The Onions and Cheese Slices of Securing your Business
By Scott LaFranchie, GM of Marketing & Product at FIRST Security

Following his three-part series on the recent spate of ram raids, FIRST Security’s Scott La Franchie writes that security science tells us there’s no silver bullet when it comes to preventing loss from theft.

Onions

In my previous post, I wrote that security measures are least effective when used as ‘point solutions’ and are most effective when deployed as part of a range of measures specific to the premises and the threats it faces – and the most effective measures are the result of good professional security advice.

This is often referred to as ‘layered security’ or ‘security in depth’ and is based on the logic that mutually supporting ‘onion layers’ of security controls are most effective in deterring, detecting, delaying, denying, responding to, and recovering from a security incident.

“Layering your physical security measures means the security of your people, information, and assets is not significantly reduced with the loss or breach of any single layer,” states the Government’s Protective Security Requirements (PSR). “By designing security measures that combine to support and complement each other, you will make it difficult for an external intruder or an employee to gain unauthorised access.”

The bottom line is that no single security measure is adequate, and that what’s required is a combination of various environmental, physical, electronic, personnel, and process controls that might involve some of the examples listed below:

  • Physical Security: Perimeter fences, security zoning, gates, doors, locks, barriers, key systems, secure rooms, etc.
  • Electronic Security: Intruder detection systems and onsite/offsite monitoring, video surveillance systems, access control systems, visitor management systems, duress and lone worker solutions.
  • Security Personnel: Site guards, mobile (random) patrols, alarm monitoring and response, incident response.
  • Crime prevention through environmental design (CPTED): Building design and fit out, occupant flow, accessibility, lighting, landscaping, and vegetation.
  • Security policy and procedure: including security awareness, training, and governance, visitor and contractor management, and incident and emergency management.

Cheese Slices

So, that covers the ‘onions’ part of this post, but what about the ‘cheese slices’?

Perhaps the most compelling argument for taking a layered approach to security comes from James Reason’s renowned Swiss Cheese Model, which first found fame as a model of accident causation used in risk analysis and risk management.

In Reason’s model, an organisation's defences against failure are represented as slices of Swiss cheese. The characteristic holes in the slices represent weaknesses in individual parts of the system and they vary randomly in size and position across the slices. The system produces failures when a hole in each of the slices momentarily aligns, permitting “a trajectory of accident opportunity”.

The standards-based Security Risk Management Handbook AS/NZS HB 167, which is used by security professionals across Australasia and is based on the ISO 31000 Risk Management framework, picks up on Reason’s model and applies it to the context of security controls.

Typically, one can reasonably assume that multiple layers of security are enough to defend an organisation against failure. But if bad luck, control failure (due to poor maintenance, etc.), and an attacker’s skill were to create a ‘worst case scenario’, then improbable instances of failure can – and do – occur.

In other words, don’t rely on just one or two security controls to protect your business. Think about how a proportionate combination of controls might work alongside each other to deter, detect, delay, and deny an attacker and to enable you to respond to the incident, recover, and continue operating with minimal disruption and loss.

If you’d like to know more about how to protect your business from crime, get in touch with FIRST Security.

Gary Morrison

CEO New Zealand Security Association

2 years ago

Thanks Scott - puts the case across very clearly.
