Homework Question!

Week 4 Discussion Board Assignment

Open Homework Posted by: lyjly0 Posted on: 18/09/2020 Deadline: 24 Hours

15 writers want to do this homework:

Fardeen W.
Engineering Guru
Assignment Hub
Professional Accountant.
Quick Engineering Guru
Writing Factory
George J.
Homework Guru
Exam Attempter
Ideas & Innovations
Peter O.
Homework Specialist
Zainab A.
Study Master
Math Specialist


For this assignment discuss the following:

What are the two main categories that biometric characteristics get classified in?

What are the differences in these two categories?

List and discussed three biometric devices

Assignment Requirements

Please provide and discuss the above.

Each question should have at least one paragraph

Each paragraph must have at least four complete sentences

There should be no personal pronouns in your initial discussion post.

Your initial post is due by Wednesday before 1159pm

You should have a minimum of three credible in-text citations (Not at the end of your paragraphs)

All requirements must be met, and proper grammar, spelling, and punctuation must be correct.

Please also ensure you use the Discussion Board Header; you can find this template in the Getting Started folder.

No contractions should be used, or any conjunctions at the beginning of a sentence.

Failure to follow each instruction will negatively affect your grades.

Our Top Online Writers.

Discuss your homework for free! Start chat

Engineering Guru


Engineering Guru

United Kingdom

I have a Bachelor Degree in Computer Science with 4 years as a mathematics teacher, …

Fardeen W.


Fardeen W.


I am an ACCA UK, ICAEW finalist and masters in economics and finance from a …

Order Your Homework

Guarantee your academic success!

Order Your Homework Today For Just $3 Per Page!

15 writers want to do this homework:

Fardeen W.


Fardeen W.


This project is my strength and I can fulfill your requirements properly within your given deadline. I always give plagiarism-free work to my clients at very competitive prices.

Offer: $205

Engineering Guru


Engineering Guru

United Kingdom

I am highly qualified expert, working from 2008-9 in this industry. I have all relevant skills and expertise related to your project. To ensure my potential must visit my profile to check my ratings and uploaded samples. Thanks :--)

Offer: $210

Assignment Hub


Assignment Hub


I feel, I am the best option for you to fulfill this project with 100% perfection. I am working in this industry since 2014 and I have served more than 1200 clients with a full amount of satisfaction.

Offer: $225

Get Rewriting & Paraphrasing Help!

We have more than 1500 academic writers and we promise 0% plagiarism in your paper.

Professional Accountant.


Professional Accountant.


Hi! It is good to see your project and being a reputed & highest rated freelance writer on this website, you can be assured of quality work! I am here to provide you with completely non-plagiarised work

Offer: $225

Quick Engineering Guru


Quick Engineering Guru


Greetings! I am the professional electrical, telecom engineer, rich experience in QPSK, OFDM, FFT, such signal processing concetps with matlab, I can satisfy you definitely. more in chat.thanks.

Offer: $225

Writing Factory


Writing Factory


I can help you with creating a presentation of one slide for The Word of William Hunter. I will be happy to offer you 100% original work with high-quality standard, professional research and writing services of various complexities.

Offer: $195

Get Custom homework writing help and achieve A+ grades!

Custom writing help for your homework, Academic Paper and Assignments from Academic writers all over the world at Tutorsonspot round the clock.

Prices As Low As 3$ Per Page!

Our promises:

  • Custom homework writing help
  • Plagiarism Free Solutions Guaranteed!
  • A+ Grade Guaranteed!
  • Privacy guaranteed!
  • Best prices guaranteed!
  • Timely delivery guaranteed!
  • Hundreds of Qualified Writers 24/7
George J.


George J.

United States of America

Greetings! I’m very much interested to write for attendance systems. I am a Professional Writer with over 5 years of experience, therefore, I can easily do this job. I will also provide you with TURNITIN PLAGIARISM REPORT. You can message me to discuss the details.

Offer: $210

Homework Guru


Homework Guru


I am a Ph.D. writer with more than 9 years of working experience in Writing. I have successfully completed more than 4500 projects for my clients with their full amount of satisfaction. I will provide you super quality work according to your given requirements and deadline with ZERO plagiarism.

Offer: $210

Exam Attempter


Exam Attempter

United Arab Emirates

I will help you with your online exams, quizzes and assignment with A+ grades. Please give me a chance and get relax :)

Offer: $210

Get Rewriting & Paraphrasing Help!

We have more than 1500 academic writers and we promise 0% plagiarism in your paper.

Ideas & Innovations


Ideas & Innovations

Hi, Hope you are doing well. I can do this easily because I have several experiences to write articles on different web sites, creative content for several blogs & also SEO writing. Even I have written many kindle ebooks, Being a creative writer, I think I am the most eligible person for your Ghostwriting project. So lets make no longer delay & start chatting immediately.

Offer: $230

Peter O.


Peter O.


Hi, I am an MS Research Scholar, and after carefully reading the description of the project I can confidently say that I am a suitable candidate, equipped with right skills, to complete this valuable task of yours. I assure you timely completion, originality and grammatically correct content, according to your needs. Please feel free to contact me for completion of this task. Thank you very much.

Offer: $230

Homework Specialist


Homework Specialist

United Kingdom

I am an elite class Ph.D. writer who can deliver you a supreme level of content within your given deadline. I will give you plagiarism free content within your given timeline.

Offer: $225

Get Custom homework writing help and achieve A+ grades!

Custom writing help for your homework, Academic Paper and Assignments from Academic writers all over the world at Tutorsonspot round the clock.

Prices As Low As 3$ Per Page!

Our promises:

  • Custom homework writing help
  • Plagiarism Free Solutions Guaranteed!
  • A+ Grade Guaranteed!
  • Privacy guaranteed!
  • Best prices guaranteed!
  • Timely delivery guaranteed!
  • Hundreds of Qualified Writers 24/7
Zainab A.


Zainab A.


I am a quality assignment solver who have all the relevant skills to help you to get good grades in your homework and assignments. I promise you I will not let you down and I hope this relationship will continue in long run. Please open your messenger and send me complete details so we can discuss it further.

Offer: $225

Study Master


Study Master

I am highly qualified expert, working from 2008-9 in this industry. I have all relevant skills and expertise related to your project.

Offer: $205

Math Specialist


Math Specialist


I am a specialist in MATHS with having 12 years of experience. I can help you with Maths, Stats, Algebra and Calculus within very short amount of time. Please check my reviews,rating and samples to check my skills and level.

Offer: $225

Get Rewriting & Paraphrasing Help!

We have more than 1500 academic writers and we promise 0% plagiarism in your paper.

Ready To Place An Order? Its Free!

Attachment 1





This page intentionally left blank







Lawrence J. Fennelly

image72.jpg image73.jpg



SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO Butterworth-Heinemann is an imprint of Elsevier

Butterworth-Heinemann is an imprint of Elsevier

The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom 50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States

Copyright © 2017 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).


Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data

A catalog record for this book is available from the Library of Congress

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library

ISBN: 978-0-12-804462-9

image74.jpg image75.jpg image76.jpg

For information on all Butterworth-Heinemann publications visit our website at https://www.elsevier.com/

image77.jpg image78.jpg

Publisher: Todd Green

Acquisition Editor: Steve Merken

Editorial Project Manager: Nate McFadden

Production Project Manager: Stalin Viswanathan

Designer: Matthew Limbert

Typeset by TNQ Books and Journals



It is with great happiness that we dedicate this book to our two very special daughters-in-law, Annmarie Carr Fennelly and Janet Mansfield Fennelly. Both of these strong women are working mothers, have three beautiful children each, and are wonderful Mothers, Wives, and our Daughters.

Larry and Annmarie Fennelly

This page intentionally left blank



Foreword  ix

Preface  xi

1.  Encompassing Effective CPTED Solutions

in 2017 and Beyond: Concepts

and Strategies  1


2.  Introduction to Vulnerability Assessment  23


3.  Influence of Physical Design  55


4.  Approaches to Physical Security  67


5. Security Lighting 85



6.  Electronics Elements: A Detailed

Discussion  95


7.  Use of Locks in Physical Crime

Prevention  139



8.  Internal Threats and

Countermeasures  181


9.  External Threats and

Countermeasures  219


10.  Biometrics in the Criminal Justice System and Society Today  249


11.  Access Control Systems and

Identification Badges  255


12.  Chain-Link Fence Standards  265


13.  Doors, Door Frames, and Signage  273


14. Glass and Windows  279


15.  The Legalization of Marijuana and the

Security Industry  285


16.  Designing Security and Working

With Architects  291


17.  Standards, Regulations, and

Guidelines Compliance and Your

Security Program, Including Global

Resources  301





18.  Information Technology Systems

Infrastructure  311


19.  Security Officers and Equipment

Monitoring  343


20.  Video Technology Overview  347


21.  Understanding Layers of Protection

Analysis  387




22.  Fire Development and Behavior  391


23.  Alarms Intrusion Detection Systems  401


Appendix 1: Glossary of Terms  421

Index  431




A manager designs and develops security, physical security, safety and investigative programs. Louis

A. Tyska, CPP

This book is your road map to decoding and developing an effective security strategy begin-ning with the design build phase and address-ing everything in between including life safety issues. Larry Fennelly and Marianna Perry have the knowledge and experience to see these com-plicated and ever-changing security challenges from a unique and multifaceted viewpoint. They both share their insight with the reader and that is why every security practitioner needs to read this book. Most security books focus on one topic, i.e., Risk Analysis or Security Surveillance Systems (CCTV) and access control and biomet-rics. I love this text because it has so much mate-rial in it that we need to address our everyday problems.

The baby boomers are retiring and the mil-lennium generation is taking over. The face of security is also changing. Research is being done to advance the security profession to provide the highest level of protection while at the same time, increasing the bottom-line profitability of the organization. College courses are changing. Going forward, the combination of business as a major field of study and security or informa-tion technology as a minor is becoming the new norm. This change is being implemented to pre-pare security professionals to properly protect corporate assets.


The new “buzz words” from 2015 to 2020 will be the following:

1. What kind of “skill set” does the candidate/ officer have?

2. What “certifications and specializations” does the candidate/officer have?

3. Both “physical security and informational security” will be merging with the move toward certifications.

4. “Career pathways” will be used by way of “internships.”

5. Your “certifications” will be the bar for testing qualifications.

6. Education for a career in security is being “redesigned.” Are you ready?

7. The holistic approach is preferred over independent components or “silos” as a logical approach to security systems.

8. 5.0 Megapixel cameras on phones and monitors with full (or true) HDTV—1080 are


Do not be left behind! Plan for the future now!

The top crime threat problems according to recent reports are (1) cyber/communications security, (2) workplace violence, (3) business continuity, (4) insider threat, and (5) property crime.

We mention this because if you are going to be addressing crime problems you first need to know what they are. To make recommenda-tions and solve problems, you first have to make sure that you have correctly identified the issue.





If a security assessment is not completed to determine the root causes of a security issue or vulnerability, the security practitioner may sim-ply keep putting policies or procedures in place that address the symptoms and countermea-sures of a problem and not the actual problem itself. This will be a frustrating (and sometimes costly) situation that can be avoided if, before any action is taken, an assessment is completed by a knowledgeable security professional to accurately identify security vulnerabilities. This will ensure that the true issues and concerns are being addressed, not just the symptoms.

The most demanding problem for manag-ers and supervisors within a protection depart-ment is the physical security devices under his/ her control. The supervisor’s role should be to assist in enabling the manager to provide a level of support within the organization. Supervisors must take responsibility for corporate regula-tions, moral and ethical tone as well as provid-ing the required level of security and customer service required.

Managers work with budgets and other resources (equipment, uniforms, technology, software, etc.) to ensure that the protective mis-sion is achieved. Managers oversee processes (procedures) that accomplish organizational goals and objectives. Staff functions without a supervisory span of control over line employ-ees may be performed by managers. Training, technical support, auditing, etc., are staff func-tions. A manager coordinates activities rather than supervises them. Turnover and job rotation can create overall improvement and a challenge. Staying current on industry trends and events by reviewing news sources, trade publications, and webinars and sources such as ASIS International and others.

Active shooter/active assailant’s incidents, stabbings, and random unthinkable acts of violence are happening in our workplaces and on our televisions everyday. We cannot escape

these mindless crimes and thefts that impact every segment of the security management operation. “Security Matters” now more than ever! Trying to decide which security concepts are right for your organization is a daunting full-time task. However, I suggest that you start off with a professional security assessment, so you can identify your security needs.

This book is your road map to decoding and developing an effective security strategy beginning with the design build phase and addressing everything in between including life safety issues. The authors have the knowl-edge and experience to see these complicated and ever-changing security challenges from a unique and multifaceted viewpoint. They both share their insight with the reader and that is why every security practitioner needs to read this book. Most security books focus on one topic, i.e., Risk Analysis or Security Surveillance Systems (CCTV) and access con-trol. I love this text because it has so much material in it that we need to address our everyday problems.

Today’s security books are more and more complicated and technical. We, as practitioners must stay ahead of the curve, to keep up. Books like this, and those of Thomas Norman, CPP, David Paterson, CPP, Sandi Davis (Women in Security), James F. Broder, CPP, Michael Fagel PhD, and Dr Jennifer Hestermann are security professionals and future educators along with Larry Fennelly and Marianna Perry. Writing a book listing 150 things…etc., is not an easy task. I commend these authors and those that I men-tioned, for their vision and dedication that will keep us ahead of the curve.

Linda Watson, MA, CPP, CSC, CHS-V

Whirlaway Group LLC



We completed this book in about 6 months. Normally, this undertaking would take 18 months. We know that it is hard to believe, but it is true. We both know that the faster we could complete this book, get it published and into the hands of those who are responsible for those practitioners in security, then possibly the infor-mation will get out there and be of further help to our profession. This is basically a very hard book to finish. The first 35 are easy the next 35 are ok, then it gets harder and harder. We went through two drafts and then after having a strong handle on it, we keep adding and adding to the vari-ous pieces. A perfect example is the section on body cameras, I saw a report that was negative, then I found another report that was positive, so we add a piece I felt this was the best part of the book, because it was getting better and better.

Physical security is a big topic, cybercrimes and cyberterrorism, workplace violence, emer-gency management, and IT security issues will continue to be the top issues going forward.

Regulations and Compliances and security standards for your corporation will continue to be developed and aid in the improvement of your security assessment. Follow CPTED prin-ciples and security best practices and master plan development. After you have done so, call your local media to promote your accomplish-ments. Let the bad guys know that you take crime prevention and effective security at your school serious!

Times have changed and you must change as well, I was reading a deposition recently and the security manager said quote “We have been doing it this way for 30 years.” Of course, you have that is why a man died and your being sued.


Social media need to monitored and included in your assessment process.

We are concerned because we know that many of you do not have good security and do not have adequate security in place to pro-tect your assets. We are not advocating that you make your corporate or place of work a fortress into a cold, uninviting fortress. Instead, we want you to have not only a safe environment but also has effective security in place to address vulner-abilities and have continuous assessments to improve the process.

Enterprise risk management (ERM): (1) It looks at a holistic approach to ERM, which breaks down silos between physical and technological security and provides comprehensives risk management solutions. Eugene Ferraro recently said, (2) “We owe it not only to this country, but also to the free world, to think further ahead about future threats and what the solutions look like. And if we can reach consensus around these solutions, we will be in a better position to build them.”

We wish to sincerely thank all of our con-tributors who made this book possible. We truly believe that compiling the knowledge of many security professionals is a more comprehensive approach to addressing the issue of physical security. We thank you for your professionalism as well as your contributions to our profession.

Lawrence J. Fennelly

and Marianna A. Perry, CPP

1Enterprise Security Risks and Workplace Competencies, ASIS, University of Phoenix & Apollo Education Group, 2016.



This page intentionally left blank

image88.jpg image89.jpg



Encompassing Effective CPTED

Solutions in 2017 and Beyond:

Concepts and Strategies

Lawrence J. Fennelly, CPOI, CSSI, CHS-III, CSSP-1,

Marianna A. Perry, MS, CPP, CSSP-1

Deterrence’s, CPTED Design, Policies and

Procedures, Training Programs and Security

Awareness Programs. Thomas L Norman,

CPP, PSP, CSC 2016.



We are delighted to be a part of the series of white papers for School Dangers.Org. It is appropriate to say a few words about Tim Crowe and Crime Prevention through Environmental Design (CPTED), before you read our paper.

Tim Crowe wrote Crime Prevention Through Environmental Design (1991) based on a security assessment that he conducted for a school dis-trict in Florida. Tim’s book (which was updated and modernized by Lawrence Fennelly in 2013) was and is still considered a primary resource for crime prevention practitioners in the secu-rity industry to help them better understand the relationship between design and human behavior. CPTED is a proactive approach to

manipulate the ­physical environment and bring about the desired behavior of reduced criminal activity as well as reduced fear of crime. Tim Crowe and Larry Fennelly lectured for Rick Draper in Australia on the concepts of CPTED.

Tim Crowe’s comprehensive set of guide-lines were developed with one goal in mind— to reduce opportunities for crime in the built environment. His work is the “gold standard” for security practitioners and others who imple-ment CPTED concepts as a crime prevention tool. Crowe’s work is frequently used as a train-ing tool for law enforcement, town planners, and architects. These guidelines have been used in hundreds of training sessions and cited in numerous publications.

Tim Crowe was a professor at the National Crime Prevention Institute (NCPI) at the University of Louisville in Louisville, Kentucky. Marianna Perry is the former Director of NCPI and together both she and Tim have presented training sessions on CPTED.

Effective Physical Security, Fifth Edition



Copyright © 2017 Elsevier Inc. All rights reserved.


image92.jpg image93.jpg


We included this information because we want you to understand the origination of Tim Crowe’s work on CPTED.



The conceptual thrust of a CPTED program is that the physical environment can be manip-ulated to produce behavioral effects that will reduce the incidence and fear of crime, thereby improving the quality of life. These behavioral effects can be accomplished by reducing the propensity of the physical environment to sup-port criminal behavior. Environmental design, as used in a CPTED program, is rooted in the design of the human–environment relationship. It embodies several concepts. The term environ-ment includes the people and their physical and social surroundings. However, as a matter of practical necessity, the environment defined for demonstration purposes is that which has recog-nizable territorial and system limits.

The term design includes physical, social, management, and law enforcement directives that seek to affect positively human behavior as people interact with their environment.

Thus, the CPTED program seeks to prevent certain specified crimes (and the fear attendant on them) within a specifically defined environ-ment by manipulating variables that are closely related to the environment itself.

The program does not purport to develop crime prevention solutions in a broad uni-verse of human behavior but rather solutions limited to variables that can be manipulated and evaluated in the specified human/envi-ronment relationship. CPTED involves design of physical space in the context of the needs of legitimate users of the space (physical, social, and psychological needs), the normal and expected (or intended) use of the space (the activity or absence of activity planned for the space), and the predictable behavior of both legitimate users and offenders. Therefore, in

the CPTED approach, a design is proper if it recognizes the designated use of the space, defines the crime problem incidental to and the solution compatible with the designated use, and incorporates the crime prevention strategies that enhance (or at least do not impair) the effective use of the space. CPTED draws not only on physical and urban design but also on contemporary thinking in behav-ioral and social science, law enforcement, and community organization.



The continuum of space within a residential complex (that is, a property consisting of one or more buildings containing dwelling units and associated grounds or, more broadly, a neigh-borhood consisting primarily of residential uses) may be divided into four categories:

· Public. Space that, whatever its legal status, is perceived by all members of a residential area or neighborhood as belonging to the public as a whole, which a stranger has as much perceived right to use as a resident.

· Semipublic. Space accessible to all members of the public without passing through a locked or guarded barrier. There is thought to be an implied license for use by the public, and strangers will rarely be challenged. This is generally associated with multifamily housing.

· Semiprivate. Space restricted for use by residents, guests, and service people on legitimate assignments. In multifamily housing, this is usually secured by protection officers (or doormen), locks, or other

forms of physical barriers. Strangers can be expected to be challenged as potential trespassers.

· Private. Space restricted for use by residents of a single dwelling unit, their invited guests, and service people, with access

Target Hardening


generally controlled by locks and other physical barriers. Unauthorized use is always challenged when the opportunity for challenge presents itself.



The emphasis on design and use deviates from the traditional target-hardening approach to crime prevention. Traditional target harden-ing focuses predominantly on denying access to a crime target through physical or artificial barrier techniques (such as locks, alarms, fences, and gates). Target hardening often leads to con-straints on use, access, and enjoyment of the hardened environment. Moreover, the tradi-tional approach tends to overlook opportuni-ties for natural access control and surveillance. The term natural refers to deriving access control and surveillance results as a by-product of the normal and routine use of the environment. It is possible to adapt normal and natural uses of the environment to accomplish the effects of artifi-cial or mechanical hardening and surveillance. Nevertheless, CPTED employs pure target-hardening strategies either to test their effec-tiveness as compared with natural strategies or when they appear to be justified as not unduly impairing the effective use of the environment.

As an example, a design strategy of improved street lighting must be planned, efficient, and evaluated in terms of the behavior it promotes or deters and the use impact of the lighted (and related) areas in terms of all users of the area (offenders, victims, other permanent, or casual users). Any strategies related to the lighting strat-egy (e.g., block-watch or neighborhood watch, 911 emergency service, police patrol) must be evalu-ated in the same regard. This reflects the compre-hensiveness of the CPTED design approach in focusing on both the proper design and effective use of the physical environment. Additionally, the concept of proper design and effective use emphasizes the designed relationship among

strategies to ensure that the desired results are achieved. It has been observed that improved street lighting alone (a design strategy) is inef-fective against crime without the conscious and active support of citizens (in reporting what they see) and of police (in responding and conducting surveillance). CPTED involves the effort to inte-grate design, citizen and community action, and law enforcement strategies to accomplish surveil-lance consistent with the design and use of the environment.

CPTED Strategies

There are three overlapping strategies in CPTED (as shown in Fig. 1.1):

1. Natural access control

2. Natural surveillance

3. Territorial reinforcement

Access control and surveillance have been the primary design concepts of physical design programs. At the outset of the CPTED program, access control and surveillance systems— preexisting as conspicuous concepts in the field of CPTED—received major attention. Access control and surveillance are not mutu-ally exclusive classifications since certain


FIGURE 1.1 Overlapping strategies in CPTED.

image98.jpg image99.jpg


strategies achieve both, and strategies in one classification typically are mutually support-ive of the other. However, the operational thrust of each is distinctly different, and the differences must be recognized in performing analysis, research, design, implementation, and evaluation.

Access control is a design concept directed primarily at decreasing crime opportunity. Access control strategies are typically classified as organized (e.g., security officers), mechanical (e.g., locks, lighting, and alarms), and natural (e.g., spatial definition). The primary thrust of an access control strategy is to deny access to a crime target and to create a perception of risk in offend-ers. Surveillance is a design concept directed pri-marily at keeping intruders under observation. Therefore, the primary thrust of a surveillance strategy is to facilitate observation, although it may have the effect of an access control strategy by effectively keeping intruders out because of an increased perception of risk. Surveillance strate-gies are typically classified as organized (e.g., police patrol), mechanical (e.g., lighting, locks, and alarms), and natural (e.g., windows).

Photos 1.1–1.3 reflect good natural surveillance.

Traditionally, access control and surveillance, as design concepts (Fig. 1.2), have emphasized mechanical or organized crime prevention techniques while overlooking, minimizing, or ignoring attitudes, motivation, and use of the physical environment. More recent approaches to physical design of environments have shifted the emphasis to natural crime prevention tech-niques, attempting to use natural opportunities presented by the environment for crime preven-tion. This shift in emphasis led to the concept of territoriality.

The concept of territoriality (elaborated most fully to date in the public housing environment) suggests that physical design can contribute to a sense of territoriality. That is, physical design can create or extend a sphere of influence so that users develop a sense of proprietorship—a sense


image100.jpg image101.jpg




Target Hardening



FIGURE 1.2 Typical access control and surveillance concepts as well as classifications.


PHOTO 1.4 Reflects physical design based on territoriality.

of territorial influence—and potential offenders perceive that territorial influence (Photo 1.4).

At the same time, it was recognized that natural access control and surveillance con-tributed to a sense of territoriality, making it effective for crime prevention. Natural access control and surveillance will promote more responsiveness by users in protecting their ter-ritory (e.g., more security awareness, reporting, and reacting) and promote greater perception of risk by offenders.


Finally, care and maintenance allow for the continued use of a space for its intended

purpose, as well as contributing to territorial reinforcement. Deterioration and blight indi-cate less concern and control by the intended users of a site and indicate a greater tolerance of disorder. Proper maintenance protects the public health, safety, and welfare in all exist-ing structures, residential and nonresidential, and on all existing premises by establishing minimum standards, best practices, as well as a master plan. Maintenance is the respon-sibility of the facilities manager, owners, and occupants.

Furthermore, the effort to achieve a bal-ance between design for crime prevention and design for effective use of environments con-tributed to the shift in focus from organized and mechanical strategies per se to natural strategies. This was because natural strate-gies exploited the opportunities of the given environment both to naturally and routinely facilitate access control and surveillance and to reinforce positive behavior in the use of the environment. The concept reflects a prefer-ence, where feasible, to reinforce existing or new activities, or to otherwise reinforce the behavior of environment users so that crime prevention flows naturally and routinely from the activity being promoted.

The conceptual shift from organized and mechanical to natural strategies has

image105.jpg image106.jpg



PHOTO 1.5 Reflects mechanical layout of mounted cam-

PHOTO 1.6 Can you see the man hiding in the bushes?

era with street light and roof lighting.

oriented the CPTED program to develop plans that emphasize natural access control and surveillance and territorial reinforcement (Photo 1.5).

Although conceptually distinct, it is impor-tant to realize that these strategy categories tend to overlap in practice. It is perhaps most use-ful to think of territorial reinforcement as the umbrella concept, comprising all natural sur-veillance principles, which in turn comprises all access control principles. It is not practical to think of territorial reinforcement, natural surveillance, and access control as independent strategies because, for example, access control operates to denote transitional zones, not neces-sarily impenetrable barriers. If these symbolic or psychological barriers are to succeed in control-ling access by demarcating specific spaces for specific individuals, potential offenders must perceive that unwarranted intrusion will elicit protective territorial responses from those who have legitimate access. Similarly, natural sur-veillance operates to increase the likelihood that intrusion will be observed by individuals who care but are not officially responsible for regu-lating the use and treatment of spaces. If people observe inappropriate behavior but do nothing about it, then the most carefully planned natural surveillance tactics are useless in terms of stop-ping crime and vandalism (Photo 1.6).

The Three-D Approach 1

For CPTED to be a success, it must be under-standable and practical for the normal users of the space. That is, the normal residents of a neigh-borhood and the people who work in buildings or commercial areas must be able to use these concepts. Why? Because these people know more about what is going on in that environment and they have a vested interest (their own well-being) in ensuring that their immediate environment operates properly. The technologist or specialist, who may be a traffic engineer, city planner, archi-tect, or security specialist, should not be allowed to shoulder the responsibility alone for safety and security. The specialist needs to follow the dic-tates of the users of the space because he/she can often be swayed by misperceptions or by the con-flicting demands of his professional competition.

The Three-D approach to space assessment provides a simple guide for the layperson to use in determining the appropriateness of how his/ her space is designed and used. The Three-D concept is based on the three functions or dimen-sions of human space:

1. All human space has some designated purpose.

1 Crowe TD, Fennelly LJ. Crime prevention through environmental design. 3rd ed. Elsevier Publishers; 2013.

Target Hardening


2. All human space has social, cultural, legal, or physical definitions that prescribe the desired and acceptable behaviors.

3. All human space is designed to support and

control the desired behaviors.

By using the Three Ds as a guide, space may be evaluated by asking the following types of questions.


· What is the designated purpose of this space?

· What was it originally intended to be used for?

· How well does the space support its current use and its intended use? Is there conflict?


· How is the space defined?

· Is it clear who owns it?

· Where are its borders?

· Are there social or cultural definitions that affect how that space is used?

· Are the legal or administrative rules clearly set out and reinforced in policy?

· Are there signs?

· Is there conflict or confusion between the designated purpose and definition?


· How well does the physical design support the intended function?

· How well does the physical design support the definition of the desired or accepted behaviors?

· Does the physical design conflict with or impede the productive use of the space or the proper functioning of the intended human activity?

· Is there confusion or conflict in the manner in which the physical design is intended to control behavior?


The three CPTED strategies of territorial rein-forcement, natural access control, and natural surveillance are inherent in the Three-D concept.

Does the space clearly belong to someone or some group? Is the intended use clearly defined? Does the physical design match the intended use? Does the design provide the means for normal users to naturally control the activities, to con-trol access, and to provide surveillance? Once a basic self-assessment has been conducted, the Three Ds may then be turned around as a simple means of guiding decisions about what to do with human space. The proper functions have to be matched with space that can support them— with space that can effectively support territorial identity, natural access control, and surveillance and intended behaviors have to be indisputable and be reinforced in social, cultural, legal, and administrative terms or norms. The design has to ensure that the intended activity can function well and it has to directly support the control of behavior.

Examples of Strategies in Action

There are hundreds of examples of CPTED strategies in practice today. In each example, there is a mixture of the three CPTED strate-gies that is appropriate to the setting and to the particular security or crime problem. Some of the examples were created in the direct applica-tion of CPTED concepts. Others were borrowed from real-life situations. The common thread is the primary emphasis on naturalness—simply doing things that you already have to do but doing them a little better.

Some examples of CPTED strategy activities are:

· Providing clear border definition of controlled space;

· Providing clearly marked transitional zones that indicate movement from public to semipublic to private space;

· Relocating gathering areas to locations with natural surveillance and access control, or to locations away from the view of would-be offenders;

image108.jpg image109.jpg


· Placing safe activities in unsafe locations to bring along the natural surveillance of these activities to increase the perception of safety for normal users and risk for offenders;

· Placing unsafe activities in safe spots to overcome the vulnerability of these activities with the natural surveillance and access control of the safe area;

· Redesignating the use of space to provide natural barriers to conflicting activities;

· Improving the scheduling of space to allow for effective use and appropriate critical intensity;

· Redesigning space to increase the perception or reality of natural surveillance;

· Overcoming distance and isolation through improved communication and design efficiencies.

Use of Information

It goes without saying that all important deci-sions should be based on good information. Especially where the design and use of the physi-cal environment is at stake, it is imperative that at least five basic types of information be collected and used. Unless a rational basis is used to make informed decisions, the same mistakes that gener-ated the original problem will continue to be made.

The five basic types of information needed for good CPTED planning are crime analysis information, demographic information, land use information, observations, and resident or user interviews. This information does not have to be sophisticated. It exists in a fundamental form in every community or location. Moreover, unless it can be presented in its most basic form, it is of little value. For instance, very little can be done with a statistical measure that says burglaries are up by 5%. Much more can be done with a crime map that shows a clustering of burglaries in a specific block.

Even more can be done when one finds that the burglar used an alleyway as his/her approach to a series of related offenses because it afforded a good cover for his vehicle.

The other bits of information that are needed should be available in simple, usable formats.

Following is a simple guide to each type of information:

· Crime analysis. This type of information is available in every police department; it is obtained by plotting offenses on a wall map and organizing the information on crime reports for the major purpose of identifying patterns of criminal activity. There are two basic types of patterns: geographic and similar offense.

· Demographic. This is information that describes the nature of the population for a given

city, district, or neighborhood. It is available through city planning departments or the city manager’s or mayor’s office. Another source of this type of information is the Census Bureau and the city and county data books that may be found in most public libraries.

· Land use. City planning departments, zoning boards, traffic engineering councils, and local councils of government have information and maps that describe

and depict the physical allocations and uses of land. Simple wall maps with colored sections showing residential areas, commercial areas, industrial areas, parks, schools, and traffic flows can be of immeasurable assistance in understanding the physical setting. Natural boundaries and neighborhoods are easier to visualize on such maps, especially in relation to land use and pedestrian and traffic flows.

· Observations. It is very helpful to conduct either formal or informal visual reviews of physical space to get first-hand knowledge of how, when, and by whom that space is used and where problems may arise.

· Environmental cues are the key to normal user and offender behavior.

· Observations may include pedestrian/ vehicle counts, on- and off-street parking, maintenance of yards and fences, the degree of proprietary behaviors prohibited by residents and/or users, the presence of either controlling or avoidance behaviors,

Target Hardening


and other potential indicators of territorial concern such as the percentage of window blinds drawn in homes and businesses overlooking parks or schools.

· Resident or user interviews. This source of information is needed to balance the other data sources. People’s perceptions of where they feel safe and where they feel endangered often vary from the locations on crime maps where the most offenses occur. It is vital to determine the residents’ or users’ perceptions and extent of identity with the surrounding space, what affects their behavior or reactions as they move about, and what they think the needs are. Any attempt to skip the basics in favor of more complex forms of information gathering or analysis often obscures the picture. Professionals often suppress the active participation of residents or space users by relying on complex modes of analysis. This is dangerous because it can cause

some very basic ideas or explanations to be overlooked. It is axiomatic that very little good will be accomplished without the full and active involvement of the users of space.

Some Benefits of CPTED Planning


In addition to dealing with the reduction of crime and fear problems, other benefits of CPTED planning include the following:

· Treatment of crime problems at various environmental scales. The CPTED process for identifying crime/environment problems; selecting CPTED strategies; and initiating, implementing, and evaluating anticrime projects can be applied to entire neighborhoods or types of institutional settings within a city, such as secondary schools, or the process can be applied equally well to a small geographic area or to one particular institution.

· Integration of prevention approaches. CPTED principles are derived from an opportunity model of criminal behavior that assumes that

the offender’s behavior can be accounted for by understanding how, and under what circumstances, variables in the environment interact to induce crime. Once an assessment of the opportunity structure is made, then appropriate strategies can be designed and integrated into a coordinated, consistent program.

· Identification of short- and long-term goals. Comprehensive broad-based programs like CPTED have ultimate goals that may take years to accomplish. Unlike CPTED, however, many programs fail to develop short-term

or proximate goals and adequate ways to measure their success. The CPTED approach includes an evaluation framework that details proximate goals relating to increased access control, surveillance, and territorial reinforcement. The rationale is that the ultimate program success is directly related to its success in achieving the proximate goals.

· Encouragement of collective responses to problems. The CPTED emphasis is on increasing the capacity of residents to act in concert rather than individually. Strategies are aimed at fostering citizen participation and strengthening social cohesion.

· Interdisciplinary approach to urban problems. An explicit policy of interdisciplinary teaming ensures effective cooperation among diverse city departments such as public works, social services, economic development, police,

and so forth. Each participant benefits from exposure to the responsibilities, jurisdiction, and skills of the others.

· Encouragement of better police/community relations. A key strategy is to coordinate law enforcement and community service activities with the result of improving police/community relations and developing an anticrime program that is not solely dependent on enforcement agencies.

· Development of security guidelines and standards. CPTED programming can lead to the creation of security criteria for newly constructed or

image110.jpg image111.jpg


modified environments to avoid planning and design decisions that inadvertently provide opportunities for crime.

· Assistance in urban revitalization. Through its impact on physical, social, and economic conditions, CPTED can be instrumental

in revitalizing communities including downtown areas. Once business leaders, investors, and other citizens perceive that a comprehensive effort is underway to reduce crime and fear, there will be an improvement in community identity and cohesiveness.

· Acquisition of development funds. The incorporation of CPTED into existing programs can provide additional jurisdiction for awarding grants, loans, and community development funds.

· Institutionalization of crime prevention policies and practices. CPTED projects can create a local management capability and expertise to maintain ongoing projects. This capability can be incorporated into existing citizen organizations or municipal agencies.

An Ounce of Prevention: A New Role for Law Enforcement Support of Community Development

Public/private sector partnerships enhance public safety by sharing information, mak-ing the community more aware of threats and involving them in the problem-solving pro-cess. Collaboration is a key word for partner-ships because all partners must recognize that their goals or missions overlap and they work together to share resources and achieve com-mon goals. The added value of public–private sector partnerships is the cross-transfer of skills, knowledge, and expertise between the public and the private sectors.2 For a partnership to be successful, each partner has to understand the value they will gain from participating. Successful partnerships involve partners that

are committed to working together to achieve common goals—building the community. There are a number of compelling reasons for law enforcement to be involved in CPTED aside from the formulation of partnerships:

1. CPTED concepts have been proved to enhance community activities while reducing crime problems.

2. CPTED concepts are fundamental to traditional law enforcement values in terms of helping the community to function properly.

3. CPTED requires the unique information sources and inherent knowledge of the community that is endemic to the law enforcement profession.

4. CPTED problems and issues bear a direct relationship to repeat calls or service and to crime-producing situations.

5. CPTED methods and techniques can directly improve property values, business profitability, and industrial productivity,

thereby enhancing local tax bases.

Law enforcement agencies, regardless of size, must be involved formally in the review and approval process of community and busi-ness projects. Their participation must be active and creative, rather than passive and reactive. Moreover, any such involvement should not be understood to expose the agencies to possible litigation, since it is the role of law enforcement in CPTED to provide additional information and concerns that may not have occurred to the persons who are responsible (and qualified) for making changes to the environment. The expres-sion, “Pay me now, or pay me later,” conveys the idea that the early involvement of a knowledge-able law enforcement agency in the conceptual-ization and planning of community projects can lead to improvements in the quality of life and to reductions in the fear and incidence of crime. This early involvement is one of the most cost-effective methods of crime prevention.3

2 http://it.ojp.gov/documents/d/fusion_center_ 3 Crowe TD, Fennelly LJ. Crime prevention through

guidelines.pdf. environmental design. 3rd ed. Elsevier Publishers; 2013.

Questions to be Answered During an Assessment




During a CPTED assessment, focus on the CPTED principles of:

Natural surveillance

Access management


Physical maintenance

Order maintenance

Activity support

Be sure that you notice positive attributes of the area while identifying needed changes or improvements. Logically organize your obser-vations and recommendations.



· Are there casual surveillance opportunities? If not, can they be added?

· Is there sufficient lighting for all vehicular and pedestrian pathways and activity areas used during hours of darkness (Photo 1.7)?

· Is there sufficient activity lighting indoors and is it supplemented by sources of natural light? Is there emergency lighting?


PHOTO 1.7 Reflects a lack of landscape maintenance.

· Is access managed? If not, what combination of strategies could be used to better manage access?

· Are all spaces designated and delineated for specific use? If not, can they be?

· Are there conflicts between uses?

· Is there sufficient capacity? Is crowding creating tension, fear, or potential dangers?

· Are there expressions of pride and ownership (territoriality)? Can they be increased?

· Are all areas well maintained—kept clean and functional with no needed repairs or replacements? If not, when were they last maintained?

· Are rules of conduct communicated? Enforced?

· Are there supporting activities that enhance surveillance, access management, and social order? If not, can they be added?

· Are the grounds legible? Is it easy to understand where you are at any given point? Is it obvious which path or direction you need to take to arrive at a desired location?

· Does the landscaping enhance the ability to read the site? Does it provide shade and buffering where needed? Does it provide an aesthetic quality? Is it accessible? Is it healthy and well maintained? Is it a problem?

· How do the site users behave? Is there respect for the environment? Are there areas where tensions and disorder are common?

· Is there graffiti or other signs of vandalism?

· Is there CCTV or video surveillance? If so, are they placed in prime locations? Are there other means of surveillance?

· Are there successful CPTED applications already in place? If so, take note and use them as positive examples.5

Surrounding Neighborhood

· Adjacent land uses

· Condition of adjacent streets and properties

· Traffic patterns and volumes on adjacent streets

4 www.popcenter.org/tools/cpted/. 5 http://cptedsecurity.com/cpted_design_guidelines.htm.

image114.jpg image115.jpg


· Pedestrian crossing safeguards (marked crossings, traffic lights)

· Recommendations for improvements

Perimeter and Points of Entry

· First impressions on approaching the site/ location

· Walls and/or fencing

· Type, location, hours of operation, and users

· Special staff and/or visitor access points

· Sign(s) that identify the site/location, welcome visitors, and information about special visitor parking and entry

· Signs and/or maps to guide visitors to special parking and entry

· Signs and/or pavement markings to guide vehicles

· Surveillance opportunities from interior spaces

· Landscaping and cleanliness (Photo 1.8)

· Lighting

· Recommendations for improvements.

Vehicular Travel Routes and Parking


· Motor vehicle traffic patterns, including bus and student drop-off/pickup loops in school applications (Photo 1.9)


· Signs and/or maps to guide visitors to appropriate parking and entry locations

· Sign(s) to identify visitor parking

· Surveillance of parking lots from interior spaces

· Lighting

· Recommendations for improvements.

Pedestrian Travel Paths and Gathering


· Pedestrian routes to and from building(s)

· Pedestrian crosswalk markings or designated pedestrian routes

· Signage, landscaping, and/or landmarks to guide pedestrians

· Surveillance of walkways and exterior corridors

· Formal and informal gathering areas



CPTED Survey for Colleges and Universities:


· Lighting

· Recommendations for improvements.

Building Exteriors and Grounds

· Aesthetics, building design, location, and security of windows and doors

· Surveillance capability both natural and mechanical

· Hidden nooks and alcoves

· Use of mirrors and/or CCTV, security surveillance systems

· Cleanliness and landscaping

· Lighting

· Recommendations for improvements.

Building Interiors

· External and/or internal surveillance capability

· Access management (observed versus policy and procedure)

· Hidden nooks and alcoves in corridors, stairwells, and special use areas

· Use of mirrors and/or CCTV/video surveillance

· Restrooms

· Alarmed areas

· Cleanliness, maintenance, and other territorial reinforcement

· Natural, artificial, and emergency lighting

· Recommendations for improvements.

Maintenance and Delivery Areas

· Access doors, location, and surveillance opportunities

· Security and access management during delivery/maintenance

· Dumpster/trash location(s)

· Storage of fuels and chemicals

· After-hours use

· Recommendations for improvements.






1. Poor visibility at entry to campus

2. Easy vehicular access onto campus

3. No clear boundary separating the campus from public property

4. Inadequate distance between campus buildings and neighbors

5. Exterior doors to buildings unlocked 24/7

6. Areas and buildings on campus hidden by landscaping or vegetation

7. School adjacent to traffic hazard

8. Portions of buildings or campus inaccessible to emergency vehicles

9. Secluded hangout areas on campus

10. No safety/security awareness program for students, faculty, and staff

11. Perimeter of campus not visible from streets

12. No barriers between parking and lawn

13. Gravel in parking area

14. Dangerous traffic routes or patterns on campus

15. Enclosed courtyard that offers concealment to criminals

16. High parapets on buildings that hide criminals

17. No security officers on site for access control or patrol duties

18. No “escort to vehicle” program during darkness

19. Inadequate lighting on campus

20. No lighting maintenance plan to repair or replace nonoperational lights

21. Crime magnet or hangout located close to campus

22. No vegetation/landscape planting and maintenance program

23. Benches on campus that can be used for sleeping by homeless individuals

image119.jpg image120.jpg


24. Faculty, staff, and students not displaying ID badges

25. Bollards not used to prevent vehicles from driving on sidewalks

26. No cameras or video surveillance program

27. Exterior doors in dorms propped open

28. Courtesy desk at entrance to dorms not staffed 24/7

29. Parking areas that are not clearly visible from buildings

30. No signage on campus.


The following are some environmental prob-lems and issues (as well as recommendations) that may be documented in part of a CPTED assessment:

· One-way street systems have been found not only to improve traffic flow but also to create dead zones for business, with resulting crime or fear of crime that deters development efforts.

· Through traffic in neighborhoods has been found to be detrimental to residential housing values, stability, and crime rates.

· Downtown projects continue to fail by making fundamental errors that reduce natural surveillance and natural access control, resulting in the loss of desired users and domination by unwanted users.

· Fortress effects are produced by designers of convention centers, hotels, banks, senior citizen housing, and parking lot structures.

These destroy the surrounding land uses and create a “no-man’s land.”

· Bleed-off parking enhances conflict between commercial and residential uses; both lose.

· Design and management can actually reduce business and increase victimization of employees and customers.

· Mall and major event facility parking areas with poorly planned access control and

layout can produce traffic congestion and become magnets for undesirable activity.

· School and institutional designs can inadvertently create dysfunctional areas where surveillance is impossible, resulting in increased behavioral and crime problems and overall impediments to successful operations (e.g., students’ achievement in schools).

· Public housing and affordable housing can become projects that serve as magnets for transients, as opposed to local poor, with further detrimental effects on existing neighborhoods.


Nearly every environmental situation or loca-tion is amenable to the application of CPTED concepts. The law enforcement agency can assist in asking the right questions and supplying the right kind of information to help the community to make more informed decisions.

CPTED adds a new dimension by incorpo-rating these elements into space design and management:

· Natural access control. Your space should give some natural indication of where people are allowed and are not allowed. Do not depend just on locks, alarms, surveillance systems, and security officers but make security part of the layout (see later section on landscape security).

· Natural surveillance. Again, traditional factors like good lighting are important, but do not overlook a natural factor such as a strategically placed window or the placement of an employee work station.

· Territorial reinforcement. This is an umbrella concept, embodying all natural surveillance and access control principles. It emphasizes the enhancement of ownership and proprietary behaviors.


CPTED proposes that the proper design and effective use of the built environment can lead to a reduction in the opportunity, fear, and incidence of predatory stranger-to-stranger-type crime, as well as result in an improvement of the quality of

Psychological Properties


life (NCPI, 2008). Crime prevention design solu-tions should be integrated into the design and function of the buildings, or at least the location where they are being implemented.

In his writings on CPTED, Tim Crowe stated“… It is clear that light affects human behavior and too much or too little light will have different effects. It is now generally accepted that performance improves and fatigue levels drop in direct propor-tion to increased levels of light, but it also relates to the work or play environment.”6

The ancient field of chromotherapy, or photobiology as it is now called, is making a comeback because many scientists believe that color and light can affect health and behavior. Richard J. Wurtman, a nutritionist at the Massachusetts Institute of Technology, states that light is the most important environ-mental input, after food in controlling bodily function.7

Many psychologists believe that light has a tremendous influence on human behavior. There is a level of light that people experience as the most pleasant. Brightly lit rooms are more arousing than dimly lit rooms. Light also influences the image of a retail store as shop-pers look at and scrutinize merchandise to purchase.

CPTED principles were founded not only on social interactions, criminology, and archi-tecture but also on the psychological impact of the principles. Colors have a physical aspect in security, i.e., assisting in way finding and mov-ing people to safer locations, proper entrances, etc., and also a psychological impact. Security practitioners do well in applying the physical aspect of color such as using lighter colors to reflect more light but not very well at consid-ering the emotions evoked from a particular

6 Crowe TD, Fennelly LJ. Crime prevention through environmental design. 3rd ed. Elsevier Publishers; 2013.

7 http://www.nytimes.com/1982/10/19/science/ color-has-a-powerful-effect-on-behavior-researchers- HYPERLINK "http://www.nytimes.com/1982/10/19/science/color-has-a-powerful-effect-on-behavior-researchers-assert.html" assert.html.

color. Many security practitioners believe that the use of color may be one aspect to consider for preventing crime and may have a positive impact on workplace violence, school safety, and a number of other applications. Any designer or interior decorator can tell you how important color is for setting the mood for an environment. Experiments have shown that different colors affect blood pressure, pulse, and respiration rates, as well as brain activity and biorhythms.8




Red—Red is a powerful color. Its effect is physical, strong, and basic. Red is stimulating and lively as well as friendly.

Positives: physical, courage, strength, warmth, energy, basic survival, fight or flight, stimulation, masculinity, excitement.

Negatives: defiance, aggressive and aggression, visual impact, strain.

Blue—Blue is the color of the mind and is essentially soothing. It affects us mentally, rather than like the physical reaction we have to red. Strong blues will stimulate clear thoughts and lighter, soft blues will calm the mind and aid concentration. The world’s favorite color is blue, but it can be perceived as cold, unemotional, and unfriendly.

Positives: intellectual, communication, trust, efficiency, serenity, duty, logic, coolness, reflection, calm.

Negatives: coldness, aloofness, lack of emotion, unfriendliness.

Yellow—The yellow wavelength is relatively long and essentially stimulating. The wrong

8 Ibid.

9 http://www.colour-affects.co.uk/psychological- HYPERLINK "http://www.colour-affects.co.uk/psychological-properties-of-colours" properties-of-colours.

image122.jpg image123.jpg


color scheme with yellow can cause fear and anxiety.

Positives: emotional, optimism, confidence, self-esteem, extraversion, emotional strength, friendliness, creativity. Negatives: irrationality, fear, emotional fragility, depression, anxiety, suicide.

Green—If a green color scheme is used incorrectly it can indicate stagnation.

Positives: harmony, balance, refreshment, universal love, rest, restoration, reassurance, environmental awareness, equilibrium, peace.

Negatives: boredom, stagnation, blandness, enervation.

Violet—The excessive use of purple can bring about too much of the wrong tone faster than any other color if it communicates something cheap and nasty.

Positives: spiritual awareness, containment, vision, luxury, authenticity, truth, quality. Negatives: introversion, suppression, inferiority.

Orange—Orange focuses our minds on issues of physical comfort—food, warmth, shelter, and sensuality. It is a fun color. Too much orange suggests a lack of serious intellectual values.

Positives: physical comfort, food, warmth, security, sensuality, passion, abundance, fun.

Negatives: introversion, decadence, suppression, inferiority.

Black—Black is all colors, totally absorbed. It creates barriers, as it absorbs all the energy coming toward you. Black is the absence of light. Many people are afraid of the dark. In cowboy movies, the good guys wear what color hats? The bad guys wear what color hats? We wear a black tie to a funeral. We wear black to look thinner; however, in 2016 a fashion designer stated multicolor clothing was the way to go. Black race horses look faster.

Positives: sophistication, glamor, security, emotional safety, efficiency, substance.

Negatives: oppression, coldness, menace, heaviness.

Gray—The heavy use of gray usually indicates a lack of confidence and fear of exposure.

Positives: psychological neutrality.

Negatives: lack of confidence, dampness, lack of energy, depression, hibernation.

Pink—Being a tint of red, pink also affects us physically, but it soothes rather than stimulates. Pink is a powerful color, psychologically.

Positives: physical comfort, food, warmth, security, sensuality, passion, abundance, fun.

Negatives: inhibition, emotional claustrophobia, emasculation, physical weakness.

White—White is total reflection. It reflects the full force of the spectrum to the eyes. White is purity, the negative effect of white on warm colors is to make them look and feel garish.

Positives: hygiene, sterility, clarity, purity, cleanness, simplicity, sophistication, efficiency.

Negatives: sterility, coldness, barriers, unfriendliness, elitism. White is total reflection.

Brown—Brown usually consists of red and yellow with a large percentage of black.

Positives: seriousness, warmth, nature, earthiness, reliability, support. Negatives: lack of humor, heaviness, lack of sophistication.

At a local bank, we noticed the warm color scheme of the bank interior and the lighting lev-els were designed to help customers feel safe and comfortable. We could tell that someone had certainly done their homework. Additionally, the bank manager was in the lobby greeting customers. The comfort zone they were hop-ing for definitely worked. They earned an A+! Many hospitals and other medical facilities use green as an interior color to project calmness

CPTED Landscape Security Recommendation


and relaxation to help patients feel less nervous and anxious.

When discussing the psychology of color, remember that blue and green have a relaxing effect, whereas red and orange are stimulating. Warm colors are perceived as being protective and clear and saturated colors are experienced as more pleasant. Dark colors are perceived as more dominant and more strongly suggest hos-tility and aggression. The psychology of color is complex. There are differing opinions about color as well as scientific research on colors and the combinations of colors.

CPTED involves the design of physical space in the context of the needs of legitimate users of the space (physical, social, and psy-chological needs), the normal and expected (or intended) use of the space (the activity or absence of activity planned for the space), and the predictable behavior of both intended users and offenders. Therefore, in the CPTED approach, a design is proper if it recognizes the designated use of the space, defines the crime problem incidental to and the solu-tion compatible with the designated use, and incorporates the crime prevention strategies that enhance (or at least do not impair) the effective use of the space.

Kerry Kirpatrick, the Social Media Director for Buildings Magazine, stated that research has revealed that increased productivity is a benefit of green buildings through a study that was designed to reflect indoor environments encountered by large numbers of people every day. “These findings have far ranging implica-tions for worker productivity, student learning, and safety.”10

The ceiling of parking garages should be painted white as to get the best reflection possible from lighting. Consider LED lighting because it is the most cost-effective. Also, painting the walls white will enhance the effect and strength of not only the CPTED principle of surveillance but also that

of access control (due to visual sense of place) and maintenance, as related in the “broken windows theory”11 of crime and disorder. Additionally, placement of lighting must be carefully considered in conjunction with video surveillance to avoid conflicting uses, obscuring or making images undetectable due to glare and possible “hot spots” when using warm lighting sources.

Street lighting can have an effect on perceived personal safety and reduce the fear of becoming victimized in a particular environment. Street light-ing is generally seen as the most important physi-cal feature of an environment to affect perceived personal safety. The general consensus is that ade-quate street lighting can reduce crime rates and also reduce the fear of crime. Consideration must again be given to the environment addressed and its intended use. Overlighting or too much light in a neighborhood may have a negative consequence on the surveillance principle of CPTED by result-ing in residents closing their blinds to block out the offending, trespassing light and limiting natural surveillance.




Utilizing adequate lighting, walkways and entryways to buildings should be clearly vis-ible for members of the community. Landscape should be maintained to minimize obstacles to clear observability and places of concealment for potential assailants. This is achieved by trimming bushes to 36 inches in height and tree branches to 8 feet from the ground.

Sidewalks, streets, and parking lots must be clean (power washed) and free of graffiti. Ensure that there is proper signage and ade-quate lighting.

Parks should have a 360-degree view of the area and park benches should be designed

11 http://www.britannica.com/topic/broken-windows-

10 http://energyalliancegroup.org/author/kerry/. theory.

image125.jpg image126.jpg


to not allow someone to sleep on the bench. Create a venue for after-school activities that encourage youth to take ownership of the space for socializing, such as small shel-ter areas with cell phone chargers and Wi-Fi access.

Signage plays an important role in park secu-rity. There should be signs indicating the hours the park is open and rules for those utilizing the space. Proper signage removes the excuses for unacceptable behavior, draws attention to the illegitimate activity, and legitimizes police involvement, thus making the violation of the information on the posted signs an excellent crime prevention tool.

There is a vast array of traffic calming devices, such as speed bumps and raised cross-walks. These areas should be painted yellow and proper signage posted. At the entrance to neighborhoods or communities, post neighbor-hood watch or block watch signs.

Eliminate “hot spots” by planting thorny bushes (barberry, holly, etc.) in problem areas. Use boulders or bollards to control vehicular access (see Photo 1.9). Consider adding com-munity art or sculptures, which not only control access but also reinforce the purpose by giving implied ownership to the artists.

Perimeter fencing should be between 6 and 8 feet tall with three strands of barb wire on the top for a total of 7–9 feet in height. We would not recommend this unless it was a large prop-erty and the perimeter was a significant distance from the business or facility. Careful consider-ation to the type of fencing, the desired impact (boundary definition vs. security), and the loca-tion of the facility (rural vs. urban) must be taken into account and there should be at least 10 feet of clear space on both sides of the fence (Photo 1.10).

LED lighting is cost-effective and should meet lighting standards and guidelines for brightness but may not serve all applications best.

Bus stops should be located in an area where an open business is in clear observation of

PHOTO 1.10

image127.jpg image128.jpg

PHOTO 1.11

the stop. Alternatively, this problem may be addressed by contacting the school or bus com-pany to monitor the space via video surveillance.

Do not allow tagging or graffiti in public spaces. Consider the use of paint or coatings that will allow for easy removal of graffiti. All graf-fiti or tagging should be removed within 24 h (Photo 1.11).

“Hot spots” need to be eliminated. If they cannot be completely eliminated, develop

12 http://www.policechiefmagazine.org/magazine/ index.cfm?fuseaction=display_arch&article_id=902& issue_id=52006.

CPTED Landscape Security Recommendation


a program to keep unauthorized users or unwanted individuals out of the area.

Community policing programs, including the formulation of public–private sector partner-ships12 can be used to fight disorder and crime.

Vacant lots are best monitored by citizens that we give “ownership” of them. One example is a place in Richmond, Virginia, where a com-munity flower garden was placed. People who worked in the garden monitored the space. Another option is for the city to share the prop-erty via giving the lot to Habitat for Humanity to build a structure on within a given time frame, thus resulting in tax revenue. Inspections from local government agencies can also result in the owners of vacant property being held respon-sible for the upkeep of the property or pay fines for noncompliance.

Redesign properties using CPTED principles to make them more crime resistant by reducing the criminal opportunity within the community.

There are some properties, such as Health & Urban Development (HUD) properties, that may need a higher level of protection, such as addi-tional lighting and surveillance systems. Law enforcement support is also needed as to address specific issues and to support a safe community.

Locate open spaces and recreational areas in neighborhoods so they are visible (natu-ral surveillance) from nearby homes and the street. Avoid landscaping that might create blind spots or hiding places. Make sure there is effective lighting. Design streets to discourage cut through or high-speed traffic using “traffic calming” measures. Join or start a neighborhood watch in your neighborhood.

In apartment buildings, ensure that interior hallways are well lit with a secure front door. Install good-quality deadbolt locks and peep-holes on unit doors. Provide a secondary locking device to any sliding glass doors, windows on ground floor, and fire escapes. Provide a com-mon space in central locations to encourage ten-ant interaction. Join or start an apartment watch or neighborhood watch in your building.

For retail businesses, locate checkout coun-ters near the front of the store, clearly visible from outside. Window signs should cover no more than 15% of the windows to provide clear visibility into and out of the store. Use shelving and displays no higher than 4 inches to help see who is in the store. Avoid creating outdoor spaces that encourage loitering. Install mirrors at strategic locations as well as a security sur-veillance system.

Measuring and Evaluation of CPTED

Very little has been written on how to mea-sure the effectiveness of your CPTED program. Some work has been done in 2005—see refer-ences for this material.

Let us call the site in question “the complex” since CPTED covers the full spectrum.

You get 3 years of data from the local police department and from the complex. After a full assessment and review of the natural surveil-lance (landscape security) and natural access and territoriality, the complex hardens the target.

The job of security now must change to be more proactive. In the past crimes of the past 3 years are to be addressed and programs such as awareness or neighborhood are imple-mented followed by security making monthly reports on the status of aspects of physical security.


· Become aware of your community and who the strangers are. The guy walking down the street with the black dog. Who is he?

· Look for signs of behavior that does not fit the normal pattern. “Can I help you?” you ask. Now evaluate the response.

· Ever go for a walk and see four newspapers on the lawn. What does that tell you? Thieves also do assessments and evaluate your complex.

image129.jpg image130.jpg


Fear of Crime

· We have seen fear many times on television when a school is in lockdown and parents have been outside for an hour waiting to see their child. It is not a pretty sight.

CPTED Strategies

· The earlier discussion suggests a series of general design strategies that can be applied in any situation to improve natural access control, natural surveillance, and territorial behavior.

· Provide a clear border definition of controlled space.

· Provide a clearly marked transition from public to semipublic to private space.

· Locate gathering areas in places with natural surveillance and access control and away from the view of potential offenders.

· Place safe activities in unsafe locations and unsafe activities in safe locations.

· Provide natural barriers to conflicting activities.

· Improve the scheduling of space to provide the effective and critical intensity of uses.

· Design spaces to increase the perception of natural surveillance.

· Overcome distance and isolation through improved communications and design efficiencies, e.g., emergency telephones and pedestrian paths.

· Turn soft targets into hard targets.

Obtaining Results

After all of the above-mentioned strategies have been completed and security is main-tained at the highest level, you should have a reduction in crime risks and crime as well as a reduction in fear of crime. Then after 3 years, you compare the data with the previ-ous 3 years to see your results (Fennelly and Perry, 2016).



CPTED addresses the potential victim and the potential criminal’s mindset in preventing crime through manipulating the built environ-ment and better planning for its intended use.

A security assessment is the process of eval-uating a site for security vulnerabilities and making recommendations to address said vul-nerabilities. The goal is to either remove or reduce the potential vulnerability.

Reduce opportunities for crime and fear of crime by making open areas more easily observable and by increasing activity in the neighborhood.

Provide ways in which neighborhood resi-dents, business people, and law enforcement can work together more effectively to reduce opportunities and incentives for crime.

Increase neighborhood identity, investor con-fidence, and social cohesion.

Provide public information programs that help schools, businesses, and residents protect themselves from crime.

Make the area more accessible by improving transportation services.

Improve the effectiveness and efficiency of governmental operations.

Encourage citizens to report crimes so they can be a part of the problem-solving process. The steps taken to achieve these objectives include:

· improved, cost-effective outdoor lighting

· sidewalk and landscaping improvements

· partnerships with law enforcement and other local officials

· neighborhood watch, business watch, and school watch programs

· neighborhood cleanups

· a campaign to educate businesses about safe cash handling procedures and how to discourage robberies

· improve and expand public transportation.


Basic improvements in neighborhoods and communities can enhance “quality of life” and

Reference Material


provide an atmosphere of cohesiveness. The application of CPTED concepts has been used successfully throughout the country to reduce not only the incidence of crime but also the fear of crime, which leads to an improvement in the quality of life for everyone who lives, works, or visits the neighborhood or community.

Shown is a QR code material prepared by Diane Zahm, titled Using CPTED in Problem Solving Tool Guide No. 8 (2007) POP Guide. A special thanks to Rick Draper for designing the QR code for us.


Reference Material

[1] Risk Analysis and Security Countermeasure Selection, Thomas L. Norman, CPP, PSP, CSC, CRC Press 2016, p. 281.

[2] Measuring Crime Prevention through Environmental Design in a Gated Residential Area: A Pilot Survey 2012 Elsevier.

[3] Lawrence J. Fennelly, Marianna Perry [email protected], [email protected].

[4] www.litigationconsultants.com.

This page intentionally left blank

image133.jpg image134.jpg



Introduction to Vulnerability Assessment*


Mary Lynn Garcia, CPP

This chapter provides a description of how to apply the principles and concepts of imple-menting a physical protection system (PPS) and how to identify the vulnerabilities of an installed PPS and propose effective upgrades if needed. It also discusses the additional key con-cepts of risk management, vulnerability assess-ment (VA), and systems engineering.

This text is a follow-on to the previously published Design and Evaluation of Physical Protection Systems. That book (hereafter referred to as the Design textbook) provided an overview of the principles and concepts that must be considered when implementing a PPS; this book is a description of how to apply those principles and concepts to identify the vulnerabilities of an installed PPS and propose effective upgrades if needed. This book is the basis of all VAs conducted by Sandia National Laboratories during the last 30 years for a wide spectrum of customers including the US Department of Energy, US Department of Defense, North Atlantic Treaty Organization, US Department of State, Government Services

Administration, dam and water systems, prisons, schools, communities, and chemical companies.

A VA is a systematic evaluation in which quantitative or qualitative techniques are used to predict PPS component performance and overall system effectiveness by identifying exploitable weaknesses in asset protection for a defined threat. After the VA identifies weak-nesses, it is used to establish the requirements for an upgraded PPS design. In addition, a VA is also used to support management decisions regarding protection system upgrades. Risk assessment and VA are such closely related activities that many security professionals use the terms interchangeably. This may not present a huge problem in practice, but it does hinder communication between and among security service providers and customers.

The VA process can be broken into three dis-tinct phases: planning, conducting the VA, and reporting and using the results. This process is part of the larger risk assessment process. Each of the phases will be described in detail in the

* Originally from Garcia, ML. Vulnerability assessment of physical protection systems. Boston: Butterworth-Heinemann, 2006. Updated by the editor, Elsevier, 2016.

Effective Physical Security, Fifth Edition



Copyright © 2017 Elsevier Inc. All rights reserved.


image137.jpg image138.jpg


remaining chapters of this text. The key points discussed in this chapter include:



· Risk management and VA

· Risk assessment and the VA process

· VA process overview

· VA and systems engineering


This text is concerned with the VA of a PPS, but the concepts can be applied to cyber protec-tion, personnel protection, and overall security protection at a facility or across an enterprise. For clarity, throughout this text the term enter-prise includes organizations, companies, agen-cies, governments, or any other entity with the need to manage security risks. The term asset includes people, property, information, or any other possession of an enterprise that has value.

It is important to differentiate security from safety when discussing a VA. Safety is defined as the measures (people, procedures, or equip-ment) used to prevent or detect an abnormal condition that can endanger people, property, or the enterprise. These include accidents caused by human carelessness, inattentiveness, and lack of training or other unintentional events. Security, on the other hand, includes the measures used to protect people, property, or the enterprise from malevolent human threats. This includes civil disturbances, sabotage, pilferage, theft of critical property or information, workplace vio-lence, extortion, or other intentional attacks on assets by a human. A good security VA will con-sider safety controls because some safety mea-sures aid in detection and response to security events (sprinklers will fight fires regardless of the cause), but some attacks require additional detection and response capability. For example, a disgruntled employee can sabotage critical manufacturing equipment and reduce produc-tion to a significant extent. Without security con-trols, it could be difficult to determine quickly enough whether this is an intentional act of sab-otage and prevent a significant loss of revenue.

Risk management is the set of actions an enterprise takes to address identified risks and includes avoidance, reduction, spreading, trans-fer, elimination, and acceptance options. Good risk management programs will likely include a combination of these options. Risk avoidance is accomplished by removing the source of the risk; for example, a company may choose to buy a critical component from another com-pany, rather than manufacture it. This removes the production line as a sabotage target. Risk reduction is achieved by taking some actions to lower risk to the enterprise to reduce the sever-ity of the loss. This is the goal of many secu-rity programs—lower risk by implementing at least some security measures. Risk can also be spread among multiple locations, perhaps by having similar production capability at more than one enterprise facility. Then, loss of capa-bility at one site may be managed by increas-ing production at the other locations. Another example of risk spreading is the distribution of assets across a large industrial facility. By sepa-rating the assets, fewer assets may be at risk during any given adversary attack. Risk trans-fer is the use of insurance to cover the replace-ment or other costs incurred as a result of the loss. This is an important tool in many security systems. Risk acceptance is the recognition that there will always be some residual risk. The key is to knowingly determine an acceptable level, rather than unwittingly accepting it. In security risk management, these decisions are based on the consequence of loss of the asset, the defined threat, and the risk tolerance of the enterprise. A trade-off analysis must be performed to ensure that the dollars spent on physical security pro-vide a cost-effective solution to security issues. If other risk management options provide equal or better results at lower cost, the use of a PPS may not be justified.

Risk Management and Vulnerability Assessment


image139.jpg image140.jpg image141.jpg image142.jpg image143.jpg image144.jpg image145.jpg image146.jpg










image147.jpg image148.jpg image149.jpg image150.jpg image151.jpg image152.jpg image153.jpg image154.jpg image155.jpg image156.jpg image157.jpg


image158.jpg image159.jpg image160.jpg image161.jpg image162.jpg image163.jpg





FIGURE 2.1 Relationship between risk management and vulnerability assessment.

Security is only one facet of risk; therefore, it must be considered in the context of holistic risk management across the enterprise, along with other categories such as market, credit, opera-tional, strategic, liquidity, and hazard risks. The relationships among risk management, risk assessment, and VA are shown in Fig. 2.1. Risks across an enterprise must be managed holisti-cally, and those identified as above an acceptable level must be addressed. VA is one of the con-stituent pieces of security risk assessment and is used to support risk management decisions.

To frame the relationship between risk assess-ment and risk management, consider definitions provided by Kaplan and Garrick, who state that in risk assessment, the analyst attempts to answer three questions: What can go wrong? What is the likelihood that it would go wrong? What are the consequences? The answers to these questions help identify, measure, quan-tify, and evaluate risks. Then, risk manage-ment builds on risk assessment by answering

a second set of questions: What can be done? What options are available? What are their asso-ciated trade-offs in terms of costs, benefits, and risks? What are the impacts of current manage-ment decisions on future options? The answer to the last question provides the optimal solution. Total risk management results from this process, where total risk management is defined as a sys-tematic, statistically based, holistic process that builds on formal risk assessment and manage-ment by answering the two sets of questions and addressing the sources of system failures.

A security risk assessment is the process of answering the first three questions using threat, likelihood of attack, and consequence of loss as their benchmarks.

A thorough security risk assessment would consider risks in the component parts of a secu-rity system (cyber, executive, transportation protection, etc.) to facilitate informed risk deci-sions across the enterprise. As applied to the VA of a PPS, risk assessment is an evaluation of the

image165.jpg image166.jpg


PPS supported by a number of analysis method-ologies, including:

· threat analysis

· consequence analysis

· event and fault tree analyses

· vulnerability analysis





Most facilities or enterprises routinely con-duct risk assessments of their security systems to verify that they are protecting corporate assets and to identify areas that may need addi-tional attention. These assessments are defined differently for different enterprises, but in gen-eral they include consideration of the likelihood of a negative event; in this case, it is a security incident and the consequence of that event. The Design textbook ended with a description of risk assessment and provided a formula that can be used to calculate risk, using qualitative or quan-titative measures. That discussion, with one addition, is repeated here.

Security risk can be measured qualitatively or quantitatively through the use of the following equation:

R = PA × (1 PE) × C

where R = risk to the facility (or ­stakeholders) of an adversary gaining access to, or stealing, critical assets. Range is 0–1, with 0 being no risk and 1 being maximum risk. Risk is calculated for a period of time, such as 1 year or 5 years; PA = probability of an adversary attack during a period of time. This can be difficult to determine, but generally there are records available to assist in this effort. This probability ranges from 0 (no chance at all of an attack) to 1 (certainty of attack). Sometimes in the calculation of risk, we assume there will be an attack, which ­mathematically sets PA = 1. This is called a conditional risk, where

the condition is that the adversary attacks. This does not mean there will absolutely be an attack, but that the probability of attack is unknown or the asset is so valuable that it will be protected anyway. This approach can be used for any asset, but it is generally reserved for the most critical assets of a facility, where the consequence of loss is unacceptably high, even if PA is low. For these assets, a PPS is generally required; PE = PI Χ PN, where PI is the probability of interruption by responders and PN is the probability of neutral-ization of the adversary, given interruption. PN can include a range of tactics from verbal com-mands up through deadly force. The appropri-ate response depends on the defined threat and consequence of loss of the asset. PE represents the vulnerability of the PPS to the defined threat; C = consequence value, or a value from 0 to 1 that relates to the severity of the occurrence of the event. This is a normalizing factor, which allows the conditional risk value to be compared with other risks across the facility. A consequence table of all events can be created that covers the loss spectrum, from highest to lowest. By using this consequence table, risk can be normalized over all possible events. Then, limited PPS resources can be appropriately allocated to ensure that the highest consequence assets are protected and meet an acceptable risk.

Note that this equation introduces the use of a new term—the probability of neutralization (PN). This was discussed only briefly in the Design book, because many facilities do not have an immediate response to security events. It is included here because response is a part of VA at all facilities.

Using probabilistic risk assessment is more formal, scientific, technical, quantitative, and objective when compared with risk management, which involves value judgment and heuristics and is more subjective, qualitative, societal, and political. Ideally, the use of probabilities is based on objective likelihoods, but in security it is common to use more subjective likelihoods based on intuition; expertise; partial, defective,



or erroneous data; and, occasionally, dubious theories. This is important because these are major sources of uncertainty, and uncertainty is a major element of risk. Additionally, these mea-sures can reduce the credibility of the security risk assessment for senior management, who are used to seeing documented data in standard analysis models. In security systems, this uncer-tainty is even larger than normal, owing to the lack of dependable (i.e., quantifiable) data for all types of adversary attacks.

An additional use of the risk equation is that the security risk life cycle can be viewed in con-text. When considering security systems and the attack timeline, the attack can be broken into three discrete phases: preattack, which is the time the adversary takes to plan the attack; the attack phase, when the adversary actually shows up to attack the facility, and the attack has started; and postattack, when the adversary has completed the attack, and the consequences of a successful attack occur. If the problem is approached this way, each term in the equa-tion is of primary importance during different phases of the attack. As such, PA is most use-ful during the preattack phase. This is where intelligence agencies and deterrence have their biggest effect. Intelligence agencies gather infor-mation concerning threats and provide assess-ments about their likelihood of attack. These agencies may even develop enough informa-tion to disrupt an attack by collecting enough legal evidence to arrest the adversary, through tips from inside sources, or by alerting targeted enterprises, allowing them to increase security protection. All of these activities will have an effect on PA. Heightened security responses to intelligence assessments indicating potential attacks on Citibank and the stock exchange in New York, and the World Bank in Washington, DC, are examples of preattack influences.

If a quantitative approach is used, the PA and C terms can be calculated using historical data and consequence criteria, respectively. In a qual-itative analysis, these terms can be represented

using descriptors such as likely, very likely, or not likely for PA and critical, severe, or minimal for the C term. This determination is based on the capability of the threat and the consequence of loss of the asset. If the likelihood of attack is high, but the consequence is low (think about shoplifting at one store in an enterprise), the problem to be solved is easier than if both PA and C are high. (This ignores the cumulative effects of shoplifting across the enterprise. Many thefts of low-value items can add up to a high over-all impact and this is part of the analysis.) There are times when either approach is appropriate, and the choice should be driven by the conse-quence of loss. This is based on the assumption that assets with a higher consequence of loss will attract more capable and motivated adver-saries (threats), which in turn will require a PPS that is correspondingly more effective. Fig. 2.2 represents the transition from qualitative to quantitative analysis, using consequence as the discriminator. Qualitative analysis uses the presence of PPS components and adherence to PPS principles as system effectiveness measures. A quantitative analysis uses specific component performance measures derived from rigorous testing to predict overall system effectiveness. At any given facility either or both techniques may be used depending on the consequence of loss of the asset. Relative value of PPS compo-nents based on expert opinion is another form of analysis of system effectiveness; however, the outcome depends heavily on the knowledge and experience of the expert.

