Abstract
Security solutions should be supported with detailed rationales for recommendations and descriptions of the effects they are designed to elicit. By providing such information during design stages, increased levels of effectiveness, efficiency and subsequently greater levels of support from commercial customers for recommendations may be achieved. The problem-solving process adopted by the U.K. military, including the seven questions, referred to as the combat estimate may be considered as an appropriate process for security professionals, and could be followed alongside existing risk management and business continuity management practices.
Key Words: Security, Risk, Resilience, Design, Effect
Introduction
Security professionals across the globe design security solutions to protect people, property premises, based upon the principles of layered security, balanced protection and of component failure. It is common practice for security solution designers to assess the effectiveness of a protection system, by determining the resulting levels of deterrence, the effectiveness of detection capabilities, its ability to deny or delay the activities of threat actors or activities, and the times it takes to effectively respond to and to threats. The exponential growth of technological developments, experienced during a period increasingly referred to as the fourth industrial revolution, has arguably increased the importance security solutions to effectively integrate people, procedures equipment. The increasing cost of services, coinciding with the reducing proportions of budgets allocated for non-core services, including outsourced services, across many industries, has increased the expectation for security professionals to provide detailed rationales for security prescriptions. As the understanding of threats and security measures increases within business stakeholders in response to the ever-morphing global security threat, including those assessing tender proposals, an effective means of outlining the rationales for all elements of a security solution, may improve the ability to effectively communicate security solution designs. Fundamentally, such a design system could focus upon describing the effect resulting from each element of an integrated solution.
Security professionals seeking to identify a system, which requires and demonstrates detailed consideration of the effects required from each element of a security solution, in order to protect assets from identified threats, could consider the adoption of problem-solving methods used effectively by the U.K. military. The model of rational thinking adopted by the Royal Military Academy Sandhurst (RMAS, 2011) (Figure 1.), which aims to assist in the development of innovative and reflective problem solvers, who understand the process of problem-solving, is outlined in an occasional paper published by the RMAS and revisited by Rennie (2013, 1 - 12) in a paper entitled ‘an Officer and a “reflective” problem solver: further development of problem solving and thinking skills in Officer Cadets at Sandhurst and beyond”.
The model describes four ‘spaces’, or stages through which an individual progresses, during the development of solutions. The four spaces illustrated in Figure 1. represent the different phases of cognitive consideration, which the model suggests are completed when designing a solution to a problem. During the course of problem-solving and solution design, individuals may redefine or refine a problem, as more information is gathered, developed and analyzed. Success during military operations relies upon timely and effective decisions to be made by individuals in leadership positions. Accepting the varying time restraints involved in a given situation, military leaders base decisions upon a mixture of intuition and detailed analysis. The problem space of the Sandhurst problem-solving model (Figure 1.) incorporates the use of a problem-solving tool, the seven questions (7 Q’s) (Figure 2.), which while not restrictive, provides a systematic process to follow and mitigates the potential for process error and cognitive bias. Fundamentally, such a system considers a plethora of situation-specific factors, thereby decisions. This decision making process, known as the ‘Combat Estimate’, addresses seven questions in order to produce a timely, enemy focused and effects based solution.
Application of the 7 Q’s
Security professionals are judged by the effectiveness of security solutions and the time costs associated with their services. Security professionals introduced to a security assignment or task may first consider the situation and all associated factors within the comprehension space. The psychosocial factors which present within this space can influence an thoughts and . This subsequently influences the security threats, hazards and risks perceived by an individual, and the resulting security solutions that designers begin to consider. While Imagineering has gained some academic support, for increasing the levels of innovation and creativity within and social re-design (Nijs, 2015, 8 - 25), security professionals can no longer justify security prescription based upon personal perceptions, imagination or personal experiences. Organisations and individual clients now expect security designs to be evidence-based solutions, with detailed quantitative and qualitative data. With some alterations, the 7 Q’s offers an appropriate decision-making model to adopt during the design of security risk and resilience solutions.
What is the enemy (adversary) doing and why?
Altered to;
What is the client doing and why?
