Sunday, November 17, 2019

Known knowns and unknown unknowns

"There are known knowns" is a phrase from a response United States Secretary of Defense Donald Rumsfeld gave to a question at a U.S. Department of Defense (DoD) news briefing on February 12, 2002 about the lack of evidence linking the government of Iraq with the supply of weapons of mass destruction to terrorist groups[1]

This quote tells us something about risk management.  Basically there are threats we know about and there are threats we don’t know about and there are threats that we don’t know we don’t know about.

From a risk management standpoint, that’s pretty disconcerting. 

In order to understand the unknowns you have to look at things from the “bad guy’s” perspective. In other words, see what the “bad guy” sees. And to do that you must understand that there are four aggressor types of criminal/man-made threat groups: criminals (sophisticated/unsophisticated, organized/unorganized), protestors (organized/unorganized), terrorists (domestic/transnational/state-sponsored) and subversives (saboteurs/intelligence agents [state/non-state sponsored]). In an effort to design better mitigation strategies, planners must understand the “bad guys’” motives, or the reason(s) behind why they do what they do. There are also four primary aggressor objectives: inflict injury or death to people; destroy or damage facilities, property, equipment or resources; steal equipment, material or information; and create adverse publicity.

So how can I plan to reduce their effects, let alone mitigate them? The answer is really easier than you think. Traditionally in risk management, we look at things from a probability standpoint. We ask the question, “Will it happen here, and if so, what will the impact be?” I believe likelihood has little influence on risk. I believe likelihood comes into play when talking about funding. Our risk management methodologies assume the threat will be successful 100 percent of the time. We calculate likelihood when it comes to cost benefit.

Our Asset Based Risk Analysis (ABRA) and Critical Asset and Infrastructure Risk Analysis (CAIRA) methodologies combine the aggressor's motives and objectives with what the asset owner sees, thereby giving a complete picture of risk.

More about ABRA (Platinum GOVIES Award 2017 for Best Government Security Risk Methodology)

More about CAIRA (Platinum 2018 ASTOR Award for Best Risk Analysis Methodology in Homeland Security)

More about risk management and developing mitigation strategies can be found in my new book, The Solutions Matrix: A Practical Guide to Soft Security Engineering for Architects, Engineers, Facility Managers, Planners and Security Professionals.

[1] Full quote: Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones.

Sunday, October 20, 2019

Go Where there is No Path. But, I Can't, I'm Afraid of Snakes

A few months ago, my wife and I were shopping and came across this saying on a night shirt: “Go where there is no path”. When I showed it to her, her reaction caught me a little off guard. She said, “I can’t, I’m afraid of snakes”. And, of course, being the person I am, I immediately translated that into a language I can understand – security-ish. My first thought was, that explains why people don’t conduct risk analysis or, even more importantly, why they don’t even start the process. They don’t tread into uncharted territory because there are snakes hiding in all that tall grass, so they stay where they’re comfortable – on the path. Doing what is comfortable causes two problems.

First, as Defense Secretary Don Rumsfeld said, “We don’t know what we don’t know”, which translates into: we’re only protecting ourselves against what we can see, expect and believe is likely to occur. Since we don’t know what we don’t know, we’re not planning on dealing with its effects either. This can be even more sinister because a lack of action could result in someone getting seriously injured or worse.

Fortunately, there are methodologies out there that can get rid of the snakes. I’m consulting on security matters with a local school district. During our initial meeting, the District Superintendent said, “Okay, where do we start? With an assessment to see where we are?” Absolutely!

Risk management is about managing risks.  In order to do that, you have to accept five factors:
1) You can’t prevent or deter everything
2) Protection from one threat may allow for some protection against another unrelated threat
3) Protection options must be in place before the event occurs
4) Risk Management must address the following pillars: detection, assessment, plans and procedures, response and engagement
5) Risk management and the assessment process are continual and are just part of what we do.

Sunday, September 15, 2019

How Preventing the Wrong Threat Will Cost You

My nephew used to work for an IT company. Upon returning to work after the Christmas holiday, they noticed that the rear windows of the building had been broken and all of the computer equipment had been stolen. The owner of the company did what anyone would do. He called a security consultant.

The consultant recommended fixing the windows, adding motion sensors in the hallway and an access management system at the main entrance.  