This section ends with a definition of terms that are used in risk assessments, particularly with respect to the probability of attack by an adversary. These are the proper definitions of these terms; some enterprises may use them dif-ferently. Probability is a number that is, by defi-nition, between 0 and 1 and may or may not be time dependent. (As an example, the probability of snow on any given day in Ohio may be 0.25, but the probability of snow in Ohio is 1.0 over the next year.)

image168.jpg image169.jpg















FIGURE 2.2 Application of qualitative and quantitative analysis approaches.

This is discussed further in the next section. Although probability of attack is routinely cited as a threat measure, it is important to note that there frequently is not enough data to support a true probability. For example, there is no statis-tical data to support the probability of terrorist attacks. That fact, however, has not prevented the massive expenditure of dollars by govern-ments and commercial enterprises to increase security at airports, seaports, critical infrastruc-tures, and other facilities since 9/11. This is a good example of high-consequence, low-prob-ability events and the use of conditional risk. For some assets, the consequence of loss is unac-ceptably high, and measures are taken to pre-vent successful adversary attacks, regardless of the low likelihood of attack. Frequency refers to how many times an event has happened over a specified time and is also called a rate. Annual loss exposure is an example of a frequency often used in security risk assessments. Likelihood may be a frequency, probability, or qualitative measure of occurrence. This is more of a catchall term and generally implies a less rigorous treat-ment of the measure. Haimes has written a thor-ough discussion of risk modeling, assessment, and management techniques that can be used in security or general risk applications.



In any discussion of quantitative security system effectiveness, the subject of statistics of security performance arises. To many, statistics is a subject that arouses suspicion and even dread; however, there are a few fairly simple concepts that form the basis of statistical analy-sis of security effectiveness. Most of these con-cepts are related to the possible outcomes of a security event. A security event occurs when a security component (people, procedures, or equipment) encounters a stimulus and per-forms its intended task, for example, when something, such as a human or small animal, enters the detection envelope of an intrusion sensor. There are four possible outcomes of this event:

1. The sensor successfully detects a human-size object.

2. The sensor fails to detect a human-size object.

3. The sensor successfully ignores a smaller-than-human-size object.

4. The sensor fails to ignore a smaller-than-human-size object.



The successes and failures are related such that when a human-size object is presented, there are two complementary results, and when a smaller-than-human-size object is presented, there are also two complementary results. This fact is used later in the discussion. Sensors are the example used here, but this principle applies to any of the probabilities used in this text—the success or failure of a PPS component or the system in performing its intended task can be measured.

Most statistical analysis of security perfor-mance is based on these four possible out-comes. The rate at which a sensor successfully detects objects is described as the detection rate. For example, if a sensor successfully detects a human-size object 9 times out of 10 events the detection rate for that group of 10 events is 0.9 or 90%. This is a statistic but is not yet a probability. The detection rate can be turned into a probability when coupled with a confi-dence level, which is established based on the number of events that are analyzed; the more the data available, the more the confidence there is in the probability. This is easily under-stood when considering a common example. If a person tosses a coin and the outcome is heads, it would be unwise to assume that every coin toss will result in heads. However, if that person tosses a coin 100 times and 49 results are heads and 51 results are tails, there is a fairly high confidence that the outcomes will be about 50/50. If the experiment is con-tinued to include 1000 trials, the confidence in the estimate of the likely results is even higher. At this point the rate can be estimated with some statistical confidence, and this estimate is a probability. In other words, a probability is an estimate of predicted outcomes of identical trials stated with a confidence level. If 100% confidence is required, an infinite number of tests are required. In reality, when designing performance tests, a confidence level is cho-sen that requires performance of a reasonable number of trials.

It is not the intent of this section to teach readers how to calculate the statistics of secu-rity component effectiveness, but to familiarize them with the terminology and underlying con-cepts as applied to a PPS. For example, if a metal detector is tested by carrying a gun through it 20 times and it detects all 20 times, the probability of detection can be calculated at a specified con-fidence level. Often the confidence level used for security component testing is 95%. Using this confidence level, the probability calculated for the metal detector based on the 20 trials is 0.85 (it is often said that the probability is 85%, but in proper statistical terminology, a probability is always a number between 0 and 1). In sim-pler language, there is a 95% confidence that the metal detector will detect the gun at least 85% of the time. The actual detection rate may be higher, but this is what can be supported given the amount of data collected. If the metal detec-tor is tested 30 times at the same 95% confidence, the probability is now 0.9. Again restating in simple language, there is a 95% confidence that the metal detector will detect the gun at least 90% of the time.

Sometimes it is more useful to classify PPS component performance into error rates rather than probabilities. These error rates are the mathematical complement of the success rates, which is the number of trials minus the number of successes (i.e., the number of failures). The error rates are stated as false accept and false reject rates. In the preceding sensor example, not detecting the human-size object is a false accept and detecting a smaller-than-human-size object is a false reject. This example is used to show that these are the same possible outcomes; however, error rates are seldom used when describing the performance of detection sensor devices. Error rates are much more useful when characteriz-ing the performance of entry control devices, particularly when evaluating the performance of biometric identity verification devices. These devices measure some biological feature, such as a fingerprint, to verify the identity of an

image171.jpg image172.jpg


individual. In this case, false acceptance of a fingerprint from someone who should not be allowed into a security area and false rejection of someone who should be allowed to enter a secured area are useful ways to view the data.

Other factors of interest in security compo-nent evaluation include discrimination and sus-ceptibility to noise. Discrimination describes a sensor’s ability to ignore an object that is of the appropriate magnitude but is not the intended target. Often, this is beyond the technical capa-bility of the device. In the preceding sensor example, a human-size object may or may not have specific characteristics that allow the sen-sor to discriminate between a human and a human-size animal like a small deer or large dog. When the sensor does not have the ability to discriminate between stimuli of equal mag-nitude, another statistic, the nuisance alarm rate (NAR), is used. A nuisance alarm is caused when the sensor detects an object that is of suf-ficient magnitude but benign in nature. Anyone who has had a belt buckle cause an alarm in an airport metal detector has experienced a nui-sance alarm (assuming that person was not also carrying a gun!). The sources of nuisance alarms are easy to identify when the alarm is assessed by direct human observation or by viewing an image using a video camera. Understanding the causes of nuisance alarms is important in both design and analysis of a PPS. Installing a sensor that has low discrimination to an object or con-dition that is continually present in the sensor’s operating environment will lead to a high NAR, thus lowering confidence in the system. In this scenario, human operators eventually discount alarms and may not pay sufficient attention to a real alarm when it occurs.

Some technologies are also susceptible to noise. Noise in the sensor includes sound, elec-tromagnetic, or even chemical sources. This noise can be present in the background or be internal to the system. Whenever a sensor alarms on external or internal noise, this is defined as a false alarm. False alarms also reduce system

effectiveness much the same way as nuisance alarms. Indeed, false alarms can further erode confidence in the PPS because there is no observ-able alarm source present.

Throughout the discussions of security com-ponent performance in this text, it is important to remember that the four possible outcomes of any event are considered. This information, together with the concepts of discrimination and susceptibility to noise, forms the basis of almost all security component performance evaluation. Combined with defeat analysis (which is dis-cussed in other chapters), the full picture of PPS effectiveness emerges.




The evaluation techniques presented in this text use a system performance-based approach to meeting the PPS objectives. Recall that the pri-mary functions of a PPS are detection, delay, and response (see Fig. 2.3). Each of these functional subsystems is described in the following chap-ters and includes a description of both quantita-tive and qualitative methods of evaluating PPS components at a facility. Quantitative techniques are recommended for facilities with high-conse-quence loss assets; qualitative techniques can be used if there are no quantitative data available or if the asset value is much lower. It is important to determine before the start of the VA whether a qualitative or quantitative analysis technique will be used. This ensures that the VA team col-lects the appropriate data and reports the results in a form that is useful for the analysis.

When performing a VA, the general pur-pose is to evaluate each component of the PPS to estimate their performance as installed at the facility. Once this is done, an estimate of overall system performance is made. The key to a good VA is accurately estimating component perfor-mance. When using a quantitative approach, this is done by starting with a tested performance

Planning the Vulnerability Assessment


Final PPS


Determine PPS Objectives

Design PPS

Analyze PPS Design


Physical Protection Systems



EASI Model

Redesign PPS

Threat Definition




Adversary Sequence











Response Force

Computer Models

Risk Assessment



Alarm Assessment

image174.jpg image175.jpg image176.jpg image177.jpg image178.jpg


Communication & Display

Entry Control

FIGURE 2.3 PPS evaluation process. As in the Design textbook, this process provides the framework for conducting a vulnerability assessment. Although frequently not part of the VA, the protection objectives must be known before evaluating the facility.

value for a particular PPS component, such as a sensor, and degrading its performance based on how the device is installed, maintained, tested, and integrated into the overall PPS. For quali-tative analysis, performance of each component is degraded based on the same conditions, but the performance of the device is assigned a level of effectiveness, such as high, medium, or low, rather than a number. In addition, compo-nent performance must be evaluated under all weather conditions and facility states and con-sidering all threats. The following sections intro-duce the various stages and activities of a VA.




Before a VA can be performed at a facility, a certain amount of preliminary work must be done to plan and manage the VA so that the

customer is provided a useful product. The use of common project management principles and techniques provides a structure and a well-accepted method of approaching the technical, administrative, and business aspects of a VA. At a high level, a project can be broken into three major stages: planning, managing the work, and closeout.

Project Management

Projects, by their definition, have a defined start and end date. There is a point in time when the work did not exist (before the project), when it does exist (the project), and when it does not exist again (after the project). Many VA projects start with an initial customer contact, perhaps as a follow-on to existing work, a reference from another person or business, or as a result of a marketing activity. Project planning starts with understanding what the customer wants

image180.jpg image181.jpg


or needs. This stage of the project normally involves meetings with the customer to discuss what problems they are having or want to avoid, to understand why they are motivated to do this now, and to discover any specific constraints they may have. Defining the project includes determining the scope of work, as well as what needs to be done, over what period of time, and the cost of the final product. The project scope should state the project objectives and major constraints, such as dollars available or time to complete. Generally, the project is defined in a master document, statement of work, contract, memorandum of agreement, or some other equivalent document. This master document is usually supplemented by a requirements document, which is a summary of the technical specifications or performance required for the delivered product.

After the project has been approved, the customer has sent funding, the project team has been identified, and other administra-tive issues are set, the actual work can begin. Managing the project includes providing cus-tomer support; following the project plan; resolving major and minor project issues on a timely basis; and keeping the project on sched-ule, within budget and scope, and performing as expected. All of these aspects of the project are organized so that communication between the project leader and the customer and the project team occurs regularly, project risks are managed, product quality maintains an accept-able level, and all project metrics are monitored and remain in compliance.

At some point, all the direct project work is completed, all deliverables are in the customer’s hands, the last status reports to the customer have been provided, and the project is complete; however, there are still some remaining issues that must be addressed before pronouncing the project complete. Project closeout can be bro-ken into three areas: financial, administrative, and technical. Financial closeout of the project provides a final accounting of all project costs

and allocation of funds to complete the project. Administrative closeout tasks include collect-ing all project documentation, storing it in an archive, destroying drafts or working papers that are no longer needed, returning any customer-owned equipment or documents, and verifying that all sensitive information is properly marked and stored securely. The technical closeout of the project can include a project closeout meeting, a lessons learned review, and a closeout report to the customer or internal management.

The use of good project management prin-ciples, tools, and skills will help scope, define, manage, and complete a successful VA project for both the VA provider and the customer. A combination of project planning and manage-ment techniques minimizes the effects of inevita-ble project problems and provides a framework to work through major project hurdles.

Establish the Vulnerability

Assessment Team

The functional responsibilities of a VA team require a project leader and appropriate subject matter experts (SMEs). Many VA teams will use only a few personnel to serve these roles. Each team member may perform multiple functions, but all appropriate functions must be performed for a thorough VA. The major roles and respon-sibilities of the VA team include:

· project lead

· systems engineer

· security system engineer

· SME—sensors

· SME—alarm assessment

· SME—alarm communication and display (AC&D)

· SME—entry control

· SME—delay

· SME—response

· SME—communication systems

· SME—analyst

· SME—on-site personnel

Planning the Vulnerability Assessment


All members of the VA team should under-stand their roles and responsibilities, including what information or activities they are expected to contribute to the overall assessment.

Project Kickoff Meetings

Before starting the VA, it is helpful to have kick-off meetings with the project team and the cus-tomer. The project team kickoff meeting is meant to familiarize all team members with the project scope, deliverables, schedule, and funding and to answer any questions. The project leader should provide the team with a detailed description of the project including the customer’s objectives, the project schedule and budget, a review of any travel arrangements that must be made, the deliverables and their format, and how customer contact will be managed. This meeting is also the time to start planning the VA. An overview of the facility layout, geography, weather, and opera-tions can be presented, along with any informa-tion concerning threats and targets. Usually, the tools that will be used in the analysis are known, but if not, this is a good time to initiate discussion about appropriate analysis tools.

It can be useful to summarize all of the known information about the project and facility in a VA team guide. This guide serves as a means of communicating information to all project team members and as a living document that captures facility information. The guide is a reasonably detailed description of the planned activities but does not need to be extremely lengthy. It is expected that some portions of the guide will be common to all VAs and some portions will be unique to a specific facility. The team guide should include the background of the VA, how it will be conducted, team assignments, logistics, and administrative details.

Whatever the scope of the VA, a variety of site-specific data are required to complete the planning phase of the VA. This information is necessary to plan and carry out the VA in the most efficient and least intrusive manner

possible. The more this information is known before the team gets to the facility, the easier and faster the VA will be, thus limiting the cost and duration of the team visit. Typical informa-tion required includes drawings of the facility, number of employees, operational hours, loca-tions of critical assets, existing PPS equipment, weather conditions, on-site personnel contact information, and location of a workspace for the VA team. If known, this information is included in the team guide.

Another important aspect of the VA project is a briefing to senior management of the facility that will be evaluated. The better the purpose of the VA is communicated to management, the easier the evaluation will be, with few objec-tions to team activities. This briefing should be clear about the goals and objectives of the VA, how it will be used, when it will be completed, and how the results will be communicated. For some facilities, senior management will receive the report directly. For others, the report may be submitted to another group, who will then distribute the results to the facility. Once the VA team arrives on site, it may be necessary to have a kickoff meeting to explain the VA to lower level facility personnel. Senior management, facil-ity points of contact, the facility security man-ager, operations and safety representatives, the entire VA team, and other stakeholders should be invited to this briefing. If facility manage-ment has already heard a briefing on the proj-ect, they may not attend, although it is probably good practice to invite them or a representative. It is always a welcome touch to invite the most senior manager at the facility to address the group and express his/her support of the pro-cess; at the very least, the security manager of the facility should be an active part of this brief-ing, especially if the VA team is from off-site. Every effort should be made to provide a kickoff meeting at the start of the VA, but if this is not possible, the project leader should be prepared to brief managers and staff at the facility before collecting data in each of the functional areas.

image182.jpg image183.jpg



To successfully complete a good VA, it is crit-ical that protection system objectives are well understood. These objectives include threat definition, target identification, and facility characterization. Each enterprise defines VA and risk assessment differently, and as a result some facilities may not have defined threats or identified assets. At facilities where the threat and assets have not already been defined, this task must be included as part of the VA proj-ect, although this is generally part of a risk assessment. This will likely add cost and time to the project; therefore, it is critical to under-stand this before finalizing these details in the project plan.

Knowing the threat is one of the required inputs to a VA because the threat establishes the performance that is required from the PPS. We would not evaluate a PPS protecting an asset from vandals the same way we would for a system protecting an asset from terror-ists. By describing the threat, the assumptions that were made to perform the assessment are documented and linked to the decisions that are made regarding the need for upgrades. As such, threat definition is a tool that helps facility man-agers understand how adversary capabilities impact asset protection and helps PPS designers understand the requirements of the final PPS.

In addition to threat definition, the VA team must also have an understanding of the assets to be protected at the facility. As with threat defi-nition, some customers do not have their assets identified and prioritized before performing a VA. In this case, this must be accomplished before performing the VA. There are three meth-ods for target identification including manual listing of targets, logic diagrams to identify vital areas for sabotage attacks, and use of con-sequence analysis to screen and prioritize tar-gets. After threats have been defined and assets have been prioritized, a considerable amount

of information will exist that is used to estab-lish protection system objectives. The volume of information can be combined into a matrix that relates probability of attack, threat level and tac-tic, and consequence of loss of assets.

Facility Characterization

The major part of a VA is facility characteriza-tion, which consists of evaluating the PPS at the facility. The goal of a VA is to identify PPS compo-nents in the functional areas of detection, delay, and response and gather sufficient data to esti-mate their performance against specific threats. The PPS is characterized at the component and system level, and vulnerabilities to defeat by the threat are documented. Data collection is the core of PPS characterization; accurate data are the basis for conducting a true analysis of the ability of the PPS to meet its defined objectives. Accuracy, however, is only one of several factors to consider. The data gathered must be appro-priate to the purpose and scope of the VA, and the quantity and form of the data must be suf-ficient based on available resources and desired confidence in the results.

A facility tour is usually conducted early in a VA. During the initial facility tour, the VA team begins to gather information regarding the gen-eral layout of the facility, the locations of key assets, information about facility operations and production capabilities, and locations and types of PPS components. Review of key docu-ments and selected records are two important PPS characterization activities. These are useful in the evaluation of the effectiveness of a PPS and may begin during the planning phase of a VA. This step of a VA will also include inter-views with key facility personnel. Interviews are critical to clarify information and to gain greater insight into specific facility operating procedures. Interviews with personnel at all organizational levels are recommended. Testing is the most valuable data collection method for

Data Collection—Detection


evaluating the effectiveness of a PPS. Evaluation testing can determine whether personnel have the skills and abilities to perform their duties, whether procedures work, and whether equip-ment is functional and appropriate. Evaluation tests include functional, operability, and perfor-mance tests. Functional tests verify that a device is on, and that it is performing as expected (i.e., a sensor still has a probability of detection of 0.9). Operability tests verify that a device is on and working (i.e., a sensor is on and detects but has moved due to vibration so it is aimed at the wrong location). Performance testing is the char-acterization of a device by repeating the same test enough times to establish a measure of device capability against different threats. (A sensor is tested many times using crawling, walking, and running modes and under day, night, and varying weather conditions to fully characterize the probability of detection and NAR.) Because performance tests are fairly rigorous and require many repetitions over a period of time, they are generally impractical during a VA. Performance testing is typically performed in a laboratory or nonoperational facility.

One of the goals of the VA team before any system analysis is to identify the various facil-ity states that can exist at the facility. A VA is used to establish vulnerabilities at a facility at all times of the day and at all times of the year. As such, the team must understand the vari-ous facility states, so they can determine if the PPS is more or less vulnerable at these times. If the team does not identify these states and determines system effectiveness during all of these different states, the VA will be incom-plete and may lead to a false sense of protec-tion. Examples of facility states include normal operating hours, nonoperational hours, a strike at the facility, emergencies such as fire or bomb threats, and shift changes. Once all project planning is complete and protection objectives are understood, the VA team is ready to visit the facility and start collecting data.


The detection function in a PPS includes exterior and interior intrusion sensors, alarm assessment, entry control, and the alarm com-munication and display subsystem all work-ing together. Intrusion detection is defined as knowledge of a person or vehicle attempting to gain unauthorized entry into a protected area by someone who can authorize or initiate an appropriate response. An effective PPS must first detect an intrusion, generate an alarm, and then transmit that alarm to a location for assess-ment and appropriate response. The most reli-able method of detecting an adversary intrusion is through the use of sensors, but this can also be accomplished by personnel working in the area or the on-site guard force. Exterior sensors are those used in an outdoor environment, and interior sensors are those used inside buildings.

Intrusion Sensors

Intrusion sensor performance is described by three fundamental characteristics: probabil-ity of detection (PD), NAR, and vulnerability to defeat. These three fundamental characteristics are heavily dependent on the principle of opera-tion of a sensor and the capability of the defined threat. An understanding of these characteris-tics and the principle of operation of a sensor is essential for evaluating the intrusion sensor subsystem at a facility. Different types and mod-els of sensors have different vulnerabilities to defeat. Sensors can be defeated by spoofing or bypass, and consideration of these attack modes is part of the VA. Exterior sensors are grouped into three application types: freestanding, bur-ied line, or fence-associated sensors. Interior sensors are grouped as boundary penetration, interior motion, and proximity sensors.

Exterior perimeters are generally found only in high-security applications such as pris-ons, military bases, research facilities, critical

image184.jpg image185.jpg


infrastructure facilities, and industrial hazard-ous facilities (i.e., chemical plants). With a large percentage of the critical infrastructure in the United States owned and operated by the pri-vate sector, there is more interest in using exte-rior sensors in private industry since 9/11. If exterior sensors are not in use at a facility, this is an implicit indication that assets are low value or that the expected threat is low and no evalu-ation is necessary. The overall evaluation of exterior sensors will include attention to details such as sensor application, installation, testing, maintenance, NAR, and performance against the expected threats. If the threat is able to cut, climb, or bridge fences, this must be considered during the VA. The goal of exterior sensor evalu-ation is to provide an estimate of sensor perfor-mance (PD) against defined threats, along with supporting notes, pictures, and observations that support this estimate. This will help estab-lish the baseline performance of the overall PPS and, if not acceptable, will provide opportuni-ties for upgrade improvements. Factors that will cause performance degradation include NAR and ease of defeat of the sensor through bypass or spoofing.

Interior sensors are used to aid detection of intrusions inside buildings or other structures. Unlike exterior sensors, interior sensors are com-monly used at all types of commercial, private, and government facilities. Just as with exterior sensors, there are several factors that contribute to overall sensor performance. The most com-mon interior sensors are balanced magnetic switches, glass-break sensors, passive infrared (PIR) sensors, interior monostatic microwave sensors, video motion detectors, and combina-tions of sensors, usually PIR and microwave sensors, in dual technology devices.

Interior boundary penetration sensors should detect someone penetrating the enclosure or shell through existing openings (doors, win-dows, and ventilation ducts) or by destroy-ing walls, ceilings, and floors. Early detection gives more time for the response team to arrive;

detection should occur during entry rather than afterward. Volumetric detection uses sensors to detect an intruder moving through interior space toward a target. The detection volume is usually an enclosed area, such as a room or hallway. Most interior volumes provide little delay other than the time required to move from the bound-ary to the target. Common sensors used for volumetric sensing are microwave and passive infrared radiation. Point sensors, also known as proximity sensors, are placed on or around the target to be protected. In a high-security applica-tion, point sensors usually form the final layer of protection, after boundary penetration sensors and volumetric sensors. Capacitance proximity, pressure, and strain sensors are commonly used for point protection, but a number of sensors previously discussed as boundary penetration and volumetric sensors are readily applicable to point protection.

Use of technology is not the only means of sensing intrusions into a facility or area. Employees working in the area, guards on patrol, and video surveillance are other com-monly used techniques. These may be effec-tive against very low threats, but testing has shown that these methods will not be effective against more capable threats or when protect-ing critical assets. Humans do not make good detectors, especially over a long period of time. The lack of firm criteria for what is an adver-sary intrusion, and the difficulty in recogniz-ing this in time to prevent the attack, as well as safety concerns for employees, all contribute to this problem. Reliable intrusion sensing is best achieved through the use of sensors and is also less expensive than hiring guards. Another weakness of human sensing of intrusions is that it is easier to divert attention away from intrusions, particularly if they are engaged in other activities, such as doing their primary job, answering phones, or assisting visitors. If the defined threat or asset value is significant, sensing through human observation should be degraded during the VA.

Data Collection—Detection


When evaluating interior sensors, the goal is to make a determination of how well installed devices will perform against the expected threat. If sensors are present, there is an implicit expectation that they will be effec-tive in protecting assets. Consideration must be given to the principle of operation of the sensor and its operating environment, installation and interconnection of equipment, NAR, mainte-nance, and the defined threat. The environment associated with interior areas is normally con-trolled and is, therefore, predictable and mea-surable. Consequently, it is possible to evaluate sensors for their performance in a particular environment.

After tours, interviews, and testing are com-plete, the VA team should document intrusion sensing subsystem strengths and weaknesses. Remember that intrusion detection is just one part of the VA, and the analysis cannot be com-pleted until similar information is collected about the other protection subsystems. This part of the VA concentrates on the probability of detection (PD) for each sensing type—exterior or interior sensors or sensing by humans. Estimates may be made using qualitative or quantitative criteria.

Alarm Assessment

After an alarm is generated using sensors or human observation, the alarm must be assessed to determine the cause and decide what, if any, response is needed. The detection function is not complete without alarm assessment. There are two purposes of assessment. The first is to deter-mine the cause of each alarm, which includes deciding whether the alarm is due to an adver-sary attack or a nuisance alarm. The second purpose of assessment is to provide additional information about an intrusion that can be pro-vided to responders. This information includes specific details such as who, what, where, and how many. The best assessment systems use video cameras to automatically capture images

that show the cause of an alarm and then display these images to an operator who can assess the alarm. Assessment may also be accomplished through human observation, but this is much slower and not as effective.

It is important to differentiate video assess-ment from video surveillance when conducting a VA. Alarm assessment refers to direct observa-tion of alarm sources by humans or to immedi-ate image capture of a sensor detection zone at the time of an intrusion alarm. This assessment zone and the captured image can be reviewed to determine the cause of the alarm and initi-ate the proper response to the alarm. Video surveillance uses cameras to continually moni-tor all activity in an area, without benefit of an intrusion sensor to direct operator attention to a specific event or area. Many surveillance sys-tems do not use human operators but record activity on storage media for later review. The most effective security systems will use video assessment and not surveillance to determine causes of alarms.

A video assessment subsystem allows secu-rity personnel to rapidly determine whether an intrusion has taken place at a remote location. Major subsystem components include:

· digital camera and lens

· lighting system

· transmission system

· video recorder and/or storage

· video monitor

· video controller


At the end of this part of the VA, an estimate of the probability of assessment (PAs) must be provided for use in the system analysis. This probability is a result of the combined effects of video image quality and resolution, speed of capture of images, proper installation and maintenance of all components, and integra-tion of sensor detection zones with camera field-of-view coverage. The most important factor in assessment subsystem evaluation is to verify that video images containing the alarm

image186.jpg image187.jpg


source provide enough detail to an operator to allow an accurate determination of the cause of the alarm.

Entry Control

The entry control subsystem includes all the technologies, procedures, databases, and per-sonnel that are used to monitor movement of people and materials into and out of a facility. An entry control system functions in a total PPS by allowing the movement of authorized personnel and material through normal access routes and by detecting and delaying unauthorized move-ment of personnel and material. Entry control elements may be found at a facility boundary or perimeter, such as personnel and vehicle por-tals; at building entry points; or at doors into rooms or other special areas within a building. In addition to checks for authorized personnel, certain prohibited items or other materials may also be of interest on entry or exit. For evaluation purposes, entry control is defined as the physi-cal equipment used to control the movement of people or material into an area. Access control refers to the process of managing databases or other records; determining the parameters of authorized entry, such as whom or what will be granted access; when they may enter; and where access will occur. Access controls are an impor-tant part of the entry control subsystem.

The primary objective of controlling entry to facilities or areas is to ensure that only autho-rized persons are allowed to enter and to log these events for documentation purposes. The objective of searching vehicles, personnel, and packages before entry into these areas is to pre-vent the introduction of contraband materials that could be used to commit sabotage or to aid in the theft of valuable assets. The primary objective of exit control is to conduct searches of personnel, vehicles, and packages to ensure that assets are not removed without proper authori-zation. A secondary objective of entry and exit control is to provide a means of accounting for

personnel during and after an emergency. There are several methods an adversary may use to defeat an entry control point. These include bypass, physical attack, deceit, and technical attacks. Any or all of these methods may be used by the defined threat, and consideration of this is an important prerequisite to entry control sub-system evaluation.

Under operational loads, the entry control subsystem’s performance should not adversely impact security or user operations. The system can be divided into two areas with regard to per-formance—online and off-line functions. Online functions should be treated as a higher priority by the system. These include alarm annuncia-tion, portal access requests, and alarm assess-ment that require an immediate response to the user. Off-line functions include generation of preformatted alarm history reports or ad hoc database queries.

In addition to the system software, the access control software that commands the entry con-trol subsystem hardware and maintains and manages the data and logic necessary for system operation must be evaluated as part of the VA. In general, the software must receive electronic information from the installed entry control devices, compare this information to data stored in a database, and generate unlock signals to the portal locking device when the data comparison results in a match. Failure to achieve a success-ful data match will result in a signal that will not unlock the portal.

Many individual entry control technologies are available, as well as many combinations of them that are used in a PPS. In general, these devices are used to control personnel, contra-band material, and vehicle entry or exit and include manual, machine-aided manual, and automated operation. The entry control subsys-tem uses probability of detection as the primary measure of effectiveness. In the security indus-try the terms false accept rate and false reject rate are also used to characterize entry control device performance. The false accept rate is the

Data Collection—Detection


complement of the probability of detection and is equal to 1−PD. This is a key measurement of subsystem performance because it represents the probability of defeat of the device. The entry control subsystem can be broken into two major categories: personnel and vehicle control. Contraband material control, such as metal or explosives detection, is a subset of each of these categories.

Alarm Communication and Display

AC&D is the PPS subsystem that transports alarm and video information to a central loca-tion and presents the information to a human operator. The two critical elements of an AC&D subsystem are the speed of data transmission to specified locations and the meaningful pre-sentation of that data. Most AC&D subsystems integrate the functions of detection (detect and assess a potential intrusion) and response (initi-ate either immediate or delayed response proce-dures), as well as other subsystems such as radio communications and entry control. Although an AC&D subsystem is a complex integration of people, procedures, and equipment, evalua-tion by the VA team can be reduced to a hand-ful of performance indicators. Effective AC&D subsystems are robust, reliable, redundant, fast, secure, and easy to use.

The AC&D communications system moves data from collection points (sensor and tam-per alarms, video, self-test signals) to a central repository (database, server) and then to a con-trol room and display. If the central repository is physically located in the control room, it may consist of multiple computers or displays, and the communication system may also move data throughout the repository and control room. Alarm communication has several characteris-tics that compel the evaluation. These character-istics include the amount of alarm data, speed of delivery, and high system reliability.

The control and display interfaces of the AC&D subsystem present information to an

operator and enable the operator to enter com-mands affecting the operation of the AC&D subsystem and its components. The ultimate goal of this subsystem is to promote the rapid evaluation of alarms. An effective control and display system presents information to an oper-ator rapidly and in a straightforward manner. The subsystem also responds quickly to opera-tor commands. The control and display system must be evaluated with the human operator in mind; therefore, operation under conditions not directly related to the AC&D subsystem must be observed during evaluations. The console design should facilitate the exchange of infor-mation between the system and the operator, such as alarm reports, status indications, and commands. A good human interface improves the mechanics of issuing commands and of deci-phering the information presented. Thus, the amount of data displayed should be limited to only what is required by the operator.

The overriding evaluation principle for the AC&D subsystem must be operator first, and the operator must always be in command of the system. The primary purpose of any AC&D subsystem is to enhance facility security. This is accomplished by making operators more effi-cient and effective in their duties, thus provid-ing the best protection for the cost of subsystem implementation. An easy-to-use system is much more likely to succeed than an unnecessarily complex one.

The primary performance measure for an AC&D subsystem is the probability of assessed detection (PAD). It is a basic principle of an effec-tive PPS that detection is not complete until an alarm has been assessed, which is why PAD is used as the performance measure for the AC&D subsystem. Factors that contribute to this include time for alarm receipt, time to assess the alarm, ease of system use and control by the operator, and operator workload. This term is the prod-uct of probability of detection of the sensor subsystem and the probability of alarm assess-ment. This formula can be used qualitatively

image188.jpg image189.jpg


or quantitatively—the key is to verify that both sensors and assessment work together to protect assets. The VA team establishes performance of the intrusion sensing and alarm assessment subsystems individually and then evaluates the AC&D subsystem to show how all subsys-tems work as an integrated system. PAD is then degraded further based on the results of the evaluation of individual AC&D components. These include:

· operator workload

· displays (input/output and ergonomics)

· video system integration

· maintenance

· communications systems for moving sensor data to a display

· processing systems (computers)

· other functions (such as entry control)

· physical infrastructure (power, environmental, cabling, etc.)

· system administration


Poorly integrated AC&D subsystems impact overall system effectiveness by caus-ing decreases in performance in each of the individual components.


The second function of an effective PPS is delay, which slows down the adversary and allows time for the desired assessment and response. This delay is effective only if it fol-lows detection, which can take different forms. The most obvious form of detection is through the use of electronic sensor systems, which relay information back to a monitoring station. When dealing with truly massive delay barriers such as 15 ft of heavily reinforced concrete or under-ground bunkers, it may be perfectly acceptable to use humans as the one and only sensor sys-tem. Security patrols conducting scheduled or random inspections will be capable of detecting any manual entry attempt with sufficient time

to neutralize the adversaries. Increases in adver-sary task time are accomplished by introduc-ing impediments along all possible adversary paths to provide sufficient delay for any suitable response. In general, estimates of delay times are made using literature searches, actual test-ing, or approximations made using data from the literature or tests. The delay time of any bar-rier depends on adversary tools and the barrier material. Adversaries have the option of using tactics of force, stealth, deceit, or combinations of these tactics during an attack. Delay evalua-tion during a VA is primarily directed toward adversary tactics of force or stealth; the entry control subsystem addresses deceit.

To aid alarm assessment and interruption of the adversary at predictable locations, consid-eration must be given to installing barriers and detection systems adjacent to each other so that the barrier is encountered immediately after the sensor. This delays the adversary at the point of an alarm, increases the probability of accurate assessment, and allows for an effective response. Barrier effectiveness is supported through the use of the principle of balance, which ensures that each aspect of a specific barrier configura-tion is of equal strength.

A barrier is normally considered as pen-etrated when an adversary reaches a point 3 ft beyond the barrier. In contrast, defeat is a much broader term, which implies that the barrier is no longer effective in delaying the adversary. This distinction is important because it is quite often easier to defeat a barrier via stealth or other means than it is to penetrate it. Most secu-rity barriers at industrial facilities are designed to deter or defeat sporadic acts of vandalism, inadvertent entry, or casual thievery. For more motivated or capable threats, however, these tra-ditional fences, buildings, doors, and locks may present little deterrence or delay.

A close examination of the large variety of scenarios and tools an adversary can select to penetrate a given facility will likely indicate that existing barriers do not ensure that adversary

Data Collection—Response


delay time will always be sufficient for the system. Further, if the adversary has not been detected before encountering a particular bar-rier, or during penetration, the effectiveness of that barrier will be negligible. Most conven-tional barriers such as distance, fences, locks, doors, and windows provide short penetration delay against forcible (and perhaps stealthy) attack methods that use readily available hand or power tools. Against thick, reinforced con-crete walls and other equally impressive-look-ing barriers, explosives become an effective, rapid, and more likely method of penetration by a determined adversary. An example is the use of vehicle bombs. In addition, recall that security guards are not an effective delay unless they are located in protected positions and are equipped as well as the adversary (i.e., armed adversary and unarmed guards).

An important concept in delay evaluation is that delay is a strong function of the defined threat and adversaries’ skill. Stealth, cunning, and surprise can be valuable assets to any adversaries. The VA team should look not only at the physical delay elements present in a PPS but also at their condition and integration with the rest of the PPS. The team must consider unique ways that an adversary team could and most likely would exploit weaknesses in the PPS. One of the often overlooked aspects of a VA is how adversaries can, and will, use existing tools and materials within the facility to achieve their goals.

There are a variety of active or passive bar-riers that can be used to provide delay, and many are present in the normal course of build-ing construction. Depending on adversary tools and capabilities, these barriers will have dif-ferent delay times. Location of the barrier also plays an important role in the delay time and effectiveness of a barrier. A thick concrete wall on the exterior of a building may be susceptible to rapid breaching with explosives. The same wall, however, when incorporated into an inte-rior underground vault may provide substantial

delay, as the adversaries may not be able to use large quantities of explosives without collaps-ing the entire structure around them. Typical barriers include fences, gates, turnstiles, vehicle barriers, walls, floors, roofs, doors, windows, grilles, utility ports, and other barriers.


Response is the third and final function of a PPS that is evaluated during a VA. There are many ways to respond to a security event; the appropriate response depends on the defined threat, the value of the asset, and the use of risk management options other than a PPS at the facility. At any given facility, one or more response strategies may be in use, and this will affect data collection activities accordingly. In addition to the response strategy, security com-munication is a critical part of any response function and must also be considered during the VA.

The key information collected during the VA relates to two important and interrelated fac-tors. The first is the time it takes for the desired response to be placed into effect; the second is the effectiveness of that response. These aspects of response are facilitated by reliable communi-cation among the responders and with others. A related matter is whether there is an immediate on- or off-site response. During the initial design and implementation of a PPS, each facility must decide if the response goal is to react after a suc-cessful attack or to stop the adversary from com-pleting a successful attack. The misalignment of response goals and protection objectives at a facility will cause serious degradation of PPS effectiveness.

Response goals can be broadly categorized as delayed or immediate, respectively. Delayed response refers to any after-the-event reaction, where preventing a successful attack is less important than initiating asset recovery or inves-tigation procedures, or where evacuation of the

image190.jpg image191.jpg


facility is the response to an attack. Examples of delayed response include review of surveil-lance tapes after an asset has been lost or dam-aged, incident investigation, asset tracking and recovery, criminal prosecution, or any combina-tion of these. Immediate response refers to the timely deployment of any personnel to an intru-sion to prevent undesirable events from occur-ring or to the immediate implementation of a mitigation procedure, such as evacuation, after a successful attack, to limit the effects of unde-sirable events. Generally speaking, if there is no immediate response to security events, there is a basic assumption that the asset can be lost and that this risk is acceptable. This may be true when the asset value is low, the threat is not very capable or motivated, the frequency of the event (i.e., the probability of attack) is low, or the asset is protected using another risk management alternative (i.e., insurance) rather than physical protection, or if liability concerns limit the use of an immediate response. For critical assets, however, the lack of an immediate response to a malevolent intrusion increases the risk of asset loss; therefore, it must be carefully considered during the VA.

The two measures of an immediate response are the time for arrival and neutralization. The time to arrive is used to establish interruption; neutralization is a measure of response effec-tiveness, given arrival. Interruption is a mea-sure of the detection, delay, communication, and response functions of the PPS and is rep-resented by the probability of interruption (PI). Neutralization measures response force num-bers, training, tactics, and use of any weapons or equipment and is represented by the probability of neutralization (PN). In addition, the VA team must estimate the probability of communication (PC), which is essential for an effective immedi-ate response.

Several general response strategies can be used at any given facility; some high-security sites with multiple critical assets may use more than one strategy, and the response strategy

plays a major role in how a facility is evalu-ated during a VA. Response strategies include deterrence, denial, containment, and recovery. Deterrence is used to discourage some low-level threats from attacking a facility by presenting the appearance of tight security, suggesting that an attack would not be successful. This strategy is used at almost all private and government facilities. Because this strategy relies on the adversary’s perception that they are not likely to succeed, this approach will work only against less capable or motivated threats.

For some critical assets or production facili-ties, such as hazardous chemical, biological, and nuclear materials or toxic waste, where release of these agents into the environment through sabo-tage would cause many injuries, deaths, or con-tamination, a denial strategy is required. Denial refers to the protection of material by preventing adversary access to areas where materials are stored or to vital equipment used to process the material. For a successful sabotage event to occur, the adversary only has to complete the attack on the target and cause the release; capture of the adversary after a successful release does not pre-vent the consequence of the attack.

A containment strategy is generally used when the adversary goal is theft of an asset. Containment means that the adversary is not allowed to leave the facility with the asset; that is, they are contained on-site and the theft attempt is not successful. This strategy is usu-ally reserved for facilities with high-value or high-consequence assets, such as mints that store large quantities of currency, museums, precious gem or metal repositories, or hazard-ous material storage locations. Prisons also use a containment strategy, but they are attempting to prevent inmates from leaving a facility, not the theft of assets.

In the event that deterrence or containment strategies fail, a backup approach is recovery of the stolen asset. In some recovery strategies, the recovery is immediate (i.e., hot pursuit of the adversary as he/she speeds away in a car). For



most facilities, there is an acceptance that assets may be lost for a period of time, and recovery of the assets at some point in the future is the primary response. Recovery responses include investigation, tracking of assets, and follow-up using criminal prosecution.

Security communications consist of the people,­ procedures, and technology used to transmit communications among members of the response force during both normal and response operations. During normal operations, security communications may be required for conducting entry control, escort, patrols, and other security functions (for an on-site security group). During response to an attack, communi-cations are essential for organizing responders, directing them to the scene of the emergency, and successfully interrupting or neutralizing the adversary. Accurate and reliable communication is required for interruption and neutralization. The overall performance measure used is the PC, which is a measure of confidence that infor-mation will flow through the system, starting with alarm reporting and ending with deploy-ment and engagement with the adversary. For a delayed response using video surveillance or assessment, PC will depend on the transmis-sion system used to capture and store alarm and video information for later review.

The actual performance measures and esti-mates used depend on the response strategy and the presence of an immediate response. For delayed responses, it is sufficient to ensure that there is timely and accurate detection, and that legally admissible and usable video information is captured as evidence. This requires a fully functional communication system, limited in this case to integrated sensing and video assess-ment, and transmission of this information to a storage location. This can be approximated using the probability of assessed detection. For any immediate response, response force time, neutralization capability, and the probability of communication will be the key aspects of the evaluation.



After all the appropriate data have been col-lected, analysis of the PPS can begin. There are two basic analysis approaches used in a VA: com-pliance or performance based. Compliance-based approaches depend on conformance to specified policies or regulations; the metric for this analy-sis is the presence of the specified equipment and procedures. Performance-based approaches actually evaluate how each element of the PPS operates and what it contributes to overall sys-tem effectiveness. The use of compliance- or fea-ture-based systems is only effective against low threats, when assets have a low consequence of loss, or when cost-benefit analyses have been per-formed that document that physical protection measures are not the most cost-effective risk man-agement option. A compliance-based analysis is easier to perform because the measure of system effectiveness is the presence of prescribed PPS equipment, procedures, and people. The analysis consists of a review of facility conformance to the compliance requirements, the use of checklists to document the presence or absence of compo-nents, and a deficiency report that notes where the facility is out of compliance. The VA report summarizes these findings and the facility makes improvements according to enterprise policy. Because the premise of this text is that overall system effectiveness is the goal of a VA, and that all dollars spent on PPS elements should result in improved protection while also complying with requirements, this text primarily addresses performance-based analysis. Performance-based analysis can use either qualitative or quantitative techniques.

When conducting either a qualitative or quantitative performance-based analysis, the following six-step process is used:

1. Create an adversary sequence diagram (ASD) for all asset locations.

2. Conduct a path analysis, which provides PI.

3. Perform a scenario analysis.

image193.jpg image194.jpg


4. Complete a neutralization analysis, if appropriate, which provides PN.

5. Determine system effectiveness, PE.

6. Develop and analyze system effectiveness upgrades, if system effectiveness (or risk) is

not acceptable.

If desired, a facility may also choose to evalu-ate the PPS using risk as a metric, although this method is more commonly used in risk assess-ment and not in VA.

An ASD is a functional representation of the PPS at a facility that is used to describe the specific protection elements that are present. It illustrates the paths that adversaries can follow to accom-plish sabotage or theft goals. Because a path anal-ysis determines whether a system has sufficient detection and delay to result in interruption, it is conducted first. The path analysis uses estimated performance measures, based on the defined threat tools and tactics, to predict weaknesses in the PPS along all credible adversary paths into the facility, measured by the probability of inter-ruption. This step is facilitated through the use of an ASD of the facility to be analyzed.

A scenario analysis is conducted to determine whether the system has vulnerabilities that could be exploited by adversaries using varying tac-tics, resulting in lower effectiveness of the PPS. Scenario analysis considers specific tactics along the path, as well as attacks on the PPS or on the response force. These tactics include stealth, force, and deceit, and they may be used individually or combined during a scenario. As in path analy-sis, an important aspect of scenario analysis is consideration of different operating states at the facility or near the asset. There are usually at least two facility states—open and closed. As a part of scenario analysis, an effort is made to identify the worst cases of attack scenarios. Although analy-sis is not limited to these situations, they are very useful because they define the adversary attacks that test the limits of PPS effectiveness.

After weak paths and suitable attack scenarios have been determined, a neutralization analysis

can be performed. This part of the analysis is performed only at facilities where there is an immediate response resulting in a face-to-face confrontation with adversaries. Neutralization analysis provides information about how effec-tive the response function will be under differ-ent scenarios and is a measure of response force capability, proficiency, training, and tactics.

At this point, PPS effectiveness can be cal-culated, using qualitative or quantitative tech-niques. System effectiveness is represented using only PI (as in the case of a delayed response using review of video and investiga-tion, when the mere presence of an immediate response will chase an adversary away, or when an adversary will surrender if interrupted), or through the use of both PI and PN (at facilities where an immediate response will engage with the adversary).

If the baseline analysis of the PPS shows that the system does not meet its protection objectives, the VA team can suggest upgrades that will address these issues. Usually, these upgrades are not specific technical recommen-dations but are functional improvements that can be achieved by increasing performance at certain locations. The analysis is then repeated using these performance increases to estimate the overall increase in the ability of the system to meet its objectives. These results are provided to security system designers who will determine which specific equipment or other upgrades will provide the required performance. Once the analysis is completed, it is important to present both the baseline and upgrade analyses to estab-lish the need for improvements and show the return on investment (ROI) in upgrades.



After analysis of facility data is complete, the VA team reports the results in a manner that is useful to the managers at the facility. The goal of

Systems Engineering and Vulnerability Assessment


the report is to provide accurate, unbiased infor-mation that clearly defines the current effective-ness of the PPS, along with potential solutions if the current system is not effective. The VA informs facility management of the state of the PPS and supports upgrade decisions. In general, the VA report is then used in successive projects that address the identified vulnerabilities and improve the PPS at the facility.

Reporting can be formal or informal, verbal or written, and may take the form of a short over-view, or a longer, more detailed approach. The choice of reporting form and content is an aspect of the project agreement and generally follows the conventions of the customer or facility being evaluated. Regardless of how reporting is pre-sented and documented, certain content must be included to make the report understandable and useful to the facility. By its very nature, a VA report is a powerful document and should not be shared indiscriminately. Protection of the final report, as well as the appropriate distribu-tion, should be defined as part of the master project agreement. It is recommended that one organization has final control of the document and who it is shared with, even though other organizations may have copies.

Once the VA report is completed, a variety of responses or next steps can take place. By far, the most common approach is for the facil-ity to pursue improving the PPS and following the recommendations of the VA team. A VA can be thought of as the analysis of system require-ments that must occur before system design and implementation. The same things that made a particular PPS weak can limit the effectiveness of any upgrades if they are not carefully con-sidered. This process may be relatively short and easy if the recommendations involve only procedural or minor equipment changes, such as replacing one type of CCTV camera with another. If the system requires major equipment upgrades, however, the proper approach to the upgrade design will ensure a cost- and perfor-mance-effective result.

The goal of the design team is to create upgrades that meet the performance predicted in the upgrade analysis phase of the VA. This can be difficult to accomplish, and it can take several iterations between the designers and the facility to clarify goals and constraints and to create the best system that can be installed for the avail-able funding. The three general stages of design activity include conceptual, preliminary, and final design. Although this discussion is focused on the VA of an existing facility, the same pro-cess is used for evaluation of a new facility. For new facilities, VA analysts and designers work together closely to model the proposed PPS at the facility and then iterate on which PPS ele-ments will give the most cost-effective solution. Once they agree, the system designers work through the design stages to define how the final design will be implemented to meet the specified performance.



This section introduces the systems engineer-ing process and describes how this process is used in a VA. Before discussing this relationship, a few definitions and a brief introduction to sys-tems engineering are provided.

In the Design textbook, a system was defined as “an integrated collection of components or elements designed to achieve an objective according to a plan.” Systems may be small (a microwave oven) or large (a city), and all sys-tems are composed of other smaller systems (or subsystems). In some applications, a collec-tion of many systems into a functional whole is called a system of systems or a family of systems. Further, systems are not found only in engi-neering, but exist in other disciplines as well. For example, there is a criminal justice system that includes law enforcement, the courts, and corrections. Biological systems can be microor-ganisms, a pond, or a human. A social system

image195.jpg image196.jpg


includes the culture, behaviors, and mores of a society. Systems engineering

…is an interdisciplinary approach and means to enable the realization of successful systems. It focuses on defining customer needs and required function-ality early in the development cycle, documenting requirements, and then proceeding with design syn-thesis and system validation while considering the complete problem. Systems engineering considers both the business and the technical needs of custom-ers with the goal of providing a quality product that meets user needs.

It is concerned with the integration of func-tional, technical, and operational requirements within the business goals and environment of the customer. Integration refers not only to physi-cal or electrical integration (although these are important aspects of system performance) but also to the integration of customer needs, tech-nical performance, safety, reliability, procedures, personnel, maintenance, training, testing, and life cycle costs of the proposed solution. The systems engineering process flow is shown in Fig. 2.4. The process is iterative and should begin at the requirements stage. A VA fits into this stage of the cycle, which guides the other stages. The results of the VA are used to establish the requirements for an upgraded system design, which are validated through the use of analysis and testing. Once


installed, the system should be tested and main-tained to optimize system performance and allow for some expansion. At some point, requirements may change or the system reaches the end of its usable lifetime, and replacement of the system or components must be addressed.

Systems engineering is not about being a good engineer—everyone is a systems engineer in his/ her area of expertise. Rather, systems engineer-ing is a logical and structured process that starts by defining the problem to be solved, considering multiple potential solutions, and then analyzing these solutions to support selection and implemen-tation of the most balanced and robust design that meets requirements and goals. Implementation of the design includes proper installation, main-tenance, testing, and training of personnel to preserve optimal system function. Systems engi-neering also addresses the final disposition, retire-ment, or replacement of the system after its useful lifetime has been reached. The information pre-sented in this section is an overview of systems engineering based on principles developed by the International Council on Systems Engineering (INCOSE) and a text by Martin. An effective VA follows basic systems engineering principles.

A common model of systems development is one that considers both systems and component engineering. These two areas are science based, where science determines what is, component



image1.jpg image2.jpg 6HFRQGDU\ ,QIRUPDWLRQ )ORZ




FIGURE 2.4 Systems engineering process.

Systems Engineering and Vulnerability Assessment


engineering determines what can be, and sys-tems engineering determines what should be. The systems engineering domain includes user requirements (define the problem) and system requirements (boundaries and constraints), which lead to the component engineering domain. This domain includes component selection, design, analysis, integration, and testing.

During a VA, the project leader generally serves as the systems engineer who ensures that the final product meets customer needs, although large projects may include a systems engineer as a separate team member. Component engi-neers are the SMEs on the VA team who bring technical depth in engineering, adversary and response tactics, explosives, analysis, and other areas to evaluation activities.

Because the VA process described in this chapter is performance based, it embraces all the areas of system development described previously: science, systems, and component engineering. The science-based nature of this approach cannot be ignored. An example may clarify the distinction between compliance- and performance-based approaches. A compliance-based approach might select a radar to provide exterior intrusion detection instead of other

sensors, such as microwave, active infrared, fence-associated, or buried cable, based on past use, a large inventory of available devices, approved lists, or vendor-provided informa-tion. In contrast, a performance-based approach would begin by ensuring that all system require-ments are identified and that the selected device is the one that best meets all requirements. Then, performance of the device is based solely on the trade-off analysis of which devices meet all requirements. Examples of exterior intrusion detection requirements include probability of detection, NAR, vulnerability to defeat by the defined threat, integration with other PPS com-ponents, expansion capability, and life cycle cost of implementation and operation. This example emphasizes the need for good systems engineering, so that the VA and any necessary upgrades provide the best PPS for the cost. As a result, customer desires often must be bound by explaining what realistically can and cannot be achieved using PPS components. This rationale is included in the requirements stage of systems engineering, which is described next and is a part of VA project management. A brief com-parison of compliance- and performance-based approaches is shown in Table 2.1.

TABLE 2.1 Comparison of Compliance- and Performance-Based Vulnerability Assessment Approachesa



Compliance-Based Approach

Performance-Based Approach

Asset value


All assets

Requirement basis


Overall system performance

Component performance measure


Effectiveness and integration

Data collection methodology

Site survey

Site evaluation testing



System effectiveness


Deficiency report

Path effectiveness and vulnerabilities

Upgrade design

Address deficiencies

Functional performance estimates

Component selection

Component engineering

Systems engineering

Underlying process

Satisfy policy requirement

Systems engineering


a Compliance-based approaches are less rigorous and easier to perform than performance-based approaches. Compliance-based approaches are most appropri-ate for low-value assets, whereas a performance-based process can be used for assets of any value.

image200.jpg image201.jpg


Given this background, Fig. 2.3 illustrates the systems engineering process as applied in a VA, which will be discussed in other chapters. The remaining sections of this chapter describe the phases of systems engineering in more detail and how they relate to a VA, and include refer-ences to specific chapters in the book that con-tain further information. The purpose of this discussion is not to thoroughly describe the sys-tems engineering process but to show how a VA is based on the process.


As shown in Fig. 2.3, evaluation of a PPS begins with an understanding of the problem that is to be solved. This includes facility charac-terization, defining the threat, and target iden-tification. In systems engineering, these PPS objectives are a subset of system requirements, and they serve as the primary basis for appro-priate PPS evaluation by SMEs from a variety of disciplines.

A requirement is a characteristic that identi-fies the levels needed to achieve specific objec-tives under a given set of conditions and is a binding statement in a contract or regulatory document. In formal systems engineering docu-ments, requirements can be thresholds or goals; thresholds are something that must be achieved, whereas goals have some degree of usefulness or desirability, but are not necessarily man-datory. Requirements are generally stated as “shall,” whereas goals are stated as “should.” This is a major point to consider when establish-ing system requirements. There are many cus-tomer, user, and stakeholder wants, needs, and expectations. Early in the evaluation process, these imprecise statements must be reduced to an actionable and measurable set of mandatory requirements, so that the final product delivers what the customer expects. It is not uncommon to skip this step in the process and jump imme-diately into system evaluation. This approach

almost always leads to dissatisfied customers and incomplete products and should be avoided. There are three types of requirements in a sys-tem: functional, constraint, and performance.

A functional requirement describes the prod-uct and level of detail, including component interfaces and what the PPS will do. These requirements address the integration of people, procedures, and equipment that provide the desired end product. They also address stake-holder, customer, and user needs, desires, and expectations. There is a difference in the needs of stakeholders (those who have a role in or expectations of the product), customers (those who pay for the system), and users (those who will operate and maintain the final product). A requirements analysis considers these differ-ent needs. These questions are appropriate for customers and stakeholders: What needs are we trying to meet? What is wrong with the current system? Is the need clearly articulated? Other questions concerning who the intended users are, how they will use the product, and how this is different from the present operation are appropriate for users.

Constraint requirements include any external or internal compliance condition or stipulation that must be met. They include external laws and regulations, legal liabilities, standards, and enterprise policies and procedures. Examples are federal safety requirements, labor law, fire and electrical codes, enterprise-defined infra-structure, and project management processes. In a VA, additional constraints are a function of the specific site, such as terrain, weather, facility layout and footprint, the presence of a response force, and other unique conditions. These con-straints are part of the operational environment that must be considered in the VA. Other con-straints may be imposed by the limits of avail-able technology, such as the previous radar example.

Performance requirements define how well a capability must operate and under what condi-tions. These are stated in clear, unambiguous,

System Requirements


and measurable terms. Examples of performance measures are earned value, monthly financial status, milestones met, other business or admin-istrative measures, and security performance measures such as probability of detection, delay times, probability of assessment, and probabil-ity of interruption. Performance requirements are derived from functional requirements and specify the metrics that are used to judge com-ponent and system effectiveness in meeting requirements.

There are many reasons to perform a VA, and these underlying needs must be understood by the VA team before beginning the evaluation. For example, periodic VAs may be required by an enterprise policy or regulatory agency (a con-straint requirement), even though the system is still performing as required. Or, the facility may have recently been attacked and lost a critical asset, and there is a desire to improve protection of assets (a functional requirement). Since 9/11, many private companies and government agen-cies have issued new threat guidance concern-ing the use of weapons of mass destruction and need to perform VAs to verify that existing PPSs are still effective (a performance requirement). These examples emphasize the need to under-stand customer goals in asking for a VA. In addition, the customer’s intended use of the VA must be considered. If the VA is performed only to satisfy a regulatory requirement, but there is no intention of implementing any changes in response to identified vulnerabilities, this is important for the VA team to understand. If the customer is unwilling or unable to allocate addi-tional funding or other resources to improving the PPS if required, this is part of the operating environment that constrains the VA. Identifying customer needs, motivation, and desires is a part of VA project management.

In a VA, functional requirements can be equated to defining the protection objectives— what is to be protected (assets) and from whom (threat). A high-level functional requirement in security is to “protect the secret rocket fuel

formula from theft by a competitor.” In addi-tion to these requirements, it is also important to characterize the enterprise in terms of its mis-sion and the external and enterprise operating environments, particularly with respect to any compliance constraints that must be met. For example, since 9/11, a variety of laws and man-dates have been enacted by the US government that have had a significant impact on security at airports and seaports. These new constraint requirements must be considered during VAs at these sites, so that their effect on overall system effectiveness is considered.

The performance requirements of the secu-rity system are related to the capability of the defined threat. For example, a PPS that protects assets from vandals requires lower performance than one against a group of highly motivated and well-equipped environmental activists. This is why it is so important to define protection objectives before starting the VA and not jump right into design, or worse, procurement, of PPS components. In many instances, an enterprise has responded to a security incident or regula-tory requirement by buying more cameras, with no analysis of what capability the new cameras will add to the current system. This relates to the earlier point concerning thresholds and goals. As applied to a VA, a threshold is used to specify the minimum acceptable performance of the PPS that must be achieved (i.e., probability of detection must be 0.9 for running, walking, and crawling intruders). If the threshold cannot be met by an improved PPS within the constraints, the system is not implemented or requirements are reduced because analysis does not support making an additional investment in a system or upgrade that cannot meet the minimum functional requirements. Put in different terms, the ROI is zero—additional money was spent with no cor-responding increase in the ability of the PPS to protect assets. This is not the traditional inter-pretation of ROI, where there is a direct financial gain as a result of system improvement. Rather, this ROI is the proactive protection of assets in a

image202.jpg image203.jpg


structured and reasoned manner. This may pay off indirectly in financial gain by protecting the enterprise’s reputation, ensure business continu-ity in case of an attack, and show external audi-tors or agencies that reasonable steps were taken to protect high-value assets. If a PPS that meets customer needs and system requirements cannot be implemented, other risk management alterna-tives should be considered, perhaps in combina-tion. There are often other ways to achieve the customer’s goals that are cheaper and more effec-tive than reducing risk using a PPS.


At this point, a clear set of requirements exists and has been agreed to by the customer, and the VA can begin. The system is evaluated by SMEs (i.e., component engineers) considering the defined threats and identified assets, and all constraints are factored into the evaluation. A VA on a PPS considers the functions of detec-tion, delay, and response and evaluates how well people, procedures, and equipment meet all requirements. It is implicit in this approach that the defined threat must physically enter the facility to attack. As a result, standoff attacks from off-site or cyber attacks on networks are not part of the VA of a PPS; these are legitimate security concerns that are addressed in the over-all security system for the facility. During a VA, the current system is evaluated based on the sys-tem requirements, and analysis is used to show whether the system meets the requirements. If the baseline analysis shows that the system does not meet requirements, potential upgrades are analyzed, but only to a functional level (i.e., spe-cific devices that achieve this performance are not identified). In this case, the VA then estab-lishes a new set of system requirements that is passed to designers for upgrade improvements using the new functional and performance requirements. The upgrade design process is described later in this section.

VA analysis is supported through the use of evaluation tests on installed PPS components, which document PPS component performance and how this affects the overall system. Any performance deficiencies are documented and used in the analysis. These component defi-ciencies lead to system weaknesses that can be exploited by adversaries, which is the definition of a vulnerability. For many PPS components, historical test data already exist that are used in analysis. The principles and techniques used to evaluate the detection, delay, and response subsystems and components of the PPS form the core of this text.

The VA analysis process includes the use of trade-off analyses that consider the performance that can be expected for various combinations of PPS elements and assist in selection of per-formance options that best meet all require-ments. A robust design will also look beyond the requirements (i.e., thresholds) and determine how effective the system is in meeting customer desires. For example, analysis of a PPS must show effectiveness against the defined threat; in addition, analyses showing how well the system will perform against higher threats can also be performed to give an indication of system effec-tiveness beyond requirements. This additional performance documents how effective the PPS will be as threats increase, and if this perfor-mance can be obtained for little increased cost, it can be a viable option. This is an example of a customer goal, as compared with a requirement. The analysis shows how an investment in the PPS can be leveraged to add system capability at a low cost, for example, installing larger, high-resolution CCTV monitors in the alarm-monitor-ing station. It may cost a little more to buy better monitors, but better monitors will make opera-tors faster and more effective at assessing intru-sion alarms caused by small objects. As a result, a small additional investment in better monitors will provide more effective alarm assessment capability. This relates to the earlier point about meeting customer goals—implementation of this

System Design and Analysis


option should be discussed with and approved by the customer, and consider all impacts to the PPS, such as any increased cost of installation, normal and backup power specifications, and

operator viewing distance.

At the end of the VA, analysis shows either that the current PPS is effective in meeting requirements, or it is not. If not, the VA team will propose various functional and perfor-mance upgrades to the PPS that will meet requirements. At this point, the VA is com-plete, and the final report is written. If the facility chooses to follow the VA recommen-dations, and assuming that many equipment improvements are needed, another separate group of PPS designers is assigned to design the upgraded PPS. The design of a PPS is a complex subject that could easily fill another book; however, the process is summarized in the remainder of this section.

The design stage of the systems engineering process is often iterative, starting with concep-tual design, proceeding to a preliminary design, and ending with the final system design that is deployed. As the design progresses, a multidisci-plinary team (much like the team that performed the VA) reviews potential design options to con-verge on the best solution. In many cases, the existing requirements may not completely spec-ify the performance required of the upgraded system, and this is part of the reason for an itera-tive design cycle. This process is facilitated by the use of design reviews, modeling and simu-lation tools, test data, and discussions with the customer to verify that the proposed solution is in alignment with their needs (shall require-ments) and desires (should requirements). The final design ends in a detailed description of the product and how it is implemented (a detailed final drawing package). Before implementing the final design, the system components are ana-lyzed to validate and verify system operation. Validation is the process of checking satisfaction of stakeholders (have we done the right job?) and verification checks that the design meets the

specified technical requirements and the compo-nents are properly integrated (have we done the job right?).

Validation checks to ensure that no require-ments were missed and that there are no extra-neous requirements. This is called requirements traceability and is frequently used in large, costly systems (and may be required by some customers). Traceability shows that the product is just what the customer wanted, no more and no less. It also serves to document and explain selection of specific components during the system design stages and links requirements to these components and the overall system. If there is no link between a component and a requirement, the customer was given more than they needed. This is important because it clari-fies for the customer why one device was used over another in the final design. Consider the example of specifying a camera in a PPS design. Many types of cameras are available, and selec-tion of the appropriate camera depends on the functional, constraint, and performance requirements of the system. If the defined threat includes an adversary crawling across a perim-eter at night, camera resolution, lighting, video recording, and storage must be specified to meet this performance requirement. Contrast this with a defined threat that includes a vehicle crash-ing the perimeter. The larger profile of a vehicle will not require the same camera resolution as a crawling attacker; thus the specific camera that is selected may be different. However, the vehi-cle will be moving at a faster rate of speed than a crawler, and this constraint will influence what other devices are incorporated into the system design. Validation often uses acceptance tests under local conditions to check that the system meets the needs and expectations of stakehold-ers. If formal documentation is needed, the use of traceability software, as noted previously, may be warranted (go to www.telelogic.com for an example). The software documents the link between requirements, system design, imple-mentation, and test.

image204.jpg image205.jpg



At this stage of the upgrade process, the new design is implemented as described in the drawings and specifications of the final design package. Deviations from these specifications should be approved by knowledgeable experts who understand their effects on component and overall system performance. Some changes may be relatively transparent, but others may seri-ously affect system performance. For example, changing the distance between or height of light fixtures may change the amount of light that is available in an area. System installation is sup-plemented by on-site operational, functional, and performance tests to ensure that the sys-tem is working as predicted and the customer’s needs are met. Operational tests confirm that an installed device is working (i.e., it sends a sig-nal), and functional tests show that the device is working and performing as expected (i.e., a sensor still has the expected PD). It is also recom-mended that final acceptance tests are performed before the customer accepts the delivered sys-tem. An acceptance test is the final stage of sys-tem delivery, and test results are used to either justify or withhold final payments to vendors, depending on whether the system passes or fails the test.

Because the PPS is expected to continue to perform after initial installation, proper mainte-nance and periodic testing of components and the system are required to maintain optimal system function. These are aspects of the overall system and system design also includes recom-mendations on the maintenance, testing, and training procedures that should be used to keep the system operating reliably and as expected. These details are aided by complete system doc-umentation, a preliminary training program to acquaint users with the proper ways to maintain the system, and recommended procedures and processes that will ensure continued accept-able system performance. Component instal-lation, maintenance, testing, and staff training

procedures are evaluated during the VA and can have a significant effect on overall system per-formance. Procedural improvements can also be low-cost system upgrades.


It is good systems engineering practice to include planning for the retirement and replace-ment of the system in the system design, after its expected lifetime has been reached. The final design that is implemented should allow for sys-tem expansion and growth, up to a certain point. Typically, this point allows for 50% expansion above the current capability. This advance plan-ning allows for expansion of systems in response to changes without excessive cost or loss of pro-tection. Examples of system expansion include the installation of fiber-optic cable bundles with more conductors than currently needed at ini-tial installation. It only costs a little more to buy a fiber bundle with twice as many conductors; installation costs are the same. Alternatively, a conduit with a larger diameter could be used to allow room for additional wiring at a later date. In the same way, adding power drops or junction boxes will allow for rapid expansion of the PPS in the future. It is expected that technology will advance, threats will change, facilities may grow or shrink, or equipment will fail, any of which can create a need for new components that meet existing or new requirements. Although retire-ment and replacement are not part of a VA, expansion capability of the PPS is one criterion that is considered during a VA.



This chapter described risk management, VA, and systems engineering and explained how these processes support security system evaluation. Risk management and risk assess-ment were reviewed. Both qualitative and



quantitative techniques to measure system effectiveness in a VA were described, as well as when each technique is appropriate. The use of statistical measures was discussed to introduce this topic and to show how statistics are used to support system evaluation. The VA process was also introduced by dividing the process into three stages—planning, con-ducting, and reporting—and using the results. This chapter ended with a brief description of how the evaluation process described in this text follows a systems engineering process to enable the realization of successful systems. This process focuses on defining customer requirements and then evaluating the sys-tem while considering the complete problem. Systems engineering integrates disciplines and groups into a team effort, following a structured development process that proceeds from problem definition to evaluation and

analysis to implementation of any required system upgrades, while considering both the business and the technical needs of customers with the goal of providing a quality product that meets user needs.


[1] Garcia ML. The design and evaluation of physical protec-tion systems. Boston: Butterworth-Heinemann; 2001.

[2] Grose VL. Managing risk: systematic loss prevention for

executives. Arlington, VA: Omega Systems Group; 1987.

[3] Kaplan S, Garrick BJ. On the quantitative definition of risk. Risk Anal 1981;1(1):11–27.

[4] Haimes YY. Risk modeling, assessment, and manage-ment. 2nd ed. Hoboken, NJ: Wiley and Sons; 2004.

[5] International Council on Systems Engineering (INCOSE). Definition available at: http://www.incose.org/practice/ whatissystemseng.aspx; April 18, 2005.

[6] Martin JN. Systems engineering guidebook: a process for

developing systems and products. Boca Raton, FL: CRC Press; 1987.

This page intentionally left blank

image207.jpg image208.jpg



Influence of Physical Design

Marianna A. Perry, MS, CPP

This chapter discusses crime prevention through environmental design (CPTED) and how practitioners, designers, community members, and law enforcement activity can all collaborate to help make urban community housing devel-opments safer. Individuals must realize that safe communities are formed with their interaction and involvement in partnership programs with law enforcement and other community agencies. Residents and those with a “vested” interest in the community join together and partner with law enforcement to reduce not only crime but also the fear of crime and change the perception of the community.



The relationship between physical design and informal social control of crime is a new idea only in the sense of its systematic application to the modern urban scene. Prior to the devel-opment of the modern city, most societies took some precautions to relate security in the physi-cal environment to a responsibility for security actions by the inhabitants themselves.

In the rush of modern urban development, however, economic and political priorities seem to far outweigh security priorities, with the result that many urban settings now seem deliberately

designed to discourage informal social control. No colonial community would have done so, even when stockades were no longer needed for defense. New England towns continued to be con-structed so that homes and stores formed a hollow square around a central common area where social activities could take place and where livestock could be kept in relative security. In this kind of environment, everyone knew everyone else’s busi-ness. While this meant less personal privacy than the modern city dweller may enjoy, it also meant a high degree of shared responsibility for controlling undesirable behavior and unwanted intrusion.

Only recently have students of modern urban society begun again to take serious note of the rela-tionship between physical design and informal social control. Jane Jacobs first applied the concept to modern cities in 1961. In her book The Death and Life of Great American Cities [1], she theorized that multiple land uses along residential streets pro-vided an interaction between the physical design and the users (pedestrians and residents), which promoted natural and informal surveillance and, therefore, increased the safety of the streets.

Lee Rainwater, in an evaluation of a public housing project in St. Louis in 1966, discussed the effect of physical design on the attitudes of public housing residents, pointing out that inappropriate architectural design was directly related to antisocial behavior [2].

Effective Physical Security, Fifth Edition



Copyright © 2017 Elsevier Inc. All rights reserved.


image211.jpg image212.jpg


Elizabeth Wood, writing in 1961, suggested that current design patterns in public hous-ing projects appeared to discourage informal social relationships and gatherings, thereby pre-venting the development of social interactions through which residents could create informal social controls and self-policing [3].

Schlomo Angel, in 1968, found that variations in the level of pedestrian and vehicular traffic could either encourage or discourage crimes [4]. Too few users provided enough potential vic-tims but not enough potential witnesses.

Gerald Leudtke and E. Lystad found, as the result of studies in Detroit, that

many of the features of urban form and structure… could tend to facilitate or decrease the probability of crime. Such physical features include the condition and maintenance of buildings, streets, and alleys; evidence of recent construction; mixtures of land use; rates of pedestrian traffic and pedestrian accumulation within various land uses; location of structures on an urban grid pattern; and distance to adjacent structures. Other examples are types of parking facilities; visibil-ity into structures from roads, sidewalks and adjoining buildings; concealment by trees, shrubs, parked auto-mobiles, fences, signs, and advertising; the visibility of entrance points; building setbacks; and, the number and arrangement of entrance points in a building [5].

In 1969, Oscar Newman and George Rand [6] developed a theory of territoriality (now referred to as defensible space) that held that proper physi-cal design of housing encourages residents to extend their social control from their homes and apartments out into the surrounding common areas. In this way, they change what previously had been perceived as semipublic or public ter-ritory into private territory. Upgrading the com-mon areas in this way results in increased social control and an interaction between physical environment and its users that reduces crime.

As Newman himself defines it,

Defensible space is a surrogate term for the range of mechanisms—real and symbolic barriers, strongly defined areas of influence, improved opportunities for surveillance—that combine to bring an environment

under the control of its residents. A defensible space is a living residential environment that can be employed by inhabitants for the enhancement of their lives, while providing security for their families, neighbors, and friends. The public areas of a multifamily residential environment devoid of defensible space can make the act of going from street to apartment equivalent to run-ning the gauntlet. The fear and uncertainty generated by living in such an environment can slowly eat away and eventually destroy the security and sanctity of the apartment unit itself. On the other hand, by grouping dwelling units to reinforce association of mutual benefit, by delineating paths of movement, by defining areas of activity for particular users through their juxtaposition with internal living areas, and by providing for natu-ral opportunities for visual surveillance, architects can create a clear understanding of the function of a space, who its users are and ought to be. This, in turn, can lead residents of all income levels to adopt extremely potent territorial attitudes and policing measures, which act as a strong deterrent to potential criminals [7].

A study by Reppetto [8] in Boston indicated the need to expand the CPTED process to include whole neighborhoods and provide for comprehensive data collection efforts, which would both define the nature of crime patterns and suggest appropriate countermeasures.

Reppetto was also able to show that closely knit communities do tend to protect their mem-bers through informal social controls. This find-ing was further emphasized by John Conklin in

The Impact of Crime:

A tightly knit community can minimize the prob-lem of street crime. However, informal social control also poses a threat to the diversity of behavior that exists in a pluralistic society, even though it may curb violent crime. Still, street crime would decline if inter-action among the residents of a community were more frequent, and if social bonds were stronger. A sense of responsibility for other citizens and for the community as a whole would increase individuals’ willingness to report crime to the police and the likelihood of their intervention in a crime in progress. Greater willingness of community residents to report crime to the police might also obviate the need for civilian police patrols. More interaction in public places and human traffic on the sidewalks would increase surveillance of the places where people now fear to go. More intense social ties would reinforce surveillance with a willingness to take action against offenders [9].

