The aim of Physical Security is to protect people and goods (goods and chattels, properties, intangible goods) from intentional wrongful acts committed by offenders who may be motivated by several reasons. The “Safety” is a different concept, which aims to develop strategies and solutions to contrast events of accidental nature, but it is complementary and integrated to physical security in an efficient “Security System”.
The latter is implemented through a combination of men, technologies and procedures. The primary function of Physical Security is to detect, delay and readily respond to a given event, while its secondary function is defense (Garcia, 2008, pp 2-6). In this perspective, the draft of a security system come into force in different moments and ways, necessarily passing through our two main activities: Risk Assessment and Risk Management.
The Risk Assessment is carried out through identification, analysis and risk assessment, and is necessarily preparatory to the activity of Risk Management.
Inductive or deductive methods (also called qualitative or quantitative methods) should be implemented in order to identify risks, but this depends on the amount of available data and on the context. Both methods have weakness and strength points: while the quantitative method is much easily described in terms of tradeoff (cost-benefit analysis), it is not applicable in a state of scarcity or lack of data or time series.
The risk analysis seeks to answer questions as:
What could go wrong?
What is likely to be wrong?
Which are the possible consequences? (Kaplan & Garrick, 1981).
The risk evaluation is linked to concepts such as regularity, probability, magnitude of risk (remember that regularity is measured after the occurrence of one or more events, while the probability is calculated before this/these occur/not occur).
Immediately after the Risk Assessment activity, it comes that one of Risk Management, which seeks to answer the following questions:
What can be done?
Which are the available options?
What is the best tradeoff in terms of costs, benefits, residual risk?
What will be the impact of managerial decisions on future options? (Kaplan & Garrick, 1981)
All these questions have as common purpose: a decrease of dangers, which will never be nullified, but in this way we will face an acceptable residual risk.
Generally speaking, a risk can be reduced by three options:
Mitigation of the consequences. (Protection of Assets – Physical Security, 2012, pp 42-43).
Crisis management consists in planning how a society should behave in the potential event of harmful circumstances, threatening its survival. A vulnerable organization, the occurrence of sudden and unwanted events can be confusing for those who are called to cope. This could often led to exacerbate negative consequences or even to unwillingly damage property, humans or reputation. Corporate crisis management can be considered as “closing the loop” of a good security system. It is a series of procedures that, on the base of the event/s taking place or previously occurred, will identify the parties involved and the actions to perform with the aim to contain consequences as quickly as possible. In order to harmonize processes, these activities are very often subjected to simulations or trainings. As with all other activities of a security system, Crisis Management is not a “monolith steel” and is therefore subjected to continuous improvements, also as a result of previous experiences.
Physical Penetration Test
A Physical Penetration Test consists in a simulation of attack by a third trustee, hired by the organization, in order to check the safety level of installations, infrastructure and personnel.
Usually it concerns structures such as industrial sites, critical infrastructure, ports, and airports.
The results of this test are displayed in a detailed report that identifies:
- Shortcomings related to the planning;
- Deficiencies concerning procedures and/or processes;
- Deficiencies in infrastructure, electronic systems (CCTV, anti-intrusion, access control, etc.)
- Deficiencies in personnel;
- Other Security Weaknesses.
These results constitute the starting point to put into force the entire security system.