Does Enterprise Physical Security Count as a ‘Real’ Field?
We define physical security as measures taken to protect tangible physical assets from harm.
With a 10,000+ year history and many tens of thousands of practitioners, it may seem odd to maintain – in a periodical devoted to security no less! – that physical security isn’t a real field. But in many ways, it’s not.
We define physical security as measures taken to protect tangible physical assets (people, buildings, money, drugs, museum artifacts, etc.) from harm. But enterprise physical security also involves deploying corporeal means (access control devices, guards, fences, etc.) to protect intangible assets (intellectual property, PII, sensitive information, digital data, etc.).
In a “real” field – think physics, anthropology or business for example – there is usually a plethora of fundamental principles, experimental and case studies, and models/theories that make specific predictions that can be tested. There are a wide range of available metrics, meaningful standards, licenses and certifications, rigor, ongoing debates and controversies, critical thinking and creativity. Snake oil, product hype, misleading claims and charlatanism, while unavoidably present, tend to get weeded out fairly reliably. Committees, groupthink and linear/concrete thinkers don’t dominate the field.
It would not be fair or accurate to say that enterprise physical security totally lacks these attributes, but it clearly has far less than the much newer field of cybersecurity, for example (not to even mention a field like medicine).
Continuing our comparison with cybersecurity, where are the degrees in physical security from major four-year research universities? Try calling up your closest flagship university and ask for the people who work on cybersecurity. You may be connected with any number of departments doing cybersecurity research: computer science, mathematics, the IT department, electrical engineering, the business school, etc. Ask instead for the people dealing with physical security, and you are likely to be put in touch with the folks who arrest those who get out of hand.
Certainly, some undergraduate and graduate degrees touch on physical security: degrees in homeland security, criminology, or forensics, for example. But the first is often more about public administration or management than physical security, the second may utilize physical security but isn’t primarily devoted to studying it, and the third is fairly far afield.
And where is the research and development (R&D)? There are many national and international conferences where cybersecurity researchers go to discuss their theories, mathematical models, controlled experiments, double-blind tests and rigorous case studies. Most conferences devoted to physical security, on the other hand, primarily entail seasoned security practitioners sharing “war stories” and vague generalizations about what they have learned over the years.
The table here hints at the lack of enterprise physical security R&D. It shows the number of peer-reviewed journals devoted to various fields. Physical security falls far short of other “fields,” including the field of astrology! (Note that there are a number of excellent trade journals, including this one, that include coverage of physical security, but these are not peer-reviewed and usually not devoted to just physical security.)
Caveats: There may be more peer-reviewed journals than we were able to find (especially in languages other than English), but the table shows at least the minimum number. Note that some peer-reviewed journals count in multiple fields, e.g., the Journal of Hospitality, Leisure, Sport & Tourism Education. A larger number of peer-reviewed journals than shown here may occasionally accept papers in a given field, but aren’t primarily dedicated to that field. Trade journals (typically not peer-reviewed) are not included in the table.
Some people might maintain that physical security is a trade, not something that can be studied in a rigorous or scholarly manner. We disagree. Medicine and Hotel/Motel Management are also trades, but both fields have large amounts of very active and quite rigorous research efforts. In comparison with cybersecurity (which is a real field and has loads of rigorous R&D), physical security is more multidisciplinary, multidimensional and complex. Physical security is also more important. When physical security fails, people may die.
So, what is to be done? We believe we need more emphasis on rigorous R&D and physical security education. We need more enterprise security R&D conferences, and more scholarly peer-reviewed journals devoted to physical security. Importantly, we also need more authors/speakers willing to write/talk about their models, theories, analyses, controlled experiments, speculations and case studies. We need this from both technical and social science specialists.
Ultimately, we need to start thinking about physical security and enterprise security management as something that can be a highly scholarly research subject, interesting not just for its practical applications, but because it is a fundamentally fascinating field for study. Perhaps with more rigor, scholarship and R&D, we can have more effective physical security; as vulnerability assessors, we find remarkably poor practices and hardware on a regular basis, including for very critical security applications.
About the Authors: The views expressed here are those of the authors and should not necessarily be ascribed to Argonne National Laboratory or the United States Department of Energy. Roger Johnston, Ph.D., CPP and Jon Warner, Ph.D. are part of the Vulnerability Assessment Team (VAT) at Argonne. The VAT has provided consulting, training, vulnerability assessments, R&D, and security solutions for more than 50 government agencies and private companies.