Defensible Space


C. Ray Jeffrey, in his classic theoretical work

Crime Prevention Through Environmental Design

[10], written before Jeffrey became aware of the works of Newman and others, proposed a threefold strategy involving not only physical design but also increased citizen participation and the more effective use of police forces. He contended that the way to prevent crime is to design the total environment in such a manner that the opportunity for crime is reduced or eliminated.

Jeffrey contends that both the physical and social characteristics of an urban area affect crime patterns. Better physical planning is a key to unlocking the potential for improved physical security and the potential for develop-ment of informal social control. He also argues for high levels of precision in the analytical stages that precede physical planning for crime reduction:

One of the major methodological defects in ecologi-cal studies of crime rates has been the use of large units and census tract data as a basis for analysis. The usual units are rural–urban, intricacy, intercity, regional, and national differences.…Such an approach is much too gross for finding the physical features associated with different types of crimes. We must look at the physical environment in terms of each building, or each room of the building, or each floor of the building. Fine-grain resolution is required in place of the usual large-scale photographs.…Whenever crime rates are surveyed at a micro level of analysis, it is revealed that a small area of the city is responsible for a majority of the crimes. This fact is glossed over by gross statistical correlation analy-sis of census tract data, which ignore house-by-house or block-by-block variations in crime rates. For purposes of crime prevention we need data that will tell us what aspects of the urban environment are responsible for crime, such as the concentration of homicide or robbery in a very small section of the city [11].



Oscar Newman and others have explored and further defined the defensible space con-cept in recent years through design studies and

experiments involving existing and new public housing projects. The following summary of defensible space techniques will give the practi-tioner an initial understanding of this important application of physical design to the urban resi-dential environment.

Design for defensible space involves attempts to strengthen two basic kinds of social behavior called territoriality and natural surveillance.


The classic example of territoriality is “a man’s home is his castle” tradition of the American single-family home and its surround-ings. In this tradition, the family lays claim to its own territory and acts to protect it. This image of the home as a castle reinforces itself “by the very act of its position on an integral piece of land buffered from neighbors and the public street by intervening grounds” [12].

As the urban setting has grown, the single-family home has become, to developers, an eco-nomic liability. Family housing has moved into the row house (townhouse), apartment com-plex, high-rise apartment structure, and massive public housing project. Whatever the benefits of this transition, the idea of territoriality has been largely lost in the process. The result is that “most families living in an apartment building experi-ence the space outside their apartment unit as dis-tinctly public; in effect, they relegate responsibility for all activity outside the immediate confines of their apartment to the public authorities” [13].

As residents are forced by the physical design of their surroundings to abandon claim to any part of the outside world, the hallways, stairways, lobbies, grounds, parking lots, and streets become a kind of no-man’s land in which criminals can operate almost at will. Public and private law enforcement agencies (formal controls) attempt to take up the slack, but without the essential informal social con-trol that a well-developed social sense of terri-toriality brings, law enforcement can do little to reduce crime.

image214.jpg image215.jpg


Natural Surveillance

The increased presence of human observers, which territoriality brings, can lead to higher levels of natural surveillance in all areas of resi-dential space. However, the simple presence of increased numbers of potential observers is not enough, because natural surveillance, to be effec-tive, must include an action component. The probability that an observer will act to report an observed crime or intervene in it depends on the following:

· The degree to which the observer feels that his or her personal or property rights are violated by the observed act.

· The extent to which the observer is able to identify with the victim or property under attack.

· The level of the observer’s belief that his or her action can help, on the one hand, and not subject him or her to reprisals on the other.


Obviously, the probability for both observa-tion and action is greatly improved by physical conditions, which create the highest possible levels of visibility.

Design Guidelines

Defensible space offers a series of architec-tural guidelines that can be used in the design of new urban residential complexes to promote both the residential group’s territorial claim to its surroundings and its ability to conduct natu-ral surveillance [14].

· Site design can stress the clustering of small numbers of residential units around private hallways, courtyards, and recreation areas. In these restricted zones, children can play, adults can relax, and strangers can easily be identified and questioned. Such private spaces can be created by internal and external building walls and access arrangements and by the use of perceptual barriers such as a fence, shrubbery, and other boundary markers.

· Site interrelationships design can be used to create semiprivate connecting and common spaces between and among the private family clusters. Walkways, vehicle access ways, parking areas, recreational facilities, lobbies, and laundry and shopping areas can be designed so that each cluster relates to them much like each resident of a cluster relates to his or her common private space. Physical design can be used to further extend the sense of territoriality and the possibility for informal social control.

· Street design and the design of other public spaces can be engineered to make these spaces into semipublic extensions of the residential clusters and their connectors. Closing streets to through traffic, installing benches and play areas near the streets, providing adequate lighting, and placing perceptual barriers to indicate the semipublic nature of the area can help to define these spaces as part of the shared residential group territory.

· Surveillance-specific design can be used in each of the design areas mentioned here to increase general visibility by providing adequate lighting, by reducing or eliminating physical barriers to visibility, and by the visibility-promoting location of key areas (e.g., entrances, lobbies, elevator waiting areas, and recreational and parking areas) so as to be directly visible from as many viewpoints as possible.

Modifying Existing Physical Design

Cost limitations prevent substantial recon-struction of most existing urban residential facilities. However, a number of relatively low-cost techniques can be used to modify existing facilities so as to promote territoriality and natural surveillance. These include the following:

· Installing adequate security devices (locks, doors, and windows) in each residential unit.

Crime Prevention Through Environmental Design


· Dividing common lawn areas (front or back) into private yards and patios through the use of shrubbery, low fences, and other perceptual barriers.

· Improving the attractiveness and semiprivacy of pathways and other common outside areas by use of decorative paving and lighting: installing benches and other seating arrangements at strategic intervals; careful landscaping; and tying play areas, parking, and vehicle access ways to the overall design.

· Reducing the number of public access points and providing the remaining points with adequate lighting, visibility, and security.

· Establishing audio and video surveillance (monitored by residents or by security staff) in strategic internal areas.


It should be emphasized, in summary, that creating defensible space is not the same as creating a hardened security system (as might be found, for example, in a high-rise luxury apartment). In fact, it is almost the opposite: Defensible space operates on the premise that the living environment must be opened up and used by residents and others, not closed in. It is only in the open, used environment that people can be stimulated to establish the self-policing condition, which is informal social control. In this open living environment, opportunities for crime may continue to exist, but the probability for criminal activity is reduced.

It should also be emphasized that the physi-cal design component of defensible space should always be accompanied by efforts to develop and sustain active citizen participation and by strategies for improved interaction between citi-zens and law enforcement agencies.



CPTED is still a rapidly growing field of study and experimentation. CPTED attempts to

apply physical design, citizen participation, and law enforcement strategies in a comprehensive, planned way to entire neighborhoods and major urban districts, as well as to specific urban sub-systems such as public schools and transporta-tion systems.


Before summarizing the CPTED approach, we suggest that the practitioner views CPTED developments with a healthy skepticism, at least for the present. There are several reasons why a sense of caution is in order:

· CPTED approaches have been conclusively demonstrated.

· There is some disagreement among crime prevention theorists as to the correctness of the assumptions on which current CPTED programs are based.

· The magnitude of the typical CPTED project may be well beyond the practitioner’s current ability to plan, implement, and manage.

· The cost of a typical CPTED project can represent a major financial investment, and unless the investment can be justified on a research and demonstration basis, there is no guarantee that it will be cost-effective.


Despite these cautions, it is useful for the practitioner to be aware of the principles and current applications of the CPTED concept so that he or she can watch its developments and make appropriate use of the knowledge that it may produce.

Recent Projects

In a project combining the best of current com-munity policing techniques with the principles of CPTED the city of Manchester, New Hampshire, proved the value of this integrated approach. In Manchester, the police department formed part-nerships with community organizations and

image216.jpg image217.jpg


provided appropriate crime prevention training, including CPTED to all of the officers assigned to the project areas. By combining the concepts of community policing with the application of CPTED and other related crime prevention strategies, the community realized remarkable reductions in several crime categories. The area encompasses three areas of public hous-ing in which CPTED principles were applied. The changes in community perceptions about crime were measured through surveys and the crime statistics were updated frequently to give the police department the best possible data. In this enterprise community area, drug activity reduced 57%, robbery reduced 54%, burglary reduced 52%, and police calls for service dropped 20%. Additionally, the perceptions of the area’s citizens were markedly improved. This exam-ple demonstrates the levels of success possible when sound policing, crime prevention, and the concepts of CPTED are combined in the correct proportions. As a result of these levels of success the project was recognized by the Department of Housing and Urban Development (HUD) through the awarding of the John J. Gunther Award. This award recognizes the best practices and was awarded in this instance in the category of suitable living environment.

Territorial Defense Strategies

Territorial defense strategies emphasize preven-tion of property-related crimes such as breaking and entering, auto theft, and household larceny. Within this group, there are five related strategy areas: land use planning, building grounds secu-rity, building perimeter security, building interior security, and construction standards.

· Land use planning strategies involve planning activities aimed at avoiding land use mixtures that have a negative impact on neighborhood security through zoning ordinances and development plan reviews.

· Building grounds security strategies provide the first line of defense against

unauthorized entry of sites and offer social control mechanisms to prevent dangerous and destructive behavior of visitors.

The emphasis is on the access control and surveillance aspects of architectural design. The target environment might be a residential street, the side of a housing complex, or alleyways behind or between business establishments.

· Building perimeter security strategies provide a second line of defense for protecting site occupants and property by preventing unauthorized entries of buildings. They involve physical barriers,

surveillance and intrusion detection systems, and social control mechanisms.

· Building interior security strategies provide the third line of defense for protecting site occupants and property by preventing unauthorized access to interior spaces

and valuables through physical barriers, surveillance and intrusion detection systems, and social control mechanisms.

· Construction standards strategies involve building security codes that require construction techniques and materials that tend to reduce crime and safety hazards. These strategies deal both with code adoption and code enforcement.


It is important to be able to effectively evalu-ate territorial defense strategies and consider the three types of changes.

· Type one addresses design features such as locks, lights, fences, etc.

· Type two considers the impact of the implemented design features on the legitimate users of the property. Have they been inconvenienced by the changes in physical design and are they “on board” within the risk management process?

· Type three changes deal with the direct effect of the intervening factors on crime and the indirect influence of physical design on crime [16].

Crime Prevention Through Environmental Design


Personal Defense Strategies

The second basic strategic approach focuses on the prevention of violent or street crimes such as robbery, assault, and rape and the reduc-tion of fear associated with these crimes. Specific strategies included safe streets for people, transportation, cash off the streets, and citizen intervention.

· Safe streets for people strategies involve planning principles derived primarily from the CPTED concepts of surveillance and activity support. Surveillance operates to discourage potential offenders because

of the apparent risk of being seen and can be improved through various design modifications of physical elements of the street environment (e.g., lighting, fencing, and landscaping). Pedestrian traffic areas can be channeled to increase their use and the number of observers through such measures as creating malls, eliminating

on-street parking, and providing centralized parking areas.

· Transportation strategies are aimed at reducing exposure to crime by improving public transportation. For example, transit waiting stations (bus, trolley) can be located near areas of safe activity and good surveillance, or the distance between stations can be reduced, which improves accessibility to specific residences, business establishments, and other traffic-generating points.

· Cash off the streets strategies reduce incentives for crime by urging people not to carry unnecessary cash and provide commercial services that minimize the need to carry cash.

· Citizen intervention, unlike the three previous strategies, consists of strategies aimed at organizing and mobilizing residents to adopt proprietary interests and assume responsibility for the maintenance of security.

Law Enforcement Strategies

The third general approach involves police functions that support community-based pre-vention activities. The two major activities are police patrol and citizen–police support.

· Police patrol strategies focus on ways in which police deployment procedures can improve their efficiency and effectiveness in responding to calls and apprehending offenders.

· Citizen–police support strategies consist of police operational support activities that improve citizen–police relations and encourage citizens to cooperate with the police in preventing and reporting incidents. Essentially, community members become the “eyes and ears” of law enforcement and are force multipliers to deter crime.


Community policing requires cooperation between members of the community and the police. Community members may be individual citizens, citizen groups, business associations, and government agencies and local offices that include health departments, building inspec-tors, and community development offices. Community members must be involved in not only calling the police to report a crime but also helping to identify and solve other problems in the community. The most important element of community policing is problem solving, and crime is simply identified as a symptom of other problems in the community. The main focus of community policing is to deal with the underly-ing cause of crime and not just react to the symp-toms of the problem [17].

Confidence Restoration Strategies

This fourth general strategy for commercial and residential environments involves activities that are aimed primarily at mobilizing neighbor-hood interest and support to implement needed CPTED changes. Without such interest and sup-port, it is unlikely that programs of sufficient

image218.jpg image219.jpg


magnitude could possibly be successful, partic-ularly in many high-crime rate neighborhoods where people have lost hope. There are two specific strategy areas: investor confidence and neighborhood identities.

· Investor confidence strategies promote economic investment and, therefore, social and economic vitality.

· Neighborhood identity strategies build community pride and foster social cohesion.


Most of these specific strategies are discussed in this and other chapters (some under different names). As a whole, this list of strategies is well organized and provides a good framework with which to view the possible interaction of a vari-ety of crime prevention efforts.


To see how these strategies were applied, let us look briefly at the major changes described in the American Architecture Foundation’s pre-sentation, Back from the Brink: Saving America’s Cities by Design [18]. This provides examples of CPTED applications, with very little mention of crime, as applied in Portland, Oregon, and some other locales. The principles applied are sound, workable redesign strategies that accom-plish the goals of CPTED without overreliance on their direct crime prevention intent. Indeed, they are not presented as crime prevention, but redevelopment efforts, which consider the qual-ity of life above most other considerations.

The CPTED applications in the featured cities achieve the following:

· Reduce opportunities for crime and fear of crime by making streets and open areas more easily observable and by increasing activity in the neighborhood.

· Provide ways in which neighborhood residents, businesspeople, and police can work together more effectively to reduce opportunities and incentives for crime.

· Increase neighborhood identity, investor confidence, and social cohesion.

· Provide public information programs that help businesspeople and residents protect themselves from crime.

· Make the area more accessible by improving transportation services.

· Improve the effectiveness and efficiency of governmental operations.

· Encourage citizens to report crimes.


The steps taken to achieve these objectives include the following:

· Outdoor lighting, sidewalk, and landscaping improvements.

· Block watch, safe homes, and neighborhood cleanups.

· A campaign to discourage people from carrying cash.

· A major improvement and expansion of public transportation.

· Improved street lighting.

· Public transportation hubs that are purpose-built.


These improvements have enhanced the quality of life and provided an atmosphere of improvement in each of the communities featured.

The application of CPTED to school design has been promoted in a number of locations through the work of local practitioners and in cooperation with school district personnel.

Additional CPTED case studies and informa-tion may be found in the text, written by Tim Crowe, Crime Prevention through Environmental Design: Applications of Architectural Design and Space Management Concepts [19]. This text offers CPTED as a specific topic and is widely used by students and practitioners.

The Future of Crime Prevention

Through Environmental Design

The most consistent finding in evaluations of CPTED and related projects is that the users of space must be involved in design decisions. Their involvement ensures that the designs are



realistic and that the users will comply with the behavioral objectives of the plans. Numerous applications of CPTED concepts have been tried successfully on a spot basis, which tends to sup-port the idea that the more simplistic approaches are the most viable. That is, it seems reasonable to assume that the crime prevention practitioner may confidently use CPTED strategies in very specific, controlled environmental settings.

There are many hundreds of examples of CPTED strategies in practice today. It is unfor-tunate that most of the successful applications have not been publicized well, since they are usually part of ongoing field activities that do not come to the attention of evaluators or gov-ernment agencies. However, it has been noted that most applications center on some mixture or interaction between the three basic CPTED processes of natural surveillance, natural access control, and territoriality. The most basic com-mon thread is the primary emphasis on natu-ralness—simply doing things that you already have to do but doing them a little better.

The most productive uses of CPTED, in the foreseeable future, will center on the following simplistic strategies:

· Provide clear border definition of controlled space.

· Provide clearly marked transitional zones that indicate movement from public to semipublic to private space.

· Relocate gathering areas to locations with natural surveillance and access control or to locations away from the view of would-be offenders.

· Place safe activities in unsafe locations to bring along the natural surveillance of these activities (to increase the perception of safety for normal users and risk for offenders).

· Place unsafe activities in safe spots to overcome the vulnerability of these activities with the natural surveillance and access control of the safe area.

· Redesignate the use of space to provide natural barriers to conflicting activities.

· Improve scheduling of space to allow for effective use, appropriate “critical intensity,” and the temporal definition of accepted behaviors.

· Redesign or revamp space to increase the perception or reality of natural surveillance.

· Overcome distance and isolation through improved communication and design efficiencies.


The future of CPTED rests with the persons who shape public and private policy. Crime pre-vention practitioners will have to communicate CPTED concepts in terms that relate to the overall priorities of their organizations or communities. Productivity, profitability, and quality of life are concerns that affect policy-makers, not spe­ cifically security or crime prevention for its own sake. Accordingly, chief executives, builders, architects, planners, engineers, and developers will have to embrace CPTED design objectives. Elected officials and legislative bodies will have to be held accountable for assuring that CPTED is considered in capital improvement and devel-opment plans. Property owners and residents of neighborhoods and commercial areas need the opportunity to question planning, zoning, and traffic signalization decisions. Finally, strategic plans that encompass 20-year community devel-opment periods require an assessment of crime prevention needs and programs.

The United States federal government initiated physical design criteria to ensure appropriate protection for federal buildings and occupants after the 2001 terrorist attacks at the World Trade Center and the Pentagon and the 1995 bombing of the Murrah Federal Building in Oklahoma. These guidelines consider not only physical security, but also CPTED.



The application of environmental design concepts by the crime prevention practitioner can be as cost-effective as the design of crime

image221.jpg image222.jpg


risk management systems for individual place managers. Such an application must be based, however, on sound analysis of particular crime patterns and the physical and social conditions that are related to those patterns. It should stress innovative solutions that are appropriate to the particular circumstances, that are cost-effective, and that will not create more problems than they solve. It should stress working with “things as they are,” rather than with “things as they ought to be.”

The practitioner needs, above all, to become well acquainted with the people and organiza-tions responsible for physical development and redevelopment in his or her community. The best opportunities for applying CPTED occur when buildings, street layouts, street lighting programs, new subdivisions, shopping centers, and housing projects are still in the planning stages, and crime prevention principles can be incorporated before construction starts. It has been proven that it is more cost efficient to design security into the planning of a project rather than to retrofit a building or space after completion. Good security design can help pre-vent crime. It is important to remember that the premise behind CPTED is the physical design and the use of space. It is not the typical target-hardening approach to crime prevention [20].

In keeping with the theory that the quality of the physical environment impacts human behavior, we think that crime prevention and community development go hand in hand. Physical design that enhances the environ-ment from a balanced economic–social–political standpoint can also discourage criminal activ-ity, and the concept of CPTED can be used in any situation—high-density urban areas, small cities and towns, and even rural areas. The essential role of the practitioner is to see the “whole picture” or a holistic approach to see to it that physical design, citizen participation, and police activities fit together. In reality, we need to get back to the basics of what it takes to have a strong community—involvement, interaction,

and partnership programs with a shared respon-sibility for safety.

In June 2009, ASIS International published a guideline entitled “Facilities Physical Security Measures, ASIS GDL, FPSM-2009” [21]. This publication includes CPTED along with typical physical security countermeasures as a major component in any crime prevention program. The physical design of an environment is an important element to consider and the major task of the crime prevention practitioner is to analyze existing and planned physical design, to determine how it relates to existing or poten-tial crime patterns, and to recommend physical design countermeasures to the proper person or organization.


[1] Jacobs J. The death and life of great American cities. New York: Vintage Books; 1961.

[2] Rainwater L. Fear and the home-as-haven in the lower class. J Am Inst Plan January 1966:23–37.

[3] Wood E. Housing design: a social theory. New York: Citizens’ Housing and Planning Counsel of New York, Inc.; 1961.

[4] Angel S. Discouraging crime through city planning. Berkeley: University of California Press; 1968.

[5] Leudtke G, Lystad E. Crime in the physical city. Final Report. LEAA Grant No. NI. 1970. p. 69–78.

[6] Newman O, Rand G. Defensible space. Published by Oscar Newman. New York Publishing: Macmillan; 1972.

[7] National Institute of Law Enforcement and Criminal Justice. Urban design, security, and crime. In: Proceedings of a seminar held April 12–13, 1972. Published by the Law Enforcement Assistance Administration (LEAA); 1972. p. 15.

[8] Reppetto TA. Residential crime. Cambridge, MA: Ballinger Publishing; 1974.

[9] Conklin J. The impact of crime. New York: Macmillan Publishing; 1975. p. 299.

[10] Jeffrey CR. Crime prevention through environmental design. Beerly Hills, CA: Sage Publications; 1971.

[11] Jeffrey CR. Behavior control techniques and crimi-nology. In: Ecology youth development workshop. Honolulu: University of Hawaii School of Social Work; 1975.

[12] Op cit., Newman, pp. 51–52.

[13] Ibid.



[14] Ibid.

[15] Newman O. Design guidelines for creating defensible space. Washington, DC: LEAA; 1976.

[16] Robidas RL. Reports on activity in project area for the Manchester (NH) police department. 1996.

[17] Lab SP. Crime prevention: approaches, practices and

evaluations. OH: Bowling Green State University; 2007. Anderson Publishing.

[18] American Architecture Foundation. Back from the brink: saving America’s cities by design, videocassette. Washington, DC: American Architecture Foundation; 1996.

[19] Crowe TD. Crime prevention through environmental design: applications of architectural design and space management concepts. Stoneham, MA: Butterworth. 1991.

[20] Atlas RI. 21st century security and CPTED. Boca Raton, FL: Auerbach Publications; 2008.

[21] ASIS International. Facilities physical security mea-sures guideline. Alexandria, VA: ASIS International; 2009. ASIS GDL, FPSM-2009.

This page intentionally left blank

image223.jpg image224.jpg



Approaches to Physical Security*

Richard Gigliotti, Ronald Jason

This chapter discusses the theory and concepts of how to approach physical security, and the idea that the best way to approach this is to base the security level on the physical protection required to meet the need. There is also a detailed discus-sion of different methods of physical security, and in what situations each level would apply.

Protection of one’s person and possessions is natural and universally accepted. Unfortunately, there are those who have made it their objective to deprive some of us of one or both of these. In the battle against the criminal element, our resourcefulness in designing and developing more and better methods of protecting our life, property, and livelihood has been unbounded. No system, however, can be made completely secure. Any system conceived can be defeated.

In other words, no physical protection system is 100% defeat proof. If it can be designed to elim-inate most threats, it will have its weak links, for example, with a perimeter fence or an alarm sys-tem. In any event, if a system cannot fully protect against a threat, it must be at a minimum offer enough protection to delay the threat until the system can be upgraded, at least temporarily, to the point at which the threat can be defeated (e.g., the arrival of local law enforcement authorities or

on-site guard force, the implementation of con-tingency measures such as additional physical barriers, or the release of noxious gases).

Maximum security is a concept. Physical bar-riers, alarm systems, security forces, and all the other components of a security system do not indi-vidually achieve maximum security. The parts of the system cannot realize the ultimate aim unless they are combined in the right proportions.


How would one categorize a particular security system? Would one consider protection minimum, medium, or maximum, and what criteria would be used in making this determination? Would a facility be compared to a prison, nuclear reac-tor, department store, or the average American home? While the initial question may appear to be answered easily, arriving at an intelligent and impartial assessment becomes much more difficult simply because there are no known universally accepted standards by which the security profes-sional may evaluate a security system.

This lack of standards often deludes responsi-ble individuals into believing that the protection

* Originally from Security design for maximum protection. Boston: Butterworth-Heinemann, 2000. Updated by the editor, Elsevier, 2016.

Effective Physical Security, Fifth Edition



Copyright © 2017 Elsevier Inc. All rights reserved.


image226.jpg image227.jpg


they provide (or are paying for) is of a higher level than is actually the case. Because of the confusion and lack of cohesive opinion on the subject, this chapter considers the following five levels of security systems (also see Fig. 4.1):

Level 1: minimum security

Level 2: low-level security

Level 3: medium security

Level 4: high-level security

Level 5: maximum security

Minimum Security

Such a system would be designed to impede some unauthorized external activity. Unauthorized external activity is defined as originating outside

the scope of the security system and could range from simple intrusion to armed attack.

By virtue of this definition, a minimum secu-rity system would consist of simple physical barriers such as regular doors and windows equipped with ordinary locks. The average American home is the best example of a site pro-tected by a minimum security system.

Low-Level Security

This refers to a system designed to impede and detect some unauthorized external activ-ity. Once simple physical barriers and locks are in place, they can be supplemented with other barriers such as reinforced doors, window bars and grates, high-security locks, a simple lighting


MAXIMUM image3.jpg

HIGH-LEVEL image4.jpg

MEDIUM image5.jpg

18. Sophisticated Alarm System

17. On-Response Force

16. Formal Contingency Plans

15. Local Law Enforcement Coordination

14. High-Security Lighting

13. Access Controls

12. Highly Trained Armed Guards with Advanced Communications

11. Perimeter Alarm System

10. CCTV

9. Security Officer with Basic Communications

8. High-Security Physical Barriers at Perimeter; Guard Dogs

7. Advanced Remote Alarm System

6. High-Security Locks

5. Basic-Security Physical Barriers

4. Simple Security Lighting

3. Basic Local Alarm Systems

2. Simple Locks

1. Simple Physical Barriers

LOW-LEVEL image6.jpg


FIGURE 4.1 The level of physical security. Reprinted with permission from Security Management.

Levels of Physical Security


system that could be nothing more elaborate than normal lighting over doors and windows, and a basic alarm system that would be an unmoni-tored device at the site of the intrusion that pro-vides detection capability and local annunciation. Small retail stores, storage warehouses, and even older police stations are examples of sites that could be protected by low-level security systems.

Medium Security

A system of this type would be designed to impede, detect, and assess most unauthorized external activity and some unauthorized inter-nal activity. Such activity could range from simple shoplifting to conspiracy to commit sabo-tage. When a system is upgraded to the medium level, those minimum and low-level measures previously incorporated are augmented with impediment and detection capability as well as assessment capability. To reach the medium level of security, it is necessary to:

1. Incorporate an advanced intrusion alarm system that annunciates at a staffed remote location.

2. Establish a perimeter beyond the confines of the area being protected and provide high-security physical barriers such as penetration-resistant fences at least 6–8 ft high and topped with multiple strands of barbed wire or barbed tape at that perimeter, or use guard dogs in lieu of perimeter protection.

3. Use an unarmed security officer (with basic training) equipped with the means for basic communication (e.g., cell phones) to off-site


Medium-security facilities might include bonded warehouses, large industrial manu-facturing plants, some large retail outlets, and National Guard armories.

external and internal activity. After those mea-sures previously mentioned have been incor-porated into the system, high-level security is realized with the addition of the following:

1. State-of-the-art equipment installed.

2. Security surveillance systems (CCTV) with digital state-of-the-art components and installation.

3. A perimeter alarm system, remotely monitored, at or near the high-security physical barriers.

4. High-security lighting, (LED), which at a minimum provides at least 0.05 foot-candles of light around the entire facility.

5. Highly trained armed security officers or unarmed security officers who have been screened for employment (background checks and drug tested) and who are equipped with advanced means of communications, such as dedicated cell phones, two-way radio links to police, and duress alarms.

6. Controls designed to restrict access to or within a facility to authorized personnel such as using access control and/or biometrics.

7. Formal plans prepared with the knowledge and cooperation of police dealing with their response and assistance in the event of specific contingencies at the protected site.

8. Varying degrees of coordination with local law enforcement authorities.

9. Annual assessment or security audits conducted.

· All systems checked on a monthly basis.


Examples of high-level security sites include certain prisons, defense contractors, pharma-ceutical companies, and sophisticated electron-ics manufacturers.

High-Level Security

A system of this sort would be designed to impede, detect, and assess most unauthorized

Maximum Security

Such a system is designed to impede, detect, assess, and neutralize all unauthorized exter-nal and internal activity. In addition to those

image229.jpg image230.jpg


measures already cited, it is characterized by the following:

1. A sophisticated, state-of-the-art alarm system too strong for defeat by a lone individual, remotely monitored in one or more protected locations, tamper indicating with a backup source of power, and access control and biometrics

2. On-site response force of highly screened and trained individuals armed 24 h a day, equipped for contingency operations, and dedicated to neutralizing or containing any threat against the protected facility until the

arrival of off-site assistance.

The highest level of physical security pro-tection will be found at nuclear facilities, some prisons, certain military bases and govern-ment special research sites, and some foreign embassies.

To upgrade a security system to the next highest­ level, all criteria for that level must be met (see Fig. 4.1). Remember that individual criteria from a higher level can be met without upgrad-ing the total system. For example, if a medium-security facility institutes access controls and installs a digital CCTV system, the overall level of security has not been upgraded to a high level. In reality, what results in a medium-­security system with some high-level characteristics. Depending on its capabilities, a high-level system could achieve maximum security by the ­addition of a neutralizing capability. By using modern methods, materials, and technology, a maximum security system can be developed or an existing system upgraded.

This chapter focuses on several examples of components that could result in maximum secu-rity. When the term maximum security is used, it denotes the high level of physical security offered by the total system. There is a little dis-cussion of less than high-security components, such as wooden doors, local alarm systems, and simple fences, because their presence in a maxi-mum security environment is incidental and

does not significantly contribute to the maxi-mum security concept.

Maximum security is security in-depth—a system designed with sufficient diversity and redundancy to allow the strength of one particu-lar component to offset the weakness of another. There is no set rule regarding the number of pro-tective layers; again, it depends on the material being protected. As a general rule, however, the more layers, the more difficult it is to defeat the total system. For years the Nuclear Regulatory Commission has inspected nuclear facilities on a component-specific basis. Such an evaluation cer-tainly can point out weaknesses in any component but by no means does it attest to the effectiveness of the total system. Maximum security depends on the total system not on its individual components.

The Psychology of Maximum Security

The concept of maximum security is as much psychological as it is physical. To the casual crimi-nal, a maximum security facility is a target to be given up in favor of a minimum (or zero) security facility. To the security director, maximum secu-rity accurately describes the system of protection designed to allow him or her to go home at night with the conviction, real or imagined, that the assets entrusted for protection will still be there in the morning. To the average citizen, maximum security is a state of mind more than physical com-ponents. Plus you do not want to be a soft target.

When designing a protection system, one can capitalize on the psychological aspects of maxi-mum security. If a system can create the appear-ance of impenetrability, then it has succeeded in deterring some lesser adversaries. The same principle can be seen when one compares a threat dog to an attack dog. The former has been trained to put on a show of aggression, while the latter has been trained to carry out the threat—a case of bite being worse than bark.

While the concept of maximum security may deter those not up to the challenge, it will not turn aside those who are. Whenever the value of the protected assets exceeds the degree of perceived

The Value of Planning


risk, there will always be takers. For a criminal to act and, for that matter, a crime to be committed, there must be desire and opportunity; the criminal must want to commit the act and must have the opportunity. The effectiveness of the system can be measured in terms of eliminating the opportunity, and the psychology of the system can be measured in terms of eliminating the desire.

The desire to commit a crime can be eliminated or reduced in different ways. The result is that the criminal feels the risk outweighs the treasure and moves on to another target. The strongest reason for a criminal to lose desire is the threat of get-ting caught. The possibility of apprehending the criminal may be increased by the use of lighting for observation capabilities, barriers that delay intrusion, alarms that signal an intrusion, and a security force that can neutralize intrusion. For the maximum psychological effect to be achieved the capabilities of the protection system must be known to the criminal, that is, they must convince the criminal that the odds of getting caught are high. This can be accomplished by posting signs in and around the facility advertising its protec-tion. The capabilities of the system should be announced, but details should be considered pro-prietary information and safeguarded accordingly. This is the primary reason that certain details of maximum security (e.g., communication, access controls, locks, and CCTV) are changed when-ever key personnel terminate their employment. It is far simpler and cheaper to attempt to elimi-nate a criminal’s desire than it is to eliminate the opportunity.

There are those who disagree on the value of advertising a security system’s capabilities. They feel that maintaining a low profile some-how contributes to the overall effectiveness of the system and that criminals will not know that an attractive target exists. This philosophy can be called the ostrich syndrome; it may have been true before the advent of mass media and mul-timedia, but it certainly is not today. A security director who plans to maintain so low a profile that a criminal will be fooled is merely risking

the assets he or she has been entrusted to protect. Rather, anyone scrutinizing a protected facility, passively or actively, will understand that he or she will have to plan carefully and more than likely enlist additional help.

It is important, therefore, that consideration be given to the psychological aspects of maxi-mum security when designing or maintaining a system. An implied presence can do wonders in dissuading criminals from targeting a facility.


When setting up a maximum security system, the best results come from a careful and detailed plan. Two basic questions must first be answered:

1. What is being protected? What assets?

2. How important is it? (This is measured in terms of political and economic impact, corporate commitment to its protection, and

health and safety of the public.)

A third question is sometimes asked: Do the costs of protecting it outweigh its value? This may be a consideration when planning for a security system less than maximum, but it is tacitly implied that something calling for maximum security is worth the cost to someone. Once these questions have been answered, planning can commence.

One of the best approaches to take is to list the basic prerequisites of the security system. As was previously stated, maximum security is designed to impede, detect, assess, and neu-tralize all unauthorized external and internal activity. Under each prerequisite are listed those components that would accomplish these tasks. If the system includes a capability to neutralize, this is stated and provided for accordingly:

· Security force

· Response force

· Coordination and partnership with local law enforcement authorities and fire departments

image231.jpg image232.jpg


Next, decide which components are going to be used to impede (Table 4.1), detect (Table 4.2), assess (Table 4.3), and (if necessary) neutralize (Table 4.4).

Once it is decided which components will be used to make up the maximum security system, attention should be directed to developing a design-reference threat.

TABLE 4.4 Components to Neutralize


Security Force

Response Force

LLEA Coordination

Manning levels

Manning levels

Contingency planning



Training drills



TABLE 4.1 Components to Impede


Physical Barriers


Perimeter fence

Perimeter fence

High-security doors


High-security windows

Designated doors



Security force

Access controls

Manning levels

Protected areas


Vital areas


TABLE 4.2 Components to Detect


Alarm Systems




Protected areas

Vital areas


TABLE 4.3 Components to Assess








Protected areas


Protected areas

Vital areas

Vital areas

Design-Reference Threat

The design-reference threat defines the level of threat with which the facility’s physical pro-tection system could contend (or is designed to defeat). This is a most important consideration when designing or upgrading a system and is essential for cost-effective planning.

The security director should list all possible threats and risks to a particular facility. For example, a hospital’s security director might list the following as conditions or situations the sys-tem should be able to defeat:

· Emergency room coverage and emergency procedures

· Pharmacy coverage effective security application

· Disorderly conduct of patience’s

· Internal theft or diversion

· Assaults on employees/doctors or visitors inside and outside

· Armed attack on facility or guns inside the complex

· Burglary and theft

· Robbery, theft of drugs

· Kidnapping, rape

· Auto theft from parking lot

· Hostage incident

· Infant kidnapping

· Biohazardous and radiological waste storage

· Power loss and backup system

· Violent storms and bad weather


The next step is to evaluate these threats in descending order of credibility, that is, which threats are the most credible based on past

The Value of Planning


experience, loss rates, crime statistics, and so on. The hospital in this example could list, going from the most credible to the least, the following:

1. Internal theft or diversion

2. Auto theft from parking lot

3. Disorderly conduct

4. Assaults on employees or visitors on property

5. Burglary

6. Robbery

7. Hostage incident

8. Kidnapping

9. Armed attack

10. Workplace violence


In this example, internal theft or diversion is considered a very real possibility (probably based on past experience) followed by theft of automo-biles from the hospital’s parking lot. Although possible, the threat of armed attack carries low credibility; therefore, it is of far less concern when deciding on the design of and money to be invested in the security system. Once the credible, realistic threats have been identified and given higher priority, this information can be used to arrive at the design-reference threat.

The types of adversaries that would likely encounter the security system is another area of consideration when determining the design-refer-ence threat. The Nuclear Regulatory Commission describes six generic categories of adversaries as follows:

1. Terrorist groups

2. Organized sophisticated criminal groups

3. Extremist protest groups

4. Disoriented persons (psychotic, neurotic)

5. Disgruntled employees or patents

6. Miscellaneous criminals

The security director should now assess these potential adversary groups in terms of likeli-hood of encounter, from most likely to least. The hospital’s list would probably look like this:

1. Miscellaneous criminals

2. Disgruntled employees and workplace violence

3. Disoriented persons

4. Organized sophisticated criminal groups

5. Extremist protest groups

6. Terrorist groups

The most likely threat group would include petty thieves from within the hospital’s workforce.

Time, location, and circumstance influence the likelihood of a threat from a particular group. For example, labor disputes could lead to threats by disgruntled employees; hospita lizing an unpopular political figure could lead to threats by terrorists. In any case, extraordinary circumstances should not influence the determi-nation of likely adversaries but should be con-sidered during contingency planning.

Once the likely threats and adversaries have been determined, it becomes necessary to corre-late the two and establish a specific design-ref-erence threat. The process begins by comparing the most credible threats with the most likely adversaries for a particular facility (in this case, the hospital).

1. Internal theft or diversion

a. Miscellaneous criminals

b. Disgruntled employees

c. Organized sophisticated criminals

2. Auto theft

a. Miscellaneous criminals

b. Organized sophisticated criminals

3. Disorderly conduct

a. Disoriented persons

b. Miscellaneous criminals

4. Assaults

a. Miscellaneous criminals

b. Disoriented persons

c. Organized sophisticated criminals

5. Burglary

a. Organized sophisticated criminals

b. Miscellaneous criminals

image240.jpg image241.jpg


6. Robbery

a. Disoriented persons

b. Miscellaneous criminals

7. Hostage incidents

a. Disoriented persons

b. Miscellaneous criminals

c. Disgruntled employees

d. Extremist protesters

8. Kidnapping

a. Organized sophisticated criminals

b. Terrorists

c. Extremist protesters

d. Miscellaneous criminals

9. Armed attack

a. Terrorists

b. Extremist protesters/disgruntled employees

c. Workplace violence

There is always overlap among adversary groups, and this fact must be kept in mind when preparing a threat-versus -adversary analysis. In the example here, the hospital’s security director has defined the primary threat to the facility as internal theft or diversion and the most likely adversaries in this area as mis-cellaneous criminals followed by disgruntled employees and organized sophisticated­ crimi-nals. The protection system must be designed or upgraded to counter the most real threat. The most worthy adversary, however, appears to be an organized sophisticated criminal, probably because of the hospital’s drug sup-ply. Although the least likely adversary in this threat, this is the most capable (in terms of desire, resources, and capability); therefore, the system must be designed to defeat him or her. At the same time, adversaries­ of lesser capability­ will also be defeated. A very simple analogy illustrates this principle: A screened door, if properly installed, keeps out flies; it also keeps out wasps, butterflies, and birds.

Continuing the process of determining the adversary most capable of carrying out the most credible threats, the hospital’s security

director probably comes up with the following results:

1. Internal theft—organized sophisticated criminals

2. Auto theft—organized sophisticated criminals

3. Disorderly conduct—disoriented persons

4. Assaults—organized sophisticated criminals

5. Burglary—organized sophisticated criminals

6. Robbery—miscellaneous criminals

7. Hostage incident—terrorists

8. Kidnapping—terrorists

9. Armed attack—terrorists

10. Workplace violence


Planning a system to address a realistic secu-rity concern as well as the adversary most capa-ble of causing that concern allows the system’s architect to prepare for the worst possible case and least capable adversary alike.

Establishing the design-reference threat, there-fore, is contingent on determining the groups to which the specific threats or adversaries belong:

· Internal theft (crimes against property)

· Auto

· Burglary

· Violent conduct (crimes against persons)

· Robbery armed

· Disorderly conduct

· Assaults/Rape

· Hostage incidents

· Kidnapping

· Armed attack


On this basis, the hospital’s security direc-tor knows where to channel resources and the degree of protection needed. Since internal theft or diversion has been defined as the most cred-ible threat, the system should be designed to counter this crime as it would be perpetrated by an organized sophisticated criminal. This is where a great deal of budget money is used.

The Value of Planning


The next most credible threat is auto theft from the parking lot. Again, resources have to be directed to counter auto theft perpetrated by an organized sophisticated criminal. At the other end of the scale, an armed attack on the facil-ity is a very remote possibility. If it were to hap-pen, chances are the act would be perpetrated by terrorists. Since the possibility is quite low,


attention and resources (and budget money) are minimal if any in this area, and they more than likely consist of contingency planning or local law enforcement coordination.

The design-reference threat and its support-ing analysis become the basis for planning the measures to be instituted to preclude its occur-rence or counter its effects.

E X A M P L E 4 . 1 : A N U C L E A R F U E L C Y C L E F A C I L I T Y

Determining the design-reference threat for a nuclear fuel cycle facility, for example, would fol-low the same process.

1. Possible threats

a. Internal theft or diversion

b. Armed attack

c. Hostage incident

d. Burglary

e. Civil disturbance

f. Auto theft

g. Sabotage

h. Employee pilferage

i. Kidnapping

j. Robbery

k. Assaults

2. Credible threats (most to least)

a. Internal theft or diversion of nuclear material

b. Sabotage (including threats)

c. Armed attack (as a prelude to other action)

d. Civil disturbance (including antinuclear demonstrations)

e. Employee pilferage (of non-nuclear material)

f. Assaults

g. Auto theft (from parking lot)

h. Kidnapping

i. Hostage incident

j. Burglary

h. Robbery

3. Potential adversaries (most to least)

a. Terrorist groups

b. Disoriented persons

c. Disgruntled employees

d. Extremists or protesters

e. Miscellaneous criminals

f. Organized sophisticated criminals

4. Matchup of threats and adversaries

a. Internal theft or diversion

i Disgruntled employees

ii Disoriented persons

iii Terrorists

b. Sabotage

i Terrorists

ii Disoriented persons

iii Disgruntled employees

c. Armed attack

i Terrorists

d. Civil disturbance

i Extremists or protesters

e. Pilferage

i Miscellaneous criminals

f. Assaults

i Disoriented persons

g. Auto theft

i Miscellaneous criminals

h. Kidnapping

i Terrorists

ii Disoriented persons


image243.jpg image244.jpg



E X A M P L E 4 . 1 : A N U C L E A R F U E L C Y C L E F A C I L I T Y —(cont’d)

i. Hostage incident

i Terrorists

ii Disoriented persons

iii Disgruntled employees

j. Burglary

i Miscellaneous criminals

k. Robbery

i Miscellaneous criminals

l. Most credible threat—most capable adversary

i Internal theft or diversion—terrorists

ii Sabotage—terrorists

iii Armed attack—terrorists

iv Civil disturbance—extremists or protesters

v Pilferage—disgruntled employees

vi Assault—disoriented persons

vii Auto theft—miscellaneous criminals

viii Kidnapping—terrorists

ix Hostage incident—terrorists

x Burglary—miscellaneous criminals

xi Robbery—miscellaneous criminals

5. Basic generic threats

a. Theft

i Internal and external

ii Pilferage

iii Auto

iv Burglary

b. Violence

i Sabotage

ii Armed attack

iii Civil disturbance

iv Assault

v Kidnapping

vi Hostage incident

vii Robbery


We can see that a nuclear fuel cycle facility’s prime security concern is the theft or diversion of nuclear material. The most capable adversary (although the least likely) is a terrorist group. Although theft may be the most serious con-cern, other violent actions, including sabotage

and armed attack, are very real possibilities. The chance of a fuel cycle facility being burglarized or robbed (in the traditional sense) is negligible due to the heavy protection provided. The secu-rity director must therefore base this system on a design-reference threat that reflects the most seri-ous concerns. The Code of Federal Regulations requires that nuclear fuel cycle facilities “must establish and maintain…a physical protection system…designed to protect against…theft or diversion of strategic special nuclear material and radiological sabotage.” The Code describes the threats the system must be able to defeat:

1. Radiological or biological sabotage. (1) A deter-mined violent external assault, attack by stealth, or deceptive actions, of several persons with the following attributes, assistance, and equipment:

(A) well trained, (B) inside assistance, which may include a knowledgeable individual who attempts to participate in a passive role, an active role, or both, (C) suitable weapons, up to and including handheld automatic weapons, equipped with silencers and having effective long-range accuracy, (D) hand-carried equip-ment, including incapacitating agents and explosives; (2) an internal threat of an insider, including an employee (in any position).

2. Theft or diversion of formula quantities of stra-tegic special nuclear material. (1) A determined, violent, external assault, attack by stealth, or deceptive actions by a small group with the fol-lowing attributes, assistance, and equipment:

(A) well trained, (B) inside assistance, which may include a knowledgeable individual who attempts to participate in a passive role, an active role, or both, (C) suitable weapons, up to and including handheld automatic weapons, equipped with silencers and having effective long-range accuracy, (D) hand-carried equip-ment, including incapacitating agents and explosives, (E) the ability to operate as two or

Physical Barriers



E X A M P L E 4 . 1 : A N U C L E A R F U E L C Y C L E F A C I L I T Y —(cont’d)

more teams; (2) an individual, including an employee (in any position); and (3) conspiracy between individuals in any position.

In summary, a design-reference threat is a systematic­ analysis of all possible threats and

adversaries so that credible threats and adversar-ies can be identified and this information used as a basis for planning and implementing a physical protection system.

Layering for Protection




The designer must remember the principle of security in-depth. Protection must be layered to provide diversity and redundancy (Fig. 4.2). Whenever and wherever possible, components are layered. Conduct a walk-through of the facil-ity and likely threat routes. Start either at a point outside and work in, or start at the most sensi-tive point within the facility and work out.



Physical barriers should be checked at the area considered the most sensitive, such as the vault, cell block, tool crib, or shipping depart-ment. This area is called the objective.

1. Provide a high-security barrier around the objective.

2. Enclose a high-security barrier within another high-security barrier.

3. Surround the outer barrier with a penetration-resistant fence.

4. Establish isolation zones on either side of the penetration-resistant fence.

5. Surround the outer isolation zone with yet another penetration-resistant fence and isolation zone.

6. Establish an isolation zone on the outside of

the outermost fence.

Entry and exit points should be identified and those vital to the effectiveness of the total system













FIGURE 4.2 Layering. Reprinted with permission from Security Management.

determined. High-security doors and windows must be installed or upgraded where appropriate. As a general rule, if a window is not needed at a particular location, it should be eliminated. The area containing the objective should be a vault or other such strong room, depending on cost consid-erations and the effectiveness of the total system. It is important to evaluate the structural components of the facility, including walls, ceilings, and floors, and determine their ability to withstand a threat equivalent to the design-reference threat.

Physical barriers are not exclusively for keep-ing someone out. They can also be used to keep someone in.

image249.jpg image250.jpg



After deciding which openings require locks (high security and otherwise), the types of locks are selected. The use of a single grand master combination for any mechanical locking system is not considered a sound security practice.

Access Controls

Protected and vital areas are designated and a decision made as to who will be admitted to the facility and who will be allowed unrestricted access within it. Generally, the protected area includes the facility and the outside area around it, up to the first penetration-resistant fence. Vital areas include the vault or strong room and could include the alarm stations, emergency generator buildings, or other areas that could be considered vital to the protection of the objective and the facility. (One must not overlook the pos-sibility that the facility, rather than its contents, could be the target of an action.)

Security Force

Appropriate staffing levels of the security force for each shift are established with the amount of training necessary and desirable. (Some states have mandated training levels for security officers.) The force is equipped with resources to handle the design-reference threat.

Alarm Systems

A maximum security system should have a state-of-the-art perimeter alarm system capa-ble of detecting an intrusion anywhere on the perimeter. Additionally, all vital areas should be equipped with alarms capable of detecting the presence of an intruder. All doors that contrib-ute to the protection system should have alarms that are continuously monitored by a person in a remote location on-site. Alarm circuits should be supervised so that tampering with the system or its components causes an alarm.


The value of lighting should be considered for impeding as well as for assessing. In decid-ing where security lighting should be directed, it should be kept in mind that proper placement avoids silhouetting security personnel. High-intensity glare lighting, positioned to illuminate the isolation zone outside of the protected area, is always appropriate in a maximum security environment. Also, inside areas can be illumi-nated to facilitate the use of state-of-the-art and digital CCTV, thus saving money on expensive low-light cameras, energy costs (LED lights) notwithstanding.


The ability to communicate on-site is of vital importance to the security force. Consider the alternatives for communications. In addition to commercial telephones, the security force should be equipped with at least one dedicated and supervised hotline to LLEAs and a two-way radio network. Each officer should have a two-way radio and the system should have at least a two-channel capability. Additionally, the facil-ity should be able to communicate with the law enforcement by radio or cell phone.




The CCTV digital cameras should be placed to ensure proper surveillance and assessment. Depending on the type and quality of equip-ment, the perimeter and protected and vital areas can be effectively monitored.

Response Force

If the nature of the security system requires it to neutralize a threat, attention must be directed toward establishing a response force of security personnel properly trained and equipped for

The Security or Master Plan and Countermeasures


that purpose. The number of personnel consti-tuting a response force should be sufficient to counter the design-reference threat.

Law Enforcement Partnerships

When a system has been designed or upgraded to safeguard something that requires protection of this magnitude, local law enforce-ment authorities should be brought into the picture. It always helps to establish a liaison very early in the game. Once the cooperation is secured, it is helpful to consult with them on contingency planning to meet the design-refer-ence threat and, if possible, schedule joint train-ing sessions and drills to exercise the plans.

Once the process of analysis has been com-pleted, it is time to plan the security system. It is much easier to incorporate security features when a facility is constructed. In this respect, corporate support is essential. The security director should work with the architects and contractors throughout the construction. When this is not possible and an upgrade to an existing facility is necessary, the security director more often than not becomes the chief architect of the upgrade. Whenever this happens, the value of planning as discussed becomes evident, as it is the basis for the formal security setup.



The security or master plan is frequently con-tracted out to a consultant who works with the security director. Before system implementation, it is a necessary building document; after imple-mentation, it becomes a necessary reference document. Needless to say, the plan should be treated as proprietary, and access to it should be restricted to those who have a need to know.

The plan can take many forms and contain a great deal of information. In its basic sense, it is a description of the protection system and its components. Detail can be as much or as little

as desired by the security director. For use as a building document, however, it should be quite detailed. Information can be deleted after imple-mentation, but if the facility is regulated by an agency that requires safeguards, the plan may require many details. If this is the case, the docu-ment should be treated as sensitive.

The security plan should contain, but not nec-essarily be limited to, the following information:

1. A description of the facility and its organizational structure.

2. The security organization of the facility.

3. A discussion of the physical barriers used in the system.

4. A discussion of the alarm system used.

5. A description of access controls used to restrict access to or within the facility.

6. A discussion of security lighting at the facility.

7. A description of the communications capability.

8. A description of the security surveillance systems (CCTV) capability and its use.

9. A breakdown of the security force, its organization, training, equipment, capabilities, resources, and procedures.

10. A discussion of outside resources including law enforcement and others as appropriate.

11. Annual assessments and design and upgrade of your master plan.


Depending on the nature of the facility and its commitment to regulatory agencies, or if the security director so desires, other plans can be developed, such as contingency, training, and qualifications plans.


When it finally comes down to selling a secu-rity design or upgrade to the people who have to pay for it, the job can be made somewhat eas-ier by following a few basic principles.

Most security directors have heard that, “Security contributes nothing to production, is an overhead item, and is a necessary evil.” Dealing with the “necessary evil syndrome” has

image252.jpg image253.jpg


been the subject of much discussion since the business of assets protection started. Good secu-rity holds losses to a minimum and keeps down costs, resulting in increased profits. Fulfillment of the security mission can be called negative profit, compared with the positive profit gener-ated by production. Accordingly, security man-agement personnel must justify many, if not all, systems, expenditures, programs,­ personnel, approaches, and, at times, their own existence.

Most facilities cut costs for security before anything else; therefore, a planned, systematic approach is necessary to keep this practice to a minimum and secure the resources necessary for efficient security operation. Justification should be based on the following steps:

1. Convincing oneself that a proposal is justified

2. Convincing others that it is justified

3. Formulating the approach

4. Presenting the approach.



It has been said that a good salesperson believes in the product. So, too, must the secu-rity director believe in the proposal. Before it can be justified to anyone, it has to be justified in his or her mind. In some cases, this takes only a few minutes and consists of a mental evaluation of the issue. In others, it is a lengthy, detailed examination of alternatives.

As a first step, it is necessary to define the issue—just what is wanted: personnel, equip-ment, policy, and so on. Then, consider the pros and cons: Do the results justify the expense? Is there a cheaper way to accomplish the same thing? Is it really necessary and what happens if it is not done? Is there enough money available to finance it?

Next, consider the benefit to the company: Will this increase profits? Not likely. Will this

reduce overhead? Possibly. Will this make the job easier? Probably.

Turnaround time must be considered, that is, the time it will take to gain a return or real-ize a benefit from the expenditure or approach.

The security director must rely somewhat on gut feeling. If it is felt that the proposal is logi-cal and rational but there is a negative gut feel-ing, set the proposal aside and reconsider it at a later date. Circumstances could change and the whole proposal could become moot.

Convincing Others That It Is Justified

Once the proposal is sound, it has to be sold to others, who may see everything involving secu-rity printed in red ink. Generally, any money that can be saved, no matter what the percentage, a plus is when justifying a proposal. Money saved is negative profit and should be sold as such.

Before an attempt is made to convince oth-ers of the soundness of an approach, the secu-rity director must research the whole issue, investing the time and effort proportional to the expense and importance of the issue. Research is based on the company’s past experience, per-sonal experience, supporting documentation, and others’ perceptions.

Company’s Experience

The company may have encountered prob-lems in this area in the past and therefore could be receptive to the idea. An existent policy could support the proposal or eliminate it from the start.

The security director should consider any adverse publicity that could result from imple-mentation of, or failure to implement, the approach. Tarnished company image is per-haps one of the most overlooked areas of cor-porate concern. If a company is in the midst of a problem that threatens its image, its execu-tives and public relations officers often go to great lengths to preserve its image; however,

Convincing Oneself That a Proposal Is Justified


the inclination to spend money to counter bad press diminishes as time goes by. The tendency to prevent recurrence of an unfavorable situa-tion diminishes as more time elapses. An idea is best promoted hard on the heels of a situa-tion it would have prevented.

Personal Experience

A security director has probably dealt with the same issue before or is familiar with others’ handling of a similar issue. Draw on previous experience to define and analyze possible short-and long-term ramifications and positive and negative results.

It is advisable to pay particular attention to idiosyncrasies that could provide neces-sary direction to the approach and, if pos-sible, capitalize on them. For example, if the approving authority has a liking for gadgets and the approach calls for the use of gadgetry, this affinity could be parlayed into a successful acquisition.

Defining the problem.


Discussing the ramifications of allowing the problem to continue.

Listing the alternative solutions.

Eliminating each alternative but yours.

Stating your solution.

Formulating the Approach

Armed with the raw data accumulated up to this point, it is necessary to adopt a strategy for communicating arguments in a convincing manner.

Formulation of the approach is based on personal knowledge and experience with the approving authority. If charts and transparen-cies are generally well received, they should be used; however, the amount of time spent should be in proportion to the magnitude of the project.

If personal experience shows that a concise approach is best, the security director should formulate accordingly. Decide on the for-mat, written or verbal, and prepare for both. Consistency is important; the odds increase in favor of subsequent approvals if credibility has been established. Make a list of areas to

Supporting your solution, using

the same information you used to convince yourself.

FIGURE 4.3 The justification process. Reprinted with permission from Security Management, pp. 30–34.

be covered by priority (Fig. 4.3). Certain basic information must be communicated regardless of the format:

1. Definition of the problem

2. Ramifications

3. Alternatives

4. Elimination of each alternative (except the one proposed)

5. The solution

6. Support for the solution

image255.jpg image256.jpg


Presenting the Approach

Once the issue has been researched and an approach formulated, it must be presented. (It is always a good idea to send a memo regard-ing the issue beforehand.) If a formal presen-tation is required, it is recommended that the presentation be tested on affected individu-als who should be encouraged to offer their critiques.

The first consideration in this report should be timing. Once the presentation commences, the approach should be presented as formulated and included the basic information already dis-cussed. The security director must be concise and consistent, anticipate any questions, and be prepared to answer them. Depending on time and importance, audiovisual aids can be effective, as can handouts; it may be no more than a single-page outline, but it helps to leave something for later reference. Above all, do not oversell.

If, after this effort, the proposal is not approved and you wish to protect yourself, do so with memos to file and other such corre-spondence, so that if problems result from the proposal’s disapproval, it can be shown that you tried.




Designing security into a new complex should begin with interior security. Work your way out to the exterior and then to the outer perimeter. Keep in mind these points before you sit down with the architects:

1. Elimination of all but essential doors and windows.

2. Specification of fire-resistant material throughout the interior.

3. Installation of fire, intrusion, and environmental control systems.

4. Separation of shipping and receiving areas if possible.

5. Provisions for the handicapped/disabled.

6. Adequate lighting around the perimeter, before, during, and after construction.

7. Review architectural design plans and layout.

8. Site assessment/site survey planned.

9. Interior/exterior detection systems.

10. Natural surveillance and CPTED principles and strategies.

11. Security protection officers/supervision.

12. Employee awareness/policy and procedures.

13. Education of physical security programs.

14. Budget planning and five-year plan.

15. Audits/assessment/future needs.

16. The conclusion of your report should reflect every aspect of the security operation.


By definition—“Serving to Deter Relating to Deterrence”

Category A

· Security surveillance system used to prevent crime in private and public locations

· CPTED principles and concepts

· Defensible space principles and concepts

· Situational crime prevention principles and concepts

· Lighting that meets standards and design by increased visibility

· Biometrics and access control to specific areas

· CPTED design

· CPTED landscape principles

· Signage or visible security signs

· Padlocks and door locks and peepholes

· Intrusion alarms and signage of alarm

· Security surveillance systems (CCTV)

· Security awareness programs

· Planters and thorny bushes

· Bollards or barricades closing down streets

· Barking dog, inside or outside

Designing Security and Layout of Site


· Vehicle in driveway

· Area traffic and escape route available

· Policy and procedures

· Training programs


Category B

· Security officers armed and unarmed in private function, i.e., hotel door man, bus drivers, tickets sellers or ticket takers, and conductors.

· Police officers in uniform and armed security who may deduce that a crime is about to be committed and deter the incident in their presence.

· Security officer patrolling the parking lots of hotels, hospitals, and retail locations, protecting corporate assets and customer protection.

· Guardian angels patrolling streets, neighborhoods, and subways.

· People in the area.


Crime displacement theory: by target harden-ing and soft target moving to another location.

CPTED Strategies

1. Natural access control

2. Natural surveillance

3. Territorial reinforcement (Crowe and

Fennelly 2013)

Defensible space—This concept was developed in the public housing environment. It is similar to CPTED strategies (Crowe and Fennelly 2013).

Environmental security differs from CPTED in that it uses a broader range of crime control strategies including social management, social media, target hardening activity support, and low enforcement.

CPTED security landscape principles:

1. For natural surveillance but back bushes to a height of 3 ft.

2. Cut back the tree branches to 8 ft from the ground.

3. Chain link fence height between 6 and 8 ft plus three strands of barbed wire.

4. Height of a stone wall between 6 and 8 ft.

5. A least 10 ft of clear space both sides of the

fence and wall.1

Situation crime prevention incorporates other crime prevention and law enforcement strate-gies in an effort to focus on place-specific crime problems.

Results and Objectives

· Reduce violent crime

· Reduce property crime

· Displacement of crime

· Eliminate the threats and risk

· Reduce the likelihood of more incidents

· Eliminate vulnerabilities and protect assets


Risk management defined2 as the process by which an entity identifies its potential losses and then decides what is the best way to manage these potential losses.

· Risk: Exposure to possible loss (i.e., fire, natural disasters, product obsolescence, shrinkage, work stoppages).

· Security managers are primarily interested in crime, shrinkage, accidents, and crises.

· Risk managers generally are more focused on fire and safety issues.

· Pure risk: Risk in which there are no potential benefits to be derived (i.e., earthquake, flood).

· Dynamic risk: Risk that can produce gain or profit (i.e., theft, embezzlement).

· Possible maximum loss: Maximum loss sustained if a target is totally destroyed.

· Probable maximum loss: Amount of loss a target is likely to sustain.

1 Broder JF. CPP risk analysis and the security survey. 3rd ed. Elsevier; 2006.

2 Ibid





This chapter was updated and reviewed in 2017 by the editor. The theory and concepts laid out apply generically across the board. The approaches to physical security are based on the physical protection required to meet the need. Through the use of the risk equation, various proposed upgrades in physical protection at a facility can be compared.

The options that give the best cost/benefit to the facility can be implemented. The risk is nor-malized to the consequence of loss of the asset and thus the allocation of scarce physical protec-tion resources is appropriately applied to keep all risks at an acceptable level.

[1] Gigliotti RJ, Jason RC, Cogan NJ. What is your level of physical security? Secur Manag 1980:46–50.

[2] U.S. Nuclear Regulatory Commission. Generic adversary characteristics summary report. Washington, DC: The Commission; 1979.

[3] United States Code of Federal Regulation, Title 10, Part 73.1. 1982.

[4] Gigliotti RJ. The fine art of justification. Secur Manag 1980:30–4.

[5] Garcia ML. The design and evaluation of physical protec-tion of systems. Boston: Butterworth-Heinemann; 2001.

[6] Fennelly LJ, Perry M. 150 Things You Need To Know about Physical Security. Elsevier; 2017.

image258.jpg image259.jpg



Security Lighting

Joseph Nelson, CPP, Philip P. Purpura, CPP, Lawrence J. Fennelly, CPO, CSS, CHL III, CSSP-1, Gerard Honey, James F. Broder, CPP

Adequate light not only helps people recognize and avoid danger, but also in many cases deters criminals by creating in them the fear of detection, identification and apprehension. Randy Atlas, CPP (1993).



In this chapter, the concept of lighting as it relates to crime and crime prevention is dis-cussed. The two major purposes of lighting, to create a psychological deterrent to intrusion and to aid in detection, are put to the test involving natural and constructed light.

From a business perspective, lighting can be jus-tified because it improves sales by making a busi-ness and merchandise more attractive, promotes safety and prevents lawsuits, improves employee morale and productivity, and enhances the value of real estate. From a security perspective, two major purposes of lighting are to create a psychologi-cal deterrent to intrusion and to enable detection. Good lighting is considered such an effective crime con-trol method that the law, in many locales, requires buildings to maintain adequate lighting.

One way to analyze lighting deficiencies is to go to the building at night and study the possible methods of entry and areas where inadequate

lighting aids a burglar. Before the visit, contract local police as a precaution against mistaken identity and recruit their assistance in spotting weak points in lighting.

What lighting level aids an intruder? Most people believe that, under conditions of dark-ness, a criminal can safely commit a crime. But this view may be faulty, in that one generally cannot work in the dark. Three possible levels of light are bright light, darkness, and dim light. Bright light affords an offender plenty of light to work but enables easy observation by others; it deters crime. Without light, in darkness, a bur-glar finds that he or she cannot see to jimmy a good lock, release a latch, or do whatever work is necessary to gain access. However, dim light provides just enough light to break and enter while hindering observation by authorities. Support for this view was shown in a study of crimes during full-moon phases when dim light was produced.

This study examined the records of 972 police shifts at three police agencies over a 2-year period to compare nine different crimes during full-moon and nonfull-moon phases. Only one crime, breaking and entering, was greater during full-moon phases. Although much case law supports lighting as an indicator of efforts to provide a safe

Effective Physical Security, Fifth Edition



Copyright © 2017 Elsevier Inc. All rights reserved.


image262.jpg image263.jpg


environment, security specialists are questioning conventional wisdom about lighting. Because so much nighttime lighting goes unused, should it be reduced or turned off? Does an offender look more suspicious under a light or in the dark with a flashlight? Should greater use be made of motion-activated lighting? How would these approaches affect safety and cost-effectiveness? These questions are ripe for research.

David G. Aggleton, CPP, stated in a recent article in Security Technology Executive (March 2011) that “A quick rule of thumb for mini-mum reflected light is: (A) Detection: 0.5 fc, (B) Recognition: 1.0 fc, (C) Identification: 2.0 fc are required.”

Maintenance and bulb replacement ensure high-quality lighting.



Lumens (of light output) per watt (of power input) is a measure of lamp efficiency. Initial lumens per watt data are based on the light out-put of lamps when new; however, light output declines with use. Illuminance is the intensity of light falling on a surface, measured in foot-candles (English units) or lux (metric units). The foot-candle (fc) is a measure of how bright the light is when it reaches 1 foot from the source. One lux equals 0.0929 fc. The light provided by direct sunlight on a clear day is about 10,000 fc, an overcast day would yield about 100 fc, and a full moon gives off about 0.01 fc. A sample of outdoor lighting illuminances recommended by the Illuminating Engineering Society of North America are as follows: self-parking area, 1 fc; attendant parking area, 0.20–0.90 fc; covered parking area, 5 fc; active pedestrian entrance, 5 fc; and building surroundings, 1 fc. It is gener-ally recommended that gates and doors, where identification of persons and things takes place, should have at least 2 fc. An office should have a light level of about 50 fc.

Care should be exercised when studying fc. Are they horizontal or vertical? Horizontal illu-mination may not aid in the visibility of vertical objects such as signs and keyholes. (The preced-ing fc are horizontal.) The fc vary depending on the distance from the lamp and the angle. If you hold a light meter horizontally, it often gives a different reading that if you hold it vertically. Are the fc initial or maintained?



The following lamps are applied outdoors:

· Incandescent. These are commonly found at residences. Passing electrical current through a tungsten wire that becomes white-hot produces light. These lamps produce 10–20 lumens per watt, are the least efficient and most expensive to operate, and have a short lifetime of 9000 h.

· Halogen and quartz halogen lamps. Incandescent bulbs filled with halogen gas (like sealed-beam auto headlights) provide about 25% better efficiency and life than ordinary incandescent bulbs.

· Fluorescent lamps. These pass electricity through a gas enclosed in a glass tube to produce light, yielding 40–80 lumens per watt. They create twice the light and less than half the heat of an incandescent bulb of equal wattage and cost 5–10 times as much. Fluorescent lamps do not provide high levels of light output. The lifetime is 9000–20,000 h. They are not used extensively outdoors, except for signs. Fluorescent lamps use one-fifth to one-third as much electricity as incandescent with a comparable lumen rating and last up to 20 times longer. They are cost-effective with yearly saving per bulb of $9.00–$25.00.

· Mercury vapor lamps. They also pass electricity through a gas. The yield is 30–60 lumens per watt and the life is about 20,000 h.

Types of Lamps [4]


· Metal halide lamps. They are also of the gaseous type. The yield is 80–100 lumens per watt, and the life is about 10,000 h. They often are used at sports stadiums because they imitate daylight conditions and colors appear natural. Consequently, these lamps complement closed-circuit TV (CCTV) systems, but they are the most expensive lights to install and maintain.

· High-pressure sodium lamps. These are gaseous, yield about 100 lumens per watt, have a life of about 20,000 h, and are energy efficient. These lamps are often applied on streets and parking lots, and through fog are designed to allow the eyes to see more detail at greater distances. They also cause less light pollution then mercury vapor lamps.

· Low-pressure sodium lamps. They are gaseous, produce 150 lumens per watt, have a life of about 15,000 h, and are even more efficient than high-pressure sodium. These lamps are expensive to maintain.

· LED (light-emitting diodes). LED lighting is cost-effective and should meet lighting standards and guidelines for brightness but may not serve all applications best.


These are small lights, such as Christmas bulbs and spotlights. They use very low energy consumption and are long lasting up to 50,000– 80,000 h. This rapidly growing light source may be the light of the future. Currently, they are used in many applications such as in garages, street lighting, and rear taillights in motor vehicles.

· Quartz lamps. These lamps emit a very bright light and snap on almost as rapidly as incandescent bulbs. They are frequently used at very high wattage—1500–2000 W is not uncommon in protective systems—and they are excellent for use along the perimeter barrier and in troublesome areas.

· Electroluminescent lights. These lights are similar to their fluorescent cousins; however, they do not contain mercury and are more compact.

Each type of lamp has a different color ren-dition index (CRI), which is the way a lamp’s output affects human perception of color. Incandescent, fluorescent, and halogen lamps provide an excellent CRI of 100%. Based on its high CRI and efficiency the preferred out-door lamp for CCTV systems is metal halide. Mercury vapor lamps provide good color ren-dition but are heavy on the blue. Low-pressure sodium lamps, which are used extensively outdoors, provide poor color rendition, mak-ing things look yellow. Low-pressure sodium lamps make color unrecognizable and produce a yellow -gray color on objects. People find they produce a strange yellow haze. Claims are made that this lighting conflicts with aesthetic values and affects sleeping habits. In many instances, when people park their vehicles in a park-ing lot during the day and return to find their vehicle at night, they are often unable to locate it because of poor color rendition from sodium lamps; some even report their vehicles as stolen. Another problem is the inability of witnesses to describe offenders accurately.

Mercury vapor, metal halide, and high-pressure sodium take several minutes to produce full light output. If they are turned off, even more time is required to reach full output because they first have to cool down. This may not be acceptable for certain security applications. Incandescent, halogen, and quartz halogen have the advantage of instant light once the electricity is turned on. Manufacturers can provide infor-mation on a host of lamp characteristics includ-ing the “strike” and “restrike” time.

The following sources provide additional information on lighting:

· National Lighting Bureau (http://www.nlb. org): Publications.

· Illuminating Engineering Society of North America (http://www.iesna.org): Technical materials and services, recommended practices and standards, many members are engineers.

image266.jpg image267.jpg


· International Association of Lighting Management Companies (http://www. nalmco.org): Seminars, training, and certification programs.

Cost and Return on Investment

Cost is broken down into three categories:

(1) 88% energy cost, (2) 8% capital cost, and (3) maintenance cost. Return on investment (ROI) is broken down into (1) efficiency and energy savings payback, (2) reduce costs by shutting off unnecessary units, and (3) the concept of going green.

Lighting Equipment

Incandescent or gaseous discharge lamps are used in streetlights. Fresnel lights have a wide flat beam that is directed outward to pro-tect a perimeter and glares in the faces of those approaching. A floodlight “floods” an area with a beam of light, resulting in considerable glare. Floodlights are stationary, although the light beams can be aimed to select posi-tions. The following strategies reinforce good lighting:

1. Locate perimeter lighting to allow illumination of both sides of the barrier.

2. Direct lights down and away from a facility to create glare for an intruder. Make sure the directed lighting does not hinder observation by the patrolling officer.

3. Do not leave dark spaces between lighted areas for burglars to move in. Design lighting to permit overlapping illumination.

4. Protect the lighting system. Locate lighting inside the barrier, install protective covers over lamps, mount lamps on high poles, bury power lines, and protect switch boxes.

5. Photoelectric cells enable light to go on and off automatically in response to natural light. Manual operation is helpful as a backup.

6. Consider motion-activated lighting for external and internal areas.

7. If lighting is required in the vicinity of navigable waters, contact the U.S. Coast Guard.

8. Try not to disturb neighbors by intense lighting.

9. Maintain a supply of portable emergency lights and auxiliary power in the event of a power failure.

10. Good interior lighting also deters burglars. Locating lights over safes, expensive merchandise, and other valuables and having large clear windows (especially in retail establishments) lets passing patrol officers see in.

11. If necessary, join other business owners to petition local government to install improved street lighting.





1. Watts: Measures the amount of electrical energy used.

2. Foot-candle: Measure of light on a surface 1 square foot in area on which one unit of light (lumen) is distributed uniformly.

3. Lumen: Unit of light output from a lamp.

4. Lamp: Term that refers to light sources that are called bulbs.

5. Lux: Measurement of illumination.

6. Illuminare: Intensity of light that falls on an object.

7. Brightness: Intensity of the sensation from light as seen by the eye.

8. Foot-lambert: Measure of brightness.

9. Glare: Excessive brightness.

10. Luminaire: Complete lighting unit; consists of one or more lamps joined with other parts that distribute light, protect the lamp, position or direct it, and connect it to a power source.

Energy Management


11. Ballast: Device used with fluorescent and high-intensity discharge (HID) lamps to obtain voltage and current to operate the lamps.

12. HID: Term used to identify four types of lamps—mercury vapor, metal halide, and high- and low-pressure sodium.

13. Coefficient of utilization: Ratio of the light delivered from a luminaire to a surface compared to the total light output from a lamp.

14. Contrast: Relationship between the brightness of an object and its immediate background.

15. Diffuser: Device on the bottom or sides of a luminaire to redirect or spread light from a source.

16. Fixture: A luminaire.

17. Lens: Glass or plastic shield that covers the bottom of a luminaire to control the direction and brightness of the light as it comes out of the fixture or luminaire.

18. Louvers: Series of baffles arranged in a geometric pattern. They shield a lamp from direct view to avoid glare.

19. Uniform lighting: Refers to a system of lighting that directs the light specifically on the work or job rather than on the surrounding areas.

