What Kind of Information Do We Need to Evaluate to Determine Security Effectiveness?
Security managers need to know:
Asset Locations
People
Property
Proprietary information
Intrusions
—Where intrusions are possible
—Where intruders are likely to travel and where they can be delayed or interrupted
—Where intruders can be detected along the way to valuable assets
Direct attacks
—Where direct attacks from the perimeter can be conducted
Removals/misappropriations
—Where assets are readily available that can be stolen or misused
Countermeasures
Locations and types of countermeasures
—Entry control points
—Detection systems
—Assessment systems
—Delaying systems
—Evidence-gathering systems
—Response systems
a. Technologies
—Communications systems
—Guards
—Transportation
—Weapons
—Tactics
b. Functions
—Detect intrusion
—Verify intrusion
—Assess intentions
—Delay intrusion
—Intervene
—Defeat aggression
—Identify intruder
Probable effectiveness of countermeasures in addressing the type of vulnerability
—Detection
—Assessment
—Delaying
—Responding
a. Deterrence (e.g., patrols and intercom response)
b. Denial (delaying systems and respond and defeat force)
c. Containment (prevent the adversary from leaving with the asset)
d. Recovery (after the loss of the asset)
e. Observe and report
f. Respond and defeat