Issued: December 2004
The Treasury Board Operational Standard for Physical Security states under section 6.1 Protection, Detection, Response and Recovery:
“Departments must ensure that their physical security strategy incorporates identifiable elements of protection, detection, response and recovery”.
“Protection is achieved through the use of physical, procedural and psychological barriers to delay or deter unauthorized access. Detection involves the use of appropriate devices, systems and procedures to signal that an attempted or actual unauthorized access has occurred. In the context of physical security, response entails the implementation of measures to ensure that security incidents are reported to appropriate security officials and immediate and long-term corrective action taken in a timely fashion. Recovery refers to the restoration of full levels of service delivery following an incident.”
“With regards to recovery, refer to the (Treasury Board’s) Operational Security Standard – Business Continuity Planning (BCP) Program” (at: http://www.tbs-sct.gc.ca/ - under Policies and Security).
The purpose of this guide is to provide departments with a reference and examples of how to incorporate identifiable elements of protection, detection and response into their security program.
Physical security professionals group safeguards into three categories: systems or components that protect, detect or respond. Each of these components must work within the security system’s strategy to respond to many requirements, including existing conditions, corporate culture and the threat identified in the threat and risk assessment (TRA).
It is important to consider the physical security system in the context of the entire security program; this means harmonizing the application of physical safeguards with:
“Protection is achieved through the use of physical, procedural and psychological barriers to delay or deter unauthorized access.”
Treasury Board Operational Standard – Physical Security
Protection safeguards impede the occurrence of unwanted events and are often referred to as barriers. A protective barrier should serve some or all of the following functions:
A barrier is considered effective against an outside attacker when it restricts access routes to an asset and is able to stop or hinder the attacker approaching from any side. For example, one lock on a door is an effective barrier if there are no unlocked windows or other access points into the room and the attacker is not a person with the physical strength or skills to bypass the door or create another entry. In order to determine if a barrier is effective, an assessment must be done of the specific situation, the probable attacker, and his/her motivation, capabilities, skill and resources.
There are many different types of barriers that can afford site protection for the threats identified in a threat and risk assessment. The main categories of barriers fall into the following groups:
The Scenario figures below graphically illustrate how protective barriers can improve the performance of a protection, detection and response system.
Physical barriers are passive, active or a combination of the two. A passive barrier such as a bollard resists the unauthorized access of a person to information or asset but it will not respond to an attack. Active barriers react or are altered when there is unauthorized activity; for example, a guard dog. A combined active and passive barrier could be a fence that restricts access to the asset by creating a compound which is then used to contain a guard dog. When detection does not activate an effective response, a physical barrier system does little more than provide a psychological barrier to a determined and skilled adversary. Without the elements of detection and response, a barrier will only deter the initiation of the event and limit unskilled opportunistic adversaries.
There are usually two objectives for physical barriers:
Reducing the number of potential attackers who have the necessary knowledge, determination, skills and resources to overcome a barrier system is accomplished by a well-planned design. Barrier designs that employ a variety of materials necessitate the use of many different supportive tools. They may require an attacker to have a variety of expensive tools or specialized skills. They might also be made of complex materials that are difficult to circumvent or mechanisms that are complicated. Designs of this type of system can help deter many potential attackers who are not skilled or ambitious enough to take on this challenge.
The time delay afforded by the barrier creates the time for a response to exploit. Barrier time-delay design should incorporate the following characteristics:
Security systems are often designed utilizing multiple barriers – “rings of protection” - encircling the protected asset. Layered barrier designs are advantageous when they require increased knowledge, skill and talent to circumvent them. A group of attackers with the necessary skills must be assembled and since group secrecy is hard to maintain, the likelihood of being discovered is increased. Layered barriers also afford a greater time delay because each safeguard layer requires time to be circumvented. This helps to provide the necessary delay in the event that the response time is relatively slow.