20. Reflector: Device used to redirect light from a lamp.

21. Task or work lighting: Amount of light that falls on an object of work.

22. Veiling reflection: Reflection of light from an object that obscures the detail to be observed by reducing the contrast between the object and its background.

23. Incandescent lamps: Produce light by passing an electric current through a tungsten filament in a glass bulb. They are the least efficient type of bulb.

24. Fluorescent lamps: Second most common source of light. They draw an electric arc along the length of a tube. The ultraviolet light produced by the arc activates a

phosphor coating on the walls of the tube, which causes light.

25. HID lamps: Consist of mercury vapor, metal halide, and high- and low-pressure sodium lamps. The low-pressure sodium is the most efficient but has a very low CRI of 5.


The efficiency and management of lighting is becoming a high priority in commissioning new buildings and upgrading existing systems. Indeed, the subject of energy management is expected to become one of the most important considerations within the building regulation documents and has a tremendous impact on the way the construction industry looks at energy. It is apparent that serious measures must now be taken to reduce energy use and waste. This will have an impact on security lighting and the way it is applied. Lighting experts show an increas-ing urge to work alongside electrical contractors and installers to help them increase their busi-ness opportunities by identifying the roles and applications in which energy-efficient lighting should be installed. Electrical contractors are becoming better educated in lighting design that is effective and energy efficient.

Lighting design personnel need to

· Recognize inefficient installations.

· Appreciate the environmental, cost, and associated benefits of energy-efficient lighting schemes.

· Estimate energy cost savings and calculate the payback period.

· Recognize the situations in which expert and specialist knowledge are needed in the design of management systems.

· Think in terms of increasing business while trying to preserve the environment.


At certain points in time, it was said that lighting any system brighter was advantageous.

image269.jpg image270.jpg


However, we are now seeing a trend away from large floodlights illuminating the night sky with a strong white glare, as exterior lighting is becoming much more focused on the minimum lux levels required. We are also seeing a move toward directional beams.

The lighting industry wants to remove itself from a proliferation of public and private external lighting schemes to counter the light pollution problem and become more energy and cost conscious in its makeup. There must be a mechanism to tackle the problem of countless floodlights, up lighters, spotlights, decorative installations, and an array of secu-rity lighting forms that are badly installed and specified, create light pollution, and use high energy levels.

Lighting pollution is now at the forefront of debates for two main reasons:

1. Light pollution spoils the natural effect of the night skies.

2. The greater the light pollution, the greater

the power consumption.

Unfortunately, a certain degree of light pollution is needed to satisfy safety and secu-rity applications. Equally, there is always the desire to have purely decorative lighting installations, so the answer lies in a compro-mise. Systems must be designed with a degree of thought given to the avoidance of light pol-lution and energy waste. External lighting must provide minimal light pollution, a safe environment, and an attractive feature. For attractive features, we can see a greater use of fiber optic solutions with color-changing effects and lighting engineered to direct the illumination downward. Bollards or recessed ground luminaries can be set into walk-ways so there is no spill into the night sky. Intelligently, designed schemes can ensure that lighting is reflected only in a downward direction so that pedestrians are better guided and the lighting has a pleasing effect with little overspill.

Therefore, within the lighting industry, there is a need to raise standards in all aspects associ-ated with light and lighting, in particular when it comes to energy management and light pol-lution. We need to define and harness the plea-sures of lighting but at the same time promote the benefits of well-designed energy-efficient schemes among the public at large. There must also be miniaturization and increased lamp life. Energy management must therefore be a part of security lighting.



1. Is all of the perimeter lighted?

2. Is there a strip of light on both sides of fence?

3. Is the illumination sufficient to detect human movement easily at 100 yards?

4. Are lights checked for operation daily prior to darkness?

5. Is extra lighting available at entry points and points of possible intrusion?

6. Are lighting repairs made promptly?

7. Is the power supply for lights easily accessible (for tampering)?

8. Are lighting circuit drawings available to facilitate quick repairs?

9. Are switches and controls

a. Protected?

b. Weatherproof and tamper resistant?

c. Accessible to security personnel?

d. Inaccessible from outside the perimeter barrier?

e. Equipped with centrally located master switch(es)?

10. Is the illumination good for guards on all routes inside the perimeter?

11. Are the materials and equipment in receiving, shipping, and storage areas adequately lighted?

12. Are bodies of water on the perimeter adequately lighted?

13. Is an auxiliary source of power available for protective lighting?

Lighting Checklist


Protective Lighting Checklist

1. Is protective lighting adequate on the perimeter?

2. What type of lighting is it?

3. Is the lighting of open areas within the perimeter adequate?

4. Do shadowed areas exist?

5. Are outside storage areas adequately lighted?

6. Are inside areas adequately lighted?

7. Is the guard protected or exposed by the lighting?

8. Are gates and boundaries adequately lighted?

9. Do lights at the gates illuminate the interior of vehicles?

10. Are critical and vulnerable areas well illuminated?

11. Is protective lighting operated manually or automatically?

12. Do cones of light on the perimeter overlap?

13. Are perimeter lights wired in series?

14. Is the lighting at shipping and receiving docks or piers adequate?

15. Is the lighting in the parking lots adequate?

16. Is an auxiliary power source available with backup standby units?

17. Is the interior of buildings adequately lighted?

18. Are top secret and secret activities adequately lighted?

19. Are guards equipped with powerful flashlights?

20. How many more and what types of lights are needed to provide adequate illumination? In what locations?

21. Do security personnel report light outages?

22. How soon are burned-out lights replaced?

23. Are open areas of a campus sufficiently lighted to discourage illegal or criminal acts against pedestrians?

24. Are any areas covered with high-growing shrubs or woods where the light is insufficient?

25. Are the outsides of buildings holding valuable or critical activities or materials lighted?

26. Are interiors of hallways and entrances lighted when buildings are open at night?

27. Are areas surrounding women’s dormitories well lighted? Within a college setting?

28. Are campus parking lots lighted sufficiently to discourage tampering with parked cars or other illegal activities?

29. Are areas where materials of high value are stored well lighted? Safes, libraries, bookstores, food storage areas, and so forth?

30. Lamp life versus efficiency?

31. Lamp CRI?

32. Continuous levels of light at night?

33. Provide specific levels of light for CCTV units? We are in the age of HD cameras and HD television monitors as well as low-light cameras, all of which are crime deterrents in some cases.

34. Required light for evening patrols?

35. Complex should have an even and adequate distribution of light?

Lighting Levels

By definition a foot-candle is a unit of illumi-nance or light falling onto a surface. It stands for the light level on a surface 1 foot from a standard candle. One foot-candle is equal to one lumen per square foot.

· 0.5 fc for perimeter of outer area

· 0.4 fc for perimeter of restricted area

· 10 fc for vehicular entrances

· 5 fc for pedestrian entrance

· 0.5–2 fc for roadways

· 0.2 fc for open years

· 0.2–5 fc for decks on open piers

· 10–20 fc for interior sensitive structures


Open parking light levels are a minimum of 0.2 fc in low-level activity areas and 2 fc in high-vehicle activity areas. If there is cash collection, the light level is a minimum of 5 fc.

image272.jpg image273.jpg


· Loading docks—15fc

· Loading docks interior—15 fc

· Shipping and receiving—5 fc

· Security gate house —25–30 fc

· Security gate house interior—30 fc


For pedestrians or normal CCTV cameras the minimum level of light for

· Detection—0.5fc

· Recognition—1fc

· Identification—2fc

· Parking structures—5fc

· Parking areas or open spaces—2 fc

· Loading docks—0.2–5fc

· Loading dock parking areas—15–30 fc

· Piers and dock—0.2–5 fc


The color of the surface also impacts reflectance; a light surface, such as a parking lot paved in concrete, will have higher reflectance than a dark surface (a parking lot paved in asphalt or black-top). The measure of reflectance of an object is the ratio of the quantity of light (measured in lumens) falling on it to the light reflected from it, expressed as a percentage.

Color Rendition Index

The ability of a lamp to faithfully reproduce the colors seen in an object is measured by the CRI. Security personnel need the ability to accu-rately describe color. It is an important aspect in the apprehension of criminals who are caught on CCTV displays and recordings. CRI is mea-sured on a scale of 1–100. A CRI of 70–80 is con-sidered good, above 80 is considered excellent, and 100% is considered daylight.


The quantity or flow of light emitted by a lamp is measured in lumens. For example, a typ-ical household bulb rated at 100 W may output about 1700 lumens.

Illuminance is the concentration of light over a particular area and is measured in lux, repre-senting the number of lumens per square meter or foot-candles. One foot-candle is equal to 10.76 lux (often approximated to a ratio of 1:10).

Note: When evaluating the amount of light needed by a particular CCTV camera (or the eye) to perceive a scene, it is the amount of light shining over the area of the lens iris (camera or eye), or its luminance, that is critical.

Corrected Color Temperature

A measure of the warmth or coolness of a light is the corrected color temperature. It has a considerable impact on mood and ambiance of the surroundings.

Lighting Systems

A lighting system consists of a number of components, all of which are important to the effectiveness of a lighting application. Following is a list of the major components and their functions:


When we see an object, our eyes are sensing the light reflected from that object. If there is no light reflected from the object, we only see a silhouette in contrast to its background. If the object is illuminated by other than white light we will see the object in colors that are not true.

· Lamp (also known as a lightbulb). Manufactured light source that includes the filament or an arc tube, its glass casing, and its electrical connectors. Types of lamps include incandescent and mercury vapor, which describe the types of technologies used to create the light.

· Luminary (also known as fixture). Complete lighting unit consisting of the lamp, its

Appendix 5.A Lighting Description


holder, and the reflectors and diffusers used to distribute and focus the light.

· Mounting hardware. Examples are a wall bracket or a light pole used to fix the correct height and location of the luminary.

· Electrical power. Operates the lamp, ballasts, and photocells. Some lamp technologies are sensitive to reduced voltage, in particular the HID family of lamps (metal halide, mercury vapor, and high-pressure sodium).

[3] National Lighting Bureau. Lighting for safety and ­security. Washington, DC: National Lighting Bureau; n.d. p. 1–36; Smith MS. Crime prevention through environmental­

design in parking facilities. Washington, DC: National Institute of Justice; 1996. p. 1–4; Bowers DM. Let there be light. Secur Manage; 1995. p. 103–111; Kunze DR, Schiefer J. An illuminating look at light. Secur Manage 1995. p. 113–116.

[4] Fischer RJ, Halibozek E, Green G. Introduction to secu-rity. 8th ed. Boston: Butterworth-Heinemann; 2008.

[5] Fennelly LJ, Perry M. 150 Things You Need To Know about Physical Security. Elsevier; 2017.


[1] Purpura P. Police activity and the full moon. J Police Sci Adm 1979;7(3):350.

[2] Berube H. New notions of night light. Secur Manage 1994:29–33.


National Lighting Bureau: www.nlb.org.

Illuminating Engineering Society: www.iesna.org. International Association of Light Management Companies:




TABLE 5.1 Lighting Types



CRI (Color Rendition Index)

Light Color




Reflects all light




Good color rendition

Mercury vapor



Fair color rendition

When used as a streetlight, there will

be a blue label indicating wattage

High-pressure sodium



Poor color rendition

When used as a streetlight, there will

be a yellow label indicating wattage

Low-pressure sodium



Very low color rendition

Metal halide


Bright white

Very high color rendition

When used as a streetlight, there will

be a white label indicating wattage

Halogen/quartz halogen











TABLE 5.2 Operation Costs (10 years)



Lamp Changes




Operation Cost

High-pressure sodium







High-pressure sodium







High-pressure sodium







High-pressure sodium







High-pressure sodium










































Metal halide (V)







Metal halide (V)







Metal halide (V)







Metal halide (V)







Metal halide (V)







Metal halide (H)







Metal halide (H)







Metal halide (H)







Metal halide (H)







Metal halide (H)







Low-pressure sodium







Low-pressure sodium







Low-pressure sodium







Low-pressure sodium







Low-pressure sodium







U.S. Energy Technologies, 2007.




Electronics Elements: A Detailed


Thomas L. Norman, CPP, PSP, CSC


This chapter includes a detailed discussion of design elements for alarm/access control sys-tems, system servers, workstations, advanced elements, CCTV and digital video systems, wireless digital video, security communications systems, command/control and communica-tions (C3) consoles, console guard functions, and communications systems.



The basic elements of most current alarm and access control systems are discussed in the sec-tions that follow.

Identification Devices

Identification devices include card/key/­ barcode1/radio frequency identification readers,

1 Barcode is a machine-readable array of lines that due to their spacing and line width contain a unique identity that is assigned to an asset. Barcodes can also be in the form of patterns of dots, concentric circles, and hidden in images. Barcodes are read by optical scanners called barcode readers.

keypads, and biometric2 readers. Access control systems can determine your identity by what you know, by what you have, or by who you are.

The most basic types of identification (ID) readers are keypads. Basic keypads are simple 12-digit keypads that contain the numbers 0–9 and * and # signs (Fig. 6.1). The most desirable attributes of keypads are that they are simple to use and they are cheap. The most undesirable attribute of the keypad is that it is relatively easy for a bystander to read the code as it is being entered, and then you have been duplicated in the access control database (i.e., now two people know your code so now no one is sure if the person who used the code is really you). Also, the pizza delivery guy usually knows a code because there is usually someone in the organization who gives out his or her code for such things. This defeats the purpose of access control because now management has no idea who has the codes. Although shrouds for keypads are available, they are cumbersome and

2 Biometric identification devices identify the user by some unique physical attribute, typically including fingerprints, retinas, iris patterns, hand geometry, ear patterns, and voices. Biometric algorithms can also be used to identify people by their walking gate, facial pat-terns, and handwriting.

* Originally from Integrated Security Systems Design. Thomas Norman: Butterworth-Heinemann, 2015. Updated by the editor, Elsevier, 2016.

Effective Physical Security, Fifth Edition



Copyright © 2017 Elsevier Inc. All rights reserved.


FIGURE 6.2 Early access control keypad.

FIGURE 6.1 Alarm keypad.

do not seem to be well accepted, and the pizza delivery guy still knows the code.

Two other variants are the so-called “ash-tray” keypad, which conceals the code quite well (Fig. 6.2), and the Hirsch keypad, which works very well. The Hirsch keypad dis-plays its numbers behind a flexible, transpar-ent cover using seven-segment LED modules. Then, to confuse the guy across the room with the binoculars, it scrambles the position of the numbers so that they almost never show up in the same location on the keypad twice. This ensures that even though the guy with binoculars can see the pattern of button press-ing, it will be useless because that pattern does not repeat often (Fig. 6.3). We have also found that in many organizations, there is something about the high-tech nature of the Hirsch key-pad systems that seems to make its users more observant of the need not to give out the code to unauthorized people.

FIGURE 6.3 Hirsch Scramble Pad. Image used with per-mission of Hirsch Electronics, Inc.

One step up the scale of sophistication from keypads are ID cards and card readers. Access control cards come in several variants, and there are a number of different card reader types to

Alarm/Access Control Systems


FIGURE 6.4 Magnetic stripe card.

match both the card type and the environment. Common card types include the following:

· Magnetic stripe

· Wiegand wire

· Passive proximity

· Active proximity

· Implantable proximity

· Smart cards (both touch and touchless types)


Increasingly rare types include the following:

· Barcode

· Barium ferrite

· Hollerith

· Rare-earth magnet

Magnetic Stripe Cards

Magnetic stripe cards (Fig. 6.4) have a mag-netic band (similar to magnetic tape) laminated to the back of the card. These were invented by the banking industry to serve automatic teller machines. Typically, there are two or three bands that are magnetized on the card. The card can contain a code (used for access control identifica-tion), the person’s name, and other useful data.

Usually in access control systems, only the ID code is encoded. There are two types of mag-netic stripe cards: high and low coercivity (how much magnetic energy is charged into the mag-netic stripe). Bank cards are low coercivity (300 Oersted) and most early access control cards were high coercivity (2750 or 4000 Oersted). However, as clients began to complain that their bank cards failed to work after being in a wallet next to their access card, many manufacturers switched to low coercivity for access cards as well. Magnetic stripe cards are desirable attributes that they are easy to use and inexpensive. Undesirable attri-butes are that they are easy to duplicate and thus not suitable for use in any secure facility.

Wiegand Cards/Keys

The Wiegand effect is named after its discov-erer, John R. Wiegand. This effect occurs when a specially made wire is moved past a mag-netic field, causing it to emit a very fast mag-netic pulse in response (10 μs) to the magnetic field. Wiegand wires are placed into cards and keys in a pattern of north/south such that they create ones and zeros when read by a Wiegand card/key reader. In the early days of access






FIGURE 6.5 Hollerith access key.

control, a wiring protocol was established to accommodate Wiegand effect readers called the Wiegand wiring scheme for card readers. Today, manufacturers refer to their proximity card readers to be wired with this Wiegand wire interface.

Barcode Cards

Barcode cards use any of several barcode schemes, the most common of which is a con-ventional series of lines of varying thicknesses. Barcodes are available in visible and infrared types. The visible type looks similar to the UBC barcode on food articles. Infrared barcodes are invisible to the naked eye but can be read by a barcode reader that is sensitive to infrared light. The problem is that either type can be easily read and thus duplicated; so barcodes are also not suitable for secure environments.

Barium Ferrite Cards

Barium ferrite cards are based on a magnetic material similar to that used in magnetic signs and refrigerator magnets. A pattern of ones and zeros is arranged inside the card, and because the mate-rial is essentially a permanent magnet, it is very robust. Barium ferrite card readers can be config-ured for insertion or swipe type. For swipe types, these are often in the form of an aluminum plate placed within a beveled surface. The user simply

touches the card to the aluminum surface and the card is read. Swipe and insertion barium fer-rite cards and keys are almost nonexistent today, relegated only to legacy systems. The aluminum touch panel is still common in some locales.


The code in Hollerith cards is based on a series of punched holes. The most common kind of Hollerith card is that which is used in hotel locks. Some Hollerith cards are configured such that their hole patterns are obscured by an infra-red transparent material. One brand of Hollerith is configured into a brass key (Fig. 6.5). Hollerith cards are not commonly used in secure facilities.

Rare-Earth Magnets

An extremely rare type of access credential is the rare-earth key. The rare-earth magnets are set in a pattern of four wide by eight long and each can be positioned so that north is pointing left or right, making a pattern of ones and zeros. Such keys are very difficult to duplicate and are suit-able for high-security facilities, although their cost is high because each key must be handmade.

Photo Identification Elements

Access cards grant access and identification cards provide visual evidence that the bearer is

Alarm/Access Control Systems


authorized to be in the area. Identification badges can have many visual attributes, including a photo of the bearer, a logo of the organization (not neces-sarily a wise thing), the bearer’s name, and a color scheme that may identify areas where the person is authorized. Sometimes, a color or code may designate if the bearer is a contractor or vendor.

To help verify the authenticity of the card, it is common to laminate a holographic overlay that provides a visual indication that the card has not been tampered with.

Some organizations use separate access cards and identification cards, but most have com-bined the two functions into a single credential.

Multitechnology Cards

As organizations grow, it is common for some employees to need to travel to multiple offices and facilities where different card technologies may be used. There are three solutions to this problem. One solution is to have the traveling employees carry a different card for each facility they visit. Another is to convert the entire organization’s access control system to a single card standard, which can be expensive. Finally, technology can come to the rescue by creating a card that contains codes that are readable by two or more access con-trol systems. Multitechnology cards can include magnetic stripes, Wiegand, proximity, and even smart cards all in one card. Implantable chips can provide access to very high-security facilities with an assurance that the credential has not found its way into the wrong hands.

Card Readers

Card readers have been configured in a number of different ways. Early card read-ers were of the insertion type (Fig. 6.6). These were prone to getting dirty and thus reading intermittently. Swipe readers came next (Fig. 6.7). These were easier to keep clean and more reliable. These mostly eliminated the problem of chewing gum and coins being inserted and were also easy to use. However, reliability was still a problem.

FIGURE 6.6 Insertion card reader.

Proximity card readers date back to the early 1970s, and they continue to evolve (Fig. 6.8). Reliability issues have been virtually eliminated for all but intentional abuse. Proximity card readers have been designed for many unique environments, including normal interior walls (for mounting to single-gang electrical box) (Fig. 6.9) and door frames (mullion readers) (Fig. 6.10). There are also long-range readers for use in car parks and garages so that the user does not need to roll down the car window and be exposed to the weather (Fig. 6.11).

Proximity cards and readers work by passing a handshake set of radio frequency signals (tra-ditionally in the 60–150 kHz range). Basically, the reader is always transmitting a low power signal through one of two antennas in the card reader. When a card comes into the radio energy field, the radio frequency energy is picked up by one of two antennas on the card and is used to charge a capacitor. When the capacitor voltage reaches a critical level, it “dumps” its energy into an integrated circuit (chip) on the card, which is programmed with a unique card number.

The chip also has a radio frequency transmitter, and it transmits the unique card number through a second antenna on the card. All this occurs in milli-seconds. When the card reader picks up the trans-mission from the card, it passes the card number to the reader input board of the access control sys-tem, where a grant/deny access decision is made based on the facility code and card number, which


FIGURE 6.7 Swipe card reader.

FIGURE 6.8 Proximity card reader. Image used with per-mission of HID Global.

together make up the unique card number code, and the day and time of presentation of the card.

Newer proximity cards and readers use smart-card technology that can also receive, store, and process information from the card reader back to the card, allowing more compli-cated transactions. For example, the card can be used like a credit card to purchase food in a vending machine or gas at a gas pump. The card

FIGURE 6.9 One-gang proximity reader. Image used with permission of HID Global.

can store a history of transactions, such as where the user has gone and with what readers he or she has interacted. Some transactions may be unknown to the user such that it is possible to

Alarm/Access Control Systems


FIGURE 6.10 Mullion proximity reader. Image used with permission of HID Global.

FIGURE 6.11 Long-range proximity reader. Image used with permission of HID Global.

FIGURE 6.12 VeriChip implantable access control cre-dential. Used with permission from VeriChip Corporation.

track a user’s position in a facility at any given time or for other special purposes. One exotic access control credential is the implantable chip. Only slightly larger than a grain of rice, the chip can be implanted in a user’s arm and can pro-vide access to high-security areas. These chips have been implanted in agricultural animals and pets for many years to help track an ani-mal’s health and locate its owner when lost. It is the closest thing to biometrics (Fig. 6.12).

TWIC Cards

The U.S. Transportation Security Agency (TSA) has implemented the Transportation Worker Identification Credential (TWIC) pro-gram. The TWIC card can be used for all per-sonnel who require unrestricted physical or computer access to TSA-controlled facilities. TWIC credentials are used at facilities that are under the jurisdiction of the Aviation and Transportation Security Act and the Maritime Transportation Security Act.

TWIC cards include a photo, biometric creden-tial, and standard access card credentials all in a single card. TWIC positively ties the person to his or her credential and to the person’s threat assess-ment. The credential can then be used to allow unrestricted access to the cardholder for appro-priate areas of the facility. TWIC cards will help ensure that cardholders who travel from facility to facility can be recognized with a single card.


Biometric readers come in many forms, but all share the function of identifying a person by his or her unique physical attributes. Common bio-metric readers include fingerprint readers, hand geometry readers, iris scanners, voice recognition systems, handwriting recognition systems, and finger blood vessel pattern recognition systems.

Other Field Devices

These include electrified locks, door position switches, request-to-exit (REX) devices, and gate operators.

There are a nearly infinite number of types and applications of electrified locks. This is one of the areas that set the master designer apart from the journeyman. It pays to learn electrified locks exceptionally well because many codes stipulate how certain types of electrified locks can be applied. Also, each project has a unique set of security requirements that combined with door types, directions of travel, fire exit paths, and codes, makes for an infinite combination of lock types. There are several basic types of locks.

Electrified Strikes

Electrified strikes replace the conventional door strike into which a typical door latch closes. Unlike a conventional door strike, which requires that the door latch be retracted for it to open, the electric strike unlocks the door by simply folding back to release the door latch as the user pulls the door open. It springs back instantly as the door latch clears the strike so that it is ready to receive the latch as the door closes again. There are many types of electric strikes, but they all operate in the same way. A few electric strikes are strong enough to be con-sidered security devices, but most should not be relied on for high-security environments. Unfortunately, most electric strikes are not rated for their strength, which makes it difficult to determine whether one should rely on it to resist a forced attack. Any strike that does not list its physical strength should be assumed to be

incapable of resisting a forced attack. One of the favorable attributes of electric strikes is that they do not draw power except when they unlock. This makes them suitable for environments in which power availability is a concern.

Electrified Mortise Locks

A mortise lock is a lock that is built into a routed pocked or “mortise” in the door. These locks are very strong because the lock is sizable relative to the latch and dead bolt and the lock is effectively part of the door, so it is essentially as strong as the door. When a mortise lock is placed in either a solid-core door or a hollow metal door, it is placed into a hollow metal frame. The result is a very strong door and lock. Mortise locks are available in different configurations, the most common being office and storeroom types. The office lock is equipped with only a latch bolt, and the storeroom type is equipped with both a latch bolt and a dead bolt. Electrified mortise locks are simply normal mortise locks in which the latch bolt has been attached to a solenoid within the lock body so that upon triggering the solenoid the latch bolt retracts, unlocking the door. There are a few electrified storeroom mortise locks, but most are of the office type.

Magnetic Locks

Often considered the staple of electrified locks, the magnetic lock is little more than just an electromagnet attached to a door frame, and there is an armature attached to the door. When the electromagnet is energized and the armature on the door is against the lock, the lock engages. These are typically very strong locks, usually having 800–1500 lbs. of holding force. This lock is sometimes stronger than the door to which it is attached. Magnetic locks should be used with a redundant means of unlocking to ensure that a person inside the locked area can always exit. A “push to exit” button or crash bar that interrupts power to the magnetic lock is always advised.

Alarm/Access Control Systems


Electrified Panic Hardware

Where a door is located in the path of egress, panic hardware is often used, depending on the occupancy rating. Panic hardware is required on any door where there could be a large number of people needing exit in an emergency. Panic hardware is easily identified by the push bar (formerly called a crash bar) that the users press as they push through the door. Panic hardware facilitates a single exit motion because users have only to push on the door as they are mov-ing through it. This facilitates the rapid exit of large numbers of people because no one has to wait behind anyone else while they stop to turn a door handle. In a severe emergency such as a fire, such momentary delays can compound to cause a crush of people behind a door that is unlocked but that can become a barrier if some-one has difficulty with the door handle. There are several basic types of panic hardware config-urations, depending on the requirements of the door to which the panic hardware is mounted. Panic hardware is electrified by one of several methods, usually involving a solenoid that releases a latch on the door.

Specialty Locks

Most people pay little attention to doors and locks; they just use them. However, there are a remarkable number of variations of doors, frames, locks, and electrification methods. Some unusual locks have been developed for special needs.


Door and gate position switches (DPSs) sense if the door or gate is opened or closed. A variant of the DPS is the monitor strike, which determines if the door is not only closed but also whether a latch bolt or dead bolt is in fact engaged. The typical DPS is composed of a mag-netically sensitive switch and a magnet placed close to the switch.

J-BOX image7.jpg image8.jpg

4" image9.jpg

FIGURE 6.13 Surface-mounted door position switch.

Typically, the switch is placed on the door frame and the magnet is placed on the door or gate. When the door or gate is opened, the switch also opens, sending a signal to the alarm system. Variants of DPSs include surface and concealed mounting versions (Figs. 6.13 and 6.14), wide- and narrow-gap sensing areas, and conventional or balanced bias types. Wide-gap DPSs were developed to prevent accidental trig-gering by nuisance conditions, such as when the wind blows against a sliding glass door.

To prevent an intruder from simply placing a magnet against the DPS while opening the door, balanced-bias switches were developed that place the switch in a closely controlled mag-netic field. If another magnet is brought near the switch when the door is closed, that act alone will trigger an alarm even before the door is opened.

Other types of DPSs include plunger type, Hall effect, and mercury switches. These are sometimes used in areas where it is not pos-sible to place a magnet in the door or gate or where a device must be alarmed if it is moved. The plunger switch alerts when the object that is pushed against it is moved. These are often mechanical switches and can be unreliable for high-security applications. Hall effect switches rely on the presence of a magnetic field within a




MAGNET image10.jpg

image11.jpg 4" image12.jpg

FIGURE 6.14 Concealed door position switch.

confined area to alert. They also work by mov-ing the object. Mercury switches are sometimes placed inside an object that should not be moved in any dimension and can be made to alert to the slightest movement. These are often used with radio frequency transmitters.

Duress Switches

Duress switches are usually placed under a desk or counter to alert security if the person at the counter feels threatened. The two most com-mon types are finger activated and foot switch activated. If the person believes he or she needs assistance, he or she can either push a shrouded button (or two buttons together to prevent false alarms) or place a toe under and lift a foot switch. Another type used in cash drawer applications is the bill trap. This type activates when the last bill in a drawer is removed, indicating a robbery.

Request-to-Exit Sensors

It is good that a security system can alert when a door is opened, but what about a DPS

at a door equipped with a card reader? When a person is exiting that door legally, there must be some way to sense that the exit is not an alarm and bypass the DPS for the duration of the door opening. This is what a REX sensor does.

There are two common types of REX sensors, infrared and push switch. An infrared REX sen-sor is placed above the door on the secure side and constantly monitors the door handle search-ing for human motion. When motion is sensed in the approach area to the door, the sensor acti-vates and thus alerts the access control electron-ics that the pending door opening is a legal exit, not an alarm.

The push switch type is configured either as a labeled button near the door (required in most municipalities for magnetic locks) or can be a switch that is configured into the handle of a mortise lock or the electrified panic hardware push bar. These are more intuitive.

Even when other types of REX sensors are used on magnetically locked doors, it is still important to configure a labeled “push to unlock” button near the door. This button should be wired both to the access control system electronics to signal

Alarm/Access Control Systems


a legal exit and to the lock through a timer to ensure that if the access control system electron-ics should fail, the user may still exit the door. It is not only embarrassing brutal so can be legally costly and even deadly if a user is ever trapped inside a building with no way to exit.

Door and Gate Operators

Door and gate operators are mechanical devices that automatically open and close doors and gates in response to a command. Door oper-ators are common in public buildings and assist in the movement of large numbers of people with little effort or assist handicapped persons through the door. Gate operators are commonly used to automatically open vehicle gates in response to a command.

Door operators are often used with magnetic locks such that the access control system may both unlock and then open a door. This is com-mon at main public and commercial building doors, and this combination is also frequently used where there is a requirement to assist the handicapped. Wherever door operators are used with magnetic locks, it is imperative to sequence the operation such that the door unlocks first and then opens. If this sequencing is not built into the design, the automatic operator may fail after a short period of time. Better door opera-tor companies have incorporated a special cir-cuit for this purpose, but it must be specified. I designed one of the first such interfaces for a major door operator manufacturer. Doors that are in the path of egress must be equipped with safety devices to ensure that a person can exit in an emergency with no special knowl-edge. This typically means that there must be a labeled push button or some other type of code-approved method of egress. Codes will always prevail on any magnetically locked door. Do not assume that a code from one city is acceptable in another. Know your codes.

Gate operators that are electrically locked must also be interfaced to function correctly.

Revolving Doors and Electronic Turnstiles

Revolving doors and electronic turnstiles are sometimes used to provide a positive access con-trol. That is, each person must enter and leave using an access credential, and only one person may transit the portal at a time for accountabil-ity purposes.

Revolving doors (Fig. 6.15) can be equipped with a special operator that will allow only one person at a time through a rotating (X) pane. Like door operators, revolving doors can be locked between uses, but even when unlocked, they can be controlled by the operator so that only one rotation is permitted. Early revolving door operators were sometimes problematic. However, modern operators by major manu-facturers are well developed, and most work well. It is wise to coordinate directly with the manufacturer of the revolving door operator to achieve the desired functions. These may include the following:

· Card reader controlled

· Remote bypass from a security console

· Autoreverse if two or more people enter on one card use

· Autoreverse if an unauthorized person attempts to use the door at the same time as an authorized user but from the opposite side of the revolving door

· Audio alert of improper use with instructions


Such doors are also available with status alerts on alarm, on reverse, with user count, and other options.

Revolving doors for access control should be configured to the “X” rather than “+” configura-tion when waiting for next use.

Electronic turnstiles (Fig. 6.16) are similar to the old-fashioned turnstiles used at subways and ball-parks, except that the rotating member is replaced by an infrared photo beam that detects when someone passes through. There is also a type of electronic turnstile that uses paddle arms or glass wings to act as a physical barrier. These devices


FIGURE 6.15 Revolving door.

FIGURE 6.16 Electronic turnstiles with paddle barriers.

are designed to control access to a commercial or government building with a high degree of speed (throughput) and elegance. Electronic turnstiles must be used with an access control system that can deliver speedy card executions to be accepted by the users. As for revolving doors, the designer should coordinate the specifications carefully with the turnstile manufacturer.

Electronic Processing Components

Electronic processing components include reader interface boards, alarm input boards, out-put relay boards, and controllers. Every alarm and access control system made today uses some form of controller between the worksta-tions/servers and the field devices (Fig. 6.17).

Alarm/Access Control Systems


FIGURE 6.17 Alarm/access control panel. Image used with permission of DSX Access Systems, Inc.

These vary slightly from manufacturer to man-ufacturer, but the theme is the same. Each has three basic elements:

· A microprocessor with connectivity to the server and other controllers

· Memory

· Field device interface modules (reader interface boards, alarm input boards, and output relay boards)


The configuration may vary (some systems combine these elements together into one board, whereas in others they are components that can be distributed or wired together in one electrical box), but all systems use these same elements. However, that will change soon.

When I began writing this book in 2006, the concept of microcontrollers, which I had long proposed, was scoffed at by most in the industry. However, by the time this book was published in its first edition, at least one manufacturer was

making small microcontrollers that control a single door, with some auxiliary inputs and out-puts. At that time, I said that newer generations of microcontrollers will contain their own mem-ory and microprocessor. They will fit in a small box above the door. All that has come to pass. I also said that they will eventually incorporate a mini data switch connected by Ethernet. So far that has not happened, although I understand it to be under discussion as the second edition of this book goes to press.

I said then that this design would revolu-tionize the industry. The alarm and access con-trol industry has been based for years on metal bending—that is, on the sale of hardware. This is about to become a software industry. It is part of the sea change mentioned previously.

Soon, it will be possible to connect a card reader, DPS, REX, and lock, together with an intercom outstation and a video camera, into a single small electronic smart switch that will


contain its own central processing unit (CPU) and memory. I have been predicting this for more than a decade, and now as the second edi-tion goes to press, it is occurring.



All enterprise-class alarm and access control systems depend on servers to store and manage the master databases on which all system opera-tions rely. Smaller systems may incorporate the server functions directly into the system’s work-station. Servers operate basically two kinds of ser-vices: system operation and archiving. On simple systems, these are both contained within a single server. On larger, more complex systems, these functions may be separated into separate boxes.

On larger systems, it is common to have a backup server that duplicates the database and functions of the primary server. This sec-ond server is usually configured to take over in the event the primary server experiences some unexpected failure or planned shutdown. Smart designers place the backup server in another building or even in another state to act as a busi-ness continuity server, not just a failover server. There are two basic functions on backup serv-ers: mirrored operation and failover operation. Mirrored backup servers are used to maintain a constant and instantaneous backup of archived data (both alarm/access control data and video image data). Failover servers wait until the pri-mary server fails, then they take control of the system instantaneously or, in simpler systems, by having the operator switch to the failover server. These servers should be used for system operating services and for archiving where the backup server is in the same physical area as the primary server. For true business continuity servers, the backup servers should be located off-site and all archiving should be mirrored to ensure that if a catastrophic event occurs at the primary server location, no data are lost.


Workstations are the human interface that manage and communicate with the controllers and servers. In simple systems, one worksta-tion may do it all—server, card programming, system programming, report printing, identifi-cation badging, and alarm monitoring. However, on enterprise-class alarm and access control systems, these functions are divided among different workstations.

On a system, I designed for a corporate head-quarters of a major petrochemical company, a single building had five workstations—one for card and system programming, one to capture pictures and program data for the photo iden-tification system, one at the main lobby desk to monitor alarms and the electronic turnstiles access, and two for alarm monitoring in the security command center. The same system used five servers in two different buildings. All these workstations and servers resided on just one campus. This system is capable of moni-toring hundreds of sites in multiple countries. There can be multiple workstations at each site, resulting in dozens to hundreds of workstations.

The point is that there is no practical limit to the number of workstations in a system. Workstations can be connected directly to the server, to the Ethernet backbone, to a control-ler, or to the Internet using a web browser so that a security manager can make decisions remotely while on vacation or during a week-end. Enterprise-class systems provide infinite choice.

Data Infrastructure Basics

When the user presents a card to a card reader and the card reader passes that information to a controller, a decision is made to unlock the door. That information, along with alarm detec-tion information, is transmitted along a data infrastructure to the server, and then it is dis-tributed to appropriate workstations. The data

Advanced Elements


infrastructure is the backbone of the system. In older systems, there was a unique data infra-structure for the alarm and access control sys-tem, but most modern systems have converted to an Ethernet communications protocol. Older protocols included RS-485, Protocol A, Protocol B, 20-ma current loop, and other methods. The newer Ethernet protocol supports worldwide systems architectures that can be connected in many different ways to meet the special needs of each client, each site, and each security environ-ment. Additionally, Ethernet protocols can also communicate CCTV and voice technologies all on a single data infrastructure. Ethernet can be easily converted to fiber optics, 802.11a/b/g/n, laser, or geostationary satellite and even on SCADA systems to facilitate unique environ-mental requirements where normal wired infra-structures present design challenges. It would be easy to write an entire book(s) on the subject of security system data infrastructures, and it is a difficult subject to boil down to its basics. More information on this subject is presented here and in the System Commissioning section of this book.

Interfaces to Other Building Systems

Alarm and access control systems begin to perform wonders when they are interfaced to other building systems. Typical interfaces include fire alarm systems, elevators, park-ing control systems, lighting control systems, signage, roll-down doors, private automatic branch exchange systems, paging systems, water features, irrigation control systems, and even escalators. The primary purposes for interfacing alarm and access control systems to other building systems are to control access to things other than doors and gates, enhance safety or convenience to building users, auto-mate building functions that would otherwise be handled manually or by numerous other systems, or insert a delay into the path of an intruder.


Legacy Systems Integration

One of the key challenges facing enterprise security systems designers is how to integrate the new technology into older, legacy systems. Typically, government entities and large corpo-rations have developed their security systems in a somewhat haphazard fashion. This resulted from the fact that electronic security was initially addressed at the local level in almost all large organizations, and only later did they come to realize that there was a value to having a sin-gle standard across the entire organization. The result was that most organizations had many dif-ferent types of products across various sites that were difficult to blend into a single contiguous system. To complicate this problem, the security industry has a long tradition of proprietary sys-tems that are not based on any single standard (with the exception of CCTV systems, which had to conform to the preexisting NTSC standard). Virtually every alarm and access control system and every major security intercom system used components that could not be interchanged.

This problem was compounded by the early introduction of digital video systems that were based on proprietary compression technologies, which again ensured that the stored data could not be shared with their competitors’ products. The first piece of good news is that the entire suite of enterprise security system components connects to Ethernet data infrastructures.

There are three bad news, not entirely small problems:

· Older and current alarm and access control systems still use proprietary software interfaces that in most cases are not intended to link their data with other competing systems. Manufacturers still seem to hope against all logic that their clients will gleefully abandon all installations made by other manufacturers and replace them with equipment made by them.


· Different digital CCTV manufacturers have adopted varying video compression technologies, making interfacing to a single standard difficult. Some manufacturers have even modified existing compression algorithms to become proprietary to them alone.

· As security intercom manufacturers move to digital products, they are also adopting numerous different compression protocols, again making a single platform more difficult.


Now the second piece of good news: Computers are very good at operating multiple protocols together on the same platform. This means that unless the compression protocol is truly unique, it is possible to combine multiple protocols into a single operational platform.

The third piece of good news is that some of the alarm and access control system manufac-turers are beginning to make uniform interfaces to create multisystem interoperability.

The fourth piece of good news is that, in almost all cases, it is not necessary to fully inter-face different systems together to get them to cooperate in truly meaningful ways.

Data Versus Hardware Interfaces

Alarm and access control systems are often interfaced to other building systems, such as ele-vators and building automation systems. There are two ways to accomplish these interfaces. They can be realized either by exchanging data information or by handshaking with dry con-tacts between the two systems. There are advan-tages and disadvantages to both approaches.

Data interfaces have wonderful advantages. First, a single data interface (one little wire) can last a lifetime, no matter how many times the systems are expanded, adapted, and upgraded. Once the original data interface is connected and the software is interfaced, the systems can be adapted repeatedly to expand the quantity and functions of the interfaces.

Second, the single wire can control an empire. Once an interface is conducted on a network, it is global. It is not necessary to interface each and every site if the systems can communicate by a data interface.

Although data interfaces are wonderful, because they rely on software and they are vul-nerable to software upgrades. When software is upgraded, it is not uncommon for software programmers to forget the little details of the last issue that almost nobody used. Nobody used it; it cannot be important enough to keep updated while we are under a tight schedule to meet the upgrade release date. We can pick that up in a patch later. Thus, the poor unsuspecting client eagerly waits for his or her new software upgrade to install it and the interface does not work anymore—instant software data interface vulnerability. There are indeed organizations that have had to reinstall obsolete software to maintain an old data interface.

Likewise, there are advantages and disadvan-tages to hardware interfaces. Hardware inter-faces are accomplished by connecting the dry contact of a relay in one system to the input point of another system. This allows the first system to signal the second system that some condi-tion has changed and the second system should do something about it. This simple principle is multiplied to accommodate as many individual connections as each system needs. Relays can be combined to perform logic (and, or, not, and if), and they are reliable. Once a relay interface is set up and tested, it does not matter how many times the software is updated on either system. It will always work.

The disadvantage of hardware interfaces is that they are generally site specific and they are entirely inflexible. If the system is expanded, and more interface points are needed, more relays and more inputs will be required—more expense every time there is a change or expan-sion. Thus, it is a trade-off. Each system requires an individual decision as to what is in the best interest of the organization.

CCTV and Digital Video Systems




Evolution of Analog Video Systems

The Bookends of Time

There was once a time when video cameras were a very rare element in security systems. Any system that had even one video camera was considered the pinnacle of high technology security systems. Now security video cameras are available for under $100. In the old days, the ability to see outside the building was consid-ered extraordinary. Today, cameras are used to determine if a particular person in a crowd of 50 is acting suspiciously without human interven-tion and then alert a security officer to that fact for further analysis. This kind of automation can be occurring across 1000 cameras over an entire subway system, vastly increasing the value of the security organization to the city it serves.3

How Analog Video Works

Television video was invented by Philo Farnsworth, who was an employee of Thomas Edison. This inventive genius worked out that if you could control the movement of a directed electronic beam against a phosphorus surface affixed to glass within a vacuum tube, you could “paint” the phosphor with a luminous line. Vary the intensity of the beam and you can make it glow brighter and darker. Cause the beam to return to its origin and shift it down a bit over and over again and you can paint a picture on the phosphorus screen. Carefully select the phosphor so that it glows for exactly the time it takes to write one complete frame and time that to be slightly faster than the persistence of the sensitivity of the human retina and you have moving images. Television—what a concept!

3 The designer is cautioned to select intelligent video systems with great caution. Like buying a bar at retirement, the dream is often sweeter than the reality unless careful research, testing, and selection occur before the system is implemented.

The earliest security video systems hardly qualified to fit the term, having only one or two tube-type (black-and-white Vidicon) cam-eras, some coaxial cable, and one or two black-and-white video monitors. Vidicon’s tubes and monitors required annual replacement. A huge advance in sophistication occurred when RCA invented the sequential video switcher. This handy box connected up to 16 video cameras and displayed them on two video monitors. One sequenced through all the cameras, and the sec-ond displayed one’s favorite camera view.

The Branch

Then video evolution took a branch that still continues today. On one branch was the development of a device called a “quad.” This device displayed four video cameras on a single screen and recorded them all on a single tape. On the other branch was an extension of the old sequencer, the video matrix switch. The video switch allowed the connection of many cameras (as few as 16 and as many as 64 in the early days) and could display them on up to four (or eight) video monitors. A keyboard gave the user the ability to program any camera to any monitor and could also sequence cameras to one or more monitors.


It was at approximately this time that vid-eotape recorders became useful for security projects. Prior to that, videotape recorders used reel-to-reel tape, with early recorders using 2-in. tape to record only 1 h of video, and the record-ers were the size of a small chest of drawers. Recorders did not become practical for any secu-rity application until RCA invented the enclosed 3/4-in. U-matic videotape cartridge. The U-matic tape recorder was the size of a piece of luggage but would record up to 2 h. Soon after, Phillips invented the VHS tape recorder and the U-matic was history. The VHS tape recorder was small and could record up to 6 h of video. Then in the early 1990s, a company called Robot introduced


a VHS recorder that was able to record up to 24 h in combination with a totally new device, the video multiplexer.

The major problem was that at that time it was not common to break video images down, which stream at a rate of 30 frames per second, to a series of individual frames at a rate of 4 frames per second.4 Such a device would have to be able to store one image from each camera and discard the next three.

The multiplexer was specifically made to work with the new 24-h recorder and vice versa. What was truly unique about this new pair was that it worked in a totally new way to achieve the remarkable result of 24-h recording. A Robot researcher determined that although the VHS recorder could not record a continuous stream of any video slower than 6 h, it could nonethe-less record a huge number of individual frames of video if they were sequenced to the recorder in individual images. This approach resulted in its ability to record almost exactly 2 frames per second for 16 cameras. VHS recorders were designed to record a single stream of video that fed at a rate of 30 frames per second. The new multiplexer sampled a frame from each camera for every half second and fed that frame as a still image to the video recorder. Thus, the new 24-h VHS recorder stored one frame from each cam-era in sequence until all were recorded and then began again with the first camera. The new mul-tiplexer passed a single frame of video from each of 16 cameras in sequence to the video recorder and then started all over again. To do this, the

multiplexer had to do something completely new. It converted the analog scanned video into a series of digitized single frames. It was then possible to store digital frames individually on tape moving much slower than one could store an analog frame. At the time, the digitization of video was a footnote to the achievement of the multiplexer. Hardly anyone took notice. However, a few of us in the industry took note and began predicting the future. I began talking about the coming digital revolution as early as 1993.



Capturing and Displaying Analog Video

Analog video is created in a video camera by scanning an electron beam across a phosphor. The beam intensity is determined by the amount of light on each small area of the phosphor, which itself responds to the light being focused on it by a lens. That beam is then transmitted to a recording, switching, or display device. Analog switchers simply make a connection between devices by closing a relay dry contact. Recorders simply record the voltage changes of the electron beam onto tape and display devices convert the voltage back into an electron beam and aim it at another phosphorus surface, which is the display monitor that is viewed.

4 There were a few selected examples of “frame grabbers” that created digital images from analog video signals. A typical implementation included a circuit to select the horizontal and vertical synchronization pulses from the video signal, an analog-to-digital converting circuit, a color decoder circuit, memory to store the acquired image (frame buffer), and a data interface that the computer could use to control the acquisition of the video signal. Early frame grabbers had only enough memory to acquire and store a single frame, hence the name. Modern stream-ing video systems derive from this early technology.

Capturing and Displaying Digital Video

Digital video images are captured entirely differently. Light is focused by a lens onto a digi-tal imager. This is an integrated circuit in which the “chip” is exposed rather than covered by the plastic body of the chip, as in a normal inte-grated circuit. It is a little known fact that virtu-ally all integrated circuits respond to light. Early electronic programmable read-only memory chips were in fact erased of their programming

How Digital Video Differs From Analog


by “flashing” them with light. This phenomenon was utilized to make an integrated circuit that comprised hundreds of thousands (today mil-lions) of individual light-sensitive chips. When light was focused on this chip, it responded by creating a different voltage in each individual picture element (pixel) in direct proportion to the amount of light striking that particular element. A matrix was formed from the output voltages of each row and column of chips, and this lattice was then scanned to replicate the voltage of a conventional tube-type video imager. The result was the world’s first digital imager. Video can be displayed in much the same way as it is gathered. The most common technologies today are liquid crystal displays (LCDs) and plasma displays for directly viewed displays and digital light pro-cessor (DLP) devices for projected video. All of these are variations of the same basic concept. A semitransparent color pixel (blue, green, red) is arrayed in front of an illuminator. The video image is fed to the display and the pixels do their job, displaying the video images. LCDs have become the de facto standard for smaller displays, and both plasma displays and LCDs are common for large screens. DLP projectors accommodate most displays over 60 in. diago-nal, except for video walls, which are composed by grouping arrays of LCD, plasma, or projected video box displays.




Archiving Analog and Digital Video

Analog video is transmitted as a fluctuating voltage with codes embedded for color, hue, and gamma. This fluctuating voltage is processed and fed to a recording head. The basic analog recording head for video works on the same principle as an analog audiotape recorder; that is, current is fed to a specially formed electro-magnet, which is formed to present a smooth surface to the tape that is being swept across the head by a pair of rotating reels. The elec-tromagnet has a very tiny gap, across which a magnetic flux is developed in response to the fluctuating current. As the tape is rolled across the tiny gap in the recording head, the tape is magnetized in direct proportion to the current in the electromagnetic head. To play the tape back, the same tape is moved past another play-back head, and the magnetic signals recorded on the tape are converted back to electrical cur-rents, corresponding to the originally recorded signal. Videotape differs from audiotape in that the heads are slightly tilted and spun to record a series of diagonal stripes, each corresponding to a field of a video frame (Fig. 6.18). There are two fields for each video frame, and these are inter-laced such that the first field records or displays 525 stripes of video. The beam is then shifted down to an area between the first and second stripes of the first field, and then the process is




FIGURE 6.18 Helical scan recording head.


repeated for the second field of 525 stripes. When both fields are displayed together, the result is that the two fields are combined together to form a single video frame. Two fields are used because by painting the entire screen twice and by shifting the second field slightly down from the first field so that its lines lie in between the lines on the first field, the image is of higher res-olution than that of just one field and they are interlaced so that the eye does not catch the time difference from the first stripe at the top of the screen to the last stripe at the bottom.

Digital video is transmitted instead by a string of data packets. Each packet is composed of ones and zeros in a designated format. The packet has a header, footer, data, and, some-times, encryption.5 The header has the packet address (where it comes from and where it is going, what kind of data are in the packet, how much data are in the packet, the camera identi-fier, date and time, and other information). The footer has information that closes the packet so that the destination device knows it has received the whole packet. Each packet of video is stored on digital disk or digital tape, and the video can be retrieved based on its time code, camera number, the alarm condition that the video is recording, or any other criteria that may have been stored in the header.

Digital Transmission Systems

Digital video packets are transmitted in either of two basic protocols: Transport Control Protocol (TCP) or User Datagram Protocol (UDP)/RDP. TCP is a one-to-one communica-tion relationship—one sending device and other receiving device. Well, that is not entirely true.

5 Encryption is a process of replacing clearly written text language (clear text) with a substitute of mixed-up char-acters (or even pixels of an image) so that the meaning of the text is concealed. The intended recipient will have a key to unlock the clear text from the garbled letters, numbers, or pixels so that the message can be read.

TCP packets can in fact be broadcast to many destination addresses, but it requires opening an individual one-to-one session for each des-tination device. Where many cameras and sev-eral monitoring stations are involved, this can consume so much of the network’s resources that the entire system can freeze from data over-load. For these situations, the network designer selects UDP or RDP protocols.

Digital Basics

One cannot really understand digital video without understanding digital systems. To understand digital systems, one must under-stand the TCP/Internet Protocol (IP), on which all digital video systems are based. Protocols are the basic language and culture of digital sys-tems. In the beginning, there were numerous noncompeting digital protocols and languages. Each was developed by scientists and engineers for a specific purpose and application. There were two challenges: how to get computers to talk the same language regardless of the oper-ating system or program language and how to get the signals from here to there in the physical world. These were separate problems, but both had to be solved for networks to work at all. Basically, the early data communication solu-tions broke down into methods that were spe-cific to either military or academia. In fact, the military funded most early digital communica-tion efforts, and academia began working on the problem for the military (the beginning of a long and prosperous funding relationship for aca-demia). Soon after the first viable computer was built, at which time there existed only several computers in several universities and military research agencies, the idea of networking these computers occurred to the users. The Applied Research Programs Agency (ARPA; a branch of the US military) funded a program to develop a network that would network the various com-puters together. ARPANET was born. Now, early in the development of any new technology, there are competing ideas that are developed to

How Digital Video Differs From Analog


solve the unique problems of the organization that it serves. Some of these turn out to be really good ideas, but most do not. They might have gotten the job done for the specific application, but networking requires a simple, robust way of getting many different computers to exchange communications through a common language. It is necessary to make sure that the communi-cation has actually occurred and that only the intended recipients get the message. There were many challenges. Just getting signals across the nation was a major task because only telephone lines existed to get the job done. ARPANET did just that, along with the development of the digital modem, which converted digital pulses into audio tones and then reassembled the tones back to data at the receiving end. ARPANET later evolved into the World Wide Web.6 At the same time that ARPANET was evolving into the World Wide Web, other scientists were strug-gling with how to get the signals from here to there in the physical world. Basically, three ways evolved. The first worked for point-to-point communications, connecting any two comput-ers together, and this involved the invention of modems. The second and third ways involved connecting many computers together in a true network and two approaches developed, from which a truly rich tapestry of interconnections has evolved. The first is a ring network and the second is a line, hub, and tree family of net-works. Both approaches functioned by connect-ing individual digital devices (nodes) onto a network. In early ring networks, a token (thus the term token ring) was passed from node to node like a baton in a relay race. Whoever has the token can talk. Everybody else gets ready to listen.7 When the node with the token is done

6 Griffiths, R. T. 11 October 2002 From ARPANET to the World Wide Web. Leiden University, Leiden, The

Netherlands. Available at www.let.leidenuniv.nl/history/ ivh/chap2.html.

7 Cisco Education, available at www.cisco.com/univercd/ cc/td/doc/cisintwk/ito_doc/tokenrng.html.

dumping data on the ring, the token is passed onto the next node on the ring. It examines the data to determine if it is the addressee and, if it is, it downloads the data; otherwise, it passes it onto the next node, after adding its own mes-sage to the data. Token rings are robust because there can be no collisions of data messages on the network. They work well as long as the data being sent is relatively small. When the data movement becomes large, token rings break down under the weight of all the data, and the ring moves slower and slower as each node pro-cesses what it does not want and adds its own to the message. Remember, however, there is never a collision because only one node can be on the ring at any given time.

The other method that was developed was collision based. The earliest of these were line communication systems in which each node attached to a common communication line, such as a coaxial wire. Any node could get on the line at any time and transmit, and every node was in listen mode if it was not transmitting. The great idea of this approach was that nodes did not have to wait for a token to be passed to them to listen; they were pretty much always listen-ing. This greatly reduced total traffic on the net-work. The problem was that if two nodes tried to transmit at the same time, there was a colli-sion and no other node could hear because the data turned into noise, like a room full of peo-ple arguing where no one can be understood. This approach required a protocol that could handle the collisions. Two methods were used to handle the collisions. The first was that the single long data streams of token rings were broken down into smaller individual packets of data that would be transmitted and then reas-sembled at the receiving end. The second was an embedded code that told the receiving node that it had in fact received all the packets of the message to which the packet belonged. So if a message consisted of 25 packets and only 23 were received, the receiving node would call out on the network for the two missing packets,


and the sending node would resend only those two packets. When all the packets of the mes-sage were received, the receiving node would call back to the sending node with a message that all packets had been received and that com-munication was over. This approach took some working out for several years until the highly robust and reliable TCP/IP protocol suite was developed and refined. Along the way, the net-work protocols developed virtual local area net-works (VLANs), virtual private network (VPN) subnets, and even so-called supernets. In theory, there is no practical limit to the number of nodes that can be connected to a TCP/IP network. Today, we are working on IP version 6 (IPv6), which has a potential limit in the trillions of con-nected nodes, all communicating together on a common backbone, the Internet. After the pure line network came hub or star networks. The hub was simply a line network in which there was a single central point to which all the nodes connected. That device was called a hub. Hubs work well for a few nodes, for example, up to 256 nodes, depending on traffic. However, as the number of nodes increases, so does the number of collisions of data packets. A collision is when two data devices try to send a data packet on the same line at the same time. It is a funny thing about physics: It always works. For anyone who wondered if the data world somehow is more mysterious than the physical world, collisions prove the fact that the same rules work every-where. As in any other kind of collision, things get broken. So when a data collision occurs, neither packet can get through intact. Neither packet gets to its destination; both must be sent again until each one is on the data bus alone to find its destination. Until then, both data devices may send the same packet repeatedly until one of them makes it, and then the other packet will have no competition for the data bus and it can find its destination too. Thus, with increasing collisions comes increasing traffic. In fact, there is a critical mass beyond which there are more requests to resend information than there can

be new information being sent. That is a system crash.

This problem can be resolved by analyzing the data traffic on a typical network, which will almost always prove that most traffic across the network does not in fact have to be sent across the entire network but only to nodes8 that are logically (and often physically) grouped together—for example, nodes within a specific building or a campus. By limiting that kind of traffic to just the nodes within that group and making exceptions for traffic that specifically asks to go outside the group, we can vastly reduce the amount of traffic, again making more overall traffic a reality. The device that does this is a data switcher. The data switcher is capable of switching traffic only to the devices to which the data are being addressed, based on a logi-cal group so that most traffic is unencumbered by the other traffic that does not need to go out to the overall network. Fewer connections, fewer collisions, and more traffic. So a switch is a device that determines where data go.9 As many nodes connect together using switches, they form a local area network (LAN).

There is a higher level of restriction than that of switches. Routers can do the same job for entire buildings and a campus, making sure that traffic that does not really need to go from

8 Node is a common term meaning a network drop— that is, a computer, printer, server, or other device that feeds data to/from the network.

9 People who are learning about network architecture are often confused by the terms hub, switch, router, and firewall. A simplified but easy way to remember these is that a hub connects nodes together, a switch determines where data go, a router determines what kind of data go, and a firewall blocks malicious data traffic. These devices can be combined elegantly to construct a network that sends data exactly where and to whom it should go and denies malicious data from ever landing on the network. Modern data devices can combine the functions of switch, router, and firewall into a single device called a network gateway.

Wireless Digital Video


Chicago to New York stays on the Chicago campus. Routers connect individual LANs into wide area networks (WANs). Routers can even be used to create logical subnetworks (sub-nets) that can ensure that the security system is inaccessible on the company’s administra-tive network. A subnet is essentially a VLAN (a network within a network). Routers are also capable of creating a VPN, which is essentially a tunnel within a network or Internet con-nection that shields the session from prying eyes on the network or Internet. This is use-ful when a remote user is compelled to use the Internet for private company work. Think of it as a wormhole through which you could operate your laptop at home as though you were actually connected by hardware directly to your network at work. This is different than an Internet session that can easily be hacked. A VPN shields the communication between your laptop and your network within a force field of encryption. VLANs and VPNs are used to facilitate communications between segments of an enterprise security system across a corpora-tion’s WAN or across the Internet.

Routers also route data not just based on its intended address but also based on what kind of data they are. For example, certain types of data can be “zipped right past” other switches and ports on the network if those ports have no need to see that kind of data. This is an impor-tant principle for security systems that we will understand better as we begin to discuss uni-cast and multicast data types later. Digital video systems sometimes use multicast-type data to conserve the bandwidth of the LAN. However, many devices cannot coexist with multicast data, so a router is used to ensure that those devices never see the multicast data.

Remember the ring? Did you think it was dead with line and tree networks? Oh, not so! One critical element of enterprise security sys-tems is that they need to be reliable, redundant, and robust. By connecting a line of switches together and closing the two ends of the line,

we get a loop or ring again. By adroit switch programming, we can configure the system such that it communicates not just one way to home but both ways around the loop. Again by adroit switch and router programming, we can configure the loop so that if one switch or node is lost, for example, if the loop is cut, the others will communicate left and right from the cut in the loop so that only the node and not the entire tree is lost in the pruning. Routers and switches can be programmed so that the loop heals itself and reports the lost node so repairs can be made in a timely manner. I recommend designing all enterprise-class security systems as a dual-redundant self-healing loop wherever possible.


Conduit and wiring are expensive. It can represent up to 70% or more of the total cost of outdoor systems. However, conventional wis-dom is that wired reliability is not possible in wireless systems. That is not so. If the goal is to replicate a dual-redundant self-healing wired loop, it is indeed possible and practical to do so at lower cost compared to that of conduit and wire. However, there are a few problems, which will be discussed here.

Wireless Approaches and Frequencies

There are usually many ways to do things, and that is certainly true for wireless video. Following is a list of the most common ways of transmitting video wirelessly:

· Laser: Although becoming more difficult to find, laser transmitters and receivers have several advantages over other methods. The system typically comprises a laser transmitter and receiver pair, with optical lenses and weatherproof enclosures. The system is normally one-directional, so it is


not well suited for pan/tilt/zoom cameras that need control signals. Laser video transmitters are immune to radio frequency noise but are affected by heavy fog or rain or blowing objects (Fig. 6.19).

· Microwave: Microwave wireless systems can transmit either analog signals or data. Unlike laser and many radio systems, virtually

all microwave systems require a license. Properly applied microwave systems can transport signals at considerable distances, typically up to 20 miles. Microwave systems can be bidirectional and require careful, permanent placement. Although temporary systems exist, those are usually deployed by the military, not for civilian use. Microwave systems are subject to different interference factors, including fog, rain, lightning, and other microwave signals. However, when fiber is not practical and radio frequencies are a potential problem due to other radio frequency interference, microwave is often a sure thing (Fig. 6.20).

· Radio: Most wireless video today is transmitted over radio waves. These can be

either analog or digital. Radio-based wireless systems are of two types: licensed and unlicensed. It is often more reliable to use licensed systems for permanent installations because interference is less likely.

· Frequencies: The following are common frequencies for radio video transmitters/ receivers:

440 MHz (FM TV–analog)

900 MHz (FM TV–analog and digital) 1.2 GHz (FM TV–analog)

2.4 GHz (FM TV–analog and 802.11 digital)

4.9 GHz (public safety band) 5.0–5.8 GHz (802.11 digital) 10–24 GHz (digital)

FIGURE 6.19 Laser communicator. FIGURE 6.20 Caption Microwave tower.

Wireless Digital Video



There are very few analog transmitters and receivers available today. Most of them are in the UHF frequency band. Analog transmitter/ receiver pairs suffer from radio frequency noise and environmental conditions more so than do digital systems, and their signal becomes weaker with distance, affecting their image quality. Analog radio systems directly transmit the analog PAL/NTSC video signal over the air. Most of these systems require a license if their power is more than 50 MW.

NTSC is a transmission standard named after the National Television Standards Committee, which approved it for use in the United States. It transmits a scan rate of 525 at 60 Hz and uses a video bandwidth of 4.2 MHz and an audio car-rier of 4.5 MHz.

PAL stands for phase-alternating line. PAL is used in many countries throughout Europe, Africa, the Middle East, South and Southeast Asia, and Asia. PAL signals scan 625 lines at 50 Hz. The video bandwidth is 5.0 MHz and the audio carrier is 5.5 MHz. Some countries use a modified PAL standard called PAL N or PAL M. PAL N has a video bandwidth of 4.2 MHz and audio carrier of 4.5 MHz. PAL M has a scan rate of 525 lines at 50 Hz, video bandwidth of 4.2 MHz, and audio carrier of 4.5 MHz.

Analog frequencies were shown previously as FM TV (see the list earlier).


Digital radio frequency systems transmit IP (TCP/IP or UDP/IP) signals over the air. Typically, to transmit video, either the video signal is sourced directly from an IP-enabled video cam-era, or an analog video signal (PAL/NTSC format) is converted to UDP/IP through a video codec.

Transport Control Protocol or User Datagram Protocol

The main difference between TCP/IP and UDP/IP is that, although both are IP, TCP is a

method for ensuring that every packet reaches its destination. When one does not, the destina-tion computer makes a request to the transmit-ting computer to resend the missing packet. This results in more traffic. For data such as video or audio, which are dynamic and constantly chang-ing, there is no point in going back for a packet because the image will already have been dis-played or the audio will have been heard. Thus, UDP/IP is used. UDP is a connectionless pro-tocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive data over an IP network. It is used primarily for broadcasting video and audio over a network.


Common digital radio frequencies are 2.4, 5.0, 5.8, and 10–24 GHz. Some of these frequen-cies are unlicensed and others require a license. Generally, 802.11a/b/g/i does not require a license, whereas other protocols do.

Latency Problems

Digital signals insert circuit delays called latency. Latency is normally measured in milli-seconds (ms), microseconds (μs), or nanoseconds (ns). Cabled wire inserts zero millisecond latency. High-quality digital switch latency is measured in the microsecond range. The very best switches measure latency in nanoseconds. Latency becomes a significant problem above 150 ms. You should strive to design systems that have latency under 50 ms. Long latency times have three poten-tial effects: First, you are not seeing the video in real time, but instead you are seeing a delay of the actual image. Second, you are not controlling a pan/tilt/zoom camera in real time. This is a major problem. Imagine trying to pan/tilt/zoom a camera to look at a license plate in a parking lot. Now imagine that each time you adjust its posi-tion, it overshoots its target because you are look-ing at the image later than the camera is sending


it. This requires a constant adjustment until you can finally, and with much frustration, target the license plate. Following a moving target is utterly hopeless. Last, very long latencies (>1 s) can on many systems cause the TCP/IP processing to lose track of packets, resulting in the sending of many duplicate video packets or the loss of video packets. The loss of packets results in very bad or totally useless video, and the sending of addi-tional packets can result in even slower (possibly useless) transmission that is so full of duplicate packets that no entire image can be received in a timely fashion. This is especially true of satel-lite transmissions. Low latency is good. The best digital wireless systems insert less than 1 ms per node. Some common system design approaches can inject up to 35 ms per node.

latency delays exceeding 240 ms and the expense of a fixed IP address on a satellite dish. The time to set up precise dish positioning can be up to one-half hour, depending on skills (some people never get it). We have seen satellite latency of up to 2500 ms. That kind of latency is almost impos-sible to deal with.

Satellite Phone

Satellite phones can also be used to transmit video. Unlike satellite dishes, no precise position-ing is required. Simply turn on the radio, connect the video camera, establish the communication, and send. Satellite phones are very expensive, as is their satellite time, but for reporters in the field and offshore oil platforms, they make a great backup to satellite dish communications.


Video can also be sent via satellite. There are two common methods.

Satellite Dish

Satellite dish transmission uses either a fixed or a portable satellite dish to uplink and down-link to a geosynchronous satellite. In the fall of 1945, a Royal Air Force electronics officer and member of the British Interplanetary Society, Arthur C. Clarke [the famed author of 2001: A Space Odyssey (1968)], wrote a short article pos-iting that if a satellite’s orbit positioned directly over the equator could be configured such that it rotated at exactly the same speed as the rotation of the earth, then it would appear to “hang” motion-less in orbit above a fixed position over the earth. This would allow for continuous transmissions to and from the satellite. Previous early communica-tion satellites (Echo, Telstar, Relay, and Syncom) were positioned in low Earth orbits and could not be used for more than 20 min for each orbit.

Satellite video is fraught with four major prob-lems: precise positioning, weather interference,

Latency Problems

All satellite communications insert very high latency, typically more than 240 ms. This is use-less for pan/tilt/zoom use, and the insert delay makes voice communications tricky. However, if you cannot get communications there any other way, it is a real blessing. For unmanned offshore oil platforms, when connected to an alarm sys-tem, the video can confirm that a fishing vessel has moored itself out 100 miles from shore and that a break-in on the platform is occurring. Combined with voice communications, those intruders can be ordered off the platform in vir-tual real time with an indication that the vessel number has been recorded. During high-secu-rity levels, the video system allows for a virtual “guard tour”of the platform, without the need to dispatch a helicopter at a cost of thousands of dollars for each sortie.


There are three basic wireless architectures, and they are an analog of the wired networks.

Wireless Architectures



Point-to-point wireless networks are com-posed of two nodes, and they communicate wirelessly between the two. It is analogous to a modem connection. Wireless point-to-point con-nections require a line-of-sight signal or a good reflected signal.


Point-to-multipoint connections are networks in which a single wireless node makes connec-tion to several or many other wireless nodes. The single wireless node serves all the others, and all of them communicate to each other through the same single node. This is analogous to a hub or switch or router connection. Wireless point-to-multipoint connections also require line-of-sight signals or absolutely reliable reflected signals.

Wireless Mesh

Wireless mesh systems are like the Internet. That is, each node connects onto the matrix of the mesh and finds as many connections as it can. It selects a primary connection based per-haps on best signal strength or rules set for the least number of nodes between the source and destination node. If the node cannot talk directly to the destination node, then that sig-nal will “hop” through other nodes until it finds the destination node. A wireless mesh is like the Internet. You may not know how you got to a server in Europe, but you sure can see the web page. Wireless meshes can let signals hop sev-eral times, so even if there is no line-of-sight con-nection available, you can almost certainly hop around that oil tank, tree, or building by jumping across several other nodes that do have line-of-sight connections to each other. A well-designed wireless mesh network will automatically and continuously search for the best available con-nection or shortest available path for each and every node from its source to its destination.

It will do this every time, all the time, making sure that you always have a good, solid signal.

Full-Duplex Wireless Mesh

Old radio-heads like me know that there are two ways of talking over the air: half-duplex and full-duplex. The difference is critical for dig-ital video systems, and if the reader learns any-thing about wireless systems in the book, this is the thing to understand. In half-duplex systems, each node (transceiver) can either listen or talk but cannot do both at the same time. So when it is talking, it is not listening. When it is listen-ing, it cannot talk. For a digital video system, the bandwidth of the transceiver is effectively cut in half, not because it has in fact less bandwidth but because it is communicating bidirectionally only half the time. For a 54-GHz system, it starts out of the box as a 27-GHz system. Subtract net-work overhead and encryption and you are left with approximately 22 or 23 GHz less available bandwidth. OK, you say, I can live with 22 GHz. However, if you understand that the purpose of wireless mesh networks is to use the mesh to retransmit video from node to node, it takes on new meaning. That loss of half of the bandwidth occurs with each retransmission. From the first node to the second, bandwidth is 22 GHz minus the video signal (e.g., 2 GHz), leaving 20 GHz. From the second node to the third, it is halved again from 20 to 10 GHz, and now we subtract the second video camera’s signal load too. That is another 2 GHz, leaving only 8 GHz. There is not enough bandwidth left to safely add a third camera because we need to reserve at least 6 GHz of overhead for communication snafus. We are effectively out of bandwidth after only two camera nodes.

On the other hand, full-duplex wireless nodes communicate both directions (transmit and receive) all the time. That is because a full-duplex wireless mesh system uses two radios in each node (one transmitter and one receiver). By care-ful antenna selection, we can transmit and receive


continuously at each wireless node. Considering our example again, we can communicate digital video effectively across up to 10 nodes, assuming a 2-GHz drop for each camera (I use a standard of four hops). Another trick is antenna selec-tion. There are basically two types of antennas for all radio systems: directional and omnidi-rectional. An omnidirectional antenna transmits or receives in a pattern like an apple. There is a slight pinch at the top and bottom of the pattern, but the rest of the radiation pattern is spherical, at least in the horizontal plane. Directional anten-nas narrow their “view” by restricting the view that its designer does not want. By “pinching” the part of the spherical radiation pattern that is unwanted, the part that is desired is lengthened, sometimes considerably. This creates “gain.” Useful signals can be derived from either a line-of-sight connection or a single reflected signal. However, that reflected signal can be a problem if the receiver can see both the original and the reflected signal. Reflected signals arrive later than line-of-sight signals because they are trav-eling a longer distance from source to destina-tion. All antennas suffer from a phenomenon called multipath. Multipath signals are signals that originate from the transmitting source but from at least two sources, at least one of which may be a reflected signal. There is another type of antenna that is little known (at least until now) called a multiphased omnidirectional antenna.


Video analytics is a technology that processes a digital video signal using a special algorithm to perform a security-related function. There are three common types of video analytics:

· Fixed algorithm analytics

· Artificial intelligence learning algorithms

· Facial recognition systems


The first two of these try to achieve the same result. That is, they try to determine if an

unwanted or suspicious behavior is occurring in the field of view of a video camera and the algorithm notifies the console operator of the finding. However, each takes a dramatically dif-ferent route to get to its result. Fixed algorithm analytics use an algorithm that is designed to perform a specific task and look for a specific behavior. For example, common behaviors that fixed algorithm analytics look for including the following:

· Crossing a line

· Moving in the wrong direction down a corridor

· Leaving an article

· Picking up an article

· Loitering

· Floating face down in a swimming pool


Each fixed algorithm looks for a very specific behavior. The client must pay for each individ-ual algorithm for each individual video camera in most cases.

Artificial intelligence learning algorithms operate entirely differently. Learning algorithm systems begin as a blank slate. They arrive com-pletely dumb. After connecting to a given cam-era for several weeks, they begin to issue alerts and alarms. During that time period the system is learning what is normal for that camera’s image during the day, night, weekday, weekend, and hour by hour. After several weeks, the sys-tem begins to issue alerts and alarms on behav-ior in the screen that it has not seen before or that is not consistent with what it has seen dur-ing that time period for that day of week.

