incurred. Furthermore, the interruption possibility is also calculated to show the effectiveness of any protocol that is selected against the expected threat. The quantitative methods are therefore considered systematic, objective, valid, and repeatable (Dong et al., 2010). Explicitly, EASI requires input parameters detected, assessed, transmitted, and communicated as probabilities that the whole function is successful. Secondly, the inputs of delay and response are referred to as mean and mean standard deviation in time measurements of each element. EASI is simple to calculate since it uses the probability laws that are combined with quantities performance measures of the system and the subsystems to derive the physical protection system (PPS) macro-state. As a result, the Defence in Depth can be calculated mathematically in EASI. The statistics can be done for one or multiple zones, but the crucial factor is to consider that the offender might think of harming or stealing a safe asset. According to the perceived scenario, the person in charge opts to use interruption neutralization possibility for each zone creating high-security protocols if necessary (Draper, 2012). The process, in turn, enables one individual to move from one secure area to another freely within the protected facility. Nunes-Vaz, Lord, & Ciuk (2011) defined security measures as any physical, technical, procedural, psychological, or device that is used to perform any security function within a zone, zones or protected rings. Apparently, in traditional protections in depth, the rings are referred to as onion ring model which conceptually represented as below; Figure 1 the traditional onion ring of protection in depth (Coole, Corkill, &Woodward, 2012). Nevertheless, (Draper, Ritchie, & Prenzler, 2012) emphasizes that the Security in Depth has several measures that an offender must fight against in a sequence without considering any possibility of a single failure in the protection plan. A successful approach incorporates multiple delay measures, responses capabilities, and detection procedures (Griffiths, Brooks, & Corkill, 2010). Such systems are only implemented to protect unauthorized movements of assets across a single individual security or multiple ones which in turn saves the involved from the potential consequences. Each second there are possible interruptions awaiting an opportunity to enter the security zones if not properly monitored (Kim et al., 2012). However, at the same time, during the working hours, some of the places should be left unrestricted to allow the people working conductively (Kiszelewska, & Coole, 2013). The onion protection rings are used successfully in many facility designs since they provide sufficient restrictions. When any facility has such security protocol, only authorized people can be access all the point, nonetheless the rest will be blocked in one section (Langner, 2011). In reference to the zoning concept, Lord & Nunes-Vaz (2013), noted that there is a difference between the security layer and control. A security layer encompasses the implementation of management sets that can possibly stop an occurrence of a stated event or also completely eliminate the consequences arising from it. A layer, therefore results in using EASI multi-layered defence. In short, if any security code adopted aims at controlling the occurrence of any risk, then it has to apply, the theory of Defence in Depth in detecting, responding and delaying a threat at each security zone without considering the systematic procedure used to ensure safety (Protective Security Policy Framework, 2016). For instance, when protecting a facility, the people must make sure there are two means of detection and delay with a layer that separates both of them. Additionally, the detection devices should be coupled with intrusion technologies and security procedures that recognize the movement of authorized personnel. Alternatively, the facility can use an X-ray machine with n explosive tracking technology that detects the contraband that moves across any secure zone in the staff portal. Therefore, the Defence in Depth is interrelated to the Protection in Depth in a distinct but holistic model. EASI suggests that the people should highly consider the probability of interruption and neutralization at every security zone. As a result, the possibility of disruption must be calculated for the other three variables of delay, detection, and response to as to derive the combined feedback of every stage (Officer, 2016). According to Coole, Corkill, &Woodward (2012), zone effectiveness is a function of P (interruption) and P (neutralization). According to Pathan (2016), Defence in Depth and Security in Depth are used synonymously, however, they are distinct. DD is a theory that suggests that adequate security for any asset or zone must be achieved through the response, detection and delay procedures to inhibit an attempt to enter unauthorized points. To achieve the effectiveness, interruption and neutralization possibilities must be considered before the crossing of the security zone. Nonetheless, in all facilities, the management must formulate a strategy of multiple layers of control that allows only trusted insiders each to access a particular restricted area. Such access in granted depending on the job delegated to each personnel. For instance, only the information technician is allowed to the server room while all the other employees are banned. As a result, it is worthwhile to separate the security zones to facilitate detection, response and delay of any possible threat towards information and physical zones (Rajkumar et al., 2010). Also, according to the common risk, multiple safety systems should be put in place for each area to form stronger layers that keep off intruders. For instance, a person can put mechanical, electrical locks and computerized facial detection on the door that goes to the server room. Apparently, the DD together with Protection in Depth targets to protect individuals and zones within a building and are termed as a PPS. Contrary, the security areas and procedures should consider the threats that target the IT infrastructures when an offender already has the physical entrance to the security zone (Stallings & Brown, 2008). The intrusion in the modern day building allows access to the safe assets in the macro-concept of safety concept. As a result, there should be the maximization of the security layer with