When there’s an internal or external event on the horizon, physical security is crucial. The best strategy is to conduct a comprehensive physical security threat assessment well before the event to evaluate the threats that face the enterprise and develop contingency plans to secure the organization before, during and after events.
“It’s better to have a plan in place that has been created in a non-stressful situation,” says Jack Leskovar, Director of Security and Risk Management at Edgewood College in Madison, Wisconsin. “We try to come up with every complication that we can think of prior to an incident actually happening because the worst thing would be for something bad to happen and you’re trying to devise the plan as you go along.”
A comprehensive physical security threat assessment is a complex project, but “it’s worth its weight in gold,” says Anthony Brown, Director of Risk and Emergency Management at Gonzaga University in Spokane, Washington, and Owner of S5 Risk Management LLC. “Risk is a result of thousands of small factors. The trick is to identify as many factors as possible to accurately reflect risk, as well as all the opportunities to manage that risk. A threat assessment is an effective tool for providing that context in an efficient manner.”
1. Identify threats and hazards
In every threat assessment, Brown says a skillful assessor will consider factors such as insider threats, external threats, natural disasters, cyber threats, active shooter threat, criminal behavior in the region, and legislation that impacts the ability to prevent and respond to threats or that increases the likelihood of events.
One standard threat assessment process to consider is the Threat and Hazard Identification and Risk Assessment (THIRA), which divides threats and hazards into three categories: natural, technological and human-caused. THIRA uses “objective analysis to build a comprehensive view of threats the organization faces, and the impacts should those threats occur,” says Brown.
The security team may already have a baseline list of security threats thanks to regular general risk assessments or yearly events. However, this will need to be updated for each event to keep up with current events, points out Harris D. Schwartz, a strategic security advisor in Las Vegas.
Gather as much data as possible. “As trivial as that information may seem, it’s going to be important to put that full picture together of what you’re dealing with,” Leskovar says.
Include other departments
A threat assessment should involve every department that either contributes to or is impacted by any risk factors. “Every department has value to add to a comprehensive threat assessment and can inform it with concerns, incidents and ongoing issues,” says Brown.
At Edgewood College, the threat assessment team involves people from Residence Life, Student Development, the Wellness Center, and Student Inclusion and Involvement.
“We meet weekly to address the students that may have some issues or stressors so we can prevent incidents and help them be successful,” Leskovar says. “It’s almost like a mentorship process, and it has been phenomenal.”
Gather threat intelligence
Schwartz says it’s a good idea to collect threat intelligence prior to and during the event, and in some cases after the event too. “If people are talking about it, especially special interest groups and other threat actors, it’s important to have a full picture, especially because you’re most likely going to be holding that event again,” he says.
"Every department has value to add to a comprehensive threat assessment.”
— Anthony Brown, Director of Risk and Emergency Management at Gonzaga University
2. Assess vulnerabilites
A comprehensive threat assessment should include a vulnerability assessment “because it will identify the factors that are contributing to risk and therefore identify opportunities for improvement,” says Brown. This includes identifying at-risk assets and the financial losses should the specific threat occur, as well as evaluating the target’s appeal while also considering the current security countermeasures that are in place.
Review access control
Schwartz stresses the importance of evaluating access control. Onsite events give you better control over physical access, but in an external venue, it’s essential to review all the potential ways that someone could access the event. “There could be access points that you’re not even aware of, so ensure that you’ve done a full review,” Schwartz says.
“We look at the buildings and event sites here and what would be the most reasonable way that an attacker could access a building or an event undetected,” says Leskovar. “We’re in a college environment and the doors are all open in public spaces, so we have to find other solutions to mitigate threats.”
A threat assessment should identify existing physical security components, along with how effective they are in decreasing the likelihood of or the impact of a threat against your organization, Brown says. This allows you to pinpoint vulnerabilities and decide which mitigation projects are a high priority.
Perform an advance survey
If the event is external, Schwartz believes an advance assessment of the location is essential, though he acknowledges that not all organizations do this. “You’re assessing where the event is actually going to take place and building your understanding of the surroundings in the area, including knowing where hospitals are and meeting with local law enforcement,” says Schwartz. Security teams can also check lighting, maintenance and other environmental factors.
Innocent situations can quickly be spun into major issues via gossip and rumors, especially in educational environments. Because of this, Leskovar believes that an effective, complete threat assessment should involve a focus on behavior. “If we skip the behavioral side of it, we’re missing a lot,” he says. This is why changes in behavioral patterns are critical to the prediction and mitigation of incidents.
Survey the security climate
“The largest weakness in most security systems is people. Conversely, people are the most important asset organizations employ to reach their goals,” Brown says. In other words, any threat assessment should include the people in your enterprise.
Brown believes understanding the security culture is vital to finding strengths and weaknesses in an organization and that it can give valuable insight into risk factors, especially when it comes to the vulnerability assessment. Survey questions should be deliberately worded so that security is able to discern between relevant factors such as security awareness, compliance and weaknesses, Brown says.
3. Make a plan
Once threats and vulnerabilities have been assessed, you need to have a well-documented plan in place regarding areas such as crisis communication and incident response, Schwartz says.
This plan should be as simple and clear as possible. “I can give you a telephone book full of rules and regulations and then an incident occurs and no one’s looking at that book,” Leskovar says. “If an incident occurs, (the team) is going to be under a tremendous amount of stress and they’re going to be relying on very basic information in steps that they can follow.”
Brown says generating a risk analysis from the data security has collected can give the function an opportunity to educate stakeholders on risk factors. “By including the vulnerability rankings of each threat into a single chart, a threat assessment can also provide a by-default prioritization list of threats,” he says.
A comprehensive security assessment is not only an opportunity to engage stakeholders, Brown says it’s also an opportunity to educate security officers in the organization. In another role, “I had an expectation that every officer of a certain rank and above should be able to clearly articulate the why behind their tasks,” he says. “Performance improved dramatically from a connection to this higher perspective, as did job satisfaction and employee retention.”