Physical Security: Best Practices
KeywordsSystem Control Diagnose Inference Treatment Professional Security zones
Best practice in physical security is the professional use of a systems approach, comprising accurate threat and risk assessments (diagnosis), an aligned protection strategy based on sound theory and security principles (inference), and a mitigation system (treatment) that fulfils operational requirements accordant with legislation, standards, and engineering practice to manage the protection of assets, information, and personnel from damage, loss, or unauthorized access against internal and external threats.
It is the duty, as a standard of care, for professionals to exercise diligence in their application of standardized expertise when carrying out work, where professional competence (duty) is judged against the state of knowledge that exists in the form of published methodologies, standards, codes, and research. Consequently, professionals should exercise their professional duty accordant with best practice in order to meet their duty of care obligations in the professional setting.
In considering the public and organizational duty to protect in a professional undertaking, the broad practice of physical security is what many citizens perceive when they consider or pursue day-to-day safety or security, being protected from harm or loss. Physical security includes engineered elements across the built environment that are designed to reduce threats or risks by controlling and managing spatial movement (Parker 2007, p. 233). Therefore, physical security aims to direct environmental control or influence over a defined space. For example, physical security includes protection of the grounds surrounding a facility, and its interior and contents (Fischer et al. 2008). Such control is achieved through the process of layers of physical manipulation measures to mitigate against threats or environmental design facets to reduce opportunistic deviance.
Given the broad usage and associated depth and complexity of physical security’s knowledge basis, it is problematic within the scope of this entry to singularly state what constitutes physical security best practices. Consequently, the entry submits that the best practices in physical security must be grounded in the professional application of a defined body of knowledge. All professionals are required to exercise the skill of an ordinary person within their profession when carrying out work. That is, they are bound to exercise due care, expertise, and diligence (Zipser 1999). The professional is deemed to hold both the knowledge (academic basis) and competence to use held knowledge in accordance with the average field practitioner. Competence is judged against the state of knowledge that exists at the time, recognizing that professional bodies of knowledge continue to advance. As Zipser stated, “the professional should be aware of developments which have entered the general corpus of knowledge relevant to their field” (Zipser 1999, p. 4).
Such competence is demonstrated through the conformity to common practice or norms encapsulated within the defined body of knowledge including where available, research findings, published codes, and standards. As such, the inclusive body of knowledge provides a platform for understanding best practice in physical security. A codified body of knowledge has been established for physical security (See Coole et al. 2018). Such codification had synergies with engineering and embodied a matrix of knowledge categories organized accordant to professional practice modalities, including diagnosing the security problem, inference to reach the optimal mitigation among many options, and finally, implementation of treatment. Therefore, the entry presents the notion of best practice in physical security through the modalities of a practice model. Such a model aligns the body of corpus in which professional duty is judged against the physical security professional tasks of diagnosis, inference, and treatment.
Structure and Application of Physical Security’s Knowledge
Modalities of physical security practice
Identify and articulate the problem/s
Risk context statement
Defining a mitigation solution from many options in articulating the Security Strategy
Defense in depth
Deter, detect, delay and response (D3R)
Protection in depth CPTED
Situational crime prevention
Codes and standards
Design, apply and maintain the physical Security Strategy
Barriers and control portals
Physical Security Diagnosis – The Problem
Regulatory environment – rules defined and controls directed by a body
Advisory environment – controls advised
Self-driven security environment – an industry or organization sets its own risk appetite
Security Risk Management
The professional task of diagnosis is undertaken as security risk management (see “Risk Management” entries in this encyclopedia), an underpinning activity for all security practice (Talbot and Jakeman 2009; Smith and Brooks 2013). Security risk management incorporates data generated from asset identification and evaluation, threat assessment (see “Threat Assessment” entry in this encyclopedia), security survey and vulnerability assessments, and risk assessment. Consequently, for security to be effective, it must target defined threats.
