Physical Security

Does Enterprise Physical Security Count as a ‘Real’ Field?

We define physical security as measures taken to protect tangible physical assets from harm.

May 1, 2014
Trans

With a 10,000+ year history and many tens of thousands of practitioners, it may seem odd to maintain – in a periodical devoted to security no less! – that physical security isn’t a real field.  But in many ways, it’s not.

We define physical security as measures taken to protect tangible physical assets (people, buildings, money, drugs, museum artifacts, etc.) from harm. But enterprise physical security also involves deploying corporeal means (access control devices, guards, fences, etc.) to protect intangible assets (intellectual property, PII, sensitive information, digital data, etc.).

In a “real” field – think physics, anthropology or business for example – there is usually a plethora of fundamental principles, experimental and case studies, and models/theories that make specific predictions that can be tested.  There are a wide range of available metrics, meaningful standards, licenses and certifications, rigor, ongoing debates and controversies, critical thinking and creativity.  Snake oil, product hype, misleading claims and charlatanism, while unavoidably present, tend to get weeded out fairly reliably. Committees, groupthink and linear/concrete thinkers don’t dominate the field.

It would not be fair or accurate to say that enterprise physical security totally lacks these attributes, but it clearly has far less than the much newer field of cybersecurity, for example (not to even mention a field like medicine).

Continuing our comparison with cybersecurity, where are the degrees in physical security from major four-year research universities? Try calling up your closest flagship university and ask for the people who work on cybersecurity. You may be connected with any number of departments doing cybersecurity research: computer science, mathematics, the IT department, electrical engineering, the business school, etc.  Ask instead for the people dealing with physical security, and you are likely to put in touch with the folks who arrest those who get out hand.

Certainly, some undergraduate and graduate degrees touch on physical security: degrees in homeland security, criminology, or forensics, for example. But the first is often more about public administration or management than physical security, the second may utilize physical security but isn’t primarily devoted to studying it, and the third is fairly far afield.

And where is the research and development (R&D)?  There are many national and international conferences where cybersecurity researchers go to discuss their theories, mathematical models, controlled experiments, double blind tests and rigorous case studies.  Most conferences devoted to physical security, on the other hand, primarily entail seasoned security practitioners sharing the “war stories” and vague generalizations about what they have learned over the years.

The table here hints at the lack of enterprise physical security R&D. It shows the number of peer-reviewed journals devoted to various fields. Physical security falls far short of other “fields,” including the field of astrology! (Not that there are a number of excellent trade journals, including this one, that include coverage of physical security, but these are not peer-reviewed and usually not devoted to just physical security.) 

Caveats: There may be more peer-reviewed journals than we were able to find (especially in languages other than English), but the table shows at least the minimum number.  Note that some peer-reviewed journals count in multiple fields, e.g., the Journal of Hospitality, Leisure, Sport & Tourism Education.  A larger number of peer-reviewed journals than shown here may occasionally accept papers in a given field, but aren’t primarily dedicated to that field. Trade journals (typically not peer-reviewed) are not included in the table.

Some people might maintain that physical security is a trade, not something that can be studied in a rigorous or scholarly manner. We disagree. Medicine and Hotel/Motel Management are also trades, but both fields have large amounts of very active and quite rigorous research efforts. In comparison with cybersecurity (which is a real field and has loads of rigorous R&D), physical security is more multidisciplinary, multidimensional and complex. Physical security is also more important. When physical security fails, people may die. 

So, what is to be done?  We believe we need more emphasis on rigorous R&D and physical security education. We need more enterprise security R&D conferences, and more scholarly peer-reviewed journals devoted to physical security. Importantly, we also need more authors/speakers willing to write/talk about their models, theories, analyses, controlled experiments, speculations and case studies. We need this from both technical and social science specialists.

Ultimately, we need to start thinking about physical security and enterprise security management as something that can be a highly scholarly research subject, interesting not just for its practical applications, but because it is a fundamentally fascinating field for study. Perhaps with more rigor, scholarship and R&D, we can have more effective physical security; as vulnerability assessors, we find remarkably poor practices and hardware on a regular basis, including for very critical security applications.

 

About the Authors: The views expressed here are those of the authors and should not necessarily be ascribed to Argonne National Laboratory or the United States Department of Energy. Roger Johnston, Ph.D., CPP and Jon Warner, Ph.D. are part of the Vulnerability Assessment Team (VAT) at Argonne.  The VAT has provided consulting, training, vulnerability assessments, R&D, and security solutions for more than 50 government agencies and private companies. 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Roger Johnston

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

August 2014

2014 August

In the August issue of Security Magazine, read about the public-private partnerships and the future of DHS with Frank Taylor, sneak a peek at the ASIS 2014 security products, and read a special report on cyber risk and security. Also in this issue find out why America is in desperate need of a CSO and the most common mistakes in Cyber incident response. The security game has dramatically changed since September 11th, read about what enterprises are doing to keep Americans safe and sound.

Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+