The design of effective physical security system requires a methodological approach. An effective physical security system integrates people, procedures, and technology for protection of the assets against thefts, sabotage, and malicious human attacks.
Hence, the designer or security director should weigh the objectives of the physical security system clearly against available resources and then evaluate the proposed design to ascertain how well it meets the objectives of the security program.
Comprehensive security risk assessment is the key
A comprehensive security risk assessment is essential prior to design the effective physical security system. The PSS (Physical Security System) might waste valuable capital on unnecessary protection or fail to provide sufficient protection at critical points of the facility if a comprehensive security risk assessment is not carried out.
For instance, it is probably imprudent to protect employee recreation area with the same level of protection that a data center may require. Similarly, maximum security at the main entrance would waste if the entry could also possible from other unprotected points.
As each facility is unique, a proper security risk assessment that evaluates the criticality of assets, threats, vulnerabilities will give a clear picture of risk exposure that gives a baseline for effective physical security system design.
Focus on Performance not on features:
Another important thing to keep in mind is a performance based system design is always effective than compliance or features based system. Because performance-based system design provides clear performance measures that can be validated with numeric characteristic for various system components.
For instance, a Performance based system design allows predicting performance against identified threat in various system effectiveness parameters. In this, we can assess sensors effectiveness under various environmental conditions, video clarity at different illuminating conditions, the response time of guard force etc.
This performance-based system is also quite helpful to build the business case to persuade the business leaders to by highlighting clear cost benefit analysis.
Design Basis Threat:
An effective PSS design should have a process that produces the design as per DBT (Design Basis Threat) and not on mere assumptions or experience of the individual designing the system.
Even though there are a number of security risk assessment and system design methodologies available to adapt, the following 3-step methodology suggested by Mary Lynn Garcia was proven its effectiveness over 3 decades at the critical installations.
1. Determining PSS objectives
2. Design or characterization of PSS
3. Analysis and Evaluation of PSS
1. Design Physical Security System Objectives:
In order to develop the objectives, the designer must accomplish three steps. Those are Facility Characterization, Threat Definition, and Target Identification.
a. Facility Characterization:
It this step, the designer needs to understand the facility itself. He or she needs to assess the facility operations, conditions, operating states and the entire layout of the facility such as site boundary, building location, building interiors floor plans, access points, blueprints, process descriptions, health, safety and environmental analysis reports etc.
Then he or she also needs to assess any additional considerations for any operational, safety, legal liability or regulatory requirements while designing PSS.
In addition, a tour of the sites and interviews with the facility personnel will provide necessary info on the effectiveness of any existing physical protection features.
Involving all-important stakeholders is also necessary for ensuring the business operations are continued in a secure, safe and efficient environment. As each facility is unique, this process should be followed each time a need is identified.
b. Threat Definition:
The second step in determining the objectives is to define the threat. In this step, the designer needs consider the factors about potential adversaries, their class, capabilities and a range of tactics.
He or she must collect information about the adversary Class, Tactics, and Capabilities.
The classes of adversary:
An adversary can be categorized into three classes – outsiders, insiders and outsiders working in collusion with insiders.
Tactics of adversary:
Adversary can use deceit, stealth, force, or any of the combination is the range of tactics each class of adversary can use to defeat PSS. For instance, Deceit is an attempt to defeat a security system by using false authorization or identification. Stealth is an attempt to defeat a security system by using covert means. (Spoofing or bypassing a sensor). Force is an overt, forcible attempt to overcome a security system,
Capabilities of adversary:
The designer needs to identify the most likely threats and should design the system to meet those threats by the keeping their capabilities in consideration. For instance, there may be several threats, any given facility can encounter, such as a criminal outsider, disgruntled employee, competitors or some combination. Hence, an effective physical security system must be designed to protect against all of these threats.
c. Target Identification:
The final step is to perform target identification for the facility. For, this A thorough review of the facility and its assets should be conducted. This may include identifying critical assets, people, information or critical equipment or processes or reputation anything that could impact business operations.
For instance, Determining the negative impact or unacceptable consequence in the event of loss of an asset or sabotage of an equipment or interruption of a business process will help identify critical assets, or equipment, or process that needs to be protected.
Once the designer completes these three steps, he can determine the protection objectives of the physical security system. For example, to intercept a criminal adversary with hand tools and a vehicle before he removes finished goods from the shipping dock.
The threat definition will depend on target identification and vice versa. Since any facility can have any number of threats, the process of determining objectives will be somewhat recursive and requires assessing the complex relationships among the protection system objectives.
2. Design Physical Security System:
Once the designer knows the objectives of PSS that is what to protect against whom, the next step is to design the new system or characterize the existing system.
The primary functions of a physical Security system are
· Detection of an adversary
· Delay of that adversary
· Response by security personnel (Guard Force)
If a new system is to be designed, the designer should better integrate PSS components (people, procedures, and technology) with PSS functions (detect, delay and response) to achieve PSS objectives.
The integration process includes better combining the elements such as barriers, intrusion detection systems, access control systems, video surveillance, communication devices, procedures, and security personnel into a physical security system that can achieve the protection objectives.
An effective PSS should meet protection objectives within the operational, safety, legal and economic constraints of the facility.
The designer should also be aware and implement certain important principles during the physical security design and the close associations between detection, delay, and response functions. For instance,
· A physical security system performs better if detection is as far as from the target as possible and delays are as near as the target.
· Detection without assessment is not detection.
· A response Force cannot respond unless it receives a communication call for a response.
The designer should integrate each system component in combinations that complement each other to protect any weaknesses in the overall PSS.
If the Physical security system already exists, it must be characterized to establish whether it is meeting the protection objectives. If not, it needs to be redesigned.
3. Analysis and Evaluation of PSS:
Once the PSS is designed, it must be analyzed and evaluated to ensure that it is meeting the physical security objectives. To estimate the minimum performance levels achieved by a physical security system more sophisticated qualitative and quantitative analysis techniques can be used.
Generally, quantitative analysis will be used in systems that are designed to protect high-value critical assets and qualitative techniques used in systems that are designed to protecting lower value assets. In order to complete a quantitative analysis, performance data must be available for the system components.
The outcome of this analysis process is a system vulnerability assessment which will find that the design effectively achieved the protection objectives or it will identify weaknesses.
If the protection objectives are achieved, then the design and analysis process completed. However, the PSS should be analyzed periodically to ensure that the original protection objectives remain valid.
If the PPS is found to be ineffective, the designer needs to redesign or upgrade the initial protection system design to correct the identified vulnerabilities. Then, an analysis of the redesigned system is performed. This cycle continues until the outcome indicates the PSS meets the protection objectives.