The use of security staff, log books and administrative procedures such as signing into an office area can act as a deterrent to any unwanted activity. Procedures such as these can be automated or can activate a response when they are not properly followed. They deter unwanted activity by creating a psychological barrier or an audit which tends to prevent compromise of the asset.
Example: Access to files in a file room: If administrative procedures require someone to sign out or record files, this is a deterrent for individuals to take any files without the specific need-to-know of the file contents. Thus, protection of information in the files is achieved in accordance with the need-to-know principle.
A psychological barrier is a deterrent, as it does not hinder or stop an event if the adversary decides to attack. A psychological barrier such as a line painted on the sidewalk at the perimeter of a property will help to confirm a trespasser, but it will not physically prevent anyone from crossing it the moment the decision is made to do so. A good example of a psychological barrier is lighting that initiates when an intruder enters a protected area. Knowing that they can be seen can help deter would-be thieves from committing a crime.
The extent of usefulness of specific psychological barriers should be determined through the threat and risk assessment process.
“Detection involves the use of appropriate devices, systems and procedures to signal that an attempted or actual unauthorized access has occurred.”
Treasury Board Operational Standard – Physical Security
When designing a physical security system, early detection, for the activation of a response, should be one of the major considerations for safeguarding the target or asset(s). This is beneficial because if an unwanted event or security breach is detected immediately, then the likelihood of the responders’ being capable of mitigating the event is better.
There are four distinct steps to detection:
These steps do not always occur in this sequence, but the list describes what occurs before an intervention in an unwanted event.
When designing the security system, many different design strategies will help you detect when a security breach is occurring. Landscape design, clear lines of sight, construction, electronic systems, observation by personnel and the barking of guard dogs are just a few examples of ways in which an intrusion can be evident - or noticed.
Example: A clearly defined perimeter will help to establish whether unauthorized access, such as an intruder hopping over a fence into a yard, is taking place.
The Scenario figures below graphically illustrate how early detection can improve the performance of a protection, detection and response system.
A detection system must have a method of communicating the intrusion to the appropriate response centre. This can take many different forms, such as security staff using a telephone to call the police, an employee orally advising the security staff patrol, an electronic message sent when an unauthorized event is triggered, etc.
When an event occurs, there must be an evaluation or analysis to determine what has transpired - a security breach, a non-threatening occurrence, etc. The evaluation can take many forms: it can be an employee walking to where the intrusion took place and assessing the situation; it can be security staff verifying via a telephone if “everything is okay”; it can be a remote site verifying on camera the area (s) where an event occurred - the possibilities are endless.
An evaluation of the event helps to determine the appropriate responsive action. The evaluation is a very important step in the process of detection. It is essential that the event is understood before appropriate intervention is initiated.
Frequently, when there is an effective security awareness program in place, it is through employee observation that detection of a threatening situation, an unwanted intruder or another type of unwanted event is noticed and reported. This type of proactive detection is very effective if implemented properly, procedures are well defined and the employees are willing to participate in this process. It is also a cost effective strategy.
A good example of this is when an unknown person wanders into an Operations Zone. If security awareness is successfully implemented, the following step will probably occur:
Security staff can provide an effective detection function in many government offices. In many cases, however, it can be costly and inefficient to place security staff at all locations where detection may be required. Sometimes a more effective and less costly option is the use of detection equipment or electronic intrusion detection (EID).
An EID system consists of:
For detection to properly take place using EID, an evaluation of the event and the appropriate response (or intervention) from personnel or equipment have to follow the analysis. An appropriate response could be provided by employees, security staff, police or equipment in the form of audible alarms, lights, fog, sprinklers, etc. depending on the conditions identified.
Choosing detection safeguards can be determined only by careful analysis of each environment, threats and location. A TRA is the most effective tool to provide insight into the most appropriate detection safeguard.
Some examples of how detection safeguards might be chosen:
Example 1: An office facility with 911 calling service is located on the fifth floor of an office tower and has only one entrance. An employee working alone near the entrance sorts classified information for distribution each morning. On this fifth floor location, this employee may provide adequate detection necessary for the facility.
