Table of Contents
Journal of Physical Security, Volume 12(3), 2019
Available at http://jps.rbsekurity.com
Editor’s Comments, pages i-v
C Holder, “Automatic Vehicle Gate Systems Design”, pages 1-3
JT Jackson, “3D Magnetometer Array Replaces Traditional Balanced Magnetic Switch”, pages 4-14
I Urhuogo-Idierukevbe, A Addo, TL Anderson, and FM Khan, “Physical Security Best Practices”, pages 15-29
RG Johnston, “Design Reviews Versus Vulnerability Assessments for Physical Security”, pages 30-32
-
Journal of Physical Security 12(3), i-v (2019)
Editor’s Comments
Welcome to volume 12, issue 3 of the Journal of Physical Security (JPS). In addition to the usual editor’s rants and news about security that appear immediately below, this issue has papers about automatic vehicle security gates, 3D magnetometer arrays as a more secure replacement for BMS, best practices in physical security, and design reviews vs. vulnerability assessments.
All papers are anonymously peer reviewed unless otherwise noted. We are very grateful indeed to the reviewers who contribute their time and expertise to advance our understanding of security without receiving recognition or compensation. This is the true sign of a professional!
Past issues of JPS are available at http://jps.rbsekurity.com, and you can also sign up there to be notified by email when a new issue becomes available. A cumulative table of contents for the years 2004 through March 2019 is available at http://rbsekurity.com/JPSArchives/grand_jps_TOC.pdf
JPS is hosted by Right Brain Sekurity (RBS) as a free public service. RBS is a small company devoted to physical security consulting, vulnerability assessments, and R&D. (http://rbsekurity.com)
As usual, the views expressed in these papers and the editor’s comments are those of the author(s) and should not necessarily be ascribed to their home institution(s) or to Right Brain Sekurity.
*****
Don’t Pass Along the Boarding Pass
Don’t leave your boarding pass on the plane after the flight! It contains a lot of personal information. See https://www.huffingtonpost.ca/entry/hackers-boarding-pass-data_l_5de95730e4b00149f73d9ce3
*****
2020 Vision
Be careful dating checks and documents in this way: 1/15/20. It makes things easier for bad guys to re-date as “1/15/2000” or “1/15/2021”. See https://www.usatoday.com/story/news/nation/2020/01/02/do-not-abbreviate-year-2020-in-date/2795857001/
*****
Campus Security & Safety
Check out this webpage for some informative examples of campus safety and security blunders by hospitals, schools, and universities: https://www.campussafetymagazine.com/safety/ridiculous-campus-security-mistakes/
On a related note, I recently examined some issues of the Journal of Healthcare Protection Management, and was reminded what a useful resource it is for security. See https://www.iahss.org/page/Journal
*****
Secret Service Study
The new Secret Service report on school violence is well done and definitely worth a look and consideration: https://www.secretservice.gov/data/protection/ntac/usss-analysis-of-targeted-school-violence.pdf
*****
Jewel Heist
Crooks got away with robbery of the Grünes Gewölbe Museum in Dresden. Most or all of the loot will probably never be recovered: https://www.nbcnews.com/news/world/german-jewel-heist-thieves-walked-49-carat-diamond-authorities-confirm-n1092971
*****
Mission Creep
A security guard apparently attempted to break up an on-field fight during an Australian Rules Football game in Tasmania and was much ridiculed: https://www.foxsports.com.au/afl/afl-2019-vision-emerges-of-security-guard-stepping-onto-blundstone-arena-about-to-break-up-onfield-tussle/news-story/0497f44b6c3c1e121d6868072a47d4a0
*****
Freedom Declines
Freedom House’s annual report on the state of freedom in the world notes that 68 countries experienced a decline in political rights and civil liberties, while only 50 countries gained. In 2019, law enforcement in 47 countries arrested citizens for posting political, social, or religious speech online. See https://freedomhouse.org/report/freedom-world/freedom-world-2019
*****
New Technology
This article in Forbes is worth pondering if you are considering incorporating new security technology into your Enterprise Security: https://www.forbes.com/sites/forbestechcouncil/2019/10/10/eight-key-questions-to-consider-before-adding-new-tech-in-your-organization/#56c38d3428b9
*****
Real-ID
I recently had to renew my driver’s license and get the new federal “REAL ID”. (See https://www.dhs.gov/real-id) The amount of documentation and personal information that has to be provided is truly onerous. (I got tripped up on my underwear size.) After nearly 2 hours of waiting in various lines at the Motor Vehicle Department, I did get through the process. This particular piece of insane Security Theater from DHS Keystone Kops goes against the entire purpose of Security Theater. Security Theater is supposed to have “feel good” attributes, and to be less work and less painful for citizens and/or government officials than Real Security. None of these things are true for REAL ID Security Theater.
*****
Not So Smart After All
Computer scientists are struggling to deal with how easily Artificial Intelligence (AI) systems can be spoofed: https://www.npr.org/2019/09/18/762046356/u-s-military-researchers-work-to-fix-easily-fooled-ai
Nothing surprising here. High-tech is typically easy to spoof, even with low-tech methods.
*****
Wandering DNA
A man with leukemia had a bone marrow transplant, just as tens of thousands of patients do each year for a variety of medical ailments. It turns out that the donor’s DNA traveled all throughout his body, creating real issues for using DNA forensics to solve crimes. See https://www.nytimes.com/2019/12/07/us/dna-bone-marrow-transplant-crime-lab.html
*****
SOS for SMS
Popular Mechanics had a good article on SMS texting and why it is not secure. See “How SMS Works and Why You Shouldn’t Use It Anymore”, https://www.popularmechanics.com/technology/security/a29789903/what-is-sms/
*****
Cyber Security Blunders
Check out this website that lists the year’s most absurd and inept cyber security blunders: https://portswigger.net/daily-swig/the-year-in-stupidsecurity-2019s-biggest-security-and-privacy-blunders
*****
Beautiful Security
Artist Addie Wagenknecht has created some brilliant videos teaching women about online security while offering facetious beauty and makeup tips. See https://www.fastcompany.com/90301667/youtubes-best-beauty-tutorials-dont-teach-you-anything-about-makeup
*****
Security for Show
The TV show The Masked Singer, which even the host calls “the most ridiculous show on television” reportedly deploys serious security to protect the identity of the mystery singers: https://www.smh.com.au/culture/tv-and-radio/it-s-tv-s-silliest-show-but-its-extreme-security-measures-are-no-joke-20190927-p52vjx.html
It’s good to see people getting security right when it really matters!
*****
The Level of Sophistication of Many Seal Users
When the young mother returned from the grocery store, her 7-year-old son pulled out the box of animal crackers he had begged for. He spread the animal-shaped crackers all over the kitchen table and examined each one closely. “What are you doing?” his mom asked. “The box says you can’t eat them if the seal is broken,” the boy explained, “So I’m looking for the seal.”
*****
-- Roger Johnston
Oswego, Illinois
December 2019
-
Journal of Physical Security 12(3), 1-3 (2019)
Viewpoint Paper
Automatic Vehicle Gate Systems Design
Cliff Holder, PSP Certified Automatic Gate Systems Designer
Automatic Systems
Over the last 16 years of designing and installing automated vehicle gate entry systems, I’ve seen a wide variety of design mistakes. These mistakes can cost property owners a lot in wasted time and money when the system does not work as planned. The mistakes contributed to user and owner frustration and dissatisfaction. In many instances, these mistakes have made vulnerable the very things the systems were designed to protect.
It is important to remember that a vehicle entry point is a “hole in your fence line (or perimeter security)” but it should not be your weakest spot.
Here are five of the most common vehicle gate design mistakes I see, and how to best avoid them:
1. Choosing the wrong gate for the application. Like any security project, selection of the right product is critical to ensure the product meets your security requirements. One of the first things I tell everyone is, “don’t cut and paste specifications.” Just because one type of gate worked well on a previous project does not necessarily mean it will be the right product on your next project.
Remember that even if your roadway is 30 feet wide, you may not need a 30 foot gate. Evaluating the types of vehicles, approach and turning radius and other factors, you may require only a 15 foot wide system. The longer a gate is open, the longer your facility is exposed to risks.
Best practice: Conduct a Threat and Risk Assessment (TRA) and understand the risks to the type of facility and know the security objectives of the project. Seek an industry expert to be educated on the many types of gates on the market today, and learn about the advantages/disadvantages of each. Never get “sold” by the next cool looking product you see at a trade show.
2. Guessing about the number of vehicles that will use the gate each day. Many people make an “educated guess” on the number of vehicles entering/leaving each day. Often, this results in the wrong automated gate system being used for the application. A system that is designed more for a residential home but put into a commercial application may not be capable of the increased daily cycles, which will result in potential higher maintenance costs and/or shorter product life span. It may have a lower capital cost, but Total Cost of Ownership (TCO) could be many times more.
Best practice: Install a vehicle counter for three weeks to get an accurate view of expected daily cycles and you will see the peak traffic times which can affect traffic flow, especially if you are planning to cycle the gate for each vehicle.
3. Placing the pedestal in relation to the gate. Sounds simple, right? Pedestals provide a mounting solution for your access control devices, such as card readers, intercoms, keypads and security cameras. Allowance needs to be considered for the types of vehicles using the system. You also need to consider the weather conditions (the “skid factor,” as I call it), since snow or ice conditions can cause problems. Also, consider if the pedestal will be dual height or single height. Placement is critical so that a driver can pull up parallel beside the device and reach it easily from the vehicle.
Best practice: By placing the pedestals directly perpendicular to the gate, and at a distance allowing for the types of vehicles using the gate, a driver will find it easy to use, and the risk of damage to the gate is reduced. It is always important to install bollards to protect your pedestals and the gate. Note - a typical concrete filled bollard is not crash rated. You may wish to invest in tested bollards to protect your investment from accidental damage – it will be your cheapest and best insurance ever.
4. Not calculating how the gate will impact traffic. The installation of an automated gate will, by design, create traffic flow issues. Will the opening/closing for each vehicle create line ups of traffic either inside or outside the property? Proper design must ensure that traffic is not backing up onto a public road when accessing the property.
Best practice: By knowing the number of cycles expected per day, and identifying if there are peak traffic times, you’ll have the best idea how to determine the correct type of automated vehicle gate system for the project. Review the actual planned locations and see if the gate can be set further into the property. A small time investment is to set up a series of traffic cones, identifying the planned location of the gate and then monitor to see how drivers maneuver through them. If the cones are continually hit, the location may not be best. Allow for turning radius of vehicles on both sides of the gate. Sometimes existing tire tracks on the ground show how vehicles approach and pass through the area. Tracks in snow are even more effective as you can see below!
5. Failing to consider how visitors will access a gated property. Due to liability and security issues, it’s a must to design the access in ways to prevent pedestrian access through any automated gate. Always provide a dedicated pedestrian entry portal, such as a full height turnstile, if parking is outside of the facility.
Best practice: Good directional signage showing parking for visitors will help reduce the risk of pedestrian access through an automated gate. Signage also helps prevent the bottleneck at the gate location of the “lost driver” slowing down entry for approved drivers. If access for visitor vehicles is allowed through an unmanned gate, provide advance information to them via an email with instructions and the location of the intercom to announce themselves when they arrive.
In summary, there is more to a vehicle gate project than meets the eye. A line on a drawing, “Automated Gate - TYP”, can provide no performance or specification criteria, which, in a bidding environment, will leave the end user with a system that may not meet their needs or security objective. The result can be costly retrofit projects.
These are just some of the most common automatic gate system design mistakes I have seen, and some of the countermeasures I can suggest. There are other considerations on these projects, and I am always pleased to provide advice if you are planning a gate project.
About the Author
Cliff Holder is a Regional Sales Manager for Automatic Systems. He can be contacted on LinkedIn or at [email protected].
-
Journal of Physical Security 12(3), 4-14 (2019)
3D Magnetometer Array Replaces Traditional Balanced Magnetic Switch
John T. Jackson, Jr., MS
Jackson Research
www.jrmagnetics.com
Abstract
The Balanced Magnetic Switch (BMS) developed and fielded for high-security applications was rendered problematic by the development of a previously demonstrated Trivial Defeat Method. Several attempts to salvage the technology by employing very large actuator magnets and UL634 Class II certification have also failed. The problem is that the glass reed array and other related technologies cannot distinguish one magnet from another. To counter this, a 3D magnetometer array with algorithms related to facial recognition algorithms and some Digital Signal Processing (DSP) is required. A new type of technology is presented here that replaces the obsolete BMS with a new magnetometer array approach that recognizes unique, complex magnetic fields.
Introduction
It is necessary to update the history of the Balanced Magnetic Switch presented previously.[1] In my view, the traditional Balanced Magnetic Switch (BMS) is not just obsolete, but actually a security risk. The next step for improving magnetic security sensors is a 3D Magnetometer Array employing embedded smart algorithms analogous to state-of-the-art facial recognition algorithms using modern Digital Signal Processing (DSP). This new technology employs Artificial Intelligence (AI) to observe, interpret the magnetic field shape, and detect attempted tampering or spoofing. It is ideal for use with encrypted, high-security RS485 serial networks.
History
Figure 1 shows a single classical glass reed magnetic contact switch mounted on a steel door. Clearly, a single permanent magnet can be attached to the switch, which would go largely unnoticed, and defeat the sensor. There are numerous other examples, some of which include defeating single magnetic contacts similar to this one through window glass from the outside. This is why the Balanced Magnetic Switch (BMS) was invented by Holce [2] in the first place as a better approach. A more detailed historical account can be found in reference [1].
Figure 1: Classical Glass Reed Magnetic Contact Installation
My 1997 BMS patent [3] was the first device to get around the Holce patent, and it met the Federal Specification [4] that had been written around the Holce switch. Those original US government specifications remain unchanged to this day. An example device is the black Securitron BMS shown in figure 2. A few years later, the Holce patent ran out and several other companies introduced clones or similar implementations. The Honeywell switch also shown in Figure 2 is one of the first examples of these. They are based on the same underlying principle: triple biased glass reeds. They are all vulnerable to the defeat keys that I have been selling as “Defeat Sticks”.[1]
Several companies created BMS type sensors based upon Hall effect magnetic sensors. In every case, they were using either Hall switches with fixed trip points or analog devices in combination with comparators at fixed trip points. This is just a different means of doing the same thing as the glass reed. It is the same operational paradigm, just employing a different type of sensor. The Hall devices are actually directional, which offered some advantage, but failed to resist the “Trivial Defeat Test” [1]. Any sensor technology placed in three locations to detect a specific absolute magnetic potential field can always be triggered by an infinite number of actuator permanent magnets. At that time, supplying 12 volts power to any kind of sensor device at the door was operationally problematic.
There are many assembly and operational problems associated with glass reed technology. It is banned for US military equipment and all satellites. Something more robust and less fragile was required. A new type of BMS was needed that avoided conventional Hall effect sensors.
This new approach is documented in references [5] and [6], and culminated in several novel patented types of magnetic contact switches and corresponding BMS. It was more resistant to the Trivial Defeat, but still had one fatal flaw—it was still working with the same operational paradigm. Much later I would discover how to defeat this device using very thin neodymium permanent magnets in an upgraded version of Defeat Stick for enhanced Trivial Defeat.
Figure 1: Classical Balanced Magnetic Switches (BMS)
Another company developed their own version of this design and eventually discovered that their BMS was also vulnerable to the Trivial Defeat. To deal with this problem, they made the actuator magnet so large that an adversary would have trouble finding a smaller magnet that could fit in the air gap using existing permanent magnet materials. This design was incorporated into the UL634 Class II specification [20] but only a slightly different approach was needed to defeat even this apparatus.
Trivial Defeat of UL634 Class II High Security Switches
All magnetic contacts of whatsoever type can be defeated by the Trivial Means. The problem is that all magnetic contacts are potential comparators that measure the absolute value of the magnetic field. There are an infinite number of permanent magnets that can create the required field strength to activate the magnetic contact. This attack reroutes the neodymium permanent magnetic field through a high permeability shunt, 1018 iron, into the gap.
The idea that UL634 Class II devices cannot be defeated only needs one example to render it invalid. Figure 3 demonstrates a successful attack. The photo shows a green light on the alarm status meter indicating a safe or secure alarm state. The VOM meter verifies the indication. Obviously, the large defeat magnet used is inconvenient, but clearly demonstrates the feasibility of creating a regular defeat tool.
The actuator magnet housing used in the device is the same size as the switch housing, shown in figure 3. The neodymium magnet inside is huge. The radiated magnetic field is likewise quite intense. Several problems arise due to this excessively large actuator magnet. Metal doors and frames are particularly problematic for this type of device. Mounting it creates forces capable of causing serious injury to the installer’s hands because of the strong magnetic attraction between the actuator and the ferromagnetic door material. Moreover, the strong magnetic field between the door-mounted actuator and the metal door casing may require excessive force to open the door and may cause the door to slam shut when releasing the door handle, or else require a strong, deliberate push to close the door when the actuator magnet attempts to latch onto the metal door casing.
The radiated field of such large magnets may violate EU regulations regarding radiated static magnetic fields, depicted in figure 5. The Gauss Meter Android app downloaded from Google Play Store to a smartphone is shown in figure 4. The app easily measures static radiated magnetic fields. The magnet actuator associated with the switch shown in figure 3 radiates a field in excess of the minimum field strength regulation at chest level and exceeds it several times at head level when standing near a wooden door installation.
Figure 2: Trivial Defeat of a UL634 Class II Device
The UL634 Class II standard requires excessively large actuator magnets to meet the standard. This creates other problems and does not mitigate the Trivial Defeat issue.
The 3D Magnetometer Array
Countering the Trivial Defeat requires a new sensor paradigm. It is helpful to create a sensor that can see the shape of a magnetic field and distinguish between magnets uniquely, much like facial recognition algorithms. This leads to a device where only one unique permanent magnet actuator can operate the sensor. Exactly identical copies of this magnet actuator assembly can operate the sensor, but nothing else. This can only be achieved if an array of magnetometers is used to measure the 3D field shape in real time. It is analogous to using biometrics, such as a fingerprint.
Figure 3: EU Radiated Electric and Magnetic Field Regulations
Figure 6 shows a typical BMS actuator magnet assembly magnetic field. It is the classical triple bias type of field used to prevent the use of a single magnet to trick the traditional triple balanced sensor. The field plot is generated by an FEM magnetics program and takes a slice out of the middle of the actuator. Different permanent magnet assemblies may resemble the shape of the field and present the correct absolute value of magnetic potential field to the traditional BMS sensors from a different physical position, such as the air gap between the BMS and the actuator, but not to a properly constructed magnetometer array.
Every unique assembly of permanent magnets generates a unique 3D vector field.[7] Orientation and material type will determine the shape of the field, distinguishing it uniquely from every other assembly. Figure 7 is an example of a specific combination of permanent magnets and the 3D field that it generates. Making every actuator magnet assembly unique, like a password, is not necessary. A duplicate actuator would have to be placed in exactly the same position as the original, which means the door must be open and cannot be closed without a momentary disruption for this to work.
Building unique permanent magnet actuators, like a password, can be achieved as a practical matter with this technology. The intruder would need an exact duplicate of the actuator that would only work when the door is open. But, for most installations, this is excessive. Only in rare special cases should anything like that be contemplated for security switch design.
One previous application of the unique field concept was as a means to protect containers from tampering.[7] In stark contrast to a security switch design, where the details of the magnet structure and the sensor types and positions are well known in advance, this approach relies upon complex placement and orientation of magnets and arbitrary placement of a sensor. The position of the sensor and the magnitude of the vector field at that point must be transmitted separately.
Figure 4: Cross Section Magnetic Field Plot of Typical BMS Actuator
Figure 5: 3D Magnetic Field Lines Plot
An example of an actual 3D magnetometer array mounted on a PCB is shown in figure 8. This magnetometer array uses the High Security Sensor shown in Figure 9. This array includes a three axis sensor matrix with a DSP MCU on the bottom of the board (not shown). The three-axis sensor provides the measurement of the vectors at 9 physical locations of a matrix composed of x, y, and z vector components. As a practical matter, this is typically adequate to define a 3D magnetic field uniquely. As long as we are within the sphere of influence of the magnetometer sensor array and permanent magnet actuator, the magnetic field will always be uniquely defined. This is in strong contrast to various facial recognition algorithms.
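The contrast between a comparator on absolute field value and a match against a recorded 9 x 3 vector field can be made concrete in C. This is an added example, not the author's firmware: the field values are constructed, and the thresholds, the comparator positions, the function names, and the choice of normalised correlation plus per-sensor residual as the matching test are assumptions.

```c
/* Added example, not the author's firmware. Field values are constructed and
   in arbitrary units; thresholds and comparator positions are assumptions. */
#include <stddef.h>
#include <stdio.h>

#define N_SENSORS 9                     /* 3x3 array, as in the text */
#define N_AXES    3                     /* x, y, z at each location */
#define N_VALUES  (N_SENSORS * N_AXES)

typedef enum { FIELD_ABSENT, FIELD_MATCH, FIELD_ABERRATION } verdict_t;

/* Enrolled reference field, one x,y,z triple per sensor (constructed). */
static const double TEMPLATE[N_VALUES] = {
     3.0,  1.0, 2.0,    0.0,  2.0, 4.0,   -3.0,  1.0, 2.0,
     2.0,  0.0, 5.0,    0.0,  0.0, 6.0,   -2.0,  0.0, 5.0,
     3.0, -1.0, 2.0,    0.0, -2.0, 4.0,   -3.0, -1.0, 2.0,
};

static double dot3(const double *a, const double *b) {
    return a[0] * b[0] + a[1] * b[1] + a[2] * b[2];
}

/* Simplified model of the classical paradigm: three positions, each a
   comparator on the absolute field value. Squared magnitudes avoid sqrt. */
int legacy_comparator_secure(const double *m) {
    static const size_t pos[3] = {1, 4, 7};   /* assumed sensing positions */
    for (size_t k = 0; k < 3; k++) {
        const double *t = &TEMPLATE[pos[k] * N_AXES];
        const double *v = &m[pos[k] * N_AXES];
        double ref = dot3(t, t), got = dot3(v, v);
        /* trip window: |B| within +/-15 % of nominal, i.e. 0.85^2..1.15^2 */
        if (got < 0.7225 * ref || got > 1.3225 * ref) return 0;
    }
    return 1;
}

/* Vector-field check over all 27 components: the reading must have the
   enrolled shape (normalised correlation) and the enrolled vector at every
   sensor (residual), otherwise it is reported as an aberration. */
verdict_t field_verdict(const double *m) {
    const double presence_floor_sq = 1.0;  /* weaker: actuator not present */
    const double min_cos = 0.98;
    const double max_resid_sq = 0.25;      /* 0.5 units per sensor */
    double tt = 0.0, mm = 0.0, tm = 0.0, worst = 0.0;

    for (size_t i = 0; i < N_SENSORS; i++) {
        const double *t = &TEMPLATE[i * N_AXES];
        const double *v = &m[i * N_AXES];
        double d[N_AXES] = { v[0] - t[0], v[1] - t[1], v[2] - t[2] };
        double r = dot3(d, d);
        if (r > worst) worst = r;
        tt += dot3(t, t);
        mm += dot3(v, v);
        tm += dot3(t, v);
    }
    if (mm < presence_floor_sq) return FIELD_ABSENT;
    /* cos >= min_cos  <=>  tm > 0 and tm^2 >= min_cos^2 * tt * mm */
    int shape_ok = tm > 0.0 && tm * tm >= min_cos * min_cos * tt * mm;
    return (shape_ok && worst <= max_resid_sq) ? FIELD_MATCH : FIELD_ABERRATION;
}

/* Constructed readings. */
void reading_genuine(double *out) {        /* enrolled actuator, +/-0.1 noise */
    for (size_t i = 0; i < N_VALUES; i++)
        out[i] = TEMPLATE[i] + ((i % 2) ? 0.1 : -0.1);
}

void reading_same_magnitude(double *out) { /* same |B| per sensor, axes permuted */
    for (size_t i = 0; i < N_SENSORS; i++) {
        const double *t = &TEMPLATE[i * N_AXES];
        out[i * N_AXES + 0] = t[2];
        out[i * N_AXES + 1] = t[0];
        out[i * N_AXES + 2] = t[1];
    }
}

void reading_scaled(double *out, double k) { /* same shape, other strength */
    for (size_t i = 0; i < N_VALUES; i++) out[i] = k * TEMPLATE[i];
}

static void report(const char *label, const double *r) {
    static const char *name[] = { "absent", "match", "aberration" };
    printf("%-15s legacy=%d array=%s\n", label,
           legacy_comparator_secure(r), name[field_verdict(r)]);
}

int main(void) {
    double r[N_VALUES];
    reading_genuine(r);        report("genuine", r);
    reading_same_magnitude(r); report("same magnitude", r);
    reading_scaled(r, 1.1);    report("scaled x1.1", r);
    reading_scaled(r, 0.0);    report("door open", r);
    return 0;
}
```

The scaled reading is included because correlation alone accepts any field of the enrolled shape regardless of strength; the per-sensor residual is what rejects it.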
Facial Recognition Algorithms
In virtual reality construction software, ray optics are used to create unique reflections and shadows within a scene composed of 3D objects and convert the scene to a flat 2D image. Facial recognition algorithms attempt to reconstruct the 3D shape from the reflections and shadows in a 2D photograph, which is the reverse of the ray optics construct. The reverse does not always yield reliable or functionally unique results. This process uses one flat 2D image which it compares to another flat 2D image. This method of 3D object reconstruction does not necessarily yield reliable results. That is why the US government solicits for new more reliable algorithms with higher match statistics.
Figure 10: Facial Recognition Algorithms.
With a 3D magnetometer sensor array, we are measuring a 3D vector field directly, and comparing it to previously recorded 3D vector field measurements. This eliminates much of the algorithmic calculations since there is nothing to reconstruct. The unique 3D vector field is already defined. The problem is reduced to assuring that the 3D measured field matches the stored 3D field uniquely. These are, nevertheless, nontrivial calculations which must be performed in real time. There is also finite analog-to-digital (A/D) conversion time and storage access time, in addition to computation time to make the algorithmic comparisons. The AI must decide if there has been any tampering by examining field aberrations.
Comparing the Classical BMS to the 3D Magnetometer
The classical BMS was adequate before the new rare earth magnets became available and fit the technological era in which it was developed. It was more secure than the single magnetic contacts that are still used today. Nowadays, however, the BMS Method can no longer be considered substantially more secure than a single magnetic contact.
Some of the potential advantages of the 3D Magnetometer approach compared to the classical BMS approach include substantially better security, fewer Make or Break failures (such as contact sticking), and potentially lower false alarm rates from shock, vibration, or electromagnetic interference (such as lightning). Law enforcement should be particularly interested in the false alarm reduction rate.
Note that all classical BMS and high security switches use electrical contacts. The original BMS [2] and its subsequent competition [3] used glass reed magnetic contacts, which are a subclass of electrical contacts. Later versions of BMS used novel magnetic contacts based upon permanent magnets [5] that became part of the electrical contact. But, in all cases, electrical contacts have been used exclusively until recent years, when Hall sensors have been substituted for the electrical contacts.[8]
The problem with electrical contacts is wear. The famous book by R. Holm [9] details all of the various wear and failure modes. A primary focus of electrical contact design is to retard the wear and delay the ultimate failure modes.
“Reed switches or relays eventually fail in one of three ways. They do not open when they should (usually called “sticking”), they fail to close when they should (“missing”), or their static contact resistance gradually drifts up to an unacceptable level”.[10]
Explicit detail on electrical contact wear was published by F. Llewellyn Jones.[11] There are numerous plates of wear and several showing electrical arcs resulting in material transfer. The physics of electrical arcs can be found in Thomson and Thomson [12], and Cobine [13].
Vibration is also a fundamental failure mode and a principal source of false alarms in the BMS.
“Next, consider which axis has the strongest opportunity for shock or vibration signals. Switch orientation will minimize and sometimes effectively eliminate the possibility of false signals and damage.”[14]
Shock and vibration physics is presented in fine detail, including reed vibration, by Peek and Wagar.[15] More physics on shock impulse can be found in the Engineers’ Relay Handbook.[16]
This all equates to the Mean Time Between Failures (MTBF). Standardized details for the measurement and calculation thereof can also be found in Engineers’ Relay Handbook.[16] MTBF is a purely statistical number with a distribution curve unique to the particular switch. The life rating is always specified at a nominal voltage and current. I personally have run life tests where switches failed within the first 10 actuations, when operated well within the specified operation envelope and having an MTBF of 1 million.
Several references discuss susceptibility to electromagnetic interference (EMI), for which lightning, grouped with Electrostatic Discharge (ESD), is one example. Numerous texts on Electronic Compatibility discuss this in great detail. The major design references all address this type of failure mode and false contact generation.[15-19] One of my contractors always complained about the reed switch false alarm rates in areas with high electrical storm incidence.
I have examined the design of all commercially available BMS of whatsoever type and have not found one single effort to harden any of the BMS security sensors against any kind of vibration or EMI, including lightning. They are all bare magnetic contacts with absolutely nothing else on board. Cut one open for yourself or have it X-rayed! In stark contrast, all of my 3D designs incorporate means intended to prevent any kind of interference, whether radiated or conducted. This includes common mode rejection and transient suppressors.
Conclusion
In this paper, I have brought up to date the history of Classical BMS’s. The evolution of the magnetic sensor technology has been driven to some extent by the need to overcome the Trivial Defeat attack. Basically, the BMS itself has not changed, only the sensors being used, yet these did not solve the problem. Many attempts have been made to substitute Hall sensors in this vein without success. There is one new device that was just presented at a trade show this year which is still going down this same path. The entire BMS device operational paradigm has to be rethought in favor of a completely new approach to detection and data analysis discussed in this paper.
In my view, the best way to counter the Trivial Defeat is to detect and identify the 3D magnetic field and recognize it uniquely. There is a strong analogy to Facial Recognition techniques, but the salient feature of the new recognition algorithms is that they are based upon data collected by 3-dimensional vector sensor arrays. Unlike with biometrics, data conversions between 2 and 3 dimensions are unnecessary, saving enormous amounts of computation time. The most difficult aspect is creating the needed algorithms. They must operate in real-time, along with all the other on-board operations, to maintain a fully functional device, and still use minimal microcontroller space. It should also be clear that virtual prototype software is necessary to construct such a complicated device.
References
[1] JT Jackson, “Trivial Defeat of a Balanced Magnetic Switch”, Journal of Physical Security 5(1), 1-11 (2011), http://jps.rbsekurity.com
[2] TJ Holce, “Magnetically Actuated Sensing Device”, US Patent 4,210,889, 1970.
[3] JT Jackson, “High Security Balanced Type Magnetically Actuated Proximity Switch System”, US Patent 5,668,533, 1997.
[4] Federal Specification Components for Interior Alarm Systems, Balanced Magnetic Switches, W-A-450/1 August 28, 1990, https://www.jrmagnetics.com/security/specs/wa450-1.pdf
[5] JT Jackson, “Balanced Magnetic Proximity Switch Assembly”, US Patent 5,929,731, 1999.
[6] JT Jackson, “The Jackson High Security Switch and Radio Frequency System”, Thesis UMI Number 1389436, 1997, www.jrmagnetics.com.
[7] RG Johnston and JS Warner, “Unconventional Security Devices”, Journal of Physical Security 7(3), 62-126 (2014), especially pages 85-88.
[8] Maureen VanDyke, How an Environment Affects a Magnetic Switch, MagneLink, Inc., 2019, https://www.magnelinkinc.com/blog/magnetic-switch-environment/
[9] R Holm, Electrical Contacts Theory and Applications, Springer, 1958, 1967, 1981, 2000.
[10] “Testing Reed Switches and Relays for Reliability”, Coto Technology, Inc., https://www.cotorelay.com/wp-content/uploads/2014/05/Testing_Reed_Switches__Relays_for_Reliability.pdf
[11] FL Jones, The Physics of Electrical Contacts, Oxford at the Clarendon Press, 1957.
[12] JJ Thomson and GP Thomson, Conduction of Electricity Through Gases, Dover, 1903, 1928.
[13] JD Cobine, Gaseous Conductors, Dover Publications, 1941.
[14] “Reed Switches in Shock and Vibration Environments”, HSI Sensing, 2017, https://www.hsisensing.com/reed-switches-shock-and-vibration-environments/
[15] RL Peek and HN Wagar, Switching Relay Design, D. Van Nostrand Company, Inc., 1955.
[16] Engineers Relay Handbook, Fourth Edition, National Association of Relay Manufacturers, Milwaukee, Wisconsin, 1966, 1980, 1991.
[17] JP Lockwood, Applying Precision Switches, Micro Switch, 1972.
[18] Designers’ Handbook & Catalog of Reed and Mercury Wetted Contact Relays, Magnecraft Electric Co., 1966.
[19] National Association of Relay Manufacturers, Proceedings 42nd Relay Conference, May 9-11, 1994, Boston, Massachusetts.
[20] UL, “UL634, Standards for Connectors and Switches for Use with Burglar-Alarm Systems”, https://standardscatalog.ul.com/standards/en/standard_634
-
Journal of Physical Security 12(3), 15-29 (2019)
Physical Security Best Practices
Irikefe Urhuogo-Idierukevbe, DBA.*, Archie Addo, Ph.D., Timothy L. Anderson, DBA.**, and Fazel Mohammed Khan, MBA*
* School of Computer Sciences, University of the Cumberlands, Williamsburg, Kentucky
** DeVoe School of Business, Indiana Wesleyan University, Marion, Indiana
Abstract
The physical security market is estimated to grow from $69.63 billion in 2016 to $112.43 billion by 2021 (Willemsen & Cadee, 2018). In order to sustain this growth, reliable and capable security officers are needed. Security officers are important aspects of organizations’ physical security. Without security officers, an organization can be vulnerable to uninvited guests that may harm an organization’s internal and external environment. When security officers are not monitoring the environments they are tasked with, they neglect important details that may detrimentally affect the organization’s physical environment. Even though security officers may be distracted with different internal and external factors within their work environments, they cannot afford to pay little attention to their surroundings. A security officer should be able to account for all the individuals entering the premises of an organization. Organizations can be innovative by implementing certain best practices for physical security. This paper discusses some of these best practices for physical security.
Keywords: Security officers, organizations, command center, innovation, creativity
Introduction
Security officers work in a wide range of environments such as public and office buildings. As such, they are responsible for protecting and observing the physical environments of organizations (Fennelly, 2017; Thomas & Kenny, 2018; Willemsen & Cadee, 2018). Physical security can be defined as the protection of assets such as hardware, software, network personnel, and data from action or events that could lead to significant loss or damage to an organization (Johnston & Warner, 2014). The damages or losses from lack of physical security in an organization include fire, burglary, vandalism, theft, arson, and terrorism (Tahir & Malek, 2017). A commonly adopted strategy in implementing physical security is controlling access to the organization by using different types of barriers such as gates, walls, and fences that are overseen by security personnel stationed at guardhouses (Tahir & Malek, 2017). Even though security officers may be distracted with different internal and external factors within their work environments, they cannot afford to pay less attention to their surroundings. Thus, a security officer accounts for all the individuals entering the premises of an organization. Organizations can be innovative by implementing some best practices for physical security.
Duties of Security Officers
Security officers prevent risks, watch out for danger, and report any crime they may encounter (Doyle, Frogner, Andershed, & Andershed, 2016; Moreira, Cardoso, & Nalla, 2015). In an emergency, security officers may call for assistance from the police, fire, or ambulance services. Some security officers may be armed while others may simply carry a stun gun (Fennelly, 2017; Moreira, Cardoso, & Nalla, 2015). Whether a security officer works at a shopping center or in a bank, he or she has a significant job to do, which is to prevent crime or harm to the organization (Doyle et al., 2016).
Research shows that some security officers provide surveillance around the clock by working shifts of eight hours or longer with rotating schedules (Fennelly, 2017). Others spend substantial time on their feet, either assigned to a specific post or patrolling buildings and grounds (Noronha, Chakraborty, & D’Cruz, 2018). Such patrol routines are especially useful during holidays in conjunction with various festivals or school vacations when many residents leave their homes empty (Moreira, Cardoso, & Nalla, 2015). Because many burglaries occur during such periods, patrol frequency increases (Tahir & Malek, 2017).

A security officer is responsible for ensuring that all individuals within a premise are properly identified (Noronha et al., 2018). An unobservant officer might easily overlook something that could put lives in danger or miss out on witnessing a crime (Willemsen & Cadee, 2018). Often an organization’s personnel are given an identification card or badge that verifies their identity and permits them to access the organization buildings (Fennelly, 2017). Guests are sometimes provided with a guest pass that would allow them temporary access to facilities in the organizations (Rowland & Coupe, 2014). Figure 1 outlines some of the responsibilities of security officers.
Figure 1. Security Officers Responsibilities
Best Practices for Physical Security
Inasmuch as security officers’ tasks can be repetitive in nature, security officers need to be innovative in their various responsibilities. Physical security has come a long way, especially with the innovation of information and artificial intelligence (Fennelly, 2017). The application of physical security has the potential to preserve security and peace of mind in a business environment. Indeed, business innovation is vital to the success of any organization. For organizations to meet global demand and trends, organizational management needs to be innovative in order to meet the growing needs of their customers. Innovation is not restricted to only the business aspect of organizations; it is also vital to the physical security aspect of an organization as well. Some ways organizations can be innovative are investing in portable security devices, investing in a comprehensive security system, and providing customized training for all security officers. This section suggests four ways security officers can be innovative.
Portable Physical Security
While security officers are expected to be vigilant, they cannot be everywhere at the same time. For instance, if security officers need to check an office or an area in the building, they should be able to use portable visual surveillance to supervise the other locations as they make their way to their destination. Security officers need portable technological devices that would enable them to supervise areas and locations that are inside and outside of the organization. When a threat is detected, such officers can reach out to other security officers for help to check the locations that need attention (Rowland & Coupe, 2014). By developing a security service that is built on mobile surveillance units, security officers can move around their organization freely without having to rush back to the command post in order to observe activities in other areas of the organization. The portable surveillance technology should not replace the organization’s current surveillance technology, but rather complement the surveillance system that is already in place.

Using a location tracker for guards can increase security team accountability. This would increase real-time reporting and communication (Wang, 2018). In case of an incident, the incidents can be reported with supporting evidence. This approach can save time and extra effort in gathering details of an incident (Fennelly, 2017). Photos and videos can be loaded quickly and easily to support incidental reporting. Real-time communications allow the security officers to quickly assess the situation to notify the management of the organization.
Another best practice includes implementing robots to carry out surveillance rounds without human intervention. This approach can help security officers with touring the facility or campus, which can be monotonous work that often leads to fatigue and boredom. For large organizations, a land-based drone can be used on site for emergencies. The drone can get to a site faster than security officers. The use of drones can also lead to minimizing harm when security officers are physically monitoring a dangerous situation.

Considering that security officers are tasked with monitoring the environment of organizations, it is important for security officers to be alert and observant of the activities in their organization’s environments (Moreira, Cardoso, & Nalla, 2015; Noronha et al., 2018). Security officers view hundreds of live feeds from their control center daily. As such, they are expected to recognize unwanted intruders or threats before the threat becomes a problem. When a threat is detected, security officers often use the camera in their command center to navigate the environment of the threat (Saarikkomäki & Kivivuori, 2016). When navigating the camera from the control center, security officers focus on the area of the threat to see what is happening. In some cases, it might just be that someone left an unidentified package, while other threats might simply be a building that is left open by employees. Whatever the threat may be, the command center needs to use the cameras in their post to investigate the threat before going out to the site of the threat in person.
Comprehensive Security System
Just as portable security systems can make access to a remote location easier for security officers, a comprehensive security system can reduce the workload of security officers. One of the best practices to consider in terms of physical security is investing in security systems that would help an organization to keep track of incident reports or alerts in their business environment. A security system such as Securitas’ Connect/Vision can help management determine incident status and the daily organization’s activities in their business environment simply by logging into Securitas’ website. Because different people may go in and out of a room or building often, it is important that security personnel are on high alert for uninvited guests. When the command center notices any movement that is suspicious, they need to check it at once to ensure it is not a threat that would potentially affect the daily operation of the organization. All potential threats in a work environment should be investigated; no threat should be considered too insignificant to be investigated (Rowland & Coupe, 2014). By logging into Securitas’ website, management can recognize areas in which security needs to be strengthened. Considering that physical security in a work environment is vital to the daily operation of an organization, it is important for leaders of organizations to invest in technology that would help them to be innovative and one that would set them apart from their competitors.
Another best practice for physical security is ensuring that the command center operators keep detailed documentation of the incidents and threats they observe or witness in person. Because security command center operators observe different live incidents as they happen, they are in a better position to provide details of what happened (To et al., 2018). As threats are documented and recorded, security officers can revisit the event by reviewing the recordings so that they will have all the details they need to document the incident for upper management or the police in case they need written documentation of the events (Rowland & Coupe, 2014). Even though written documentation of the footage may be needed, the organization may have a written policy of how long the command center is to keep the footage. Some organizations may keep footage for six months, while others for a year. The duties in different work environments can be challenging for security officers (Botacin, 2018). From scheduling shifts to sending reports to organizational management, this can be overwhelming. A monitoring software application can decrease the overwhelming tasks by streamlining administration duties. The benefits of this approach include avoiding shift scheduling errors, communication mishaps, and other common problems that can disrupt the ability to deliver reliable security service.
A security guard monitoring system can ensure that the guards and the organization are protected (Fennelly, 2017). A typical example is a push notification indicating that a security officer failed to arrive at a checkpoint. This could provide an alert of a medical emergency being experienced by one of the employees. The guard recording via video can link to law enforcement to identify and quickly apprehend intruders who may break into the organization premises. Tracking and communications are critical elements of a high-quality monitoring system that can lead to physical and financial safety for the organization.
Another best practice to consider in terms of physical security is investing in a patrol monitoring system. This significantly increases accountability. Other tools that contribute to accountability include automatic timekeeping, Global Positioning System (GPS) tracking for specific locations, and electronic checkpoints to ensure that the security officers are following shift procedures, showing up for their patrols on time, and performing all other duties. Such high-tech systems should send automatic alerts when a guard fails to report at strategic locations in a timely manner.
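One way to implement the missed-checkpoint alert described above, as an added example that is not from the paper or from any vendor's product. The guard IDs, checkpoint names, timestamps, the 5-minute grace window and the 20-minute late limit are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Visit:                      # one scheduled checkpoint visit
    guard: str
    checkpoint: str
    due: datetime


@dataclass(frozen=True)
class Scan:                       # one electronic checkpoint read
    guard: str
    checkpoint: str
    at: datetime


def evaluate(schedule, scans, now,
             grace=timedelta(minutes=5), late_limit=timedelta(minutes=20)):
    """Return (status, visit, scan_time) per visit, ordered by due time.
    Assumes visits to one checkpoint are spaced wider than grace + late_limit."""
    ordered = sorted(scans, key=lambda s: s.at)
    used, results = set(), []
    for visit in sorted(schedule, key=lambda v: v.due):
        status, seen = "PENDING", None
        for i, scan in enumerate(ordered):
            if i in used or scan.at > now:
                continue          # already consumed, or not yet received
            if (scan.guard, scan.checkpoint) != (visit.guard, visit.checkpoint):
                continue          # wrong guard or wrong checkpoint
            if visit.due - grace <= scan.at <= visit.due + late_limit:
                used.add(i)
                seen = scan.at
                status = "OK" if scan.at <= visit.due + grace else "LATE"
                break
        if seen is None and now > visit.due + grace:
            status = "MISSED"     # window closed with no scan: alert now
        results.append((status, visit, seen))
    return results


def guards_to_check_on(results, threshold=2):
    """Guards with `threshold` consecutive MISSED visits (possible welfare issue)."""
    streak = {}
    for status, visit, _ in results:
        if status == "MISSED":
            streak[visit.guard] = streak.get(visit.guard, 0) + 1
        elif status in ("OK", "LATE"):
            streak[visit.guard] = 0
    return sorted(g for g, n in streak.items() if n >= threshold)


def t(hhmm):                      # constructed timestamps on one night shift
    return datetime.strptime("2019-11-02 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample data: guard IDs and checkpoint names are hypothetical.
SCHEDULE = [
    Visit("G-01", "loading-dock", t("22:00")),
    Visit("G-01", "server-room", t("22:15")),
    Visit("G-01", "lobby", t("22:30")),
    Visit("G-02", "parking-gate", t("22:00")),
    Visit("G-02", "roof-access", t("22:20")),
    Visit("G-02", "parking-gate", t("23:00")),
]
SCANS = [
    Scan("G-01", "loading-dock", t("21:58")),   # inside the grace window
    Scan("G-01", "server-room", t("22:27")),    # 12 minutes after due
    Scan("G-02", "lobby", t("22:05")),          # not on G-02's route
]

if __name__ == "__main__":
    results = evaluate(SCHEDULE, SCANS, now=t("22:45"))
    for status, visit, seen in results:
        print(status, visit.guard, visit.checkpoint, visit.due.time(), seen)
    print("welfare check:", guards_to_check_on(results))
```

A visit stays PENDING until its grace window closes, so the alert fires as soon as the window has passed without a scan rather than at the end of the shift.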
Security Curriculum
An organization’s managers need to outline the training curriculum for their security officers, and also identify appropriate education institutions to help train future security guards for the organization. Even though security officers are trained using a basic curriculum, every organization is different and as such, one-size-fits-all security training may not be enough for every organization. Thus, creating a standard training guideline for all security officers can help an organization hire and retain qualified security officers.

A best practice to consider in terms of physical security is training physical officers on how to avoid physical breaches within an organization. Often the damages from lack of physical security are overlooked by an organization’s upper management. If a proper approach is taken, damage can be prevented or mitigated. Security officers need to ensure obstacles are placed in the way of potential intruders. Physical sites need to be safeguarded to avoid accidents, attacks, and environmental disasters. These obstacles can include locks, fencing, access control systems (including biometrics), and fire suppression. Figure 2 depicts how innovation is applicable to an organization’s physical security. Figure 3 conveys a model for an organization’s physical security.
Figure 2: Innovation and Organization’s Physical Security.
Figure 3: Organization’s Physical Security Model
Education
Because security officers’ jobs require substantial responsibilities and skills, there is a need to train security officers appropriately. For learning to be effective and relevant to real-world situations, it is essential to follow the proper content design and teaching practices. There should be an established process to help security officers effectively transfer the information they learned to their work responsibilities. Weber (2014) noted that leaders of an organization need to build application objectives and transfer processes that would support the learning transfer process. Education and training present a prime opportunity to expand the knowledge of all security officers.

Education and training provide both the organization as a whole and security officers with benefits that make the cost and time a worthwhile investment. Providing the necessary training creates knowledgeable staff who can take over for one another as needed as the organization sees fit and staff who can work on teams or independently without constant help and supervision from others (Fennelly, 2017). Education and training also build security officers’ self-reliance as a result of developing a robust understanding of the security industry and the responsibilities of their jobs. This self-assurance motivates security officers to perform their duties better and think of new ideas that would help them advance in their careers. Continuous training also keeps security officers informed of industry developments.
Summary
In order to ensure that an organization's physical environment is secure, organizational management needs to ensure that they introduce best practices for physical security. The best practices that are introduced within an organization should correspond with the organization's goals and objectives. The Internet of Things (IoT) is growing very quickly and there is even a greater need to protect organizations. Organizations have a duty to protect an organization’s infrastructure and devices in the organization's environment. After thorough identification of physical security risks, there is a need to provide appropriate training to the organizations’ security officers that are assigned to specific posts (Klein, Ruiz, & Hemmens, 2019).
About the Authors
Irikefe Urhuogo-Idierukevbe is a professor of information technology at the University of Cumberlands. She has been with the university for three years. Her areas of research include business administration, information technology and information system management.

Archie Addo is a professor of information technology at the University of the Cumberlands. He has been with the university for two years. His areas of research include big data, information technology, information system management, data science, and information security.

Timothy L. Anderson is a professor of business at Wesleyan University. He has been with the university for 3 years. His area of research includes business administration and management.

Fazel Mohammed Khan is an Executive Master Level Student at the School of Computer Sciences, University of the Cumberlands, Williamsburg, Kentucky.
References
Ardic, C., Usta, O., & Ozturk, G. Z. (2018). The relationship between the situation of being exposed to violence and the burnout in security guards working in the hospital. Konuralp Medical Journal / Konuralp Tip Dergisi, 10(2), 153–159.
Botacin, M., De Geus, P. L., & Grégio, A. (2018). Who Watches the Watchmen: A Security-focused Review on Current State-of-the-art Techniques, Tools, and Methods for Systems and Binary Analysis on Modern Platforms. ACM Computing Surveys, 1(51), 1–34.
Doyle, M., Frogner, L., Andershed, H., & Andershed, A.-K. (2016). Feelings of safety in the presence of the police, security guards, and police volunteers. European Journal on Criminal Policy & Research, 22(1), 19–40.
Fennelly, L. J. (2017). Effective physical security (5th ed.). Elsevier Inc.
Johnston, R. G., & Warner, J. S. (2014). Is physical security a real field? Journal of Physical Security, 7(3), 13–15.
Klein, M. S., Ruiz, L., & Hemmens, C. (2019). A statutory analysis of state regulation of security guard training requirements. Criminal Justice Policy Review, 30(2), 339–356.
Moreira, S., Cardoso, C., & Nalla, M. K. (2015). Citizen confidence in private security guards in Portugal. European Journal of Criminology, 12(2), 208–225.
Noronha, E., Chakraborty, S., & D’Cruz, P. (2018). ‘Doing dignity work’: Indian security guards’ interface with precariousness. Journal of Business Ethics. https://doi.org/10.1007/s10551-018-3996-x
Rowland, R., & Coupe, T. (2014). Patrol officers and public reassurance: A comparative evaluation of police officers, PCSOs, ACSOs and private security guards. Policing & Society, 24(3), 265–284.
Saarikkomäki, E., & Kivivuori, J. (2016). Encounters between security guards and young people: the extent and biases of formal social control. Policing & Society, 26(7), 824–840.
Tahir, Z., & Malek, J. A. (2017). Elements of security for a gated and guarded community in the context of smart living. E-BANGI Journal, 12(3), 1–11.
Thomas, S. A., & Kenny (2018). Modernizing the coast guard financial community. Armed Forces Comptroller, 1(63), 39–40.
To, W.-M., Lee, P. K. C., & Lam, K.-H. (2018). Building professionals’ intention to use smart and sustainable building technologies – An empirical study. PLoS ONE, 13(8), 1–17.
Wang, J., Hong, Z., Zhang, Y., & Jin, Y. (2018). Enabling security-enhanced attestation with Intel SGX for remote terminal and IoT. IEEE Transactions on Computer-Aided Design of Integrated Circuits & Systems, 1(37), 88–96.
Weber, E. (2014). Turning learning into action: A proven methodology for effective transfer of learning. London, England: Kogan Page.
Willemsen, B., & Cadee, M. (2018). Extending the airport boundary: Connecting physical security and cybersecurity. Journal of Airport Management, 12(3), 236–247.
-
Journal of Physical Security 12(3), 30-32 (2019)
Viewpoint Paper
Design Reviews Versus Vulnerability Assessments for Physical Security*
Roger G. Johnston, Ph.D., CPP
Right Brain Sekurity
http://rbsekurity.com
* This paper was not peer reviewed.

A Vulnerability Assessment (VA) involves identifying and perhaps testing/demonstrating security flaws and likely attack scenarios, then recommending changes to how the security device, system, or program is designed or used. This is done in hopes of improving security.

Getting security managers and organizations to pursue a VA can be challenging. For one thing, VAs often get confused with other, more familiar and comfortable analysis techniques which either (1) aren't primarily about vulnerabilities at all, or (2) that do have something minor to say about vulnerabilities but aren't typically very good at profoundly uncovering new vulnerabilities. [1,2] For example, a VA is not a “test” or a “certification” process for a security product or program. It is something quite different from “Red Teaming”, penetration testing, security surveys, Threat Assessments, Risk Management, fault/event trees, and Design Basis Threat—though these things might well be worth doing.

Another impediment to arranging for VAs is that they are typically time-consuming and relatively expensive. This is especially true given that VAs should ideally be done periodically and iteratively from the earliest design stage through marketing and deployment of a new security product, system, strategy, or program.

Perhaps more daunting, VAs are often feared by security managers and organizations because an effective VA will inevitably uncover multiple vulnerabilities. In my view, this is the wrong mindset for thinking about security, but it nevertheless is quite common. Finding a vulnerability is actually good news because vulnerabilities are always present in large numbers, and finding one means we can potentially do something about it. Moreover, it is my experience that serious vulnerabilities can often be mitigated or eliminated with simple changes to the design of a security product/program, or how it is used. But the security improvements aren’t possible if the vulnerabilities go unrecognized!

I have found that many security managers and organizations are much more comfortable with a “Design Review”, rather than a Vulnerability Assessment. Arranging for a review of the design of a security product, system, strategy, or program is more familiar—and a whole lot less scary—than targeting security flaws. In a Design Review, there is a brief review of the design and engineering issues, and then recommendations are offered for improving the design or the use protocol. Fewer vulnerabilities, attack scenarios, and countermeasures are developed in a Design Review than for a VA, and they are typically not tested or demonstrated like in a VA.

While a Design Review will not permit as deep an understanding of vulnerability issues as a VA, it still offers the security manager or organization the opportunity to improve their security at modest cost in a short period of time. Moreover, in my experience, about half of the organizations that arrange for a Design Review eventually commission a Rudimentary Vulnerability Assessment (RVA) or a Comprehensive Vulnerability Assessment (CVA) once they see the results and recommendations from the Design Review, and that those results aren’t all that frightening. Most of the work that went into the Design Review is directly applicable to conducting either a RVA or a CVA. The main differences between a RVA and a CVA are time, cost, and the number of vulnerabilities, attacks, and countermeasures that can be found and demonstrated.

An alternative to a Design Review is a Market Analysis where a new security product is compared to existing products. Potential applications and end users are also identified. A Market Analysis can be a relatively non-frightening way to introduce some vulnerabilities issues and potential countermeasures without seeming to overtly criticize the security product or service.

The bottom line: sometimes a Design Review or a Market Analysis can sneak in information about vulnerabilities, attack scenarios, and possible countermeasures in a more palatable way than a Vulnerability Assessment. This can be helpful for security managers and organizations who are hesitant or fearful of learning about their security vulnerabilities, or don’t have the time or funding for a true Vulnerability Assessment.

About the Author
Roger G. Johnston, Ph.D., CPP is head of Right Brain Sekurity (http://rbsekurity.com), a company devoted to design reviews, vulnerability assessments, market analyses, and R&D for physical security. LinkedIn: http://www.linkedin.com/in/rogergjohnston.

References
1. RG Johnston, “Being Vulnerable to the Threat of Confusing Threats with Vulnerabilities”, Journal of Physical Security 4(2), 30-34, 2010, http://jps.rbsekurity.com.
2. RG Johnston and JS Warner, “Debunking Vulnerability Assessment Myths”, SecurityInfoWatch, August 6 & 13, 2013, Part 1: http://www.securityinfowatch.com/article/11078830/experts-discuss-commonly-held-misconceptions-about-vulnerability-assessments Part 2: http://www.securityinfowatch.com/article/11108983/experts-discuss-the-characteristics-of-good-vulnerability-assessors