Risk Assessment for Effective Physical Security - Essay Example

Risk Assessment for Effective Physical Security and Introduction Physical security threats are a significant threat for all organizations. Physical security is especially important for organizations that have an information technology system that stores the organization’s sensitive data.1 As the information experts continuously design ways to counter data breaches, intruders increasingly find it hard to access data through technical means. These criminals have now turned to physical infiltration and intrusion to gain access to privileged facilities and data that they are not authorized to. Physical intrusion is, however, not treated with the same magnitude as technical intrusions such as hacking, computer virus and invasion of spyware programs.2 What many security strategists fail to understand is that both attacks carry the risks of equal magnitudes. Whether the intruder gained the unauthorized access by physically bypassing the security systems or electronically infiltrating the firewalls and other measures the potential detrimental effects of having the organization’s data or other possession in the wrong hands is the same. 3 To that end, physical security threats should be treated with the same magnitude as other non-physical security threats. Physical security measures are the measures instituted to prevent any unauthorized access of the organization’s property, secure facilities, data, and resources from damage. These damages could be in form of data or property theft, espionage, vandalism and even gross terrorist attack. The physical security measures, therefore, is a combination of multi-layered security systems which operate independently to prevent physical security threats. This paper will analyze the importance of physical security measures then the critical considerations used for physical security risk assessment in order to institute an effective physical security system. Physical Security Systems Physical security systems appear in different forms and perform different tasks. It is important to note that none of the systems is capable of independently and effectively protecting the organization against physical intrusion.4 The various systems operate independent of one another, but cooperate with each other in order to form an effective whole. The doctrine of synergy, which implies that the whole is better than the sum of its individual components, has great relevance and application in designing an effective physical security system. In order to ascertain an effective physical security system, it is imperative to determine the different types of systems that interact to create an effective whole. The first type of physical system is meant to deter intruders. An effective physical system employs the use of warning signs placed at conspicuous places and the use of perimeter fences sometimes complemented with barbed wires or steel blades. These systems are meant to discourage a potential intruder. These measures may not be able to protect the organization, but they can have a psychological impact of discouraging prospective intruders.5 The second type is supposed to differentiate between authorized and unauthorized personnel. This employs the use of access cards and electronic keycards to access the cordoned areas. The third type is meant to delay or even prevent physical intrusion. This may involve measures such as the use of padlocks or electronic locks to deter entrance into unauthorized areas. Storing the organization’s documents in a safe, for example, necessitates the intruder to crack the safe. The experienced intruders may be able to crack it while the inexperienced ones may fail to crack it and leave it. The safe may also crack at the end, but it is frustrated by the intruder and even bought some time, thus, increasing the chances that the intrusion is detected before the intruder gets away. The fourth type of system is meant to detect intrusions and give the necessary authorities an indication of an unauthorized entry attempt. This employs devices such as tamper stickers, disguised alarm systems and even closed circuit television camera surveillance. These devices, ordinarily, are further enabled to raise alarm though others are purely for detecting intrusion. The CCTV cameras, for example, cannot be useful by themselves if there is no security guard manning the control room in real time. If there is no one looking at the footage in real time, then the recorded footage can only be useful in identifying the criminals, but not in the apprehension of the intruder. Tamper stickers can also detect intrusion, but cannot raise an alarm in real time. However, some intrusion detection measures such as heat sensors, smoke sensors, grass breaking sensors and many others can raise an alarm when tripped and elicit real time responses by the security guards and the police.6 Physical Security Systems Risk Assessment The most crucial of consideration for an organization as far as developing an effective physical security system is the cost benefit analysis, and rightly so. Most of these physical systems are expensive and represent a significant undertaking in terms of the capital investment.7 However, if the entirety of the risk assessment is based on the benefits versus the cost of installing such a system, then the organization may end up making a faulty decision. There are other significant factors that should be assessed for the risks they possess such as the requirements determination, the ease of installation of the system and its maintenance, the degree of disruption of the organization’s routines, the complexity of the systems’ operations and control and the flexibility of the physical system, just to mention a few. a) Requirements definition It is imperative to assess the risks associated with correct definition of the problem at hand. If the diagnosis is wrong, the treatment would also be wrong meaning that the physical system instituted may not be as effective as had been envisaged. The requirements definition seeks to establish the specific threats that the physical system is meant to protect against. It also determines the extent to which this system is capable of protecting the subject.8 The risk assessment involves assessing the vulnerabilities of the system. For example, if the system is meant to protect unauthorized personnel from accessing the organization’s server room, then the location of the server room in the organization’s complex or campus would determine its vulnerability to attacks. Experts advise that in order to reduce