Here's How Real Security Systems Should Be Designed

By: Carlton Purvis, Published on Nov 13, 2013

One of the best books in our industry is Mary Lynn Garcia's Design and Evaluation of Physical Protection Systems where she expertly argues for rigorous security designs rather than the all too common technique of throwing up devices and hoping to deter adversaries. In this special interview, we speak with Garcia about her approach and how to practically apply it.

Security System Golden Formula

Her formula for a good security system, which is outlined in her book, goes something like this:

Deterrence has little value when it comes to securing an asset. A security system should make the probability of detection high enough and the delay of an attacker long enough to allow an organization sufficient time to respond. One basic design principle is that "delay without detection is not effective (i.e., barriers with no sensors or other high probability of detection components won't offer effective protection)," she says. 

We talked with her about how surveillance fits into this formula and how organizations can make it work with any size enterprise.

Know The Asset You Are Trying to Protect

“To do a good risk assessment you need to look at what threats are going to come and the cost of replacing that asset,” she said. A good risk assessment clearly defines the asset you are trying to protect and the consequences of losing control of that asset.

Know Who May Be Coming for It

“There is a relationship between the solution and the problem you are trying to solve ... You have to look at the consequence of loss, then you want to define the adversary that you expect to be coming after that asset and that will define the type of solution you use for it,” she said.

Why Deterrence Is Not Enough

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

People believe in the deterrent effect of security cameras, but organizations should not rely on deterrence to help keep assets safe. “Deterrence is a psychological tool, but some adversaries are very motivated or mentally unstable so they may not be making logical decisions,” she said. A good security system focuses on doing things to keep an adversary out, she says, you can’t count on a person’s mental state to allow them to respond to your deterrents.

“To the extent that an adversary sees a camera or a guard in the way and see that as it harder to be successful ... that says nothing about the effectiveness of your security system. If you’re not attacked that time then great, but if they go down the street [to attack something else instead],” she said. "In the bigger picture, you're not actually protecting anything." This may not matter to a site, she says, but it does matter to society as a whole. 

Where Surveillance Cameras Fit In this Formula

Garcia says deterrence plays a minor role in this formula, but it is an often cited reason for implementing cameras. And although cameras can be used for detection, most of the value of security cameras comes from footage after the fact, she says. 

So where do video surveillance systems fit? “It plays a role but it is not likely to contribute a lot to a real time event ... For high consequence loss assets, if you can’t afford to lose it and there’s an attack on it and it is imminent that it is going to be lost, then your security system has failed,” she said.

She says a surveillance system can be helpful for those assets that an organization can afford to lose. The recorded footage will provide information on who did it and how and possibly provide clues that can lead to apprehending the person.

A camera’s main worth comes in aiding in investigation and recovery. However they are a more effective resource when paired up with other security tools for detection, she said.

“When I talk about detection, I’m talking about pairing a sensor with a camera and relaying that to a human operator,” she said. “Often you go to these control centers and you see hundreds of cameras generally recording and there is a monitor that breaks it up. And there area four or 16 or 20 images scanned at a time. Then a few seconds later another group comes up. You’re asking a human to stare at a monitor that has 20 images on it. Someone says, ‘Sit here and figure out if something bad is going on and if you do, tell me.’”

Camera Monitoring

"Research shows that a person can monitor up to four monitors for about 20 minutes before they lose effectiveness. Of course, this depends on a lot of other things--how much movement is taking place in the scene, how much clutter there is in the scene, lighting of the scene, resolution, and size of the monitor to name a few," she said. "In addition, the distance the operator is from the monitor and other tasks they may be doing are other factors and this is for static monitors, i.e., there aren't multiple scenes being scanned every 15-20 seconds. I read a recent article that says operator effectiveness actually occurs at 15 minutes or less. Either way, it isn't much compared to the amount of time an operator is assigned to watch monitors." 

Rely On Proven Technology For Detection and Response

Garcia says technologists have spent a lot of time creating and organizations have spent a lot of money on technology that they hope can increase speed of detection through analytics or facial recognition.

“People are spending a lot of time trying to come up with technologies and at some point something might be developed but so far I’m not aware of any that are particularly promising or different,” she said. She says that these new technologies are purchased by security directors and law enforcement after getting a flashy show from a vendor who “convinces them that this technology is going to solve all their problems.” They usually do not have the knowledge to evaluate most of the claims being made.

Some of the technologies she says are reliable and tested are microwave sensors and passive infrared sensors and she is skeptical of effectiveness new technologies that are implemented without being proven in the field. 

“Governments are spending a lot of money on unproven technology ...What we need is a Consumer Reports for security equipment,” she said. Garcia said a place where end users could review systems and post information about what worked and what didn't for their application would be helpful to the industry. 

Technology for Response Time

Agencies use a lot of resources for response and most of the time they are responding to nuisance alarms. Garcia says the impact of smartphones is that text alerts can help push information out a little faster, but she advises people to have multiple forms of communication. Often you see people focusing on technology to be a solution rather than finding an actual solution to the problem, she says.

How This Formula Can Apply to Smaller Enterprises

Looking at Garcia’s past experience with Sandia Labs and the type of things they were assessing -- nuclear facilities and other high security government buildings -- it’s easier to envision how her formula would work.

