Here's How Real Security Systems Should Be Designed

By: Carlton Purvis, Published on Nov 13, 2013

One of the best books in our industry is Mary Lynn Garcia's Design and Evaluation of Physical Protection Systems where she expertly argues for rigorous security designs rather than the all too common technique of throwing up devices and hoping to deter adversaries. In this special interview, we speak with Garcia about her approach and how to practically apply it.

Security System Golden Formula

Her formula for a good security system, which is outlined in her book, goes something like this:

Deterrence has little value when it comes to securing an asset. A security system should make the probability of detection high enough and the delay of an attacker long enough to allow an organization sufficient time to respond. One basic design principle is that "delay without detection is not effective (i.e., barriers with no sensors or other high probability of detection components won't offer effective protection)," she says. 

We talked with her about how surveillance fits into this formula and how organizations can make it work with any size enterprise.

Know The Asset You Are Trying to Protect

“To do a good risk assessment you need to look at what threats are going to come and the cost of replacing that asset,” she said. A good risk assessment clearly defines the asset you are trying to protect and the consequences of losing control of that asset.

Know Who May Be Coming for It

“There is a relationship between the solution and the problem you are trying to solve ... You have to look at the consequence of loss, then you want to define the adversary that you expect to be coming after that asset and that will define the type of solution you use for it,” she said.

Why Deterrence Is Not Enough

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

People believe in the deterrent effect of security cameras, but organizations should not rely on deterrence to help keep assets safe. “Deterrence is a psychological tool, but some adversaries are very motivated or mentally unstable so they may not be making logical decisions,” she said. A good security system focuses on doing things to keep an adversary out, she says, you can’t count on a person’s mental state to allow them to respond to your deterrents.

“To the extent that an adversary sees a camera or a guard in the way and see that as it harder to be successful ... that says nothing about the effectiveness of your security system. If you’re not attacked that time then great, but if they go down the street [to attack something else instead],” she said. "In the bigger picture, you're not actually protecting anything." This may not matter to a site, she says, but it does matter to society as a whole. 

Where Surveillance Cameras Fit In this Formula

Garcia says deterrence plays a minor role in this formula, but it is an often cited reason for implementing cameras. And although cameras can be used for detection, most of the value of security cameras comes from footage after the fact, she says. 

So where do video surveillance systems fit? “It plays a role but it is not likely to contribute a lot to a real time event ... For high consequence loss assets, if you can’t afford to lose it and there’s an attack on it and it is imminent that it is going to be lost, then your security system has failed,” she said.

She says a surveillance system can be helpful for those assets that an organization can afford to lose. The recorded footage will provide information on who did it and how and possibly provide clues that can lead to apprehending the person.

A camera’s main worth comes in aiding in investigation and recovery. However they are a more effective resource when paired up with other security tools for detection, she said.

“When I talk about detection, I’m talking about pairing a sensor with a camera and relaying that to a human operator,” she said. “Often you go to these control centers and you see hundreds of cameras generally recording and there is a monitor that breaks it up. And there area four or 16 or 20 images scanned at a time. Then a few seconds later another group comes up. You’re asking a human to stare at a monitor that has 20 images on it. Someone says, ‘Sit here and figure out if something bad is going on and if you do, tell me.’”

Camera Monitoring

"Research shows that a person can monitor up to four monitors for about 20 minutes before they lose effectiveness. Of course, this depends on a lot of other things--how much movement is taking place in the scene, how much clutter there is in the scene, lighting of the scene, resolution, and size of the monitor to name a few," she said. "In addition, the distance the operator is from the monitor and other tasks they may be doing are other factors and this is for static monitors, i.e., there aren't multiple scenes being scanned every 15-20 seconds. I read a recent article that says operator effectiveness actually occurs at 15 minutes or less. Either way, it isn't much compared to the amount of time an operator is assigned to watch monitors." 

Rely On Proven Technology For Detection and Response

Garcia says technologists have spent a lot of time creating and organizations have spent a lot of money on technology that they hope can increase speed of detection through analytics or facial recognition.

“People are spending a lot of time trying to come up with technologies and at some point something might be developed but so far I’m not aware of any that are particularly promising or different,” she said. She says that these new technologies are purchased by security directors and law enforcement after getting a flashy show from a vendor who “convinces them that this technology is going to solve all their problems.” They usually do not have the knowledge to evaluate most of the claims being made.

Some of the technologies she says are reliable and tested are microwave sensors and passive infrared sensors and she is skeptical of effectiveness new technologies that are implemented without being proven in the field. 

“Governments are spending a lot of money on unproven technology ...What we need is a Consumer Reports for security equipment,” she said. Garcia said a place where end users could review systems and post information about what worked and what didn't for their application would be helpful to the industry. 

Technology for Response Time

Agencies use a lot of resources for response and most of the time they are responding to nuisance alarms. Garcia says the impact of smartphones is that text alerts can help push information out a little faster, but she advises people to have multiple forms of communication. Often you see people focusing on technology to be a solution rather than finding an actual solution to the problem, she says.

How This Formula Can Apply to Smaller Enterprises

Looking at Garcia’s past experience with Sandia Labs and the type of things they were assessing -- nuclear facilities and other high security government buildings -- it’s easier to envision how her formula would work.

Those facilities are likely using a number of different devices for detection, have barriers like water or layers of fences to delay an intruder and often had their own security contingent for immediate response.

We asked her how this formula could apply to smaller places like office buildings and mom-and-pop stores -- places where significant barriers are not an option, and the organization has little control over response time of local police.