When the company employees returned after the Easter weekend, they noticed the rear windows had been broken out – again, and all of the computer equipment had been stolen – again. 

Why did this occur?  The security company had misanalysed the Design Basis Threat or DBT.  

Everything of value has a threat that goes with it. If it has value then someone wants it - either the owner or someone else. It is also possible that a threat can be naturally occurring, like an earthquake or tornado. Usually, protection from these types of threats is governed by ordinances or laws; i.e., earthquake or tornado protection in construction standards. For man-made threats, on the other hand, there really isn't any legislation that governs prevention or protection, so it's up to us to focus on man-made threats. There are four general categories of aggressor types: 1) criminals (sophisticated/unsophisticated and organized/unorganized), 2) protestors (both organized/unorganized), 3) terrorists (domestic/trans-national/state-sponsored), and 4) subversives (saboteurs/foreign intelligence agents). Each type of threat has a modus operandi, or tactic and tool, it uses to execute its objective. If you make a list of what those may be, you can actually design the space so that it provides protection to the things of value inside. It is also important to understand the objective of man-made threats, too. They fall into one or more of these categories: 1) inflict injury or death to people, 2) destroy or damage property, equipment or resources, 3) steal equipment, material or information, or 4) create adverse publicity. Understanding the motives, the tactics and tools they use will go a long way in prevention and protection.

The solution the security company had provided failed because they didn't address the correct DBT, which was breaking and entering and not unauthorized access (although entering through the window is a form of unauthorized entry). They had recommended the solutions they normally would suggest to deter or reduce the effects of theft, and focused on electronics, but they hadn’t addressed the DBT of the windows being breakable in the first place and didn’t add non-electronic solutions to the mix. Had the windows been replaced with laminated glass, they could not have been broken, and then the other countermeasures would have been effective. Another solution would have been to prevent access to the parking lot behind the building. I don't prefer this method because it would be more aggressive and unsightly to use a gate or fence with gate. Just replacing the windows would not have changed the aesthetics of the space, so that is my preferred solution.

Sunday, August 18, 2019

The Need to Push Down Silos

A few years ago, a friend of mine, trying to generate additional students for the classes I teach, asked his cousin who works for a very large architecture and engineering firm in the new World Trade Center in New York City, if they would be interested in attending training on integrating security technologies into building design.  His cousin answered something to the effect, “No, we leave that up to the client after we turn the building over to them”.  While his cousin’s answer is not surprising it is disappointing and confusing to me. 

Not surprising because I’ve heard that so many times before.  In essence, everyone stays in their silo and the connection between the disciplines usually only involves answering questions about the project and clarifying requirements; architects architect – engineers engineer – and security securities, if you will.

It’s confusing on two levels. First, at the beginning of every project the architect gets the client’s desires list; i.e., the building should be blah, blah, blah. Right from the start the architects develop a mental picture of what the building should look like. Next he or she begins to include all of the regulatory requirements or “best practices” for design. Best practices are nothing more than “this is how it’s normally done”. In New York City, for multi-story buildings in Manhattan, the default façade material is glass; in the Midwest it is reinforced concrete or masonry units. Regulatory requirements deal with the disability act and fire and safety codes (such as hallway width, stairs, doors and windows, and elevator placement) and, depending on the region, some weather-related events. And second, very seldom are man-made threats considered. This contributes to the fact that man-made threats continue to occur despite large amounts of money being spent on security measures. I guess the argument could be made that “well, we’re not required to consider them like we are for natural threats so we don’t need to; besides, it will drive up costs”. On the surface this makes sense, but if you dig just under the surface your next thought should be, why don’t “best practices” apply?

The Department of Defense, and some other federal government agencies to a limited degree, requires that integration mitigation strategies be included in their building design review process regardless of where or what type of threat is involved. In fact, it’s mandated that all threats, including man-made threats, be addressed by a group of stakeholders at the onset of any new building construction project and for renovation projects that meet certain thresholds or “triggers”. The stakeholder group determines the “design basis threat” to the building and its occupants and the level of protection required based on the number of people occupying the space. These two factors ensure that the appropriate amount of money is spent on protection options and that, in the unlikely event a catastrophe does occur, injury and death will be kept to a minimum.

