Here's How Real Security Systems Should Be Designed

By: Carlton Purvis, Published on Nov 13, 2013

One of the best books in our industry is Mary Lynn Garcia's Design and Evaluation of Physical Protection Systems where she expertly argues for rigorous security designs rather than the all too common technique of throwing up devices and hoping to deter adversaries. In this special interview, we speak with Garcia about her approach and how to practically apply it.

Security System Golden Formula

Her formula for a good security system, which is outlined in her book, goes something like this:

Deterrence has little value when it comes to securing an asset. A security system should make the probability of detection high enough and the delay of an attacker long enough to allow an organization sufficient time to respond. One basic design principle is that "delay without detection is not effective (i.e., barriers with no sensors or other high probability of detection components won't offer effective protection)," she says. 

We talked with her about how surveillance fits into this formula and how organizations can make it work with any size enterprise.

Know The Asset You Are Trying to Protect

“To do a good risk assessment you need to look at what threats are going to come and the cost of replacing that asset,” she said. A good risk assessment clearly defines the asset you are trying to protect and the consequences of losing control of that asset.

Know Who May Be Coming for It

“There is a relationship between the solution and the problem you are trying to solve ... You have to look at the consequence of loss, then you want to define the adversary that you expect to be coming after that asset and that will define the type of solution you use for it,” she said.

Why Deterrence Is Not Enough

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

People believe in the deterrent effect of security cameras, but organizations should not rely on deterrence to help keep assets safe. “Deterrence is a psychological tool, but some adversaries are very motivated or mentally unstable so they may not be making logical decisions,” she said. A good security system focuses on doing things to keep an adversary out, she says, you can’t count on a person’s mental state to allow them to respond to your deterrents.

“To the extent that an adversary sees a camera or a guard in the way and see that as it harder to be successful ... that says nothing about the effectiveness of your security system. If you’re not attacked that time then great, but if they go down the street [to attack something else instead],” she said. "In the bigger picture, you're not actually protecting anything." This may not matter to a site, she says, but it does matter to society as a whole. 

Where Surveillance Cameras Fit In this Formula

Garcia says deterrence plays a minor role in this formula, but it is an often cited reason for implementing cameras. And although cameras can be used for detection, most of the value of security cameras comes from footage after the fact, she says. 

So where do video surveillance systems fit? “It plays a role but it is not likely to contribute a lot to a real time event ... For high consequence loss assets, if you can’t afford to lose it and there’s an attack on it and it is imminent that it is going to be lost, then your security system has failed,” she said.

She says a surveillance system can be helpful for those assets that an organization can afford to lose. The recorded footage will provide information on who did it and how and possibly provide clues that can lead to apprehending the person.

A camera’s main worth comes in aiding in investigation and recovery. However they are a more effective resource when paired up with other security tools for detection, she said.

“When I talk about detection, I’m talking about pairing a sensor with a camera and relaying that to a human operator,” she said. “Often you go to these control centers and you see hundreds of cameras generally recording and there is a monitor that breaks it up. And there area four or 16 or 20 images scanned at a time. Then a few seconds later another group comes up. You’re asking a human to stare at a monitor that has 20 images on it. Someone says, ‘Sit here and figure out if something bad is going on and if you do, tell me.’”

Camera Monitoring

"Research shows that a person can monitor up to four monitors for about 20 minutes before they lose effectiveness. Of course, this depends on a lot of other things--how much movement is taking place in the scene, how much clutter there is in the scene, lighting of the scene, resolution, and size of the monitor to name a few," she said. "In addition, the distance the operator is from the monitor and other tasks they may be doing are other factors and this is for static monitors, i.e., there aren't multiple scenes being scanned every 15-20 seconds. I read a recent article that says operator effectiveness actually occurs at 15 minutes or less. Either way, it isn't much compared to the amount of time an operator is assigned to watch monitors." 

Rely On Proven Technology For Detection and Response

Garcia says technologists have spent a lot of time creating and organizations have spent a lot of money on technology that they hope can increase speed of detection through analytics or facial recognition.

“People are spending a lot of time trying to come up with technologies and at some point something might be developed but so far I’m not aware of any that are particularly promising or different,” she said. She says that these new technologies are purchased by security directors and law enforcement after getting a flashy show from a vendor who “convinces them that this technology is going to solve all their problems.” They usually do not have the knowledge to evaluate most of the claims being made.

Some of the technologies she says are reliable and tested are microwave sensors and passive infrared sensors and she is skeptical of effectiveness new technologies that are implemented without being proven in the field. 

“Governments are spending a lot of money on unproven technology ...What we need is a Consumer Reports for security equipment,” she said. Garcia said a place where end users could review systems and post information about what worked and what didn't for their application would be helpful to the industry. 

Technology for Response Time

Agencies use a lot of resources for response and most of the time they are responding to nuisance alarms. Garcia says the impact of smartphones is that text alerts can help push information out a little faster, but she advises people to have multiple forms of communication. Often you see people focusing on technology to be a solution rather than finding an actual solution to the problem, she says.