Informing threat are the theories of Routine Activity, Crime Pattern, and Rational Choice (see “Security Theories” entry in this encyclopedia). Routine Activity highlights how movement and activities of both potential offenders and victims relate to targets, motivated offenders, and an absence of guardians interact with intent and capability. Crime Pattern theory highlights the notion that crime fits patterns which can be understood (Lab 2014). Rational Choice theory, as risk management, is predicated on altering the cost benefit analysis of a rationally adversary (Clarke 1980).
For diagnosis, data is analyzed through the process of Security Risk Management, using assessment Standards (ISO 31000 2018; Risk Assessment ANSI/ASIS/RIMS RA-12015) or guidelines (Standards Australia ASHB167 2006). Such instruments are an aide memoire to ensure assessors consider all facts in a logical process; however, they do have limitations including likelihood ratings that are based on averages and biased by perception of probabilities, and consequences remain an estimated variable.
The art of diagnosis therefore lies in defining the real issue (problem). Consequently, best practice in physical security requires a thorough and documented diagnosis of the security risk problem, undertaken to ensure sound strategy can be directly aligned to threat and risk drivers. Diagnosis is communicated, usually in report format, which go by many names including risk context statement, detailing the key assets at risk, threat drivers, their consequential risk, and business case to protect, designating contextual degree of protection. Therefore, diagnosis is a clinical judgment that is guided by the presence and relevance of risk factors, historical, clinical, and potential management influences.
Physical Security Inference – The Security Strategy
Inference is focused towards establishing the functions of the protection plan (ASIS International’s Physical Security Principles 2015). Professional inference, as a process, may be achieved through excluding what has failed (exclusion) or constructing threat scenarios (construction) relevant to defined threat actors, aligning the mitigation body of knowledge into a systematic strategy. Inference aims to set the security strategy (approach) and operational objectives.
The modality of inference is the use of fused knowledge of security and crime prevention theories and principles along with relevant codes, standards, and guidelines that facilitate the conceptual mitigation of the security problem. The functions of physical security is defined as controlling space, which includes delay, observing an area, situation or event, detecting events, and having an appropriate response to situations. Consequently, it is through the process of professional inference that sound theory and best practice is further layered into physical security best practice.
Function and Components of Physical Security
Situational Crime Prevention. Sound theory embodies numerous theoretical frames including Situational Crime Prevention (SCP), a crime prevention framework of preemptive measures in asset protection. SCP recognizes offenders’ cost benefit choices and decisions in offending and presents a rubric of mitigation techniques. These include the objectives of increasing the effort to offend, increase the risks for offenders or reduce their rewards for offending. Such objectives are braced by prevention measures directed at highly specific forms of crime and involve the management, design, and manipulation of the immediate environment in a systematic and permanent way.
Systems Theory. Noting Situational Crime Prevention includes the systematic manipulation of the physical environment to achieve protection identifies another core theory of physical security, namely, Systems theory. Systems theory is salient within the physical security literature and therefore, of significance for defining best practice. As Underwood (1984, p. x) expressed, security should be designed, implemented, and managed as a system. Such thinking is based on Bertalanffy’s (1950) General Systems Theory, which premised that “there are principles which apply to systems in general, whatever the nature of their component elements, or of the relations or forces between them” (p. 139).
Within the physical security context, Garcia (2008) defined a system as an integrated collection of components or elements designed to achieve an objective according to plan. For example, the systematic plan for physical security is to interrupt and, where necessary, neutralize a malevolent adversary before they achieve their goal (Garcia 2008). Consequently, best practice embeds the principles of Systems theory into the protection solution.
Crime Prevention through Environmental Design. The systematic approach to physical security is also embedded into the theory of Crime Prevention through Environmental Design (CPTED). CPTED seeks to extend the notion of controlling people’s behavior through natural environmental design and management. The premise draws from both social and physical sciences (American Institute of Architects 2003, p. 40) and is a well-established framework for embedding security strategy into environmental architecture.
Jacobs (1961) contended surveillance provided by legitimate users facilitates the keeping of the peace based on an intricate, almost unconscious, interaction of voluntary and enforced controls and standards by the people themselves. Jacobs coined Eyes on the Street to achieve such surveillance. Later, Newman (1972) argued that residential environments can inhibit crime by creating the physical expression of a social fabric that defends itself. Newman (1972, p. 3) defined defensible space as a surrogate term for the range of mechanisms, real and symbolic barriers, strongly defined areas of influence, and improved opportunities for surveillance that combine to bring an environment under control of its residence.