Those facilities are likely using a number of different devices for detection, have barriers like water or layers of fences to delay an intruder and often had their own security contingent for immediate response.

We asked her how this formula could apply to smaller places like office buildings and mom-and-pop stores -- places where significant barriers are not an option, and the organization has little control over response time of local police.

She said organizations should look for ways to slow a person down and there is always the option of removing the asset from the situation. “If it takes the police 20 minutes to get then you need more than 20 minutes of delay so you would have to build those barriers,” she said.

Removing the Asset From The Situation 

If a mom-and-pop store determined that their most important asset was the money in the cash register and a risk assessment found that there may not be enough resources to sufficiently delay the attacker, they could refrain from leaving money in registers overnight. “That doesn’t require technology,” she said. “That’s just a simple procedural change.”

The owner of a store or office has to decide how much risk they are willing to accept and determine what things are hardest to mitigate, she says. “If you’re worried about cash registers, take the money out. If you’re worried about people wrecking the shop, get insurance,” she said. Some of the more dangerous threats could involve workplace violence that can lead to injury or death. In some cases, a person’s life may be the asset that is most at risk.

She says most bank robberies are low consequence events. 

"Most bank robbers come away with less than $5000, so in the big picture, this isn't much money. That number is a few years old so there may be newer data that says more is taken. But, I believe most banks limit the amount of cash they have," she said. "Of course, in a robbery that goes bad, with an armed felon, there could be injuries or deaths, in which case it becomes a much higher consequence event." 

Background: Mary Lynn Garcia

Mary Lynn Garcia retired in 2010 from Sandia National Laboratories where she was a principal staff member at the Security and Technology Center. Currently she is an instructor for the ASIS International Assets Protection workshop, sits on the research council for ASIS International and does occasional consulting.

Comments (8) : Members only. Login. or Join.

Related Reports

Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of compressed air may defeat it. With no special training, intruders can...
Securing Access Control Installations Tutorial on Oct 17, 2019
The physical security of access control components is critical to ensuring that a facility is truly secure. Otherwise, the entire system can be...
Fail Safe vs. Fail Secure Tutorial on Oct 02, 2019
Few terms carry greater importance in access control than 'fail safe' and 'fail secure'. Access control professionals must know how these...
Security Fence Guide on Oct 24, 2018
Fences, while a low tech barricade, are a cornerstone of good security. Few physical security elements are as effective at keeping threats away as...
Drain Wire For Access Control Reader Tutorial on Sep 04, 2018
An easy-to-miss cabling specification plays a key role in access control, yet it is commonly ignored. The drain wire offers protection for readers...
Opposing the Hikvision / Dahua Ban on Aug 22, 2018
Here is a case against the US government ban of Dahua and Hikvision. IPVM collected 160+ responses from integrators, dozens of which opposed the...
Genetec CEO Warns Against Insider Threats on Sep 21, 2017
With Dahua and Hikvision cybersecurity issues becoming indisputable, a new counter has emerged. Just put them behind a firewall, buy cheap...
Competing Against G4S on Aug 09, 2017
G4S Secure Solutions [link no longer available] is a global company, operating in multiple countries and offering a suite of products and services...
Anti-Hack Access Card Shields Tested on May 26, 2017
Keeping your access control card information secure is becoming a big priority, especially since cheaper copiers can hack details easily. Multiple...

Most Recent Industry Reports

Verkada: "IPVM Should Never Be Your Source of News" on Jul 02, 2020
Verkada was unhappy with IPVM's recent coverage declaring that reading IPVM is 'not a good look' and that 'IPVM should never be your source of...
Vintra Presents FulcrumAI Face Recognition on Jul 02, 2020
Vintra presented its FulcrumAI face recognition and mask detection offering at the May 2020 IPVM Startups show. Inside this report: A...
Uniview Wrist Temperature Reader Tested on Jul 02, 2020
Uniview is promoting measuring wrist temperatures whereas most others are just offering forehead or inner canthus measurements. But how well does...
Dahua USA Admits Thermal Solutions "Qualify As Medical Devices" on Jul 02, 2020
Dahua USA has issued a press release admitting a controversial point in the industry but an obvious one to the US FDA, that the thermal temperature...
Access Control Online Show - July 2020 - With 40+ Manufacturers - Register Now on Jul 01, 2020
IPVM is excited to announce our July 2020 Access Control Show. With 40+ companies presenting across 4 days, this is a unique opportunity to hear...
Hanwha Face Mask Detection Tested on Jul 01, 2020
Face mask detection or, more specifically lack-of-face-mask detection, is an expanding offering in the midst of coronavirus. Hanwha in partnership...
UK Government Says Fever Cameras "Unsuitable" on Jul 01, 2020
The UK government's medical device regulator, MHRA, told IPVM that fever-seeking thermal cameras are "unsuitable for this purpose" and recommends...
Camera Course Summer 2020 on Jun 30, 2020
This is the only independent surveillance camera course, based on in-depth product and technology testing. Lots of manufacturer training...
Worst Over But Integrators Still Dealing With Coronavirus Problems (June Statistics) on Jun 30, 2020
While numbers of integrators very impacted by Coronavirus continue to drop, most are still moderately dealing with the pandemic's problems, June...