To most people, the term “access control” refers to beeping key-card readers, little lights turning from red to green, doors unlocking and turnstiles opening, but access control also happens to be one of the most important duties that a security officer is tasked with. Whether access control is carried out by electronic means, human actions, or both, the idea is quite simply to control the access of individuals into restricted or controlled areas. There is a human factor of access control, and a correct way to train your enterprise’s security officers to perform this vital task.
First consider where access control should begin. Most people, when thinking about the dynamics of access control, picture it as a verbal and visual interaction between a visitor and a security officer or receptionist – questions and answers might be exchanged, identification might be verified, appointments or guest lists might be consulted. In short, access control appears to take place right at the entrance, at a distance of a few feet between the two parties. And though this type of dynamic is a crucial part of access control, it is only the last part of it.
One of the most important things to teach is that access management should ideally begin as soon and as far away as possible – as soon as a person is first seen to be heading towards the access point. An ideal situation would depend on the access point being configured, and the officer or receptionist being positioned, in a way that would allow a wide field of vision, but the point still remains even in closer quarters – an enterprise’s gatekeeper should begin his or her assessment of an individual as soon as possible, from as far away as possible. This will give them valuable time and distance (even if it is only seconds and feet) to better assess the individual, and act quickly if necessary, before the individual reaches the access point. After all, people do not simply materialize in front of secured entrances; they have to come from somewhere.
As officers screen approaching individuals from a distance, training programs should emphasize the two main visible factors: general appearance (clothing, bags, objects being carried, etc), and body language (stride, demeanor, interaction with environment, focus, etc). It is important to keep in mind that appearance and body language must be assessed within the context of their environments before any determinations of suspicion are made – what might seem suspicious in one area during the day, might be very normal in another part of town at night. Enterprise security leaders should tailor their training programs for each location.
As the distance decreases, the assessment becomes finer and more detailed. A good analogy here is that of a classic filter design – starting with a coarse screening on its exterior, which becomes increasingly finer as you near its center. Access control should be seen in much the same way, beginning with a more general assessment of the individual, and screening increasingly finer details as the individual gets closer. At shorter distances, appearance and body language are still the two most important categories, but as more features become visible, smaller details like bulky items inside pockets, contents of bags (if they are searched), forms of identification and minute signs of nervousness can be assessed as well. Some of the most common indicators of nervousness that can be detected from shorter distances include: sweating, redness or paleness of the face, fast breathing, dryness of the mouth, nervous swallowing of saliva, fidgeting or clasped fingers.
When noticing any item or feature, officers should be trained to ask themselves two questions: “What does this mean about where the person is coming from?” and “What does this mean about where this person is going?” In other words, where and for what reason does the person have or display such a thing, and what might this person’s motivations be, in light of such a thing being brought to this place at this time? These questions should be asked about anything the officer sees, from a large gym bag, to expensive Italian leather shoes, to nervous body language. Each thing says something about the visitor, and though we cannot guarantee that we will get all the answers, the more officers see and the more they ask themselves, the more likely they are to understand what it going on and act on that information to protect the enterprise.
Just like with a jigsaw puzzle, within a few seconds, you will not have enough time to get a perfect picture, but the more pieces you detect and understand, the better idea you will get. Whoever coined the term “You can’t judge a book by its cover” must not have been talking about people approaching a secured access point, because there is a great deal that can be understood about them, as long as you are observant enough, and can ask the right questions.
When close enough to question the person, it is usually a good idea to begin with general open ended questions like “How are you?” and “How may I help you?,” and then, depending on the replies, to follow up with more detailed questions if necessary. In some relatively rare cases, when the person’s replies seem to make sense but sound somewhat rehearsed or strangely nervous, it might be worth asking what I like to call a “silly question.” This type of question is “silly” because it is irrelevant to the situation, a question about the weather, for example. The irrelevance of such a question is exactly the point, because it cannot be anticipated. A reply to such a question will have to come from a more natural and truthful place, and is therefore more likely to expose behavioral inconsistencies such as unusual nervousness.
When it comes to checking identification, there are a number of factors that security officers need to pay attention to. The list of fake ID indicators is always worth remembering, and it should be a frequent feature of ongoing education and training. This includes: poor lamination, peeling or ridged edges, photo not matching the appearance of the person, photo matching too closely the appearance of the person (same hairstyle and clothes), photo not aligned properly, holograms and other security features not present or not working properly, and various other problems with fonts, dates, letters and numbers.
It is, however, important to keep in mind that the main issue is never the ID itself, since an ID is no more than an inanimate object. It is not the ID that is attempting to gain entry – it is a human being that is. “The al-Qaeda training manual explicitly instructs operatives to obtain fake IDs – a key part of the process of their attacks,” says Max Bluestein, Director of Research for the Coalition for a Secure Driver’s License. “This directive was followed by the 9/11 terrorists, and these documents continue to be play a crucial operational role in many of the 60 major terrorist plots uncovered since.” A CSDL report, Counterfeit IDs: A National Security, Public Safety Threat, recommends that enterprises train employees that authenticate identities – such as security officers or desk attendants – how to recognize counterfeit IDs; deploy document scanners to validate security features; and improve information-gathering about fake IDs and ID trends in circulation.
On the access control side, there are a few simple techniques to test fake IDs, and many of them involve testing the ID user. People are known to display a number of behavioral traits when their attempted deceits are scrutinized. The easiest tactic here is to simply stall. A person trying to bluff their way past security is already under pressure, and would therefore like it to be over as soon as possible. The simple act of looking at an ID for 10 or 20 seconds, periodically looking up at the person’s face before returning to the ID, can cause nervous cracks to form in an otherwise plain facade. If more than stalling is necessary, security officers should ask the person if you could show their ID to your manager (whether one is present or not); ask the person if they have another form of ID so the two could be matched up; ask about a detail in the ID (birthday, address, etc); and finally, depending on the answers you get, reserve the right to also ask a friendly little “silly question” before making their determination about the ID, and most importantly, about the person.
For a security director, these training tips can help the gatekeepers of an enterprise gather intelligence about potential threats, alert management (or even other locations) to suspicious characters, and act as a deterrent. Keeping threats outside the enterprise involves more than technology – the human factors, including observation, interrogation and a healthy dose of skepticism, are a necessary component in access control and identity management.
About the Author:
Ami Toben is an expert in terrorist activity prevention and surveillance detection. He has more than 12 years of military and security experience, and he is currently the Director of Consulting & Training for HighCom Security Services.