Contemporary CPTED aims to achieve security through reducing opportunities for individuals to successfully engage in deviant behavior (Fennelly and Crowe 2013). CPTED aids the security strategy through using natural surveillance, natural access control, and territorial reinforcement measures, coupled with image maintenance to maintain an expression of defended space. These overlapping and interrelated concepts employ physical and spatial factors, including situational and architectural strategies to ensure environmental context is designed to deter crime while supporting the intended purpose of a space. In many town planning environments, CPTED is captured in jurisdictional Planning Codes and guidelines, and best practice in physical security embeds this theoretical framework into the physical security strategy.
Deterrence – psychological measures to deter offenders from deviant acts
Detection – means to alert that an unauthorized access is underway
Delay – physical means to retard progress of an unauthorized access
Response – means of interrupting and neutralizing an unauthorized access
Recovery – planned approach to reactivating during or after a realized event to return to a priori state
The Systems approach to Defense in Depth interrelates the functions of detect, delay, and response into an effective security system, referred to as a Physical Protection System (Garcia 2008).
Best practice also embeds well-established physical security principles. For instance, not all areas or protective contexts require the same level of physical security or complexity of system integration. Consequently, physical security strategy requirements are compartmentalized, based on the demarcation and division of space accordant with risk, generally referred to as security zoning. Security zoning holds that different levels of protective elements should be concentrated accordant with a cost benefit analysis based on risk. Diagnosis bounds the security assessment and such bounding is used to articulate the environmental limitations of the protection program, setting security zone that focuses the security strategy.
Balanced Protection . Best practice also embeds the principle of layers into the security strategy and includes protection in depth within Defense in Depth. This approach includes layering distinct security measures an adversary must defeat in sequence and considers the avoidance of single point failure in any protection plan (American Institute of Architects 2004, p. 11; Garcia 2008, p. 6; Williams 1981, p. 143), considered the “rings of protection” (Higgins 1989, p. 229).
Protection in depth incorporates the design philosophy of multiple detection, delay, and response capabilities (Williams 1981, p. 143; Garcia 2008, p. 6) that complement each other at each layer. Such an approach overcomes individual weaknesses and minimizes the consequences of individual component failure (Garcia 2008, pp. 5–6). The aim is to achieve what Wyss (2009) termed balanced protection, achieved when every scenario pathway into a protection environment presents the same level of difficulty.
Best practice within inference refers to setting the protection strategy and supporting operational objectives for the physical plan to achieve, documented as the security management plan. Such a plan is informed by the security risk context and directs the final design and commissioning of the physical security system and program. The security plan establishes the security zones and develops protection objectives to achieve a best practice principles framework within physical security’s body of knowledge.
Physical Security Treatment
Treatment constitutes how the security strategy is functionally achieved through the commissioned components of the physical system. Treatment functionally achieves the elements of Defense in Depth including deterrence, intrusion and tamper detection, physical delay, access control, surveillance, and response capabilities (Fennelly 2003; Garcia 2008; Williams 1981). Therefore, treatment draws on a security professional’s operational and technical (engineering) body of knowledge. These are applied to system variables as either human practices or individual situational controls, or environmental design measures or interrelated subsystems, combined as a complex physical security system.
In this context, treatment aims to commission the structural or operational components ensuring compliance with the regulatory framework, codes of practice, and other technical specifications to meet the operational objectives set in the inference phase. Such an approach also recognizes the hierarchical structure of complex engineering systems, in which subsystems are themselves comprised of components that are interrelated. At the treatment level, a physical security system constitutes an engineering solution interrelated accordant with scientific principles of analysis and synthesis to understand component and system efficacy.