By bringing all stakeholders together from a variety of disciplines, everyone 1) has a chance to air their requirements and needs and 2) buys in to the group’s decision on which threats will be addressed and supports the “DBT” and the level of protection required, and costs are kept down. Adding electronics in the form of surveillance or other technologies lies with the owner after the project is completed. So in the short term, the cost of this equipment and its installation is currently absorbed by the owner/client and is not part of the building costs. This “trick” helps keep the building design costs down but doesn’t adequately protect people or the facilities they use. But more importantly, the real costs to the client come after the installation, from the long-term requirement for equipment maintenance and manpower.

Since buildings are currently designed with everyone remaining in their silos, with limited exception, the process is treated as if it were a vertical process, when in reality it’s a horizontal one. The “silo effect” and the isolation it causes make security an “add-on” and limit its efficiency and effectiveness.

Sunday, July 21, 2019

Planning Now for the Terrorist Attack that Won’t Come or Will it?

While radical Islamic-extremist-inspired large-scale attacks have not occurred in the United States in some time, low-scale attacks are more commonplace than you’d think and not necessarily exclusive to radical Islamists. “Bad actor” attacks using terrorist tactics occur all the time. To prevent, deter and reduce the effects of a terrorist-style attack, business owners, facility managers or anyone else charged with the security of those they service must determine if they are an attractive target for not only terrorist attack but also criminal activity.

In that regard, two questions come up: 1) “Do I deal with the public?” and 2) “Does the public (or a “bad actor”) have access to my facility?” If the answer to both questions is “Yes”, then you are at risk. Even if you answer “No” to the second question, you must remember that a dedicated threat will not be deterred and will bring the tools necessary to carry out the attack. Answering these questions will be an indicator of threat likelihood. Additionally, if you ask, “What is the public’s opinion of that service/product?” (the operative words here being “the public’s opinion” and not what you think), you will get an even better understanding of your risk. If there is the slightest likelihood that you could be attacked by a criminal or a terrorist, then you should reconsider whether the procedures you follow and the physical security countermeasures you already have in place are adequate.

Usually, criminal activity doesn’t result in injury to people or death. Terrorist activity, regardless of motivation, intends to inflict violence on another person in order to hurt them. That said, most criminal acts involve the theft of or damage to property. Consideration must be given to common criminal activities, such as theft, burglary, damage to property, assault and workplace violence, just to name a few. Criminal activity using terrorist tactics, on the other hand, is directed toward people and tries to cause as much injury or death as possible. Common tactics still include improvised explosive devices (Yes Virginia, sick people are still building bombs) and using a vehicle or automatic weapon to inflict injury or death. While school and workplace shootings have become the norm, they are not necessarily terrorist attacks, although the results may be the same – they produce mass casualties.

Mitigation strategies for any type of criminal activity, including terrorism, must be in place before the event occurs. So, we want to deter the activity from occurring in the first place and then delay it so that it can be noticed and responded to by trained forces. And finally, in the unlikely event it does occur, we want to reduce its effects as much as possible.

In the case of IEDs, we want to move vehicle parking away from places where large numbers of people gather and prevent the placement of unidentified objects near buildings.

To thwart the hostile vehicle threat, we need to place rated barriers between vehicle traffic and people, especially where large numbers of people gather; i.e., street fairs, sidewalks or pedestrian zones.

Since police departments and some security companies are teaching people to “Run-Hide-Fight”, which actually means hide, we need to create spaces that actually offer protection. Two protective options are 1) retrofitting walls with rated ballistic materials, so that when people do hide they are actually protected, and 2) limiting movement of the person with the gun.

Note, there will always be some level of risk no matter how much you plan and implement countermeasures.  The goal is to reduce the risk to a level you can accept and to continually analyze and make changes when warranted.  When you hear or see something in the news, you should ask yourself, “Can that happen here?”  If the answer is “Yes”, then you should take actions to change that to a “No”.

Chances are you are not going to become a victim of a terrorist attack; however, there is a greater likelihood that you will become a victim of a criminal act that resembles a terrorist act.  

