Sunday, September 15, 2019


How Preventing the Wrong Threat Will Cost You




My nephew used to work for an IT company.  Upon returning to work after Christmas holiday, they noticed that the rear windows of the building had been broken and all of the computer equipment had been stolen.  The owner of the company did what anyone would do.  He called a security consultant. 

The consultant recommended fixing the windows, adding motion sensors in the hallway and an access management system at the main entrance.  


When the company employees returned after the Easter weekend, they noticed the rear windows had been broken out – again, and all of the computer equipment had been stolen – again. 


Why did this occur?  The security company had misanalysed the Design Basis Threat or DBT.  

Everything of value has a threat that goes with it.  If it has value then someone wants it - either the owner or someone else.  It is also possible that a treat can be naturally occurring, like a earthquake or tornado. Usually, protection from these types of threats are governed by ordinances or laws; i.e., earthquake or tornado protection in construction standards.  For man-made threats, on the other hand, there really isn't any legislation that governs prevention or protection, so it's up to us to focus on man-made threats.  There are four general categories of aggressor types; 1) criminals (sophisticated/unsophisticated and organized/unorganized), 2) protestors (both organized/unorganized), 3) terrorist (domestic/trans-national/state-sponsored, and 4) subversives (saboteurs/foreign intelligence agents).  Each type of threat has an Modus Operandi or tactic and tool it uses to execute its objective.  If you make a list of what those may be you can actually design the space so that it provides protection to the things of value inside.  It is also important to understand the objective of man-made threats, too.  They fall into one or more of these categories; 1) inflict injury or death to people,2) destroy or damage property, equipment or resources, 3) steal equipment, material or information, or create adverse publicity. Understanding the motives, the tactics and tools they use will go a long way in prevention and protection.

The solution the security company had provided failed because, they didn't address the correct DBT; which was, breaking and entering and not unauthorized access.  Although, entering through the window is a form of unauthorized entry.  They had recommended the solutions they normally would suggest to deter or reduce the effects of theft, and focused on electronics, but they hadn’t addressed the DBT of the windows being breakable in the first place and didn’t add non-electronic solutions to the mix.  Had the windows been replaced with laminated glass they would not have been able to be broken and then the other countermeasures would have been effective.  Another solution would have been to prevent access to the parking lot behind the building.  I don't prefer this method because it would be more aggressive and unsightly to use a gate or fence with gate.  Just replacing the windows would not have changed the aesthetics of the space, so that is my preferred solution.

More about non-aggressive/aesthetically pleasing security measures can be found here: https://www.securityindustry.org/2018/04/05/the-puppy-movement/