An example illustrates the usefulness of this approach. In one early installation at a major international airport that was intended to spot children climbing on a baggage carousel, the system alerted on a man who picked up a small bag from the carousel and placed it inside an empty larger bag. The man was intercepted and interrogated only to discover that the luggage inside his did not belong to him and that he was part of a ring who came to the airport regularly

Lenses and Lighting


to steal baggage in this way. The airport had no idea this was even occurring, so there was no way they could have purchased a fixed behavior algorithm for this, even if such existed (which it did not). This approach to video analytics is most useful.

The third type of analytic is facial recognition. Facial recognition systems can be used for access control or to help identify friend or foe. Facial recognition systems can also be used to further an investigation.

Typical facial recognition systems match points on a face with a sample stored in a data-base. If the face does not match a record, it will try to create a new record from the best image of that person available. These are capable of making real-time matches of one image against many. The latest version of facial recognition systems constructs 3-D maps of faces in real time and compares those to a truly vast database. One manufacturer claims to be able to match individuals in real time against a country-sized database of images (millions of records).

Traditional facial recognition systems require well-lit scenes and fairly static backgrounds. The latest versions are reported to work under fair to poor lighting and with dynamic backgrounds.


Lenses are to video what loudspeakers are to audio systems. Just as there is a dramatic differ-ence in the quality of audio depending on the quality of the loudspeaker playing the music, so also the quality of lenses directly determines the quality of the video image. For many years, security installers used to place cheap plastic lenses on otherwise good video cameras to pres-ent a price advantage against their competition. The result was very poor and sometimes virtu-ally useless video images. With the introduction of megapixel video cameras as expectations of better quality images increased, many users were very disappointed to see poor images from

very expensive cameras when the installers fit-ted them with standard quality lenses.

It is very important to use only good lenses on every video camera. And it is especially important to use only megapixel quality lenses on megapixel video cameras. A good lens will be all glass, coated to reduce flare, and should be an achromatic design, which brings red and blue to focus at the same point on the focal plane. Manufacturers of cheap plastic lenses often use euphemisms to conceal their poor construction, calling them something such as “optical resin.”

Lenses should be back-focused in the cam-era to assure that its focus is exactly fitted to the camera. The designer should pay attention to be sure that this has been done and quiz the installer on how it is done so that one can be certain the required skills are present in the installer.

Likewise good lighting is essential for a good quality image. Good lighting has three main components: lighting level, lighting contrast, and lighting color temperature.

Lighting Level

Adequate lighting is needed for good video. I suggest reading Guide to Security Lighting for People, Property, and Public Spaces, prepared by Illuminating Engineering Society of North America (IESNA) Security Lighting Committee. A 73-page report is available as a free download on the Internet.10

A minimum lighting level is at least 1 ft-candle, measured at 1 m above the ground with a qual-ity “incident-type” light meter. Incident-type light meters measure light on a white translucent surface on the meter itself. Reflected -type light meters measure light reflected from the scene. The light reading should be taken in the scene with an incident-type meter, not at the video camera with a reflected-type meter. While 1 ft-candle can provide a minimally acceptable

10 http://www.smsiinc.com/pdfs/security-lighting- HYPERLINK "http://www.smsiinc.com/pdfs/security-lighting-guide.pdf" guide.pdf.


lighting level for a walkway or parking lot, a level of 5 ft-candles or greater is required for a truly good image. Specifications should require 5 ft-candles around building entrances, walkway nexus points, and undercover parking (including parking structures). The more light the better. By way of comparison, the range of typical outdoor daylight is about 6000 ft-candles.

Light level terminology can be confusing. Light sources are measured in lumens. Light on a surface is measured in both foot-candles and lux. Although the math can be tedious, the prac-titioner can roughly convert 1 ft-candle to 10 lux. One foot-candle is the amount of light on a sur-face exactly one foot from a candle.

Lighting Contrast

Lighting contrast is the difference in light level between lightest and darkest areas in the scene. If everything were lit at exactly the same level and the subject wore clothing simi-lar to his or her skin color, it would be difficult to identify the subject. Illumination uniformity ratios should be about 4:1 (average/minimum). Ideally, there should be good contrast between the subject and the surrounding scene. Lighting should facilitate clear identity of the subject’s clothing, face, and other identifying features.

Lighting Color Temperature

Lighting color is measured in color tempera-ture (Kelvin). The low end of the Kelvin spec-trum is red, and the high end of the spectrum is blue. Right in the middle is daylight. Daylight for video is approximately 5600 K. Lamps with color temperatures lower than this will appear yellow to red and lamps with color tempera-tures higher than this will appear green to blue. Incandescent and sodium vapor lamps make the video image to appear as yellow, while some LED lamps can cause video to present as blue. Both cause difficulty in the identification of subjects’ clothing and can result in completely wrong descriptions being given by the console

operator to his or her guard staff. This can lead to the release of guilty subjects because their clothes do not match the description.

Other Lighting Issues

Protect lighting from vandalism with protec-tive covers, protected power lines (buried or in conduit), and with mounts too high to reach eas-ily. Assure emergency lighting in case of power outages. Emergency lighting should cover all paths of egress including stairwells.


Security communications are the root of response. Communications involves the follow-ing categories:

· Communications between security officers and the public they serve.

· Communications between security officers and other security officers.

· Communications between security officers and the public via telephones.

· Communications between security officers and public agencies (fire/police, etc.).


Security communications serve several purposes:

· Receiving information and direction to do the job.

· Assisting the public with access or information.

· Directing subjects to comply with established security policies.

· Coordinating emergency responders.

Two-Way Radios

Two-way radios are the heart of communica-tions for any security staff. They provide the abil-ity for security officers to communicate with each other and with other facility personnel, including management and maintenance/cleaning staff.

Security Communications


Two-way radios are used for communications from the security console to field officers and from officer to officer in the field.

Two-way radios have varying frequencies. Common spectrum sections include the 150- and 450-MHz bands. Radios with 800 MHz are a blend of traditional two-way radio technology and com-puter-controlled transmitters. The system’s main advantage is that radio transmitters can be shared among various departments or users with the aid of computer programming. Virtual radio groups, called “talk groups,” are created in software to enable private departmental conversations. This gives the system the look and feel of one having many different “frequencies” when in fact every-one is sharing just a few. A quick reference of pub-lic and private radio frequencies can be found at http://www.bearcat1.com/freer.html.

Cell Phones

Cell phones can provide an inexpensive means of communications, particularly cell phones with a two-way radio function. They provide in a single unit both a two-way radio and the ability to call the police directly when needed, as well as managers.

Cell phones have limits, however. Before decid-ing on using a cell phone as a primary means of communication, it is important to conduct a test with the type of cell phone planned for use in every dark recess of the building, parking struc-ture, stairwell, restroom, storage room, and throughout the entire facility. Otherwise, you may discover a dead spot in exactly the place where the worst possible emergency is occurring, exactly when it occurs. Cell phones are particularly valu-able for patrol officers in vehicles because of their wide geographical reach, allowing the officer to be reached both on and off the property.


Security intercoms enable console officers to talk to anyone near a field intercom station (typi-cally another officer or a member of the public).

Calls can usually be initiated either from the con-sole or from the intercom field station by pressing a “call” button. Most intercoms are hands-free devices, although handsets are sometimes used. ADA (Americans with Disability Act)-compliant intercoms also provide a visual indicator that the call has been sent and acknowledged, in case the user is hearing impaired.

Other types of intercoms include call-out only stations and intercom bullhorns. Callout stations are similar to standard intercoms but are not equipped with call buttons. The console officer always originates the call for this type. Intercom bullhorns are similar to call-out stations but are equipped with a horn that acoustically amplifies the audio so that the console officer and subject can communicate at farther distances (usually up to 100 ft). Intercom bullhorns usually also require an auxiliary amplifier to provide ade-quate power to be heard at that distance. The horn gathers the voice of the subject, although it is more difficult for the officer to hear the sub-ject than it is for the subject to hear the officer. Bullhorns are often used only for directions to the subject and not back to the officer.

Emergency Phones

Emergency phones (also called assistance phones) are intercoms that are also equipped with flashing lights or strobes to help a respond-ing officer find the subject who is calling and to deter a crime against that subject because the strobe calls attention to the area, making a crime of violence less probable.

Paging Systems

Paging systems are strictly for communication from the console officer to the field. Paging sys-tems can be specific to a single paging speaker or horn or to a field of speakers and horns to cover a large area. Paging systems are useful for mak-ing announcements to large numbers of people simultaneously, such as to order an evacuation or to issue directions in an emergency.




Intercom and voice systems historically used analog communications—that is, a microphone was connected to an amplifier and a speaker. For larger systems, a matrix switcher was used to manage one or a few console communication paths out to many field intercoms. This is called a circuit-switched network. Traditional telephone systems are also circuit-switched networks. Each circuit can carry only one communication and there must be a continuous wire connection from speaker to subject. This approach is fine for a single site, but it has drawbacks, including the fact that the wiring is of a fixed architecture, so one intercom master station wires to many field stations. If one wants to add more master stations, one must wire from master to master. There is a single point of failure at the main master where the field intercom stations are first wired. Also, when the organization wants to move the location of the main master station, much costly rewiring is necessary.


For enterprise systems, the drawbacks of circuit-switched networks present major prob-lems. How do you maintain a circuit from New York to California? The cost of leased lines is too high, so digital intercoms are used. As digital video systems become more prevalent, it is also easier to “piggyback” voice communications on that digital path. Digital systems use packet-switched networks instead of circuit-switched networks for communications. Therefore, their path can be dynamic. If the organization wants to move its console, it only has to connect the new console to the nearest digital switch.

Digital intercoms have certain drawbacks too. For security, audio is more important than any other communication. Dropped audio could mean a lost life. So audio communications

must be configured as the priority communica-tion to ensure that no communication is lost as, for example, a new screen of video cameras is loading from one guard tour to the next. This is a programming element and cannot be con-figured in software if it is not written into the code. Audio compression protocols commonly include the G.7xx series, including G.711, G.721, G.722, G.726, G.728, and G.729. Another com-mon protocol is the MPEG protocol, including MP-3. These are all UDP protocols. The software designer must ensure that the audio protocol is given priority of communications over the digi-tal and data protocols. Where this is not done, the security officer can find it difficult to talk while video is loading. This condition is unac-ceptable, although at the time of this writing several video software manufacturers publish software with this flaw. Their common work-around is to require an additional client work-station just for audio. This is one of those design flaws that no one would buy if he or she knew about it ahead of time.

Digital audio has many advantages. Additional intercom stations can be added on anywhere an extra switch port exists, dra-matically reducing wired infrastructure costs. Additional switches can be added at little cost in new infrastructure. For enterprise systems, the Internet or asynchronous transfer mode net-works permit communications across state and national boundaries, making possible a moni-toring center in one state that monitors sites throughout the world.

Wireless Digital

Any digital communication can be configured to operate wirelessly as well as on a wired net-work. This enables communications to remotely located emergency phones across an endless expanse of park or parking lot. All one needs is power and that can sometimes be obtained via solar panels and batteries. Emergency phones are an ideal application for solar panels and

Command/Control and Communication Consoles


batteries because they draw power only when in use, except for a small amount of power for the radio frequency node. This is usually very low, typically less than 25 W for a well-designed system.

advancing their call in the queue. In the mean-time, there would be a digitized ringtone and recorded message with enough variation to keep their anxiety level low. The system could also advise them of the expected wait time.

Communication System Integration

It is also possible to integrate two-way radios, cell phones, land phones, and intercoms into a consolidated communications system (CCS). Typically, there are only one or two security offi-cers at a console, but there may be many com-munications systems. In the worst case I have seen, at a high-rise building in Los Angeles, there were 10 separate intercoms for elevators, 4 inter-com systems for security, 4 two-way radio sys-tems, 2 paging systems, 8 telephone lines, and cell phones. All this was (barely) manageable until an earthquake struck. Then, chaos broke loose in the security console room. Remember, that was 29 separate communications systems for a console room with one or two officers. That does not work very well.

In an ideal configuration, the systems have been coordinated such that there is no more than one of each type of system (interdiscipline coor-dination-instilled design flaws) and those few systems are further coordinated into a “CCS.” The CCS assembles the various communication platforms into a single piece of software that manages the communications to a single (or multiple) console officer station. Calls that can-not be taken are queued.

Queued calls go to an automated attendant that provides feedback to waiting parties. In the earthquake example, people in a stopped eleva-tor would hear an automated message from the intercom speaker when they press the help but-ton advising them that an earthquake has just struck the building and that there is a heavy demand on the security console officer and advising them that their call is in a queue. They would be advised to push the help button for a second time if there is a medical emergency,



Monitoring Consoles

Consoles and workstations provide a means to instruct the security system on how to behave and interact with its environment and users, to provide a face for the security system to its human user (viewing cameras, using the inter-com, responding to alarms, etc.), and to obtain system reports. There are a limited number of common implementations of these types of workstations. System size dictates the type.

Small Systems

Single-site systems are often designed with a common workstation that will provide all system services together in a single computer. The system may separate alarm/access control, video moni-toring, and the intercom master station into three separate units and may commonly be designed as an analog video/intercom system rather than digital. However, this trend will change over time toward digital video and intercom as these systems become more prevalent in the smaller systems. In any event, the alarm/access control system will likely comprise field devices (card readers, locks, etc.), field device controllers, and a single computer to manage them.

System interface and automation will likely be limited to activating video cameras in response to alarms, and this interface may well be accom-plished using dry contacts.

Thus, the small system will likely comprise a single computer workstation for the alarm/access control system, a video multiplexer and per-haps a pair of analog video monitors for the few


video cameras, and an intercom master station to answer intercoms. These will likely be located at a lobby desk, security office, or manager’s office.

Medium-Sized Systems

Medium-sized systems will typically incor-porate a higher level of system integration and possibly more than one workstation or console. Medium-sized systems may well separate sys-tem functions into those that will exist on a server and those that will operate on a client worksta-tion. These systems may be designed as analog video/intercom, or they may be digital. It is pos-sible that the client workstations will include a separate workstation for the lobby desk or secu-rity office and another one for administration of the system by a manager.

Enterprise-Class Systems

Any enterprise-class system (multiple build-ings and/or multiple sites) that is not designed initially with a digital video/digital intercom infrastructure will be a costly system to upgrade, expand, and maintain as time goes by.

These systems routinely incorporate a high level of integration to other building systems and routinely have both local and remote or central-ized system monitoring and/or administration.

All enterprise-class systems are built around a client/server model and may involve many clients and many servers, including servers acting as local and/or central archivers, local and/or centralized guard workstations, and local and/or centralized administrative workstations including photo iden-tification and identity verification workstations.



Command, Control, and Communications


The most sophisticated of all security con-soles, the C3 console, is the operational heart of an enterprise-class alarm monitoring and

management system. Usually, having more than one console (sometimes up to a dozen), the C3 approach is the ultimate in centralized corpo-rate oversight for safety, security, and sometimes even operational efficiency.

Incidents such as major refinery explosions can be effectively prevented if health, safety, and efficiency (HSE) monitoring is augmented centrally. This method of centralized monitoring can advise local on-site HSE personnel of unsafe practices in conflict with established corporate safety or security policies that may be occurring without the knowledge of local managers. For every employee who might complain about the intrusion of centralized authority, lives can truly be saved by avoiding unsafe industrial practices that would otherwise go unnoticed.

A C3 console normally incorporates one or more workstations, and each workstation includes a number of LCD monitors. Typically, two to four monitors display video, one displays alarm and control maps, one may display alarm/ access control system activity, and an additional monitor may be used for an application pack-age such as a report writer, spreadsheet, or word processor. On some systems, email service and voice communication software may be used. C3 consoles may also have one or more large screen displays that anyone in the room can easily see. These are typically run from one of the work-stations in the console. The C3 console generally also incorporates situational analysis software to help the console officers understand what is being displayed in the system in the context of locations of buildings, avenues, and waterways in the real world.

One consideration regarding C3 consoles (and others as well, but especially C3 consoles) is the issue of workstation processing power. Every program and process requires CPU, memory, and video card-processing cycles, and there are a finite number for each individual workstation, based on its processor, clock speed, and video card. It is possible to crash a workstation that is overloaded with requests for processing cycles. That is a bad thing. So it is important to design

Workstation and Console Specifics


workstations in a manner that ensures that it will not happen. The good news is that Moore’s law indicates that processing power will grow by a factor of two approximately every year and a half. The bad news is that the processing power of any workstation is determined by its weakest link, which could be the processor, the video card, memory type and capacity, the operating system, or the software. There is not a single, simple for-mula to calculate how much processing power is required for a given application. However, there is a simple way to make a useful calculation:

· Find a machine that is roughly similar to the type of machine you intend to specify. Generally, the manufacturer of the digital video software will have several machines to select from in its lab.

· Ask the lab technician to start up the machine with only the operating system and the digital video application running (displaying no cameras at this time). Load the task manager and note the CPU usage in percentage of utilization.

· Now display one camera at the resolution and frame rate to be viewed. Again, look at the task manager and note the difference in CPU processing percentage of utilization.

· Then display 4 and then 16 cameras and note the percentage of utilization of CPU.

· Next, open a browser window on top of the video that is already open and again note the CPU utilization figures.

· Last, load on top of this a standard spreadsheet or word-processing application and again note the CPU utilization, with all this running.


From the previous information, you can cal-culate how much CPU utilization will occur when the computer is fully loaded with all intended camera signals and ancillary browsers programs. This will be a real-world number that is meaningful.

The system should be designed so as not to ever exceed 60% of CPU utilization. Exceeding 60% of continuous duty will result in overheating

and shortening of the life of the CPU. It may result in the inability of the computer to adequately process video, causing observably bad images and possibly crashing the computer. This condi-tion can also occur if the image specifications are exceeded. For example, if the computer’s capac-ity is based on the display of 32 2-CIF images at 15 fps, and the console user reprograms the reso-lution to 4-CIF and the frame rate to 30 fps, these results could occur. The user must be instructed as to the design limitations of the workstation.

Important elements of any security console workstation include the processor, memory, the video card, and the quality of monitor. It is unwise to skimp on servers and workstations. They do the heavy lifting in the system. Unlike other parts of the system in which scale equals dollars (more units Ό more money), a significant investment in servers and workstations does not usually equal a significant increase in the over-all cost of the system. It is a wise investment for the designer to recommend and for the client to make.

Ergonomics for C3 consoles are also a major consideration. The console design may com-prise any of a number of configurations, includ-ing a wraparound design in which the console is nestled into a corner or side wall or a cluster of individual workstation desks facing a large screen display or video wall at one end of the room. Special attention should be paid to the quality of lighting; keyboard, mouse, and moni-tor position; and the quality of chairs. All these factors have a bearing on the ability of the con-sole officer to observe video over a period of many hours.

There has also been much discussion regard-ing how many cameras should be displayed on a console, and like everyone else, I have an opin-ion. First, let us state the various cases made. The many-is-better argument goes like this: If many cameras are displayed, then the console officer can observe the video of any camera at his or her pleasure. He or she can quickly scan all the available views and may see something that he or she would never observe if the cameras were


not otherwise displayed. The fewer-is-better argument goes like this: Some scientific studies have shown that an officer cannot view more than approximately six images with any preci-sion of observation over any long time period. Having more monitors may create complacency on the part of the observing officer, and in any event it is better if most video views respond to some kind of alarm or event indicator if possi-ble. For this reason, it is better to use many cam-eras and fewer monitors and have the cameras triggered by alarms where possible.

I am in the second camp. However, there is a caveat. I am also an advocate of creating a series of scene views using related video cameras—for example, all the cameras on the first level of a parking structure, second level, and so on. These related camera groups can be assembled to create a “virtual guard tour” that allows the console offi-cer to “walk” the facility by sequentially select-ing the groups of related cameras. Additionally, any alarms can also be programmed to select the related group of cameras, not just the single cam-era that is nearest to the alarm event. A superset of guard tour groups is video pursuit, which is discussed later in the book.

C3 Console Use in Public Agency Settings

C3 consoles are of particular use for mass transit facilities where the responding officer will almost always be a sworn police officer. For such installations, it is important to use the C3 console as a vetting console, staffed by civilians, not by a police dispatcher. This is to ensure that the dispatch officer is not swamped by nuisance alarms, of which there may be many in such installations.

After vetting the alarm through the C3 con-sole, real events needing the dispatch of a sworn officer can be passed to the dispatch console for appropriate action.

A well-designed C3 console scheme should permit the civilian console officer to be able to “pass off” the event to a sworn officer at a different console simply by moving an icon

representing the civilian monitor to an icon rep-resenting the sworn officer’s monitor.

When this is done, the video should queue at the sworn officer’s monitor, sounding an alarm to direct his or her attention to the event and keeping the civilian online to hand off the audio.

Lobby Desk Consoles

Security workstations are often placed at lobby desks where the public is assisted. Here, the secu-rity designer is often requested to design the workstation into a highly aesthetic environment.

Careful coordination with the interiors archi-tect is required to determine the ergonomic ele-ments required. The architect will need to closely coordinate the design of the console with the mea-surements of the lobby desk security components.

Dispatch Consoles

Similar to C3 consoles, dispatch consoles also may have many workstations. In addition to the security video, alarm/access control, and inter-com elements, radio dispatch will be a major element. Computer-aided dispatch (CAD) soft-ware will likely be implemented, and this must also be coordinated to display locations of cars, personnel, and activities. The video system can be integrated with CAD software to achieve this result, and the security intercom may also be integrated with the two-way radio system, tele-phone system, and even cellular/radio phone system to facilitate communications. In all other respects, dispatch consoles are similar in requirements and design to C3 consoles, except that the designer is often burdened with very limited space, sometimes requiring more func-tions be added into a very small existing space.

Administrative Workstations

Administrative workstations facilitate the programming of cards, system software, hard-ware and firmware configuration changes, and the creation and reviewing of system reports. Administrative work stations are generally limited to no more than two monitors and may

Guard Console Functions


be combined with other duties on the security manager’s or site manager’s desk.

Administrative workstations are the simplest and least demanding of security work stations. As always, observe processor, memory, and video card requirements. Administrative work-stations include the computer, monitors, key-board, and mouse and report printer.

Identification Badging Consoles

Virtually every medium and large system involves photo identification badges. These are usually bonded on or printed directly onto an access credential.

Photo identification credentials typically dis-play a photo of the credential holder, a logo of the organization or some other identifying logo, the name and department of the person, and may also display a color or pattern scheme that is an identifying feature of the person’s access privileges. This function presents the human readable portion of an access credential that facilitates an organization’s staff to easily iden-tify people wearing badges, the organization or department to which they belong, and whether they are allowed unescorted access to the area in which they are found.

Photo identification systems comprise an identification badging console (workstation), a digital camera, lights, background, posing chair, and a credential printer.

Based on badging volume and the organiza-tion’s human resources processes, the system may be centralized or distributed across several sites, and the credential printers may be attached to either the workstation or a network in which they are shared by several photo identification workstations.

Identity Verification Workstations

Although rare, identity verification worksta-tions facilitate absolute verification of a creden-tialed person through an access portal. These are used in high-security environments such as nuclear and weapons storage facilities, research

and design facilities, and other places where critical proprietary information or assets that could present harm to the public are housed.

The identity verification workstation is typi-cally used with a revolving door, optical turn-stile, or mantrap to provide a means to verify with certainty that the person holding an access credential is who he or she claims to be.

The workstation is part of the overall identity verification portal, which includes a credential reader; a movement-pausing mechanism (revolv-ing door, physical or electronic turnstile, mantrap, or in the simplest form, an electrically locked door); and a visual recognition system, usually in the form of a video camera and computer software, that displays a live image of the person next to an image retrieved from the photo identification data-base corresponding to the one stored for the access credential that was just presented at the portal. After making the comparison, the security officer staffing the identity verification portal verifies that the credential is valid for the portal (authorized for the portal and the date and time of use) and that the credential holder is the person who is autho-rized to carry the credential (the live video image of the person matches the photo ID image). After verification, the security officer manually unlocks the door using a remote electronic release, allow-ing the credential holder into the restricted area.


Guard consoles are used to manage the secu-rity of the facility. The guard console is the air-craft control tower of the security operation. From this location, it should be possible for the console guard to keep an eye on all the major access control and intrusion events occurring in the building. Basic guard console functions include the following:

· Vetting alarms for appropriate response

· Granting access remotely

· Video surveillance


· Video guard tours

· Video pursuit

· Building system interfaces

Vetting Alarms

Any alarm that occurs anywhere in the secu-rity system will report to the guard console. The console software should be integrated to extend its eyes, ears, and mouth into the depths of the facility, wherever an alarm occurs. The guard should receive immediate notification of the alarm and immediately be able to verify the alarm from the console. Often, the best way to do this is by the presence of a video camera near the alarm. If the alarm is verified as an intrusion, the console guard must then take some action, either dispatching an officer to respond (radio) or confronting the subject via security intercom. For this reason, good design principles indi-cate that, where possible, every alarm should have a camera nearby to permit alarm verifica-tion. Ideally, there should also be a field inter-com station or field talk station near the camera to direct the subject away from the area of the intrusion. Additionally, the software should be configured such that for every alarm a camera is programmed to queue for display automatically, and that camera image should be recorded. For digital video systems, a preevent record period is also recommended. That is, even if the camera is not programmed for continuous archiving, the system should be archiving every camera continuously for 2 min such that in the event of an alarm for which that camera may respond, that 2 min being recorded before the alarm becomes part of the alarm video event archive. Otherwise, it is recorded over continuously.

Granting Access Remotely

Another common function of guard consoles is the remote granting of access to authorized visitors, contractors, and vendors. Typically, one or more remote doors may facilitate such access.

If there is a constant flow of people through the door, it may be appropriate to locate a guard there to facilitate authorization and access grant-ing. However, often the flow does not warrant the cost of a full-time guard. For such cases, it is ideal if there can be configured a vestibule for access granting to include a card reader for authorized users, a camera, and an intercom to facilitate a gracious granting of access privileges. These designs take two common forms.

Finished Visitor Lobby

A finished visitor lobby may be used for remote access granting after normal business hours—for example, in a multitenant high-rise building environment. The vestibule provides a secure means of granting access without put-ting anyone in the building at risk, including the lobby desk guard.

Visitor vestibules can be under the control of the console guard and/or may also be under the control of a tenant via use of a building directory and intercom system. In such cases, the visitor looks up the tenant and places a call using the code next to the tenant’s name. Upon answering, the tenant can enter a telephone code unlocking the inner door and permitting access into the building.

Where the control is exclusive to the console guard, the guard may also have control over the elevator system to ensure that the visitor actu-ally goes to the floor he or she has requested and for which he or she is authorized by the tenant.

Delivery Lobby

Delivery lobbies can be created at a loading dock to reduce guard force count. In such cases, again a vestibule is created and the system is activated as an event whenever the vestibule is occupied, when the outer door is opened.

An assumption is made that the delivery per-son is unfamiliar with the building, so its use is in the hands of the guard, making the delivery person’s knowledge level unimportant.

Guard Console Functions


The guard console will display the delivery lobby camera upon opening of the outer door, and the delivery lobby intercom will be queued. The console guard will initiate a call to the deliv-ery person asking him or her to whom he or she is making a delivery. After answering, the guard will ask the delivery person to present his or her driver’s license and delivery company identifi-cation face up on a credential camera reader. The credential reader is a lighted box with a platen for placing the identification papers for viewing.

After recording the delivery person’s identifi-cation, the guard instructs the delivery person to place his or her delivery papers on the platen to record the location of the package for delivery. After this is done, the guard will then enable the elevator–hall call buttons and may also direct the elevator to the proper floor if he or she has been given elevator floor select control on his or her console.11

Video Surveillance

Video surveillance involves the act of observ-ing a scene or scenes and looking for specific behaviors that are improper or that may indi-cate the emergence or existence of improper behavior.

Common uses of video surveillance include observing the public at the entry to sports events, public transportation (train platforms, airports, etc.), and around the perimeter of secure facili-ties, especially those that are directly bounded by community spaces.

The video surveillance process includes the identification of areas of concern and the iden-tification of specific cameras or groups of cam-eras that may be able to view those areas. If it is possible to identify schedules when security trends have occurred or may be likely to occur, that is also helpful to the process. Then, by view-ing the selected images at appropriate times, it

11 With thanks to Chuck Hutchinson, Senior Security Manager, Crescent Real Estate Equities, Ltd.

is possible to determine if improper activity is occurring.

One such application is for train platforms. Following a series of reports of intimidating behavior at a particular train platform, the use of video cameras and intercoms was found to reduce the potential for such events as the per-petrators began to understand that their behav-ior could be recorded and used to identify them to police. Furthermore, the act of getting on a train did not deter the police who boarded at the next station and apprehended the criminals. Word got around and the behavior was reduced dramatically.

Video Guard Tours

The use of correlated groups of video cam-eras programmed to be viewed as a group allows the console officer to see an entire area at once. He or she can then step through the spaces of the facility, each time viewing the entire area as though he or she were walking through a guard tour.

It is much faster to perform a virtual video guard tour than a physical guard tour, thus allowing more frequent reviews of the spaces. Additionally, because the cameras are always in place, people behaving improperly are unaware that they are being viewed by authorities until a response occurs, either by dispatched officer or by intercom intervention, either of which can be effective in deterring improper behavior.

Video guard tours are especially effective at managing very large facilities, such as public transportation facilities in which the spaces can be vast and the time to travel between areas can be significant.

Video Pursuit

The guard tour cameras can also be set up to create a “video pursuit” that will allow a con-sole officer in an environment such as an airport or casino to follow a subject as he or she walks


through the space by selecting the camera in the group into which the subject has walked. With each selection, a new group will be displayed where the new display includes the selected camera and other cameras displaying views into which the subject might walk if he or she leaves the area under display. As the subject moves from camera to camera, video pursuit keeps the subject centered in a cocoon of cameras. A corre-sponding display of maps will show the console officer where the subject is located by highlight-ing the central camera and those around it where the subject might walk.12


Security communication systems facilitate rapid information gathering, decision-making, and action taking.

Security System Intercoms

Security intercoms provide a convenient way for visitors to gain information or access at remote doors. They may be used either to facili-tate remote access granting or to direct the visi-tor to a visitor lobby. They visit or can query the console security officer by pressing a call button on the intercom, thus initiating a call. Likewise, the console security officer can also initiate a call directly from the console.

A second type of intercom is the officer-controlled security intercom. Similar to a con-ventional intercom station but without the call button, these are often placed next to a video camera for use in directing a subject after verify-ing an alarm.

The third type of security intercom is the intercom bullhorn. It is similar to the officer-controlled intercom but has the ability to reach farther distances due to the bullhorn.

12 Video pursuit was invented jointly by the author and his protιgι, Mr David Skusek.

Elevator and Parking System Intercoms

Security intercoms are often located in eleva-tors and elevator lobbies and at parking entrances.

Emergency Call Stations

A security intercom coupled with a blue strobe and emergency signage, this intercom is a welcome point of help in areas where an assault could occur, such as in parking structures and walkways on a college campus. Reports indicate that assault crimes can diminish from historical norms where emergency call stations are used.

Digital intercom systems utilize a codec from the field intercom station to the digital infrastructure. The digital video software often accommodates the communication path and can also automatically queue the intercom for use whenever the camera viewing the intercom is on screen. That can be accomplished automatically in response to an alarm.

Analog intercoms use either two-wire or four-wire field intercom stations. Four-wire intercom stations use two wires for the speaker, two for the microphone, and sometimes two for the call button, whereas two-wire intercoms use only two wires for all three functions. Four-wire inter-coms can operate in full-duplex mode (simulta-neous talk/listen), whereas two-wire intercoms can only operate in half-duplex mode, although this is often more advisable because it allows the console security officer to control the conversa-tion and ensures that conversations in the con-sole room will not be unintentionally overheard at the field intercom station.

Direct Ring-Down Intercoms

These are telephones that ring to a specific number when the receiver is lifted or the call button is pressed (hands-free version). These are commonly used in elevators and emergency call stations. Direct ring-down phones are available in both CO (central office line connection) and



non-CO versions (non-CO versions create their own ring-down voltage and need only a pair of wires connected to an answering phone station set). These are frequently used for remote park-ing gates. Both types are also usually equipped with remote control over a dry contact relay at the ring-down station, permitting remote access through a parking gate or door.

considerably, it is useful to equip the intercom/ telephone or two-way radio with wireless head-phones. These free the console officer from the common tether of a standard headset. Wireless headsets can be connected to various ways depending on the manufacturer and model, including to a headphone plug, USB, or RS-232.

Two-Way Radio

Two-way radio systems facilitate constant communications among a dispatcher, console security officer, security management, security guards, and building maintenance personnel.

Two-way radio systems can comprise an assem-bly of handheld radios with no master station or may be equipped with a master station at the security command center. In any event, a charging station will need to be accommodated in the space planning of the security command center.

Two-way radio systems can be integrated via communications software with other communi-cation systems to create a CCS that can integrate radio, telephone, pagers, and intercoms into a single communication platform.


Pagers can be used to notify roving security officers of an alarm or can discretely notify an officer of a condition requiring his or her atten-tion. Many alarm/access control systems can con-nect directly to a paging system transmitter for local broadcast within a building or on a campus. The systems can also be connected to a telephone dialer to broadcast a page across a city or the country. At a minimum, the security console can be configured to utilize paging software to key in messages independent of any other interface.

Wireless Headsets

For security consoles and lobby security desks that require the console officer to move about


The basics of alarm/access control systems include identification devices (card readers, key-pads, and biometric systems). Keypads can be simple or complex, the most advanced of which scrambles the numbers for each use and limits the view of adjacent users. Card reader types include magnetic stripe, Wiegand, passive and active proximity, and smart cards. Many orga-nizations use multitechnology cards, which allow the user to access various facilities, each of which may require a different card technology.

Access cards are commonly used with photo identification systems such that the access card and identification together form the creden-tial. Photo identification cards help identify users by sight, showing what areas they have access to and displaying their photo, name, and department.

Other devices include locks, door position switches, and request to exit devices. Common electrified lock types include electrified strikes, electrified mortise locks, magnetic locks, electri-fied panic hardware, and specialty locks. DPS can be either surface mounted or concealed. Other devices include door and gate opera-tors and revolving doors and turnstiles. Access control system field elements are controlled by electronic processing boards, which include a microprocessor, memory, and field interface modules. All these devices are managed by serv-ers and workstations.

The different subsystems of an integrated security system can be blended together into a single system. The system can also be interfaced


with other systems to achieve advanced auto-mated functions.

Early analog video systems included only cameras, cable, and monitors. As demand increased, more cameras were displayed on a few monitors using a sequential switcher. As the technology progressed, sequential switchers grew to become digital matrix switchers, and quads and multiplexers promised to display and record multiple cameras onto a single tape. Analog video was recorded by using a helical-scan spinning record head. Early recorders used 2-in. reel-to-reel tape, which was later replaced by cartridges, notably the VHS cassette.

Digital video records and transmits the video as a series of ones and zeros rather than as a volt-age on a coaxial cable, as does analog video.

Digital systems transmit their information in packets. To truly understand digital video sys-tems, or networks, one must fully understand how the TCP/IP protocol works. It is also impor-tant to understand how network switching and routing work. Other issues that are important to understand include both wired and wireless networks. Wired networks utilize cable, switch-ers, and routers. Wireless networks utilize lasers, microwave, and radio links, including land- and space-based radio. Typical radio-based networks connect via point-to-point, point-to-multipoint, and with wireless mesh networks.

Video analytics include fixed algorithm ana-lytics, artificial intelligence learning algorithms, and facial recognition algorithms.

Security communications are the root of response. Common technologies include two-way radios, cell phones, and intercoms. Intercoms can also be related to emergency phones and paging systems.

Command and communications consoles vary greatly depending on the needs of the facility they serve. Small systems often have simple consoles, providing only basic func-tions. Medium-sized systems generally include some system integration elements, whereas enterprise-class systems often use extensive

integration. Console types include lobby desk consoles, dispatch consoles, administrative workstations, identification badging consoles, and identity verification consoles. Guard con-soles vet alarms for appropriate response, grant access remotely, conduct video surveillance and video guard tours, utilize video pursuit, and manage building system interfaces.


1. Identification devices identify by

a. What you know

b. What you have

c. Who you are

d. All of the above

2. Other access control field devices include

a. Electrified locks, door position switches, REX devices, and gate operators

b. Mechanical locks, magnetic tape, signal lights, and pushbutton switches

c. Pushbutton switches, locks of all types, fiber optic cable, and cameras

d. None of the above

3. Biometric readers read

a. Characteristics of a card

b. Characteristics of a key code

c. Characteristics of a person

d. None of the above

4. Common electrified lock types include

a. Electrified mortise locks

b. Magnetic locks

c. Electrified panic hardware

d. All of the above

5. It is common to use two servers for access control

a. Primary and business continuity server

b. Primary and secondary

c. Primary and ordinary

d. Primary and a second server that is never turned on unless it is needed

6. Security system designers must often interface new system elements with

a. Systems from antiquity

Questions and Answers


b. Nonautomated security systems

b. Artificial intelligence learning

c. Legacy security systems


d. None of the above

c. Facial recognition systems


Digital security systems may use

d. All of the above

a. TCP/IP protocol

10. Security communications systems may

b. UDP protocol


c. RDP protocol

a. Emergency phones

d. All of the above

b. Intercoms and paging systems


Wireless signals may include

c. Two-way radio and cell phones

a. Radio, laser, and microwave

d. All of the above

b. Radio, fiber optic, and laser

c. Fiber optic, unicast, and multicast


d. None of the above


Video analytics may include

1: d, 2: a, 3: c, 4: d, 5: a, 6: c, 7: d, 8: a, 9: d, 10: d.

a. Fixed algorithm analytics

This page intentionally left blank



Use of Locks in Physical Crime


James M. Edgar, CPP, PSP, William D. McInerney,

Eugene D. Finneran, John E. Hunter

This chapter discusses the use of locks in physical crime prevention. The terminology of locks and lock components is detailed, as well as a way of critically looking at locks in terms of crime prevention and security.



alter their designs and production techniques. A lock that is excellent in some applications may be undesirable in others. Knowledge of the basic principles of locking systems will enable a preventions specialist to evaluate any lock and determine its quality and its effectiveness in a particular application.


The effectiveness of any locking system depends on a combination of interrelated factors involved in the design, manufacture, installation, and maintenance of the system. A prevention specialist needs to understand the weaknesses and strengths of the various systems, and know how each must be used to achieve maximum benefit from its application. This requires a thor-ough understanding of the inner workings of the various types of locks. It is not sufficient to know what a good lock is in someone else’s opinion. A good lock today may not be as good tomor-row as technology improves and manufacturers

A key-operated mechanical lock uses some sort of arrangement of internal physical barri-ers (wards, tumblers) that prevent the lock from operating unless they are properly aligned. The key is the device used to align these internal bar-riers so that the lock may be operated. The lock is ordinarily permanently installed. The key is a separate piece, which is designed to be removed from the lock to prevent unauthorized use.

Three types of key-operated locks will be introduced in this section: disc or wafer tumbler, pin tumbler, and lever.

* Originally from The Use of Locks in Physical Crime Prevention. James M. Edgar, William D. McInerney, Joe A. Mele: Butterworth-Heinemann, 1987. Updated by the editor, Elsevier, 2016.

Effective Physical Security, Fifth Edition



Copyright © 2017 Elsevier Inc. All rights reserved.


Tumbler Mechanisms

A tumbler mechanism is any lock mechanism having movable, variable elements (the tum-blers) that depend on the proper key (or keys) to arrange these tumblers into a straight line, per-mitting the lock to operate. The tumbler, which may be a disc, a lever, or a pin, is the lock barrier element that provides security against improper keys or manipulation. The specific key that operates the mechanism (called the change key) has a particular combination of cuts, or bitings, which match the arrangement of the tumblers in the lock. The combination of tumblers usually can be changed periodically by inserting a new tumbler arrangement in the lock and cutting a new key to fit this changed combination. This capability provides additional security by pro-tecting against lost or stolen keys.

Tumbler mechanisms and the keys that oper-ate them are produced to specifications that vary with each manufacturer and among the different models produced by each manufac-turer. These specifications are known as the code of the lock mechanism. The coding for each mechanism provides specifications for both the fixed and variable elements of the lock assembly. Fixed specifications include:

· the dimensions of each of the component parts of the lock and the established clearance between each part (e.g., the size and length of the key must match the size and depth of the keyway);

· the spacing of each tumbler position and their relation to each other (Fig. 7.1);

· The depth intervals or increments in the steps of each cut or biting (Fig. 7.2).


.230" .150" .150" .150" .150"

FIGURE 7.1 The spacing or position of each cut on the key is a fixed dimension corresponding to the position of each tumbler in the lock.










FIGURE 7.2 The depth interval (increment) of the steps of each cut or biting is a fixed dimension.

Key-Operated Mechanisms


FIGURE 7.3 The depth of each cut corresponds to the length of each tumbler in the lock.

The relationship between the dimensions of the tumblers and the biting on the key is shown for a typical pin tumbler mechanism in Fig. 7.3. These codes provide a locksmith with dimen-sions and specifications to produce a specific key to operate a particular lock or to key additional locks to the combination of a particular key.

The different arrangements of the tumblers permitted in a lock series are its combinations. The theoretical or mathematical number of possible combinations available in a specific model or type of lock depends on the number of tumblers used and the number of depth intervals or steps possible for each tumbler. If the lock had only one tumbler, which could be any of 10 lengths, the lock would have a total of 10 combinations. If it had two tumblers, it would have a possible total of 100 (10 Χ 10) combinations. With three tumblers, 1000 (10 Χ 10 Χ 10) combinations are possible. If all five tumblers were used, the lock would have a possible 100,000 combinations. The number of mathematically possible combinations for any lock can be determined by this method.

Due to a number of mechanical and design fac-tors, however, not all of these theoretically possi-ble (implied) combinations can actually be used. Some combinations allow the key to be removed from the lock before the tumblers are properly aligned (shedding combinations)—something that should not be possible with a properly com-binated tumbler lock. Others, such as equal depth combinations, are avoided by the manufacturers.

Some combinations result in a weakened key that is prone to break off in the lock. Others are excluded because the space from one cut in the key erodes the space or positioning of adjacent cuts. The combinations that remain after all of these possibilities have been removed are called useful combinations. The useful combinations, which are actually employed in the manufacture of the lock series, are the basis for the biting chart that lists the total combinations used in a particu-lar type of model or lock. When other factors are equal, the more the combinations that can actu-ally be used in a lock, the greater the security of the lock. Total useful combinations range from one for certain types of warded locks to millions for a few high-security tumbler key mechanisms.

Disc or Wafer Tumbler Mechanisms

Disc tumbler mechanisms consist of three sepa-rate parts: the keys, the cylinder plug, and the cyl-inder shell (or housing; Fig. 7.4). The plug contains the tumblers, which are usually spring-loaded flat plates that move up and down in slots cut through the diameter of the plug. Variably dimensioned key slots are cut into each tumbler. When no key is inserted or an improper key is used, one or more tumblers will extend through the sides of the plug into the top or bottom locking grooves cut into the cylinder shell, firmly locking the plug to the shell. This prevents the plug from rotating in the shell to operate the lock. The proper change key has cuts or bitings to match the variations of the tumblers. When inserted, the key aligns all of the tumblers in a straight line at the edge of the cylinder plug (the shear line) so that no tumbler extends into the shell. This permits the plug to rotate.

Disc mechanisms generally provide only moderate security with limited key changes or combinations. Depth intervals commonly used are from 0.015 to 0.030 inches, which permit no more than four or five depths for each tumbler position. Some models use as many as six tum-blers. The more commonly found five-tumbler mechanism, which allows five depth increments








































FIGURE 7.4 The key slots in the discs correspond to the cuts, or bitings, in the key. Note how each cut in the key will align its corresponding disc in a straight line with the others.

for each tumbler position, would have a maxi-mum of 3125 implied combinations. The num-ber of useful combinations would, of course, be considerably fewer for the reasons indi-cated earlier. Some added security is provided by the common, although not universal, use of warded and paracentric keyways, which help protect against incorrect keys and manipulation. Nevertheless, most of these locks may be manip-ulated or picked fairly easily by a person with limited skills. In addition, the variations cut into the tumblers can be sight read with some practice while the lock is installed. Sight reading involves

manipulating the tumblers with a thin wire and noting the relative positions of each tumbler in the keyway. Since each lock has only a limited number of possible tumbler increments, the cor-rect arrangement of these increments can be esti-mated with fair accuracy, permitting a key to be filed or cut on the spot to operate the lock.

Pin Tumbler Mechanisms

The pin tumbler mechanism is the most com-mon type of key-operated mechanism used in architectural or builders’ (door) hardware in

Key-Operated Mechanisms










FIGURE 7.5 Basic pin tumbler cylinder lock mechanism.

the United States. The security afforded by this mechanism ranges from fair in certain inexpen-sive cylinders with wide tolerances and a mini-mum of tumblers to excellent with several makes of high-security cylinders, including those that are listed by Underwriters Laboratories (UL) as manipulation- and pick-resistant.

The lock operates very much like disc tum-bler mechanisms (Fig. 7.5). The locking system consists of a key, a cylinder plug, and a cylin-der shell or housing. Rather than using discs, the mechanism uses pins as the basis interior barrier. Each lock contains an equal number of upper tumbler pins (drivers) and lower tumbler pins (key pins). The proper key has cuts or bit-ings to match the length of the lower pins. When it is inserted, the tops of the key pins are aligned flush with the top of the cylinder plug at the shear line. The plug may then rotate to lock or unlock the mechanism. When the key is with-drawn, the drivers are pushed by springs into the cylinder plus, pushing the key pins ahead of them until the key pins are seated at the bottom

of the pin chamber. The drivers extending into the plug prevent it from rotating (Fig. 7.6).

If an improper key is inserted, at least one key pin will be pushed into the shell, or one driver will extend into the plug. In either case, the pin extending past the shear line binds the plug to the shell. One or more key pins may be aligned at the shear line by an incorrect key, but all will be aligned only when the proper key is used.

Depth intervals commonly used for pin tum-bler cylinders vary from 0.0125 to 0.020 inches. These intervals allow between 5 and 10 depths for each tumbler position. The number of pins used ranges from three to eight—five or six is the most common number. Maximum useful combinations for most standard pin tumbler cylinders (assuming eight tumbler depth incre-ments) are as follows:

Three pin tumblers, approximately 130 combinations

Four pin tumblers, approximately 1025 combinations

















FIGURE 7.6 Operation of a pin tumbler cylinder mechanism: (A) When the correct key is inserted, the bitings in the key align the tops of the lower tumblers (key pins) with the top of the cylinder plug at the shear line. The plug may then be rotated in the shell to operate the lock. (B) When the key is withdrawn, the springs push the upper tumblers (drivers) into the cylinder plug. With the pins in this position, the plug obviously cannot be turned. (C) When an incorrect key is used, the bitings will not match the length of the key pins. The key will allow some of the drivers to extend into the plug, and some of the key pins will be pushed into the shell by high cuts. In either case, the plug cannot be rotated. With an improper key, some of the pins may align at the shear line, but only with the proper key will all five align so that the plug can turn.

Five pin tumblers, approximately 8200 combinations

Six pin tumblers, approximately 65,500 combinations.

These estimates assume that the useful com-binations amount to no more than 23% of the mathematically possible combinations. Many common pin tumbler locks use fewer than eight increments, so the number of useful combina-tions for a specific lock may be much lower than the figures given in the table. Master keying will also greatly reduce the number of useful combinations.

Pin tumbler mechanisms vary greatly in their resistance to manipulation. Poorly constructed, inexpensive cylinders with wide tolerances, a minimum number of pins, and poor pin cham-ber alignment may be manipulated quickly by persons of limited ability. Precision-made cylin-ders with close tolerances, a maximum number of pins, and accurate pin chamber alignment may resist picking attempts even by experts for a considerable time.

Most pin tumbler lock mechanisms use warded keyways for additional security against incorrect keys and manipulation. The wards projecting into the keyway must correspond to

Key-Operated Mechanisms


CENTER LINE image13.jpg

image14.jpg GROOVES



FIGURE 7.7 Milled, warded, and paracentric keys.

grooves cut into the side of the key, or the key cannot enter the lock. When the wards on one side of the keyway extend past the center line of the key, and wards on the other side also extend past the center line, this is known as a paracentric keyway (Fig. 7.7). Although warded keyways are commonly used on most pin tum-bler mechanisms, paracentric keyways are usu-ally restricted to the better locks. They severely hinder the insertion of lock picks into the mech-anisms and the ability of the manipulator to maneuver the pick once it is inserted.

Modifications have been made to the drives in better locks to provide increased security against picking (Fig. 7.8). The usual modified shapes are the mushroom and the spool. Both of these shapes have a tendency to bind in the pin chamber when picking is attempted, making it more difficult to maneuver them to the shear line. To be consistently successful in picking pin

tumbler cylinders with either type of modified driver, special techniques must be used.

There are a number of variations of the pin tumbler cylinder on the market. One, which is seeing increasingly widespread use, is the removable core cylinder (Fig. 7.9). These locks were originally produced by the Best Universal Lock Company, whose initial patents have now expired. Most major architectural hardware manufacturers now have them available in their commercial lock lines. This type of cylinder uses a special key called the control key to remove the entire pin tumbler mechanism (called the core) from the shell. This makes it possible to quickly replace one core with another having a differ-ent combination and requiring a different key to operate. Because of this feature, removable core cylinders are becoming increasingly popular for institutional use and in large commercial enter-prises where locks must be changed often.

Removable core cylinders do not provide more than moderate security. Most systems operate on a common control key, and possession of this key will allow entry through any lock in the system. It is not difficult to have an unauthorized duplicate of the control key made. If this is not possible, any lock, particularly a padlock, of the series may be borrowed and an unauthorized control key made. Once the core is removed from a lock, a screwdriver or other flat tool is all that is neces-sary to operate the mechanism. Additionally, the added control pins increase the number of shear points in each chamber, thus increasing the mech-anism’s vulnerability to manipulation.

Another variation that has been in widespread use for many years is master keying. Almost any pin tumbler cylinder can easily be master keyed. This involves the insertion of additional tumblers called master pins between the drivers and key pins. These master pins enable a second key, the master key, to operate the same lock (Fig. 7.10). Generally, an entire series of locks is combinated to be operated by the same master key. There may also be levels of master keys, including sub-masters, which open a portion, but not all, of a









FIGURE 7.8 Pin tumbler modification.














FIGURE 7.9 Removable core, pin tumbler, cylinder mechanism.





4 5



















FIGURE 7.10 Master-keyed pin tumbler cylinder mechanism: (A) This is a simple master-keyed system using master pins in the first and second tumbler positions. When the change key is inserted, note that the top of the first master pin aligns with the top of the cylinder plug. The remaining positions show the key pins aligned with the top of the plug. This arrangement permits the plug to turn. (B) With the master key inserted, the first position aligns the top of the key pin with the cylinder plug. The master pin is pushed farther up the pin cylinder. The second position shows the master pin aligning at the top of the plug. The master pin has dropped farther down the pin hole in the plug. The remaining three positions are unchanged. This arrangement also allows the plug to rotate.

Key-Operated Mechanisms


series; master keys that open a larger part; and grand masters that open the entire series. In very involved installations, there may even be a fourth level (great grand master key).

There are a number of security problems with master keys. The most obvious one is that an unauthorized master key will permit access through any lock of the series. Less obvious is the fact that master keying reduces the number of useful combinations that can be employed since any combination used must not only be compatible with the change key, but with the second, master key. If a submaster is used in the series, the number of combinations is fur-ther reduced to those that are compatible with all three keys. If four levels of master keys are used, it should be obvious that the number of useful combinations becomes extremely small. If a large number of locks are involved, the number of locks may exceed the number of available combinations. When this occurs, it may be necessary to use the same combination in several locks, which permits one change key to operate more than one lock (cross keying). This creates an additional security hazard.

One way of increasing the number of usable combinations and decreasing the risk of cross keying is to use a master sleeve or ring. This sleeve fits around the plug, providing an addi-tional shear line similar to the slide shear line in a removable core system. Some of the keys can be cut to lift tumblers to sleeve shear line and some to the plug shear line. This system, how-ever, requires the use of more master pins. Any increase in master pins raises the susceptibility of the lock to manipulation, since the master pins create more than one shear point in each pin chamber, increasing the facility with which the lock can be picked.

Thus, although master-keyed and removable core systems are necessary for a number of very practical reasons, you should be aware that they create additional security problems of their own.

The basic pin tumbler mechanism has been extensively modified by a number of

manufacturers to improve its security. The com-mon features of high-security pin tumbler cylin-der mechanisms are that they are produced with extremely close tolerances and that they provide a very high number of usable combinations. Additional security features include the use of very hard metals in their construction to frus-trate attacks by drilling and punching.

Lever Tumbler Mechanisms

Although the lever lock operates on the same principles as the pin or disc tumbler mechanism, its appearance is very different. Fig. 7.11 illus-trates a typical lever mechanism. Unlike pin or



GATES image18.jpg

LEVERS image19.jpg image20.jpg POST HOLE


image21.jpg image22.jpg POST




FIGURE 7.11 Lever tumbler mechanism.


disc tumbler devices, the lever lock does not use a rotating core or plug, and the bolt is usually an integral part of the basic mechanism thrown directly by the key. The only other type of mech-anism in which the key directly engages the bolt is the warded mechanism. You will recall that the bolt in pin or disc tumbler systems is usually directly operated by the cylinder plug, not the key. The key is used to rotate the plug but never comes into direct contact with the bolt.

Despite these somewhat deceptive appear-ances, the lever lock operates very much like the other tumbler mechanisms. Each lever is hinged on one side by the post, which is a fixed part of the case. The leaf springs attached to the levers hold them down in a position that overlaps the bolt notch as shown in Fig. 7.12. In this position, the bolt is prevented from moving back into a retracted position by its fence, which is trapped by the front edges (shoulder) of the levers. When the key is inserted and slightly rotated, the bitings on the key engage the saddle of the lever, raising it to a position where the fence aligns with the slot in the lever (called the gate). In this position, the fence no longer obstructs the movement of the bolt to the rear, and the bolt can be retracted.

The retraction is accomplished by the key engaging the shoulder of the bolt notch. While the bitings of the key are still holding the levers in an aligned position, the key contacts the rear shoulder of the bolt notch, forcing the bolt to retract as the key is rotated. As the bolt is retracted, the fence moves along the gate until the bolt is fully withdrawn. When the key has rotated fully, completely retracting the bolt, it can be withdrawn.

If an improperly cut key is inserted and rotated in the lock, either the levers will not be raised far enough to align all of the gates with the fence or one or more levers will be raised too high, so that the bottom edge of the lever obstructs the fence (Fig. 7.12). In either case, the bolt is prevented from being forced to the rear, thus opening the lock.

Fig. 7.13A shows one version of the basic lever. A number of variations are on the market.

Some levers are made with projections built into the gate designed to trap the fence in various positions (Fig. 7.13B). The front and rear traps prevent the fence from being forced through the gate when the bolt is in the fully extended or fully retracted position. Fig. 7.13C shows another variation: serrated (sawtooth) front edges. These serrations are designed to bind against the fence when an attempt is made to pick the lock. They are commonly found on high-security lever tumbler mechanisms.

Lever mechanisms provide moderate to high security depending on the number of levers used, their configuration, and the degree of care used in the construction of the lock mechanism. Any mechanisms using six or more tumblers can safely be considered a high-security lock. Some mechanisms use a double set of levers, requiring a double-bited key. The levers are located on both sides of the keyway. This con-figuration makes the lock very difficult to pick or manipulate.

Lever locks are commonly found in appli-cations where moderate to high security is a requirement, including safe deposit boxes, strong boxes, post office boxes, and lockers. The lever mechanisms available in the United States, because of the integrated, short-throw bolt, are not ordinarily used as builders’ hardware. But they are commonly used in that application in Europe, and some of these locks have found their way into the United States.


In principle, a combination lock works in much the same way as a lever mechanism. When the tumblers are aligned, the slots in the tumblers permit a fence to retract, which releases the bolt so that the bolt can be opened. The difference is that where the lever mechanism uses a key to align the tumblers, the combination mechanism uses numbers, letters, or other symbols as refer-ence points that enable an operator to align them manually. Fig. 7.14 shows a simplified view of a

Combination Locks














FIGURE 7.12 Operation of a typical lever tumbler mechanism: (A) The bolt is in the fully extended locked position and the key has been withdrawn from the keyway. In this position, the spring forces the lever down toward the bolt notch, trap-ping the fence against the forward edge (shoulder) of the lever. This prevents the bolt from being forced back. (B) The key has been inserted and the biting on the key has lifted the lever against the spring tension, aligning the gate with the fence. The bolt can now be moved back into the retracted position. (C) The key has begun to force the bolt back into a retracted position by engaging a shoulder of the bolt notch at the same time it is keeping the lever suspended at the correct height to allow the fence to pass into the gate. (D) The bolt is now fully retracted and the key can be withdrawn. (E) If an improper key is inserted the biting either will not lift the lever high enough for the fence to pass through the gate or the lever will be raised too high and the fence will be trapped in front of the lower forward shoulder of the lever. From this position, the bolt cannot be forced back into the retracted position.

typical three-tumbler combination lock mecha-nism. The tumblers are usually called wheels. Each wheel has a slot milled into its edge, which is designed to engage the fence when the slot has

been properly aligned. This slot is called a gate. The fence is part of the lever that retracts the bolt. The gates are aligned with the fence by referring to letters, numbers, or other symbols on the dial.

















FIGURE 7.13 Lever tumblers. To operate the lock, the key contacts the lever at the saddle, lifting it until the fence is aligned with the gate. The saddles on the various tumblers are milled to different depths to correspond to different cuts on the key.

FIGURE 7.14 Three-tumbler combination.

Combination Locks


The sequence of symbols that permits the lock to operate is its combination. A typical combination sequence using numbers is 10–35–75. The fact that three numbers are used in the combination indicates that the lock contains three tumblers. The number of tumblers in a lock always cor-responds to the number of symbols used in its combination. Few modern combination locks use more than four tumblers because combina-tions of five or more symbols are unwieldy and hard to remember. Older models, however, used as many as six.

Both drive cam and dial are fixed to the ­spindle so that as the dial is rotated, the drive cam will also rotate in an identical fashion. The drive cam has two functions. It is the means by which motion of the dial is transferred to the wheels, and when all wheels are properly aligned and the fence retracted, it is the mechanism by which the bolt lever is pulled to retract the bolt.

The wheels are not fixed to the spindle but ride on a wheel post that fits over the spindle. These wheels are free floating and will not rotate when the dial is turned unless the flies are engaged. The flies are designed to engage pins on the wheels at predetermined points (determined by the combination of that particu-lar lock). When the flies engage these pins, the wheels pick up the rotating motion of the dial. When the flies are not engaged, the wheels will remain in place when the dial is rotated.

To operate a typical three-wheel combina-tion lock, the dial is first turned four times in one direction to allow all of the flies to engage their respective wheels so that as the dial is being turned, all of the wheels are rotating with it. At this point the wheels are said to be nested. The object is to disengage each wheel at the spot where its gate will be aligned with the fence. To do this, the operator stops the dial when the first number of the combination reaches the index mark on the dial ring. This first stop aligns the gate of wheel 1 with the fence.

The operator then reverses direction to dis-engage wheel 1, which remains stationary, and

rotates the dial three turns to the second number in the combination. When this number is under the index mark, wheel 2 is aligned. Again revers-ing direction to disengage wheel 2, the operator makes two turns to the last number of the com-bination. This aligns wheel 3. At this point all of the gates are aligned with the fence. The opera-tor then reverses direction once again and turns the dial until it stops.

This last operation has two functions. It aligns the gate on the drive cam with the fence, which permits the fence to retract into the space provided by the three gates in the wheels and the fourth gate in the drive cam. The bolt lever is now engaged with the wheels and drive cam. As the operator continues rotating the dial, the drive cam pulls the bolt lever to retract the bolt. When the dial will no longer rotate, the bolt is fully retracted, and the lock is open.

The security afforded by combination mecha-nisms varies widely. The critical elements are the number of tumblers used in the lock, the num-ber of positions on the tumbler where the gate can be located, and the tolerances in the width of the gate and fence. Wide tolerances allow the fence to enter the gates even when they are not quite completely aligned, so that, although the proper combination may be 10–35–75, the lock may also operate at 11–37–77.

Until the 1940s, it was often possible to open many combination locks by using the sound of the movement of the tumblers and feeling the friction of the fence moving over the tumblers as indicators of tumbler position. (Tumblers in com-bination locks do not click despite Hollywood’s contentions to the contrary.) Skilled operators were often able to use sound and feel to deter-mine when each tumbler came into alignment. Modern technology has all but eliminated these possibilities, however, through the introduc-tion of sound baffling devices, nylon tumblers, improved lubricants to eliminate friction, false fences, and cams that suspend the fence over the tumblers so that they do not make contact until after the gates are already aligned (Fig. 7.14).


Another manipulation technique of recent vintage utilized the fact that the tumbler wheels with gates cut into them are unbalanced: more weight is on the uncut side than on the cut side. By oscillating the dial, these cut and uncut sides could be determined, and the location of the gates estimated. The introduction of counter-balanced tumblers has virtually eliminated this approach to the better mechanisms.

Radiology has also been used to defeat com-bination locks. A piece of radioactive material placed near the lock can produce ghost images of the tumblers on sensitive plates, showing the location of the gates. Nylon and Teflon tumblers and shielding material that are opaque to radia-tion are used to defeat this technique.


Most lever tumbler and warded mechanisms contain an integrated bolt as a part of the mech-anism. The key operates directly to throw the bolt, thereby opening and locking the lock. This is not true of pin and disc tumbler locks. These consist of two major components. The cylinder plug, the shell, the tumblers, and springs are contained in an assembly known as the cylin-der. The other major component is the lock body, which consists of the bolt assembly and case or housing. The bolt assembly consists of the bolt, a rollback, and a refractor . This assembly trans-lates the rotating motion of the cylinder plug to the back-and-forth motion that actually oper-ates the bolt. When the cylinder is inserted into the lock body, it is typically connected to the bolt assembly by a tail piece or cam. A cylin-der can be used in a number of different lock bodies. Here we will be primarily concerned with the types of bodies used on standard resi-dential and light commercial doors. The pin tumbler is the usual mechanism used in these locks, although some manufacturers offer door locks using disc tumbler cylinders (such as the Schlage Cylindrical Lock).


There are two types of bolts used for most door applications: the latch bolt and the dead bolt. Examples of these are illustrated in Fig. 7.15. They are easily distinguished from each other. A latch bolt always has a beveled face, whereas the face on a standard dead bolt is square.

Latch Bolt

This bolt, which is sometimes called simply a latch, a locking latch (to distinguish it from nonlocking latches), or a spring bolt is always spring-loaded. When the door on which it is mounted is in the process of closing, the latch bolt is designed to automatically retract when its beveled face contacts the lip of the strike. Once the door is fully closed, the latch springs back to extend into the hole of the strike, securing the door.

A latch bolt has the single advantage of con-venience. A door equipped with a locking latch will automatically lock when it is closed. No additional effort with a key is required. It does not, however, provide very much security.

The throw on a latch bolt is usually ⅜ inch but seldom more than ⅝ inch. Because it must be able to retract into the door on contact with the lip of the strike, it is difficult to make the throw much longer. But, because there is always some space between the door and the frame, this means that a latch may project into the strike no more than Ό inch (often as little as ⅛ inch on poorly hung doors). Most door jambs can be spread at least ½ inch with little effort, permitting an intruder to quickly circumvent the lock.

Another undesirable feature of the latch bolt is that it can easily be forced back by any thin shim (such as a plastic credit card or thin knife) inserted between the face plate of the lock and the strike. Antishim devices have been added to the basic latch bolt to defeat this type of attack. They are designed to prevent the latch bolt from being depressed once the door is closed. Fig. 7.16A shows a latch bolt with antishim device. These are

Lock Bodies





image23.jpg LIP


FIGURE 7.15 Basic types of bolts.

(A) (B)


DEVICE image24.jpg





FIGURE 7.16 Modified latch bolts: (A) latch bolt with antishim device and (B) antifriction latch bolt with antishim device.

often called deadlocking latches, a term that is mildly deceptive since these latches do not actually dead-lock and they are not nearly as resistant to jimmy-ing as deadlocks. Often a thin screwdriver blade can be inserted between the face plate and the strike and pressure applied to break the antishim mechanism and force the latch to retract.

Another type of latch bolt, shown in Fig. 7.16B, is called an antifriction latch bolt. The antifriction device is designed to reclosing pressure required to force the latch bolt to retract. This permits a

heavier spring to be used in the mechanism. Most modern antifriction latches also incorporate an antishim device. Without it, the antifriction latch is extremely simple to shim.

Dead Bolt

The dead bolt is a square- faced solid bolt that is not spring-loaded and must be turned by hand into the locked and unlocked position. When a dead bolt is incorporated into a lock-ing mechanism, the result is usually known













(B) (D)

FIGURE 7.17 Modified dead bolts. Note the difference in penetration into the jamb. The deeper penetration afforded by the pivoting bolt increases protection against jamb spreading.

as deadlock . The throw on a standard dead bolt is also about ½ inch, which provides only minimal protection against jamb spreading. A long-throw dead bolt, however, has a throw of 1 inch or longer. One inch is considered the minimum for adequate protection. Properly installed in a good door using a secure strike, this bolt provides reasonably good protection against efforts to spread or peel the jamb.

The ordinary dead bolt is thrown horizon-tally. On some narrow-stile doors, such as alu-minum-framed glass doors, the space provided for the lock is too narrow to permit a long hori-zontal throw. The pivoting dead bolt is used in this situation to get the needed longer throw (Fig. 7.17A). The pivoting movement of the bolt allows it to project deeply into the frame, at least 1 inch, usually more. A minimum of 1 inch

Door Lock Types


is recommended. When used with a reinforced strike, this bolt can provide good protection against efforts to spread or peel the frame.

Increased security against jamb spreading is provided by a number of different types of dead bolts that collectively are known as inter-locking dead bolts. These are specifically designed to interlock the door and the strike so that the door jamb cannot be spread. The most common of these is the vertical-throw dead bolt shown in Fig. 7.17B. This is usually a rim-mounted device. The other two devices shown in Fig. 7.17C–D (the expanding dead bolt and the rotating dead bolt) are meant to be mounted inside the door. These locks require a securely mounted strike or they are rendered ineffective.


Five basic lock types are used on most doors in the United States: mortise, rim-mounted, tubular, cylindrical, and unit. Each of these has a number of advantages and disadvantages from the point of view of the protection offered. Each, however, with the single exception of the cylin-drical lockset, can offer sound security when a good lock is properly installed.


It was but a few years ago that almost all resi-dential and light commercial locks were mortise locks. A mortise lock, or lockset, is installed by hol-lowing out a portion of the door along the front or leading edge and inserting the mechanism into this cavity. Suitable holes are then drilled into the side of the door in the appropriate spot for the cylinders and door knob spindle (where the door knob is part of the unit, as is usually the case). Fig. 7.18A shows a typical mortise lockset. These mechanisms require a door that is thick enough to be hollowed out without losing a great deal of its strength in the process. One of the major weaknesses of mortise locks is that the cylinder

is usually held in the lock with a setscrew, which provides very little defense against pulling or twisting the cylinder out of the lock with a suit-able tool. Cylinder guard plates can be used to strengthen the lock’s resistance to this threat. On some mortise locks, the trim plate acts as a cylin-der guard.

Rim Mounted

A rim-mounted mechanism is simply a lock that is installed on the surface (rim) of the door (Fig. 7.18B). Most are used on the inside surface, since outside installation requires a lock that is reinforced against direct attacks on the case. These are usually supplementary locks installed where the primary lock is not considered enough protection. These may or may not be designed for key operation from the outside. If they are, a cylinder extends through the door to the outside where it can be reached by a key.


This lock (sometimes called a bore-in) is installed by drilling a hole through the door to accommodate the cylinder (or cylinders) and a hole drilled from the front edge of the door to the cylinder for the bolt assembly (Fig. 7.18C). This type of installation has virtually replaced the mortise lock in most residential and light com-mercial applications because it can be installed quickly and by persons of limited skill.

Cylindrical Lockset

The cylindrical lockset ordinarily uses a lock-ing latch as its sole fastening element (Fig. 7.18D). It is installed like the tubular lock by drilling two holes in the door. The cylinders are mounted in the doorknobs, rather than in a case or inside the door, which makes them vulnerable to just about any attack (hammering, wrenching, etc.) that can knock or twist the knob off the door. Unfortunately, because it is inexpensive and simple to install,


(A) (B)

(C) (D)




The absence of exposed screws

and use of deep mounting

Cut-Out in

flanges increase this particular

model’s resistance to forceful
























FIGURE 7.18 Lock types: (A) mortise deadlock, (B) rim deadlock with rim strike, (C) tubular deadlock, (D) cylindri-cal (lock-in-knob) lockset, (E) unit lock, (F) Ideal Superguard Lock II. Note washers must be used for additional protection against cylinder pulling. These are not supplied with the lock.

Door Lock Types


(A) (B)
















FIGURE 7.19 Mortise lock cylinder installation: (A) with setscrew and (B) with interlock screws.

about 85% of all residential locks currently used in new construction in the United States are of this type. It provides virtually no security whatsoever. There is perhaps no harder or faster rule in lock security than the rule that all cylindrical locks should be supplemented by a secure, long-throw dead bolt. Or, better yet, they should be replaced. A number of more secure locks designed to replace the cylindrical lock are now on the market. One of these is illustrated in Fig. 7.18D.

Unit Locks

A unit lock is installed by making a U-shaped cutout in the front edge of the door and slip-ping the lock into this cutout (Fig. 7.18E). This type of lock usually has the advantage of hav-ing no exposed screws or bolts. It is ordinarily used in place of mortise locks where the door is too narrow to mortise without considerable loss of strength. A good unit lock properly installed on a solid door provides excellent protection against attempts to remove the cylinder or to pry or twist the lock off the doors.


Cylinders are mounted in the lock body in a number of ways. Most mortise cylinders are threaded into the lock and secured with a small setscrew (Fig. 7.19). Tubular and rim locks use cylinder interlock screws inserted from the back of the lock. Better mechanisms use Ό-inch or larger diameter hardened steel screws for maximum resistance to pulling and wrenching attacks (Fig. 7.19). Better cylinders incorporate hardened inserts to resist drilling.

Two basic cylinder configurations are avail-able. Single-cylinder locks use a key-operated cylinder on the outside, and a thumb turn or blank plate on the inside (Fig. 7.20). Double-cylinder locks use a key -operated cylinder on both sides of the door (Fig. 7.20). This pre-vents an intruder from breaking a window near the door, or punching a hole through the door, reaching in, and turning the lock from the inside. The disadvantage of double cylin-ders is that rapid exit is made difficult since the key must first be located to operate the inside






FIGURE 7.20 (A) Single cylinder deadlock with interior thumb turn. (B) Double-cylinder deadlock with interior key cylinder.

cylinder. If a fire or other emergency makes rapid evacuation necessary, a double-cylinder lock could pose a considerable hazard.


The distinguishing feature of padlocks is that they use a shackle rather than a bolt as the device that fastens two or more objects together (Fig. 7.21). The shackle is placed through a hasp, which is permanently affixed to the items to be fastened. Three methods are commonly used to secure the shackle inside the lock body. The sim-plest and least secure method is to press a piece of flat spring steel against an indentation in the shackle. When the key is inserted, it rotates to spread the spring releasing the shackle (Fig. 7.22). This is a locking method commonly found on warded padlocks. It is found more rarely on tum-bler-type locks, but it is found occasionally on the less expensive models.

A slightly more secure method uses a lock-ing dog. The dog is spring-loaded and fits into a notch cut into the shackle (Fig. 7.22). The key is used to retract the dog, permitting the shackle

to be withdrawn. Both of these spring-loaded mechanisms are vulnerable to attacks that take advantage of the fact that the locking device can be forced back against the spring by a suitable tool. Shimming and rapping are common tech-niques used to open them. Often a stiff wire can be pushed down the shackle hole to engage and force back the spring or locking dog. Spring-loaded padlocks should not be used where rea-sonable security is required.

Positive locking techniques do much to reduce the vulnerability of padlocks to these types of attacks. The most common positive locking method uses steel balls inserted between the cyl-inder and the shackle. In the locked position, the ball rests half in a groove in the cylinder and half in a notch cut into the shackle. In this position the shackle cannot be forced past the steel ball. When the cylinder is turned to the unlocked position, the groove deepens, permitting the ball to retract into the cylinder when pressure is put on the shackle. This releases the shackle and opens the lock. These locks are designed so that the key cannot be removed unless the lock is in the locked position.

Door Lock Types


























Note how little of the shackle is exposed to a potential attack.

image25.jpg CYLINDER



FIGURE 7.21 (A) Warded padlock. (B) High-security padlock. (C) Shackleless padlock.

Padlocks are vulnerable to attacks at several points. The shackle can be pried out of the lock by a crowbar or jimmy, or it can be sawed or cut by bolt cutters. The casing can be crushed or dis-torted by hammering. Modifications have been incorporated into better padlocks to reduce their vulnerability to these approaches. Heavy, hard-ened steel cases and shackles are used to defeat cutting and crushing. Rotating inserts and spe-cial hardened materials are used to prevent the sawing of shackles. Toe and heel locking is used to prevent prying (Fig. 7.22).