Sunday, June 16, 2019

Case Study: Unimpeded Access Allows Illegal Dumping

The issue was that people were driving up to the banks of a stream and dumping trash; i.e., tires, mattresses, rubbish, etc. The city called a security consultant. And as expected, he recommended adding a camera to the site so that “things” could be monitored. The camera fed back to the superintendent’s desk. Of course, when the supervisor wasn’t there (weekends, evenings/late at night, attending meetings, lunch, naps, etc.), which was all the time when someone would dump trash, the dumping occurred and continued. The superintendent was scratching his head on what to do. After all, he had just spent several thousand dollars on the latest technologies and they didn’t seem to work.

Our solution was not electronic. Instead, we suggested that they build a raised berm/curb using natural landscaping (trees/boulders/bushes, even park benches) so that the vehicle couldn’t drive up to the water’s edge in the first place. We suggested specific landscaping strategies due to low cost and ability to prevent vehicles from reaching the stream. We imagined that since the culprits couldn’t physically access the stream embankment without using a vehicle, they would be less likely to want to carry heavy objects from the roadway, across a bicycle/walking path and then into the wood clearing to reach the stream. Our second reason was to ensure the aesthetics of the area were kept intact. Sure, we could have suggested a fence along the embankment to deny access and achieve the same effect, but who wants to walk along a fence with barbed wire when they’re taking the dog out or jogging or cycling?

Sunday, May 19, 2019

Getting Everyone to Speak a Common Language

A couple of weeks ago, I was teaching a class about using building design to deter criminal activity, including terrorist attack, and, when it fails, reduce its effects and prevent mass casualties. After the obligatory introductions, I said something to the effect that building design is a matter of reducing risk whenever and wherever possible. But in order to do that you have to know your “DBT”.

Based on the blank stares I got back, I knew something was wrong. So, I said it again. Still the deer-in-the-headlights looks. So, I said, “Everyone knows what DBT stands for, right?” Still nothing. Not one person raised their hand. I was taken aback. After all, the class was made up of seasoned architects, engineers, planners and security folks. I would have thought at least one or two would have known what I was talking about.

So, we spent the next few minutes talking about Design Basis Threat or DBT, if you will. DBT is identifying your threats, their tactics and the tools they may use, then designing your building to deter or prevent them from happening in the first place, and understanding that if they do happen you can reduce their effects if you’ve included reduction strategies in the design.

The very first thing to do is to assemble “the planning team”. The idea that “it takes a village” needs to be used here. The team should include architects, engineers, the facility manager, security, end users and others. It’s important to bring these folks together so that they can discuss the parameters of what they are trying to accomplish and “buy in” to the project. If done correctly at the beginning of a project, security costs can be kept to a minimum, usually somewhere around five percent of the total project costs. If security comes in at the end of the project, this cost may skyrocket to thirty to forty percent because of the long-term cost of equipment maintenance and, especially, personnel costs.

Once the team is assembled, the first step is to identify the threat or threats. Threats can be divided into two categories: natural and man-made. Fortunately, laws and ordinances exist that address natural threats in building design; i.e., earthquake, flooding, fire, tornado, etc. Man-made threats, on the other hand – not so much. Although, that is changing slowly. Last year, federal legislation was signed into law that addresses the use of hostile vehicles as a method of attack in public spaces. We’re still waiting for the DHS report the law requires and its subsequent findings and recommendations. I’m particularly concerned that our government hasn’t the courage to attack hostile shooter legislation, when it is so needed. But that’s another Blog topic for another time.

The second step is to identify the motives of the man-made threat; i.e., causing injury or death, theft or unlawful removal of property or equipment, damage to property or facilities and causing adverse publicity. Then we need to figure out what type of groups commit these acts: criminals (sophisticated/non-sophisticated, organized/unorganized), protesters (organized/non-organized), terrorists (domestic/trans-national/state-sponsored) and subversives.

Then we look at the tactics they use: stationary or moving vehicle, different types of weapon usage, forced entry, etc. Each tactic uses a different set of tools. That said, each type of tool use has a countermeasure available to reduce its effectiveness.

If we understand their motives, tactics and tools, we can design countermeasures into inhabited space that reduce the possibility that they will occur and, when that falls short, reduce their effects.

My book, The Solutions Matrix: A Practical Guide to Soft Security Engineering for Architects, Engineers, Planners and Security Professionals, will be available in September. It will outline the processes used to determine DBT, have a quick reference chart that outlines how to counter each type of man-made threat and provide examples of practical real-world solutions.