Best practice applies components and subsystems that achieve the functions of physical security through their ability to collectively deter, or sequentially detect, delay, and respond against unauthorized actions. Treatment elements are evaluated using relevant codes, standards, and defined performance metrics. The use of and compliance with Codes and Standards is well supported in the security literature (See Atlas 1981; Craighead 2003). For example, Atlas (1981, p. 89) highlighted that codes are written as either performance or design specifications, identifying performance as statements of contextual achievement, for instance, delaying a defined attack type for a defined period, whereas design specifications establish building construction requirements, referencing particular material selection and methods of construction.
Therefore, best practices method in physical security treatment epitomizes the engineering design process, which includes project realization through system definition and modelling, environmental design, product design and selection, component evaluation, installation, integration, and commissioning based on established criteria. Collectively, these processes functionally achieve the security strategy, which must comply with the operational regulatory environment.
The technical subsystem of detection is the Intrusion Detection System (IDS), designed and commissioned accordant with established security zones (see “Intrusion Detection System” entry in this encyclopedia). The IDS is supported by other subsystems, such as active and passive electronic surveillance technologies for assessment and awareness purposes, lighting infrastructure and other security technologies. Also captured within the technological design component is the electronic communications system, which facilitates the linking of human operators and technical componentry. The performance measures for this subsystem draw on various codes and standards within a jurisdictional context, and probability theory calculated as the likelihood of threat detection.
Another technical subsystem of control is the Access Control System (ACS). ACS is used for controlling movement of people and objects, including portal entry and egress, credentials and barriers, and other delay components. Theoretical underpinnings include principles such as credentials that provide something you have (encoded key or card), know (identification code), or are (biometrics) (Smith and Brooks 2013, pp. 159–171).
The situational crime prevention measure or integrated engineered physical protection system are commissioned to facilitate an effective response against a defined threat. Garcia (2008) states this may include immediate on-site response or after the event recovery. Nevertheless, response relates to the performance measures set following diagnosis. The evaluation of on-site response is based on defined performance measures including the denial level and corresponding probability of interrupting and, where necessary, neutralizing the defined threat. Jurisdictional legal frameworks will guide the setting of response standards and therefore, best practice; however, all response behaviors lie on a continuum. Response must be legal and as a minimum considered against a reasonably foreseeable defined threat but may also include extraordinary events.
Modelling Physical Security Best Practice Treatment
Best practices in physical security treatment involve systems modelling, which seeks to develop a simplified, idealized representation that mimics the behavior of the real system to an acceptable level of accuracy (Dandy et al. 2018). Modelling may occur for individual treatment measures or for a large-scale physical protection system, with a focus on evaluation of effectiveness against a defined threat.
Garcia’s (2008) publication of the Estimate of Adversary Sequence Interruption (EASI) model for physical security system evaluation highlighted this view into the idea of best practices for physical security. EASI represents a deterministic system, aiming to achieve the same outcome consistently and drawing on probability theory. Such mathematical modelling studies the behavior of existing systems or proposed systems to identify a system state and possible improvements (Dandy et al. 2018).
Physical Security System Management
The physical security strategy is commissioned compliant with performance or technical specifications in a manner that meets operational objectives; nevertheless, it must be managed and maintained as a system. Therefore, best practices would have physical security managed as a system, based on the efficacy of its objectives being to deter, detect, delay, and respond against defined threats. Consequently, once individual security elements have been systematically commissioned, the measurable processes that ensure efficacy need to be maintained at their commissioning levels. As such, best practice in physical security must also include system decay theory (Coole 2010).
Best practices in physical security draw on its body of knowledge (academic basis) to diagnose the security problem, infer to set the protection strategy and operational objectives, and treat to achieve optimal mitigation with physical components that comply with relevant codes, standards, and guidelines. Diagnosis commences with a threat assessment of adversary groups or individuals, their intent, and capability. Then, a vulnerability assessment ensures that the system is threat driven, supported by risk assessment to understand the significance of the threat within the defined context.
