Archive for category Basic Concepts

Point of Diminishing Returns in Security Investments

Good security management practices require balancing the amount of money spent on security improvements with the level of security risk. While almost any security problem can be solved by spending enough money, it often does not make sense to do so. As in many other areas of business, there comes a point of “diminishing returns” in investments in security improvements. This is shown graphically in the chart below.

When you begin to improve security at a facility, there are many simple and inexpensive things that can be done. During the first stage of security improvement, you can do things such as create good security policies and procedures, conduct security awareness training for employees, and make simple improvements in physical security that can greatly enhance security with very little investment. Because of the ease with which security can be improved at minimal cost at this stage, it is often called the “low-hanging fruit” stage.

The second stage of security improvement often requires major capital investments or making commitments for significant ongoing security operating costs. This can involve things such as hiring an on-site security staff, installing card access control or video surveillance systems, or remodelling the lobby to better control the flow of visitors. These things can increase security significantly, but cost substantial money to install and maintain.

The final stage of security improvement is the most expensive. This stage usually involves making investments in things that increase security incrementally, but at a very great cost. This can involve installing biometric access devices, weapon screening equipment, biological agent detection systems, or blast resistant rooms. Often, only those facilities with the highest level of security risk can justify making these investments.

The key decision is determining when there is “enough” security and when you are about to pass the point of diminishing returns. Any investments made beyond this point won’t reduce your risk by any appreciable amount and are probably a waste of money.

A common mistake is for a facility owner to jump right to the second stage of security improvement without harvesting the “low-hanging fruit” available during the first stage. An example of this would be a facility manager who installs a video surveillance system before he has developed good security policies or provided adequate security training for his employees.

The critical factor in deciding what security investments to make is a good understanding of your specific security risks. Every security improvement made should be in direct response to one or more of your specific risks, starting with your highest priority risks, and working your way down to your lowest priority risks.

For example, if your risk assessment shows that the theft of trade secrets is your greatest risk, the greatest emphasis of your security program should be on protecting trade secrets. This could involve installing better filing cabinets, more effective shredders, or enforcing a clean-desk policy for employees. Installing cameras in the parking lots would not be an effective measure to offset this type of risk and should only be considered after your trade secrets risks have been mitigated.

Many facility owners make bad security investment decisions because they really don’t know what their security risks are or how to prioritize them. As a result, they spend a lot of money solving problems that are unimportant, and completely ignore problems that are critical. Formal Security Assessments are one way to properly identify and prioritize your security risks. Having a Security Assessment conducted is often the best first step in improving security at a facility and should be considered before making any substantial investments in security improvements.
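The prioritization described above can be sketched in code. This is an added example, not part of the original article: every dollar figure and percentage is constructed, and it assumes each control removes a fixed share of whatever expected loss remains for the one risk it addresses.

```python
# All figures are constructed for illustration; none come from the article.
RISKS = {  # expected annual loss per risk, in dollars
    "trade secret theft": 400_000,
    "parking lot vehicle crime": 20_000,
}
CONTROLS = [  # (name, risk addressed, annual cost, % of remaining loss removed)
    ("parking lot cameras", "parking lot vehicle crime", 60_000, 40),
    ("biometric access readers", "trade secret theft", 250_000, 10),
    ("locking file cabinets", "trade secret theft", 10_000, 25),
    ("better shredders", "trade secret theft", 5_000, 20),
    ("clean-desk policy", "trade secret theft", 2_000, 30),
]

def plan_investments(risks, controls, min_return=1.0):
    """Fund controls by loss avoided per dollar, stopping once the best
    remaining option avoids less than min_return dollars per dollar spent."""
    if any(cost <= 0 for _, _, cost, _ in controls):
        raise ValueError("every control needs a positive cost")
    residual = dict(risks)          # loss still expected for each risk
    remaining = list(controls)
    funded = []

    def loss_avoided_per_dollar(control):
        _, risk, cost, pct = control
        return residual[risk] * pct / 100 / cost

    while remaining:
        best = max(remaining, key=loss_avoided_per_dollar)
        if loss_avoided_per_dollar(best) < min_return:
            break                   # point of diminishing returns reached
        name, risk, cost, pct = best
        avoided = residual[risk] * pct // 100
        residual[risk] -= avoided
        funded.append((name, cost, avoided))
        remaining.remove(best)
    return funded, [c[0] for c in remaining], residual

if __name__ == "__main__":
    funded, rejected, residual = plan_investments(RISKS, CONTROLS)
    for name, cost, avoided in funded:
        print(f"fund   {name:26s} cost ${cost:>7,}  avoids ${avoided:>7,}/yr")
    for name in rejected:
        print(f"defer  {name}")
    print("residual expected loss:", residual)
```

With these sample numbers the three inexpensive trade-secret measures are funded first, and the cameras and biometric readers fall past the cut-off because each dollar spent on them avoids far less than a dollar of expected loss.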


Concentric Circles of Protection

An underlying principle for providing good security involves a concept called “Concentric Circles of Protection”, sometimes also called “Security in Depth”. This concept involves the use of multiple “rings” or “layers” of security. The first layer is located at the boundary of the site, and additional layers are provided as you move inward through the building toward the high-value assets.

Rather than placing full reliance on a single layer of defense, these layers require an intruder to penetrate a series of layers to reach his goal. The more layers that exist between the outside world and a high-value asset, the better the security. The Concentric Circles of Protection concept is similar to the “multiple lines of defense” strategy employed by many military planners.

This concept is illustrated in the diagram below. Please note that at the boundaries of each layer, those people who belong within the next layer can be separated from those who don’t belong. Also, at each boundary, there is an opportunity to deter, detect, and delay an intruder. This allows intruders attempting to penetrate the layer to be detected and intercepted with an appropriate security response.

The logic behind having multiple layers of security is simple: having multiple layers eliminates total reliance on any single layer and provides redundancy. For example, in the diagram above, an intruder who “tailgated” through an exterior door would need to breach two additional layers of security before he could reach the high-value asset. While the chances of breaching any single layer may be good, breaching three or more successive layers becomes exponentially more difficult.

The multiple layers concept also provides redundancy in case there is a breakdown in procedures. For example, an employee may fail to lock a valuable piece of equipment in a cabinet as per established procedures, but instead leaves the equipment lying out openly on a desk. If the employee’s office is locked, and access to the department is controlled, the equipment is still protected.

Conversely, if a janitor were to inadvertently leave an individual office door unlocked while cleaning, the valuable equipment would still be afforded some protection by the locked door that controls access into the department, and the secured cabinet in the office where the equipment is stored. Again, while the chance of a breakdown in any single procedure may be good, the chance of a breakdown in three or more successive procedures is considerably less likely.

An absolute minimum of three layers should exist between the outside world and any type of high-value asset, with five or more layers being desirable.

Basic Principles of Security Layers

  • Having multiple layers decreases the probability that the intruder will be able to gain access.
  • You can decrease the intruder’s chance of success by adding layers, or by increasing the effectiveness of each layer, or by doing both.
  • Relying on a single layer to provide security is almost never effective because it requires a level of perfection that is unattainable.
  • Simple procedures, such as the locking of file cabinets and offices, can provide additional security “layers” at little or no cost.
  • Employee security awareness can create an invisible, yet very effective, security “layer”.
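
The arithmetic behind these principles, as an added example that is not part of the original article: it assumes layers fail independently of one another, and the per-layer probabilities are constructed values rather than measurements.

```python
from math import prod

def breach_probability(layers):
    """Chance an intruder defeats every layer in turn (independent layers)."""
    if not layers:
        return 1.0  # no layers: nothing stands between intruder and asset
    if any(not 0.0 <= p <= 1.0 for p in layers):
        raise ValueError("each per-layer probability must be within [0, 1]")
    return prod(layers)

def with_breakdown(layers, failed_index):
    """Same site with one layer left open, e.g. an office door left unlocked."""
    degraded = list(layers)
    degraded[failed_index] = 1.0
    return breach_probability(degraded)

def layers_needed(per_layer, target):
    """Smallest count of identical layers whose compound chance is <= target."""
    if not (0.0 <= per_layer < 1.0 and 0.0 < target <= 1.0):
        raise ValueError("need 0 <= per_layer < 1 and 0 < target <= 1")
    count, chance = 0, 1.0
    while chance > target:
        chance *= per_layer
        count += 1
    return count

# Constructed site: exterior door, department door, locked cabinet.
SITE = [0.5, 0.5, 0.5]

def compare_options(site=SITE):
    """Compound breach chance for the options named in the principles list."""
    return {
        "single layer": breach_probability(site[:1]),
        "three layers": breach_probability(site),
        "add a fourth layer": breach_probability(site + [0.5]),
        "halve each layer's chance": breach_probability([p / 2 for p in site]),
        "both": breach_probability([p / 2 for p in site + [0.5]]),
        "three layers, one left open": with_breakdown(site, 1),
        "single layer, left open": with_breakdown(site[:1], 0),
    }

if __name__ == "__main__":
    for option, chance in compare_options().items():
        print(f"{option:30s} {chance:.4f}")
    print("layers needed for <= 5%:", layers_needed(0.5, 0.05))
```

The last two rows show the redundancy argument: one procedural breakdown doubles the intruder's chance at a three-layer site but leaves a single-layer site fully exposed.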