High-security padlocks are large and heavy, using hardened metals in the case, and a thick, hardened, and protected shackle. Positive locking methods are always used. As little of the shackle is exposed to attack as possible in the locked position. A typical high-­security padlock is shown in Fig. 7.21. This is the shackleless­ padlock, which is designed so that a locking bar that is contained entirely inside the case is used in the place of an exposed shackle. This is sometimes called a hasp lock rather than a padlock.


(A) (B)








FIGURE 7.22 Three methods of securing the shackle inside the lock body: (A) warded padlock with locking spring (heel locking), (B) padlock with locking dog (toe locking), and (C) positive locking padlock (heel and toe locking).

Attacks and Countermeasures


A padlock is, however, no better than the hasp it engages. Hasps offering reasonable security­ are made of hardened metals. They must be properly mounted on solid materials so that they cannot be pried off. In the locked position, no mounting screw or bolt should be accessible. Padlocks and hasps should always be considered as a unit. There is no point in mounting a high-security padlock on an inferior­ hasp. The hasp and lock should always be about the same quality. Where they are not, the complete device is only as good as its weakest member.


Strikes are an often overlooked but essential part of a good lock. A dead bolt must engage a solid, correctly installed strike, or its effectiveness is significantly reduced. The ordinary strike for residential use is mounted with two or three short (usually less than 1 inch) wood screws on a soft wood door frame. It can be easily pried off with a screwdriver. High-security strikes are wider and longer and often incorporate a lip that wraps around the door for added protection against jimmying and shimming (Fig. 7.23). Three or more offset wood screws at least 3½ inches long are used to mount the strike. These screws must extend through the jamb and into the studs of the door frame. This provides added protection against prying attacks. Additionally, none of the fastening screws should be in line. In-line screws tend to split soft wood when they are screwed in. Strikes designed for installation on wood frames should always use offset screws as fasteners.

Reinforced steel should be used on metal-framed doors, especially aluminum frames. Aluminum is an extremely soft metal and, unless a reinforced strike is used, the jamb can be peeled away from the strike area, exposing the bolt to a number of attacks or allowing it to clear the jamb thereby freeing the door to open.

Bolts should be used to mount strikes in metal frames. If the bolt does not penetrate a substan-tial steel framing member, then a steel plate should be used to back the bolt (very large steel washers may be an acceptable substitute). This prevents the strike from being pried out of alu-minum or thin steel frames.



There are two basic methods of attacking locks: surreptitious techniques and force. There are also a number of ways of circumventing a lock by assaulting the objects to which it is fas-tened. This chapter will be concerned only with techniques used to defeat locks and the measures that can be used to forestall those techniques.

No lock is completely invulnerable to attack. A lock’s effectiveness is determined by how long it will resist the best effort of an intruder. An expert can pick an average pin tumbler cyl-inder in seconds, and no lock can survive strong force applied for a sufficient length of time. The sole object of using any lock at all is to delay an intruder. A good lock makes entry riskier or more trouble than it is worth, and that is the objective. Fortunately, most potential intruders are not experts, thus most moderately secure locks can survive for a reasonable amount of time against common attack techniques.

The proper use of countermeasures will sig-nificantly reduce a locking system’s vulnerabil-ity to breaching by an unauthorized person. However, not all of the countermeasures sug-gested in the following sections will be appro-priate for every application. There is always the necessity of striking a suitable compro-mise between the expense and inconvenience of a locking system and the value of the items it is designed to protect. Complex and expen-sive very-high-security systems are simply not appropriate for most residential applications.


(A) (B) (C)





image26.jpg JAMB

image27.jpg 1½" image28.jpg image29.jpg 1½"image30.jpg image31.jpg ¾"

image32.jpg 3½" image33.jpg MORTISE


FIGURE 7.23 High-security strikes: (A) security strike with reinforced lip to prevent jimmying and shimming, (B) secu-rity strike for wood frames with offset screws, (C) normal strike, and (D) proper installation of a strike on a wood frame.

On the other hand, a cheap padlock on a warehouse containing valuable merchandise is an open invitation for someone to break in and steal it. The objective should always be to ensure reasonable protection in the circum-stances surrounding a particular application. With locks, overprotection is often more harm-ful than insufficient protection. If the user is faced with a more complex security system than

is really necessary, she or he simply will not use it. A great many unlawful entries are still made through unlocked doors and windows. The temptation to avoid the inconvenience of constantly locking and unlocking barriers seems to be insurmountable for some people. Contributing to this temptation by insisting on more protection than the user actually needs simply aggravates the problem.

Attacks and Countermeasures


Surreptitious Attacks

Four basic surreptitious approaches are used to breach locking devices: illicit keys, circumvention of the internal barriers of the lock, manipulation of the internal barriers, and shimming. The susceptibility of any lock-ing device to these approaches cannot be elim-inated but can be minimized through the use of commonsense countermeasures.

Illicit Keys

The easiest way of gaining entry through any lock is by using the proper key for that lock. Thousands of keys are lost and stolen every year. A potential intruder who can determine which lock a lost or stolen key fits has a simple and quick means of illicit entry. If an intruder cannot get hold of the owner’s key, quite often he or she can make a duplicate. The casual habit of leaving house keys on the key ring when a car is left in a commercial parking lot or for servic-ing provides a potential intruder with a golden opportunity to duplicate the house keys for later use. One can also find out the owner’s address very quickly by examining the repair bill or trac-ing the automobile license number.

The risk of lost, stolen, or duplicated keys cannot be eliminated entirely, but certain steps can be taken to minimize it.

Maintain Reasonable Key Security

· Under some circumstances, it is almost impossible to avoid leaving at least the ignition key with a parked car or one to be serviced. But all other keys should be removed.

· When keys are being duplicated, the owner should ensure that no extra duplicates are made.

· Many locks, particularly older locks, have their key code stamped on the front of the case or cylinder. This permits anyone to look up the code in a locksmith’s manual and find the proper combination for that lock (or for that combination lock). Codebooks are

readily available for most makes of locks, so if the code appears anywhere on the lock where it can be read after the lock is installed and locked, it should be removed by grinding or over stamping. If removal is not possible, the lock or its combination should be changed.

· Managers and owners of commercial enterprises should maintain strict control over master keys and control keys for removable-core cylinders. The loss of these keys can compromise the entire system, necessitating an extensive and expensive system-wide recombination. Too often in large institutions just about everyone can justify a need for a master key. This is nothing more than a demand for convenience that subverts the requirements of good security. The distribution of master keys should be restricted to those who literally cannot function without them.


Since it is impossible to prevent people from losing keys no matter how careful they are, the next precaution is to ensure that the lost key cannot be linked to the lock it operates.

· The owner’s name, address, telephone number, or car license number should never appear anywhere on a key ring. This has become common practice to ensure the return of lost keys, but if they fall into the wrong hands, the address provides a quick link between the keys and the locks they fit. The proper protection against lost keys is to always have a duplicate set in a secure place.

· For the same reasons, keys stamped with information that identifies the location of the lock should not be carried around. This used to be a common practice on locker keys, safety deposit box keys, and some apartment building keys. It is no longer as common as it once was, but it still exists. If the keys must be carried, all identifying information should be obliterated, or they should be duplicated on a clean, unmarked key blank.


Recombinate or Replace Compromised Locks

If all these precautions fail and the owner reasonably believes that someone has obtained keys to her or his locks, the combinations of these locks should be changed immediately. Where this is not possible, the locks may have to be replaced. When only a few locks are involved, recombinating cylinders is a fairly quick and inexpensive operation well within the compe-tence of any qualified locksmith.

Another common attack method using a key against which there is less direct protection is the try-out key. Try-out key sets are a common locksmith’s tool and can be purchased through locksmith supply houses, often by mail. These sets replicate the common variations used in the combination of a particular lock series. In opera-tion, they are inserted into the lock one at a time until one is found that will operate the lock.

Try-out keys are commercially available only for automotive locks. There is nothing, however, to prevent a would-be intruder from building a set for other locks. In areas where one contrac-tor has built extensive residential and commer-cial developments, most of the buildings will often be fitted with the same lock series. If it is an inexpensive series with a limited number of useful combinations, a homemade try-out key set that replicates the common variations of this particular lock series could be very useful to the potential intruder.

The defense against try-out keys is simply to use a lock with a moderate to high number of available combinations. Any lock worth using has at least several thousand useful combina-tions. No intruder can carry that many try-out keys, so the risk that he or she will have the proper key is minimal.

Circumvention of the Internal Barriers of

the Lock

This is a technique used to directly oper-ate the bolt completely bypassing the locking

mechanism that generally remains in the locked position throughout this operation. A long, thin stiff tool is inserted into the keyway to bypass the internal barriers and reach the bolt assembly. The tool (often a piece of stiff wire) is then used to maneuver the bolt into the retracted, unlocked position. Warded locks are particularly vulnerable to this method (as was indicated earlier), but some tumbler mecha-nisms with an open passageway from the key-way to the bolt assembly are also susceptible. Some older padlocks and cylindrical mecha-nisms had an open passageway of this sort. Few of these are manufactured anymore, but some of the older models are still in use. Any lock that has this type of an opening should be replaced with a better device if reasonable security is a requirement.


The term manipulation covers a large num-ber of types of attacks. At least 50 discrete techniques of manipulating the mechanism of a lock without the proper key have been identified. Fortunately, however, they all fall rather neatly into four general categories: picking, impressioning, decoding, and rapping. Regardless of the specific technique used, its purpose is to maneuver the internal barriers of a tumbler mechanism into a position where they will permit the bolt to be retracted. In a disc or pin tumbler mechanism, this means that the cylinder plug must be freed to rotate; in a lever lock, the levers must be aligned with the fence.

The basic countermeasures against all forms of manipulation are the use of close tolerances in the manufacture of the mechanism and increasing the number of pins, discs, or levers. Close tolerances and a large number of tumblers make manipula-tion a time-consuming process. A number of spe-cific defenses to the various forms of manipulation have also been developed. These will be presented in some detail in the ­following sections.

Attacks and Countermeasures




Lock picking is undoubtedly the best known method of manipulation. It requires skill devel-oped by dedicated practice, the proper tools, time, and often a small dose of good luck. No lock is pick proof, but the high-security locks are so difficult to pick that it takes even an expert a long time to open them. One definition of a high-security mechanism, in fact, is one that cannot be picked by an expert in less than half a minute.

The techniques involved in picking the three basic types of tumbler mechanisms are very similar that an example using the pin tumbler cylinder will serve to illustrate the rest.

All picking techniques depend on the slight clearances that must necessarily exist in a mech-anism for it to function. The basic technique requires slight tension to be placed on the part of the mechanism that retracts the bolt (which is the cylinder plug in pin tumbler mechanisms) by a special tension tool designed for that purpose (Fig. 7.24). The result of this tension is shown in Fig. 7.25. The pin chamber in the plug has moved slightly out of alignment with the pin chamber in the cylinder shell, creating two lips at points A and B. When the key pin is pushed up by the pick, it tends to catch at the shear line because the lip at point A permits it to go no farther. This pushes the driver above the shear line where the lip at point B prevents it from falling down into the cylinder plug once more. As long as tension is maintained, it will stay above the shear line.

This operation is facilitated by the fact that, as shown in Fig. 7.26, the pin chambers in a cylin-der plug are seldom in a perfectly straight line. Consequently, the pin closest to the direction of tension will be more tightly bound than the rest of the pins when tension is applied. It can easily be located because it will offer the most resistance to being maneuvered by the pick. Each pin is tested by lifting it with the pick. The pin that is most resistant is picked first. When this pin reaches the shear line, often the cylin-der plug will move slightly. The picker receives two important benefits from this very small







FIGURE 7.24 Lock picks: (A) standard pick, (B) rake pick, (C) tension tool, (D) special pick for tubular mecha-nisms, and (E) pick and tension tool in use.

movement: first it indicates that the pin has indeed been lifted to the shear line, and second, the movement of the cylinder increases the mis-alignment between the pin chamber in the plug and the one in the shell, making it even less likely that the driver will drop down into the plug (Fig. 7.27). Once this pin has been picked, the next pin nearest the direction of tension will be the most tightly bound. It is located and picked next. The cylinder plug will again move a very small amount. This operation continues until all of the pins are picked above the shear line and the cylinder plug is free to rotate.


B image34.jpg A


FIGURE 7.25 Illustration of the misalignment caused in a pin tumble cylinder when tension is applied.





FIGURE 7.26 Pin chamber misalignment. Pin chambers on even the best cylinders are not in a perfectly straight line. The misalignment in this illustration is highly exaggerated for clarity.

There are endless variations of this basic picking­ technique. One of the most common is the use of a rake pick . When this pick is used, very slight tension is applied to the plug, and then the rake is run along the tumblers lifting them slightly each time until all of them reach the shear line. Raking increases the chance that one or more key pins will inadvertently be pushed up into the cylinder shell, which will not allow the plug to rotate. It is often necessary to release the tension applied to the plug and start over again several times. Nevertheless, it is a very fast technique and very popular. With luck, an expert using a rake can pick an average pin tumbler in a few seconds.


FIGURE 7.27 Increased misalignment occurs as each pin is picked.

Most of the improvements in lock technol-ogy made over the last few thousand years have been devoted to increasing the resistance of locks to picking. The major defense is the use of very close tolerances in the mechanism during manufacture. This makes the forced misalignment between the plug and shell nec-essary for successful picking more difficult to achieve. The addition of more tumblers is also some protection against picking, since it takes the operator more time to pick all of the tumblers in the mechanism. The Sargent Keso mechanism and the Duo disc tumbler use this basic approach. The 12 pins in the former and 14 (soon to be 17) discs in the high- security (UL listed) Duo take a reasonably long time for one to pick successfully. In addition, the unusual configurations of these tumblers make picking even more difficult.

The unusual arrangement of tumblers is also a basic security feature of Ace (tubular) mecha-nisms. These cannot be picked using ordinary picks, but there are special tools available that facilitate picking this lock. The Ace lock also requires special skills, but these are not too dif-ficult to achieve once basic picking techniques have been mastered.

Attacks and Countermeasures




image35.jpg TUMBLER

image36.jpg PLUG


make it extremely difficult to pick the key pin to the shear line, since, when interlocked, the two pins act as if they were one solid pin. The key pin and driver will not split at the shear line unless the pins are first rotated to the correct position.

Fewer such embellishments are possible with discs and levers. Most high-security lever locks, however, do use levers that have a front edge cut in a sawtooth design (serrated). These serrations tend to catch on the fence as it is pushed back to provide pressure on the levers. This often makes it necessary for the operator to release tension and start over again, which increases the time spent picking the lock. The use of two sets of levers with two corresponding fences also increases a lever mechanism’s resistance to picking attempts.


FIGURE 7.28 Mushroom and spool tumblers tend to bind in the pin hole when manipulation is attempted.

Modifications of pin design for increased resistance to picking (and other forms of manip-ulation) are becoming increasingly important as a basic means of precluding this form of attack. As shown in Fig. 7.28, mushroom, spool, and huck pins tend to bind in the pin chamber when tension is applied to the cylinder plug, prevent-ing the key pin from reaching the shear line. The use of these pins does not provide an absolute defense against picking attempts, but a steady hand and a great deal of skill are required to pick them successfully.

Pins that must be rotated provide what is perhaps the maximum protection currently available against picking. The Medeco and the new Emhart interlocking mechanism both require pins to be lifted to the shear line and rotated to a certain position before the lock will operate. It is very, very difficult to consis-tently rotate these pins into the correct posi-tion. The interlocking pins on the Emhart also


Impressioning is a technique used to make a key that will operate the lock. It cannot ordinar-ily be used against high-security mechanisms, but against the average lock it can be very successful.

To make a key by impressioning, a correct key blank is inserted into the lock. It is then securely gripped by a wrench or pliers (there are also special tools available for this purpose) and a strong rotational tension is applied to the plug. While this tension is applied, the key is moved up and down in the keyway. Since the tumblers are tightly bound in the lock by the tension applied to the plug, they will leave marks on the blank. The longest key pin will leave the strongest impression. The key is then removed and a slight cut is filed in the blank. The top of the key is smoothed down with a file or abrasive paper, and the key is again inserted to pick up the impression of the next longest pin. As long as the pin leaves an impression, the cut is deepened. When the pin will no lon-ger leave a mark, the cut is at the right depth. When all of the cuts are to the right depth, the key will operate the lock and permit entry.


Certain types of lock mechanisms are more susceptible to impressioning than others. Warded locks are easily defeated by this method since the fixed wards can be made to leave strong impressions, and, as previously stated, the depth of the cut on a warded key is not criti-cal. Lever locks are probably the most immune to this technique, since it is difficult to bind the levers in such a manner that they will leave true impressions on the key blank. The use of ser-rated levers greatly increases this difficulty.

The average pin and disc tumbler mecha-nism is vulnerable to this approach, but some of the better high-security mechanisms, because of their unusual keys, are not. The Medeco and Emhart interlocking mechanisms are highly resistant. The correct angles of the slant cuts necessary on these keys cannot be determined by impressioning. The special design of the pins in the BHI Huck-Pin cylinder makes the pins bind almost anywhere in the pin hole except at the shear line. All of the impressions that appear on the key blank are, therefore, likely to be false impressions. So, although this mechanism uses a fairly standard paracentric key, it is still very difficult to defeat by impressioning. Modified spool and mushroom tumblers in any pin tum-bler mechanism also tend to increase the diffi-culty of getting good impression marks.


Another method of making a key for a partic-ular lock is through decoding. It was mentioned

earlier that most disc tumbler mechanisms can be sight read fairly easily. Sight reading involves the manipulation of the tumblers with a thin wire while noting their relative positions in the keyway. Since each mechanism has only a lim-ited number of possible tumbler increments, the correct alignment of these increments can be estimated with fair accuracy, permitting a key to be filed or cut on the spot to rotate the lock. This is one method of decoding.

A more common method is to insert a decod-ing tool or a specially marked key blank for a short distance into the keyway of a pin or disc tumbler mechanism. Using the key, rotational tension is applied to the plug, which causes mis-alignment between the pin chambers in the plug and shell. The key is then slowly inserted into the keyway until it has forced the first tumbler to the shear line (Fig. 7.29). The length of this first key pin is determined by the distance the blank (or special tool) enters the keyway. The blank is then moved to the second tumbler, and so on until the length of all of the tumblers is determined and a key can be cut.

Pin tumbler cylinders have wide tolerances, which are the mechanisms that are most suscep-tible to this particular decoding method. Disc tumblers are less so, although most can easily be sight read. (The Duo, however, is very resis-tant to sight reading.) Lever locks require special equipment to decode.

The special features offered on some high-security pin tumbler systems dramatically





FIGURE 7.29 Decoding using a marked key blank.

Attacks and Countermeasures


increase their resistance to this technique. Some are almost immune. The Ace can be decoded, but it usually requires special tools. The use of mushroom or spool tumblers in almost any mechanism increases its resistance to decod-ing. And, of course, the close tolerances of any of the better mechanisms are a basic defense against decoding as well as impressioning and picking.


This approach relies on the fact that pins in a tumbler mechanism can move freely in the pin chambers. Tension is applied to the plug, result-ing in the usual misalignment between the core and shell pin bores. The lock is then struck with a sharp tap just above the tumblers. This causes the pins to jump in their bores. As each key pin reaches its shear line, it pushes the driver before it into the shell where it tends to bind, unable to drop back down into the plug because of the lip caused by the misalignment. Not all of the driv-ers will be pushed over the shear line by one rap. Several may be required.

Theoretically, almost any lock may be defeated by rapping, but in practice it is a method that is used primarily on padlocks. Since padlocks are not encased in a door, they respond more freely to rapping. Modified, manipulation-resistant pins make rapping very difficult, but not impos-sible; it is, nevertheless, not a practical approach to high-security padlocks, which use close toler-ances and modified pins.


Any part of a locking mechanism that relies on spring pressure to hold it in place is vulner-able to shimming unless it is protected. Spring-loaded latch bolts can be shimmed by a thin plastic or metal tool unless they are protected by antishim devices. The locking dogs in pad-locks are susceptible to a shim inserted into the shackle hole. The shim acts to force the dog back against the spring pressure releasing the shackle.

Padlocks that use heel and toe locking are more difficult to shim, but the safest course to use is a nonsprung, positive locking system that cannot be threatened by shimming.

Forceful Attacks

If a potential intruder does not have the skills necessary to decode, impression, or pick a lock, the only course is to find a key or use force against the lock to disable and breach it. Comparatively few intruders have devel-oped manipulative skills, so it is not surpris-ing that the large majority of attacks on locks employ force of one kind or another. Locks can be punched, hammered, wrenched, twisted, burned, pulled, cut, exploded, and pried. Given the right tools and a sufficient amount of time, any lock can be defeated by force. But the nature of forceful attacks entails a number of real dis-advantages to an intruder who is trying to gain entry without being discovered in the process. First, large and cumbersome tools that are diffi-cult to carry and conceal are often required. This is especially true if one of the better protected locks is being attacked. Second, forceful attacks usually make a considerable amount of noise. Noise, especially unusual noise, tends to prompt people to investigate. Third, it is always imme-diately evident to even a casual observer that the lock has been attacked. When surreptitious tech-niques are used, the lock can be opened without damage and relocked, and no one will be able to tell that an unlawful entry has taken place. This often permits the intruder to thoroughly cover tracks even before an investigation is started.

The object of countermeasures against force-ful attacks is to increase these hazards. Generally, more force will have to be applied to stronger, better protected locks, requiring larger and more sophisticated tools, taking more time, making more noise, and leaving more evidence that the lock has been defeated.

Although it is sometimes possible to wrench, pry, or pull an entire lock out of a door, most attacks are directed at either the bolt or the


cylinder. If the bolt can be defeated, the door is open. If the cylinder can be defeated, the bolt can be maneuvered into an unlocked position. The common type of attack will be presented in the next section, along with measures that can be taken to strengthen a lock against them. It bears repeating that no lock is absolutely immune to forceful attacks. The object is to make its defeat more difficult, noisier, and more time-­consuming, increasing the chances that an intruder will be detected or simply give up before successfully breaching the lock.

Attacks on Bolts

Bolts can be pried, punched, and sawed. The object of these attacks is to disengage the bolt from the strike.

Jimmying and Prying

A jimmy is by definition a short prying tool used by burglars. It is a traditional and well-known burglary tool, but other, more lawful, prying tools will work just as well if not better. These include pry bars, crowbars, nail pullers, and large screwdrivers.

The easiest prying attack is against latch bolts with antishim devices. A screwdriver or simi-lar tool with a flat blade is inserted between the strike and latch bolt. Pressure is applied until the antishim mechanism inside the lock breaks. The latch is then easily pushed into the retracted position and the door is open. A supplementary long-throw or interlocking dead bolt is the best defense against this attack. No interlocking, long-throw dead bolts are theoretically vulner-able to jimmying, but it takes a much larger tool, more time, and the destruction or spreading of part of the door jamb so that the end of the dead bolt can be reached with the prying tool. Even then, a great deal of force is required to push the bolt back into the lock and free the door. These combined disadvantages make direct jimmy-ing attacks against long-throw dead bolts very impractical. They are even more impractical

against interlocking dead bolts. If the lock and strike are properly installed, the whole strike would have to be pried loose. This would ordi-narily entail the destruction of a considerable portion of the jamb around the strike.

A dead bolt also can be attacked indirectly by prying. An attempt is made to spread the door frame so that the bolt is no longer engaging the strike (Fig. 7.30). An average man can apply about 600 inch-pounds of force using a pry bar 30 inches long. This is usually more than enough to spread a door jamb to clear the normal 72-inch bolt, but a 1-inch (or longer) bolt is more difficult to clear. Interlocking bolts are almost impossible to defeat with this method since they, in effect, anchor the door to the door frame. To spread the frame, the entire strike would have to be pried out. A prop-erly installed security strike is very difficult to remove. Interlocking dead bolts were designed to resist just this type of attack. By and large, they

FIGURE 7.30 Jamb spreading by prying with two large screwdrivers.

Attacks and Countermeasures


are successful. When properly installed, they are, as a practical matter, ­virtually immune.

Automobile bumper jacks (or similar tools) can also be used to spread a door jamb and release the bolt (Fig. 7.31). Most American jacks are rated at 1 ton. It is probably safe to say that most wooden door frames will succumb to that much force. Reinforced metal frames are more resistant. Long-throw and interlocking dead bolts provide some protection. They may even provide enough protection in most circum-stances, since a jamb can only be spread so far by the jack before it buckles outward releasing the jack. The best defense against jamb spread-ing, however, is a properly constructed and rein-forced door frame.

Fortunately, this type of attack is fairly rare. An automobile jack is an awkward tool, hard to carry and conceal, and it requires some time to set up and operate.


The California Crime Technological Research Foundation (CCTRF) identified punching as a possible direct attack on a dead bolt (Fig. 7.32). The attacker would have to punch through the wall and framing members to reach the bolt. It would be fairly easy to miss the bolt on the first few tries, so several attempts may be nec-essary. In essence, the punch and hammer are used to force the bolt back into the body of the lock, allowing it to clear the strike. CCTRF deter-mined that an average man can apply a force of 125 inch-pounds with a 1-pound hammer.

FIGURE 7.31 Use of an automobile bumper jack to

spread the door frame. Standard bumper jacks are rated to

2000 pounds. The force of the jack can be applied between

FIGURE 7.32 Forcing the dead bolt with a drift punch

the two jambs of a door to spread them and overcome, by

deflection, the length of the latch throw.

and hammer.


Most bolts will probably succumb to a determined punching attack. But it is a noisy approach, and rather hit or miss since it is some-what difficult to tell if the punch is actually engaging the bolt, and the punch has a tendency to be a serious disadvantage to an intruder, mak-ing this an attack of last resort.


Bolts can be sawed by inserting a hacksaw or hacksaw blade between the face plate and the strike. (A portion of the jamb will usually be removed or the jamb spread to allow easy access.) Better locks now use hardened bolts or hardened inserts inside the bolt to resist saw-ing. An even better defense are free-wheeling rollers placed inside the bolt. When the saw reaches these rollers, the sawing action rolls them back and forth but will not cut them. Modified bolts are present in almost all rela-tively secure locks, and they are virtually immune to sawing attacks.


Another way to expose the bolt in metal-framed doors is by peeling. Thin sheet steel and aluminum can be easily peeled. The normal countermeasure against this attack is to use a reinforced strike. Peeling may also be used with prying in an attempt to force the bolt back into the lock.

Attacks on Cylinders

Like bolts, cylinders can be pried and punched. They also can be drilled, pulled, wrenched, or twisted. The usual objective of such attacks is to completely remove the cylinder from the lock. Once it has been removed, a tool can be inserted into the lock to quickly retract the bolt.

Cylinder Pulling

The tool usually used for cylinder pulling is a slam hammer or dent puller—a common auto-mobile body shop tool ordinarily used to remove

dents from car bodies. The hardened self-tap-ping screw at the end of the puller is screwed into the keyway as far as it will go. The hammer is then slammed back against the handle. More often than not, an unprotected cylinder will be yanked entirely out of the lock with one or two slams. CCTRF determined that 200 inch-pounds of force could be applied to a cylinder by a dent puller using a 2½-pound hammer having an 8-inch throw.

Many cylinders are vulnerable to this kind of attack because they are poorly anchored in the lock. Mortise cylinders, for example, are ordi-narily threaded into the housing and held in place with a small setscrew. The threads are usu-ally soft brass or cast iron. A good yank shears both these threads and the setscrew.

Most tubular and rim cylinders are held in place by two (or more) bolts inserted from the rear of the lock. This is a much more secure method of retaining the cylinder and one that resists pulling. Retaining bolts of at least Ό inch in diameter made of hardened steel are good protection against most pulling attempts.

The threat of pulling can be significantly reduced by the addition of a cylinder guard. Some better lock assemblies are offered with built-in guards. Locks that do not have a built-in guard can be protected with a bolt-on guard. These are bolted over the cylinder using carriage bolts that extend completely through the door (Fig. 7.33). They offer the maximum available resistance to pulling. The cylinder guard, when correctly mounted, can-not be pried off without virtually destroying the entire door.

Cylindrical (lock-in-knob) locksets are extremely vulnerable to pulling. Often the doorknob will be pulled off with the cylin-der, exposing the entire internal mechanism to manipulation. There is no method of rein-forcing a cylindrical lockset against the threat of pulling. The best measure is to replace it or add a good supplementary deadlock with a cylinder guard.

Attacks and Countermeasures










FIGURE 7.33 Bolt-on cylinder guard with back plate. This commercially available plate is of heavy aluminum and is mounted from the inside of the door with hardened steel bolts that enter threaded holes in the guard. It combines good protection with good appearance.

Lug Pulling

If the cylinder is protected against pulling, an attacker may turn to the cylinder plug. The plug is much harder to pull and requires a spe-cial tool that looks something like a gear puller. A hardened self -tapping screw is engaged in the keyway and pressure is slowly exerted on the plug until the tumblers snap and the plug can be pulled from the cylinder shell. The bolt mechanism can then be operated by a tool inserted through the shell. The ordinary cylin-der guard is no protection against this attack. A special guard is available, however, which is designed to prevent the plug from being pulled (see Fig. 7.34).

Wrenching, Twisting, and Nipping

Most cylinders project from the surface of the door sufficiently to be gripped by a pipe wrench or pliers. Twisting force is applied to the cylinder

FIGURE 7.34 Cylinder guard with rotating plug protector.

by the wrench, which is often sufficient to snap or shear the setscrews or bolts that hold the cyl-inder in the lock. If the cylinder does not project enough for a wrench to be used, a ground-down screwdriver can be inserted in the keyway and twisting force applied to the screwdriver with a wrench. CCTRF found that an 18-inch-long pipe wrench could apply a maximum torque of 3300 inch-pounds to a protruding cylinder hous-ing, and a screwdriver turned with a wrench could produce 600 inch-pounds.

The proper protection against this threat once again is a cylinder guard. Some of the built-in guards are free-wheeling, which prevents a twisting force from being successfully applied. Those that are not free-wheeling are still made of hardened steel, which does not allow the wrench to get a good bite, but more important, it prevents the wrench from reaching the actual cylinder. If a screwdriver and wrench are used, the cylinder might be twisted loose, but it can-not be pulled out. Although the lock might be damaged, it will not be defeated.

Bolt nippers also can be used to remove protruding cylinders by prying and pulling. Cylinder guards also forestall this type of attack.


Cylindrical locksets are very susceptible to wrenching, twisting, and nipping attacks. Some of the better cylindrical devices have free-wheeling doorknobs that provide some protection against wrenching and twisting. Some incorporate breakaway knobs, which do not expose the internal mechanism of the lock when the knob is twisted off. Nevertheless, combinations of twisting, pulling, and ham-mering attacks usually quickly defeat these devices. The best remedy is to replace cylin-drical mechanisms or supplement them with guarded deadlocks.


Cylinder plugs can be drilled out using a fairly large drill bit, but the most common drill-ing attack is centered on the shear line between the plug and shell (Fig. 7.35). A smaller bit is used to drill through the pins, creating a new shear line and releasing the plug, which can then be rotated using a screwdriver or key blank in the keyway. Most of the better locks incorpo-rate hardened inserts to frustrate drilling. Any lock receiving UL approval incorporates these features. Hardened materials do not prevent drilling, but drilling through tempered steel is a long and slow process, which greatly increases the chances of detection.

BHI’s Huck-Pin cylinder has an added pro-tection against drilling. When most cylinders are drilled at the shear line, the drivers will fall out of the shell into the plug, releasing the plug

to rotate. BHI’s drivers are flanged, which pre-vents them from falling out, so they still effec-tively lock the mechanism after it is drilled. This does not prevent the entire cylinder from being drilled out, but this is an even longer and slower process than drilling along the shear line.


Rim-mounted deadlocks are particularly vulnerable to punching. These are ordinar-ily mounted on the back of a door with wood screws. But, since most of the currently available doors are made with particle board cores under a thin veneer overlay, screws are seldom able to take much pressure. Several good blows with a hammer and punch on the face of the cylinder will often drive it through the door, pulling the screws out, so the entire lock body is dislodged.

Correctly mounting the lock using bolts that extend through the door and engage an escutch-eon plate (or even large washers) on the front side generally frustrates punching attacks.

Cylindrical locksets are vulnerable to com-bination punching and hammering attacks. The knob is first broken off, then the spindle is punched through the lock, exposing the latch bolt assembly to manipulation.


Hammering, as well as pulling, wrenching, and twisting, is a quick and very effective way to disable cylindrical locksets. It is not as effec-tive against cylinders, particularly those that



FIGURE 7.35 Drilling.



are protected by cylinder guards. Ordinarily the knob on a cylindrical mechanism can be quickly broken off by one or two strong blows. There is no direct defense against this type of attack. Again, the only viable solution is a sup-plementary guarded deadlock or replacement of the cylindrical lockset with a more secure lock.



Locks are an essential part of most security systems. They are, however, only one part. The effectiveness of a lock cannot be considered apart from the effectiveness of the entire system. A lock is no better than the door it is on, or the frame in which the door is mounted. The stron-gest lock available on a substandard door does not prevent the door from being defeated, even though the lock cannot be.

The degree of protection required from any security system reflects the value of the items to be protected. Most residences require only a modest degree of security—sufficient to thwart the casual or opportunistic intruder. Jewelry stores, banks, and other establishments, which must keep valuable items on the premises, attract a more determined attacker. The degree of protection for these places must, therefore, necessarily be greater. But whatever the degree of protection required, the actual protection offered by any system is no greater than the vul-nerability of its weakest member. A good lock on a poor door provides no more protection than the strength of the door. A good lock on a solid door in a substandard wall is as vulnerable as the wall is weak.

The locks employed in any protection sys-tem must complement the system. If a moderate degree of security is required (as in a residential application), a good cylinder properly installed in a secure lock body must be correctly mounted on a good, solid door. The door must be correctly

hung, using good hardware, on a properly con-structed door frame. The frame must be strongly braced and secured to the wall. The wall must be at least as strong as the door system installed in it. If the lock, the door, the frame, or the wall is significantly weaker than the rest of the sys-tem, it is the point most likely to be successfully attacked.

A good lock is essential to a good security sys-tem. It is often the point at which an intruder will focus an attack. But good locks are not syn-onymous with good security. Always examine the system as a whole.


Eugene D. Finneran

Before an effective key control system can be established, every key to every lock that is being used in the protection of the facility and prop-erty must be accounted for. Chances are good that it will not even be possible to account for the most critical keys or to be certain that they have not been copied or compromised. If this is the case, there is but one alternative—rekey the entire facility.

Once an effective locking system has been installed, positive control of all keys must be gained and maintained. This can be accom-plished only if an effective key record is kept. When not issued or used, keys must be ade-quately secured. A good, effective key control system is simple to initiate, particularly if it is established in conjunction with the installation of new locking devices. One of the methods used to gain and maintain effective key control is outlined as follows:

1. Key cabinet. A well-constructed cabinet will have to be procured. The cabinet will have to be of sufficient size to hold the

* Originally from Finneran, ED. Security supervision: A handbook for supervisors and managers. Stoneham (MA): Butterworths; 1981.


original key to every lock in the system. It should also be capable of holding any additional keys that are in use in the facility but are not a part of the security locking system. The cabinet should be installed in such a manner so as to be difficult, if not impossible, to remove from the property. It should be secured at all times when the person designated to control the keys is not actually issuing or replacing a key. The key to the key cabinet must receive special handling, and when not in use it should be maintained in a locked compartment inside a combination-type safe.

2. Key record. Some administrative means must be set up to record key code numbers and indicate to whom keys to specific locks have been issued. This record may take the form of a ledger book or a card file.

3. Key blanks. Blanks used to cut keys for issue to authorized personnel must be distinctively marked for identification to ensure that no employees have cut their own keys. Blanks will be kept within a combination-type safe and issued only to the person authorized to cut keys and then only in the amount that has been authorized by the person responsible for key control. Such authorization should always be in writing, and records should be maintained on each issue, which will be matched with the returned key. Keys damaged in the cutting process must be returned for accountability.

4. Inventories. Periodic inventories will have to be made of all key blanks, original keys, and all duplicate keys in the hands of the employees to whom they have been issued. This cannot be permitted to take the form of a phone call to an employee, supervisor, or executive asking if they still have their key. It must be a personal inspection of each key made by the person who has been assigned responsibility for key control.

5. Audits. In addition to the periodic inventory, an unannounced audit should be made of all key control records and procedures by a member of management. During the course of these audits a joint inventory of all keys should be conducted.

6. Daily report. A daily report should be

made to the person responsible for key control from the personnel department, indicating all persons who have left or will be leaving the employ of the company in the near future. A check should be made, upon receipt of this report, to determine whether the person named has been issued a key to any lock in the system.

In the event a key has been issued, steps should be initiated to ensure that the key is recovered.

Security force personnel will normally be issued master keys, when such a system is in effect, or they will be issued a ring of keys per-mitting them to enter any part of the guarded facility. Keys issued to the security force should never be permitted to leave the facility. They should be passed from shift to shift and must be receipted for each time they change hands. The supervisor must ensure that all security person-nel understand the importance of not permitting keys to be compromised.

A lost master key compromises the entire sys-tem and results in a breakdown of the security screen. Such compromise will necessitate the rekeying of the entire complex, sometimes at a cost of thousands of dollars.

If rekeying becomes necessary, it can most economically be accomplished by installing new locking devices in the most critical points of the locking system and moving the locks removed from these points to less sensitive areas. Of course, it will be necessary to eventually replace all of the locks in the system, but by using the procedure just described the cost can be spread over several budgeting periods.




The Builders’ Hardware Manufacturer’s Association (BHMA) has announced a new American National Standard for exit locks and exit alarms for the safety and security of build-ing occupants.

Developed by BHMA, the new standard was recently approved by the American National Standards Institute (ANSI).

In effect, the new standard recognizes the increased importance of locks, alarms, and other devices that control egress from a building. The standard establishes general requirements as well as operational tests and finish tests for these products. In addition, it gives descriptions and type numbers of exit locks and exit alarms.

Revisions include increased performance requirements with respect to the recommended tests and a slam test not part of the earlier stan-dards has been added. Testing of products in accordance with this standard allows for certifi-cation to the ANSI/BHMA standard to be estab-lished by third-party testing laboratories.

For more information, or to purchase copies of the ANSI/BHMA A156.29 Standard, please visit http://www.buildershardware.com.


Where a door is located in the path of egress, panic hardware is often used, depending on the occupancy rating. Panic hardware is required on any door where there could be a large number of people needing exit in an emergency. Panic hardware is easily identified by the push bar (formerly called a crash bar) that the users press as they push through the door.

Panic hardware facilitates a single exit motion because users have only to push on the door as they are moving through it. This facilitates the

rapid exit of large numbers of people because no one has to wait behind anyone else while they stop to turn a door handle. In a severe emergency such as a fire, such momentary delays can com-pound to cause a crush of people behind a door that is unlocked but that can become a barrier if someone has difficulty with the door handle. There are several basic types of panic hardware configurations, depending on the requirements of the door to which the panic hardware is mounted. Panic hardware is electrified by one of several methods, usually involving a solenoid that releases a latch on the door.

Specialty locks. Most people pay little atten-tion to doors and locks; they just use them. However, there are a remarkable number of variations of doors, frames, locks, and electrifi-cation methods. Some unusual locks have been developed for special needs.

Switches. Door and gate position switches (DPS) sense if the door or gate is opened or closed. A variant of the DPS is the monitor strike, which determines if the door is not only closed but also whether a latch bolt or dead bolt is in fact engaged. The typical DPS is com-posed of a magnetically sensitive switch and a magnet placed close to the switch. Typically, the switch is placed on the door frame and the magnet is placed on the door or gate. When the door or gate is opened, the switch also opens, sending a signal to the alarm system. Variants of DPSs include surface and concealed mount-ing versions, wide- and narrow-gap sens-ing areas, and conventional or balanced bias types. Wide-gap DPSs were developed to pre-vent accidental triggering by nuisance condi-tions, such as when the wind blows against a sliding glass door. To prevent an intruder from simply placing a magnet against the DPS while opening the door, balanced-bias switches were developed that place the switch in a closely controlled magnetic field. If another magnet is brought near the switch when the door is closed, that act alone will trigger an alarm


even before the door is opened. Other types of DPSs include plunger type, Hall effect, and mercury switches. These are sometimes used in areas where it is not possible to place a mag-net in the door or gate or where a device must be alarmed if it is moved. The plunger switch alerts when the object that is pushed against it is moved. These are often mechanical switches and can be unreliable for high-security appli-cations. Hall effect switches rely on the pres-ence of a magnetic field within a confined area to alert. They also work by moving the object. Mercury switches are sometimes placed inside an object that should not be moved in any dimension and can be made to alert to the slightest movement. These are often used with radio frequency transmitters.


[1] Security Beat [weekly newsletter by publisher of Access Control and Security Systems] 2, no. 7, February 19, 2002.

[2] Electronics Elements a Detailed Discussion, Thomas L. Norman, CPP, PSP, CSC.




John E. Hunter

1. Has a key control officer been appointed?

2. Are locks and keys to all buildings and entrances supervised and controlled by the key control officer?

3. Does the key control officer have overall authority and responsibility for issuance and replacement of locks and keys?

4. What is the basis for the issuance of keys, especially master keys?

* Prepared by John E. Hunter, U.S. National Park Service.

5. Are keys issued only to authorized personnel? Who determines who is authorized? Is the authorization in writing?

6. Are keys issued to other than installation personnel? If so, on what basis? Is it out of necessity or merely for convenience?

7. Are keys not in use secured in a locked, fireproof cabinet? Are these keys tagged and accounted for?

8. Is the cabinet for duplicate keys regarded as an area of high security?

9. Is the key or combination to this cabinet maintained under appropriate security or secrecy? If the combination is recorded, is it secured?

10. Are the key locker and record files in order and current?

11. Are issued keys cross-referenced?

12. Are current records maintained indicating

a. Buildings and/or entrances for which keys are issued?

b. Number and identification of keys issued?

c. Location and number of duplicate keys?

d. Issue and turn in of keys?

e. Location of locks and keys held in reserve?

13. Is an audit ever made, asking holders to actually produce keys, to ensure that they have not been loaned or lost?

14. Who is responsible for ascertaining the possession of key?

15. Is a current key control directive in effect?

16. Are inventories and inspections conducted by the key control officer to ensure compliance with directives? How often?

17. Are keys turned in during vacation periods?

18. Are keys turned in when employees resign, are transferred, or are fired?

19. Is the removal of keys from the premises prohibited when they are not needed elsewhere?



20. Are locks and combinations changed immediately upon loss or theft of keys or transfer or resignation of employees?

21. Are locks changed or rotated within the installation at least annually regardless of transfers or known violations of key security?

22. Are current records kept of combinations to safes and the dates when these combinations are changed? Are these records adequately protected?

23. Has a system been set up to provide submasters to supervisors and officials on a need basis with facilities divided into different zones or areas?

24. If master keys are used, are they devoid of markings identifying them as master keys?

25. Are master keys controlled more closely than change keys?

26. Must all requests for reproduction or duplication of keys be approved by the key control officer?

27. Are key holders ever allowed to duplicate keys? If so, under what circumstances?

28. Where the manufacturer’s serial number on combination locks and padlocks might be visible to unauthorized persons, has this number been recorded and then obliterated?

29. Are locks on inactive gates and storage facilities under seal? Are seals checked regularly by supervisory or key control personnel?

30. Are measures in effect to prevent the unauthorized removal of locks on open cabinets, gates, or buildings?

31. Are losses or thefts of keys and padlocks promptly reported by personnel and promptly investigated by key control personnel?

32. If the building was recently constructed, did the contractor retain keys during the period when construction was being completed? Were locks changed since that time? Did the contractor relinquish all keys after the building was completed?

33. If removable-core locks are in use, are unused cores and core change keys given maximum security against theft, loss, or inspection?

34. Are combination lock, key, and key control records safeguarded separately (i.e., in a separate safe or file) from keys, locks, cores, and other such hardware?

35. Are all locks of a type that offers adequate protection for the purpose for which they are used?

This page intentionally left blank



Internal Threats and Countermeasures*

Philip P. Purpura


A threat is a serious, impending or recur-ring event that can result in loss, and it must be dealt with immediately. Internal loss preven-tion focuses on threats from inside an organi-zation. Crimes, fires, and accidents are major internal loss problems. Catrantzos [12] points to the insider, trusted employee who betrays their allegiance to their employer and commits workplace theft, violence, sabotage, espionage, and other harmful acts. The workplace can be subject to infiltration by spies, gangs, organized crime, and terrorists. Losses can result from full-time, part-time, and temporary employees; contractors; vendors; and other groups who have access to the worksite both physically and remotely.

Productivity losses also illustrate the range of internal losses. Such losses can result from poor plant layout or substance abuse by employees. Other productivity losses result from employ-ees who loaf, arrive at work late, leave early, abuse coffee breaks, socialize excessively, use the Internet for nonwork-related activities, and prolong work to create overtime; these abuses are called theft of time.

Faulty measuring devices, which may or may not be known to employees, are another cause of losses. Scales or dispensing devices that mea-sure things ranging from truck weight to copper wire length are examples.

We can see that the spectrum of internal threats is broad. Although this chapter concentrates on internal theft and associated countermeasures, the strategies covered also apply to many internal and external (e.g., burglary and robbery) threats.


How Serious Is the Problem?

Internal theft also is referred to as employee theft, pilferage, embezzlement, fraud, stealing, pecu-lation, and defalcation. Employee theft is stealing by employees from their employers. Pilferage is stealing in small quantities. Embezzlement occurs when a person takes money or prop-erty that has been entrusted to his or her care; a breach of trust occurs. Peculation and defalca-tion are synonyms for embezzlement. Whatever term is used, this problem is an insidious men-ace to the survival of businesses, institutions, and

* From Purpura, PP. Security and loss prevention 6e. Boston: Butterworth-Heinemann; 2013. Updated by the editor, Elsevier, 2016.

Effective Physical Security, Fifth Edition



Copyright © 2017 Elsevier Inc. All rights reserved.


organizations. This threat is so severe in many workplaces that employees steal anything that is not “nailed down.”

The total estimated cost of employee theft varies from one source to another, mainly because theft is defined and data are collected in so many different ways. An often-cited statistic, from the U.S. Chamber of Commerce, is that 30% of business failures result from employee theft. The Association of Certified Fraud Examiners ([2]: 4–5) conducted research that found that the typical organization loses 5% of its annual revenue to occupational fraud, defined as fol-lows: “The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.” They claim that if this fig-ure were applied to the Gross World Product, global losses would translate to about $2.9 tril-lion annually. These figures may be higher when direct and indirect costs are combined. Indirect costs can include damage to brand, a slowing of production, lower employee morale, investiga-tive expenses, and an insurance premium hike after a claim. The mean loss per case was about $160,000 and each crime lasted about 18 months before detection.

Why Do Employees Steal?

Two major causes of employee theft are employee personal problems and the environ-ment. Employee personal problems often affect behavior on the job. Financial troubles, domes-tic discord, drug abuse, and excessive gambling can contribute to theft. It is inappropriate to state that every employee who has such problems will steal, but during trying times, the pressure to steal may be greater. Research by the Association of Certified Fraud Examiners ([2]: 4–5) revealed that the most common behavioral “red flags” of offenders were living beyond their means (43%) and financial difficulties (36%). A wise employer should be alert to troubled employees and sug-gest referral to an employee assistance program.

The environment also affects internal theft (Fig. 8.1). Blades ([8]: 35) writes that an indi-vidual’s differences (e.g., ethnicity, accent, or hobbies) can result in bullying or tormenting by coworkers that can lead to alienation and thoughts of revenge, such as theft and violence. Management must ensure that the corporate cul-ture facilitates respect for individual difference. A system of policies, procedures, awareness, and training are essential. Otherwise, litigation can result, besides other losses.

Politicians, corporate executives, and other “pillars of society” are constantly being found guilty of some form of crime, resulting in inad-equate socialization. In other words, poor exam-ples are set: employees may observe managerial illegalities and then act similarly. In many busi-nesses, because so many people are stealing, those who do not steal are the deviants and out-casts; theft becomes normal and honesty becomes abnormal. Some managers believe that employee theft improves morale and makes boring jobs exciting. In certain workplaces, employees are actually instructed to be dishonest. This can be seen when receiving department workers are told by their supervisor to accept overages during truck deliveries without notifying the vendor.

Edwin Sutherland, a noted criminologist, offered his theory of differential association to explain crime. Simply put, criminal behavior is learned during interaction with others, and a per-son commits crime because of an excess of defini-tions favorable to violation of law over definitions unfavorable to violation of law. The implication of this theory for the workplace is that superiors and colleagues in a company are probably a more important determinant of crime than is the per-sonality of the individual. Conklin ([17]: 278–279) writes in his criminology textbook that a former head of the Securities and Exchange Commission’s Division of Enforcement stated bluntly, “Our larg-est corporations have trained some of our bright-est young people to be dishonest.”

A study of college student knowledge of how to commit computer crimes found that threat

Internal Theft


FIGURE 8.1 Woody’s Lumber Company. Woody’s Lumber Company has suffered declining profits in recent years. A recently hired manager quickly hired six people to replace the previous crew, which was fired for internal theft. Four addi-tional people were quickly hired for part-time work. The process for conducting business is to have customers park their cars in the front of the store, walk to the sales counter to pay for the desired lumber, receive a pink receipt, drive to the rear of the store, pick up the lumber with the assistance of the yard crew, and then depart through the rear auto exit. At the lumber company, loss prevention is of minimal concern. An inoperable burglar alarm and two fire extinguishers are on the premises.

of punishment had little influence on their mis-deeds. In this study, the strongest predictor of computer crime was differential association with others who presented definitions favorable to violation of the law ([56]: 495–518).

The implications for security from differential association theory point to the importance of eth-ical conduct by top management, who should set a good example in the socialization of all employ-ees. In addition, since criminal laws can be impo-tent, preventive security strategies are essential.

When employees steal, a hodgepodge of ratio-nalizations (excuses) is mentally reviewed to relieve guilt feelings. Some of these rationalizations are “Everybody does it,” “It’s a fringe benefit,”

and “They aren’t paying me enough.” Research by Klenowski et al. [38] found through interviews of white-collar offenders that they rely on gender themes of masculinity and femininity to justify their criminal behavior. The researchers show that men and women account for their crimes in differ-ent ways. Generally, both seek to minimize guilt and maintain a positive self-image; however, men used self-reliance (e.g., accomplish goals in the busi-ness world at the expense of all else) to rationalize criminal behavior, while women relied on necessity (e.g., self-defined distressed financial situation). The researchers concluded that it is easier for men to deny harm, condemn accusers, and argue that the behavior is normal than it is for women.


Donald R. Cressey [18], in his classic study, analyzed thousands of offenders to ascertain common factors associated with inside thievery. He found three characteristics that must be pres-ent before theft would be committed. Cressey’s employee theft formula is

Motivation + Opportunity + Rationalization

= Theft

Motivation develops from a need for money to finance a debt or a drug problem or to win approval from others. Opportunity occurs at many unprotected locations, such as a load-ing dock. Cressey observed that embezzlers’ financial problems are “nonshareable” because of embarrassment or shame, and they ratio-nalize their illegal behavior. This formula illustrates the need for security and an honest environment.

Deterrence has its limitations because follow-ing a crime, the certainty of both swift action by authorities and punishment often do not occur. Prevention seeks proactive security methods to reduce the probability of harmful events and to mitigate losses if harmful events occur. Rational choice theory, related to deterrence theory, points out that a person studies the consequences of a crime against the benefits prior to commit-ting a crime and chooses a criminal act if the rewards offset the consequences. Routine activity theory notes that crime occurs when three ele-ments converge (1) a motivated offender, (2) a suitable target, and (3) the absence of a capable guardian. Rational choice theory and routine activity theory are sometimes viewed as oppor-tunity theories that seek to reduce opportunities for crime by changing physical features of the environment, implementing security strategies, and changing behavior. Situational crime pre-vention techniques offer practical strategies to reduce opportunities for crime. Examples include increasing the effort and risks confronting the offender. These theories have practical applica-tion to the employee theft problem.

Speed ([57]: 31–48) offers insights into the complexity of employee dishonesty, what deters and motivates employee thieves, and manage-ment countermeasures. He focused his research on a major retailer in the United Kingdom to learn how loss prevention could be better targeted. Speed studied company records of employee offenders and surveyed attitudes of a sample of employees. He proposed a manage-ment strategy that divides employees into four groups, based on age and length of service, and then he designed loss prevention strategies for each group. The four groups and the strategies for each are summarized next:

· First group: Employees 20 years of age or younger, new to the company.

· Second group: Employees in their 20 years of age employed with the company for about 2 years.

· Third group: Employees with greater length of service and experience than the first two groups.

· Fourth group: Employees with considerably greater length of service or are much older.


Speed’s research shows that the first group presents great risk of theft because they are less likely to be deterred by disapproval by others or by losing their job. However, more of them fear being caught than the slightly more expe-rienced employees. The first group commits the simplest types of offenses with the lowest val-ues. Strategies for this group include restricted access to high-risk operations and ensuring they are complying with systems. The second group also presents great risk of theft because they are confident that they will avoid detection. They commit high value offenses but are influenced more than the first group by the possibility of losing their job. The recommended strategy for this group is to portray the risks of criminality and the possibility of prosecution. Theft among the third group is less common but more com-plex and less easy to detect. This group is more likely to be deterred by disapproval by others.

Internal Theft


Controls that remove opportunities are less likely to be successful with this group. A more successful strategy is to remind them of the sta-tus and benefits they maintain within the com-pany and the financial impact of offending. The fourth group represents the lowest risk but the greatest confidence of not being caught. This group is similar to the third group on other characteristics.

How Do Employees Steal?

The methods used to steal from employers are limited by employee imagination. Employees often pilfer items by hiding them under their clothing before leaving the workplace. Methods that are more sophisticated may involve the care-ful manipulation of computerized accounting records. Collusion among employees (and out-siders) may occur. Research by the Association of Certified Fraud Examiners ([2]: 5) noted that asset misappropriation schemes were the most common form of fraud by employees. Some employee theft methods follow:

1. Wearing items while leaving the workplace. For example, wearing pilfered underwear or wearing scrap lead that has been molded to one’s body contours

2. Smuggling out pilfered items by placing the item in a lunchbox, pocketbook, computer, bundle of work clothes, umbrella, newspaper, legitimate purchase, hat, or even one’s hair

3. Hiding merchandise in garbage pails, dumpsters, or trash heaps to be retrieved later

4. Returning to the workplace after hours and helping oneself to goods

5. Truck drivers turning in fictitious bills to employers for fuel and repairs and then splitting the money with truck stops

6. Collusion between truck drivers and receiving personnel

7. Executives padding expense accounts

8. Purchasing agents receiving kickbacks from vendors for buying high-priced goods

9. Retail employees pocketing money from cash sales and not recording the transaction

10. Padding payrolls as to hours and rate of pay

11. Maintaining nonexistent or fired employees on a payroll and then cashing the paychecks

12. Accounts payable employees paying fictitious bills to a bogus account and then cashing the checks for their own use

Possible Indicators of Theft

Certain factors may indicate that theft has occurred:

1. Inventory records and physical counts that differ

2. Inaccurate accounting records

3. Mistakes in the shipping and receiving of goods

4. Increasing amounts of raw materials needed to produce a specific quantity of goods

5. Merchandise missing from boxes (e.g., every pallet of 20 boxes of finished goods has at least two boxes short a few items)

6. Merchandise at inappropriate locations (e.g., finished goods hidden near exits)

7. Security devices found to be damaged or inoperable

8. Windows or doors unlocked when they should be locked

9. Workers (e.g., employees, truck drivers, repair personnel) in unauthorized areas

10. Employees who come in early and leave late

11. Employees who eat lunch at their desks and refuse to take vacations

12. Complaints by customers about not having their previous payments credited to their accounts

13. Customers who absolutely have to be served by a particular employee


14. An unsupervised, after-hours cleaning crew with their own keys

15. Employees who are sensitive about routine questions concerning their jobs

16. An employee who is living beyond his or her income level

17. Expense accounts that are outside the norm



Management Support

Without management support, efforts to reduce losses are doomed. A good management

team sets both a foundation for strategies and an atmosphere in which theft is not tolerated. Support for budget requests and appropriate policies and procedures are vital.

Effective Planning and Budgeting

Before measures are implemented against internal theft, a thorough analysis of the problem is essential. What are the losses and cost-effective countermeasures? What types of losses are occur-ring, where, how, by whom, when, and why?

Internal and External Relations

Good internal and external relations can play a role in preventing employee theft. Employees respect loss prevention practitioners who are pro-fessional and are often more willing to provide information and cooperate. With a heightened loss prevention atmosphere within a workplace, an external reputation is sure to follow.

Job Applicant Screening and Employee


The screening of job applicants is a major theft-prevention technique (Fig. 8.2). Although screening is often touted as an effective strat-egy to prevent internal theft, research by the

Association of Certified Fraud Examiners ([2]: 5) found that 85% of offenders had not been previ-ously charged or convicted of a fraud offense. Thus, infinity screening is vital.

Accountability, Accounting, and Auditing

Accountability defines a responsibility for and a description of something. For example, John Smith is responsible (i.e., is held account-able) for all finished products in a plant, and he maintains accurate records of what is in stock. Accounting is concerned with recording, sort-ing, summarizing, reporting, and interpret-ing business data. Auditing is an examination or check of a system to uncover deviations. Personnel audit physical security by checking intrusion alarm systems, closed-circuit televi-sion (CCTV), and so on. An auditor audits the accounting records of a company to see if the records are reliable and to check for fraud.

Policy and Procedural Controls

Policy and procedural controls coincide with accountability, accounting, and auditing. In each of these three functions, policies and procedures are communicated to employees through manu-als and memos. Policies are management tools that control employee decision-making and reflect the goals and objectives of management. Procedures guide action to fulfill the require-ments of policies.

As an example, a company policy states that before trash is taken to outside dumpsters, a loss prevention officer must be present to check for sto-len items. Procedures point out that, to conform to this policy, the head of the cleaning crew must call the loss prevention office and wait for an officer to arrive before transporting the trash outside.


Placing messages about loss prevention on the premises is another method. The message

Management Countermeasures


FIGURE 8.2 Smith shirt manufacturing plant. In the past 2 years, the Smith plant has shown declining profits. During this time, managers believed that employee theft might be the cause, but they were unsure of what to do and were worried about additional costs. Employees work one shift from 8 a.m. to 5 p.m. 5 days per week and are permitted to go to their cars to eat lunch from noon to 1 p.m. A total of 425 employees are divided as follows: 350 sewing machine operators, 15 mainte-nance personnel, 20 material handlers, 20 miscellaneous workers, 2 retail salespeople, 5 managers, and 13 clerical support staff members. A contract cleanup crew works from 6 to 8 a.m. and from 5 to 7 p.m. on Monday, Wednesday, and Friday; Sunday cleanup is from 1 to 4 p.m. The crewmembers have their own keys. Garbage dumpster pick up is 7 a.m. and 7 p.m. Monday, Wednesday, and Friday. The plant contains a fire alarm system and four fire extinguishers. One physical inventory is conducted each year.

must be brief, to the point, and in languages for diverse readers. An example of a message is “Let’s all work together to reduce losses and save jobs.” Boba and Santos ([9]: 257) reported that crime prevention signage at construction sites is cost-effective and shows management commitment to reduce theft.

Loss Reporting and Reward System

Numerous organizations have established loss reporting through such avenues as a toll-free number, suggestion box, website, or intranet. A reward system is a strategy to reinforce report-ing; one method is to provide the anonymous

informant with a secret number that is required to pick up reward money at a bank.

The Sarbanes-Oxley (SOX) Act of 2002 requires publicly traded companies to provide a system of reporting anonymously, with penal-ties for noncompliance. Research shows that the best avenue to encourage reporting is through a confidential, 24-h hotline operated by a third party (Fig. 8.3) [29].

Research by Scicchitano et al. ([53]: 7–19) found that, among the large retailers they sur-veyed, management encouraged employees to report dishonesty that they observed in the workplace. A hotline with rewards was effec-tive in encouraging employees to report losses.













Administrative area








office Safe


Employee parking

Main entrance

Visitor parking

FIGURE 8.3 Compulab Corporation. Compulab Corporation is a research business with tremendous potential. However, it seems that whenever it produces innovative research results, a competitor claims similar results soon afterward. Compulab employs 33 people, including a research director, 2 assistants, 10 scientist–researchers, 8 computer specialists, and an assort-ment of office staff. The facility is open 24 h a day, 7 days per week, and employees work a mixture of shifts each month and remotely from their homes and other locations. Almost every employee has his or her own key for entrance into the building.

The researchers emphasized that corporate cli-mate plays an important role in facilitating peer reporting. Boba and Santos ([9]: 255) found through their study that hotlines were cost-effective in controlling theft; employees are less likely to steal when they believe the probability of apprehension is high; and employee offend-ers fear coworker sanctions more than manage-ment sanctions.


Employee thieves often are familiar with the ins and outs of an organization’s operation and can easily conceal theft. In addition, a thorough knowledge of the loss prevention program is

common to employee thieves. Consequently, an undercover investigation is an effective method to outwit and expose crafty employee thieves and their conspirators.

Businesses subject to theft should partner with police to investigate and disrupt stolen goods markets. Investigations should focus on pawnshops, flea markets, suspect wholesalers and retailers, online sites, fences, and organized crime groups.

Another investigative approach is graph-based anomaly detection that consists of min-ing of data sets, such as employee information, network activity, e-mail, and payroll that con-tain possible interconnected and related data for analysis and plotting on a graph to expose

Management Countermeasures


unusual activities that may indicate an insider threat. Eberle et al. [24] explain that if we know what is normal behavior, deviations from that behavior could be an anomaly; however, they note that graph-based anomaly detection is challenging because an offender will try to act as close to legitimate actions as possible.

Property Losses and Theft Detection

To remedy property losses within an organi-zation, several strategies are applicable. CCTV, both overt and covert, and radio frequency iden-tification (RFID) are popular methods discussed in other parts of this book. In addition, for high-value assets, a global positioning satellite loca-tor chip can be imbedded in an asset to notify security or police and to track the movement of an asset via computer when it is moved with-out authorization. Here, an emphasis is placed on inventory system, marking property, and use of metal detectors. An inventory system main-tains accountability for property and merchan-dise. For example, when employees borrow or use equipment, a record is kept of the item, its serial number, the employee’s name, and the date. On return of the item, both the clerk and the user make a notation, including the date. Automated systems can include a microchip on the item that is read by a scanner for a digital record. Inventory also refers to merchandise for sale, raw materials, and unfinished goods.

Marking property (e.g., tools, computers, and furniture) serves several useful purposes. When property is marked with a serial number, a spe-cial substance, or a firm’s name is etched with an engraving tool, thieves are deterred because the property can be identified, it is more difficult to sell, and the marks serve as evidence. Marking also helps when locating the owner. Publicizing the marking of property reinforces the deter-rent effect. Police departments have operated a program known as “operation identification” for many years in an effort to recruit citizens to mark their property in case of loss.

Besides the popular use of a pinhole lens cam-era for covert surveillance to catch a thief, another investigative technique is to use fluorescent sub-stances to mark property. An ultraviolet light (black light) is necessary to view these invisible marks, which emerge as a surprise to the offender. To illustrate, suppose an organization’s petty cash is not adequately secured and money is missing. To expose the offender, fluorescent substances, in the form of powder, crayon, or liquid, are used to mark the money. A few employees who work after-hours are the suspects. Before these after-hour employees arrive, the investigator handling the case places bills previously dusted with invis-ible fluorescent powder in envelopes at petty cash locations. The bills can be written on with the invisible fluorescent crayon. Statements such as “marked money” can be used to identify the bills under ultraviolet light. Serial numbers from the bills are recorded and retained by the investiga-tor. Before the employees are scheduled to leave, the “planted” bills are checked. If the bills are missing, then the employees are asked to show their hands, which are checked under an ultra-violet light. Glowing hands expose the probable thief, and identification of the marked money car-ried by the individual strengthens the case. The marked money should be placed in an envelope because the fluorescent substances may trans-fer to other objects and onto an honest person’s hands. A wrongful arrest can lead to a false-arrest suit. A check of a suspect’s bills, for the marked money, helps avoid this problem. Many cleaning fluids appear orange under an ultraviolet light. The investigator should analyze all cleaning flu-ids on the premises and select a fluorescent color that is different from the cleaning substances. Other items that may fluoresce include lotions, plastics, body fluids, and some drugs.

Another method of marking property is by applying microdots. Microdots contain a logo or ID number, and the dots are painted or sprayed on property. A microscope is used to view the dots that identify the owner of the property. One utility company, for example, suffered millions


of dollars of losses from the theft of copper wire and equipment, so it applied the dots to copper assets to help identify company property during investigations and recovery [11].

Walk-through metal detectors, similar to those at airports, are useful at employee access points to deter thefts of metal objects and to identify employee thieves. Such detectors also uncover weapons being brought into an area. Handheld metal detectors are also helpful. It is important to note that metal detectors may be overrated because certain firearms, knives, and other weapons are made primarily of plastic. Consequently, X-ray scanners are an expensive option to identify contraband. (The next chapter covers contraband detection.)

Insurance, Bonding

If insurance is the prime bulwark against losses, premiums are likely to skyrocket and become too expensive. For this reason, insurance is best utilized as a supplement to other methods of loss prevention that may fail. Fidelity bonding is a type of employee honesty insurance for employ-ees who handle cash and perform other finan-cial activities. Bonding deters job applicants and employees with evil motives. Some companies have employees complete bonding applications but do not actually obtain the bond.

Confronting the Employee Suspect

Care must be exercised when confronting an employee suspect. Maintain professionalism and confidentiality. The following recommenda-tions, in conjunction with good legal assistance, can produce a strong case. The list of steps pres-ents a cautious approach. Many locations require approval of management before an arrest.

1. Never accuse anyone unless absolutely certain of the theft.

2. Theft should be observed by a reliable person. Do not rely on hearsay.

3. Make sure you can show intent: the item stolen is owned by the organization, and the person confronted removed it from the premises.

In steps 4–14, an arrest has not been made.

4. Ask the suspect to come to the office for an interview. Employees do not have a right to have an attorney present during one of these employment meetings. If the suspect is a union employee and requests a union representative, comply with the request.

5. Without accusing the employee, he or she can be told, “Some disturbing information has surfaced, and we want you to provide an explanation.”

6. Maintain accurate records of everything. These records may become an essential part of criminal or civil action.

7. Never threaten a suspect.

8. Never detain the suspect if the person wants to leave. Interview for less than 1 h.

9. Never touch the suspect or reach into the suspect’s pockets.

10. Request permission to search the suspect’s belongings. If left alone in a room under surveillance, the suspect may take the item concealed on his or her person and hide it in the room. This approach avoids a search.

11. Have a witness present at all times. If the suspect is female and you are male, have another woman present.

12. If permissible under the Employee Polygraph Protection Act of 1988, ask the suspect to volunteer for a polygraph test and have the suspect sign a statement of voluntariness. Follow EPPA guidelines.

13. If a verbal admission or confession is made by the suspect, have him or her write it out, and have everyone present sign it. Do not correct the suspect’s writing errors.

14. Ask the suspect to sign a statement stipulating that no force or threats were applied.

Physical Security Countermeasures


15. For the uncooperative suspect, or if prosecution is favored, call the public police, but first be sure you have sound evidence as in step 3.

16. Do not accept payment for stolen property because it can be construed as a bribe and it may interfere with a bond. Let the court determine restitution.

17. Handle juveniles differently from adults; consult public police.

18. When in doubt, consult an attorney.


Many feel strongly that prosecution is a deterrent, whereas others maintain that it hurts morale and public relations and is not cost-effective. Whatever management decides, it is imperative that an incident of theft be given considerable attention so that employees real-ize that a serious act has taken place. Establish a written policy that is fair and applied uniformly.



Integration and Convergence

The physical security strategies covered in subsequent pages are being increasingly com-bined into what is called integrated systems. Keener ([36]: 6) offers this definition: “An inte-grated system is the control and operation by a single operator of multiple systems whose perception is that only a single system is per-forming all functions.” These computer-based systems include access controls, alarm moni-toring, CCTV, electronic article surveillance, fire protection and safety systems, HVAC, environmental monitoring, radio and video media, intercom, point-of-sale transactions, and inventory control. Traditionally, these functions existed separate from each other, but increas-ingly they are integrated and installed within

facilities worldwide, controlled and monitored by operators and management at a centralized workstation or from remote locations.

The benefits of integrated systems include lower costs, a reduction in staff, improved effi-ciency, centralization, and reduced travel and time costs. For example, a manufacturing execu-tive at corporate headquarters can monitor a branch plant’s operations, production, inventory, sales, and loss prevention. Likewise, a retail exec-utive at headquarters can watch a store and its sales floor, special displays, point-of-sale trans-actions, customer behavior, inventory, shrinkage, and loss prevention. These “visits” to worldwide locations are conducted without leaving the office!

Integration requires careful planning and clear answers to many questions, such as the following:

· Will the integrated system truly cost less and be easier to operate and maintain than separate systems?

· Does the supplier truly have expertise across all the applications?

· Is the integration software listed or approved by a third-party testing agency such as Underwriters Laboratories?

· Do authorities prohibit integration of certain systems? Some fire departments prohibit integrating fire alarm systems with other systems.


Robert Pearson ([48]: 20) writes,

“When attending a conference or trade show, it becomes obvious that every vendor and manufac-turer claims to have the “total integrated solution.” It would appear that one would only need to place an order at any number of display booths and all the security problems at a user’s facility would simply vanish. The vendors and manufacturers freely use terms such as integrated systems, enterprise systems and digital solutions in an effort to convince end users to purchase systems and components.”

Pearson goes on to describe a typical secu-rity alarm system composed of sensors that


connect to a data- gathering panel connected to a computer­ at a security control center. Integration would mean that sensors, card readers,­ and other functions­ would connect to the same data-gathering panel that reports to the same computer. Which multiple func-tions are integrated­ depends on the manu-facturer. Some manufacturers­ began with energy management­ and added security alarm systems in later years; others began with security­ alarm ­systems and added access control. Pearson points out that integrat-ing functions­ among different manufactur-ers via a single computer is often challenging­ and produces various approaches. However, integration firms exist that specialize in application­-specific software that combines systems for a specific client.

Convergence of IT and physical security

means that both specializations and related technologies unite for common objectives. Efforts to secure access to databases, e-mail, and ­organizational intranets are merging with access controls, fire and burglar alarm systems, and video surveillance. Physical ­security is increasingly relying on IT systems and related software. Both IT systems and physical security systems have sensors that generate data that are managed. As examples, an IT system will have an antivirus program and a physical security system will have motion detectors.

Bernard ([6]: 34–37) notes that convergence continues to evolve and he distinguishes between technology convergence and organi-zational convergence. He writes technology convergence whereby voice, data, and video devices and systems interact with each other and require a cable and wireless communications infrastructure with enough bandwidth to hold the enhanced level of data throughput. A second type of security convergence is organizational convergence, which aims to integrate IT and physical security. Bernard illustrates this type by explaining that IT security protects informa-tion and physical security protects information;

organizations should include both simultane-ously when planning information security.

Brenner [10] offers scenarios of how the IT security side and the physical security side can work together:

An offender steals a computer in the workplace. A security incident event management technology sys-tem detects a resource change (missing computer). A physical security information management sys-tem checks door access records and other physical security. All of the systems “talk to each other” (i.e., compare data) and notification technology triggers an alarm and response. Security practitioners have enhanced data to assist investigations.

In another scenario, data loss prevention (DLP) technology detects a threat to a spouse on a company computer. A corporate physical security investigator checks the insider’s background and finds that the insider is a domestic violence offender. IT security technology (e.g., telephony monitoring and DLP sys-tems) is applied and security personnel monitor the case closely for action.

Bernard ([7]: 28–32) refers to another aspect of convergence known as identity management system (IDMS). It is used to manage identities and privileges of computer systems and people. Bernard touts the benefits of IDMS by explain-ing, for example, the following: “Physical security can leverage the HR enrollment of employees by integrating the physical access control system with the IDMS, so the access con-trol privileges are managed automatically along with IT privileges as HR enrolls, re-assigns and terminates employees.” Bernard notes that the federal government is aware of the importance of IDMS in its personal identity verification (PIV) systems mandated by Homeland Security Presidential Directive (HSPD) 12. This man-date points to a single smart access card to be used for both physical and IT security among federal agencies.

Advantages of the convergence of IT and physical security include enhanced data, remote monitoring, and less travel time and expenses. Disadvantages include a virus that

Physical Security Countermeasures


may affect physical security when sharing a single server; downtime (from various causes, such as maintenance, a threat or hazard), and an organization’s bandwidth may reach its limit from the requirements of video surveil-lance. Sources for planners are best practice IT security standards, such as those from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

IT specialists in organizations are playing a larger role in physical security decisions. They want to ensure that physical security technol-ogy is compatible with the network. Physical security purchasing decisions in organizations often consist of a committee of personnel from security or loss prevention, IT, and operations. If IT managers can convince senior management that cybercrime is a greater threat than physical crime, then this also will influence the direction of the security budget.

Another player in corporate management change is the facility manager. This individual, often an engineer, ensures that the company’s infrastructure, which houses people and opera-tions, functions at optimum efficiency to sup-port business goals. The traditional security department is likely to feel a “pull” toward IT or the facility manager because its boundaries are dissolving due to information and communica-tions technology. The process of management is increasingly dependent on information, who controls it, what is done with it, and its dissemi-nation ([26]: 10).

