Physical Security Risk and Countermeasures: Information Requirements

What information does a security manager need in order to select countermeasures? Thomas Norman spells out the details.

Also see "What Kind of Metrics Can Help Us Analyze Security Program Effectiveness?" from the same chapter.

What Kind of Information Do We Need to Evaluate to Determine Security Effectiveness?

Security managers need to know:

    Asset Locations



    Proprietary information


    —Where intrusions are possible

    —Where intruders are likely to travel where they can be delayed or interrupted

    —Where intruders can be detected along the way to valuable assets

    Direct attacks

    —Where direct attacks from the perimeter can be conducted


    —Where assets are readily available that can be stolen or misused

    Countermeasures

    Locations and types of countermeasures

    —Entry control points

    —Detection systems

    —Assessment systems

    —Delaying systems

    —Evidence-gathering systems

    —Response systems

    a. Technologies

    —Communications systems





    b. Functions

    —Detect intrusion

    —Verify intrusion

    —Assess intentions

    —Delay intrusion


    —Defeat aggression

    —Identify intruder

    Vulnerabilities they can address (a matrix of vulnerabilities and countermeasures)

    Probable effectiveness of countermeasures in addressing the type of vulnerability





    a. Deterrence (e.g., patrols and intercom response)

    b. Denial (delaying systems and respond and defeat force)

    c. Containment (prevent the adversary from leaving with the asset)

    d. Recovery (after the loss of the asset)

    e. Observe and report

    f. Respond and defeat

    —Evidence gathering
    Remaining Vulnerabilities

    —Remaining percentage of vulnerabilities addressed inadequately by existing countermeasures

Copyright © 2010 IDG Communications, Inc.