intertwined security functions to minimize the chances of the security breach. The Security in Depth concept is therefore depicted s many layers right are build into one perfect layer that aims at making one perfect layer of protection against a particular adversary (Thompson, Ryan, & McLucas, 2015). In this phenomenon, DD is synonymous safety in depth since they give a holistic approach to securing the asset or the zone in that area. Finally, the effectiveness of the physical security protocol is the responsibility of the people involved. The employer and employee have both the duty of care towards each other in prevention, preparedness, response, and recovery from an adversary attempt of harm. For instance, the employer has the responsibility to train their workers about any new security procedure. Additionally, the staff should communicate about any possibility of breach of security within the organization. Each person should not trespass, should have self-defence, and arrest an offender (Tamjidyamcholo et al., 2014). Conclusion Defence in Depth Theory is a security conception that tries to remove all the chances of a possible attack towards an asset. An asset is considered as a person, information, property, or reputation in this case that requires to be protected against any unnecessary attack. Under this theory, there must be a constructed layered defence, for each security zone that can be compromised. The framework uses detect, response, and delay variables while dealing with any possible action. The theory works in collaboration with Protection in Depth, and Security in Depth in articulation of the security zoning and asset protection. Together with them, the Defence in Depth theory suggests that the security protocols utilize the multiple layers of different constituents of delay, response, and delay variables against any adversary for efficient security protocol. Additionally, during formulation of these layers, the designer should consider the possibility of interruption and neutralization and involve them during calculation of the effective security layer for each zone. Most importantly, security discipline and industry is still limited and requires more research to come up with quality information. The definition of terms, and language is still ambiguous, therefore confusing the learner and professionals. For instance, the traditional definition of security is still used to date to describe the modern security systems. Also, the description of Defence in Depth corrodes with the descriptions of the other concepts, thus making it complicated for the organizations, governments, and individuals to understand. Finally, the physical security defers from the other forms of security because it incorporates tangible locks which are either mechanical or electrical. References Alpcan, T., & Başar, T. (2010). Network security: A decision and game-theoretic approach. Cambridge University Press. Bakolas, E., & Saleh, J. H. (2011). Augmenting defense-in-depth with the concepts of observability and diagnosability from control theory and discrete event systems. Reliability Engineering & System Safety, 96(1), 184-193. Brooks, D. J. (2011). Security risk management: A psychometric map of expert knowledge structure. Risk Management, 13(1-2), 17-41. Cardenas, A., Amin, S., Sinopoli, B., Giani, A., Perrig, A., & Sastry, S. (2009, July). Challenges for securing cyber physical systems. In Workshop on future directions in cyber-physical systems security (p. 5). Chester, L. (2010). Conceptualising energy security and making explicit its polysemic nature. Energy policy, 38(2), 887-895. Coole, M., Corkill, J., & Woodward, A. (2012). Defence in depth, protection in depth and security in depth: a comparative analysis towards a common usage language. Coole, R., & Brooks, D. J. (2011). Mapping the organizational relations within physical security’s body of knowledge: a management heuristic of sound theory and best practice. Dong, L., Han, Z., Petropulu, A. P., & Poor, H. V. (2010). Improving wireless physical layer security via cooperating relays. IEEE Transactions on Signal Processing, 58(3), 1875-1888. Draper, R. (2012). Standards, regulations and guidelines: Compliance and your secirty program, including global resources. Effective physical security, 283-293. Draper, R. R., Ritchie, J., & Prenzler, T. (2012). Making the Most of Security Technology. In Policing and Security in Practice (pp. 186-203). Palgrave Macmillan UK. Griffiths, M., Brooks, D. J., & Corkill, J. (2010). Defining the security professional: definition through a body of knowledge. Kim, T. H. J., Brancik, K., Dickinson, D., Lee, H., Perrig, A., & Sinopoli, B. (2012). Cyber–physical security of a smart grid infrastructure. Proceedings of the IEEE, 100(1), 195-209. Kiszelewska, A., & Coole, M. (2013). Physical Security Barrier Selection: A Decision Support Analysis. Langner, R. (2011). Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security & Privacy, 9(3), 49-51. Lord, S., & Nunes-Vaz, R. (2013). Designing and evaluating layered security. International Journal of Risk Assessment and Management, 17(1), 19-45. Mandatory requirements. (2016). Protective Security Policy Framework. Retrieved 14 October 2016, from https://www.protectivesecurity.gov.au/overarching-guidance/Pages/Mandatory-requirements.aspx Nunes-Vaz, R., Lord, S., & Ciuk, J. (2011). A more rigorous framework for security-in-depth. Journal of Applied Security Research, 6(3), 372-393. Officer, A. (2016). Protocol for Security Risk Management and Asset Protection. Pathan, A. S. K. (Ed.). (2016). Security of self-organizing networks: MANET, WSN, WMN, VANET. CRC press. Rajkumar, R. R., Lee, I., Sha, L., & Stankovic, J. (2010, June). Cyber-physical systems: the next computing revolution. In Proceedings of the 47th Design Automation Conference (pp. 731-736). ACM. Standards Australia. (2006). Security Risk Management. Sydney: Standards Australian International Ltd Stallings, W., & Brown, L. (2008). Computer security. Principles and Practice. Tambe, M. (2011). Security and game theory: algorithms, deployed systems, lessons learned. Cambridge University Press. Tamjidyamcholo, A., Bin Baba, M., Shuib, N., & Rohani, V. (2014). Evaluation model for knowledge sharing in information security professional virtual community. Computers & Security, 43, 19-34. http://dx.doi.org/10.1016/j.cose.2014.02.010 Thompson, M., Ryan, M., & McLucas, A. (2015). A Proposed Resilience Framework. Read More

