Can You Measure Your Building’s Penetration Risk? | 2017-01-31

How can you measure your risk of unauthorized entry? Until now, it’s been virtually impossible. When it comes to security entrances, new analytics technologies (e.g. PSIM, IoT, etc.) are emerging, and it’s becoming possible to use technology, combined with people, to tap into security entrance metrics as part of an overall physical security strategy.

Measuring penetration risk is about prediction, and to accurately predict requires a reliable tailgating prevention strategy, otherwise any PSIM or other available analytical tool will fall short. In this article, we’ll talk about the challenges security professionals face related to penetration risk measurement; later, in a second article, we’ll demonstrate how a tailgating prevention strategy actually works and the metrics that can help predict your risk of penetration.

Rise and Fall of the Security Professional?

It’s 2017, and we all know people see the world differently since 9/11. Expectations on security managers today are high. In a 2009 survey conducted by the Society for Fire Protection Engineers (SFPE), 29 percent of Americans polled said that security was the most important feature for public buildings, while only 12 percent believed it was fire safety, despite fires being a far more likely event. According to a national poll commissioned by Workplace Options in late 2015, U.S. workers ranked “workplace violence/criminal activity in the community” second behind only “employer announcing layoffs/job losses,” when asked to rank workplace events that cause trauma, stress and anxiety. The perception now is that creating safe, secure buildings is highly important. This may spell job security for security professionals, but there is also irony here.

The irony is that given today’s emphasis on security, security professionals are asked to provide a return on investment (ROI), mitigate workplace violence, and plan for multiple emergency responses, all while being under-resourced. One cause for this current reality is that metrics proving ROI have been unconvincing in getting more resources. Everyone seems to be running from the elephant in the room: who is in my building right now, and are those people authorized?

The Elephant in the Room

If security managers cannot adequately answer who exactly comes and goes from their facilities, how can they say they are protecting their company’s brand, assets, IP, and employees? What other executives with multi-million dollar capital and operational budgets are considered successful managers, yet cannot measure spending decision outcomes and prove an ROI? Since when does a “perceived improvement” constitute a good investment? How do you communicate that you are reducing risk if you don’t have a baseline from which to measure the reduction?

Recently, ASIS announced a new global strategic priority for its members: Enterprise Security Risk Management. ESRM uses risk-management principles to control security-related risks across an enterprise. A reliable tailgating prevention strategy, which includes measuring and predicting risk at entry points, would definitely be a critical piece to a successful ESRM initiative. If you can instill fact-based, standard operating procedures (SOPs) when it comes to authorized entry, rather than strictly assumptive and reactionary SOPs, you can measure and accurately predict results.

Better Security vs. Life Safety Compliance

The ability to measure risk can also help security professionals find a balance between security and life safety across an ESRM platform. Imagine a violent incident is taking place in a courtyard and you want to lock down all entrances leading to that location to prevent anyone from panicking and running into the danger and keep the violence from coming inside. But complying with NFPA 7.2, and ensuring free, unobstructed egress could result in injury or worse, death. It is a challenge to obtain any kind of variance from local jurisdictions (government, fire and law enforcement) to override locked exit point restrictions. Without an approved variance, you can only do with your entrances what fire codes demand. On the other hand, if your physical security plan includes fact-based SOPs and verifiable metrics, the likelihood of lobbying successfully for variances greatly improves.

Preventing or Merely Detecting?

Let’s look more closely at a common example of the elephant in the room. As security professionals make significant capital investments for physical security infrastructure, they often deploy optical turnstiles in their lobbies and at side entrances. The turnstiles certainly serve as a deterrent; however they alarm after tailgating occurs and require manned supervision to respond. This is a tailgating “detection” strategy, but it’s not a “prevention” strategy. The result is evidence collection and risk mitigation that is not measurable or predictive. Relying on humans is a reactionary SOP that assumes perfect guard behavior every time there is an alarm. Worse yet, I’ve witnessed situations where the guards become “numb” to the audible alarms and eventually turn them off!

To date, measuring performance has traditionally been analyzing alarm outputs and complaints.

Somewhere mixed in with user errors and false rejections are valid and true alarms, which are rejections to a tailgating/piggybacking incident. These are the metrics security managers have hung their hat on for years; for example, “there were x number of tailgating alarms yesterday.” But, what are the chances of false acceptance… that a person could successfully trick the sensors and get in? Better stated, what is the statistical probability of a false acceptance at every entry point? More importantly, can you prove it? This is where the whole process needs to start and security managers who can generate real ROI and answer these questions now deserve a seat at the C-suite table.

Stop Running from the Elephant

Risk measurement is even more critical when managing systems and facilities across an enterprise’s multiple buildings. We are currently working with a large retail chain corporate headquarters with tens of thousands of associates. In addition to an effective tailgating prevention strategy deployment, they also have SOPs that direct employees away from danger and toward bullet-resistant safe zone enclosures. They can accurately measure and predict the result of this deployment (spend), because they know exactly who is in their facilities at any given time.

Enterprises cannot adequately manage their level of penetration risk without knowing exactly who comes and goes. As ESRM becomes a fundamental discipline in managing enterprise security, we all must stop running from the elephant in the room by implementing a real, effective tailgating prevention strategy. Combined with other analytical methods available today, this will allow security professionals to much more effectively meet the challenges of this new world. In our second article, we’ll cover how you can go about planning and implementing a tailgating prevention strategy that achieves measurable, predictive data that will effectively prove the value of the work that you do.

Read more on this topic in Part II of this series, to be released in the Security eNewsletter on February 28.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.