If the facility were located on the ground floor, however, with emergency exit doors and/or multiple windows, detection would be more difficult to provide. Access through the various ground floor windows and doors might make it difficult for only one person to detect an intruder. In these instances, sensors on the doors and windows that detect movement, openings or breakage may adequately detect intrusions.
Example 2: An employee works alone in a storefront operation, and the threat level for physical violence towards the employee is estimated at “medium”. This risk of injury warrants that this employee be provided with assistance. This requirement may be met in several ways, by:
A comprehensive TRA will determine the most appropriate and cost effective solution and will provide insights regarding how the detection safeguard should be designed to strategically counter the strengths of the adversary.
“Response entails the implementation of measures to ensure that security incidents are reported to appropriate security officials and immediate and long-term corrective action taken in a timely fashion.”
Treasury Board Operational Standard – Physical Security
When considering the system of protection, detection and response, an effective response is an essential component of the system and should be based on:
The Scenario figures below graphically illustrate how response times can improve the performance of a protection, detection and response system.
For example, if the threat of an armed robbery is identified, then an unarmed guard is not a suitable response unless there is an appropriate and timely back-up. An unarmed guard, however, is quite suitable for many threats. If the threats are varied, then the appropriate response may be a guard or personnel versus an electronic or mechanical response. Humans are more effective in some situations where there is a need to evaluate the security breach. They can quickly choose an appropriate response to suit the situation at hand. An electronic or mechanical response is much more limited in scope. It must be pre-determined and then properly coordinated within the system. If a situation occurs which does not fit the pre-planned scenarios, the automatic response may not be effective.
Responses should be carefully thought through. It is important that some of the following items be considered along with the response planning:
It is advantageous to identify threats and all possible scenarios to plan how a response might be handled. This helps to identify if the expectations on the system are realistic or if additional protection or detection is needed. In many cases, it will ensure that the responders have the proper resources needed for an effective response. Telephones, pagers, back-up personnel and other equipment etc. – all these and more must be considered when planning a response. One way to verify if a planned response is appropriate is to test it. This can be done in a variety of ways.
Test the accuracy of the plan documentation – list of responders, phone numbers, etc. It is a good idea to verify and validate all information such as phone numbers and contact information, to keep this information regularly updated and that responders are aware of their roles.
Verify the consistency of the plan and check for flaws in the logical process. A walkthrough is a valuable tool to ensure the adequacy of procedures. This will also identify weaknesses or deficiencies of the plan.
Practice and test the plan. Create test scenarios - simulate execution or actually execute response procedures, using real-time examples. It is a good idea to try theses at several different times of the day.
Revise the plan to mitigate any weaknesses found in the previous steps. This may entail readjusting the protection and detection elements of the system.
Maintain all the information readily accessible to initiate the response efficiently and effectively.
All personnel and first responders should be aware of the requirements of their duties in the event of a security breach. Training should be made available where required.
When planning a response it is very important that realistic timeframes are associated with the plan. If it becomes evident that the response time is inadequate, then protection and/or detection should be improved to prevent a security breach.
As with all security programs, effective documentation and reporting of incidents will enable the security officer to have a record and to track incidents. This helps provide guidance for enabling effective measures to protect against future incidents.
After an incident has taken place, it is important to review previous plans and TRAs to determine how to avoid this type of incident in the future. Plans should be reviewed and revised accordingly to ensure that the response can be effective.
Example: A laptop is missing from the office and the subsequent investigation reveals that this asset is regularly used in an unsupervised Reception Zone. The asset is not assigned to any one individual; it is taken by interviewers to the Reception Zone and used to enter personal data concerning clients and applicants. The investigation also reveals that the laptop is often taken home by employees. There is no policy regarding the handling of the laptop computer or the personal information that is kept on the hard drive. These situations can demonstrate the different ways to review a security program. A post-incident review can also serve to provide the insight necessary to effectively review and accordingly revise the policy, protocols or procedures relating to organizational and administrative, physical and IT security.