She said organizations should look for ways to slow a person down and there is always the option of removing the asset from the situation. “If it takes the police 20 minutes to get then you need more than 20 minutes of delay so you would have to build those barriers,” she said.

Removing the Asset From The Situation 

If a mom-and-pop store determined that their most important asset was the money in the cash register and a risk assessment found that there may not be enough resources to sufficiently delay the attacker, they could refrain from leaving money in registers overnight. “That doesn’t require technology,” she said. “That’s just a simple procedural change.”

The owner of a store or office has to decide how much risk they are willing to accept and determine what things are hardest to mitigate, she says. “If you’re worried about cash registers, take the money out. If you’re worried about people wrecking the shop, get insurance,” she said. Some of the more dangerous threats could involve workplace violence that can lead to injury or death. In some cases, a person’s life may be the asset that is most at risk.

She says most bank robberies are low consequence events. 

"Most bank robbers come away with less than $5000, so in the big picture, this isn't much money. That number is a few years old so there may be newer data that says more is taken. But, I believe most banks limit the amount of cash they have," she said. "Of course, in a robbery that goes bad, with an armed felon, there could be injuries or deaths, in which case it becomes a much higher consequence event." 

Background: Mary Lynn Garcia

Mary Lynn Garcia retired in 2010 from Sandia National Laboratories where she was a principal staff member at the Security and Technology Center. Currently she is an instructor for the ASIS International Assets Protection workshop, sits on the research council for ASIS International and does occasional consulting.

Comments (8) : Members only. Login. or Join.

Related Reports

Latest London Police Facial Recognition Suffers Serious Issues on Feb 24, 2020
On February 20, IPVM visited another live face rec deployment by London police, but this time the system was thwarted by technical problems and...
London Live Police Face Recognition Visited on Feb 13, 2020
London police have officially begun using live facial recognition in select areas of the UK capital, sparking significant controversy. IPVM...
Covert Elevator Face Recognition on Oct 24, 2019
Covert elevator facial recognition has the potential to solve the cost and complexity of elevator surveillance while engendering immense privacy...
Kidnapping Victim Rescued With Video From Ring Doorbell Camera on May 24, 2019
A kidnapping victim was rescued within 24 hours, with the police crediting video from a Ring Doorbell camera as key to solving the case. A girl was...
Bank Security Manager Interview on May 15, 2019
Bank security contends with many significant threats - from fraudsters to robbers and more. In this interview, IPVM spoke with bank security...
San Francisco Face Recognition Ban And Surveillance Regulation Details Examined on May 14, 2019
San Francisco passed the legislation 8-1 today. While the face recognition 'ban' has already received significant attention over the past few...
Hikvision AI Problems Criticized By Chinese Publication on Apr 09, 2019
Hikvision's facial recognition works poorly, causes delays and worsens learning, according to a new investigation by one of China's leading...
Casino Security Consultant Carl Lindgren Interview on Mar 26, 2019
For more than 20 years, Carl Lindgren worked as a casino surveillance pro, while being active (and sometimes outspoken) on various online video...
IBM / Genetec Surveillance System Investigated Over Philippines Human Rights Abuses on Mar 22, 2019
A lengthy investigation into an IBM video surveillance project in the Philippines, raising concerns IBM helped local police conduct a bloody...
Large Hospital Security End User Interview on Mar 21, 2019
This large single-state healthcare system consists of many hospitals, and hundreds of health parks, private practices, urgent care facilities, and...

Most Recent Industry Reports

Dahua Faked Coronavirus Camera Marketing on Apr 01, 2020
Dahua has conducted a coronavirus camera global marketing campaign centered around a faked detection. Now, Dahua has expanded this to the USA,...
Video Surveillance Trends 101 on Apr 01, 2020
This report examines major industry factors and how they could impact video surveillance in the next 5 - 10 years. This is part of our Video...
USA's Seek Scan Thermal Temperature System Examined on Apr 01, 2020
This US company, Seek, located down the road from FLIR and founded by former FLIR employees is offering a thermal temperature system for the...
Terrible Convergint Coronavirus Thermal Camera Recommendation on Apr 01, 2020
A week after Convergint disclosed falling revenue, pay and job cuts, Convergint is touting 'extensive research' that is either grossly incompetent...
The IPVM New Products Online Show April 2020 Opens With 40+ Manufacturers on Mar 31, 2020
IPVM is excited to announce the first New Products Online show, with 40+ manufacturers, to be held April 14 to the 16th, free to IPVM members,...
USA's Feevr Thermal Temperature System Examined on Mar 31, 2020
This US company has burst on to the scene, brashly naming itself 'feevr' and branding itself as a "COVID 19 - AI BASED NON CONTACT THERMAL...
JCI Coronavirus Cuts on Mar 31, 2020
JCI has made coronavirus cuts, the company told employees in an email that IPVM has reviewed. Inside this note, we examine the cuts made, the...
Add Door Operators To Fight Coronavirus on Mar 31, 2020
IPVM recommends that integrators advocate and end-users consider adding door operators to fight the spread of coronavirus. This delivers...
Video Surveillance Business 101 on Mar 30, 2020
This report explains the fundamental elements of the video surveillance business for those new to the industry. This is part of our Video...
FDA Gives Guidance on 'Coronavirus' Thermal Fever Detection Systems on Mar 30, 2020
The US FDA has given IPVM guidance on the use of thermal fever detection systems being marketed for coronavirus, as an explosion of such devices...