Here's How Real Security Systems Should Be Designed

By: Carlton Purvis, Published on Nov 13, 2013

One of the best books in our industry is Mary Lynn Garcia's Design and Evaluation of Physical Protection Systems where she expertly argues for rigorous security designs rather than the all too common technique of throwing up devices and hoping to deter adversaries. In this special interview, we speak with Garcia about her approach and how to practically apply it.

Security System Golden Formula

Her formula for a good security system, which is outlined in her book, goes something like this:

Deterrence has little value when it comes to securing an asset. A security system should make the probability of detection high enough and the delay of an attacker long enough to allow an organization sufficient time to respond. One basic design principle is that "delay without detection is not effective (i.e., barriers with no sensors or other high probability of detection components won't offer effective protection)," she says. 

We talked with her about how surveillance fits into this formula and how organizations can make it work with any size enterprise.

Know The Asset You Are Trying to Protect

“To do a good risk assessment you need to look at what threats are going to come and the cost of replacing that asset,” she said. A good risk assessment clearly defines the asset you are trying to protect and the consequences of losing control of that asset.

Know Who May Be Coming for It

“There is a relationship between the solution and the problem you are trying to solve ... You have to look at the consequence of loss, then you want to define the adversary that you expect to be coming after that asset and that will define the type of solution you use for it,” she said.

Why Deterrence Is Not Enough

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

People believe in the deterrent effect of security cameras, but organizations should not rely on deterrence to help keep assets safe. “Deterrence is a psychological tool, but some adversaries are very motivated or mentally unstable so they may not be making logical decisions,” she said. A good security system focuses on doing things to keep an adversary out, she says, you can’t count on a person’s mental state to allow them to respond to your deterrents.

“To the extent that an adversary sees a camera or a guard in the way and see that as it harder to be successful ... that says nothing about the effectiveness of your security system. If you’re not attacked that time then great, but if they go down the street [to attack something else instead],” she said. "In the bigger picture, you're not actually protecting anything." This may not matter to a site, she says, but it does matter to society as a whole. 

Where Surveillance Cameras Fit In this Formula

Garcia says deterrence plays a minor role in this formula, but it is an often cited reason for implementing cameras. And although cameras can be used for detection, most of the value of security cameras comes from footage after the fact, she says. 

So where do video surveillance systems fit? “It plays a role but it is not likely to contribute a lot to a real time event ... For high consequence loss assets, if you can’t afford to lose it and there’s an attack on it and it is imminent that it is going to be lost, then your security system has failed,” she said.

She says a surveillance system can be helpful for those assets that an organization can afford to lose. The recorded footage will provide information on who did it and how and possibly provide clues that can lead to apprehending the person.

A camera’s main worth comes in aiding in investigation and recovery. However they are a more effective resource when paired up with other security tools for detection, she said.

“When I talk about detection, I’m talking about pairing a sensor with a camera and relaying that to a human operator,” she said. “Often you go to these control centers and you see hundreds of cameras generally recording and there is a monitor that breaks it up. And there area four or 16 or 20 images scanned at a time. Then a few seconds later another group comes up. You’re asking a human to stare at a monitor that has 20 images on it. Someone says, ‘Sit here and figure out if something bad is going on and if you do, tell me.’”

Camera Monitoring

"Research shows that a person can monitor up to four monitors for about 20 minutes before they lose effectiveness. Of course, this depends on a lot of other things--how much movement is taking place in the scene, how much clutter there is in the scene, lighting of the scene, resolution, and size of the monitor to name a few," she said. "In addition, the distance the operator is from the monitor and other tasks they may be doing are other factors and this is for static monitors, i.e., there aren't multiple scenes being scanned every 15-20 seconds. I read a recent article that says operator effectiveness actually occurs at 15 minutes or less. Either way, it isn't much compared to the amount of time an operator is assigned to watch monitors." 

Rely On Proven Technology For Detection and Response

Garcia says technologists have spent a lot of time creating and organizations have spent a lot of money on technology that they hope can increase speed of detection through analytics or facial recognition.

“People are spending a lot of time trying to come up with technologies and at some point something might be developed but so far I’m not aware of any that are particularly promising or different,” she said. She says that these new technologies are purchased by security directors and law enforcement after getting a flashy show from a vendor who “convinces them that this technology is going to solve all their problems.” They usually do not have the knowledge to evaluate most of the claims being made.

Some of the technologies she says are reliable and tested are microwave sensors and passive infrared sensors and she is skeptical of effectiveness new technologies that are implemented without being proven in the field. 

“Governments are spending a lot of money on unproven technology ...What we need is a Consumer Reports for security equipment,” she said. Garcia said a place where end users could review systems and post information about what worked and what didn't for their application would be helpful to the industry. 

Technology for Response Time

Agencies use a lot of resources for response and most of the time they are responding to nuisance alarms. Garcia says the impact of smartphones is that text alerts can help push information out a little faster, but she advises people to have multiple forms of communication. Often you see people focusing on technology to be a solution rather than finding an actual solution to the problem, she says.

How This Formula Can Apply to Smaller Enterprises

Looking at Garcia’s past experience with Sandia Labs and the type of things they were assessing -- nuclear facilities and other high security government buildings -- it’s easier to envision how her formula would work.

Those facilities are likely using a number of different devices for detection, have barriers like water or layers of fences to delay an intruder and often had their own security contingent for immediate response.

We asked her how this formula could apply to smaller places like office buildings and mom-and-pop stores -- places where significant barriers are not an option, and the organization has little control over response time of local police.