The first of the seven questions requires the development of a detailed level of understanding of a client, their environment the existing risks. The level of detail in the findings generated through this initial question will provide the security solutions designer, with the ability to distinguish themselves as someone that understands not only the surface elements of a client or but also the intricate and often complex aspects involved in their activities. By doing so, the security professional can support the development of a business relationship, within which they are viewed as a trusted partner.
This initial question is an appropriate time to incorporate ISO 31000 Risk Management standards (International Organisation for Standardisation, 2009) (Figure 3.). This procedural construct, which follows the principals of plan, organise, direct and control, provides a means to manage risk, which can be used by varying in size and sector. Having established a line of communication and a consultation procedure with a client, the determination of the context within which a client exists and operates will help to answer the first question. This should clarify who they are, what they do, where they are located or operate, when they are in certain places or perform activities, why they perform them and how. In addition to considering relevant macro and microenvironments, other business analysis models can be used to develop a greater understanding of the context and the threats a faces. Wernerfelt’s (1984, 171 - 174) Resource-Based View (RBV) model may be such a tool. The RBV identifies the tangible and intangible resources which a business possesses and which provide it with a competitive advantage (Barney, Wright Ketchen, 2001, 625 - 641). Such resources, or business assets, will need to be considered within a physical and information protection systems, and business continuity planning.
What have I been told to do and why?
The answer to the second question will determine the initial level of scope that a security engagement presents. This will largely be influenced by the clients’ own approach towards security; whether it is input or output driven. This can be determined during open tender processes, by the specificity of the request for information (RFI) and request for price (RFP) requirements. Fundamentally, an output driven request for increasing the levels of security and resilience a client possesses will empower security professionals with the ability to assess threats, design appropriate protection systems and to plan effective business continuity management responses. Conversely, input driven requests may limit the ability for the security solution designers to suggest innovative or potentially appropriate security solutions systems to clients. Accepting the limitations imposed by an input driven request for security services, the second question initiates the generation of options by the security solution designer. It is crucial, that responses are not solely based upon intuitive feelings, but are evidence-based.
What effects do I need to have on the enemy (adversary) or situation, and what direction must I give to develop the plan?
Altered to:
What effects do I need to have and what direction must I give to develop the plan?
The third question considers the adversary. Who are they and what are their aims?. For commercial clients, this group can include a wide range of criminal or terrorist actors, protestors or other activist groups, urban warriors or competitors. A number of threat scenarios can be considered, which should determine a variety of attack types, locations adversarial routes. Using threat matrix, which could be to produce quantitative measurements, the consequence and likelihood of each attack can be determined and considered against the results of a vulnerability assessment, to calculate a risk score (Likelihood x Consequence x Vulnerability = Risk). The level of vulnerability of an asset to attack is influenced by the overriding ability of an existing security system to deny unauthorized access.
While limited by the subjectivity of the determined scores, the quantitative data may assist in communicating the security risk findings to clients. The quantitative data may enable security solution designers to provide clients with a visual aid, to determine the scale of a risk, before and after mitigation prescriptions have been implemented. Such a tool can be particularly useful, if risks critical to specific stakeholders, as identified through a prior process such as a sales pain chain (Eades, 2003), are in the visual presentations. The level of protection provided by an integrated approach of physical security measures, technology environmental features, can be measured by their ability to deter, detect, deny, delay destroy or respond to a threat. In addition, the principles of defence, mnemonic adopted by the U.K. military, may assist in the design of security solutions.
Depth
Defense in depth aims to delay an adversary from gaining access to an asset. By forcing an adversary to pass through a number of layers and to overcome the challenges posed by the security prescriptions in place at each, a security solution may increase the deterrent effect. If a facility is attacked, the momentum of this action will be reduced, thereby increasing the chance of detection.
All Round Defense
Achieving defense requires security measures to be installed, which can protect an asset against attacks from all directions. Within a commercial environment, this may include areas within a secured zone or from other business areas. defense will consider insider threats.
Mutual Support
A mutually supporting or integrated security system will ensure that the overarching security strategy is achieved through the implementation of appropriate policies, technologies, people procedures.
Reserves
As included in an effective business continuity plan, security reserves can take the form of extra security operators, data backups or alternative business locations.