There are those who may claim the demise of the traditional security manager, who will be replaced by the IT manager or facility manager. The argument is that if an offender enters a facil-ity and steals a computer, this crime is minor in comparison to, say, the potential harm from a hacker accessing a company’s IT system. Such reasoning misses the broad, essential functions performed by the traditional security man-ager and staff. Examples are preventing crimes against people, responding to crimes, rendering

first aid, conducting investigations, working with public police to arrest offenders, life safety, and fire protection. At the same time, traditional security practitioners must be put on notice to become involved in lifelong learning of IT sys-tems, which touch all aspects of their traditional duties.

Access Controls

Access controls regulate people, vehicles, and items during movement into, out of, and within a building or facility. With regulation of these movements, assets are easier to protect. If a truck can enter a facility easily, back up to the shipping dock so the driver can load valuable cargo without authorization, and then drive away, that business will not survive. However, access controls such as the following prevent losses: the truck must stop at a gate, a security officer records identifying information on the truck and driver and runs a check through cor-porate IT for authorization to access, a pass is then issued, and documents are exchanged at the shipping dock under the watchful eyes of another officer. RFID technology can be applied whereby information in ID tags on the truck is uploaded (wireless) to a reader/access control system at the gate. If the truck is authorized to enter, the gate opens. As the truck enters, the reader automatically collects identifying infor-mation on the driver and the truck; when the truck departs, information is updated. Other options include CCTV and vehicle license plate recognition (the plate is scanned and then checked in a database for problems).

Controlling Employee Traffic

Access control varies from simple to com-plex. A simple setup for employees includes locks and keys, officers checking identification badges, and written or digital logs of entries and exits. Systems that are more complex use a “smart card” containing computer memory that interacts with a reader for a host of functions


and records; biometrics are used to deny or grant access. A person holding a card-containing RFID can be monitored by readers throughout a facility, and if the person enters a sensitive area without authorization, security is notified and physical security features activated (e.g., alarm sounded, doors locked, and camera zoomed in on person). A prime factor influencing the kind of system employed is need. A research labora-tory developing a new product requires strict access controls, whereas a retail business would require minimal controls.

The fewest entrances and exits are best for access control and lower costs. If possible, employees and others should be routed to the entrance closest to their destination away from valuable assets.

Unauthorized exits locked from within create a hazard in case of fire or other emergency. To ensure safety yet fewer losses, emergency exit alarms should be installed as required by codes. These devices enable quick exit, or a short delay, when pressure is placed against a horizontal bar that is secured across the door. An alarm is sounded when these doors are activated, which discourages unauthorized use.

Searching Employees

Management can provide in the contract of employment that reasonable detentions are permissible; that reasonable searches may be made to protect people and company assets; and that searches may be made at any time of desks, lockers, containers carried by employ-ees, and vehicles ([33] : 47 and 68; [44]: 84). Case law has permitted an employer to use a dupli-cate key, known to the employee, to enter a locker at will. On the other hand, an employee who uses a personal lock has a greater expec-tation of privacy, barring a written condition of employment to the contrary that includes forced entry. When a desk is assigned to a spe-cific employee, an expectation of privacy exists, unless a contract states otherwise. If employees jointly have access to a desk to obtain items, no privacy exists.

Policies and procedures on searches should consider input from management, an attorney, employees, and a union if on the premises. Also, consider business necessity, what is sub-ject to search, signed authorization from each employee, signs at the perimeter and in the workplace, and searches of visitors and others.


Visitors include customers, salespeople, ven-dors, service people, contractors, and govern-ment employees. Any of these people can steal or cause other losses. Depending on need, vari-ous techniques are applicable to visitor access control. An appointment system enables prepa-ration for visitors. When visitors arrive without an appointment, the person at reception should lead him or her to a waiting room. Lending special equipment, such as a hard hat, may be necessary. A record or log of visits is wise. Relevant information would be name of the visi-tor, driver’s license number and state, date of visit, time entering and leaving, purpose, spe-cific location visited, name of employee escort-ing visitor, and temporary badge number. These records aid investigators. A kiosk with touch screen directory features (Fig. 8.4) offer options such as visitor check in, printing a customized map, and creating a temporary access badge. Whenever possible, procedures should mini-mize employee–visitor contact. This is impor-tant, for instance, in the shipping and receiving department, where truck drivers may become friendly with employees and conspiracies may evolve. When restrooms and vending machines are scattered throughout a plant, truck drivers and other visitors who are permitted easy access may cause losses. These services should be located at the shipping and receiving dock, and access to outsiders should be limited.

Controlling the Movement of Packages

and Property

The movement of packages and property also must be subject to access controls. Some

Physical Security Countermeasures


FIGURE 8.4 Interactive kiosk that manages a variety of visitors. Courtesy Honeywell Security.

locations require precautions against pack-aged bombs, letter bombs, and other hazards. Clear policies and procedures are important for incoming and outgoing items. To counter employee theft, outgoing items require both scrutiny and accountability. RFID tags on assets, in union with readers placed strategically at a facility, signal an alarm when an asset is moved to an unauthorized location. Uniformed offi-cers can check outgoing items, while a property pass system serves the accountability function. At one distribution center, an employee was given permission and a property pass to take home cardboard. He or she tied the flat card-board with string and while he or she exited, a security officer asked to search the cardboard. Although the employee strongly objected to the search because he or she had a property pass, a flat screen television was found.

Employee Identification System

The use of an employee identification (card or badge) system will depend on the number of employees that must be accounted for and recognized by other employees. An ID system not only prevents unauthorized people from entering a facility but also deters unauthor-ized employees from entering restricted areas. For the system to operate efficiently, clear poli-cies should state the use of ID cards, where and when the cards are to be displayed on the person, who should collect cards from employ-ees who quit or are fired, and the penalties for noncompliance. A lost or stolen card should be reported so that the proper information reaches all interested personnel. Sometimes ID systems become a joke and employees refuse to wear the badges, or they decorate them or wear them in odd locations on their persons. To sustain an ID system, proper socialization is essential.

Simple ID cards contain employer and employee names. A more complex system would include an array of information: name, signature, address, employee number, physical characteristics (e.g., height, weight, hair, and eye colors), validation date, authorized signature, location of work assignment, thumbprint, and color photo. ID cards often serve as access cards and for many other purposes.

Contractors, visitors, and other nonemployees require an ID card that should be clearly distin-guishable from employee ID cards. Temporary ID badges can be printed with a chemical that causes the word void to appear after a set period. If the ID card is an access card, an expiration date and time can be entered into the computer system.

A protective laminate coating increases the life of cards. It also discourages tampering; if an attempt is made to alter the card, it will be dis-figured. Anticounterfeiting measures are always improving to counter offenders and include various holographic (image) techniques, secret symbols or letters on the badge, and invisible alphanumeric type viewed by a laser.


The area where ID cards are prepared, and rel-evant equipment and supplies, must be secure. In addition, the equipment and software should be password protected.

Automatic Access Control

The Security Industry Association traces the development of automatic access control systems as described next (D’Agostino, 2005 [19]: 1–2). Traditionally, access control systems have been at the center of electronic security systems at buildings that include access con-trol, ID badges, alarm systems, and CCTV. Authentication (i.e., verifying identity) and authorization (i.e., verifying that the iden-tified individual is allowed to enter) have typically occurred as a single -step process in access control. Depending on security needs, access control has been designed for one -factor authentication (e.g., card or personal iden-tification number or biometric), two -factor authentication (e.g., card-plus -PIN or card-plus- biometric), or three-factor authentication (e.g., card-plus-PIN and biometric).

Cryptography (i.e., the study of coded or secret writings to provide security for informa-tion) became part of access control systems with the use of encryption (i.e., hardware or soft-ware that scrambles data, rendering it unintel-ligible to an unauthorized person intercepting it) to protect passwords and other information. Encryption is essential under the requirements of HSPD-12 [31]: 39). It continues in impor-tance as Ethernet networks (i.e., a trademark for a system of communications between com-puters on a local area network) replace propri-etary equipment connections and as security systems increasingly rely on Internet protocol (IP) messages and shared networks with other businesses. Traditionally, because no security standards existed for these systems, manufac-turers applied their own designs. However, according to the Security Industry Association,

standards are now in place because of the fol-lowing drivers:

· The convergence of physical and IT security.

· Common user provisioning that permits a single point of employee registration and dismissal (usually in a human resources system) with assignment of physical and IT privileges.

· Large customers (e.g., the federal government) require their facilities to be interoperable (i.e., products or systems working with other products or systems).

· Access controls enabling a single credential (i.e., smart card) to be used across an enterprise at buildings, facilities, and computer networks. This refers to HSPD-12, the federal government PIV program, and standards for cryptography that all serve as a model for the private sector [39]: 58).

· Digital certificate systems, which are the electronic counterparts to driver licenses and other ID, are used to sign electronic information and serve as part of the foundation of secure e-commerce on the Web, and are essential for physical access control system integration with IT.


The traditional lock-and-key method of access control has its limitations. For instance, keys are difficult to control and easy to duplicate. Because of these problems, the need for improved access control and technological innovations, a huge market has been created for electronic card access control systems. These systems contain wired and wireless components. The benefits of these sys-tems include the difficulty of duplicating modern cards and cost savings because security officers are not required at each access point.

Modern access control systems are also Internet-based and offer numerous features for employees, visitors, and management. For example, employees can report a lost or stolen card, visitors can preregister, management can

Physical Security Countermeasures


see detailed reports of those who enter and leave, and CCTV other physical security can be integrated into the system to aid investigations.

Before an automatic access control system is implemented, several considerations are neces-sary. Safety must be a prime factor to ensure quick exit in case of emergency. Another consideration deals with the adaptability of the system to the type of door presently in use. Can the system accommo-date all traffic requirements? How many entrances and exits must be controlled? Will there be an annoying waiting period for those who want to gain access? Are additions to the system possible? What if the system breaks down? Is a backup source of power available (e.g., generators)?

Tailgating and pass back are other concerns. Tailgating means an authorized user is followed by an unauthorized user. To thwart this problem, a security officer can be assigned to each access point, but this approach is expensive when compared to applying CCTV, revolving doors, and turnstiles. Revolving doors can be expen-sive initially, and they are not an approved fire exit. Optical turnstiles contain invisible infrared beams to count people entering and leaving to control tailgating and pass back. These sensors can be installed in a door frame and connected to an alarm system and CCTV. Pass back refers to one person passing an opening and then pass-ing back the credential so another person can pass through the opening.

A summary of cards used in card access sys-tems follows:

· Smart cards contain computer memory within the plastic that records and stores information and personal identification codes. Security is increased because information is in the card, rather than the reader. Zalud ([66]: 86) writes that because of the memory in the card, it can require the user to supply a PIN or biometric to the reader before the card interacts with the reader; this feature prevents unauthorized

use. In addition, cryptography features secure communications between the reader and the card. Smart cards permit a host of activities from access control to making purchases, while almost eliminating the need for keys or cash. This type of card is growing in popularity as its applications expand.

· Proximity cards (also referred to as RFID) need not be inserted into a reader but placed in its “proximity.” A code is sent via radio frequency, magnetic field, or microchip-tuned circuit. This card is in wide use today.

· Contact memory buttons are stainless-steel buttons that protect an enclosed computer chip used for access. The information in the button can be downloaded or updated with a reader like other systems. These buttons are known for their durability, serve to ensure accountability of security officers on patrol, and are applied as an asset tag. The buttons are used widely.

· Magnetic stripe cards are plastic, laminated cards (like credit cards) that have a magnetic stripe along one edge onto which a code

is printed. When the card is inserted, the magnetically encoded data are compared to data stored in a computer and access is granted on verification. This card is wide used but easy to clone.

· Wiegand cards employ a coded pattern on a magnetized wire within the card to generate a code number. To gain access, the card is passed through a sensing reader. Other technologies have reduced the popularity of this type of card.

· Bar-coded cards contain an array of tiny vertical lines that can be visible and vulnerable to photocopying or invisible and read by an infrared reader. Other technologies have reduced the popularity of this vulnerable card.

· Magnetic dot cards contain magnetic material, often barium ferrite, laminated between plastic


layers. The dots create a magnetic pattern that activates internal sensors in a card reader. This card is easy to clone and rarely used.

Access card systems vary in terms of advan-tages, disadvantages, and costs. Each type of card can be duplicated with a sufficient amount of knowledge, time, and equipment. For exam-ple, a magnetic stripe is easy to duplicate. A piece of cardboard with a properly encoded magnetic stripe functions with equal efficiency. The Wiegand card has the disadvantage of wear and tear on the card that passes through a slot for access. Proximity cards have the advantage of the sensing element concealed in a wall, and the card typically can be read without removing it from a pocket. Smart cards are expensive, but they can be combined with other card systems; also, they are convenient because of the capabil-ity of loading and updating the card applica-tions over the Web ([43]: 28; [5]: 75; [27]: 156–157; [28]: 18; [62]: 23).

Near-field communication (NFC) is a tech-nology with wide applications ([34,46]: S-10). It is short-range (less than 4 inches), wireless (radio) communications between two devices by touching them together or placing the devices in close proximity. NFC evolved from RFID; the difference is that whereas RFID is one-way, NFC is two -way—an NFC-enabled device can send and receive information. A smart phone containing NFC capabilities can serve as a credit or debit card. A device with NFC can serve as a library card, transit pass, and access card to a secure door, computer or network, among other applications. A wallet and keys may someday become obsolete. NFC communication is subject to hacking. The RF signal can be captured with an antenna; infor-mation can be stolen or modified. Security includes use of a password, encryption, keypad lock, and antivirus software.

Biometric Technologies

Biometric security systems have been praised as a major advance in access control because such

FIGURE 8.5 Verifying identity through hand geometry.

Courtesy HID Corporation.

systems link the event to a particular individual, whereas an unauthorized individual may use a key, card, PIN, or password. Di Nardo ([22]: 195) defines biometrics as “the automated use of physiological or behavioral characteristics to determine or verify identity.” He adds that it can also be defined as “the study of measurable biological characteristics.”

These systems seek to verify an individual’s identity through fingerprint scan, hand geometry (shape and size of hand) (Fig. 8.5), iris scan (the iris is the colored part around the pupil of the eye), facial scan, retinal scan (capillary pattern), voice patterns, signature recognition, vascular (vein) pattern recognition, palm print, ear shape, gait, and keystroke dynamics. The biometric leaders are fingerprint, hand geometry, iris, and face recognition ([22]: 194–216; [52]: 41–55).

Biometric security systems have disadvan-tages and can be circumvented. As examples, retinal can be affected by diseases, vascular is expensive and requires bulky equipment, drugs can affect gait, and keystroke has high error rates. Iris was defeated by using a glass eyeball, contact lenses, or high-resolution photos ([22]: 194–216).

Physical Security Countermeasures


Fingerprint can be circumvented by collecting an authorized person’s latent fingerprint by lift-ing it with tape. Terrorists cut off the thumb of a bank manager to gain entry through a finger-print-based access control system. Researchers constructed fake fingers by taking casts of real fingers and molding them into Play-Doh. The researchers developed a technique to check for moisture as a way to reduce this ploy [4].

Spence [58] writes in Locksmith Leger that cer-tain locksmiths are hesitant to become involved with biometric fingerprint systems. One quipped, “They’re 1 percent of my sales and 10 percent of my service calls.” Failure rates were between 3% and 20%.

Research continues to improve biometrics. In the near term, we will not see facial scan pick a known terrorist out of a crowd, but the technol-ogy is evolving. Digitized photos shot at angles or in poor light can be flawed. The challenge with facial scan is identifying a person on the move ([51]: 16–21).

Biometric systems operate by storing identi-fying information (e.g., fingerprints, photos) in a computer to be compared with information pre-sented by a subject requesting access. Access con-trols often use multiple technologies, such as smart card and biometrics. One location may require a card and a PIN (Fig. 8.6), whereas another requires scanning a finger and a PIN. Many systems fea-ture a distress code that can be entered if someone is being victimized. Another feature is an alarm that sounds during unauthorized attempted entry. Access systems can be programmed to allow select access according to time, day, and location. The logging capabilities are another feature to ascertain personnel location by time, date, and the resources expended (e.g., computer time, parking space, cafeteria). These features provide informa-tion during investigations and emergencies.

We are seeing an increasing merger of card access systems and biometric technology, and thus, missing or stolen cards is less of a con-cern. We will see more point -of- sale readers that accept biometric samples for check cash-ing, credit cards, and other transactions. As

FIGURE 8.6 Card reader and keypad. Courtesy Diebold,


research continues to improve biometrics, these systems will become universal—banking, cor-rectional facilities, welfare control programs, and so forth.

Locks and Keys

The basic purpose of a lock-and-key system is to hinder unauthorized entry. Attempts to enter a secure location usually are made at a window or door to a building or at a door somewhere within a building. Consequently, locks deter unauthorized access from outsiders and insid-ers. Many see a lock only as a delaying device that is valued by the amount of time needed to defeat it. Zunkel ([67]: 32) notes, “… it is important that designers know that a lock by itself is only part of a larger system that includes the door, the wall, the perimeter and a security plan.” An offender may decide to avoid a high-security lock and break through a weak door, wall, ceil-ing, floor, roof, or window.


Standards related to locking systems include those from American National Standards Institute (ANSI), American Society for Testing and Materials (ASTM), Underwriters Laboratories (UL), and the Builders Hardware Manufacturers Association (BHMA). Local ordi-nances may specify requirements for locks.

Two general ways to classify locks are mechanical and electromechanical. Mechanical locks include the common keyed lock and the push button lock that contains a keypad to enter an access code to release the lock.

Electromechanical locks include an electronic keypad that is connected to an electric strike, lock, or magnetic lock. When the access code is entered, the strike or lock is released to open the door ([21]: D-5).

There are many types of locks and locking systems that range from those that use simple, ancient methods to those that apply modern technology, including electricity, wireless com-ponents, computers, and the Internet. Here, we begin with basic information as a foundation for understanding locks.

Locking devices are often operated by a key, numerical combination, card, or electricity. Many locks (except padlocks) use a dead bolt and latch. The dead bolt (or bolt) extends from a door lock into a bolt receptacle within the door frame. Authorized entry is made by using an appropriate key to manually move the bolt into the door lock. Latches are spring loaded and less secure than a dead bolt. They are cut on an angle to permit them to slide right into the strike when the door is closed (Fig. 8.7). Unless the latch is equipped with a locking bar (deadlatch), a knife can possibly be used to push the latch back to open the door.

The cylinder part of a lock contains the key-way, pins, and other mechanisms that permit the dead bolt or latch to be moved by a key for access (Fig. 8.8). Double-cylinder locks, in which a cylinder is located on each side of a door, are a popular form of added security as compared to single-cylinder locks. Double-cylinder locks

FIGURE 8.7 Latch and door strike.

FIGURE 8.8 Cylinder.

require a key for both sides; however, fire codes may prohibit such locks. With a single-cylinder lock, a thief may be able to break glass or remove a wood panel and then reach inside to turn the knob to release the lock. For safety’s sake, locations that use double-cylinder locks must prepare for emergency escape by having a key readily available.

Key-in-knob locks are used universally but are being replaced by key-in-the-lever locks (Fig. 8.9) to be ADA compliant. As the name implies, the keyway is in the knob or lever. Most contain a keyway on the outside and a button on the inside for locking from within.

Entrances for Handicapped

The Internal Revenue Service offers a tax credit to eligible businesses that comply with

Physical Security Countermeasures


FIGURE 8.9 Mechanical lock with lever requiring no wiring, electronics, or batteries. Courtesy Ilco Unican.

provisions of the ADA to remove barriers and promote access for individuals with disabilities [25]. The door hardware industry offers several products and solutions to aid the disabled (Fig. 8.10). Electrified door hardware such as mag-netic locks and electromechanical locks retracts the latch when energized.

Attacks and Hardware

The Internet, including YouTube, offers a wealth of information on attacking locks. In addition, lock picking has become a sport with club members and chapters in multiple countries [41] . Google queries for “attacks on locks,” “lock picking,” and “lock bumping” result in millions of sources. These methods are explained next.

There are several ways to attack locks. One tech-nique, as stated earlier, is to force a knife between the door frame (jamb) and the door near the lock

to release the latch. However, when a deadlatch or dead bolt is part of the locking mechanism, methods that are more forceful are needed. In one method, called “springing the door,” a screw-driver or crowbar is placed between the door and the door frame so that the bolt extending from the door lock into the bolt receptacle can be pried out, enabling the door to swing open (Fig. 8.11). A 1-inch bolt will hinder this attack.

In “jamb peeling,” another method of attack, a crowbar is used to peel at the door frame near the bolt receptacle so that the door is not stopped from swinging open. Strong hardware for the door frame is helpful. In “sawing the bolt,” a hacksaw is applied between the door and the door frame, similar to the placement of the screwdriver in Fig. 8.11. Here again, strong hardware, such as a metal bolt composed of an alloy capable of withstanding a saw blade, will impede attacks. Some offenders use the cylin-der-pulling technique: the cylinder on the door is actually ripped out with a set of durable pli-ers or tongs. A circular steel guard surrounding the cylinder (Fig. 8.11) will frustrate the attacker. Offenders also are known to use automobile jacks to pressure door frames away from a door.

Both high-quality hardware and construction will impede attacks, but the door itself must not be forgotten. If a wood door is only 1/4-inch thick, even though a strong lock is attached, the offender may simply break through the door. A solid wood door 1 3/4 inches thick or a metal door is a worthwhile investment. Wood door frames at least 2 inches thick provide durable protection. When a hollow steel frame is used, the hollow area can be filled with cement to resist crushing near the bolt receptacle. An L-shaped piece of iron secured with one way screws will deter attacks near the bolt receptacle for doors swinging in (Fig. 8.12). When a padlock is used in conjunction with a safety hasp, the hasp must be installed correctly so that the screws are not exposed (Fig. 8.13).

Many attacks are by forced entry, which is easier to detect than when the use of force is


FIGURE 8.10 Entrances for handicapped. Courtesy Von Duprin Division of Ingersoll-Rand Company.

FIGURE 8.11 Dead bolt and door frame.

Physical Security Countermeasures


FIGURE 8.12 L-shaped plate.

FIGURE 8.13 Safety hasp.

minimal. Lock picking is one technique need-ing a minimum amount of force. It is used infrequently because of the expertise required, although picks are available on the Internet.

Lock picking is accomplished by inserting a ten-sion wrench (an L-shaped piece of metal) into the cylinder and applying tension while using metal picks to align the pins in the cylinder as a key would to release the lock (Fig. 8.8). The greater the number of pins, the more difficult it is to align them. A cylinder should have at least six pins. Lock bumping is touted as an easy method of picking a pin tumbler lock by inserting a spe-cially designed bump key into the keyway and applying a slight force while turning the key. Another type of attack (more difficult) utilizes a blank key, matches, and a file. The blank key is placed over a lighted match until carbon is pro-duced on the key. Then the key is inserted into the cylinder. The locations where the pins have scraped away the carbon signify where to file. Needless to say, this method is time-consuming and calls for repeated trials. Offenders some-times covertly borrow a key, quickly press it into a bar of soap or wax, return the key, and then file a copy on a blank key. This method illustrates the importance of key control.

After gaining access, an offender may employ some tricks to make sure nobody enters while he or she is busy. This is accomplished, for instance, by inserting a pin or obstacle in the keyway and locking the door from the inside.

Whatever hardware is applied, the longer it takes to attack a lock, the greater is the danger for the offender. One further point: most bur-glary insurance policies state that there must be visible signs of forced entry to support a claim.

Offenders may use other methods of entry. A thief may simply use a stolen key or a key (or access card) borrowed from another person. Unfortunately, intruders often enter restricted areas because somebody forgot to use a locking device. This mistake renders the most complex locks useless.

The methods of defeating lock-and-key sys-tems do not stop here. Innovative thieves and various kinds of locks, keys, and access systems create a hodgepodge of methods that loss pre-vention practitioners should understand.


Types of Locks

Volumes have been written about locks. The following briefly summarizes simple and more complex locks:

· Warded (or skeleton key tumbler) lock: This older kind of lock is disengaged when a skeleton key makes direct contact with a bolt and slides it back into the door. It is an easy lock to pick. A strong piece of L-shaped metal can be inserted into the keyway to move the bolt. Warded locks are in use in older buildings and are recognized by a keyway that permits seeing through. Locks on handcuffs are of the warded kind and can be defeated by a knowledgeable offender.

· Disc tumbler lock: The use of this lock, originally designed for the automobile industry, has expanded to desks, file cabinets, and padlocks. Its operation entails flat metal discs, instead of pins, that align when the proper key is used. These locks are mass produced, inexpensive, and have a short-life expectancy. More security is offered than warded locks can provide, but disc tumbler locks are subject to defeat by improper keys or being jimmied.

· Pin tumbler lock: Invented by Linus Yale in 1844, the pin tumbler lock is used widely in industry and residences (Fig. 8.8). Its security surpasses that of the warded and disc tumbler kinds.

· Lever tumbler lock: Lever locks vary widely. These locks disengage when the proper key aligns tumblers. Those found in luggage, cabinets, chests, and desks often provide minimal security, whereas those found in bank safe deposit boxes are more complex and provide greater security. The better quality lever lock offers more security than the best pin tumbler lock.

· Combination lock: This lock requires manipulating a numbered dial(s) to gain access. Combination locks usually have three or four dials that must be aligned

in the correct order for entrance. These locks provide greater security than key locks because a limited number of people probably will know the lock combination, keys are unnecessary, and lock picking is obviated. They are used for safes, bank vaults, and high-security filing cabinets. With older combination locks, skillful burglars are able actually to listen to the locking mechanism to open the lock; more advanced mechanisms have reduced this weakness. A serious vulnerability results when an offender watches the opening of a combination lock with either binoculars or a telescope. Retailers sometimes place combination safes near the front door for viewing by patrolling police; however, unless the retailer uses his or her body to block the dial from viewing, losses may result. This same weakness exists where access is permitted by typing a PIN.

· Combination padlock: This lock is similar in operation to a combination lock. It is used on employee or student lockers and in conjunction with safety hasps or chains. Some of these locks have a keyway so they can be opened with a key.

· Padlock: Requiring a key, this lock is used on lockers or in conjunction with hasps or chains. Numerous types exist, each affording differing levels of protection. More secure ones have disc tumbler, pin tumbler, or lever characteristics. Serial numbers on padlocks are a security hazard similar to combination padlocks.


Other kinds of locks include devices that have a bolt that locks vertically instead of hori-zontally. Emergency exit locks with alarms or “panic alarms” enable quick exit in emergen-cies while deterring unauthorized door use. Sequence locking devices require locking the doors in a predetermined order; this ensures that all doors are locked because the outer doors will not lock until the inner doors are locked.

Physical Security Countermeasures


The use of interchangeable core locks is a method to deal with the theft, duplication, or loss of keys. Using a special control key, one core (that part containing the keyway) is sim-ply replaced by another. A different key then is needed to operate the lock. This system, although more expensive initially, minimizes the need for a locksmith or the complete chang-ing of locks.

Automatic locking and unlocking devices also are a part of the broad spectrum of methods to control access. Digital locking systems open doors when a particular numbered combina-tion is typed. If the wrong number is typed, an alarm is sounded. Combinations can be changed when necessary. Electromagnetic locks use mag-netism, electricity, and a metal plate around doors to hold doors closed. When the electricity is turned off, the door can be opened. Remote locks enable opening a door electronically from a remote location.

Trends taking place with locks and keys include increasing use of electronics and micro-chip technology. For example, hybrids have been developed whereby a key can serve as a standard hardware key in one door and an electronic key in another door. “Smart locks” have grown in popularity. These locks com-bine traditional locks with electronic access control; read various types of access cards for access; use a tiny computer to perform multiple functions, including holding data (e.g., access events); and can be connected to an access control system for uploading and download-ing data. Aubele [3] refers to “intelligent key systems” whereby keys are programmable like access control cards to limit access according to specific times and doors. In addition, these keys store data on use.

Wireless locking systems and RF online lock-ing systems make use of modern technology, although care must be exercised in the evalu-ation and purchasing process. A pilot project helps to ensure reliability. Signals are hindered by metallic materials (e.g., steel buildings).

Master Key Systems

In most instances, a lock accepts only one key that has been cut to fit it. A lock that has been altered to permit access by two or more keys has been master keyed. The master key system allows a number of locks to be opened by the master key. This system should be confined to high-quality hardware utilizing pin tumbler locks. A disadvantage of the master key system is that if the master key is lost or stolen, security is com-promised. A change key fits one lock. A submaster key will open all locks in, for instance, a wing of a building. The master key opens locks covered by two or more submaster systems.

Key Control

Without adequate key control, locks are use-less and losses are likely to climb. Accountability and proper records are necessary, as with access cards. Computerized, online record-keeping programs are available for key control, similar to software used in electronic card access control systems ([63]: 79–85). Keys should be marked with a code to identify the corresponding lock; the code is interpreted via a record stored in a safe place. A key should never be marked, “Key for room XYZ.” When not in use, keys should be positioned on hooks in a locked key cabinet or vault. The name of the employee, date, and key code are vital records to maintain when a key is issued. These records require continuous updat-ing. Employee turnover is one reason why pre-cise records are vital. Departing employees will return keys (and other valuables) if their final paycheck is withheld. Policies should state that reporting a lost key would not result in puni-tive action; an investigation and a report will strengthen key control. If key audits check peri-odically, who has what key, control is further reinforced. To hinder duplication of keys, “do not duplicate” may be stamped on keys, and company policy can clearly state that key dupli-cation will result in dismissal. Lock changes are wise every 8 months and sometimes at shorter


intervals on an irregular basis. Key control also is important for vehicles such as autos, trucks, and forklifts. These challenges and vulnerabili-ties of traditional lock and key systems have influenced organizations in switching to mod-ern access control and biometric systems.

Intrusion Detection Systems

An intrusion detection system detects and reports an event or stimulus within its detection area. A response to resolve the reported prob-lem is essential. The emphasis here is on inte-rior sensors. Sensors appropriate for perimeter protection are stressed in Chapter 9. We must remember that intrusion detection systems are often integrated with other physical security systems and rely on IT systems with Internet capabilities.

What are the basic components of an intru-sion detection system? Three fundamental components are sensor, control unit, and annun-ciator. Sensors detect intrusion by, for example, heat or movement of a human. The control unit receives the alarm notification from the sensor and then activates a silent alarm or annunciator (e.g., a light or siren), which usually produces a human response. There are various intrusion detection systems, and they can be wired or wireless. Several standards exist for intrusion detection systems from UL, ISO, the Institute of Electrical and Electronics Engineers, and other groups. Types of interior sensors are explained next ([27]: 104–122; [30]: 48–94).

Interior Sensors

In the electronics field, a “switch” is a compo-nent that can interrupt an electrical circuit (e.g., as with a light switch). A balanced magnetic switch consists of a switch mounted to a door (or win-dow) frame and a magnet mounted to a move-able door or window. When the door is closed, the magnet holds the switch closed to complete an electrical circuit. An alarm is triggered when the door is opened and the circuit is interrupted.

An ordinary magnetic switch is similar to the balanced type, except that it is simpler, is less expensive, and provides a lower level of secu-rity. Switches can be visible or hidden and afford good protection against opening a door; how-ever, no security method is ever “foolproof.”

Mechanical contact switches contain a push button­-actuated switch that is recessed into a sur-face. An item is placed on it that depresses the switch, completing the alarm circuit. Lifting the item interrupts the circuit and signals an alarm.

Pressure-sensitive mats contain two layers of metal strips or screen wire separated by sections of foam rubber or other flexible material. When pressure is applied, as by a person walking on the mat, both layers meet and complete an elec-trical contact to signal an alarm. These mats are applied as internal traps at doors, windows, and main traffic points, as well as near valuable assets. The cost is low, and these mats are dif-ficult to detect. If an offender detects the mat, he or she can walk around it.

Grid wire sensors are made of fine insulated wire attached to protected surfaces in a grid pat-tern consisting of two circuits, one running ver-tical, the other horizontal, and each overlapping the other. An interruption in either circuit signals an alarm. This type of sensor is applied to grill work, screens, walls, floors, ceilings, doors, and other locations. Although these sensors are dif-ficult for an offender to spot, they are expensive to install, and an offender can jump the circuit.

Trip wire sensors use a spring-loaded switch attached to a wire stretched across a protected area. An intruder “trips” the alarm (i.e., opens the circuit) when the wire is pulled loose from the switch. If an offender spots the sensor, he or she may be able to circumvent it.

Vibration sensors detect low-frequency energy resulting from the force applied in an attack on a structure (Fig. 8.14). These sensors are applied to walls, floors, and ceilings. Various sensor mod-els require proper selection.

Capacitance sensors create an electrical field around metallic objects that, when disturbed,

Physical Security Countermeasures


FIGURE 8.14 Vibration sensor.

FIGURE 8.15 Capacitance sensor.

signals an alarm (Fig. 8.15). These sensors are applied to safes, file cabinets, grills at openings (e.g., windows), fences, and other metal objects. One sensor can protect many objects; however, it is subject to defeat by using insulation (e.g., heavy gloves).

Infrared photoelectric beam sensors activate an alarm when an invisible infrared beam of light is interrupted (Fig. 8.16). If the system is detected, an offender may jump over or crawl under the

beam to defeat it. To reduce this vulnerability, tower enclosures can be used to stack sensors.

Ultrasonic motion (UM) detectors focus on sound waves to detect motion. Active UM detectors cre-ate a pattern of inaudible sound waves that are transmitted into an area and monitored by a receiver. This detector operates on the Doppler Effect, which is the change in frequency that results from the motion of an intruder. Passive UM detec-tors react to sounds (e.g., breaking glass). These


FIGURE 8.16 Infrared photoelectric beam system.

detectors are installed on walls or ceilings or used covertly (i.e., disguised within another object). The sensitive abilities of these detectors result in many false alarms, which limit use.

Microwave motion detectors also operate on the Doppler frequency-shift principle. An energy field is transmitted into an area and monitored for a change in its pattern and frequency, which results in an alarm. Because microwave energy penetrates various construction materials, care is required for placement and aiming. However, this can be an advantage in protecting multiple rooms and large areas with one sensor. These sensors can be defeated (like UM) by objects blocking the sensor or by fast or slow movement.

Passive infrared (PIR) intrusion sensors are pas-sive in that they do not transmit a signal for an intruder to disturb. Rather, moving infrared radiation (from a person) is detected against the radiation environment of a room. When an intruder enters the room, the level of infra-red energy changes and an alarm is activated. Although the PIR is not subject to as many nuisance alarms as ultrasonic and microwave detectors, it should not be aimed at sources of heat or surfaces that can reflect energy. The PIR can be defeated by blocking the sensor so it can-not pick up heat.

Passive audio detectors listen for noise created by intruders. Various models filter out naturally occurring noises not indicating forced entry. These detectors can use public address system speakers in buildings, which can act as micro-phones to listen to intruders. The actual con-versation of intruders can be picked up and recorded by these systems. To enhance this sys-tem, CCTV can provide visual verification of an alarm condition, video in real time, still images digitally to security or police, and evidence. The audio also can be two-way, enabling security to warn the intruders. Such audiovisual systems must be applied with extreme care to protect privacy, con-fidentiality, and sensitive information, and to avoid violating state and federal wiretapping and electronic surveillance laws.

Fiber optics is used for intrusion detection and for transmission of alarm signals. It involves the transportation of information via guided light waves in an optical fiber. This sensor can be attached to or inserted in many things requiring protection. When stress is applied to the fiber optic cable, an infrared light pulsing through the cable reacts to the stress and sig-nals an alarm.


Two types of sensor technologies often are applied to a location to reduce false alarms, prevent defeat techniques, or fill unique needs. The combination of microwave and PIR sensors is a popular example of applying dual technologies (Fig. 8.17). Reporting can be designed so an alarm is signaled when both sensors detect an intrusion (to reduce false alarms) or when either sensor detects an intru-sion. Sensors are also becoming “smarter” by sending sensor data to a control panel or computer, distinguishing between humans and animals, and activating a trouble output if the sensor lens is blocked. Supervised wire-less sensors have become a major advancement because sensors can be placed at the best loca-tion without the expense of running a wire;

Physical Security Countermeasures

































P Passive infra-red/ microwave detector

C Magnetic contact

Remote keypad to operate

RK system

CP Control panel

FIGURE 8.17 Commercial intrusion alarm system.

these sensors are constantly monitored for integrity of the radio frequency link between the sensor and panel, status of the battery, and whether the sensor is functioning normally ([27]: 104; [47]: 36–48).

Operational Zoning

Operational zoning means that the build-ing being protected has a segmented alarm sys-tem, whereby the alarm can be turned on and off within particular zones depending on usage. For example, if an early morning cleaning crew is in the north end of a plant, then that alarm

is turned off while other zones still have the alarm on. Furthermore, zoning helps to pinpoint where an intrusion has occurred.

Alarm Monitoring

Today, many entities have an alarm system that is monitored by an in-house station (e.g., a console at a secure location) or from a central station (contract service) located off the prem-ises. These services easily can supply reports of unusual openings and closings, as well as those of the regular routine. Chapter 9 covers alarm signaling systems.


Closed-Circuit Television

CCTV (Fig. 8.18) assists in deterrence, sur-veillance, apprehension, and prosecution. This technology is also helpful in civil cases to protect an organization’s interests. The applications go beyond security and justice. For instance, CCTV can yield a greater ROI by serving as a tool to understand production problems or customer behavior. Although it may be costly initially, CCTV reduces personnel costs because it allows the viewing of multiple locations by one per-son. For instance, throughout a manufacturing plant, multiple cameras are installed, and one security officer in front of a console monitors the cameras. Accessories include pan (i.e., side-to-side movement), tilt (i.e., up-and-down move-ment), and zoom lenses, referred to as “PTZ” in the industry, which are mechanisms that permit viewing mobility and opportunities to obtain a close look at suspicious activity. Additional sys-tem capabilities include recording incidents and viewing when limited light is present. Modern technology has greatly altered CCTV capabili-ties, as described in subsequent paragraphs.

Standards for CCTV systems are from sev-eral sources. These include ANSI, SIA, National Electrical Manufacturers Association, American Public Transportation Association, government agencies, ISO/International Electrotechnical Commission, and the International Code

Council. England and Australia are especially active preparing CCTV standards.

During the 1950s, CCTV began its develop-ment. The traditional CCTV system that came into greater use in the 1970s consisted of ana-log recording systems, solid-state cameras, and coaxial cable ([55,59]: 114). This older technology applied multiple cameras connected through cabling to a camera control unit and a multi-plexer that fed several videocassette recorders (VCRs) in a central control room. The images were viewed real time via several monitors. The disadvantages of this technology include the following: the control room is a single point of failure within the security infrastructure; if a camera is moved, cable is required for the connection; the use of VCRs results in numer-ous cassette tapes requiring storage space; and humans are necessary to change and store tapes.

Older technology, such as the VCR that could record for a limited number of hours, was fol-lowed by time-lapse recorders (i.e., single frames of video are stored at intervals over an extended period of time) with recording capabilities up to several hundred hours, plus an alarm mode in which the recorder reverts to real time when an alarm condition exists. Real-time setting records 30 frames a second; time-lapse video may record between 1 frame a second and 1 frame every 8 s. Time-lapse recorder features included a quick search for alarm conditions during playback,

FIGURE 8.18 Closed-circuit television (CCTV) sign. Camera at top.

Physical Security Countermeasures


the playing of recorded video frames according to the input of time by the user, and the inter-face with other security systems such as access controls to ensure a video record of all people entering and departing.

A new generation CCTV system developed with unshielded twisted-pair cabling (i.e., a cable with multiple pairs of twisted insulated copper conductors in a single sheath) that enabled cam-eras to run on the existing infrastructure. Digital video recorders (DVRs) were introduced in the mid-1990s, and with them, several advantages over analog, including recording on hard disk drives, as a file is stored on a personal computer. Other advantages are avoiding tape storage, remote viewing, easy playback and searches, improved quality of images, and longer life of recordings. Another advance is digital recording in networking, which is referred to as network video recorder (NVR). Rather than many DVRs networked together, an NVR is the camera sys-tem. An NVR is digital cameras managed by specially designed computer operating software designed to manage video surveillance [1]: 8).

IP-based network cameras permit IP net-working of video to be shared where the net-work reaches, including offsite storage. IP video can be controlled and viewed from a PDA, phone, laptop computer, or other mobile device. It is also encrypted. IP-based CCTV sys-tems, including IP cameras, IP video servers, and IP keyboards can be located almost any-where. In addition, the IP keyboard can control the PTZ and other management functions such as recording and searching. When the existing infrastructure in a building is used, a building can become automated on one cable system and include not only CCTV but also access control, fire/safety systems, voice, network traffic, and other systems.

Not everyone is happy with IP-based net-work cameras. Pfeifle, L. [50] reports of one retail security practitioner who argued that with IP a lot of coordination is required, espe-cially with IT employees, installation is difficult,

enough bandwidth must be available, and with several cameras, a platform to manage them is necessary.

It is important to distinguish between the older analog technology and the newer digi-tal technology. Analog signals are used in their original form and placed, for example, on a tape. Most earlier electronic devices use the analog format (e.g., televisions, record play-ers, cassette tape recorders, and telephones). Analog technology is still applied today. With digital technology, the analog signals are sam-pled numerous times, turned into numbers, and stored in a digital system. Today, many devices contain digital technology (e.g., high-definition TV, CDs, fiber-optic telephone lines, and digital telephones).

Even with the shift to IP-based network sys-tems for CCTV, video is still transmitted over coaxial cable, twisted pair wire, fiber-optic cable, microwave, radio frequency, and tele-phone lines. What we have is the opportunity (as with other electronic security systems) for, say, an executive in New York to monitor inside a business in Hong Kong.

The choice of wireless video transmission (e.g., microwave or radio frequency) is an option under certain circumstances. Examples include flexible deployment whereby cameras must be moved periodically (e.g., changing exhibition hall), covert surveillance requiring quick and easy installation, at emergency sites, and histori-cal buildings where a cable route is not possible. Careful planning is required prior to the installa-tion of transmitters and receivers to prevent the radio signal from being blocked. Line of sight is an important issue. Interference can result from environmental conditions such as metallic build-ings, aluminum siding, solar flares, lightning, heavy rain, snow, and high wind ([13]: 46–48).

When IT personnel are approached about including CCTV on a network, they are often concerned about how much bandwidth the video will use. To allay fears, one option at a multibuilding facility is to maintain a DVR at


every building for storage of video so all video is not transmitted to the central computer.

For those end users using traditional analog technology while moving toward an IP-based retrofit, options include using “hybrid” products that accommodate both analog and IP-based signals. Lasky ([40]: 38) advises against a full IP retrofit unless there is a clear understanding of the amount of bandwidth required on a network with numerous IP cameras.

Organizations that employ CCTV systems may consider streaming video surveillance from remote sites to regional centers. Although this approach can be challenging, it can also reduce plant and personnel costs. A key factor in this decision is compression because bandwidth limitations affect the amount of video that can be exchanged between transmitting and receiv-ing sites. Similar to a roadway tunnel, only a cer-tain number of vehicles can enter the tunnel at any one time. However, if the vehicles are made smaller, more can fit. Compression is the amount of redundant video that can be stripped out of an image before storage and transmission, and there are various compression techniques ([42]: 34).

Another concern, as physical security person-nel increasingly rely on a network, is access to the network for various security-related infor-mation. In this case, the IT personnel have the option of placing such security information on a subnet to prevent access to the whole network.

Changing technology has brought about the charged coupled device (CCD) or “chip” cam-era, a small, photosensitive unit designed to replace the tube in the closed-circuit camera. CCD technology is found in camcorders. CCD cameras have certain advantages over tube cameras: CCD cameras are more adaptable to various circumstances, they have a longer life expectancy, “ghosting” (i.e., people appearing transparent) is less of a problem, there is less intolerance to light, less power is required, and less heat is produced, thereby requiring less ventilation and permitting installation in more locations.

Another technology for capturing images digitally is the complementary metal oxide semiconductor (CMOS). Teledyne DALSA [61], a global leader in digital imaging, offering both CCD and CMOS, notes that each has a bright future and there are advantages and disadvan-tages depending on application. Both types con-vert light into electric charge and process it into electronic signals. CCD costs less and is not as complex as CMOS.

Digital cameras are replacing analog cameras. Although analog signals can be converted into digital signals for recording to a PC, quality may suffer. Digital cameras use digital signals that are saved directly to hard drive, but space on a hard drive is limited for video. Network cameras are analog or digital video cameras connected to the Internet with an IP address.

Megapixel and high-definition (HD) secu-rity cameras are part of the more recent evo-lution of video surveillance ([45]: 40–43). Both provide an enhanced picture image over ana-log. Megapixel refers to the number of million pixels in an image. We often identify this term with still picture photography. A greater num-ber of pixels result in increased image detail. This is especially helpful during investigations if, as examples, a person needs to be positively identified or in a casino when a playing card requires identification. Keys ([37]: 27) extols the benefits of megapixel cameras. He notes that with megapixel technology, by zooming in on a recorded image that may initially appear use-less, it can show important details. Keys con-cedes that there are lighting issues with these cameras. He also writes that they are “memory hogs” and planners must study the memory needed to archive data. HD could be consid-ered a subset or type of megapixel camera. It complies with industry standards to ensure excellent color and it produces a wider image than megapixel. If campus police were seek-ing disorderly students in a large crowd, HD would be appropriate over megapixel. Which camera is better depends on the application.

Physical Security Countermeasures


Combining megapixel, HD, and other types of cameras can result in an effective, multipur-pose IP-based network video system.

Increasing “intelligence” is being built into CCTV–computer-based systems. Multiplex means sending many signals over one com-munication channel. Video multiplex systems minimize the number of monitors security personnel must watch by allowing numerous cameras to be viewed at the same time on one video screen. The pictures are compressed, but a full view is seen of each picture. If an alarm occurs, a full screen can be brought up. The dig-ital multiplex recorder enables users to record events directly to a hard drive, reducing stor-age space.

The prolonged watching of CCTV moni-tors (i.e., screens) by personnel, without falling asleep, has been a challenge since the origin of these systems. Personnel that are not rotated periodically become fatigued from watching too much TV. This serious problem is often overlooked. People may “test” the monitoring of the system by placing a bag or rag over a camera or even spraying the lens with paint. If people see that there is no response, CCTV becomes a hoax. The use of dummy cameras is not recommended because, when people dis-cover the dummy, CCTV can be perceived as a deceitful farce.

Users of CCTV systems are especially inter-ested in the recording capabilities of their systems, knowing their personnel are often occupied with multiple tasks (e.g., answering questions for customers, providing information over the telephone) and unable to watch moni-tors continuously. When an event does occur, these systems permit a search of recordings by date, time, location, and other variables.

CCTV capabilities can be enhanced by using video motion detection (VMD). A video motion detector operates by sending, from a camera, a picture to a memory evaluator. The memory evaluator analyzes the image for pixel changes. Any change in the picture, such as movement,

activates an alarm. These systems assist secu-rity officers in reacting to threats and reduce the problem of fatigue from watching monitors. Tse ([64]: 42) refers to a study by an Australian firm that found that after 12 min of continuous watch-ing of monitors, an operator would often miss up to 45% of scene activity, and after 22 min, up to 95% is overlooked.

The integration of VMD and video analyt-ics, also referred to as intelligent video systems (IVS), is a technology that offers different func-tions that aim to precisely define alarm condi-tions, enhance the capabilities of CCTV systems, and reduce the problem of humans missing important events on monitors. These systems enable the user to preselect actions that are pro-grammed into the digital video system, and this software signals an alarm when such an event takes place. Examples of events triggering an alarm include stopped or moving vehicles, objects that are abandoned or removed, and loi-tering of people ([3]: 48–53; [23]: 48–50).

Cameras commonly are placed at public streets, access points, passageways, shipping and receiving docks, merchandise storage areas, cashier locations, parts departments, overlook-ing files, safes, vaults, and production lines. In the workplace, the location of cameras requires careful planning to avoid harming employee morale. A key restriction on the placement of cameras is that they must not be applied to an area where someone has a reasonable expecta-tion of privacy (e.g., restrooms, locations where individuals change clothes).

The extent of the use of hidden surveil-lance cameras is difficult to measure, espe-cially because many individuals are unaware of the existence of these cameras in workplaces. Pinhole lenses are a popular component of hid-den surveillance cameras. They get their name from the outer opening of the lens, which is 1/8–1/4 inch in diameter and difficult to spot. Cameras are hidden in almost any location, such as in clocks, file cabinets, computers, sprinkler heads, and mannequins.



Security officers play an important role in countering internal losses. They must be inte-grated with technology, and this entails qual-ity training and supervision. When uniformed officers patrol on foot inside a facility—through production, storage, shipping, receiving, office, and sales floor areas—an enhanced loss preven-tion atmosphere prevails. Unpredictable and irregular patrols deter employee theft (among other losses). A properly trained officer looks for deviations such as merchandise stored or hid-den in unusual places and tampered security devices. Thoroughly searching trash containers deters employees from hiding items in that pop-ular spot. Losses also are hindered when officers identify and check people, items, and vehicles at access points.

Safes, Vaults, and File Cabinets


Protective containers (Fig. 8.19) secure valu-able items (e.g., cash, confidential information). These devices generally are designed to with-stand losses from fire or burglary. Specifications vary, and an assessment of need should be carefully planned. Management frequently is shocked when a fire-resistive safe in which valuable items are “secured” enables a burglar to gain entry because the safe was designed only for fire. The classic fire-resistive (or record) safe often has a square (or rectangular) door and thin steel walls that contain insulation. During assembly, wet insulation is poured between the steel walls; when the mixture dries, mois-ture remains. During a fire, the insulation cre-ates steam that cools the safe below 350°F (the flash point of paper) for a specified time. The FBI maintains safe insulation files to assist investi-gators. Record safes for computer media require better protection because damage can occur at 125°F, and these records are more vulnerable to

FIGURE 8.19 Safe with electronic lock. Courtesy Sargent

& Greenleaf, Inc.

humidity. Fire safes are able to withstand one fire; thereafter, the insulation is useless.

The classic burglary-resistive (or money) safe often has a thick, round door, and thick walls. Round doors were thought to enhance resistance, but today many newer burglary-resistive safes have square or rectangular doors. The burglary-resistive safe is more costly than the fire-resistive safe.

Better quality safes have the Underwriters Laboratories (UL, a nonprofit testing organiza-tion) rating. This means that manufacturers have submitted safes for testing by UL. These tests determine the fire- or burglary-resistive prop-erties of safes. For example, a fire-resistive con-tainer with a UL rating of 350–4 can withstand an external temperature to 2000°F for 4 h while the internal temperature will not exceed 350°F. The UL test actually involves placing a safe in an increasingly hot furnace to simulate a fire. In

Security Officers


reference to burglary-resistive containers, a UL rating of TL15, for example, signifies weight of at least 750 pounds and resistance to an attack on its door by common tools for a minimum of 15 min. UL-rated burglary-resistive safes also contain UL-listed combination locks and other UL-listed components. When selecting a safe, consider recommendations from insurance companies and peers, how long the company has been in business, and whether or not safe company employees are bonded.


Before a skilled burglar attacks a safe, he or she studies the methods used to protect it. Inside information (e.g., a safe’s combination) is valuable, and scores of employees and former employees of attacked firms have been impli-cated in burglaries. Listed next are major attack techniques of two types: with force and without force. Attack methods using force include the following:

· Rip or peel: Most common, this method is used on fire-resistive safes that have lightweight metal. Like opening a can of sardines, the offender rips the metal from a corner. The peel technique requires an

offender to pry along the edge of the door to reach the lock.

· Punch: The combination dial is broken off with a hammer. A punch is placed on the exposed spindle, which is hammered back to enable breakage of the lock box. The handle then is used to open the door. This method is effective against older safes.

· Chop: This is an attack of a fire-resistive safe from underneath. The safe is tipped over and hit with an ax or hammer to create a hole.

· Drill: A skillful burglar drills into the door to expose the lock mechanism; the lock tumblers are aligned manually to open the door.

· Torch: This method is used against burglar-resistive safes. An oxygen–acetylene cutting

torch melts the steel. This equipment is brought to the safe, or the offender uses equipment from the scene.

· Carry away: The offender removes the safe from the premises and attacks it in a convenient place.


Attack methods using no force include the following:

· Office search: Simply, the offender finds the safe combination in a hiding place (e.g., taped under a desk drawer).

· Manipulation: The offender opens a safe without knowing the combination by using sight, sound, and touch—a rare skill. Sometimes the thief is lucky and opens a safe by using numbers similar to an owner’s birth date, home address, or telephone number.

· Observation: An offender views the opening of a safe from across the street with the assistance of binoculars or a telescope. To thwart this, one should place the numbers on the top edge of the dial, rather than on the face of the dial.

· Day combination: For convenience, during the day, the dial is not completely turned each time an employee finishes using the safe. This facilitates an opportunity for quick access. An offender often manipulates the dial in case the day combination is still in effect.

· X-ray equipment: Metallurgical X-ray equipment is used to photograph the combination of the safe. White spots appear on the picture that helps to identify the numerical combination. The equipment is cumbersome, and the technique is rare.


The following measures are recommended to fortify the security of safes and other containers:

1. Utilize alarms (e.g., capacitance and vibration), CCTV, and adequate lighting.

2. Secure the safe to the building so it is not stolen. (This also applies to cash registers that may be stolen in broad daylight.) Bolt


the safe to the foundation or secure it in a cement floor. Remove any wheels or casters.

3. Do not give a burglar an opportunity to use any tools on the premises; hide or secure all potential tools (e.g., torch).

4. A time lock permits a safe to be opened only at select times. This hinders access even if the combination is known. A delayed-action lock provides an automatic waiting period (e.g., 15 min) from combination use to the time the lock mechanism activates. A silent signal lock triggers an alarm when a special combination is used to open a safe.

5. At the end of the day, turn the dial several times in the same direction.

6. A written combination is risky. Change the factory combination as soon as possible. When an employee who knows the combination is no longer employed, change it.

7. Maintain limited valuables in the safe through frequent banking.

8. Select a safe with its UL rating marked on the inside. If a burglar identifies the rating on the outside, an attack is made easier.

9. Consider modern features of safes: remote access management, reports of cash flow, and traceable deposits.


A walk-in vault is actually a large safe; it is subject to similar vulnerabilities from fire and attack. Because a walk-in vault is so large and expensive, typically, only the door is made of steel, and the rest of the vault is composed of reinforced concrete. Vaults are heavy enough to require special support within a building. They commonly are constructed at ground level to avoid stress on a building.

File Cabinets

Businesses that sustain loss of their records from theft, fire, flood, or other threats or hazards face serious consequences, such as the possi-bility of business failure and litigation. Certain

types of records require protection according to law. Some vital records are customer-identifying information, accounts receivable, inventory lists, legal documents, contracts, research and devel-opment, and human resources data. Records help to support losses during insurance claims.

File cabinets that are insulated and lockable can provide fair protection against fire and bur-glary. The cost is substantially lower than that of a safe or vault, but valuable records demanding increased safety should be placed in a safe or vault and copies stored off-site. Special computer safes are designed to protect against forced entry, fire, and moisture that destroys computer media.


[1] Alten J. Shhh… don’t tell anyone that DVRs are becom-ing obsolete. Secur Dir News 2005;2. [March].

[2] Association of Certified Fraud Examiners. Report to the nations on occupational fraud and abuse, 2010. 2010. www.acfe.com.

[3] Aubele K. Checking out security solutions. Secur Manag 2011;55. [December].

[4] Aughton S. Researchers crack biometric security with play-Doh. PC PRO 2005. www.pcpro.co.uk/ news/81257.

[5] Barry J. Don’t always play the cards you are dealt. Secur Technol Des 1993. [July–August].

[6] Bernard R. The state of converged security operations. Secur Technol Exec 2011;21. [April].

[7] Bernard R. Web services and identity management. Secur Technol Des 2006;16. [January].

[8] Blades M. The insider threat. Secur Technol Exec 2010;20. [November/December].

[9] Boba R, Santos R. A review of the research, practice, and evaluation of construction site theft occurrence and pre-vention: directions for future research. Secur J 2008;21. [October].

[10] Brenner B. How physical, it security sides can work together. Computerworld 2010. [September] www. computerworld.com.

[11] Canadacom. Hydro lost millions from theft, damage last year. Vanc Sun 2007. [February 7] www.canada. com.

[12] Catrantzos N. No dark corners: a different answer to insider threats. Homel Secur Aff 2010;6. [May] www. hsaj.org.

[13] Chan H. Overcoming the challenges of wireless trans-mission. Secur Technol Des 2005;15. [October].



[14] Coleman J. Trends in security systems integration. Secur Technol Des 2000;10. [August].

[15] Computer Security Institute/FBI. CSI/FBI computer crime and security survey. 2005. www.GoCSI.com.

[16] Computer Security Institute/FBI. CSI/FBI computer crime and security survey. 2006. www.GoCSI.com.

[17] Conklin J. Criminology. 7th ed. Boston: Allyn & Bacon Pub; 2001.

[18] Cressey D. Other People’s money: a study in the social psychology of embezzlement. Belmont (CA): Wadsworth; 1971.

[19] D’Agostino S, et al. The roles of authentication, authori-zation and cryptography in expanding security indus-try technology. 2005. www.siaonline.org.

[20] Dean R. Ask the expert. Secur Prod 2005;9. [September].

[21] Department of Defense. User’s guide on controlling locks, keys and access cards. Port Hueneme (CA): Naval Facilities Engineering Service Center; 2000.

[22] Di Nardo J. Biometric technologies: functionality, emerging trends, and vulnerabilities. J Appl Secur Res 2009;4.

[23] Duda D. The ultimate integration—video motion detec-tion. Secur Technol Des 2006;16. [June].

[24] Eberle W, et al. Insider threat detection using a graph-based approach. J Appl Secur Res 2011;6(1).

[25] EEOC. How to comply with the American with disabil-ities act: a guide for restaurants and other food service employers. 2011 (January 19) www.eeoc.gov.

[26] Freeman J. Security director as politician. Secur Technol Des 2000. [August].

[27] Garcia M. Vulnerability assessment of physical pro-tection systems. Burlington (MA): Butterworth-Heinemann; 2006.

[28] Gersh D. Untouchable value. iSecurity 2000. [November].

[29] Greene C. Hang up on fraud with confidential hot-lines. Fraud Alert 2004. [Chicago (IL): McGovern & Greene].

[30] Honey G. Intruder alarms. 2nd ed. Oxford (UK): Newnes; 2003.

[31] Hulusi T. Creating a trusted identity. Secur Technol Exec 2011;21. [May].

[32] Hunt S. Integrated security solutions: getting to know it. Secur Prod 2006;10. [February].

[33] Inbau F, et al. Protective securit1y law. 2nd ed. Boston: Butterworth-Heinemann; 1996.

[34] Jarvis B. The next generation of access control: virtual credentials. Access Control Trends Technol 2011. [June].

[35] Jordan B. Telework’s growing popularity. Homel Def J 2006;4. [June].

[36] Keener J. Integrated systems: what they are and where they are heading. Secur Technol Des 1994. [May].

[37] Keys R. What is intelligent video?. Law Off Manazine 2010;6. [March].

[38] Klenowski P, et al. Gender, identity, and accounts: how white collar offenders do gender when making sense of their crimes. Justice Q 2011;28. [February].

[39] Kosaka M. Public goes private. Secur Prod 2010;14. [March].

[40] Lasky S. Video from the top. Secur Technol Des 2006;16. [June].

[41] Loughlin J. Security through transparency: an open source approach to physical security. J Phys Secur 2009;3(1).

[42] Mellos K. A choice you can count on. Secur Prod 2005;9. [October].

[43] Morton J. Top smart card blunders. Buildings 2011;105. [April].

[44] Nemeth C. Private security and the law. Burlington (MA): Elsevier Butterworth-Heinemann; 2005.

[45] Nilsson F. The resolution to your confusion. Secur Technol Exec 2011;21. [March].

[46] Nosowitz D. Everything you need to know about near field communication. Popular Sci 2011. [March] www. popsci.com.

[47] O’Leary T. New innovations in motion detectors. Secur Technol Des 1999;9. [November].

[48] Pearson R. Integration vs. Interconnection: it’s a matter of semantics. Secur Technol Des 2000;11. [November].

[49] Pearson R. Open systems architecture: are we there yet. Secur Technol Des 2001;11. [January].

[50] Pfeifle L. McDonald’s, Saks begin first install of HDCCTV. Secur Dir News 2010. [January 25] www. securitydirectornews.com.

[51] Philpott D. Physical security—biometrics. Homel Def J 2005;3. [May].

[52] Piazza P. The smart cards are coming… really. Secur Manag 2005;49. [January].

[53] Scicchitano M, et al. Peer reporting to control employee theft. Secur J 2004;17. [April].

[54] Shaw E, et al. Managing the threat from within. Inf Secur 2000;3. [July].

[55] Siemon Company. Video over 10G ipTM. 2003. www. siemon.com.

[56] Skinner W, Fream A. A social learning theory analysis of computer crime among college students. J Res Crime Delinquency 1997;34. [November].

[57] Speed M. Reducing employee dishonesty: in search of the right strategy. Secur J 2003;16. [April].

[58] Spence B. Advances in fingerprint biometric technol-ogy. Locksmith Ledger 2011. [June] www.locksmith- HYPERLINK "http://www.locksmithledger.com" ledger.com.

[59] Suttell R. Security monitoring. Buildings 2006;100. [May].

[60] Swartz D. Open Architecture systems: the future of secu-rity management. Secur Technol Des 1999;9. [December].

[61] Teledyne DALSA. CCD vs. CMOS. 2011. www.tele- HYPERLINK "http://www.teledynedalsa.com" dynedalsa.com.


[62] Toye B. Bar-coded security ID cards efficient and easy. Access Control 1996. [March].

[63] Truncer E. Controlling access system performance. Secur Manag 2011;55. [March].

[64] Tse A. The real world of critical infrastructure. Secur Prod 2006;10. [May].

[65] U.S. Department of Homeland Security, Science and Technology Directorate and the Executive Office of the President, Office of Science and Technology Policy. The National plan for research and development in support of critical infrastructure protection. 2004. www.dhs.gov.

[66] Zalud B. Higher level credentials leave footprint on card printers. Security 2010;47. [October].

[67] Zunkel D. A short course in high-security locks. Secur Technol Des 2003;13. [February].



External Threats and Countermeasures*

Philip P. Purpura


External loss prevention focuses on threats from outside an organization. This chapter con-centrates on countermeasures to impede unau-thorized access from outsiders. If unauthorized access is successful, numerous losses are possible­ from such crimes as assault, burglary, robbery, vandalism, arson, and espionage. Naturally, employees as well as outsiders or a conspiracy of both may commit these offenses. Furthermore, outsiders can gain legitimate access if they are customers, repair technicians, and so on.

Internal and external countermeasures play an interdependent role in minimizing losses; a clear-cut division between internal and exter-nal countermeasures is not possible because of this intertwined relationship. In addition, as explained in the preceding chapter, we are in an era of universal threats. This means that because of telework, employees and organizations face the same threats whether work is accomplished on or off the premises.

The IT perspective is important to produce comprehensive security. IT specialists use terms such as denial of access and intrusion detection, as do physical security specialists; however, IT specialists apply these terms to the p­rotection

of information systems. As IT and physical security­ specialists learn from each other, a host of protection methods will improve, examples being integration of systems, investigations, and business continuity planning.



One avenue to begin thinking about how to prevent unauthorized entry is to study the methods­ used by offenders. Both management­ (to hinder penetration) and offenders (to s­ucceed in gaining access) study the characteristics­ of patrols, fences, sensors, locks, windows, doors, and the like. By placing yourself in the position of an offender (i.e., think like a thief) and then that of a loss prevention manager, you can see, while studying Woody’s Lumber Company, the Smith Shirt manufacturing plant, and Compulab Corporation (discussed in Chapter 8), that a com-bination of both perspectives aids in the design-ing of defenses. (Such planning is requested in a case problem at the end of this chapter.) Furthermore, keep in mind these theories­ and practical applications of the theories; these include rational choice and routine activity

* From Purpura PP. Security and loss prevention 6e. Boston: Butterworth-Heinemann; 2013 Updated by the editor, Elsevier, 2016.

Effective Physical Security, Fifth Edition



Copyright © 2017 Elsevier Inc. All rights reserved.


theories and situational crime prevention tech-niques to reduce opportunities for crime.

Forced entry is a common method used to gain unauthorized access, especially at windows and doors. Offenders repeatedly break or cut glass (with a glass cutter) on a window or door and then reach inside to release a lock or latch. To stop the glass from falling and making noise, an offender may use a suction cup or tape to remove or hold the broken glass together. A complex lock may be rendered useless if the offender is able to go through a thin door by using a hammer, chisel, and saw. Forced entry also may be attempted through walls, floors, ceilings, roofs, skylights, utility tunnels, sewer or storm drains, and venti-lation vents or ducts. Retail stores may be subject to smash and grab attacks: a store display win-dow is smashed, merchandise is quickly grabbed, and the thief immediately flees.

Atlas ([3]: 52) describes burglars who targeted a retail chain by rattling storefronts to create false alarms; this resulted in slow police response and retail management turning off the burglar alarm systems to avoid fines. Police and retail manage-ment “bit the bait” and the burglars, disguised with masks and gloves, shattered drive-through windows with a tire iron, climbed in, and stole unsecured cash boxes prepared for morning business.

Berube ([5]: 326–381) writes of conflicting research results on the deterrent effect of burglar alarm systems. Certain burglars do not care if they activate an alarm because they only spend one or 2 min at the crime scene and police are unlikely to respond quickly to make an arrest. Because of the false alarm problem, police may be hesitant to respond quickly or not respond at all. When we consider rational choice and routine activity theories, slow police response to alarm activations reduce risk for burglars and increase opportunities. Berube also cites research that sup-ports the deterrent effect of alarm systems.

Unauthorized access also can be accomplished without force. Wherever a lock is supposed to be used, if it is not locked properly, access is possible. Windows or doors left unlocked are a surprisingly

common occurrence. Lock picking or possession of a stolen key or access card renders force unnec-essary. Dishonest employees are known to assist offenders by unlocking locks, windows, or doors and by providing keys and technical information. Offenders sometimes hide inside a building until closing and then break out following an assault or theft. Tailgating and pass back are other methods of gaining access without force, as covered in the preceding chapter. Sly methods of gaining entry are referred to as surreptitious entry.


Countermeasures for external (and internal)­ threats can be conceptualized around the five “Ds”:

· Deter: The mere presence of physical security can dissuade offenders from committing criminal acts. The impact of physical security can be enhanced through an aura of security. An aura is a distinctive atmosphere surrounding something. Supportive management and security personnel should work to produce a professional security image. They should remain mum on such topics as the number and types of intrusion detection sensors on the premises and security system weaknesses. Security patrols should be unpredictable and never routine. Signs help to project an aura of security by stating, for example, Premises Protected By High-Tech Redundant Security. Such signs can be placed along a perimeter and near openings to buildings. The aura of security strives to produce a strong psychological deterrent so offenders will consider the success of a crime to be unlikely. It is important to note that no guarantees come with deterrence. (Criminal justice policies are in serious trouble because deterrence is faulty; criminals continue

to commit crimes even while facing long sentences.) In the security realm, deterrence must be backed up with the following four “Ds.”



· Detect: Offenders should be detected and their location pinpointed as soon as they step onto the premises or commit a violation on the premises. This can be accomplished through observation, closed-circuit television (CCTV), intrusion sensors, duress alarms, weapons screenings, protective dogs, and hotlines.

· Delay: Security is often measured by the time it takes to get through it. Redundant security refers to two or more similar security methods (e.g., two fences; two types of intrusion sensors). Layered security refers to multiple security methods that follow one another and are dissimilar (e.g., perimeter fence, strong doors, a safe). Both redundant and layered securities create a time delay. Thus, the offender may become frustrated and decide to depart, or the delay may provide time for a response force to arrive to make an apprehension.


Nunes-Vaz et al. ([29]: 372) favor distinguish-ing between “layered security” and “security-in-depth” to enhance research and to guide investments in security. They write, “Risk mini-mization is best achieved by strengthening the layer that may already be the most effective, and by focusing on the weakest function within that layer.” In addition, they argue that “security-in-depth” aims to produce not only effective layers­ but also coherent integration of layers.

· Deny: Strong physical security, often called target hardening, can deny access. A steel door and a safe are examples. Frequent bank deposits of cash and other valuables extend the opportunity to deny the offender success.

· Destroy: When you believe your life or another will be taken, you are legally permitted to

use deadly force. An asset (e.g., proprietary information) may require destruction before it falls into the wrong hands.

Environmental Security Design

When a new facility is planned, the need for a coordinated effort by architects, fire protection

and safety engineers, loss prevention practitio-ners, local police and fire officials, and other specialists cannot be overstated. Furthermore, money is saved when security and safety are planned before actual construction rather than accomplished by modifying the building later.

Years ago, when buildings were designed, loss prevention features were an even smaller part of the planning process than today. Before air conditioning came into widespread use, numer-ous windows and wide doors were required for proper ventilation, providing thieves with many entry points. Today’s buildings also present problems. For example, ceilings are constructed of suspended ceiling tiles with spaces above the tiles that enable access by simply pushing up the tiles. Once above the tiles, a person can crawl to other rooms on the same floor. Roof access from neighboring buildings is a common problem for both old and new buildings. Many of these weak points are corrected by adequate hardware such as locks on roof doors and by intrusion sensors.

Architects are playing an increasing role in designing crime prevention into building plans.

Environmental security design includes natu-ral and electronic surveillance of walkways and parking lots, windows and landscaping that enhance visibility, improved lighting, and other architectural designs that promote crime prevention­. Additionally, dense shrubbery can be cut to reduce hiding places, and grid streets can be turned into cul-de-sacs by using barri-cades to reduce ease of escape.

An illustration of how CPTED is applied can be seen with the design of Marriott hotels ([23]: 84–88). To make offenders as visible as possible, traffic is directed toward the front of hotels. Lobbies are designed so that people walking to guest rooms or elevators must pass the front desk. On the outside, hedges are emphasized to produce a psychological barrier that is more appealing than a fence. Pathways are well lit and guide guests away from isolated areas. Parking lots are characterized by lighting, clear lines of sight, and access control. Walls of the garage are painted white to enhance lighting. On the inside


of hotels, the swimming pool, exercise room, and vending and laundry areas have glass doors and walls to permit maximum witness potential. One application of CCTV is to aim cameras at persons standing at the lobby desk and install the monitor in plain view. Since people can see themselves, robberies have declined. CPTED enhances traditional security methods such as patrolling officers and emergency call boxes.

Research from the United Kingdom has extended the reach of CPTED. The UK Design Against Crime (DAC) Program seeks a wide group of design professionals to develop cre-ative and often subtle design solutions to combat crime and fear of crime. The DAC is a holistic, human-centered approach that facilitates crime prevention without inconveniencing people or creating a fortress environment. Examples include the following: a fence with a top rail that is angled to discourage young people from sit-ting on the fence and “hanging out”; the playing of classical music to prevent youth from congre-gating in certain areas; and the “antitheft hand-bag” that has a short strap, a carefully located zipper, thick leather, and an alarm ([10]: 39–51).

CPTED is enhanced through the “Broken Windows” theory of James Q. Wilson and George Kelling [48]. This theory suggests that deteriorated buildings that remain in disrepair and disorderly behavior attract offenders and crime while increasing fear among residents. If someone breaks a window and it is not repaired, more windows may be broken, and a continu-ation of dilapidated conditions may signal that residents do not care. Minor problems, such as vandalism, graffiti, and public intoxication, may grow into larger problems that attract offenders and destroy neighborhoods. However, residents can increase safety and security when they take pride in the conditions of their neighborhood.

Perimeter Security

Perimeter means outer boundary, and it is often the property line and the first line of defense against unauthorized access (Fig. 9.1). Building access points such as doors and windows also are considered part of perimeter defenses at many locations. Typical perimeter security begins with a fence and gate and may include

FIGURE 9.1 Perimeter security. Courtesy of Wackenhut Corporation. Photo by Ed Burns.



multiple security methods (e.g., card access, locks, sensors, lighting, CCTV, and patrols) to increase protection (Fig. 9.2). Technology can extend security surveillance beyond the perim-eter, as illustrated with radar that is applied at a facility near a waterway (Fig. 9.3).

The following variables assist in the design of perimeter security:

1. Whatever perimeter security methods are planned, they should interrelate with the total loss prevention program and business objectives. In addition, green security should be considered.

2. Perimeter security needs to be cost-effective. When plans are presented, management is sure to ask: “What type of return will we have on our investment?”

3. Although the least number of entrances strengthens perimeter security, the plan

FIGURE 9.2 Multiple security methods increase protection.

must not interfere with normal business and emergency events.

4. Perimeter security has a psychological impact on potential intruders. It signals a warning to outsiders that steps have been taken to block intrusions. Offenders actually “shop” for vulnerable locations (i.e., opportunities).

5. Even though a property line may be well protected, the possibility of unauthorized entry cannot be totally eliminated. For example, a fence can be breached by going over, under, or through it.

6. Penetration of a perimeter is possible from within. Merchandise may be thrown over a fence or out of a window. Various things are subject to smuggling by persons walking or using a vehicle while exiting through a perimeter.

7. The perimeter of a building, especially in urban areas, often is the building’s walls. An offender may enter through a wall (or roof) from an adjoining building.

8. To permit an unobstructed view, both sides of a perimeter should be kept clear of vehicles, equipment, and vegetation. This allows for what is known as clear zones.