When considering the response as part of an effective security system, it is always important to think of the many possible ways of handling incidents. Sometimes an appropriate response may be a very different solution than conventional intervention methods such as calling the security staff or police force.
Example 1: Destruction can be considered an appropriate response in an office where there is a risk to highly sensitive material due to sit-ins or occupation by non-government individuals. The electro-magnetic erasure of computer disks, shredding of paper information or physically destruction of a material asset could be the appropriate response in the event this sort of situation is imminent.
Example 2: When dealing with potential incidents in a parking lot in which users feel threatened, the situation may be properly addressed by making an annunciator or alarm post available, or by activating a camera to the alarm location as well as additional lighting at this spot in response to the signal.
It is always important to consider the protection, detection, and response elements in the context of a system. Each must be considered relative to one another, as they are interdependent.
When discussing physical security systems with respect to protection, detection and response, it is important to mention the principles of Crime Prevention Through Environmental Design (CPTED). CPTED is a subject matter that focuses on design principles and strategies to create environments that facilitate the natural physical security systems of protection, detection and response. Briefly, the basic premise of this branch of situational crime prevention is that the physical environment can be changed or managed to produce behavioural effects that will reduce the incidence and fear of crime. Drawing heavily on behavioural psychology, CPTED concepts and strategies take advantage of the relationships which exist between people and their environments.
Example: When we react to an environment it is often determined by the psychological cues from that environment. Legitimate users of a space feel safe when the lighting levels are adequate. They can be seen and feel there is a certain safety from natural surveillance in being seen. Illegitimate users of the same space feel that they will be seen exhibiting undesirable behaviour (such as painting graffiti on a wall) because natural surveillance is enhanced by good lighting levels.
CPTED has three main design strategies:
Natural access control is directed at decreasing crime opportunity by denying access to people and assets and creating a perceived risk in circumventing a barrier or perceived barrier. This it accomplished by designing streets, sidewalks, building entrances and neighbourhood gateways to clearly indicate public routes and access points and by using structural elements or defined boundaries to discourage access to private areas.
The object of natural surveillance is primarily to make intruders easily observable. This is accomplished by features such as doors and windows that maximize the visibility of people, parking areas, access streets and building entrances by providing lines of sight to observe these areas. Other features are pedestrian-friendly sidewalks and streets, front porches and adequate nighttime lighting.
Territorial reinforcement is the use of physical design to create or extend a sphere of influence. Users will develop a sense of territorial control if they have ownership of, or a vested interest in, a space. This feeling of ownership helps create an environment that discourages potential offenders who either visually or by other means perceive a territory as belonging to others. Features that define the territory include the demarcation of property lines, the use of landscape planting to distinguish private spaces from public spaces, pavement design, gateway treatments, fences and other demarcation of property.
Please refer to Section 9 for a list of CPTED-related Web sites.
There are many other methods used in applying physical security strategies in protection, detection and response systems. The following is a brief summary and explanation of some physical security methods including comments on the advantages and disadvantages of each.
Splitting the asset into parts so that either part is of no value to the adversary is a security concept applicable only to objects which together constitute an asset.
One advantage of the split target is that an adversary must circumvent multiple safeguards in order to gain access to the desired asset (such as both the STU-III phone and key). It is important that the asset components be protected separately.
Disadvantages include increased storage, security and space costs, administration of two components, and inconvenience.
This method involves the positioning of the primary target in a highly exposed, observable location where it is under continual, casual observation of both departmental personnel and outsiders. This increases the likelihood of detection and response in the event of an attempted theft or attack.
The advantage of this technique is the extra surveillance and attention that is focused on the asset – as well as the increased potential for a quick response.
The disadvantage is that a professional thief knows the location of the target and can also determine the means and time necessary to defeat the protection surrounding the asset.
The rationale for this method is to make an asset difficult to locate. There are two different methods used to hide the asset, although subtle differences in the methods are varied. The target may either be “buried” out of sight in the depths of a building complex, or it may be disguised or included with a multitude of similar but inconsequential objects.