Also, the academic does not point out any consensual definition of the security due to the diversity, contradicting security models, measures, decisions, and performances (Coole, Corkill, &Woodward, 2012). The security systems are opting for the Defence in Depth (DD) for IT security which is reliable for controlling and delaying with little or no other controls implemented for detecting or responding. Apparently, the DD involves multiple forms of security measures in policies, technology, and practices.

The DD theory, therefore, encompasses total defence which most of the authors suggest is just ambitious to achieve (Brooks, 2011). Literature Review All approaches of security aim at one particular thing and that is to protect the assets from theft, destruction of properties, individual, and information protection. The methods are combined to form the Defence in Depth theory. The articulated theory of security carries out the following functions connected; deterrence, response, delay, and recovery (Standards Australia HB 167, 2006).

According to Bakolas & Saleh (2011), Defense in Depth has been used for centuries to protect assets, based on the belief that all safe assets should be enclosed by barriers to prevent penetration of unauthorized personnel. As a result, many previous theories argue that the DD method is fit and supported by other theoretical frameworks such as Rational Choice Theory (RCT) and Routine Activity Theory (RAT) in pursuit of crime protection. RAT focuses on the Guardian intensity which suggests that an action only occurs when the target is identified.

Alternatively, it also states that the lack of a guardian acts as a motivator to perpetration and a perception of difficulty which leads to less likelihood f been caught. RCT, on the other hand, considers a process of decision-making of a possible rational adversary in deciding whether or not to engage in a particular behavior (Alpcan & Başar, 2010). RCT states that any criminal first assesses the possibility of being detected, the delay involved in achieving the set target, and the chances of being produced about the conduct.

Apparently, if the criminal acknowledges the low possibility of being caught high chances of succeeding, then they proceed carrying out the desired actions. Similarly, if they perceive greater chances of being caught and difficulty in fulfilling the task, the person engages in different activities. Draper (2012) noted that security is the full activity that involves perceived sum of activities which encompasses delay, detect, and response. As a result, DD is a combination of RAT and RCT which increases opportunities reduction framework to allow preventative and protective protocols within the security domain.

DD follows a system approach which integrates procedures, people, and equipment into a barrier system (Alpcan & Başar, 2010). The DD method allows application of both policy thinking which uses individual events for analysis and synthesis of the pattern of events (Bakolas & Saleh, 2011). In a systematic protocol, each review is followed by a synthesis which in turn leads to another analysis and a subsequent synthesis (Brooks, 2011). For instance, during construction of a security door, the contractors considers all protocols such as the resistance of an intruder, the hinges, the door material strength, closing mechanism, quality and type of closing mechanism, the frame of the door, and the possible attempts of opening.

Notably, each security must be evaluated for its design, effectiveness in providing strength for creating difficulty of any risk by the combination of the most efficient measures. (Cardenas et al., 2009) observed that a DD system creates subsystems for the security layer systems which points out any calculations of a practical means and performance measures. Apparently (Chester, 2010) argued that an effective barrier system when evaluated through Estimated Adversary Sequence Interruption (EASI) which corresponds with general systems theory (GST) statistically describes the relationship between the systems of Defence in depth statistically showing the whole efficiency.

Read More