Inference sets the physical security strategy, which demarcates and divides space into security zones of protection, sets the level of protection across these zones based on risk (consequences), and establishes system performance measures. Such a security strategy is realized through treatment, where the engineering design process defines the operational standards, facilitates the design and selection of components, their installation and integration, and ultimately their commissioning. However, consistent with decay theory, the system must be managed as an open system, where decay is identified and counted to maintain the security systems commissioned state or updated accordant with the changing threat environment. The benefits for professionals in undertaking their occupational work accordant with best practice is that they will mitigate the threats which pose a risk to the best of their ability within the corpus of knowledge available at that time; therefore, meeting reasonable care requirements under their professional duty obligations.
- American Institute of Architects. (2003). Security planning and design: A guide for architects and building design professionals. Hoboken: Wiley.Google Scholar
- ASIS International. (2015). Physical security principles. Alexandria: ASIS International.Google Scholar
- Coole, M. P. (2010). Theory of entropic security decay: The gradual degradation in effectiveness of commissioned security systems. Masters of Science, Edith Cowan University.Google Scholar
- Craighead, G. (2003). High-rise security and fire life safety (2nd ed.). Woburn: Butterworth-Heinemann.Google Scholar
- Dandy, G., Daniell, T., Foley, B., & Warner, R. (2018). Planning and design of engineering systems (3rd ed.). Boca Raton: CRC Press.Google Scholar
- Fennelly, L. J. (2003). Effective physical security (4th ed.). Waltham: Butterworth-Heinemann.Google Scholar
- Fennelly, L. J., & Crowe, T. (2013). Crime prevention through environmental design (3rd ed.). Oxford: Elsevier Science & Technology.Google Scholar
- Fischer, R. J., Halibozek, E., & Green, G. (2008). Introduction to security (8th ed.). Burlington: Butterworth-Heinemann.Google Scholar
- Higgins, C. E. (1989). Utility security operations management: For gas, water, electric and nuclear utilities. Illinois: Charles C Thomas Publisher.Google Scholar
- ISO. (2018). ISO 31000 risk management – guidelines. Geneva: International Organization for Standardization.Google Scholar
- Jacobs, J. (1961). The death and life of great American cities. New York: Modern Library.Google Scholar
- Lab, S. P. (2014). Crime prevention: Approaches, practices and evaluations (8th ed.). Waltham: Elsevier.Google Scholar
- Newman, O. (1972). Defensible space: People and design in the violent city. London: Architectual Press.Google Scholar
- Parker, M. (Ed.). (2007). Dynamic security: The democratic therapeutic community in prison. London: Jessica Kingsley.Google Scholar
- Sennewald, C. A. (2013). Security consulting (4th ed.). Waltham: Butterworth-Heinemann.Google Scholar
- Smith, C. L. (2003). Understanding concepts in the defence in depth strategy. School of Engineering and Mathematics. Edith Cowan University, Perth.Google Scholar
- Smith, C. L., & Brooks, D. J. (2013). Security science: The theory and practice of security. Burlington: Butterworth-Heinemann.Google Scholar
- Standards Australia. (2006). AS/NZS HB167, security risk management. Canberra: Standards Australia.Google Scholar
- Talbot, J., & Jakeman, M. (2009). Guide to SRMBOK physical security specifications and postures. Canberra: Jakeman Business Solutions.Google Scholar
- The American Institute of Architects. (2004). Security Planning and Design: A guide for architects and building design professionals. Hoboken, NJ: John Wiley & Sons.Google Scholar
- Underwood, G. (1984). The security of buildings. London: Butterworths.Google Scholar
- Wyss, G. D. (2009). Quantifying the degree of balance in physical protection systems. Presented at the INMM 50th annual conference, Tucson, AZ: U.S. Deptartment of Energy.Google Scholar
- Zipser, B. (1999). Professionals and the standard of care. Torts Law Journal, 7(2), 167.Google Scholar
- ASIS International. (2009). Facilities physical security measures guideline. Alexandria: ASIS International.Google Scholar
- Attorney-General’s Department. (2015). Physical security management guidelines: Security zones and risk mitigation control measures. Barton: Australian Government.Google Scholar
- O’Shea, L. S., & Awwad-Rafferty, R. (2009). Design and security in the built environment. New York: Fairchild Books.Google Scholar