risks, physical location of important elements should be optimal.9 For example, the items should be located at the highest possible floor and in the inner most part of the organization’s building. If possible, all these materials should have their value ascertained and then located as close as possible to each other. Although this seems like concentrating the risks, which to some security experts is unwise, it actually aids in concentrating the efforts and resources of the physical system thus making it better and more effective. The requirement definition also analyzes the impact of failure of the system. It assesses the risks and probability of the system failing. These risks are the ones that will later be used to weigh in on the cost-benefit analysis. b) Cost The costs under consideration are the acquisition costs, installation costs, the training costs, the maintenance costs and the failure costs. The cost benefit analysis is the ultimate determinant of the effectiveness of a system.10 It, however, should not be used in isolation to determine this effectiveness. An organization should conduct a risk analysis based entirely on the possibility of the sunk cost going to waste. If there is a probability that the system will fail to meet the intended targets then it is a risky undertaking to use noteworthy amount of money on it. Apart from the risk of its failure against the sunk cost, a risk assessment on the cost of the physical system versus the value of the components the system is meant to protect should also be carried out. If the cost of the system is more than what is being protected, then the risks and costs associated with the system’s failure are heightened.11 c) Disruption of the organization’s processes The process of purchasing, installation and maintenance of the physical security system will most likely disrupt the way the organization operates at those specific moments. It is during these installations and maintenance processes that the risks of attacks are heightened.12 Security experts have identified that there are three types of physical attacks. The first type is the one that use outright overwhelming force to gain access into an organization. The second type usually prefers stealth to gain entry. The third type is the most prevalent; these attackers try to blend into the organization’s way of operation disguising themselves as bona fide employees to gain entry into the organization from where they can make their move.13 These blenders prefer to strike at the moment when the organization’s processes have been disrupted for them to attempt the unauthorized entry. For example, some robbers attack a bank when the bank is installing high speed internet cables or is fixing its electricity circuit boards among many other installation and maintenance processes. At this transitioning period, an organization’s security is at its lowest and, therefore, this is the riskiest time. The risk assessment should come up with recommendations to strengthen the security system, for example, by changing the access protocols at the time of such activities or cordoning the surrounding area to prevent any confusion that may lead to intrusion. d) Ease of installation and maintenance of the system As indicated earlier, an organization’s security status may be at its lowest during the installation and the maintenance processes. It is crucial that these processes are easily conducted and in the shortest time possible. However, the risk assessment of the effectiveness of the system should not be entirely based on the ease of installing them.14 For example, it may be easy to install cameras on the perimeter fences in a day, but not disguising them. The intruders may find it easy to destroy them and then gain entry. In the short run, it is the most effective practice, but it may necessitate frequent replacements and maintenance from time to time. This may end up being the riskiest and the costliest undertaking. The alternative is to take time, may be a week, to carefully install them and disguise them properly. It may be useful, in the long run, in that it may not necessitate frequent maintenance. The risk of being noted is also reduced. The intruders do not become aware of them and do not devise ways to avoid them. e) Complexity and control The metrics here should measure the risks associated with the difficulty of controlling the system. The system should be easy to control, but should not water down the array of functions it performs. The complexity of the security system eventually affects the reliability of the system.15 The reliability determines the level of risk of the security system. f) Flexibility and scalability An effective security system should be based on the unforeseeable future of the company. The risk assessment should determine whether the system is capable of changing with the changing circumstances and size of the organization as it expands. It should be consistent over a long period of time. The designing and the rebuilding of the system as time changes determines the effectiveness of the system and its associated risks of failure in the long run.16 Conclusion Contrary to popular beliefs, physical security threats are just as detrimental to an organization as non-physical attacks. There are many physical security measures that can be taken to prevent an organization from physical attacks. It is imperative that risk assessment be conducted on the various security measures that can be undertaken. When these risks are effectively gauged and addressed, an effective physical system can be guaranteed for the organization. References Baker, Paul., and Benny, Daniel. The complete guide to physical security. New York: CRC Press, 2012. Erbschloe, Michael. Physical security for IT. London: Digital Press, 2004. Fennely, Lawrence. Effective physical security. Portland: Heinemann, 2012. Klinem.com. The most critical considerations for physical security systems. Kline Technical Consulting LLC. Available at http://www.klinenm.com/uploads/common/The_7_Most_Critical_Considerations_for_Physical_Security_Systems.pdf, accessed 3rd March 2014. Norman, Thomas. Physical security risk and countermeasures: Effectiveness metrics. CSO. Available at http://www.csoonline.com/article/540063/physical-security-risk-and-countermeasures-effectiveness-metrics, accessed 4th March 2014. Usgc.gov. Planning and administration. USGC. Available at http://www.usgs.gov/usgs-manual/handbook/hb/440-2-h/440-2-h-ch3.html, accessed 3rd March 2014. Whitman, Michael., and Mattford, Heibert. Principles of information security. New York: Cengage Learning, 2011. Read More