Security Planning and Risk Assessment - Essay Example

Security Planning and Assessment One of the most important, and often overlooked, aspects of security assessment and planning is the human impact that employees and other casual contacts have on the security of an organization. Security threats are often thought of as external, physical threats such as robbery or terrorism, but major organizational losses stem from the "misuse of equipment and facilities, careless handling of raw materials and finished goods, sloppy documentation and poor inventory controls" (ASIS International, 2008, p.2-III-1). The human element is significant for two major reasons. First, the employees are typically responsible for regular loss within an organization and should be the first line of defense against such incidents. And second, the workforce is the most valuable source of intelligence that a manager has concerning threats, vulnerabilities, and alternative security measures. Adequate employee awareness and training are some of the most vital components of risk assessment and planning. Failing to include employee training in risk planning leaves one of the manager's most valuable resources unused. Employees have the best and most current knowledge of security vulnerabilities. Employees will often accept these vulnerabilities as being someone else's job, or fail to recognize their importance. Making employees aware of the problem, and their individual responsibility, can often disclose security risks that might be otherwise overlooked. In addition, they may be a significant source of intelligence concerning an impending, or ongoing, threat. Good employee awareness and communication are the first steps in designing and implementing a risk reduction program within an organization. 2.) The roles that the government and private-sector play in the protection of private-sector critical infrastructure facilities is usually determined by two factors; budgetary concerns, and expertise. Currently the federal government plays a significant part during the mitigation phase to train and organize security for these concerns. This is appropriate, as it insures that executives and managers have the latest information concerning research and threats that are constantly changing. This also gives the public a reassurance that the security of these high value assets is coordinated on the federal level. While the government brings considerable expertise to the scenario, the private concern is expected to assume the budgetary requirements. In a free market economy the private corporation is generally responsible for the immediate security of their assets. This includes physical security and access control. However, the protection of some assets that are critical to the economy, or health and safety, is in the interest of all citizens. The nature of the threat may demand a level of security that is not economically practical for a private business. According to Ortmeier (2008), "Industry standards indicate that the protection cost should be less than 2 percent of the value of the asset to be protected" (p.186). When the cost of security becomes excessive, it is not unreasonable to expect the taxpayer to bear a portion of the cost. Examples would be federal marshals on selected airline flights, or securing material that has a high value to a terrorist for use in explosives. The government should also pass and enforce legislation that mandates security and inspection at critical facilities. The programs that the DEA and EPA currently have that require securing, monitoring, and accounting for drugs and toxic chemicals could be expanded to include other assets. 3.) It is a significant challenge to build employee morale and professionalism in a security organization that has historically suffered from low wages and budget constraints. Maslow's need hierarchy continuum indicates that self-actualization is a higher priority to the individual than wages or a promotion. Self-actualization is achieved when "one's desires for personal growth, self-fulfillment, and reaching one's full potential are realized" (Ortmeier, 2008, p.133). This forms the basis of professionalism that increases an employee's self-esteem and meets their "desire for self-respect, personal; achievement, and recognition from others" (Ortmeier, 2008, p.133). Building professionalism within the group adds uniqueness to the group and gives the individual members a feeling of belonging - a sense of camaraderie. In the absence of higher wages and more money, there are several other methods that can be used to enhance professionalism. Above all, the manager needs to reflect an image of professionalism and leadership. Titles can convey a sense of prestige and can be given to employees to fulfill their need for status, as well as giving them something to strive for. Personal recognition, especially in a public forum, can also boost morale. This can be as simple as recognizing an employee for perfect attendance, or honoring employees for their length of service. Additional training can also give the employee a greater sense of value to the company. This adds to their professional level as well as giving them a validated set of goals and expectations. This can be incorporated as part of a career path development program, which gives the employee a sense of planning their future with the company. These activities can help to develop better morale within an organization, as well as improving productivity and increasing retention rates. 4.1) According to the case study, Jones was hired during a labor shortage and was hired based on his technical expertise. Though the case study was not specific about Jones' problems, in all likelihood adequate pre-screening would have indicated a problem. Psychological tests are available that could have uncovered emotional instability or mental health issues, while Jones' arrest records are open to the public and "criminal history checks are imperative" (Ortmeier, 2008, p.122-123). In addition, a credit check may have also uncovered a pattern of irresponsibility. These checks could have supplemented a thorough check with Jones' previous employers. However, as the study indicates, Jones was not who his credentials indicated, and this would have been discovered with a more complete pre-screening process. 4.2) In retrospect, it is easy to conclude that Apollo exercised poor judgement when hiring Jones. This is indicated by two red flags. First, the company was in a hurry to fill the position and based their judgement solely on Jones' technical ability. If an employee is hired hastily, more people should be involved in the decision, which could have mediated the emotional component that led to the poor judgement. Second, Jones had a history of work experiences that lasted less than one year. Apollo had a responsibility to protect not only their own assets, but also the safety of the other employees. According to Ortmeier (2008), "failure to complete a diligent inquiry into the suitability of persons employed may constitute negligent hiring" (p.126). Apollo certainly falls into the category of failing to complete a thorough investigation into Jones' aptitude and background. 4.3) The first, and most important, action that Apollo should take in regards to Jones is to involve law enforcement. The threats and ongoing danger are a legal matter that needs to be pursued by the legal system. Apollo should address the problem by meeting with the employees, stressing the seriousness of the situation, informing them of the potential for a threat, and educating them in regards to the appropriate response. Employees should know how to report an incident involving Jones, as well as be given phone numbers to call in the case of a crisis (United States Office of Personnel Management, 1998, p.19). Apollo and its employees should keep records of all contact with Jones and give them to law enforcement. It is critical that Apollo handles each incident on a personal level with the employee to assure them that the incident is being followed up on (United States Office of Personnel Management, 1998, p.11). Employees may be reluctant to report an incident if they feel like nothing will be done. 4.4) Workplace violence prevention is primarily the responsibility of the private employer. Police can react to the incident, but the employer needs a prevention plan to reduce the risk of the threat. As we see in this case study, adequate pre-screening is critical. In addition there should be a plan to prevent violence, inappropriate, or other criminal behavior in the workplace. According to the FBI, "Employers have a legal and ethical obligation to promote a work environment free from threats and violence" (Rugala and Isaacs, n.d., p.15). While it is important to work closely with local law enforcement agencies, the primary responsibility for prevention lies with the employer. References ASIS International. (2008). Protection of assets manual. Alexandria, VA: Author. Ortmeier, P. J. (2008). Introduction to security: Operations and management (3rd ed.). Upper Saddle River, NJ: Prentice Hall. Rugala, E. A., & Isaacs, A. R. (Eds.). (n.d.). Workplace violence: Issues in response. Quantico, VA: FBI Critical Incident Response Group. United States Office of Personnel Management. (1998). Dealing with workplace violence: A guide for agency planners. Washington, DC: Office of Workforce Relations. Read More