Offensive Spirit
Proactive security is an effective defensive measure. This can include overt security prescriptions such as patrols and manned guards, and discrete activities to identify threats.
Deception
Deception can take a variety of forms, including; the camouflage and concealment of assets, decoy installations and managed activities to provide the impression of a larger security force.
Where can I best accomplish each action or effect?
In order to increase and to preserve the resilience of a client to an attack, each location, its vulnerabilities, the potential routes of entry and methods of an adversary will be considered in detail. As a result of this process, the levels of deterrence, detection, denial, delay and the ability to respond to a threat, will subsequently differ across a location. Security designers can use a number of tools to assist in this design process. Research to determine potential threats to a client and a will include reviews of previous attacks, local and national crime data, and changes to the local and national political environment. The vulnerability assessment of a client location to the identified threats can be supported through the use of geographical mapping programmes and design (CAD) platforms. Such tools can be further used to differentiate levels of footfall in locations.
What resources do I need to accomplish each action or effect?
Having determined threats and the effects required to mitigate and counter them, a security provider will determine what resources are required, and available within their inventory to achieve the desired outcome.
When and where do the actions take place in relation to each other?
The security actions and the subsequent effects should support each other and provide both continuity and resilience. The prescribed security measures should be planned in accordance with the activities and footfall at different sections of a location. Detailed planning, potentially supplemented with CAD, will enable security assets to be deployed effectively and offer opportunities for economies of scale, thereby improving the return on investment of a security solution.
What control measures do I need to impose?
Altered to;
What control measures and key performance indicators (KPI) do I need to put in place?
Jurisdictional controls are imposed upon security professionals and in some contractual responsibilities may determine what effects can be elicited by providers. In addition, controls are imposed upon security by the available budget. Key Performance Indicators can take the form of an array of quantitative security data metrics (Kovacich and Hailbozek, 2006), including; proof of presence, losses or thefts, successful and failed security operations, as defined by the effect that security prescription is aiming to achieve and cost-effectiveness. A cost-effective security system can be maintained by ensuring that security operations are conducted in the least expensive while remaining effective. Organisations expect security provision to provide a positive return on investment (ROI), which can be calculated through
AL + R
COI
AL: Avoided loss
R: Recoveries made
COI: Cost of Investment (Security system)
Summary
Security professionals are increasingly being considered as respected business partners across industries. Individuals within the professional field demonstrate the ability to use a mixture of technical and academic knowledge, alongside practical experience within a wide range of security fields, to successfully design and implement client specific security solutions. Another notable feature within the professional field is the dedication of individuals to developing new methodologies and refining existing ones, in order to effectively respond to ever morphing threat actors and tactics. The process adopted by the U.K. military may provide security professionals with a sequential process system to adopt during security solution design.
Figure 1. Model of Rational Thinking. Taken from Royal Military Academy Sandhurst (2011).
Figure 3. ISO 31000 Risk Management process.
References
Barney, J., Wright, M. and Ketchen Jr, D. J. 2001. “The Resource-Based View of the Firm: Ten Years After 1991”. Journal of Management, 27(6): 625-641.
Eades, K. 2003. The New Solution Selling: The Revolutionary Sales Process That is Changing the Way People Sell. London: McGraw Hill Professional.
Kovacich, G. L. Halibozek, E. P. 2006. Security Metrics Management: How to Measure the Costs and Benefits of Security. Oxford: Butterworth-Heinemann.
Nijs, D. E. 2015. “The Complexity-Inspired Design Approach of Imagineering”. World Futures, 71(1-2): 8-25.
Rennie, M. 2013. “An Officer and a Problem Solver: Further Development of Problem Solving and Thinking Skills in Officer Cadets at Sandhurst and Beyond”. Sandhurst Paper, 15: 1 - 12.
Royal Military Academy Sandhurst Department of Communication and Behavioral Science. 2011. “An Officer and a Problem Solver': Developing Problem Solving and Thinking Skills in Officer Cadets at Sandhurst”. Sandhurst Occasional Papers, 6.
Wernerfelt, B. 1984. “The Resource-Based View of the Firm”. Strategic Management Journal, 5 (2): 171–180.