Here's How Real Security Systems Should Be DesignedBy: Carlton Purvis, Published on Nov 13, 2013
One of the best books in our industry is Mary Lynn Garcia's Design and Evaluation of Physical Protection Systems where she expertly argues for rigorous security designs rather than the all too common technique of throwing up devices and hoping to deter adversaries. In this special interview, we speak with Garcia about her approach and how to practically apply it.
Security System Golden Formula
Her formula for a good security system, which is outlined in her book, goes something like this:
Deterrence has little value when it comes to securing an asset. A security system should make the probability of detection high enough and the delay of an attacker long enough to allow an organization sufficient time to respond. One basic design principle is that "delay without detection is not effective (i.e., barriers with no sensors or other high probability of detection components won't offer effective protection)," she says.
We talked with her about how surveillance fits into this formula and how organizations can make it work with any size enterprise.
Know The Asset You Are Trying to Protect
“To do a good risk assessment you need to look at what threats are going to come and the cost of replacing that asset,” she said. A good risk assessment clearly defines the asset you are trying to protect and the consequences of losing control of that asset.
Know Who May Be Coming for It
“There is a relationship between the solution and the problem you are trying to solve ... You have to look at the consequence of loss, then you want to define the adversary that you expect to be coming after that asset and that will define the type of solution you use for it,” she said.
Why Deterrence Is Not Enough
People believe in the deterrent effect of security cameras, but organizations should not rely on deterrence to help keep assets safe. “Deterrence is a psychological tool, but some adversaries are very motivated or mentally unstable so they may not be making logical decisions,” she said. A good security system focuses on doing things to keep an adversary out, she says, you can’t count on a person’s mental state to allow them to respond to your deterrents.
“To the extent that an adversary sees a camera or a guard in the way and see that as it harder to be successful ... that says nothing about the effectiveness of your security system. If you’re not attacked that time then great, but if they go down the street [to attack something else instead],” she said. "In the bigger picture, you're not actually protecting anything." This may not matter to a site, she says, but it does matter to society as a whole.
Where Surveillance Cameras Fit In this Formula
Garcia says deterrence plays a minor role in this formula, but it is an often cited reason for implementing cameras. And although cameras can be used for detection, most of the value of security cameras comes from footage after the fact, she says.
So where do video surveillance systems fit? “It plays a role but it is not likely to contribute a lot to a real time event ... For high consequence loss assets, if you can’t afford to lose it and there’s an attack on it and it is imminent that it is going to be lost, then your security system has failed,” she said.
She says a surveillance system can be helpful for those assets that an organization can afford to lose. The recorded footage will provide information on who did it and how and possibly provide clues that can lead to apprehending the person.
A camera’s main worth comes in aiding in investigation and recovery. However they are a more effective resource when paired up with other security tools for detection, she said.
“When I talk about detection, I’m talking about pairing a sensor with a camera and relaying that to a human operator,” she said. “Often you go to these control centers and you see hundreds of cameras generally recording and there is a monitor that breaks it up. And there area four or 16 or 20 images scanned at a time. Then a few seconds later another group comes up. You’re asking a human to stare at a monitor that has 20 images on it. Someone says, ‘Sit here and figure out if something bad is going on and if you do, tell me.’”
"Research shows that a person can monitor up to four monitors for about 20 minutes before they lose effectiveness. Of course, this depends on a lot of other things--how much movement is taking place in the scene, how much clutter there is in the scene, lighting of the scene, resolution, and size of the monitor to name a few," she said. "In addition, the distance the operator is from the monitor and other tasks they may be doing are other factors and this is for static monitors, i.e., there aren't multiple scenes being scanned every 15-20 seconds. I read a recent article that says operator effectiveness actually occurs at 15 minutes or less. Either way, it isn't much compared to the amount of time an operator is assigned to watch monitors."
Rely On Proven Technology For Detection and Response
Garcia says technologists have spent a lot of time creating and organizations have spent a lot of money on technology that they hope can increase speed of detection through analytics or facial recognition.
“People are spending a lot of time trying to come up with technologies and at some point something might be developed but so far I’m not aware of any that are particularly promising or different,” she said. She says that these new technologies are purchased by security directors and law enforcement after getting a flashy show from a vendor who “convinces them that this technology is going to solve all their problems.” They usually do not have the knowledge to evaluate most of the claims being made.
Some of the technologies she says are reliable and tested are microwave sensors and passive infrared sensors and she is skeptical of effectiveness new technologies that are implemented without being proven in the field.
“Governments are spending a lot of money on unproven technology ...What we need is a Consumer Reports for security equipment,” she said. Garcia said a place where end users could review systems and post information about what worked and what didn't for their application would be helpful to the industry.
Technology for Response Time
Agencies use a lot of resources for response and most of the time they are responding to nuisance alarms. Garcia says the impact of smartphones is that text alerts can help push information out a little faster, but she advises people to have multiple forms of communication. Often you see people focusing on technology to be a solution rather than finding an actual solution to the problem, she says.
How This Formula Can Apply to Smaller Enterprises
Looking at Garcia’s past experience with Sandia Labs and the type of things they were assessing -- nuclear facilities and other high security government buildings -- it’s easier to envision how her formula would work.
Those facilities are likely using a number of different devices for detection, have barriers like water or layers of fences to delay an intruder and often had their own security contingent for immediate response.
We asked her how this formula could apply to smaller places like office buildings and mom-and-pop stores -- places where significant barriers are not an option, and the organization has little control over response time of local police.
She said organizations should look for ways to slow a person down and there is always the option of removing the asset from the situation. “If it takes the police 20 minutes to get then you need more than 20 minutes of delay so you would have to build those barriers,” she said.
Removing the Asset From The Situation
If a mom-and-pop store determined that their most important asset was the money in the cash register and a risk assessment found that there may not be enough resources to sufficiently delay the attacker, they could refrain from leaving money in registers overnight. “That doesn’t require technology,” she said. “That’s just a simple procedural change.”
The owner of a store or office has to decide how much risk they are willing to accept and determine what things are hardest to mitigate, she says. “If you’re worried about cash registers, take the money out. If you’re worried about people wrecking the shop, get insurance,” she said. Some of the more dangerous threats could involve workplace violence that can lead to injury or death. In some cases, a person’s life may be the asset that is most at risk.
She says most bank robberies are low consequence events.
"Most bank robbers come away with less than $5000, so in the big picture, this isn't much money. That number is a few years old so there may be newer data that says more is taken. But, I believe most banks limit the amount of cash they have," she said. "Of course, in a robbery that goes bad, with an armed felon, there could be injuries or deaths, in which case it becomes a much higher consequence event."
Background: Mary Lynn Garcia
Mary Lynn Garcia retired in 2010 from Sandia National Laboratories where she was a principal staff member at the Security and Technology Center. Currently she is an instructor for the ASIS International Assets Protection workshop, sits on the research council for ASIS International and does occasional consulting.