The advantages are low physical security costs, usually capital and operating costs.
The disadvantages are that its effectiveness is related to secrecy so accessing the asset may be restricted at times if secrecy is to be preserved, and there may be little or no protection for the asset when the location or value is known.
Target hardening is a concept related to achieving physical security through strength: countermeasures that prohibit entry or access such as window locks, dead bolts for doors, interior door hinges, strengthened walls and doors, etc.
The “rings-of-protection”, “onion skin”, “security-in-depth” or “bull’s eye” concept all refer to the idea of safeguarding an asset by using layered physical barriers completely encircling the asset. One objective of this approach is to grant access to the asset to the smallest group of personnel practicable.
Example: Layering space with progressively restrictive areas after each barrier. This concept is often applied in conjunction with target hardening, where the time needed by the attacker to penetrate each layer is cumulative, thus increasing the protection provided to the asset. It is understood that the higher the security need of an area, the greater must be the number and sophistication of the protective rings and adjacent detection systems.
The advantage of this method is the opportunity to progressively reduce the number of personnel who could possibly access specific assets.
The disadvantage is related to the time and expertise needed to design the physical security system.
“Defensible Space" operates by subdividing large portions of public spaces and assigning them to individuals and small groups to use and control as their own private areas – similar to territoriality explained in CPTED above.
The advantage is the effectiveness of the method to control opportunistic crime and the low operating costs when it is applied effectively.
The disadvantage of this approach is that it may have limited effectiveness in deterring a motivated thief since there may be no physical barriers.
When you are in a position to design a protection, detection and response (PDR) system, it is very important that all aspects of the system work together in a complementary fashion to ensure its effectiveness. Three main aspects of the system must be considered in order to accomplish the objective.
When determining what type of PDR system to use, as with the TRA process mentioned in Section 2, the first step is to define the targets (or assets) that are being protected. A target is something of value or perceived value that an adversary will wish to:
How vulnerable the assets are often depends on their overall value to the adversary as well as the qualities of the adversary who is a threat to them. Defining these assets is a very important first step when looking at the PDR system.
The next thing to consider when looking at a PDR system is to understand the threat and the qualities of the adversary (or threat). It is very important to know who or what these adversaries are:
It is also important to know as much about the threat as possible. An adversary could be anyone from an unsophisticated opportunistic adolescent to a professional safecracker, a misguided political activist to an ideological fascist. Each type of adversary will have a set of qualities that will guide you in the process of designing an appropriate PDR system. Some qualities to consider are:
The modus operandi (MO) of an adversary is, more often than not, consistent. This is advantageous when trying to predict future behaviours and designing the security system to prevent this adversary from accessing the target or asset.
Example: If a thief robs commercial establishments during daylight hours by “piggy backing” through electronic access control barriers, and steals cash, negotiables or purses of employees, then it is likely that the thief will continue to commit the same crimes using this methodology as long as he/she has not been caught.
The choice of how to protect against the MO of a certain thief is as varied as the system itself. Monitoring “piggy backing” of access control systems and having portals and doors designed to prevent this are two such solutions applicable to the above example.
Physical security involves the use of safeguards that are interdependent within a system that can protect, detect and respond to an unwanted event. In order to understand how to create an effective physical security system, it is important to understand the elements, methods and applications that can be used to design an effective and safe environment for the targets or assets. This guide briefly describes many elements, methods and applications of the physical security practitioner, most of which are included in the physical security operational standard.
It could be argued that, when having to deal with a skilled and determined adversary, the first safeguards to be considered when designing physical security should provide detection. This evolves from the idea that, given enough time, any physical barrier can be overcome. This position is further supported by the fact that if detection is early it facilitates the arrival of a response before the delay provided by the protection safeguard elapses, thus preventing the compromise.
However, since the elements of protection, detection and response are interdependent and must be considered relative to one another, it does not really matter with which element the design starts as long as all elements are looked after.