
  • Table of Contents, Journal of Physical Security, Volume 12(3), 2019

    Available at http://jps.rbsekurity.com

    Editor’s Comments, pages i-v

    C Holder, “Automatic Vehicle Gate Systems Design”, pages 1-3

    JT Jackson, “3D Magnetometer Array Replaces Traditional Balanced Magnetic Switch”, pages 4-14

    I Urhuogo-Idierukevbe, A Addo, TL Anderson, and FM Khan, “Physical Security Best Practices”, pages 15-29

    RG Johnston, “Design Reviews Versus Vulnerability Assessments for Physical Security”, pages 30-32

  • Journal of Physical Security 12(3), i-v (2019)

    Editor’s Comments

    Welcome to volume 12, issue 3 of the Journal of Physical Security (JPS). In addition to the usual editor’s rants and news about security that appear immediately below, this issue has papers about automatic vehicle security gates, 3D magnetometer arrays as a more secure replacement for BMS, best practices in physical security, and design reviews vs. vulnerability assessments.

    All papers are anonymously peer reviewed unless otherwise noted. We are very grateful indeed to the reviewers who contribute their time and expertise to advance our understanding of security without receiving recognition or compensation. This is the true sign of a professional!

    Past issues of JPS are available at http://jps.rbsekurity.com, and you can also sign up there to be notified by email when a new issue becomes available. A cumulative table of contents for the years 2004 through March 2019 is available at http://rbsekurity.com/JPSArchives/grand_jps_TOC.pdf

    JPS is hosted by Right Brain Sekurity (RBS) as a free public service. RBS is a small company devoted to physical security consulting, vulnerability assessments, and R&D. (http://rbsekurity.com)

    As usual, the views expressed in these papers and the editor’s comments are those of the author(s) and should not necessarily be ascribed to their home institution(s) or to Right Brain Sekurity.

    *****

    Don’t Pass Along the Boarding Pass

    Don’t leave your boarding pass on the plane after the flight! It contains a lot of personal information. See https://www.huffingtonpost.ca/entry/hackers-boarding-pass-data_l_5de95730e4b00149f73d9ce3

    *****

    2020 Vision

    Be careful dating checks and documents in this way: 1/15/20. It makes things easier for bad guys to re-date as “1/15/2000” or “1/15/2021”. See https://www.usatoday.com/story/news/nation/2020/01/02/do-not-abbreviate-year-2020-in-date/2795857001/

    *****


    Campus Security & Safety

    Check out this webpage for some informative examples of campus safety and security blunders by hospitals, schools, and universities: https://www.campussafetymagazine.com/safety/ridiculous-campus-security-mistakes/

    On a related note, I recently examined some issues of the Journal of Healthcare Protection Management, and was reminded what a useful resource it is for security. See https://www.iahss.org/page/Journal

    *****

    Secret Service Study

    The new Secret Service report on school violence is well done and definitely worth a look and consideration: https://www.secretservice.gov/data/protection/ntac/usss-analysis-of-targeted-school-violence.pdf

    *****

    Jewel Heist

    Crooks got away with robbery of the Grünes Gewölbe Museum in Dresden. Most or all of the loot will probably never be recovered: https://www.nbcnews.com/news/world/german-jewel-heist-thieves-walked-49-carat-diamond-authorities-confirm-n1092971

    *****

    Mission Creep

    A security guard apparently attempted to break up an on-field fight during an Australian Rules Football game in Tasmania and was much ridiculed: https://www.foxsports.com.au/afl/afl-2019-vision-emerges-of-security-guard-stepping-onto-blundstone-arena-about-to-break-up-onfield-tussle/news-story/0497f44b6c3c1e121d6868072a47d4a0

    *****

    Freedom Declines


    Freedom House’s annual report on the state of freedom in the world notes that 68 countries experienced a decline in political rights and civil liberties, while only 50 countries gained. In 2019, law enforcement in 47 countries arrested citizens for posting political, social, or religious speech online. See https://freedomhouse.org/report/freedom-world/freedom-world-2019

    *****

    New Technology

    This article in Forbes is worth pondering if you are considering incorporating new security technology into your Enterprise Security: https://www.forbes.com/sites/forbestechcouncil/2019/10/10/eight-key-questions-to-consider-before-adding-new-tech-in-your-organization/#56c38d3428b9

    *****

    Real-ID

    I recently had to renew my driver’s license and get the new federal “REAL ID”. (See https://www.dhs.gov/real-id) The amount of documentation and personal information that has to be provided is truly onerous. (I got tripped up on my underwear size.) After nearly 2 hours of waiting in various lines at the Motor Vehicle Department, I did get through the process. This particular piece of insane Security Theater from DHS Keystone Kops goes against the entire purpose of Security Theater. Security Theater is supposed to have “feel good” attributes, and to be less work and less painful for citizens and/or government officials than Real Security. None of these things are true for REAL ID Security Theater.

    *****

    Not So Smart After All

    Computer scientists are struggling to deal with how easily Artificial Intelligence (AI) systems can be spoofed: https://www.npr.org/2019/09/18/762046356/u-s-military-researchers-work-to-fix-easily-fooled-ai

    Nothing surprising here. High-tech is typically easy to spoof, even with low-tech methods.

    *****


    Wandering DNA

    A man with leukemia had a bone marrow transplant, just as tens of thousands of patients do each year for a variety of medical ailments. It turns out that the donor’s DNA traveled all throughout his body, creating real issues for using DNA forensics to solve crimes. See https://www.nytimes.com/2019/12/07/us/dna-bone-marrow-transplant-crime-lab.html

    *****

    SOS for SMS

    Popular Mechanics had a good article on SMS texting and why it is not secure. See “How SMS Works and Why You Shouldn’t Use It Anymore”, https://www.popularmechanics.com/technology/security/a29789903/what-is-sms/

    *****

    Cyber Security Blunders

    Check out this website that lists the year’s most absurd and inept cyber security blunders: https://portswigger.net/daily-swig/the-year-in-stupidsecurity-2019s-biggest-security-and-privacy-blunders

    *****

    Beautiful Security

    Artist Addie Wagenknecht has created some brilliant videos teaching women about online security while offering facetious beauty and makeup tips. See https://www.fastcompany.com/90301667/youtubes-best-beauty-tutorials-dont-teach-you-anything-about-makeup

    *****

    Security for Show

    The TV show The Masked Singer, which even the host calls “the most ridiculous show on television”, reportedly deploys serious security to protect the identity of the mystery singers: https://www.smh.com.au/culture/tv-and-radio/it-s-tv-s-silliest-show-but-its-extreme-security-measures-are-no-joke-20190927-p52vjx.html

    It’s good to see people getting security right when it really matters!


    *****

    The Level of Sophistication of Many Seal Users

    When the young mother returned from the grocery store, her 7-year-old son pulled out the box of animal crackers he had begged for. He spread the animal-shaped crackers all over the kitchen table and examined each one closely. “What are you doing?” his mom asked. “The box says you can’t eat them if the seal is broken,” the boy explained, “So I’m looking for the seal.”

    *****

    -- Roger Johnston
    Oswego, Illinois
    December 2019

  • Journal of Physical Security 12(3), 1-3 (2019)

    Viewpoint Paper

    Automatic Vehicle Gate Systems Design

    Cliff Holder, PSP Certified Automatic Gate Systems Designer

    Automatic Systems

    Over the last 16 years of designing and installing automated vehicle gate entry systems, I’ve seen a wide variety of design mistakes. These mistakes can cost property owners a lot in wasted time and money when the system does not work as planned. The mistakes contribute to user and owner frustration and dissatisfaction. In many instances, these mistakes have made vulnerable the very things the systems were designed to protect.

    It is important to remember that a vehicle entry point is a “hole in your fence line (or perimeter security)” but it should not be your weakest spot.

    Here are five of the most common vehicle gate design mistakes I see, and how to best avoid them:

    1. Choosing the wrong gate for the application. Like any security project, selection of the right product is critical to ensure the product meets your security requirements. One of the first things I tell everyone is, “don’t cut and paste specifications.” Just because one type of gate worked well on a previous project does not necessarily mean it will be the right product on your next project.

    Remember that just because your roadway is 30 feet wide, you may not need a 30-foot gate. After evaluating the types of vehicles, approach and turning radius, and other factors, you may require only a 15-foot-wide system. The longer a gate is open, the longer your facility is exposed to risks.

    Best practice: Conduct a Threat and Risk Assessment (TRA) and understand the risks to the type of facility and know the security objectives of the project. Seek an industry expert to be educated on the many types of gates on the market today, and learn about the advantages/disadvantages of each. Never get “sold” by the next cool looking product you see at a trade show.

    2. Guessing about the number of vehicles that will use the gate each day. Many people make an “educated guess” on the number of vehicles entering/leaving each day. Often, this results in the wrong automated gate system being used for the application. A system that is designed more for a residential home but put into a commercial application may not be capable of the increased daily cycles, which will result in potentially higher maintenance costs and/or a shorter product life span. It may have a lower capital cost, but Total Cost of Ownership (TCO) could be many times more.

    Best practice: Install a vehicle counter for three weeks to get an accurate view of expected daily cycles. You will also see the peak traffic times, which can affect traffic flow, especially if you are planning to cycle the gate for each vehicle.

    3. Placing the pedestal in relation to the gate. Sounds simple, right? Pedestals provide a mounting solution for your access control devices, such as card readers, intercoms, keypads and security cameras. Allowance needs to be made for the types of vehicles using the system. You also need to consider the weather conditions—the “skid factor,” as I call it, when snow or ice conditions can cause problems. Also, consider if the pedestal will be dual height or single height. Placement is critical so that a driver can pull up parallel beside the device and reach it easily from the vehicle.

    Best practice: By placing the pedestals directly perpendicular to the gate, and at a distance allowing for the types of vehicles using the gate, a driver will find it easy to use, and the risk of damage to the gate is reduced. It is always important to install bollards to protect your pedestals and the gate. Note: a typical concrete filled bollard is not crash rated. You may wish to invest in tested bollards to protect your investment from accidental damage – it will be your cheapest and best insurance ever.

    4. Not calculating how the gate will impact traffic. The installation of an automated gate will, by design, create traffic flow issues. Will the opening/closing for each vehicle create line ups of traffic either inside or outside the property? Proper design must ensure that traffic is not backing up onto a public road when accessing the property.

    Best practice: By knowing the number of cycles expected per day, and identifying if there are peak traffic times, you’ll have the best idea how to determine the correct type of automated vehicle gate system for the project. Review the actual planned locations and see if the gate can be set further into the property. A small time investment is to set up a series of traffic cones, identifying the planned location of the gate, and then monitor to see how drivers maneuver through them. If the cones are continually hit, the location may not be best. Allow for turning radius of vehicles on both sides of the gate. Sometimes existing tire tracks on the ground show how vehicles approach and pass through the area. Tracks in snow are even more effective as you can see below!


    5. Failing to consider how visitors will access a gated property. Due to liability and security issues, it’s a must to design the access in ways to prevent pedestrian access through any automated gate. Always provide a dedicated pedestrian entry portal, such as a full height turnstile, if parking is outside of the facility.

    Best practice: Good directional signage showing parking for visitors will help reduce the risk of pedestrian access through an automated gate. Signage also helps prevent the bottleneck at the gate location of the “lost driver” slowing down entry for approved drivers. If visitor vehicles are allowed through an unmanned gate, provide advance information to them via an email with instructions and the location of the intercom so they can announce themselves when they arrive.

    In summary, there is more to a vehicle gate project than meets the eye. A line on a drawing reading “Automated Gate - TYP” provides no performance or specification criteria, which, in a bidding environment, will leave the end user with a system that may not meet their needs or security objective. The result can be costly retrofit projects.

    These are just some of the most common automatic gate system design mistakes I have seen, and some of the countermeasures I can suggest. There are other considerations on these projects, and I am always pleased to provide advice if you are planning a gate project.

    About the Author

    Cliff Holder is a Regional Sales Manager for Automatic Systems. He can be contacted on LinkedIn or at [email protected].

  • Journal of Physical Security 12(3), 4-14 (2019)

    3D Magnetometer Array Replaces Traditional Balanced Magnetic Switch

    John T. Jackson, Jr., MS
    Jackson Research

    www.jrmagnetics.com

    Abstract

    The Balanced Magnetic Switch (BMS) developed and fielded for high-security applications was rendered problematic by the development of a previously demonstrated Trivial Defeat Method. Several attempts to salvage the technology by employing very large actuator magnets and UL634 Class II certification have also failed. The problem is that the glass reed array and other related technologies cannot distinguish one magnet from another. To counter this, a 3D magnetometer array with algorithms related to facial recognition algorithms and some Digital Signal Processing (DSP) is required. A new type of technology is presented here that replaces the obsolete BMS with a new magnetometer array approach that recognizes unique, complex magnetic fields.

    Introduction

    It is necessary to update the history of the Balanced Magnetic Switch presented previously.[1] In my view, the traditional Balanced Magnetic Switch (BMS) is not just obsolete, but actually a security risk. The next step for improving magnetic security sensors is a 3D Magnetometer Array employing embedded smart algorithms analogous to state-of-the-art facial recognition algorithms using modern Digital Signal Processing (DSP). This new technology employs Artificial Intelligence (AI) to observe, interpret the magnetic field shape, and detect attempted tampering or spoofing. It is ideal for use with encrypted, high-security RS485 serial networks.

    History

    Figure 1 shows a single classical glass reed magnetic contact switch mounted on a steel door. Clearly, a single permanent magnet can be attached to the switch, which would go largely unnoticed, and defeat the sensor. There are numerous other examples, some of which include defeating single magnetic contacts similar to this one through window glass from the outside. This is why the Balanced Magnetic Switch (BMS) was invented by Holce [2] in the first place as a better approach. A more detailed historical account can be found in reference [1].

    Figure 1: Classical Glass Reed Magnetic Contact Installation

    My 1997 BMS patent [3] was the first device to get around the Holce patent, and it met the Federal Specification [4] that had been written around the Holce switch. Those original US government specifications remain unchanged to this day. An example device is the black Securitron BMS shown in figure 2. A few years later, the Holce patent ran out and several other companies introduced clones or similar implementations. The Honeywell switch also shown in Figure 2 is one of the first examples of these. They are based on the same underlying principle: triple biased glass reeds. They are all vulnerable to the defeat keys that I have been selling as “Defeat Sticks”.[1]

    Several companies created BMS type sensors based upon Hall effect magnetic sensors. In every case, they were using either Hall switches with fixed trip points or analog devices in combination with comparators at fixed trip points. This is just a different means of doing the same thing as the glass reed. It is the same operational paradigm, just employing a different type of sensor. The Hall devices are actually directional, which offered some advantage, but failed to resist the “Trivial Defeat Test” [1]. Any sensor technology placed in three locations to detect a specific absolute magnetic potential field can always be triggered by an infinite number of actuator permanent magnets. At that time, supplying 12 volts power to any kind of sensor device at the door was operationally problematic.

    There are many assembly and operational problems associated with glass reed technology. It is banned for US military equipment and all satellites. Something more robust and less fragile was required. A new type of BMS was needed that avoided conventional Hall effect sensors.


    This new approach is documented in references [5] and [6], and culminated in several novel patented types of magnetic contact switches and corresponding BMS. It was more resistant to the Trivial Defeat, but still had one fatal flaw—it was still working with the same operational paradigm. Much later I would discover how to defeat this device using very thin neodymium permanent magnets in an upgraded version of Defeat Stick for enhanced Trivial Defeat.

    Another company developed their own version of this design and eventually discovered that their BMS was also vulnerable to the Trivial Defeat. To deal with this problem, they made the actuator magnet so large that an adversary would have trouble finding a smaller magnet that could fit in the air gap using existing permanent magnet materials. This design was incorporated into the UL634 Class II specification [20] but only a slightly different approach was needed to defeat even this apparatus.

    Trivial Defeat of UL634 Class II High Security Switches

    All magnetic contacts of whatsoever type can be defeated by the Trivial Means. The problem is that all magnetic contacts are potential comparators that measure the absolute value of the magnetic field. There are an infinite number of permanent magnets that can create the required field strength to activate the magnetic contact. This attack reroutes the neodymium permanent magnetic field through a high permeability shunt, 1018 iron, into the gap.

    The idea that UL634 Class II devices cannot be defeated only needs one example to render it invalid. Figure 3 demonstrates a successful attack. The photo shows a green light on the alarm status meter indicating a safe or secure alarm state. The VOM meter verifies the indication. Obviously, the large defeat magnet used is inconvenient, but clearly demonstrates the feasibility of creating a regular defeat tool.

    The actuator magnet housing used in the device is the same size as the switch housing, shown in figure 3. The neodymium magnet inside is huge. The radiated magnetic field is likewise quite intense. Several problems arise due to this excessively large actuator magnet. Metal doors and frames are particularly problematic for this type of device. Mounting it creates forces capable of causing serious injury to the installer’s hands because of the strong magnetic attraction between the actuator and the ferromagnetic door material. Moreover, the strong magnetic field between the door-mounted actuator and the metal door casing may require excessive force to open the door and may cause the door to slam shut when releasing the door handle, or else require a strong, deliberate push to close the door when the actuator magnet attempts to latch onto the metal door casing.

    Figure 1: Classical Balanced Magnetic Switches (BMS)

    The radiated field of such large magnets may violate EU regulations regarding radiated static magnetic fields, depicted in figure 5. The Gauss Meter Android app downloaded from Google Play Store to a smart phone is shown in figure 4. The app easily measures static radiated magnetic fields. The magnet actuator associated with the switch shown in figure 3 radiates a field in excess of the minimum field strength regulation at chest level and exceeds it several times at head level when standing near a wooden door installation.

    Figure 2: Trivial Defeat of a UL634 Class II Device


    The UL634 Class II standard requires excessively large actuator magnets to meet the standard. This creates other problems and does not mitigate the Trivial Defeat issue.

    The 3D Magnetometer Array

    Countering the Trivial Defeat requires a new sensor paradigm. It is helpful to create a sensor that can see the shape of a magnetic field and distinguish between magnets uniquely, much like facial recognition algorithms. This leads to a device where only one unique permanent magnet actuator can operate the sensor. Exactly identical copies of this magnet actuator assembly can operate the sensor, but nothing else. This can only be achieved if an array of magnetometers is used to measure the 3D field shape in real time. It is analogous to using biometrics, such as a fingerprint.

    Figure 3: EU Radiated Electric and Magnetic Field Regulations


    Figure 6 shows a typical BMS actuator magnet assembly magnetic field. It is the classical triple bias type of field used to prevent the use of a single magnet to trick the traditional triple balanced sensor. The field plot is generated by an FEM magnetics program and takes a slice out of the middle of the actuator. Different permanent magnet assemblies may resemble the shape of the field and present the correct absolute value of magnetic potential field to the traditional BMS sensors from a different physical position, such as the air gap between the BMS and the actuator, but not to a properly constructed magnetometer array.

    Every unique assembly of permanent magnets generates a unique 3D vector field.[7] Orientation and material type will determine the shape of the field, distinguishing it uniquely from every other assembly. Figure 7 is an example of a specific combination of permanent magnets and the 3D field that it generates. Making every actuator magnet assembly unique, like a password, is not necessary. A duplicate actuator would have to be placed in exactly the same position as the original, which means the door must be open and cannot be closed without a momentary disruption for this to work.

    Building unique permanent magnet actuators, like a password, can be achieved as a practical matter with this technology. The intruder would need an exact duplicate of the actuator that would only work when the door is open. But, for most installations, this is excessive. Only in rare special cases should anything like that be contemplated for security switch design.

    One previous application of the unique field concept was as a means to protect containers from tampering.[7] In stark contrast to a security switch design, where the details of the magnet structure and the sensor types and positions are well known in advance, this approach relies upon complex placement and orientation of magnets and arbitrary placement of a sensor. The position of the sensor and the magnitude of the vector field at that point must be transmitted separately.

    Figure 4: Cross Section Magnetic Field Plot of Typical BMS Actuator

    Figure 5: 3D Magnetic Field Lines Plot


    An example of an actual 3D magnetometer array mounted on a PCB is shown in figure 8. This magnetometer array uses the High Security Sensor shown in Figure 9. This array includes a three axis sensor matrix with a DSP MCU on the bottom of the board (not shown). The three-axis sensor provides the measurement of the vectors at 9 physical locations of a matrix composed of x, y, and z vector components. As a practical matter, this is typically adequate to define a 3D magnetic field uniquely. As long as we are within the sphere of influence of the magnetometer sensor array and permanent magnet actuator, the magnetic field will always be uniquely defined. This is in strong contrast to various facial recognition algorithms.
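An added illustration, not the author's algorithm or firmware: the C code below contrasts the comparator paradigm criticized above (absolute field magnitude checked at three locations) with matching all three vector components at the 9 array locations against a stored reference field. The sample fields, the choice of sites 0/4/8, the ±10% trip window and the sum-of-squares tolerance are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define N_SITES 9   /* the 9 measurement locations of the sensor matrix */
#define N_AXES  3   /* x, y, z component at each location */

/* One snapshot of the array in raw A/D counts (units are constructed). */
typedef struct { int32_t b[N_SITES][N_AXES]; } field_t;

/* Assumed tolerance: 10 counts RMS per component, kept squared (no sqrt). */
#define TOL2 ((int64_t)N_SITES * N_AXES * 10 * 10)

/* Constructed sample data, not measurements from any real device. */
static const field_t ENROLLED = {{          /* stored reference field */
    { 300,  400,   0}, { 120,  350,  80}, {-300,  400,   0},
    { 200,    0, 450}, {   0,    0, 600}, {-200,    0, 450},
    { 300, -400,   0}, {-120, -350,  80}, {-300, -400,   0} }};
static const field_t GENUINE_NOISY = {{     /* same actuator, small noise */
    { 303,  398,   4}, { 123,  348,  84}, {-297,  398,   4},
    { 203,   -2, 454}, {   3,   -2, 604}, {-197,   -2, 454},
    { 303, -402,   4}, {-117, -352,  84}, {-297, -402,   4} }};
static const field_t SUBSTITUTE = {{        /* other source, same |B| at 0/4/8 */
    {   0,  300, 400}, {   0,  200, 300}, {   0,  300, 400},
    { 500,    0,   0}, { 600,    0,   0}, { 500,    0,   0},
    {   0, -300,-400}, {   0, -200,-300}, {   0, -300,-400} }};
static const field_t ABERRATION = {{        /* enrolled field, distorted at sites 0-2 */
    { 340,  400, -30}, { 160,  350,  50}, {-260,  400, -30},
    { 200,    0, 450}, {   0,    0, 600}, {-200,    0, 450},
    { 300, -400,   0}, {-120, -350,  80}, {-300, -400,   0} }};

/* Squared magnitude of one 3-axis reading. */
static int64_t mag2(const int32_t v[N_AXES]) {
    int64_t s = 0;
    for (int a = 0; a < N_AXES; a++) s += (int64_t)v[a] * v[a];
    return s;
}

/* Comparator paradigm: three sensing sites, each checking only that |B| lies
 * inside a fixed trip window (here +/-10%, i.e. 0.81..1.21 on |B|^2).
 * Direction is ignored. Returns 1 for "secure", 0 for "alarm". */
int comparator_secure(const field_t *m, const field_t *ref) {
    static const int sites[3] = {0, 4, 8};   /* assumed sensing positions */
    for (int i = 0; i < 3; i++) {
        int64_t r = mag2(ref->b[sites[i]]);
        int64_t x = mag2(m->b[sites[i]]);
        if (x * 100 < r * 81 || x * 100 > r * 121) return 0;
    }
    return 1;
}

/* Array paradigm: sum of squared differences over all 27 components. */
int64_t field_error2(const field_t *m, const field_t *ref) {
    int64_t e = 0;
    for (int s = 0; s < N_SITES; s++)
        for (int a = 0; a < N_AXES; a++) {
            int64_t d = (int64_t)m->b[s][a] - ref->b[s][a];
            e += d * d;
        }
    return e;
}

/* Secure only if the whole measured vector field matches the stored one. */
int array_secure(const field_t *m, const field_t *ref) {
    return field_error2(m, ref) <= TOL2;
}

int main(void) {
    const struct { const char *name; const field_t *f; } cases[] = {
        {"genuine actuator + sensor noise",       &GENUINE_NOISY},
        {"different source, same |B| at 3 sites", &SUBSTITUTE},
        {"genuine actuator + local aberration",   &ABERRATION},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-40s comparator=%d array=%d err2=%lld\n", cases[i].name,
               comparator_secure(cases[i].f, &ENROLLED),
               array_secure(cases[i].f, &ENROLLED),
               (long long)field_error2(cases[i].f, &ENROLLED));
    return 0;
}
```

All three constructed snapshots satisfy the magnitude comparator, while the full-vector match accepts only the noisy genuine field.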


    Facial Recognition Algorithms

    In virtual reality construction software, ray optics are used to create unique reflections and shadows within a scene composed of 3D objects and convert the scene to a flat 2D image. Facial recognition algorithms attempt to reconstruct the 3D shape from the reflections and shadows in a 2D photograph, which is the reverse of the ray optics construct. The reverse does not always yield reliable or functionally unique results. This process uses one flat 2D image which it compares to another flat 2D image. This method of 3D object reconstruction does not necessarily yield reliable results. That is why the US government solicits for new more reliable algorithms with higher match statistics.

    Figure 10: Facial Recognition Algorithms.

    With a 3D magnetometer sensor array, we are measuring a 3D vector field directly, and comparing it to previously recorded 3D vector field measurements. This eliminates much of the algorithmic calculations since there is nothing to reconstruct. The unique 3D vector field is already defined. The problem is reduced to assuring that the 3D measured field matches the stored 3D field uniquely. These are, nevertheless, nontrivial calculations which must be performed in real time. There is also finite analog-to-digital (A/D) conversion time and storage access time, in addition to computation time to make the algorithmic comparisons. The AI must decide if there has been any tampering by examining field aberrations.

    Comparing the Classical BMS to the 3D Magnetometer

    The classical BMS was adequate before the new rare earth magnets became available and fit the technological era in which it was developed. It was more secure than the single magnetic contacts that are still used today. Nowadays, however, the BMS Method can no longer be considered substantially more secure than a single magnetic contact.

    Some of the potential advantages of the 3D Magnetometer approach compared to the classical BMS approach include substantially better security, fewer Make or Break failures (such as contact sticking), and potentially lower false alarm rates from shock, vibration, or electromagnetic interference (such as lightning). Law enforcement should be particularly interested in the false alarm reduction rate.

    Note that all classical BMS and high security switches use electrical contacts. The original BMS [2] and its subsequent competition [3] used glass reed magnetic contacts, which are a subclass of electrical contacts. Later versions of BMS used novel magnetic contacts based upon permanent magnets [5] that became part of the electrical contact. But, in all cases, electrical contacts have been used exclusively until recent years, when Hall sensors have been substituted for the electrical contacts.[8]

    The problem with electrical contacts is wear. The famous book by R. Holm [9] details all of the various wear and failure modes. A primary focus of electrical contact design is to retard the wear and delay the ultimate failure modes.

    “Reed switches or relays eventually fail in one of three ways. They do not open when they should (usually called “sticking”), they fail to close when they should (“missing”), or their static contact resistance gradually drifts up to an unacceptable level”.[10]

    Explicit detail on electrical contact wear was published by F. Llewellyn Jones.[11] There are numerous plates of wear and several showing electrical arcs resulting in material transfer. The physics of electrical arcs can be found in Thomson and Thomson [12], and Cobine [13].

    Vibration is also a fundamental failure mode and a principal source of false alarms in the BMS.

    “Next, consider which axis has the strongest opportunity for shock or vibration signals. Switch orientation will minimize and sometimes effectively eliminate the possibility of false signals and damage.”[14]

    Shock and vibration physics is presented in fine detail, including reed vibration, by Peek and Wagar.[15] More physics on shock impulse can be found in the Engineers’ Relay Handbook.[16]

    This all equates to the Mean Time Between Failures (MTBF). Standardized details for the measurement and calculation thereof can also be found in Engineers’ Relay Handbook.[16] MTBF is a purely statistical number with a distribution curve unique to the particular switch. The life rating is always specified at a nominal voltage and current. I personally have run life tests where switches failed within the first 10 actuations, when operated well within the specified operation envelope and having an MTBF of 1 million.


    Several references discuss susceptibility to electromagnetic interference (EMI), for which lightning, grouped with Electrostatic Discharge (ESD), is one example. Numerous texts on Electronic Compatibility discuss this in great detail. The major design references all address this type of failure mode and false contact generation.[15-19] One of my contractors always complained about the reed switch false alarm rates in areas with high electrical storm incidence.

    I have examined the design of all commercially available BMS of whatsoever type and have not found one single effort to harden any of the BMS security sensors against any kind of vibration or EMI, including lightning. They are all bare magnetic contacts with absolutely nothing else on board. Cut one open for yourself or have it X-rayed! In stark contrast, all of my 3D designs incorporate means intended to prevent any kind of interference, whether radiated or conducted. This includes common mode rejection and transient suppressors.

    Conclusion

    In this paper, I have brought up to date the history of Classical BMS’s. The evolution of the magnetic sensor technology has been driven to some extent by the need to overcome the Trivial Defeat attack. Basically, the BMS itself has not changed, only the sensors being used, yet these did not solve the problem. Many attempts have been made to substitute Hall sensors in this vein without success. There is one new device that was just presented at a trade show this year which is still going down this same path. The entire BMS device operational paradigm has to be rethought in favor of a completely new approach to detection and data analysis discussed in this paper.

    In my view, the best way to counter the Trivial Defeat is to detect and identify the 3D magnetic field and recognize it uniquely. There is a strong analogy to Facial Recognition techniques, but the salient feature of the new recognition algorithms is that they are based upon data collected by 3-dimensional vector sensor arrays. Unlike with biometrics, data conversions between 2 and 3 dimensions are unnecessary, saving enormous amounts of computation time. The most difficult aspect is creating the needed algorithms. They must operate in real-time, along with all the other on-board operations, to maintain a fully functional device, and still use minimal microcontroller space. It should also be clear that virtual prototype software is necessary to construct such a complicated device.

    References

    [1] JT Jackson, “Trivial Defeat of a Balanced Magnetic Switch”, Journal of Physical Security 5(1), 1-11 (2011), http://jps.rbsekurity.com

    [2] TJ Holce, “Magnetically Actuated Sensing Device”, US Patent 4,210,889, 1970.

    [3] JT Jackson, “High Security Balanced Type Magnetically Actuated Proximity Switch System”, US Patent 5,668,533, 1997.

    [4] Federal Specification Components for Interior Alarm Systems, Balanced Magnetic Switches, W-A-450/1 August 28, 1990, https://www.jrmagnetics.com/security/specs/wa450-1.pdf

    [5] JT Jackson, “Balanced Magnetic Proximity Switch Assembly”, US Patent 5,929,731, 1999.

    [6] JT Jackson, “The Jackson High Security Switch and Radio Frequency System”, Thesis UMI Number 1389436, 1997, www.jrmagnetics.com.

    [7] RG Johnston and JS Warner, “Unconventional Security Devices”, Journal of Physical Security 7(3), 62-126 (2014), especially pages 85-88.

    [8] Maureen VanDyke, How an Environment Affects a Magnetic Switch, MagneLink, Inc., 2019, https://www.magnelinkinc.com/blog/magnetic-switch-environment/

    [9] R Holm, Electrical Contacts Theory and Applications, Springer, 1958, 1967, 1981, 2000.

    [10] “Testing Reed Switches and Relays for Reliability”, Coto Technology, Inc., https://www.cotorelay.com/wp-content/uploads/2014/05/Testing_Reed_Switches__Relays_for_Reliability.pdf

    [11] FL Jones, The Physics of Electrical Contacts, Oxford at the Clarendon Press, 1957.

    [12] JJ Thomson and GP Thomson, Conduction of Electricity Through Gases, Dover, 1903, 1928.

    [13] JD Cobine, Gaseous Conductors, Dover Publications, 1941.

    [14] “Reed Switches in Shock and Vibration Environments”, HSI Sensing, 2017, https://www.hsisensing.com/reed-switches-shock-and-vibration-environments/

    [15] RL Peek and HN Wagar, Switching Relay Design, D. Van Nostrand Company, Inc., 1955.

    [16] Engineers Relay Handbook, Fourth Edition, National Association of Relay Manufacturers, Milwaukee, Wisconsin, 1966, 1980, 1991.

    [17] JP Lockwood, Applying Precision Switches, Micro Switch, 1972.

    [18] Designers’ Handbook & Catalog of Reed and Mercury Wetted Contact Relays, Magnecraft Electric Co., 1966.

    [19] National Association of Relay Manufacturers, Proceedings 42nd Relay Conference, May 9-11, 1994, Boston, Massachusetts.

    [20] UL, “UL634, Standards for Connectors and Switches for Use with Burglar-Alarm Systems”, https://standardscatalog.ul.com/standards/en/standard_634

  • Journal of Physical Security 12(3), 15-29 (2019)

    Physical Security Best Practices

    Irikefe Urhuogo-Idierukevbe, DBA*, Archie Addo, Ph.D., Timothy L. Anderson, DBA**, and Fazel Mohammed Khan, MBA*

    * School of Computer Sciences, University of the Cumberlands, Williamsburg, Kentucky

    ** DeVoe School of Business, Indiana Wesleyan University, Marion, Indiana

    Abstract

    The physical security market is estimated to grow from $69.63 billion in 2016 to $112.43 billion by 2021 (Willemsen & Cadee, 2018). In order to sustain this growth, reliable and capable security officers are needed. Security officers are an important aspect of organizations’ physical security. Without security officers, an organization can be vulnerable to uninvited guests that may harm an organization’s internal and external environment. When security officers are not monitoring the environments they are tasked with, they neglect important details that may detrimentally affect the organization’s physical environment. Even though security officers may be distracted by different internal and external factors within their work environments, they cannot afford to pay little attention to their surroundings. A security officer should be able to account for all the individuals entering the premises of an organization. Organizations can be innovative by implementing certain best practices for physical security. This paper discusses some of these best practices for physical security.

    Keywords: Security officers, organizations, command center, innovation, creativity

    Introduction

    Security officers work in a wide range of environments such as public and office buildings. As such, they are responsible for protecting and observing the physical environments of organizations (Fennelly, 2017; Thomas & Kenny, 2018; Willemsen & Cadee, 2018). Physical security can be defined as the protection of assets such as hardware, software, network personnel, and data from actions or events that could lead to significant loss or damage to an organization (Johnston & Warner, 2014). The damages or losses from lack of physical security in an organization include fire, burglary, vandalism, theft, arson, and terrorism (Tahir & Malek, 2017). A commonly adopted strategy in implementing physical security is controlling access to the organization by using different types of barriers such as gates, walls, and fences that are overseen by security personnel stationed at guard houses (Tahir & Malek, 2017). Even though security officers may be distracted by different internal and external factors within their work environments, they cannot afford to pay less attention to their surroundings. Thus, a security officer accounts for all the individuals entering the premises of an organization. Organizations can be innovative by implementing some best practices for physical security.

    Duties of Security Officers

    Security officers prevent risks, watch out for danger, and report any crime they may encounter (Doyle, Frogner, Andershed, & Andershed, 2016; Moreira, Cardoso, & Nalla, 2015). In an emergency, security officers may call for assistance from the police, fire, or ambulance services. Some security officers may be armed while others may simply carry a stun gun (Fennelly, 2017; Moreira, Cardoso, & Nalla, 2015). Whether a security officer works at a shopping center or in a bank, he or she has a significant job to do, which is to prevent crime or harm to the organization (Doyle et al., 2016).

    Research shows that some security officers provide surveillance around the clock by working shifts of eight hours or longer with rotating schedules (Fennelly, 2017). Others spend substantial time on their feet, either assigned to a specific post or patrolling buildings and grounds (Noronha, Chakraborty, & D’Cruz, 2018). Such patrol routines are especially useful during holidays in conjunction with various festivals or school vacations when many residents leave their homes empty (Moreira, Cardoso, & Nalla, 2015). Because many burglaries occur during such periods, patrol frequency increases (Tahir & Malek, 2017).

    A security officer is responsible for ensuring that all individuals within the premises are properly identified (Noronha et al., 2018). An unobservant officer might easily overlook something that could put lives in danger or miss out on witnessing a crime (Willemsen & Cadee, 2018). Often an organization’s personnel are given an identification card or badge that verifies their identity and permits them to access the organization’s buildings (Fennelly, 2017). Guests are sometimes provided with a guest pass that allows them temporary access to facilities in the organization (Rowland & Coupe, 2014). Figure 1 outlines some of the responsibilities of security officers.

    Figure 1. Security Officers Responsibilities

    Best Practices for Physical Security

    Inasmuch as security officers’ tasks can be repetitive in nature, security officers need to be innovative in their various responsibilities. Physical security has come a long way, especially with the innovation of information and artificial intelligence (Fennelly, 2017). The application of physical security has the potential to preserve security and peace of mind in a business environment. Indeed, business innovation is vital to the success of any organization. For organizations to meet global demand and trends, organizational management needs to be innovative in order to meet the growing needs of their customers. Innovation is not restricted to only the business aspect of organizations; it is also vital to the physical security aspect of an organization. Some ways organizations can be innovative are investing in portable security devices, investing in a comprehensive security system, and providing customized training for all security officers. This section suggests four ways security officers can be innovative.

    Portable Physical Security

    While security officers are expected to be vigilant, they cannot be everywhere at the same time. For instance, if security officers need to check an office or an area in the building, they should be able to use portable visual surveillance to supervise the other locations as they make their way to their destination. Security officers need portable technological devices that would enable them to supervise areas and locations that are inside and outside of the organization. When a threat is detected, such officers can reach out to other security officers for help to check the locations that need attention (Rowland & Coupe, 2014). By developing a security service that is built on mobile surveillance units, security officers can move around their organization freely without having to rush back to the command post in order to observe activities in other areas of the organization. The portable surveillance technology should not replace the organization’s current surveillance technology, but rather complement the surveillance system that is already in place.

    Using a location tracker for guards can increase security team accountability. This would increase real-time reporting and communication (Wang, 2018). In case of an incident, it can be reported with supporting evidence. This approach can save time and extra effort in gathering details of an incident (Fennelly, 2017). Photos and videos can be loaded quickly and easily to support incident reporting. Real-time communications allow the security officers to quickly assess the situation and notify the management of the organization.

    Another best practice includes implementing robots to carry out surveillance rounds without human intervention. This approach can help security officers with touring the facility or campus, which can be monotonous work that often leads to fatigue and boredom. For large organizations, a land-based drone can be used on site for emergencies. The drone can get to a site faster than security officers. The use of drones can also lead to minimizing harm when security officers are physically monitoring a dangerous situation.

    Considering that security officers are tasked with monitoring the environment of organizations, it is important for security officers to be alert and observant of the activities in their organization’s environments (Moreira, Cardoso, & Nalla, 2015; Noronha et al., 2018). Security officers view hundreds of live feeds from their control center daily. As such, they are expected to recognize unwanted intruders or threats before the threat becomes a problem. When a threat is detected, security officers often use the camera in their command center to navigate the environment of the threat (Saarikkomäki & Kivivuori, 2016). When navigating the camera from the control center, security officers focus on the area of the threat to see what is happening. In some cases, it might just be that someone left an unidentified package, while other threats might simply be a building that is left open by employees. Whatever the threat may be, the command center needs to use the cameras in their post to investigate the threat before going out to the site of the threat in person.

    Comprehensive Security System

    Just as portable security systems can make access to a remote location easier for security officers, a comprehensive security system can reduce the workload of security officers. One of the best practices to consider in terms of physical security is investing in security systems that would help an organization to keep track of incident reports or alerts in their business environment. A security system such as Securitas’ Connect/Vision can help management determine incident status and the organization’s daily activities in their business environment simply by logging into Securitas’ website. Because different people may go in and out of a room or building often, it is important that security personnel are on high alert for uninvited guests. When the command center notices any movement that is suspicious, they need to check it at once to ensure it is not a threat that would potentially affect the daily operation of the organization. All potential threats in a work environment should be investigated; no threat should be considered too insignificant to be investigated (Rowland & Coupe, 2014). By logging into Securitas’ website, management can recognize areas in which security needs to be strengthened. Considering that physical security in a work environment is vital to the daily operation of an organization, it is important for leaders of organizations to invest in technology that would help them to be innovative and that would set them apart from their competitors.

    Another best practice for physical security is ensuring that the command center operators keep detailed documentation of the incidents and threats they observe or witness in person. Because security command center operators observe different live incidents as they happen, they are in a better position to provide details of what happened (To et al., 2018). As threats are documented and recorded, security officers can revisit the event by reviewing the recordings so that they will have all the details they need to document the incident for upper management or the police in case they need written documentation of the events (Rowland & Coupe, 2014). Even though written documentation of the footage may be needed, the organization may have a written policy of how long the command center is to keep the footage. Some organizations may keep footage for six months, while others keep it for a year. The duties in different work environments can be challenging for security officers (Botacin, 2018). From scheduling shifts to sending reports to organizational management, this can be overwhelming. A monitoring software application can reduce these overwhelming tasks by streamlining administration duties. The benefits of this approach include avoiding shift scheduling errors, communication mishaps, and other common problems that can disrupt the ability to deliver reliable security service.

    A security guard monitoring system can ensure that the guards and the organization are protected (Fennelly, 2017). A typical example is a push notification indicating that a security officer failed to arrive at a checkpoint. This could provide an alert of a medical emergency being experienced by one of the employees. The guard recording via video can link to law enforcement to identify and quickly apprehend intruders who may break into the organization premises. Tracking and communications are critical elements of a high-quality monitoring system that can lead to physical and financial safety for the organization.

    Another best practice to consider in terms of physical security is investing in a patrol monitoring system. This significantly increases accountability. Other tools that contribute to accountability include automatic timekeeping, Global Positioning System (GPS) tracking for specific locations, and electronic checkpoints to ensure that the security officers are following shift procedures, showing up for their patrols on time, and performing all other duties. Such high-tech systems should send automatic alerts when a guard fails to report at strategic locations in a timely manner.
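
    The missed-checkpoint alerting described in the two paragraphs above can be sketched as follows. This is an added example, not part of the original paper or of any vendor's product; the checkpoint names, patrol schedule, grace period and scan-log format are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed patrol plan (assumption): checkpoint tag -> minutes after shift
# start by which the guard should have scanned it.
PATROL_PLAN = [("gate-A", 10), ("lobby", 25), ("loading-dock", 40), ("server-room", 55)]
GRACE = timedelta(minutes=5)  # assumed tolerance before an alert is raised

# Constructed scan log, one record per line: ISO timestamp,guard id,checkpoint tag
SCAN_LOG = """\
2019-11-02T22:08:00,guard-17,gate-A
2019-11-02T22:33:30,guard-17,lobby
not-a-scan-record
2019-11-02T22:41:00,guard-09,loading-dock
2019-11-02T22:58:10,guard-17,server-room
2019-11-02T22:58:40,guard-17,server-room
"""


@dataclass(frozen=True)
class Alert:
    checkpoint: str
    kind: str          # "late" or "missed"
    deadline: datetime
    detail: str


def parse_scans(log, guard):
    """Return (scans, rejected): time-ordered (timestamp, checkpoint) pairs for
    one guard, plus the raw lines that could not be parsed."""
    scans, rejected = [], []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        try:
            if len(fields) != 3:
                raise ValueError("expected 3 fields")
            stamp = datetime.fromisoformat(fields[0])
        except ValueError:
            rejected.append(line)  # keep for review; a faulty reader is a finding too
            continue
        if fields[1] == guard:
            scans.append((stamp, fields[2]))
    return sorted(scans), rejected


def evaluate_patrol(shift_start, plan, scans, now, grace=GRACE):
    """Compare one guard's scans with the plan as of `now`; return the alerts."""
    seen = [(ts, cp) for ts, cp in scans if shift_start <= ts <= now]
    alerts = []
    for checkpoint, due_minutes in plan:
        deadline = shift_start + timedelta(minutes=due_minutes) + grace
        first = next((ts for ts, cp in seen if cp == checkpoint), None)
        if first is not None and first <= deadline:
            continue  # scanned in time
        if first is not None:
            late = int((first - deadline).total_seconds())
            alerts.append(Alert(checkpoint, "late", deadline,
                                f"scanned {late}s after deadline"))
        elif now > deadline:
            # No scan at all: report where the guard was last seen before the
            # deadline, so responders know where to start looking.
            prior = [(ts, cp) for ts, cp in seen if ts <= deadline]
            where = (f"last seen at {prior[-1][1]} {prior[-1][0]:%H:%M:%S}"
                     if prior else "no scans this shift")
            alerts.append(Alert(checkpoint, "missed", deadline, where))
        # otherwise the deadline has not been reached yet: nothing to report
    return alerts


if __name__ == "__main__":
    shift = datetime(2019, 11, 2, 22, 0)
    scans, rejected = parse_scans(SCAN_LOG, "guard-17")
    for alert in evaluate_patrol(shift, PATROL_PLAN, scans, datetime(2019, 11, 2, 23, 0)):
        print(f"{alert.kind.upper():6} {alert.checkpoint:13} {alert.detail}")
    print("unparsed records:", rejected)
```

    A scan by another guard at the same checkpoint does not clear the alert, and unparsed records are returned rather than silently dropped so that a failing reader is noticed.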

    Security Curriculum

    An organization’s managers need to outline the training curriculum for their security officers, and also identify appropriate education institutions to help train future security guards for the organization. Even though security officers are trained using a basic curriculum, every organization is different and as such, one-size-fits-all security training may not be enough for every organization. Thus, creating a standard training guideline for all security officers can help an organization hire and retain qualified security officers.

    A best practice to consider in terms of physical security is training security officers on how to avoid physical breaches within an organization. Often the damages from lack of physical security are overlooked by an organization’s upper management. If a proper approach is taken, damage can be prevented or mitigated. Security officers need to ensure obstacles are placed in the way of potential intruders. Physical sites need to be safeguarded to avoid accidents, attacks, and environmental disasters. These obstacles can include locks, fencing, access control systems (including biometrics), and fire suppression. Figure 2 depicts how innovation is applicable to an organization’s physical security. Figure 3 conveys a model for an organization’s physical security.

    Figure 2: Innovation and Organization’s Physical Security.

    Figure 3: Organization’s Physical Security Model

    Education

    Because security officers’ jobs require substantial responsibilities and skills, there is a need to train security officers appropriately. For learning to be effective and relevant to real-world situations, it is essential to follow the proper content design and teaching practices. There should be an established process to help security officers effectively transfer the information they learned to their work responsibilities. Weber (2014) noted that leaders of an organization need to build application objectives and transfer processes that would support the learning transfer process. Education and training present a prime opportunity to expand the knowledge of all security officers.

    Education and training provide both the organization as a whole and security officers with benefits that make the cost and time a worthwhile investment. Providing the necessary training creates knowledgeable staff who can take over for one another as needed as the organization sees fit and staff who can work on teams or independently without constant help and supervision from others (Fennelly, 2017). Education and training also build security officers’ self-reliance as a result of developing a robust understanding of the security industry and the responsibilities of their jobs. This self-assurance motivates security officers to perform their duties better and think of new ideas that would help them advance in their careers. Continuous training also keeps security officers informed of industry developments.

    Summary

    In order to ensure that an organization’s physical environment is secure, organizational management needs to ensure that they introduce best practices for physical security. The best practices that are introduced within an organization should correspond with the organization’s goals and objectives. The Internet of Things (IoT) is growing very quickly and there is an even greater need to protect organizations. Organizations have a duty to protect their infrastructure and the devices in their environment. After thorough identification of physical security risks, there is a need to provide appropriate training to the organization’s security officers who are assigned to specific posts (Klein, Ruiz, & Hemmens, 2019).

    About the Authors

    Irikefe Urhuogo-Idierukevbe is a professor of information technology at the University of the Cumberlands. She has been with the university for three years. Her areas of research include business administration, information technology and information system management.

    Archie Addo is a professor of information technology at the University of the Cumberlands. He has been with the university for two years. His areas of research include big data, information technology, information system management, data science, and information security.

    Timothy L. Anderson is a professor of business at Wesleyan University. He has been with the university for 3 years. His area of research includes business administration and management.

    Fazel Mohammed Khan is an Executive Master Level Student at the School of Computer Sciences, University of the Cumberlands, Williamsburg, Kentucky.

    References

    Ardic, C., Usta, O., & Ozturk, G. Z. (2018). The relationship between the situation of being exposed to violence and the burnout in security guards working in the hospital. Konuralp Medical Journal / Konuralp Tip Dergisi, 10(2), 153–159.

    Botacin, M., De Geus, P. L., & Grégio, A. (2018). Who Watches the Watchmen: A Security-focused Review on Current State-of-the-art Techniques, Tools, and Methods for Systems and Binary Analysis on Modern Platforms. ACM Computing Surveys, 1(51), 1–34.

    Doyle, M., Frogner, L., Andershed, H., & Andershed, A.-K. (2016). Feelings of safety in the presence of the police, security guards, and police volunteers. European Journal on Criminal Policy & Research, 22(1), 19–40.

    Fennelly, L. J. (2017). Effective physical security (5th ed.). Elsevier Inc.

    Johnston, R. G., & Warner, J. S. (2014). Is physical security a real field? Journal of Physical Security, 7(3), 13–15.

    Klein, M. S., Ruiz, L., & Hemmens, C. (2019). A statutory analysis of state regulation of security guard training requirements. Criminal Justice Policy Review, 30(2), 339–356.

    Moreira, S., Cardoso, C., & Nalla, M. K. (2015). Citizen confidence in private security guards in Portugal. European Journal of Criminology, 12(2), 208–225.

    Noronha, E., Chakraborty, S., & D’Cruz, P. (2018). ‘Doing dignity work’: Indian security guards’ interface with precariousness. Journal of Business Ethics. https://doi.org/10.1007/s10551-018-3996-x

    Rowland, R., & Coupe, T. (2014). Patrol officers and public reassurance: A comparative evaluation of police officers, PCSOs, ACSOs and private security guards. Policing & Society, 24(3), 265–284.

    Saarikkomäki, E., & Kivivuori, J. (2016). Encounters between security guards and young people: the extent and biases of formal social control. Policing & Society, 26(7), 824–840.

    Tahir, Z., & Malek, J. A. (2017). Elements of security for a gated and guarded community in the context of smart living. E-BANGI Journal, 12(3), 1–11.

    Thomas, S. A., & Kenny (2018). Modernizing the coast guard financial community. Armed Forces Comptroller, 1(63), 39–40.

    To, W.-M., Lee, P. K. C., & Lam, K.-H. (2018). Building professionals’ intention to use smart and sustainable building technologies – An empirical study. PLoS ONE, 13(8), 1–17.

    Wang, J., Hong, Z., Zhang, Y., & Jin, Y. (2018). Enabling security-enhanced attestation with Intel SGX for remote terminal and IoT. IEEE Transactions on Computer-Aided Design of Integrated Circuits & Systems, 1(37), 88–96.

    Weber, E. (2014). Turning learning into action: A proven methodology for effective transfer of learning. London, England: Kogan Page.

    Willemsen, B., & Cadee, M. (2018). Extending the airport boundary: Connecting physical security and cybersecurity. Journal of Airport Management, 12(3), 236–247.

  • Journal of Physical Security 12(3), 30-32 (2019)

    Viewpoint Paper

    Design Reviews Versus Vulnerability Assessments for Physical Security*

    Roger G. Johnston, Ph.D., CPP
    Right Brain Sekurity
    http://rbsekurity.com

    * This paper was not peer reviewed.

    A Vulnerability Assessment (VA) involves identifying and perhaps testing/demonstrating security flaws and likely attack scenarios, then recommending changes to how the security device, system, or program is designed or used. This is done in hopes of improving security.

    Getting security managers and organizations to pursue a VA can be challenging. For one thing, VAs often get confused with other, more familiar and comfortable analysis techniques which either (1) aren’t primarily about vulnerabilities at all, or (2) do have something minor to say about vulnerabilities but aren’t typically very good at profoundly uncovering new vulnerabilities. [1,2] For example, a VA is not a “test” or a “certification” process for a security product or program. It is something quite different from “Red Teaming”, penetration testing, security surveys, Threat Assessments, Risk Management, fault/event trees, and Design Basis Threat, though these things might well be worth doing.

    Another impediment to arranging for VAs is that they are typically time-consuming and relatively expensive. This is especially true given that VAs should ideally be done periodically and iteratively from the earliest design stage through marketing and deployment of a new security product, system, strategy, or program.

    Perhaps more daunting, VAs are often feared by security managers and organizations because an effective VA will inevitably uncover multiple vulnerabilities. In my view, this is the wrong mindset for thinking about security, but it nevertheless is quite common. Finding a vulnerability is actually good news because vulnerabilities are always present in large numbers, and finding one means we can potentially do something about it. Moreover, it is my experience that serious vulnerabilities can often be mitigated or eliminated with simple changes to the design of a security product/program, or how it is used. But the security improvements aren’t possible if the vulnerabilities go unrecognized!

    I have found that many security managers and organizations are much more comfortable with a “Design Review”, rather than a Vulnerability Assessment. Arranging for a review of the design of a security product, system, strategy, or program is more familiar (and a whole lot less scary) than targeting security flaws. In a Design Review, there is a brief review of the design and engineering issues, and then recommendations are offered for improving the design or the use protocol. Fewer vulnerabilities, attack scenarios, and countermeasures are developed in a Design Review than for a VA, and they are typically not tested or demonstrated like in a VA.

    While a Design Review will not permit as deep an understanding of vulnerability issues as a VA, it still offers the security manager or organization the opportunity to improve their security at modest cost in a short period of time. Moreover, in my experience, about half of the organizations that arrange for a Design Review eventually commission a Rudimentary Vulnerability Assessment (RVA) or a Comprehensive Vulnerability Assessment (CVA) once they see the results and recommendations from the Design Review, and that those results aren’t all that frightening. Most of the work that went into the Design Review is directly applicable to conducting either a RVA or a CVA. The main differences between a RVA and a CVA are time, cost, and the number of vulnerabilities, attacks, and countermeasures that can be found and demonstrated.

    An alternative to a Design Review is a Market Analysis where a new security product is compared to existing products. Potential applications and end users are also identified. A Market Analysis can be a relatively non-frightening way to introduce some vulnerabilities issues and potential countermeasures without seeming to overtly criticize the security product or service.

    The bottom line: sometimes a Design Review or a Market Analysis can sneak in information about vulnerabilities, attack scenarios, and possible countermeasures in a more palatable way than a Vulnerability Assessment. This can be helpful for security managers and organizations who are hesitant or fearful of learning about their security vulnerabilities, or don’t have the time or funding for a true Vulnerability Assessment.

    About the Author

    Roger G. Johnston, Ph.D, CPP is head of Right Brain Sekurity (http://rbsekurity.com), a company devoted to design reviews, vulnerability assessments, market analyses, and R&D for physical security. LinkedIn: http://www.linkedin.com/in/rogergjohnston.

    References

    1. RG Johnston, “Being Vulnerable to the Threat of Confusing Threats with Vulnerabilities”, Journal of Physical Security 4(2), 30-34, 2010, http://jps.rbsekurity.com.

    2. RG Johnston and JS Warner, “Debunking Vulnerability Assessment Myths”, SecurityInfoWatch, August 6 & 13, 2013, Part 1: http://www.securityinfowatch.com/article/11078830/experts-discuss-commonly-held-misconceptions-about-vulnerability-assessments Part 2: http://www.securityinfowatch.com/article/11108983/experts-discuss-the-characteristics-of-good-vulnerability-assessors