Steps for Conducting a DIY Commercial Security Review
This article is intended as an overview to assist organizations in conducting their own commercial security review. Many small organizations lack the resources to afford or conduct a professional assessment and are consequently compelled to “do it themselves”. This article is intended as a tool to assist such organizations in doing it themselves.
A security assessment requires special education and experience. Physical security, and the complexities inherent in protecting people and sensitive assets against known and unknown threats, involve substantially more than building a fence or installing video cameras. For an organization unfamiliar with security principles and assessment procedures, and especially for the people within the organization who are assigned the task, the difficult issues emerge very quickly, and the challenge of comprehending the scope of work frequently results in individual frustration and interpersonal conflict.
In almost every case, these frustrations and conflicts stem from the absence of a clear vision of the organization’s security objectives or of an agreed method for framing and identifying threats. A clear vision of objectives and processes is essential to the efficient use of time and resources.
Without clear missions, goals, and processes, circular discussions drag on without achieving results. In these circumstances a real temptation arises to “do something, anything” to show progress and make things “safer”. To demonstrate progress, and perhaps to appease or deflect criticism for a lack of progress, a committee or organization may purchase a camera system or new locks, or install doors, walls, and fencing. Such efforts are almost always wasteful of precious resources and may inadvertently ADD to the dangers they were intended to address.
A church in Southern California experienced these very phenomena. After months of frustration, the church members agreed to “act” before having a commercial security review or plan; they built walls and installed doors with electronic locks as well as other infrastructure. After spending nearly $120,000 (exceeding the original approved budget), it was determined the new infrastructure created a critically adverse choke point from which the congregation would be compelled to exit en masse to escape an active shooter; to exit, more than a hundred people would force themselves into a short, narrow hallway to a single door.
This critical flaw in their design was made worse by the realization that their initial and supplementary budget allocations for “fixing the security problem” were exhausted. The time to remedy the “new problem”, conduct a commercial security review, and design and implement the necessary remedies required an additional 18 months, costing the church an additional $230,000 (including permitting, demolition, redesign, and rebuild). By itself, the re-work cost to the church exceeded the original budget by more than 2x.
The painful and expensive lessons of this church, and the conflicts that arose from their experiences, created new dynamics the church is working through, even to this day. The past cannot be changed, and the church leadership, together with the congregation, recognizes that the real costs (dollars, time, relationships) incurred for remedial work could have been avoided had they applied a few organizational development techniques along with a bare-bones security assessment process.
What could they have done to avoid these problems? What could they have done to accomplish their purpose without the added expense, lost time, and interpersonal disputes?
Values Guide The Way
There are few discussions more valuable than the discussion to identify and agree on the values of your organization as those values relate to your security goals. Knowing these values and prioritizing them before starting a security assessment or commercial security review allows for channeling disputes in the direction of solutions consistent with your organization’s values. One of the best ways an organization can overcome confusion and discord in the context of any assessment/review is to consult the list of values.
Any attempt to “fix the problem” without an agreed set of values and objectives risks inserting confusion: committee members bring different needs, motives, and values, and these produce different opinions. Without settling on values, discussions can be circular, repetitive, and endless. Values give focus to the discussions and form the basis of clear communication that leads to progress and agreement on the common purpose.
When disagreement emerges between objectives, threats, or potential solutions to a security problem, a team leader is well-served to ask the team, “What value are we serving? Does this serve and protect the people and assets as identified in our values? If so, how? If not, why not?” Values provide the group with a foundation and parameters to more efficiently and effectively achieve its mission.
Mission, Then Objectives and Goals
Objectives are the practical and necessary steps to achieving clearly defined goals in the commercial security review. In the above example, the church wanted to make its “school and church more secure”. That was the “mission” of the security committee. However laudable the mission, its expression was too broad and nebulous to be of any help to its security committee. Each member was left with his own set of interpretations and values, contributing to the confusion and circular discussions.
Exactly what were they securing and why? What were they securing against and how? When they confronted conflicting needs, members just argued for their preferences. Is it any wonder that frustration and time pressures squeezed the team into “doing something, anything”?
Leaders provide clear, achievable mission statements. People need to know what they are expected to do and how they can recognize “mission complete”. In its second attempt to address its security problems, church leaders worked with the committee to first establish their values, then moved quickly to writing a mission statement. After a few days, church leaders and the committee decided on a clear mission statement.
Disagreements occurred but were resolved within the context of their agreed values and mission. Knowing their mission statement, the committee began asking the right questions about the goals and objectives required to achieve their mission.
It may seem this part of the article is sparse, and it is; it is intended to be so. Each organization must draft its own values, mission, goals, and objectives. Furthermore, in some instances the privacy of results of such work may prove important to the organization’s overall security.
Process of Assessment
Once the basics are established, a security team/committee can take satisfaction in their progress but now begins the “heavy lifting”. How do they “assess” or “review” their security problem? What are the likely assets (including people) under threat and why? What are some ways to “measure which people and assets are under greater threat than others”? We recommend that an organization confront the challenge by categorizing its key assets according to “CARVER”.
CARVER is an acronym for a targeting system developed and used by US special forces. Each letter in the acronym represents a category for analysis. The categories for CARVER are Criticality, Accessibility, Recoverability, Vulnerability, Effect, and Recognizability. What do these categories mean?
Criticality: The measure of how critical a particular person, people, or asset (relative to others) is to your organization.
Accessibility: The ability to physically (or digitally for cyber assets) access and egress from the target asset.
Recoverability: Ability to restore, recover, or replace an asset if attacked or damaged.
Vulnerability: The relative ease to accomplish an attack on the asset.
Effect: The relative or direct amount of loss if an asset is attacked or lost.
Recognizability: The ease in identifying a targeted asset.
CARVER is very helpful for a commercial security review. The Value Rating Scale table below provides a simplified model for rating assets relative to one another and among the categories of CARVER. Within the attached matrix is a sample description for assigning numerical weight to each asset within each category. This scale may be expanded to include dozens of assets with an expanded set of rating values, according to need. It may be necessary to “drill down” and develop several matrices that include additional assets under an umbrella of a single, complex asset.
The second attachment is a sample of the matrix in application. Again, it is simplified for the purpose of demonstrating a methodology for smaller organizations with assets that are less complex. After performing the work of identifying and rating assets, as in this example, three assets are rated as being most vulnerable. Of the three, two are most accessible.
However, of the three that are most vulnerable (“V”), only one of the three (Bulk Electric Power) is rated as mission stopper (“C”) and the effect (“E”) is highly favorable to the attacker while unfavorable to the defender.
But when we account for all categories of CARVER by adding the scores across the matrix, we see the three most important asset systems (Bulk Power, Bulk Petroleum, Water Supply) that are obvious targets for an attacker. If you were responsible for these systems, you would be well-served by focusing your attention and significant resources to protecting the three assets at the top of the list.
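To make the matrix arithmetic concrete, here is an added Python example that is not from the article or its attachments: it scores constructed sample assets on the six CARVER categories, sums across the matrix, and ranks the assets. The 1..5 scale, all scores, and the two extra assets (Admin Office, Parking Lot) are assumptions; the three named systems are the ones the article mentions.

```python
from dataclasses import dataclass

# The six CARVER categories as named in the article. Scores use a 1..5 scale
# (an assumption for this example): 5 is the most attractive to an attacker,
# i.e. most critical, easiest to access, hardest to recover, easiest to
# attack, largest effect, easiest to recognise.
CATEGORIES = ("criticality", "accessibility", "recoverability",
              "vulnerability", "effect", "recognizability")


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int
    accessibility: int
    recoverability: int
    vulnerability: int
    effect: int
    recognizability: int

    def score(self, cat: str) -> int:
        """Return one category score, rejecting values outside the 1..5 scale."""
        value = getattr(self, cat)
        if not 1 <= value <= 5:
            raise ValueError(f"{self.name}: {cat} must be 1..5, got {value}")
        return value

    def total(self) -> int:
        """Sum across all six categories, as the article adds scores across the matrix."""
        return sum(self.score(c) for c in CATEGORIES)


def rank(assets):
    """Assets ordered from most to least attractive target (highest total first)."""
    return sorted(assets, key=lambda a: (-a.total(), a.name))


def top_in(assets, cat, n=3):
    """Names of the n assets scoring highest in one category, e.g. 'vulnerability'."""
    return [a.name for a in sorted(assets, key=lambda a: (-a.score(cat), a.name))[:n]]


# Constructed sample matrix (scores invented for illustration).
SAMPLE = [
    Asset("Bulk Electric Power", 5, 3, 5, 4, 5, 4),
    Asset("Bulk Petroleum",      4, 4, 4, 4, 4, 3),
    Asset("Water Supply",        4, 2, 4, 3, 4, 4),
    Asset("Admin Office",        2, 5, 1, 4, 2, 5),
    Asset("Parking Lot",         1, 5, 1, 2, 1, 3),
]

if __name__ == "__main__":
    for a in rank(SAMPLE):
        print(f"{a.total():2d}  {a.name}")
```

Running the block prints the five assets by summed score; the single-category view (`top_in`) is how a committee would check, for example, which of the most vulnerable assets is also a mission stopper.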
The critique of this methodology is as follows: Most people are unaware of CARVER or how to use it in an attack. This critique ignores the attack on Metcalf substation south of San Jose, California when gunmen perpetrated a surgical attack on an unmanned PG&E facility. Within a few minutes, the attackers inflicted millions of dollars of damage. Video footage of the attack reveals the attack was carefully planned and conducted. The shooters knew what to attack to inflict the most damage. They knew precisely where to stand while shooting so as to minimize the quality and volume of video footage. To this day, the attackers have still not been brought to justice.
A second critique suggests that an “amateur, lone-wolf” is incapable of a sophisticated attack. It is true that some attacks are spontaneous and therefore without a plan. However, the weight of evidence suggests that the bulk of active shooters engage in sophisticated planning: they collect “target intelligence”, work out vulnerable points, evaluate effects, look for points of access, and choose the best means of conducting the attack.
Many active shooters even go through “dry runs” as practice to work out details and be “more efficient”. To date, every school shooting has been shown to be a planned attack, and too many of these attacks achieve their nefarious purpose in ways that are too similar to CARVER to ignore.
The Commercial Security Review Is Done. Now Security Planning – New Challenges
Let’s recap on the commercial security review.
Knowing from the matrix which assets are most critical, vulnerable, and recognizable, what effect their loss has on operations, and how accessible they are, the committee’s task turns to effective and efficient means of securing the assets. Before initiating this stage of the project, a group is well-served to revisit its mission, list of values, goals, and objectives. At this point, we must remember that all assets exist to serve the common purposes and goals of an organization; limiting access does not change the criticality of an asset; and there is always some tension between vulnerability and access, because the greater the access, the more vulnerable the asset. And that’s the how-to for organizations to conduct their own commercial security review.
The issues involved in security planning will be addressed in the next article in this series.
If, after reading this or other articles, you find the information helpful, then please send us an email. We appreciate your feedback.