How This Formula Can Apply to Smaller Enterprises

Looking at Garcia’s past experience with Sandia Labs and the type of things they were assessing -- nuclear facilities and other high security government buildings -- it’s easier to envision how her formula would work.

Those facilities are likely using a number of different devices for detection, have barriers like water or layers of fences to delay an intruder and often had their own security contingent for immediate response.

We asked her how this formula could apply to smaller places like office buildings and mom-and-pop stores -- places where significant barriers are not an option, and the organization has little control over response time of local police.

She said organizations should look for ways to slow a person down and there is always the option of removing the asset from the situation. “If it takes the police 20 minutes to get then you need more than 20 minutes of delay so you would have to build those barriers,” she said.

Removing the Asset From The Situation 

If a mom-and-pop store determined that their most important asset was the money in the cash register and a risk assessment found that there may not be enough resources to sufficiently delay the attacker, they could refrain from leaving money in registers overnight. “That doesn’t require technology,” she said. “That’s just a simple procedural change.”

The owner of a store or office has to decide how much risk they are willing to accept and determine what things are hardest to mitigate, she says. “If you’re worried about cash registers, take the money out. If you’re worried about people wrecking the shop, get insurance,” she said. Some of the more dangerous threats could involve workplace violence that can lead to injury or death. In some cases, a person’s life may be the asset that is most at risk.

She says most bank robberies are low consequence events. 

"Most bank robbers come away with less than $5000, so in the big picture, this isn't much money. That number is a few years old so there may be newer data that says more is taken. But, I believe most banks limit the amount of cash they have," she said. "Of course, in a robbery that goes bad, with an armed felon, there could be injuries or deaths, in which case it becomes a much higher consequence event." 

Background: Mary Lynn Garcia

Mary Lynn Garcia retired in 2010 from Sandia National Laboratories where she was a principal staff member at the Security and Technology Center. Currently she is an instructor for the ASIS International Assets Protection workshop, sits on the research council for ASIS International and does occasional consulting.

Comments (8) : Members only. Login. or Join.

Related Reports

Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of...
Vehicle Gate Access Control Guide on Mar 19, 2020
Vehicle gate access control demands integrating various systems to keep...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
Multipoint Door Lock Tutorial on Jan 23, 2020
Despite widespread use, locked doors are notoriously weak at stopping entry,...
HID Presents Mercury Security & Aero Access Controllers on Aug 25, 2020
HID presented Mercury Security & Aero Access Controllers at the 2020 IPVM...
Security Sales Course January 2020 - Last Chance on Jan 02, 2020
Notice: This is the last chance to register for the course. This sales...
Delayed Egress Access Control Tutorial on Feb 04, 2020
Delayed Egress marks one of the few times locking people into a building is...
ZKTeco Presents SpeedFace Recognition + Body Temperature Detection on Apr 21, 2020
ZKTeco presented its SF1008+ reader with body temperature and face mask...
The Insecure Verkada Access Control System on Jun 25, 2020
While Verkada touts the security of its system and that how their new door...
China Surveillance Vulnerabilities Being Used To Attack China, Says China on Apr 07, 2020
While China video surveillance vulnerabilities have been much debated in the...
US GSA Explains NDAA 889 Part B Blacklisting on Jul 31, 2020
With the 'Blacklist Clause' going into effect August 13 that bans the US...
Access Visitor Management Systems Guide on Jul 22, 2020
"Who are you, and why are you here?" Facilities that implement Visitor...
Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
Securing Access Control Installations Tutorial on Oct 17, 2019
The physical security of access control components is critical to ensuring...

Recent Reports

Hanwha AI Object Detection Tested on Sep 28, 2020
Hanwha has added detection and classification of people, cars, clothing...
Favorite Access Control Manufacturers 2020 on Sep 28, 2020
200+ Integrators told IPVM "What is your favorite access control management...
New Products Show Fall 2020 Starts Tomorrow! on Sep 27, 2020
Tomorrow, IPVM's sixth online show will feature New Products from over 25...
OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
The Future of Metalens For Video Surveillance Cameras - MIT / UMass / Immervision on Sep 25, 2020
Panoramic cameras using 'fisheye' lens have become commonplace in video...
Hikvision Sues Over Brazilian Airport Loss on Sep 24, 2020
Hikvision was excluded from a Brazilian airport project because it is owned...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations are at an all-time low, optimism about relations...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Norway Council of Ethics Finds Hikvision Human Rights Abuses "Ongoing" on Sep 23, 2020
Hikvision's involvement in "serious human rights abuse" in Xinjiang is...
IPVM Camera Calculator User Manual / Guide on Sep 23, 2020
Learn how to use the IPVM Camera Calculator (updated for Version 3.1). The...
Installation Course Fall 2020 - Save $50 - Last Chance on Sep 22, 2020
This is a unique installation course in a market where little practical...
SimpliSafe Business Security Launched Examined on Sep 22, 2020
SimpliSafe has launched "SimpliSafe Business Security" that the company...
FLIR CEO: Many New Fever Entrants "Making Claims That The Science Just Won't Support" on Sep 22, 2020
FLIR's CEO joins a growing number calling out risks with fever / screening...