Physical Security Risk and Countermeasures: Effectiveness Metrics
Is your security program working? Here's how to establish metrics for systematic measurement and improvement of countermeasures.
By Thomas L. Norman
February 22, 2010
Excerpted from Risk Analysis and Security Countermeasure Selection by Thomas Norman (CRC Press 2010), also available directly from the publisher.
What Kind of Metrics Can Help Us Analyze Security Program Effectiveness?
There are several possible metrics to use. Each metric evaluates a different factor in security program effectiveness. These can be used in combination to achieve a complete picture of overall system effectiveness. Some metrics are useful for both new and existing security facilities, and others are only applicable to existing facilities.
- Metrics usable for proposed security programs include:
—Adversary Sequence Diagrams
- Metrics usable for existing security programs include:
—Adversary Sequence Diagrams
—Security events logs
—Patrol logs (vulnerabilities spotting/violations spotting)
—Annual risk analysis
Each of these is explained below.
Adversary Sequence Diagrams
Adversary Sequence Diagrams relate to a specific type of threat actor—those who use intrusion to gain access to their target asset. The most valuable assets of organizations are not located at their front gate at street side. In order for an intruder to get to the target, the intruder must make his or her way from outside the property through various gates, doors, corridors, and then finally to the target. This is true whether the attacker is a terrorist, criminally violent threat actor, or economic or intellectual property criminal. It is true for all burglars, attackers using force or subversives. Whether the threat actor is breaking in, breaking down doors, or secretly making his or her way to an office during working hours to steal money or information, there is a common factor. Each attacker must make entry, make his or her way through passages and barriers, and arrive at the target. For most attackers, the plan is also to make their way back out again, without detection, if possible.
Intrusion attackers come in three types:
1. Those using overwhelming force to make entry.
2. Those using stealth to make entry.
3. Those using the organization's normal business operations to make entry.
Obviously, each of these types presents different requirements for detection, assessment, and response. These three types also present themselves as two main types when encountering a response force:
- Those who will surrender peacefully or try to flee (mostly economic criminals, petty criminals, and some violent criminals).
- Those who will resist:
—Those who will resist with moderate force (any threat actor except terrorists).
—Those who will resist with overwhelming force (all terrorists and some violent criminals—only a few economic or petty criminals).
Intrusion threat actors can be further categorized into two broad groups:
1. Sophisticated criminals following an organized plan.
2. Opportunistic criminals mostly following their instincts (spontaneous planning).
Sophisticated criminals present special challenges for the following reasons:
- Intrusions are generally well planned.
- Sophisticated criminals know their target (its value, its location, the paths to the target, protective measures they will encounter on their way in and out).
- Sophisticated criminals know your facility, including its daily operations.
- They know your detection capabilities.
- They know your security force quality, quantity, training, force capabilities, and weaknesses.
- They can generally predict what your security response will be.
- Sophisticated criminals usually leave little evidence behind, terrorism being the exception.
Unsophisticated criminals also present special challenges:
- Unsophisticated criminals exhibit little or no preplanning, usually responding to opportunities without knowing much about their target, its detection capabilities, occupants, or its response capabilities.
- Poor planning means they may not act predictably, either in the direction they go or in how they respond when encountered by a response officer.
- Unsophisticated criminals rarely make a prolonged entry for fear of detection and response.
- From an evidence standpoint, unsophisticated criminals often leave a chaotic crime scene.
The key to dealing with intrusion threat actors is to detect them as early as possible and intercept them with a superior response before they can make their way to their intended target. Failing that, you can detect them and present a superior response on their exit.
This is where the design basis threat becomes relevant again. The quality of detection, assessment, and response should be proportionate to the level of threat actor and their worst-case scenario. Countermeasure selection must be appropriate to the sophistication and force of the design basis threat.
The Adversary Sequence Diagram (Figure 18.1) is used to evaluate the possible points of entry and the paths that a threat actor could take to his or her target, and then to the exit. This, of course, will result in multiple Adversary Sequence Diagrams, one for each entry/target combination.
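The path enumeration described above, as an added example that is not from the book: a constructed facility is modeled as areas joined by barriers, every entry/target path is listed, and each path is checked for where detection first occurs on the way in. The area names, delay figures, detection flags, the 100-second response time, and the comparison of remaining delay against response time are all assumptions made for illustration.

```python
# Added example: constructed facility, not taken from the book excerpt.
# Each edge is a barrier or passage an intruder must cross:
# (from_area, to_area, delay_seconds, detected_here)
EDGES = [
    ("outside", "yard", 20, False),         # perimeter fence, no sensor
    ("outside", "lobby", 5, True),          # front door, staffed reception
    ("yard", "loading_dock", 30, True),     # dock door with alarm contact
    ("yard", "corridor", 60, False),        # unalarmed side window
    ("lobby", "corridor", 15, True),        # card-reader door
    ("loading_dock", "corridor", 10, False),
    ("corridor", "server_room", 90, True),  # alarmed, reinforced door
    ("corridor", "cash_office", 45, False),
]
ENTRIES = ["outside"]
TARGETS = ["server_room", "cash_office"]
RESPONSE_TIME = 100  # assumed seconds for the response force to arrive


def paths(start, goal, seen=()):
    """Yield every loop-free sequence of edges from start to goal."""
    if start == goal:
        yield []
        return
    for edge in EDGES:
        if edge[0] == start and edge[1] not in seen:
            for rest in paths(edge[1], goal, seen + (start,)):
                yield [edge] + rest


def assess(path):
    """Return (areas, index of first detecting step or None, interceptable)."""
    areas = [path[0][0]] + [e[1] for e in path]
    first = next((i for i, e in enumerate(path) if e[3]), None)
    # Delay still ahead of the intruder once first detected, counting the
    # detecting barrier itself (assumes the sensor trips as work begins).
    remaining = sum(e[2] for e in path[first:]) if first is not None else 0
    return areas, first, first is not None and remaining >= RESPONSE_TIME


def sequence_table():
    """One row per entry/target path, mirroring one diagram per combination."""
    return [assess(p) for s in ENTRIES for t in TARGETS for p in paths(s, t)]


if __name__ == "__main__":
    for areas, first, ok in sequence_table():
        print(" -> ".join(areas), "| first detection at step", first,
              "| intercept before target:", ok)
```

With this constructed data, no path to the cash office leaves enough delay after first detection, and the side-window route to it is never detected at all, which is the kind of gap the diagrams are meant to expose.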
The next type of metric is the Vulnerability/Countermeasure Matrix.