She said organizations should look for ways to slow a person down and there is always the option of removing the asset from the situation. “If it takes the police 20 minutes to get then you need more than 20 minutes of delay so you would have to build those barriers,” she said.

Removing the Asset From The Situation 

If a mom-and-pop store determined that their most important asset was the money in the cash register and a risk assessment found that there may not be enough resources to sufficiently delay the attacker, they could refrain from leaving money in registers overnight. “That doesn’t require technology,” she said. “That’s just a simple procedural change.”

The owner of a store or office has to decide how much risk they are willing to accept and determine what things are hardest to mitigate, she says. “If you’re worried about cash registers, take the money out. If you’re worried about people wrecking the shop, get insurance,” she said. Some of the more dangerous threats could involve workplace violence that can lead to injury or death. In some cases, a person’s life may be the asset that is most at risk.

She says most bank robberies are low consequence events. 

"Most bank robbers come away with less than $5000, so in the big picture, this isn't much money. That number is a few years old so there may be newer data that says more is taken. But, I believe most banks limit the amount of cash they have," she said. "Of course, in a robbery that goes bad, with an armed felon, there could be injuries or deaths, in which case it becomes a much higher consequence event." 

Background: Mary Lynn Garcia

Mary Lynn Garcia retired in 2010 from Sandia National Laboratories where she was a principal staff member at the Security and Technology Center. Currently she is an instructor for the ASIS International Assets Protection workshop, sits on the research council for ASIS International and does occasional consulting.

Comments (8) : PRO Members only. Login. or Join.

Related Reports

Casino Surveillance Pro Interview: James Lathrop on Feb 15, 2019
James Lathrop [link no longer available] has been working in casinos for almost 25 years. During that time, he says he has held "just about every...
Verified Response Discontinued in Silicon Valley San Jose on Feb 28, 2019
Almost all security alarms are false. This has driven some municipalities to require verified response before dispatching police. However, now San...
Private School IT Manager Surveillance Interview on Feb 22, 2019
This IT manager describes himself as the "oft-maligned IT person" whose "opinions may not always be appreciated by the integrator crowd." But he is...
Police Department Surveillance Manager Interview on Feb 28, 2019
Former Memphis PD Surveillance Manager, Lt. Joseph Patty retired months ago, but kept busy during his decades on the force, working to build up...
Large US University End-User Video Surveillance Interview on Mar 18, 2019
Schools have become targets in modern days of active shooters and terrorist fears. The need for video and access security is high. Universities...
Large Hospital Security End User Interview on Mar 21, 2019
This large single-state healthcare system consists of many hospitals, and hundreds of health parks, private practices, urgent care facilities, and...
City Physical Security Manager Interview on Mar 14, 2019
This physical security pro is the Physical Security Manager for the City of Calgary. He is a criminologist by training with an ASIS CPP credential....
Kidnapping Victim Rescued With Video From Ring Doorbell Camera on May 24, 2019
A kidnapping victim was rescued within 24 hours, with the police crediting video from a Ring Doorbell camera as key to solving the case. A girl was...
New GDPR Guidelines for Video Surveillance Examined on Jul 18, 2019
The highest-level EU data protection authority has issued a new series of provisional video surveillance guidelines. While GDPR has been in...
First GDPR Facial Recognition Fine For Sweden School on Aug 22, 2019
A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is...

Most Recent Industry Reports

Brivo Business Profile 2020 on Jan 27, 2020
Brivo has been doing cloud access for more than 20 years. Is the 2020s the decade that cloud access becomes the norm? CEO Steve Van Till recently...
Favorite VMS / NVR Manufacturers 2020 on Jan 27, 2020
In 2018, a new winner emerged and a former top choice declined. Now, there is a new #1, a new top 5 finisher and 2 major VMSes in decline. Our...
"Hikvision Football Arena" Lithuania Causes Controversy on Jan 24, 2020
Controversy has arisen in Lithuania over Hikvision becoming a soccer team's top sponsor and gaining naming rights to their arena, with one local MP...
Axis and Genetec Drop IFSEC 2020 on Jan 23, 2020
Two of the best-known video surveillance manufacturers are dropping IFSEC International 2020, joining Milestone who dropped IFSEC in 2019. The...
Multipoint Door Lock Tutorial on Jan 23, 2020
Despite widespread use, locked doors are notoriously weak at stopping entry, and thousands can be misspent on locks that leave doors quite...
Avigilon Shifts Cloud Strategy - Merges Blue and ACC on Jan 23, 2020
Avigilon is shifting its cloud strategy, phasing out its Blue web-managed surveillance platform as a stand-alone brand and merging it with its ACC...
Verkada Paying $100 For Referrals Just To Demo on Jan 22, 2020
Some companies pay for referrals when the referral becomes a customer. Verkada is taking it to the next level - paying $100 referrals fees simply...
Camera Analytics Shootout 2020 - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Uniview, Vivotek on Jan 22, 2020
Analytics are hot again, thanks to a slew of AI-powered cameras, but whose analytics really work? And how do these new smart cameras compare to top...
Intersec 2020 Final Show Report on Jan 21, 2020
IPVM spent all 3 days at the Intersec 2020 show interviewing various companies and finding key trends. We cover: Middle East Enterprise...
Vehicle & Long Range Access Reader Tutorial on Jan 21, 2020
One of the classic challenges for access control are parking lots and garages, where the user's credential is far from the reader. With modern...