the Technology Interface / Summer97

You've heard about them - the World Trade Center, PanAM 103, the Arizona train derailment, Oklahoma City, Post Office employees attacking coworkers, bombings at the Atlanta Olympics and medical clinics, Internet security. Within the last several years a heightened awareness has developed among the US public about the risks encountered as we go about our daily lives. This increased exposure leads to the realization that these risks and their consequences must be mitigated in order to assure the safety of our citizens as much as possible. Every day we are reminded of our susceptibility to attack. These attacks may be physical, electronic, or financial. All of these concerns fall under the general umbrella of "security" and rank high on the list of things that concern our citizens.

As in any other discipline, security requires the understanding and application of standard principles and concepts in order to achieve effective and consistent solutions. Today, the security industry is very fragmented and there are no entry barriers. There are no universal systems for certifying people or equipment in this field. Anyone can declare themselves an "expert" and conduct business as a security consultant. While many of these consultants can offer useful and pertinent services to their private industry and government customers, many are less effective due to the lack of a grounding in common principles or an understanding of systems concepts. Providing single point technology solutions (for example, installing video cameras or access controls) to security problems is not sufficient to protect critical assets with any degree of confidence.

A series of expectations around the design and application of security systems is needed so that the American public can feel safe and secure, whether at home, work or play, whether they are "surfing' the 'net or going to dinner. Based on a model defining the "four pillars" of knowledge as education, research, development and application, we must start by educating the public and security practitioners about threats, targets, and the risks of implementing security systems or not. How much money will we spend? Will we be better off after the system is installed than we were when we started? How will we know? These questions may be answered by a systematic approach to designing security systems, particularly physical security. The combination of knowledgeable people, established procedures, and the appropriate application of technology all contribute to an effective security system.

The first step in the educational process was the formation of the Southwest Surety Institute in June 1996. Institute membership includes Arizona State University, New Mexico State University, New Mexico Institute for Mining and Technology, and Sandia National Laboratories, and programs in security technology have been established at each university to provide unique, science-based curricula to students. The question may well be asked: why teach security engineering or technology at this level? The answer to this question is much the same as the answer to the addition of any new curriculum at universities - the time has come. In all other professional fields there are unifying principles - in physics, electrical engineering, criminal justice, accounting, and medicine. Yet, in a field where billions of dollars are spent and lost each year, there are no such unifying principles. This is the role of American colleges and universities - to teach these common principles to future security practitioners, advocate for their consistent application and understanding, and further the state-of-the art. Only in this way can the security and safety of our people, enterprises, and infrastructure be improved.

One of the most basic concepts that can be advanced is the application of a methodology that incorporates system thinking in the design of a security system. By this we mean the integration of people, procedures and technology to meet the security system goals of defending the targets from the threats through a balanced approach. Balance includes cost/benefit analysis, application of the appropriate components to the problem and assuring that all paths to the target are equally difficult for the adversary. Consider the level of protection required for a nuclear facility versus that for an office building. The decision about the level of protection is driven by the risk and consequence of the event. Since the risk of loss of life can be very high if nuclear material is lost; this may be defined as the highest consequence event. On the other hand, loss of property from an office building, while financially worrisome, is a lower consequence compared to the loss of life. This then helps define the level of security needed. The new university programs being created will help educate practitioners and the public in what can reasonably be expected in a given situation and provide information to help manage risk within acceptable limits.

With 20 plus years of security system design, testing, and implementation experience, and as the Department of Energy's lead laboratory for physical security, Sandia National Laboratories also plays a role in this educational effort. One result of this long commitment to protecting the nuclear weapons complex is a design methodology which guides the security engineer through the design and evaluation process. This process represents a systematic approach to the security system objectives, technology components, and an evaluation of the proposed design prior to implementation.

This methodology has been widely taught throughout the government sector, both for domestic and international use. Security system design must begin with a clear understanding of what is to be protected, the adversary and their capabilities, and any constraints, such as operational conditions of the facility and the financial resources available to accomplish the goal. There are many useful technologies that can be used to construct a good security system, but these technologies work in concert with people and procedures. A major area where the application of the Sandia methodology can have the greatest impact on security education is in the analysis and evaluation of the proposed system using well defined measures. These effectiveness measures may vary as to criteria, for example, delay times or probability of detection, and in the complexity of the model, i.e., running a software model versus a hand-generated chart, but all provide a firm, scientific basis for predicting system performance.

We live in a complex world where technology increasingly enables more of our tasks and activities. In the past, the security profession depended on the expertise of former law enforcement personnel. Equipment vendors enthusiastically marketed technology to address security issues and were depended on to be experts in these applications. Managers of the companies and agencies seeking security systems had no experience in requesting meaningful information from their security managers, often making decisions based more on safety concerns than on security. Lacking any unifying principles or methods, this traditional approach led to incomplete security solutions. In the future, the integration of law enforcement, business acumen, and technology will result in new, measurable approaches to the implementation of security systems.

The security professional of the future will be required to have a good understanding of technology, legal issues, and business practices to effectively protect people, property and information. Universities have the opportunity to lead this change in approach by preparing security practitioners to design effective systems, by collecting and standardizing the body of knowledge in security, and by advancing the state-of-the-art. Education today will ensure our security in the future.

In future issues, this space will be used to address various topics related to security systems and technology. Next quarter- Emerging Threats.