the Technology Interface / Summer97
You've heard about them - the World Trade Center,
PanAM 103, the Arizona train derailment, Oklahoma City, Post Office
employees attacking coworkers, bombings at the Atlanta Olympics
and medical clinics, Internet security. Within the last several
years a heightened awareness has developed among the US public
about the risks encountered as we go about our daily lives. This
increased exposure leads to the realization that these risks and
their consequences must be mitigated in order to assure the safety
of our citizens as much as possible. Every day we are reminded
of our susceptibility to attack. These attacks may be physical,
electronic, or financial. All of these concerns fall under the
general umbrella of "security" and rank high on the
list of things that concern our citizens.
As in any other discipline, security requires the
understanding and application of standard principles and concepts
in order to achieve effective and consistent solutions. Today,
the security industry is very fragmented and there are no entry
barriers. There are no universal systems for certifying people
or equipment in this field. Anyone can declare themselves an
"expert" and conduct business as a security consultant.
While many of these consultants can offer useful and pertinent
services to their private industry and government customers, many
are less effective due to the lack of a grounding in common principles
or an understanding of systems concepts. Providing single point
technology solutions (for example, installing video cameras or
access controls) to security problems is not sufficient to protect
critical assets with any degree of confidence.
A series of expectations around the design and application
of security systems is needed so that the American public can
feel safe and secure, whether at home, work or play, whether they
are "surfing' the 'net or going to dinner. Based on a model
defining the "four pillars" of knowledge as education,
research, development and application, we must start by educating
the public and security practitioners about threats, targets,
and the risks of implementing security systems or not. How much
money will we spend? Will we be better off after the system is
installed than we were when we started? How will we know? These
questions may be answered by a systematic approach to designing
security systems, particularly physical security. The combination
of knowledgeable people, established procedures, and the appropriate
application of technology all contribute to an effective security
system.
The first step in the educational process was the
formation of the Southwest Surety Institute in June 1996. Institute
membership includes Arizona State University, New Mexico State
University, New Mexico Institute for Mining and Technology, and
Sandia National Laboratories, and programs in security technology
have been established at each university to provide unique, science-based
curricula to students. The question may well be asked: why teach
security engineering or technology at this level? The answer
to this question is much the same as the answer to the addition
of any new curriculum at universities - the time has come. In
all other professional fields there are unifying principles -
in physics, electrical engineering, criminal justice, accounting,
and medicine. Yet, in a field where billions of dollars are spent
and lost each year, there are no such unifying principles. This
is the role of American colleges and universities - to teach these
common principles to future security practitioners, advocate for
their consistent application and understanding, and further the
state-of-the art. Only in this way can the security and safety
of our people, enterprises, and infrastructure be improved.
One of the most basic concepts that can be advanced
is the application of a methodology that incorporates system thinking
in the design of a security system. By this we mean the integration
of people, procedures and technology to meet the security system
goals of defending the targets from the threats through a balanced
approach. Balance includes cost/benefit analysis, application
of the appropriate components to the problem and assuring that
all paths to the target are equally difficult for the adversary.
Consider the level of protection required for a nuclear facility
versus that for an office building. The decision about the level
of protection is driven by the risk and consequence of the event.
Since the risk of loss of life can be very high if nuclear material
is lost; this may be defined as the highest consequence event.
On the other hand, loss of property from an office building,
while financially worrisome, is a lower consequence compared to
the loss of life. This then helps define the level of security
needed. The new university programs being created will help educate
practitioners and the public in what can reasonably be expected
in a given situation and provide information to help manage risk
within acceptable limits.
With 20 plus years of security system design, testing,
and implementation experience, and as the Department of Energy's
lead laboratory for physical security, Sandia National Laboratories
also plays a role in this educational effort. One result of this
long commitment to protecting the nuclear weapons complex is a
design methodology which guides the security engineer through
the design and evaluation process. This process represents a
systematic approach to the security system objectives, technology
components, and an evaluation of the proposed design prior to
implementation.
This methodology has been widely taught throughout
the government sector, both for domestic and international use.
Security system design must begin with a clear understanding
of what is to be protected, the adversary and their capabilities,
and any constraints, such as operational conditions of the facility
and the financial resources available to accomplish the goal.
There are many useful technologies that can be used to construct
a good security system, but these technologies work in concert
with people and procedures. A major area where the application
of the Sandia methodology can have the greatest impact on security
education is in the analysis and evaluation of the proposed system
using well defined measures. These effectiveness measures may
vary as to criteria, for example, delay times or probability of
detection, and in the complexity of the model, i.e., running a
software model versus a hand-generated chart, but all provide
a firm, scientific basis for predicting system performance.
We live in a complex world where technology increasingly
enables more of our tasks and activities. In the past, the security
profession depended on the expertise of former law enforcement
personnel. Equipment vendors enthusiastically marketed technology
to address security issues and were depended on to be experts
in these applications. Managers of the companies and agencies
seeking security systems had no experience in requesting meaningful
information from their security managers, often making decisions
based more on safety concerns than on security. Lacking any unifying
principles or methods, this traditional approach led to incomplete
security solutions. In the future, the integration of law enforcement,
business acumen, and technology will result in new, measurable
approaches to the implementation of security systems.
The security professional of the future will be required
to have a good understanding of technology, legal issues, and
business practices to effectively protect people, property and
information. Universities have the opportunity to lead this change
in approach by preparing security practitioners to design effective
systems, by collecting and standardizing the body of knowledge
in security, and by advancing the state-of-the-art. Education
today will ensure our security in the future.
In future issues, this space will be used to address various topics related to security systems and technology. Next quarter- Emerging Threats.