9. Consider integrating perimeter intrusion sensors with landscape sprinkler systems. Trespassers, protesters, and other intruders will be discouraged, and, when wet, they are easier to find and identify.

10. Perimeter security methods are exposed to a hostile outdoor environment not found indoors. Adequate clothing and shelter are necessary for security personnel.

The selection of proper security systems prevents false alarms from animals, vehicle vibrations, and adverse weather.

11. Perimeter security should be inspected and tested periodically.


Post and Kingsbury ([34]: 502–503) state, “the physical security process utilizes a


FIGURE 9.3 Radar extends security surveillance beyond the perimeter at a facility near a waterway. Courtesy of Honeywell


number of barrier systems, all of which serve specific needs. These systems include natural, structural, human, animals, and energy bar-riers” Natural barriers are rivers, hills, cliffs, mountains, foliage, and other features difficult­ to overcome. Fences, walls, doors, and the architectural arrangement of buildings are structural barriers. Human barriers include security officers who scrutinize people, vehi-cles, and things entering and leaving a f­acility. The typical animal barrier is a dog. Energy barriers include protective lighting and intru-sion detection systems.

The most common type of barrier is a chain-link fence topped with barbed wire (Fig. 9.1). A search of the Web shows many industry stan-dards for fences from ASTM, UL, ISO, and other groups from the United States and overseas. For example, ASTM F567 focuses on materials speci-fications, design requirements, and installation of chain-link fencing.

One advantage of chain-link fencing is that it allows observation from both sides: a private security officer looking out and a public police officer looking in. Foliage and decorative plastic woven through the fence can reduce visibility and aid offenders. Opposition to chain-link fenc-ing sometimes develops because management wants to avoid an institutional-looking environ-ment. Hedges are an alternative.

It is advisable that the chain-link fence be made of at least 9-gauge or heavier wire with 2″ Χ 2″ diamond-shaped mesh. It should be at least 7 ft high. Its posts should be set in concrete and spaced no more than 10 ft apart. The bottom should be within 2 inches of hard ground; if the ground is soft, the fence can become more secure if extended a few inches below the ground. Recommended at the top is a top guard—sup-porting arms about 1 or 2 ft long containing three or four strands of taut barbed wire 6 inches apart and facing outward at 45 degrees.



FIGURE 9.4 Anticlimb fence with vulnerability.

Anticlimb fences (Fig. 9.4) are an alternative to the chain-link fence. Applied in Europe, with growing interest and application in the United States, these fences are more attractive and more difficult to climb than the chain-link fence. The mesh openings are small which prevents fingers and shoes from being inserted into the fence to climb. As with all other security measures, anti-climb fences have vulnerabilities.

Barbed wire fences are used infrequently. Each strand of barbed wire is constructed of two 12-gauge wires twisted and barbed every 4 inches. For adequate protection, vertical sup-port posts are placed 6 ft apart, and the parallel­ strands of barbed wire are from 2 to 6 inches apart. A good height is 8 ft.

Concertina fences consist of coils of steel razor wire clipped together to form cylinders weigh-ing about 55 pounds. Each cylinder is stretched to form a coil-type barrier 3 ft high and 50 ft long. The ends of each 50-foot coil need to be clipped to the next coil to obviate movement. Stakes also stabilize these fences. This fence was developed by the military to act as a quickly constructed barrier. When one coil is placed on another, they

create a 6-foot-high barrier. One coil placed on two as a base provides a pyramid-like barrier that is difficult to penetrate. Concertina fences are especially helpful for quick, temporary repairs to damaged fences.

Razor ribbon and coiled barbed tape are increas-ing in popularity. They are similar to concertina fencing in many ways. Every few inches along the coil are sharp spikes, looking something like a small-sharpened bow tie.

Gates are necessary for traffic through fences. The fewer gates, the better because, like win-dows and doors, they are weak points along a perimeter. Gates usually are secured with a chain and padlock. Uniformed officers stationed at each gate and fence opening increase security while enabling the observation of people and vehicles.

Vehicle barriers control traffic and stop vehicles from penetrating a perimeter. The problems of vehicle bombs and drive-by shoot-ings have resulted in greater use of vehicle barriers. These barriers are assigned gov-ernment-certified ratings based on the level of protection; however, rating systems vary


among government agencies. One agency, for example, tests barriers against 15,000-pound trucks traveling up to 50 miles per hour, while another agency tests 10,000-pound trucks trav-eling the same speed. Passive vehicle barriers are fixed and include decorative bollards, large concrete planters, granite fountains, specially engineered and anchored park benches, hard-ened fencing, fence cabling, and trees. An alter-native to bollards is a plinth wall—a continuous low wall of reinforced concrete with a buried foundation ([45]: 2–33). Moore [20] notes alter-natives to bollards, including tiger traps (i.e., a path of paving stones over a trench of low-den-sity concrete that will collapse under a heavy weight) and NOGOs (i.e., large, heavy bronze blocks). Active vehicle barriers are used at entrances and include gates, barrier arms, and pop- up-type systems that are set underground and, when activated, spring up to block a vehicle ([44]: 49–53). Factors to consider when planning vehicle barriers include frequency of traffic, type of road (e.g., a curved road slows vehicles), aesthetics, and how the barrier is integrated with other physical security and personnel ([21]: 30). As we know, no security method is foolproof, and careful security plan-ning is vital, including ADA requirements. In 1997, to protest government policy, the environ-mental group Greenpeace penetrated govern-ment security in Washington, DC, and dumped 4 tons of coal outside the Capitol building. The driver of the truck drove the wrong way up a one way drive leading to the building!

Walls are costly and a substitute for fences when management is against the use of a wire fence. Attractive walls can be designed to pro-duce security equal to fences while blending into surrounding architecture. Walls are made from various materials: bricks, concrete blocks, stones, or cement. Depending on design, the top of walls 6 or 7 ft high may contain barbed wire, spikes, or broken glass set in cement. Offenders often avoid injury by throwing a blanket or jacket over the top of the wall (or fence) before scaling

it. An advantage of a wall is that outsiders are hindered from observing inside. However, observation by public police during patrols also is hindered; this can benefit an intruder.

Hedges or shrubbery are useful as barriers. Thorny shrubs have a deterrent value. These include holly, barberry, and multiflora rose bushes, all of which require a lot of watering. The privet hedge grows almost anywhere and requires minimal care. A combination of hedge and fence is useful. Hedges should be less than 3 ft high and placed on the inside to avoid injury to those passing by and to create an added obstacle for someone attempting to scale the fence. Any plants that are large and placed too close to buildings and other locations provide a climbing tool, cover for thieves, and a hiding place for contraband.

Municipal codes restrict the heights of fences, walls, and hedges to maintain an attractive envi-ronment devoid of threatening–looking barriers. Certain kinds of barriers may be prohibited (e.g., barbed wire) to ensure conformity. Planning should encompass research of local standards.

The following list can help a security man-ager eliminate weak points along a perimeter or barrier.

1. Utility poles, trees, boxes, pallets, forklifts, tools, and other objects outside a building can be used to scale a barrier.

2. Ladders left outside are an offender’s delight. Stationary ladders are made less accessible via a steel cage with a locked door.

3. A common wall is shared by two separate entities. Thieves may lease and occupy or just enter the adjoining building or room and then hammer through the common wall.

4. A roof is easy to penetrate. A few tools, such as a drill and saw, enable offenders to cut through the roof. Because lighting, fences, sensors, and patrols rarely involve the roof, this weakness is attractive to thieves. A rope ladder often is employed to descend from the roof, or a forklift might be used to lift



items to the roof. Vehicle keys should be hidden and other precautions taken.

5. Roof hatches, skylights, basement windows, air conditioning and other vent and duct systems, crawl spaces between floors and under buildings, fire escapes, and utility covers may need a combination of locks, sensors, steel bars, heavy mesh, fences, and inspections. A widely favored standard is that any opening greater than 96 square inches requires increased protection.

Protecting Buildings Against Terrorism

To help justify security and loss prevention expenditures, executives should refer to the

Reference Manual to Mitigate Potential Terrorist Attacks against Buildings ([45]: iii), here referred to as FEMA 426. This publication notes that building designs can serve to mitigate multiple hazards. For example, hurricane window design, espe-cially against flying debris, and seismic standards for nonstructural building components apply also to bomb explosions. Next, Purpura [36] describes protection methods from FEMA 426.

FEMA 426 refers to site-level considerations for security that include land use controls, land-scape architecture, site planning, and other strategies to mitigate risks of terrorism and other hazards. Land use controls, including zoning and land development regulations, can affect security because they define urban config-urations that can decrease or increase risks from crime and terrorism. For instance, managing storm water on-site can add security through water retention facilities that serve as a vehicle barrier and blast setback. This reduces the need for off-site pipes and manholes that can be used for access or to conceal weapons. FEMA 426 offers several building design suggestions to increase security (Fig. 9.5).

A target-rich environment is created when people, property, and operations are concen-trated in a dense area. There are advantages and disadvantages to a dense cluster. An

advantage is the possibility to maximize stand-off (i.e., protection when a blast occurs) from the perimeter. Additional security benefits are a reduction in the number of access and surveil-lance points and a shorter perimeter to protect. A dense cluster of buildings can possibly save energy costs through, for instance, heat transfer from heat-producing areas to heat-consuming areas. In addition, external lighting would not be dispersed over a large area, requiring more lights and energy. In contrast, dispersed build-ings, people, and operations spread the risk. However, dispersal can increase the complexity of security (e.g., more access points), and it may require more resources (e.g., security officers, CCTV, lighting perimeter protection).

FEMA 426 recommends that designers con-solidate buildings that are functionally compat-ible and have similar threat levels. For instance, mail rooms, shipping and receiving docks, and visitor screening areas, where people and mate-rials are often closely monitored prior to access, should be isolated and separated from concen-trations of people, operations, and key assets.

The design of open space with protection in mind offers several benefits: the ease with which to monitor and detect intruders, vehicles, and weapons; standoff value from a blast; pervious open space that permits storm water to perco-late back into the ground, reducing the need for pipes, manholes, and other covert access points and weapon concealment sites; and wetland or vegetated area to improve aesthetic value while hindering vehicle intrusion.

Keep out zones help to maintain a specific distance between vehicles or people and a building. This is accomplished through perim-eter security. If terrorists plan to attack a specific building, they will likely use surveillance to study security features, look for vulnerabilities, and try to penetrate access controls and defenses through creative means; security planning should include surveillance and other methods to identify individuals who may be gathering such information from off or on the premises.
















1 Locate assets stored onsite but outside of the facility within view of occupied rooms in the facility

2 Eliminate parking beneath facilities

3 Minimize exterior signage or other indications of asset locations

4 Locate trash receptacles as far from the facility as possible

5 Eliminate lines of approach perpendicular to the building

6 Locate parking to obtain stand-off distance from facility

7 Illuminate building exteriors or sites where exposed assets are located

8 Minimize vehicle access points

9 Eliminate potential hiding places near facility; provide an unob-structed view around facility

10 Site facility within view of other occupied facilities on the installation

11 Maximize distance from facility to installation boundary

12 Locate facility away from natural or man-made vantage points

13 Secure access to power/heat

plants, gas mains, water supplies, and electrical service

FIGURE 9.5 Summary of site mitigation measures. U.S. Department of Homeland Security. Reference manual to mitigate potential­ terrorist attacks against buildings, FEMA 426. Washington (DC): FEMA; December 2003.

Here are other suggestions for buildings from FEMA 426:

· Provide redundant utility systems to continue life safety, security, and rescue functions in case of an emergency.

· Since hardened glazing may cause windows not to blow out in a blast, a system for smoke removal is essential.

· When possible, elevate fresh air intakes to reduce the potential of hazardous materials entering a building from ground level. The

intakes should be sloped down and have screens in case a device is thrown toward the opening.

· Manipulation of the HVAC system could minimize the spread of a hazardous agent. Filtration systems are another option, although expensive.

Mitigation for Explosive Blasts

Standoff distance is the distance between an asset and a threat. FEMA 426 views distance as the most effective and desirable strategy against



a blast because other methods may vary in effectiveness, be more costly, and result in unin-tended consequences. A blast wall can become a part of the fragmentation if a bomb is detonated close to it. Urban environments create challenges when designing standoff distance because land is often expensive and it may be unavailable. There is no ideal standoff distance; numerous variables take part in planning, such as the type of threat or explosive, construction characteris-tics and target hardening, and desired level of protection.

Blast and antiramming walls provide an expensive option for protecting buildings, espe-cially in urban areas. Revel ([38]: 40) writes that a test of a blast wall conducted by the U.S. Government’s Technical Support Working Group (TSWG) showed the effectiveness of this security method. The blast wall sustained an explosion more powerful than the one that destroyed the Murrah Federal Building (Oklahoma City bombing) and the effects on the test building behind the blast wall were reduced by about 90%. The blast wall was constructed by first inserting in the ground 18-foot blast posts, with 9 ft extending above the ground. Then steel-jacketed concrete and rebar-filled panels were lowered between the posts in an interlock-ing pattern. When the explosion occurred, the posts twisted and deflected the blast above and back from the panels, directing the force up and beyond the lower structural steel of the building and around the ends of the wall. The blast wall is also capable of absorbing large vehicle impact at high speeds.

Although several building design features can mitigate explosive blasts, many factors enter into the design of buildings, including cost, pur-pose, occupancy, and location. A high-risk build-ing should incorporate more mitigation features than a low-risk building. Significant changes to existing buildings may be too expensive; therefore, lower cost changes must be sought. Bollards and strong gates are less expensive than making major structural changes to a building. In addition, trees, vegetative groupings, and

earth berms offer some degree of blast shielding. Examples of mitigation features from FEMA 426 are as follows:

· Avoid “U-” or “L-” shaped building designs that trap the shock waves of a blast. Circular buildings reduce a shock wave better than a rectangular building because of the angle of incidence of the shock wave.

· Avoid exposed structural elements (e.g., columns) on the exterior of a facility.

· Install as much glazing (i.e., windows) as possible away from the street side.

· Avoid locating doors across from one another in interior hallways to limit the force of a blast through the building.

· High-security rooms should be blast- and fragment-resistant.

· Provide pitched roofs to permit deflection of launched explosives.


Annealed glass, also called plate glass, is com-monly used in buildings. It has low strength, and upon failure, it fractures into razor sharp pieces. Fully thermally tempered glass (TTG) is four to five times stronger than annealed glass, and upon failure, it will fracture into small cube-shaped fragments. Building codes generally require TTG anywhere the public can touch (e.g., entrance doors). Wire-reinforced glass is made of annealed glass with an embedded layer of wire mesh. It is applied as a fire-resistant and forced entry barrier. All three types of glass present a dangerous hazard from a blast [45].

Traditionally, window protection focused on hindering forced entry. Today, we are seeing increasing designs that mitigate the hazardous effects of flying glass from various risks, besides explosion. Experts report that 75% of all dam-age and injury from bomb blasts results from flying and falling glass. Vendors sell shatter-resistant film, also called fragment retention film, which is applied to the glass surface to reduce this problem. Conversely, a report on the 1993


World Trade Center attack claimed that the destroyed windows permitted deadly gases to escape from the building, enabling occupants to survive. A balanced design (i.e., type of glass, glass frame, and frame to building) means that all the window components have compatible capacities and fail at the same pressure levels. The U.S. General Services Administration pub-lishes glazing protection levels based on how far glass fragments would enter a space and cause injuries. It is important to note that the highest level of protection for glazing may not mitigate the effects from a large explosion [45].

Blast curtains are window draperies made of special fabrics designed to stop glass window shards that are caused by explosions and other hazards. Various designs serve to catch broken glass and let the gas and air pressure dissipate through the fabric mesh. The fibers of these cur-tains can be several times as strong as steel wire. The U.S. General Services Administration estab-lishes criteria for these products ([30]: 143–144).

Glass can be designed to block penetration of bullets, defeat attempted forced entry, remain intact following an explosion, and protect against electronic eavesdropping. The Web shows many standards for glazing from the American Architectural Manufacturers Association (AAMA), ANSI, UL, ASTM, Consumer Product Safety Commission, ISO, and overseas groups. Security glazing should be evaluated on com-parative testing to an established national con-sensus standard such as ASTM F1233, Standard Test Method for Security Glazing Materials and Systems. Important issues for glazing include product life cycle, durability, installation, main-tenance, and framing [39].

Underwriters Laboratories classifies bullet-resistant windows into eight protection levels, with levels 1 to 3 rated against handguns and 4 to 8 rated against rifles. Level 4 or higher windows usually are applied by government agencies and the military. Protective windows are made of either glass or plastic or mixtures of each.

Laminated glass absorbs a bullet as it passes through various glass layers. The advantage of glass is in its maintenance: it is easy to clean and less likely to scratch than plastic. It is less expen-sive per square foot than plastic but heavier, which requires more workers and stronger frames. Glass has a tendency to spall (i.e., chip) when hit by a bullet. UL752-listed glass holds up to three shots, and then it begins to shatter from subsequent shots.

Two types of plastic used in windows are acrylic and polycarbonate. Both vary in thick-ness and are lighter and more easily scratched than glass. Acrylic windows are clear and monolithic, whereas glass and polycarbon-ate windows are laminates consisting of lay-ers of material bonded one on top of another. Acrylic will deflect bullets and hold together under sustained hits. Some spalling may occur. Polycarbonate windows are stronger than acrylics against high-powered weapons. Local codes may require glazing to pop out in an emergency.

In addition to protective windows, wall armor is important because employees often duck below a window during a shooting. These steel or fiberglass plates also are rated.

Burglar-resistant windows are rated (UL 972, Burglary Resisting Glazing Material); avail-able in acrylic and polycarbonate materials; and protect against hammers, flame, “smash and grab,” and other attacks. Combined bul-let- and burglar -resistant windows are avail-able. Although window protection is an expense that may be difficult to justify, insur-ers offer discounts on insurance premiums for such installations.

Electronic security glazing, containing metal-ized fabrics, can prevent electromagnetic signals inside a location from being intercepted from outside, while also protecting a facility from external electromagnetic radiation interference from outside sources. Standards for this type of glazing are from the National Security Agency, NSA 65–8.



Window Protection

Covering windows with grating or security screens is an additional step to impede entrance by an intruder or items being thrown out by a dishonest employee. Window grating consists of metal bars constructed across windows. These bars run horizontally and vertically to produce an effective form of protection. Although these bars are not aesthetically pleasing, they can be purchased with attractive ornamental designs. Security screens are composed of steel or stain-less-steel wire (mesh) welded to a frame. Screens have some distinct advantages over window grating. Employees can pass pilfered items through window bars more easily than through a screen. Security screens look like ordinary screens, but they are much heavier in construc-tion and can stop rocks and other objects.

When planning window protection, one must con-sider the need for emergency escape and ventilation. To ensure safety, certain windows can be tar-geted for the dismantling of window protection during business hours.

Window Locks

Businesses and institutions often contain windows that do not open. For windows that

do open, a latch or lock on the inside provides some protection. The double-hung window, often applied at residences, is explained here as a foundation for window protection. It consists of top and bottom windows that are raised and lowered for user convenience. When the top window is pushed up and the bottom window pushed down, a crescent sash lock containing a curved turn knob locks both parts of the whole window in place (Fig. 9.6). By inserting a knife under the crescent sash lock where both win-dow sections meet, an offender can jimmy the latch out of its catch. If an offender breaks the glass, the crescent sash lock can be unlocked by reaching inside. With such simple techniques known to offenders, defenses that are more complicated are necessary. Nails can be used to facilitate a quick escape while maintaining good window security: one drills a downward-sloping hole into the right and left sides of the window frame where the top and bottom win-dow halves overlap and inserts nails that are thinner and longer than the holes. This enables the nails to be quickly removed during an emergency escape. If a burglar attacks the win-dow, he or she cannot find or remove the nails (Fig. 9.6). Another method is to attach a window

FIGURE 9.6 Double-hung window (view from inside).


lock requiring a key (Fig. 9.6). These locks are capable of securing a window in a closed or slightly opened position. This can be done with the nail (and several holes) as well. The key should be hidden near the window in case of emergency.

Electronic Protection for Windows

Four categories of electronic protection for windows are foil, vibration, glass-breakage, and contact-switch sensors. Window foil, which has lost much of its popularity, consists of lead foil tape less than 1-inch wide and paper thin that is applied directly on the glass near the edges of a window. In the nonalarm state, electricity passes through the foil to form a closed circuit. When the foil is broken, an alarm is sounded. Window foil is inexpensive and easy to maintain. One disad-vantage is that a burglar may cut the glass with-out disturbing the foil. Vibration sensors respond to vibration or shock. They are attached directly on the glass or window frame. These sensors are noted for their low-false alarm rate and are applicable to fences, walls, and valuable artwork, among other things. Glass-breakage sensors react to glass breaking. A sensor the size of a large coin is placed directly on the glass and can detect glass breakage several feet away. Some types operate via a tuning fork, which is tuned to the frequency produced by glass breaking. Others employ a microphone and electric amplifier. Contact switches activate an alarm when opening the window interrupts the contact. In Fig. 9.7, this sensor protects a door and roof opening.

Additional ideas for window protection follow:

1. A strong window frame fastened to a building prevents prying and removal of the entire window.

2. First floor windows are especially vulnerable to penetration and require increased protection.

3. Consider tinting windows to hinder observation by offenders.

FIGURE 9.7 Switch sensors have electrical contacts that make or break an electrical circuit in response to a physical movement.

4. Windows (and other openings) that are no longer used can be bricked.

5. Expensive items left near windows invite trouble.

6. Cleaning windows and windowsills periodically increases the chances of obtaining clear fingerprints in the event of a crime.


Many standards apply to doors, from the AAMA, ANSI, ASTM, BHMA, National Association of Architectural Metal Manufacturers (NAAMM), NFPA, Steel Door Institute (SDI), UL, and ISO. In addition, other countries have standards. Aggleton ([1]: 24)



writes that because of life safety issues (e.g., quick egress in case of emergency), door hard-ware and locks are subject to more stringent codes and standards than other physical secu-rity, such as intrusion sensors.

Doors having fire ratings must meet certain frame and hardware requirements. Decisions on the type of lock and whether electronic access will be applied also affect hardware. Decisions on doors are especially crucial because of their daily use and the potential for satisfying or enraging users and management ([40]: 40).

Businesses and institutions generally use aluminum doors. Composed of an aluminum frame, most of the door is covered by glass. Without adequate protection, the glass is vul-nerable, and prying the weak aluminum is not difficult. The all-metal door improves protection at the expense of attractiveness.

Hollow-core doors render complex locks useless because an offender can punch right through the door. Thin wood panels or glass on the door are additional weak points. More expensive, solid-core doors are stronger; they are made of solid wood (over an inch thick) without the use of weak fillers. To reinforce hollow-core or solid-core doors, one can attach 16-gauge steel sheets via one way screws.

Whenever possible, door hinges should be placed on the inside. Door hinges that face out-side enable easy entry. By using a screwdriver and hammer, one can raise the pins out of the hinges to enable the door to be lifted away. To protect the hinge pins, it is a good idea to weld them so they cannot be removed in this manner. Another form of protection is to remove two screws on opposite sides of the hinge, insert a pin or screw on the jamb side of the hinge so that it protrudes about half an inch, and then drill a hole in the opposite hole to fit the pin when the door is closed. With this method on both top and bottom hinges, even if the hinge pins are removed, the door will not fall off the hinges (Fig. 9.8).

FIGURE 9.8 Pin to prevent removal of door.

Contact switches applied to doors offer elec-tronic protection. Greater protection is provided when contact switches are recessed in the edges of the door and frame. Other kinds of electronic sensors applied at doors include vibration sen-sors, pressure mats, and various types of motion detectors aimed in the area of the door.

More hints for door security follow:

1. A wide-angle door viewer within a solid door permits a look at the exterior prior to opening a door.

2. Doors (and windows) are afforded extra protection at night by chain closures. These frequently are seen covering storefronts in malls and in high-crime neighborhoods.

3. To block “hide-in” burglars (those who hide in a building until after closing) from easy exit, require that openings such as doors and windows have a key-operated lock on the inside as well as on the outside.

4. Almost all fire departments are equipped with power saws that cut through door locks and bolts in case of fire. Many firefighters can gain easy access to local buildings because building


owners have provided keys that are located in fire trucks. Although this creates a security hazard, losses can be reduced in case of fire.

5. All doors need protection, including garage, sliding, overhead, chain-operated, and electric doors.

Intrusion Detection Systems

Standards for intrusion detection systems are from UL, the Institute of Electrical and Electronics Engineers (IEEE), and ISO, plus other groups in the United States and overseas. UL, for example, “lists” installation companies that are authorized to issue UL Certificates on each installation. This means that the installer con-forms to maintenance and testing as required by UL, which conducts unannounced inspections.

Intrusion detection systems; these systems have gone through several generations, lead-ing to improved performance. Not in the table is magnetic field, which consists of a series of buried wire loops or coils. Metal objects moving over the sensor induce a current and signal an alarm. Research shows that the vulnerability to defeat (VD) for magnetic field and infrared photo beam is high. Microwave, electric field, fence distur-bance, seismic sensor cable, taut wire, and video motion systems all have a medium VD. The VD for ported coaxial cable systems is low. Visible sensors are relatively easy to defeat but cost-effective for low-security applications. Multiple sensors, and especially covert sensors, provide a higher level of protection ([8]: 57–61; [37]: 36–42; [41]: 80–82).

Fiber optics is a growing choice for intrusion detection and transmission. Fiber optics refers to the transportation of data by way of guided light waves in an optical fiber. This differs from the conventional transmission of electrical energy in copper wires. Fiber optic applications include video, voice, and data communications. Fiber optic data transmission is more secure and less subject to interference than older methods.

Fiber optic perimeter protection can take the form of a fiber optic cable installed on a fence.

When an intruder applies stress on the cable, an infrared light source pulsing through the system notes the stress or break and activates an alarm. Optical fibers can be attached to or inserted within numerous items to signal an alarm, including razor ribbon, security grills, windows, and doors, and it can protect valuable assets such as computers.

Dibazar, et al. [11] writes of their research on the development and deployment of “smart fence” systems consisting of multiple sensor technologies. Their research illustrates the direc-tion and capabilities of “smart fence” systems. Included in their design are “(a) acoustic based long range sensor with which vehicles’ engine sound and type can be identified, (b) vibration based seismic analyzer which discriminates between human footsteps and other seismic events such as those caused by animals, and

(c) fence breaching vibration sensor which can detect intentional disturbances on the fence and discriminate among climb, kick, rattle, and lean.” Garcia ([13]: 83–84) views intrusion sensor per-formance based on three characteristics: probabil-ity of detection of the threat, nuisance alarm rate, and VD. The probability of detection depends on several factors including the desired threat to be detected (e.g., walking, tunneling), sensor design, installation, sensitivity adjustment, weather, and maintenance/testing. According to Garcia, a nui-sance alarm rate results from a sensor interacting with the environment, and a sensor cannot dis-tinguish between a threat and another event (e.g., vibration from a train). A false alarm rate results from the equipment itself, and it is caused by inadequate design, failure, or poor maintenance. VD varies among systems. Bypass means the adversary circumvented the intrusion detection system. Spoofing means the adversary traveled through the detection zone without triggering an alarm; depending on the sensor, one strategy is by moving very slowly. Garcia emphasizes the importance of proper installation and testing of

intrusion detection systems.

No one technology is perfect; many pro-tection programs rely on dual technology to



strengthen intrusion detection. In the process of selecting a system, it is wise to remember that manufacturers’ claims often are based on perfect weather. Security decision-makers must clearly understand the advantages and disad-vantages of each type of system under various conditions.


Intrusion detection systems can be classi-fied according to the kind of protection pro-vided. There are three basic kinds of protection: point, area, and perimeter. Point protection (Fig. 9.9) signals an alarm when an intrusion is made at a special location. It is also referred to as spot or object protection. Files, safes, vaults, jewelry­ counters, and artwork are tar-gets for point p­rotection. Capacitance and vibra-tion systems­ provide point protection and are installed directly on the object. These systems often are used as a backup after an offender has succeeded­ in gaining access. Area protection

(Fig. 9.10) detects an intruder in a selected area such as a main aisle in a building or at a strategic passageway­. Microwave and infra-red systems are applicable to area protection. Perimeter protection (Fig. 9.11) focuses on the outer boundary of the premises. If doors and windows are part of the perimeter, then contact switches, vibration­ detectors, and other devices are applicable.

Alarm Signaling Systems

Alarm signaling systems transmit data from a protected area to an annunciation system. Local ordinances and codes provide guidelines and restrictions on these systems.

Local alarm systems notify, by sound or lights, people in the hearing or seeing range of the signal. This includes the intruder, who may flee. Typically, a siren or bell is activated outside a building. Often, local alarms pro-duce no response—in urban areas, responsible action may not be taken, and in rural areas,

FIGURE 9.9 Point protection.


FIGURE 9.10 Area protection.

FIGURE 9.11 Perimeter protection.

nobody may hear the alarm. These alarms are less expensive than other signaling systems but are easily defeated. If a local alarm is used dur-ing a robbery, people may be harmed. Research from the United Kingdom ([9]: 53–72) points to

the benefits of delayed-audible alarms during a burglary that are triggered as the offender enters the premises but sound a few minutes later so cameras have an opportunity to record the offender and police still have time to respond



prior to the offender’s escaping if they are noti-fied promptly. Combining these strategies with an immediate silent alarm to a central station increases the opportunity for an arrest.

A central station alarm system receives intru-sion, fire, medical, and environmental signals at a computer console located and monitored a distance away from the protected location. When an alarm signal is received, central station personnel contact police, firefighters, or other responders. Central station services employ sales, installation, service, monitoring, and response personnel. Proprietary monitoring systems are similar to central station systems, except that the former does the monitoring and the system is operated by the proprietary orga-nization. Resources for central station design are available from UL, NFPA, and the Security Industry Association ([32]: 80).

Technology drives advances in central station capabilities. Remote video monitoring enables a central station operator to view what triggered an alarm to verify the need for a human response. Global positioning system (GPS) permits real-time tracking (e.g., location, direction, and speed) and archiving of moving assets and people. Off-site video storage, especially at a UL-listed central station, affords increased protection and backup for video recordings. It also helps to prevent the problem of offenders taking recording equip-ment with them as they leave the crime scene and, thus, destroying evidence ([12]: 44–46).

WeGuardYou [47], a security vendor, describes how its technology is applied to shopping mall security as explained next. Each security vehicle functions as a central station that offers real-time local and remote video, alarm, and data monitoring while transferring information over a secure wireless system. In one scenario, a woman leaves a mall one evening, packages and pocketbook in hand. Suspected muggers are in the parking lot. Cameras follow the woman in real time as the images are sent to mobile units (i.e., security vehicles), besides showing on TV monitors inside the mall central station control

room. Mobile units containing emergency lights, loudspeaker, and enhanced lighting converge on the “hot spot” to prevent victimization. If an emergency occurs, security officers take action, all security personnel are notified via radio, police and EMS are notified, and fixed cameras and those on mobile units record the incident with images remotely accessible.

Various data transmission systems are utilized to signal an alarm. Here, the older technology is covered first before the modern technology. As with fire alarm systems, security alarm systems are using less traditional phone lines to trans-mit an alarm as digital systems involving cellu-lar networks, fiber optics, and voice over IP are advancing ([22]: 32).

Automatic telephone dialer systems include the tape dialer and digital dialer. Tape dialer systems are seldom used today. They deliver a prere-corded or coded message to an interested party (e.g., central station, police department) after that party answers the telephone. Digital dialers use coded electronic pulses that are transmitted and an electronic terminal decodes the message. Digital dialers, often called digital communica-tors, are still applied today, although the tech-nology is more advanced than in earlier years. Local codes typically prohibit tape dialers or similar automatic devices connected to authori-ties (e.g., police and fire) because of false alarms, wasted resources, and the need for authorities to ask questions about the emergency. The central station evolved to serve as a buffer between the site of the emergency and authorities so infor-mation can be gathered and verified prior to contacting authorities.

Today, there are different automatic voice/ pager dialer systems on the market that contact a central station or individual when a sensor is activated. The technology is also applied in sales, such as the use of software enabling calls through a computer.

Radio frequency and microwave data transmis-sion systems often are applied where telephone lines are not available or where hardwire lines


are not practical. The components include trans-mitter; receiver; and repeaters to extend range, battery backup, and solar power.

Fiber optic data transmission systems, as dis-cussed earlier, transport data by way of light waves within a thin glass fiber. These cables are either underground or above ground. The com-ponents include transmitter, receiver, repeaters, battery backup, and solar power. Fiber optic sys-tems are more secure than direct wire.

Signals should be backed up by multiple technologies. Options for off-site transmission of activity include satellite, local area network, wide area network, cellular, and the Internet. Cellular is especially useful for backup, since it is more likely to remain in operation in certain disasters. It can also be used as a primary trans-mission method ([50]: 74–83).

Among the advances in alarm monitoring is remote programming. Using this method, a cen-tral station can perform different functions with-out ever visiting the site. Capabilities include arming and disarming systems, unlocking doors, performing diagnostics and corrections, and, with access systems, adding or deleting cards.

Alarm systems also may be multiplexed or integrated. Multiplexing is a method of transmit-ting multiple information signals over a single communications channel. This single commu-nications channel reduces line requirements by allowing signal transmission from many pro-tected facilities. Two other advantages are that information that is more detailed can be transmit-ted, such as telling which detector is in an alarm state, and transmission line security is enhanced with encoding. Integrated systems, as covered in Chapter 8, combine multiple systems (e.g., alarm monitoring, access controls, and CCTV).

Closed-Circuit Television

CCTV allows one person to view several locations (Fig. 9.12). This is a distinct advantage when protecting the boundaries of a facility, because it reduces personnel costs.

FIGURE 9.12 Closed-circuit television.

Television programs and movies sometimes portray an intruder penetrating a perimeter bar-rier by breaking through when a CCTV camera had momentarily rotated to another location. Usually, the camera just misses the intruder by returning to the entry point right after the intruder gains access. Such a possibility can be averted via overlapping camera coverage. If cameras are capable of viewing other cam-eras, personnel can check on viewing obstruc-tions, sabotage, vandalism, or other problems. Smoked domes prevent an offender from iden-tifying the direction of the camera. In addition, covert CCTV surveillance should be considered for outdoor applications in conjunction with overt CCTV surveillance.

Tamperproof housings will impede those interested in disabling cameras. Different mod-els are resistant to vandalism, bullets, explosion, dust, and severe weather. Housings are manu-factured with heaters, defrosters, windshield wipers, washers, and sun shields.



Low-light-level cameras provide the means to view outside when very little light is available. When no visible light is available, an infrared illuminator creates light, invisible to the naked eye, but visible to infrared-sensitive cameras. Another option is thermal imaging cameras, which sense heat from an intruder and are especially helpful to spot them in darkness, fog, smoke, foliage, and up to several miles away ([43]: 56–66; [33]: 24–28). An essential aspect of CCTV usage is proper monitoring. Although video motion detection and video analytics (Chapter 8) apply technology to identify anomalies that human observers may miss, security manage-ment should take action to reduce fatigue and ensure good-quality viewing. Suggestions include rotating personnel every 2 h, limit TV monitors to fewer than 10, arrange monitors in a curved configuration in front of the viewer, control the lighting over the console to avoid glare on the monitor screens or tilt the moni-tors if necessary, place the monitors in an order that permits easy recognition of camera loca-tions, provide a swivel chair that hampers the opportunity for sleeping, and assign tasks to the viewer (e.g., communications and logging).


From a business perspective, lighting can be justified because it improves sales by making a business and merchandise more attractive, pro-motes safety and prevents lawsuits, improves employee morale and productivity, and enhances the value of real estate. From a security perspective, three major purposes of lighting are to create a psychological deterrent to intrusion, to enable detection, and to enhance the capabilities of CCTV systems. Good lighting is considered such an effective crime control method that the law, in many locales, requires buildings to maintain adequate lighting.

Painter and Farrington [31] conducted a major study on the effect of lighting on the incidence of crime in England. Three residential areas

were selected. One was the experimental area that contained improved lighting. The second was labeled the adjacent area. In addition, the third served as the control area. Lighting in the adjacent and control areas remained unchanged. The research included the question of whether improved lighting might result in a reduction of crime in the adjacent area. The research results showed a marked reduction in different crimes in the experimental area, whereas crime in the adjacent and control areas remained the same.

One way to study lighting deficiencies is to go to the premises at night and study the possible methods of entry and areas where inadequate lighting will aid an offender. Before the visit, one should contact local police as a precaution against mistaken identity and to recruit their assistance in spotting weak points in lighting.

Three sources for information on lighting are the Illuminating Engineering Society of North America (IESNA), the National Lighting Bureau, and the International Association of Lighting Management Companies. The IESNA provides information on recommended lighting levels for various locations.

What lighting level will aid an intruder? Most people believe that under conditions of darkness a criminal can safely commit a crime. However, this view may be faulty, in that one generally cannot work in the dark. Three pos-sible levels of light are bright light, darkness, and dim light. Bright light affords an offender plenty of light to work but enables easy observation by others; it will deter crime. Without light—in darkness—a burglar finds that he or she can-not see to jimmy a door lock, release a latch, or perform whatever work is necessary to gain access; a flashlight is necessary, which someone may observe. However, dim light provides just enough light to break and enter while hinder-ing observation by authorities. Support for this view was shown in a study of crimes during full-moon phases, when dim light was pro-duced. This study examined the records of 972 police shifts at three police agencies, for a 2-year


period, to compare nine different crimes during full-moon and nonfull-moon phases. Only one crime, breaking and entering, was greater dur-ing full-moon phases ([35]: 350–353). Although much case law supports lighting as an indicator of efforts to provide a safe environment, secu-rity specialists are questioning conventional wisdom about lighting ([6]: 29–33). Because so much nighttime lighting goes unused, should it be reduced or turned off? Should greater use be made of motion-activated lighting? How would these approaches affect safety and cost-effective-ness? These questions are ripe for research.


Lumens (of light output) per watt (of power input) are a measure of lamp efficiency. Initial lumens per watt data are based on the light out-put of lamps when new; however, light output declines with use. Illuminance is the intensity of light falling on a surface, measured in foot-candles (English units) or lux (metric units). The foot-candle (FC) is a measure of how bright the light is when it reaches 1 ft from the source. One lux equals 0.0929 FC. For measures of illumi-nance, values not labeled as vertical are gener-ally assumed to be horizontal FC (or lux). The light provided by direct sunlight on a clear day is about 10,000 FC; an overcast day would yield about 100 FC; and a full moon, about 0.01 FC. A sample of outdoor lighting illuminances rec-ommended by the Illuminating Engineering Society of North America [16] are as follows: guarded facilities, including entrances and gate-house inspection, 10 FC (100 lux); parking facili-ties, garages, and covered parking spaces, 6 FC (60 lux) on pavement and 5 FC (50 lux) for stairs, elevators, and ramps; and for fast-food restau-rant parking, general parking at schools and hotels/motels, and common areas of multifam-ily residences and dormitories, 3 FC (30 lux).

Care should be exercised when studying illu-minance. Horizontal illuminance may not aid in the visibility of vertical objects such as signs and keyholes. FC vary depending on the distance from

the lamp and the angle. If you hold a light meter horizontally, it often gives a different reading than if you hold it vertically. Are the FC initial or main-tained? Maintenance and bulb replacement ensure high-quality lighting ([27]: 1–36; [42]: 1–4).


The following lamps are applied outdoors ([24]: 12–13; [27]: 1–36; [42]: 1–4):

· Incandescent lamps are at residences. Electrical current passes through a tungsten wire enclosed in a glass tube. The wire becomes white-hot and produces light. These lamps produce 17–22 lumens per watt, are the least efficient and most expensive to operate, and have a short lifetime of from 500 to 4000 h. Compact fluorescent light bulbs are replacing incandescent bulbs because they are “earth friendly,” useless energy, last longer (10,000 h), and generate less heat.

· Halogen and quartz halogen lamps are incandescent bulbs filled with halogen gas (like sealed-beam auto headlights) and provide about 25% better efficiency and life than ordinary incandescent bulbs.

· Fluorescent lamps pass electricity through a gas enclosed in a glass tube to produce light, producing 67–100 lumens per watt. They create twice the light and less than half the heat of an incandescent bulb of equal wattage and cost 5–10 times as much.

Fluorescent lamps do not provide high levels of light output. The lifetime is from 9000

to 17,000 h. They are not used extensively outdoors, except for signage.

· Mercury vapor lamps also pass electricity through a gas. The yield is 31–63 lumens per watt, and the life is over 24,000 h with good efficiency compared to incandescent lamps. Because of their long life, these lamps are often used in street lighting.

· Metal halide lamps are also of the gaseous type. The yield is 80–115 lumens per watt, and the efficiency is about 50% higher than



mercury vapor lamps, but the lamp life is about 6000 h. They often are used at sports stadiums because they imitate daylight conditions, and colors appear natural. Consequently, these lamps complement CCTV systems, but they are the most expensive light to install and maintain.

· High-pressure sodium lamps are gaseous, yield about 80–140 lumens per watt, have a life

of about 24,000 h, and are energy efficient. These lamps are often applied on streets, parking lots, and building exteriors. They cut through fog and are designed to allow the eyes to see more detail at greater distances.

· Low-pressure sodium lamps are gaseous, produce 150 lumens per watt, have a life of about 15,000 h, and are even more efficient than high-pressure sodium. These lamps are expensive to maintain.


Each type of lamp has a different color rendi-tion, which is the way a lamp’s output affects human perceptions of color. Incandescent, fluo-rescent, and certain types of metal halide lamps provide excellent color rendition. Mercury vapor lamps provide good color rendition but are heavy on the blue. High-pressure sodium lamps, which are used extensively outdoors, provide poor color rendition, making things look yellow. Low-pressure sodium lamps make color unrec-ognizable and produce a yellow-gray color on objects. People find sodium vapor lamps, some-times called anticrime lights, to be harsh because they produce a strange yellow haze. Claims are made that this lighting conflicts with aesthetic values and that it affects sleeping habits. In many instances, when people park their vehi-cles in a parking lot during the day and return to find their vehicle at night, they are often unable to locate it because of poor color rendition from sodium lamps; some report their vehicles as being stolen. Another problem is the inability of witnesses to describe offenders accurately.

Mercury vapor, metal halide, and high-pressure­ sodium take several minutes to

produce full light output. If they are turned off, even more time is required to reach full output because they first have to cool down. This may not be acceptable for certain security appli-cations. Incandescent, halogen, and quartz halogen have the advantage of instant light once electricity is turned on. Manufacturers can provide information on a host of lamp characteristics including the “strike” and “restrike” time.

Lighting Equipment

Fresnel lights have a wide flat beam that is directed outward to protect a perimeter, glaring in the faces of those approaching. A floodlight “floods” an area with a beam of light, resulting in considerable glare. Floodlights are stationary, although the light beams can be aimed to select positions. The following strategies reinforce good lighting:

1. Locate perimeter lighting to allow illumination of both sides of the barrier.

2. Direct lights down and away from a facility to create glare for an intruder. Make sure the directed lighting does not hinder observation by patrolling officers.

3. Do not leave dark spaces between lighted areas for offenders to move within. Design lighting to permit overlapping illumination.

4. Protect the lighting system, locate lighting inside the barrier, install protective covers over lamps, mount lamps on high poles, bury power lines, and protect switch boxes.

5. Photoelectric cells will enable lights to go on and off automatically in response to natural light. Manual operation is helpful as a backup.

6. Consider motion-activated lighting for external and internal areas.

7. If lighting is required near navigable waters, contact the U.S. Coast Guard.

8. Work to reduce light pollution, such as wasting energy and disturbing neighbors with light trespass.


9. Maintain a supply of portable, emergency lights and auxiliary power in the event of a power failure.

10. Good interior lighting also deters offenders.

11. If necessary, join other business owners to petition local government to install improved street lighting.

Parking Lot and Vehicle Controls

Employee access control at a building is easier when the parking lot is on one side of a building rather than surrounding the building. Vehicles should be parked away from shipping and receiving docks, garbage dumpsters, and other crime-prone locations.

Employees should have permanent parking stickers, whereas visitors, delivery people, and service groups should be given a temporary pass to be displayed on the windshield. Stickers

and passes allow uniformed officers to locate unauthorized vehicles.

Parking lots are more secure when these spe-cific strategies are applied: CPTED, access con-trols, signs, security patrols, lighting, CCTV, and panic buttons and emergency phones. Crimes often occur in parking lots, and these events can harm employee morale and result in law-suits, unless people are protected. Hospitals, for example, supply an escort for nurses who walk to their vehicles after late shifts. Employee edu-cation about personal safety, locking vehicles, and additional precautions prevent losses.

Certain types of equipment can aid a parking lot security/safety program. Cushman patrol vehicles, capable of traveling through narrow passageways, increase patrol mobility. Bicycles are another option. A guardhouse or security booth is useful as a command post in parking lots (Fig. 9.13).

FIGURE 9.13 Access controls at a parking lot.



Various technologies can be applied to con-trolling vehicles at access points. One example is automatic license plate recognition systems that apply image-processing technology that reads a vehicle’s license plate and uses infrared light to illuminate a plate in the dark. A high-speed cam-era is used to photograph a plate, and then the recorded information is compared to a database. Besides access controls, the applications include fleet management, locating stolen vehicles, and border security ([26]: 1).

The threat of terrorism has influenced the design of parking lots and vehicle controls. Different types of parking lots present vari-ous security issues. Surface lots keep vehicles away from buildings, consume large amounts of land, and may add to storm water runoff vol-ume. On-street parking provides no setback. A garage may require blast resistance. If the garage is under a building, a serious vulnerabil-ity exists, since an underground bomb blast can be devastating.

A designer can propose minimizing vehi-cle velocity because, for example, a bollard that can stop a 15,000 -pound truck moving at 35 MPH may not be able to stop the same truck moving at 55 MPH (FEMA 426). The road itself can become a security measure by avoiding a straight path to a building. A straight road enables a vehicle to gather speed to ram a barrier, penetrate a building, and then deto-nate a bomb. Approaches should be parallel to the building and contain high curbs, trees, or berms to prevent vehicles from leaving the road. Curving roads with tight corners offer another strategy.

Traffic calming strategies are subtler and communicate appropriate speed. Examples are speed humps and raised crosswalks. A speed hump is not as rough as a speed bump. The lat-ter is often used in parking lots. All these strate-gies reduce speed and liability while increasing safety. Drawbacks are that the response time of first responders increases and snow removal may become difficult.

Security Officers

Officers normally are assigned to stationary (fixed) posts or to patrol. A stationary post is at a door or gate where people, vehicles, and objects are observed and inspected. Stationary posts also involve directing traffic or duty at a con-trol center where communications, CCTV, and alarms are monitored. Foot or vehicle patrols conducted throughout the premises, in parking lots, and along perimeters identify irregularities while deterring offenders. Examples of unusual or harmful conditions that should be reported are damaged security devices, holes in perim-eter fences or other evidence of intrusion, hid-den merchandise, unattended vehicles parked inappropriately, keys left in vehicles, employ-ees sleeping in vehicles or using drugs, blocked fire exits, cigarette butts in no-smoking areas, accumulations of trash, and odors from fuels or other combustibles. In contrast to public police officers, private security officers act in primarily a preventive role and observe and report.

Before security officers are employed, far-sighted planning ensures optimum effectiveness of this service. What are the unique needs and characteristics of the site? How many people and what assets require protection? What are the vulnerabilities? How many hours per day is the facility open? How many employees? How many visitors and vehicles enter and exit daily? What are the specific tasks of security officers, how much time will be expended on each task, and how many officers are required?

Security officers are expensive. Costs include wages, insurance, uniforms, equipment, and training. If each officer costs $40,000 per year for a proprietary force and five officers are required for the premises at all times, to maintain all shifts 7 days per week requires approximately 20 officers. The cost would be about $800,000 per year. To reduce costs, many companies switch to contract security services and/or consider tech-nological solutions.

Several specific steps can be taken to improve the effectiveness of officers. Three of the most


critical are careful applicant screening, sound train-ing, and proper supervision. Management should ensure that officers know what is expected of them. Policies, procedures, and day-to-day duties are communicated via verbal orders, memos, and training programs. Courtesy and a sharp appearance command respect that enhances security.

Policies should ensure that supervisors check on officers every hour. Rotating officers among duty assignments reduces fatigue while famil-iarizing them with various tasks. Providing inspection lists for adverse conditions will keep them mentally alert. The formal list should be returned with a daily report. Miller [18], in an ASIS CRISP Report entitled, “Fatigue Effects and Countermeasures in 24/7 Security Operations,” offers shift work strategies to counter fatigue, such as “smart” scheduling and ensuring ade-quate time between schedule changes for proper sleep.

Armed versus Unarmed Officers

The question of whether to arm officers is controversial. Probably the best way to answer this question is to study the nature of the par-ticular officer’s assignment. If violence is likely, then officers should be armed. Officers assigned to locations where violent crimes are unlikely do not need firearms, which, if worn by officers, could be offensive. The trend is toward unarmed officers because of liability issues and costs for training and equipment. If weapons are issued to officers, proper selection of officers and training are of the utmost importance. Training should include use of force and firearms safety, as well as practice on the firing range every 4 months.

Monitoring Officers

Lower burglary and fire insurance premiums result from monitored patrols and insurance personnel subject the records to inspection. Early technology used watch clocks to monitor officer patrols along preplanned routes. The officer on patrol carried this old technology, consisting

of a timepiece that contained a paper tape or disc divided into time segments. A watch clock was operated by an officer via keys mounted in walls at specific locations along a patrol route. These keys were often within metal boxes and chained to walls. When inserted into the watch clock, the key made an impression in the form of a number on the tape or disc. Supervisors exam-ined the impressions to see whether the officer visited each key location and completed the scheduled route. Keys were located at vulnera-ble locations (e.g., entry points, flammable stor-age areas). Good supervision prevented officers from disconnecting all the keys at the beginning of the shift, bringing them to one location for use in the watch clock (and, thus, avoiding an hourly tour), and returning the keys at the end of the shift.

Automatic monitoring systems are another way to monitor patrols and keep records. Key sta-tions are visited according to a preplanned time schedule and route. If an officer does not visit a key station within a specific time, a central monitoring station receives a transmitted sig-nal, and if contact cannot be made, personnel are dispatched.

Bar code or touch button technology provides other avenues for monitoring patrols. A security officer carries a wand that makes contact with a bar code or touch button to record data that are later downloaded into a computer. Bar codes or buttons are affixed at vulnerable locations for a swipe by the wand to record the visit by the officer, who can also swipe bar codes or but-tons that represent various conditions (e.g., fire extinguisher needs recharging). Supervision of these systems ensures that officers are patrolling properly and conditions are being reported ([2]: 48–58). To improve the efficiency of a security officer, the officer can use a wireless tablet PC (Fig. 9.14), which enables the officer to leave a monitoring post and take the workstation with him or her. If, for example, an officer must leave a control center to investigate an incident, the officer can bring the tablet PC and continue to



FIGURE 9.14 The tablet PC is a mobile workstation enabling a security officer to leave a post and do many things while mobile that are done from a desktop PC such as view closed-circuit television, monitor alarms, and open doors. Courtesy of Hirsch Electronics, Santa Ana (CA).

watch CCTV, monitor alarms, and open doors for employee access. Levine ([17]: 35) describes a customized PDA system that grew into a digi-tal incident-reporting tool, then into a mobile phone with GPS tracking, as well as containing a camera, e-mail and text messaging functions, a panic alarm, time and attendance recording, and the means to read bar codes for monitoring patrols. He explained that in one case a client at a meeting complained about never seeing a security officer on patrol, so the security execu-tive took out his computer, accessed the website, pulled up the previous day, and showed the cli-ent the tracking of the officer on patrol.

Contraband Detection

Contraband is an item that is illegal to pos-sess or prohibited from being brought into a spe-cific area. Examples are weapons, illegal drugs, and explosives. Security officers and government

personnel play a crucial role in spotting contraband at many locations. They use special devices and canine services to locate contraband, and these devices and services are as good as the personnel behind them.

Various types of devices detect contraband. Metal detectors transmit a magnetic field that is disturbed by a metallic object, which sets off a light or audio signal. Two types of metal detec-tors are handheld and walkthrough. X-ray scan-ners use pulsed energy to penetrate objects that are shown on a color monitor. These devices are mobile and stationary and can inspect such things as mail, packages, loaded trucks, and shipping containers. Since the 9/11 attacks, ports, border checkpoints, airports, and other locations have intensified efforts to detect con-traband, research and development and busi-nesses selling detection devices have increased. Although vendors are prone to over promise and under deliver, contraband detection technology is improving. Reputable research groups apply-ing scientific research methodologies improve the likelihood that devices operate as touted. For example, the National Institute of Standards and Technology [25] focuses on customer needs (e.g., police and military) and conducts research on various technologies. The focus of this group’s research includes real-time imaging systems to detect large concealed objects for identifying suicide bombers and microwave electromag-netic signatures to identify dangerous liquids.

Protective Dogs

Besides serving to detect contraband and pro-tect people, canine (K-9) is classified as an animal barrier that can strengthen security at a protected site. An alarm dog patrols inside a fenced area or building and barks at the approach of a stranger but does not attempt to attack. These dogs retreat when threatened but continue to bark. Such barking may become so alarming to an intruder that he or she will flee. A guard or attack dog is similar to an alarm dog, with an added


feature of attacking an intruder. To minimize the possibility of a lawsuit, a business should selec-tively apply and adequately fence in these dogs, and warning signs should be posted. An expe-rienced person on call at all times is needed to respond to emergencies. Another type of attack dog is the sentry dog. This dog is trained, kept on a leash, and responds to commands while patrolling with a uniformed officer. The advan-tages are numerous. These animals protect offi-cers. Their keen senses of hearing and smell are tremendous assets when trying to locate a hid-den offender (or explosives or drugs). Dogs can discern the slightest perspiration from people under stress, enabling the dogs to sense indi-viduals who are afraid of them. An ingredient in stress perspiration irritates dogs, which makes frightened persons more susceptible to attack. When an “attack” command is given, a German shepherd has enough strength in its jaws to break a person’s arm.

In addition to the possibility of a lawsuit if a dog attacks someone, there are other disad-vantages to the use of dogs. If proprietary dogs are part of the protection team, personnel and kennel facilities are needed to care for the dogs. These costs and others include the purchase of dogs and their training, medical care, and food. Using a contract service would probably be more feasible. Another disadvantage is the possibility that dogs may be poisoned, anesthe-tized, or killed. An offender also may befriend a dog. Dogs should be taught to accept food only from the handler. Neighbors near the protected premises often find dogs noisy or may perceive them as offensive for other reasons.

Since the 9/11 attacks, interest in canines has increased. At the same time, there is a need for consistent standards for training, quality assur-ance, kenneling, selection of handlers, and pre-sentation of evidence. Definitions also present a problem. For example, there is no consistent def-inition as to what constitutes an explosive detec-tion canine. The Bureau of Alcohol, Tobacco, Firearms and Explosives has developed the

National Odor Recognition Testing initiative, which could be a standard to which dogs could be certified. Research is being conducted on the use of chemical warfare agent detector dogs and GPS technology in conjunction with remote commands for searches, surveillance, and track-ing of persons ([15]: 36–38).

Communications and the Control Center

As emergency personnel know, the ability to communicate over distance is indispens-able. Every officer should be equipped with a portable two-way radio; this communication aid permits officers to summon assistance and notify superiors about hazards and impending disasters. Usually, officers on assignment com-municate with a control center that is the hub of the loss prevention program. FEMA 426 ([45]: 3–45) recommends redundant communications. The control center is the appropriate site for a console containing alarm indicators, CCTV monitors, door controls, the public address sys-tem, and an assortment of other components for communication and loss prevention (Fig. 9.15).

Because of the convergence of IT and physi-cal security, the traditional security control cen-ter may be within a network operations center. Some organizations may choose to outsource a portion of operations. Since these operations are critical, they must be secure both electronically and physically [19].

Because personnel will seek guidance from a control center in the event of an emergency, that center must be secure and operational at all times. A trend today is automated response systems programmed into the control cen-ter because so many decisions and actions are required for each type of emergency ([32]: 76–81). The control center is under increased protection against forced entry, tampering, or disasters when it contains a locked door; is located in a basement or underground; and is constructed of fire-resistant materials. An auto-matic, remotely operated lock, released by the



FIGURE 9.15 Security officer at console managing access control, closed-circuit television, alarm monitoring, and video imaging. Courtesy of Diebold, Inc.

console operator after identifying the caller also enhances security. Bullet-resistant glass is wise for high-crime locations. FEMA 426 ([45]: 3–47) recommends a backup control center, possibly at an off-site location. Whoever designs the con-trol center should be well versed in ergonomics, which deals with the efficient and safe partner-ship between people and machines.


[1] Aggleton D. The latest innovations in door hardware. Secur Technol Exec 2010;20. [May].

[2] Arnheim L. A tour of guard patrol systems. Secur Manag 1999. [November].

[3] Atlas R. Fast food, easy money. Secur Manag 2010;54. [December].

[4] Bernard R. The security industry World has changed. Secur Technol Exec 2010;20. [May].

[5] Berube H. An examination of alarm system deterrence and rational choice theory: the need to increase risk. J Appl Secur Res 2010;5(3).

[6] Berube H. New notions of night light. Secur Manag 1994. [December].

[7] Burton R. A new standard for high-performance green buildings. Buildings 2010;104. [March].

[8] Clifton R, Vitch M. Getting a sense for danger. Secur Manag 1997. [February].

[9] Coupe T, Kaur S. The role of alarms and CCTV in detecting non-residential burglary. Secur J 2005;18.

[10] Davey C, et al. Design against crime: extending the reach of crime prevention through environmental design. Secur J 2005;18.

[11] Dibazar A, et al. Intelligent recognition of acoustic and vibration threats for security breach detection, close proximity danger identification, and perimeter protec-tion. Homel Secur Aff 2011. [March] www.hsaj.org/?sp ecial:article=supplement.3.4.

[12] Evans R. Remote monitoring. Secur Prod 2005;9. [March].

[13] Garcia M. Vulnerability assessment of physical pro-tection systems. Burlington (MA): Butterworth-Heinemann; 2006.

[14] Gips M. A pharmacopoeia of protection. Secur Manag 1999;43. [March].

[15] Harowitz S. Dog use dogged by questions. Secur Manag 2006;50. [January].

[16] Illuminating Engineering Society of North America. Guideline for security lighting for people, property, and public spaces. New York (NY): IESNA; 2003.

[17] Levine D. Armed and ready. Secur Technol Exec 2010;20. [October].

[18] Miller J. Fatigue effects and countermeasures in 24/7 security operations (CRISP report). 2010. www.asison- HYPERLINK "http://www.asisonline.org" line.org.

[19] Milne J. Build your own security operations center. Secure Enterp 2005. [August 1] www.secureenter- HYPERLINK "http://www.secureenterprisemag.com" prisemag.com.

[20] Moore M. Defensive devices designed to blend in with New York. USA Today 2006. [July 31] www.usatoday. com/news/nation/2006-07-31-ny-security_x.htm.

[21] Morton J. Access denied. Buildings 2011;105. [May].

[22] Morton J. Upgrade your fire alarms with IP reliability. Buildings 2012;106. [March].

[23] Murphy P. Grounds for protection. Secur Manag 2000;44. [October].

[24] National Fire Protection Association. NFPA 730, guide for premises security, 2006 edition. Quincy (MA): NFPA; 2005.

[25] National Institute of Standards and Technology. Concealed weapon and contraband detecting, locating, and imaging. 2010. www.nist.gov/oles/diet-conceal.cfm.

[26] National Law Enforcement and Corrections Technology Center. No license to steal. TECHbeat 2006. [Spring].

[27] National Lighting Bureau. Lighting for safety and secu-rity. Washington (DC): National Lighting Bureau; n.d.

[28] Newman O. Defensible space. New York: Macmillan; 1972.

[29] Nunes-Vaz R, et al. A more rigorous framework for security-in-depth. J Appl Secur Res 2011;6(3).


[30] Owen D. Building security: strategies & cost. Kingston

(MA): Reed; 2003.

[31] Painter K, Farrington D. Street lighting and crime: diffusion of benefits in the stoke-on-trent project. In: Painter K, Tilly N, editors. Crime prevention studies. Monsey (NY): Criminal Justice Press; 1999.

[32] Patterson D. How smart is your setup?. Secur Manag 2000;44. [March].

[33] Pierce C. Thermal video for the mainstream?. Secur Technol Des 2006;16. [May].

[34] Post R, Kingsbury A. Security administration: an intro-

duction. 3rd ed. Springfield (IL): Charles C. Thomas; 1977.

[35] Purpura P. Police activity and the full moon. J Police Sci Adm 1979;7. [September].

[36] Purpura P. Terrorism and homeland security: an intro-

duction with applications. Burlington (MA): Elsevier Butterworth-Heinemann; 2007.

[37] Reddick R. What you should know about protecting a perimeter. Secur Prod 2005;9. [April].

[38] Revel O. Protective blast and anti-ramming wall devel-opment. Secur Technol Des 2003. [November].

[39] Saflex, Inc. Architectural glazing. 2007. www.saflex.com.

[40] Schumacher J. How to resolve conflict with proper sys-tems integration. Secur Technol Des 2000;10. [October].

[41] Shelton D. The new and improved moat. Secur Technol Des 2006;16. [March].

[42] Smith M. Crime prevention through environmental design in parking facilities. Washington (DC): National Institute of Justice; 1996. [April].

[43] Spadanuta L. How to improve your image. Secur Manag 2011;55. [March].

[44] True T. Raising the ramparts. Secur Manag 1996. [October].

[45] U.S. Department of Homeland Security. Reference manual to mitigate potential terrorist attacks against buildings, FEMA 426. Washington (DC): FEMA; 2003. [December].

[46] U.S. Environmental Protection Agency. Sustainability. 2011. www.epa.gov.

[47] WeGuardYou. Mall security scenario. 2011. http:// weguardyou.com/applications-mallsecurity.html.

[48] Wilson J, Kelling G. Broken windows: the police and neighborhood safety. Atl Mon 1982. [March].

[49] Wroblaski K, et al. The great debate: 2011’s key sustain-ability issues. Buildings 2011;105. [January].

[50] Zwirn J. Alarm design that rings true. Secur Manag 2003. [April].



Biometrics in the Criminal Justice

System and Society Today

Dr. Thomas J. Rzemyk, Ed.D., CHPP, CAS


This chapter will briefly discuss the history of biometrics in the United States and abroad. It will also provide an in-depth analysis on emerg-ing trends and technology in the biometrics sector today as it relates to society, private orga-nizations, and the law enforcement community to include local, state, and federal government agencies. Biometrics is defined as the process by which a person’s unique physical and other traits are detected and recorded by an electronic device or system as a means of confirming identity.1 In today’s era, biometric data are considered to be a metric which directly relates to independent human characteristics through a form of inde-pendent proof of identification and access con-trol. The features of biometric metrics and data can be used to categorize data in individuals and groups of individuals who may or may not be under direct surveillance. These specific features include voice, eye, and fingerprint data.

Evolution has proven that each human being was created differently from a physical and

1 Definition of “Biometrics”, 2016. Retrieved from: http://www.dictionary.com/browse/biometrics.

behavioral perspective. Each individual’s finger-prints, iris’, facial features, and body types are completely different from one another. Applying effective and efficient biometric technologies can be used to determine the identity of individuals from around the globe. Additionally, biometric technology tends to use automated methods of identifying or authenticating the identity of a liv-ing person based on a physiological or behavioral characteristics. Although primarily automated, there are many instances when this type of tech-nology also requires manual intervention as well to ensure efficiency and accuracy. This chapter will conclude by discussing the challenge of collecting­ biometric information from private citizens, which has proven to be a controversial and highly discussed topic in today’s era.




The law enforcement community and private­ security industry has been using biometric technology for decades to include voice and fingerprints. The first instances of biometrics

Effective Physical Security, Fifth Edition



Copyright © 2017 Elsevier Inc. All rights reserved.


took place centuries ago in ancient China, when artists would engrave fingerprints on clay sets and artwork. In the early 1900s to the mid-1950s is when the art and skill of fingerprinting was established in the United States. Since imple-mentation, verification of one’s identity has been based upon the authentication of attributed and biographical human body characteristics to include human fingerprints. After small- and large-scale societies, industrial societies, global-ization represents the third period of personal identification and the growth of independent biometric data collection.2

Since 1924, the Federal Bureau of Investigation (FBI) has been keeping formal written records of fingerprints from various individuals over time. By the late 1960s, the FBI fingerprint catalog had grown into the millions, and they knew that an automated system would need to be devel-oped to manage the large number of records on file. Finally in 1986, the FBI developed the Automated Fingerprint Identification System (AFIS), which combined manual and automated processes into one computerized central data-base. However, this new system did not come without its difficulties and issues. It took several years and private vendors to improve AFIS and the speed at which it could match an inputted fingerprint match.

September 11, 2001 prompted the United States federal government to pass the United States Patriot Act and the Department of Homeland Security (DHS). The provisions of the United States Patriot Act required that federal agencies that had been operating independently since inception, now had to come together under the DHS umbrella. After the migration of several agencies, the independent databases could now be shared among each of the parties to improve communication and collaboration relationships.

2 Mordini E. Biometrics, human body, and medicine: a controversial history. Ethical, Legal, and Social Issues in Medical Informatics. Medical Information Science Reference (IGI Global); 2008.

By 2005, a small number of companies had developed universal standard applications to bring together national databases for compre-hensive libraries of prints, making the selection of software upon which to run the AFIS database easier for agencies.3 Additionally, even though automated systems may exist, it still takes at least one to two latent print fingerprint examin-ers to match a record for legality purposes.


Biometrics in today’s era has been growing, trending, and improving at a very rapid rate for both the public and private sectors. There are several private and public local state and federal agencies involved with biometrics activities today. However, one of the largest agencies involved is the FBI. Biometric technology is important because it is seen by many as a solution to a lot of the user identification and security problems in today networks.




The FBI has a data center and campus in Clarksburg, West Virginia called the Biometric Center for Excellence (BCOE). The purpose of the BCOE is to collaborate and improve infor-mation sharing and to advance the adoption of optimal biometric and identity management solutions, within and across the law enforce-ment and private security community. Each and every day, industry leading experts and scientists­ explore new and enhanced biometric technologies for integration into operations.

3 “Automated Fingerprint Identification System (AFIS)”. World of Forensic Science 2005. Retrieved March 23, 2016 from: http://www.encyclopedia.com/ doc/1G2-3448300049.html.

Biometric Modalities and Technology


The FBI and the BCOE established and for-malized the following biometric priorities4:

· Extend biometric technical capabilities

· Strengthen forensic science and advance biometrics

· Drive national biometrics

· Improve national security by developing and deploying biometric technologies.



Commonly implemented or studied biomet-ric modalities by the FBI and other public and private agencies include the following:

and swirls. Fingerprinting is the most common method of collecting biometric information from human subjects. Since the FBI and other agencies began keeping records of millions of fingerprints, none have been proven to be exactly identical. There have been several that are similar, which can occur in the same genetic pools and in very rare instances, outside of the gene pool. Current AFIS technology permits fingerprints to be elec-tronically categorized, scanned, and organized according to specific classifications and character-istics. Improvements in recent technologies have allowed for automated cross-referencing to take place. Previously, latent print examiners would verify the final results of a fingerprint inquiry (in many local, state, and federal jurisdictions, this still takes place for civil and criminal proceedings).

Palm Print

The human palm and the fingerprint are not only very similar in nature but also contain sev-eral differences. As stated by the FBI, palm iden-tification, just like fingerprint identification, is based on the aggregate of information presented in a friction ridge impression.5 Palm prints used ridge flow, ridge characteristics, and raised structures to differentiate from one to another. Palm recognition has been used for decades, but it has been more of a manual process rather than an automated process due to slow technology enhancements in this area.


The human fingerprint contains very unique characteristics such as circles, wavy lines, arcs,

4 Federal Bureau of Investigations—BCOE, 2016. Retrieved March 23, 2016 from: https://www.fbi.gov/about-us/cjis/ fingerprints_biometrics/biometric-center-of-excellence/ about/about-the-biometric-center-of-excellence.

5 Federal Bureau of Investigations—Biometrics (Palm Prints), 2016. Retrieved March 23, 2016 from: https:// www.fbi.gov/about-us/cjis/fingerprints_biometrics/ biometric-center-of-excellence/modalities/palm-print.

Hand Scanner and Finger Reader

Recognition Systems

These measure and analyze the overall struc-ture, shape, and proportions of the hand, such as length; width; thickness of the hand, fingers, and joints; and characteristics of the skin surface such as creases and ridges.

Facial Recognition

Facial recognition technology has had several enhancements over the past decade post 9/11. In the mid-21st century, facial recognition was limited to characteristics related to the eyes, ears, nose, mouth, jawline, and cheek structure. Several private organizations have released updated technologies to both government and the public. Newly enhanced technologies permit both verification and identification (open-set and closed-set).6 Facial recognition technology today

6 Federal Bureau of Investigations—Biometrics (Facial Recognition), 2016. Retrieved from: https:// www.fbi.gov/about-us/cjis/fingerprints_biomet- HYPERLINK "https://www.fbi.gov/about-us/cjis/fingerprints_biometrics/biometric-center-of-excellence/modalities/facial-recognition" rics/biometric-center-of-excellence/modalities/ facial-recognition.


uses complex mathematical representations and matching processes to compare facial features to several data sets using random (feature-based) and photometric (view-based) features. It does this by comparing structure, shape, and pro-portions of the face; distance between the eyes, nose, mouth, and jaw; upper outlines of the eye sockets; the sides of the mouth; the location of the nose and eyes; and the area surrounding the cheek bones. The main facial recognition methods are feature analysis, neural network, eigen faces, and automatic face processing. Although facial recognition technology has come a long way, there is still a need for enhancements to prove accuracy and reliability.

Iris Scan and Recognition

There are several technologies used today that are used to collect iris characteristics from human beings. It is a newer type of technol-ogy as compared to some of the older biometric tools. This technology uses complex mathemati-cal patterns to document the human eye finger-print. It then compares and contrasts the results of others in several proprietary and government databases for viable matches.

Voice Recognition

Voice recognition biometrics has evolved greatly in recent times in collaboration with speech therapists and other occupational related fields. As the FBI outlines, the speaker recognition process relies on features influ-enced by both the physical structure of an individual’s vocal tract and the individual’s behavioral characteristics. 7 There are sev-eral proprietary pieces of software that have

7 Federal Bureau of Investigations—Biometrics (Voice Recognition), 2016. Retrieved from: https:// www.fbi.gov/about-us/cjis/fingerprints_biometrics/ biometric-center-of-excellence/modalities/ voice-recognition.

proven to be reliable but not always accu-rate. The United States government uses a technology called the Speaker Verification Application Program Interface or SVAPI. This specific technology is an interface that integrates­ with specific voice recognition pro-grams, improves consistency- based practices, and permits for compatibility and interopera-bility between various vendors and networks. Different speech creates different shapes on the graph. Spectrograms also use color or shades of gray to represent the acoustical qualities of sound.

Deoxyribonucleic Acid

DNA is perhaps one of the most important biometrics today as it has been used to solve thousands of crimes around the globe. The technology surrounding DNA is always evolv-ing and new enhancements are being applied to the law enforcement community. One of the most recent improvements has been the devel-opment of the Rapid DNA Program Office estab-lished in 2010 by the FBI. Rapid DNA, or Rapid DNA Analysis, describes the fully automated (hands-free) process of developing a CODIS Core STR profile from a reference sample buc-cal swab. The “swab in—profile out” process consists of automated extraction, amplification, separation, detection, and allele calling without human intervention. 8 The FBI’s Imitative is to improve the process and the time that it takes to complete DNA testing by integrating tech-nologies into CODIS and other DNA-related systems. In sum, the benefit of using DNA as a biometric identifier is the level of accuracy offered. Similar to fingerprint data, it is nearly impossible for two human subjects to share the same DNA structure.

8 Federal Bureau of Investigations—Biometrics (DNA),

2016. Retrieved from:https://www.fbi.gov/about-us/ lab/biometric-analysis/codis/rapid-dna-analysis.

International Biometrics: India’s Private Usage of Biometrics on Society


Writer Recognition

There are typically two types of handwriting and writer biometric recognition to include static and dynamic. In the static method, individuals write directly on paper and it is then scanned into a computer system for analysis.9 Dynamic bio-metrics records handwriting in real time through the use of digitizers, tablets, and other devices. The handwriting examples can then be scanned through an automated system or independently by handwriting experts. This is equivalent to a traditional handwritten signature in many respects since if the signature is properly implemented, it is more difficult to forge than the traditional type. Digital signature schemes are cryptographi-cally based and must be implemented properly to be effective. Digital signatures can be used for e-mail, contracts, or any message sent via some other cryptographic protocol.

Palm Veins

Vein matching and palm vein biometrics has been in place since the 1980s. It is considered a controversial type of biometric because of its accu-racy and record history because it uses blood ves-sel patterns that exist to the naked eye. However, although highly debated, and not officially adopted by criminal laboratories, several govern-ment agencies such as the FBI, CIA, and DEA have been using it for years in several different formats. Vascular technology uses scanners to determine vessel and blood patterns in a nonautomated for-mat. Advancements are currently underway to make these processes to become automated.

Behavioral Biometrics

Based on the manner in which people con-duct themselves, such as writing style, walking rhythm, typing speed, and so forth.

9 Chapran J. “Biometric Writer Identification: Feature Analysis and Classification”. International Journal of Pattern Recognition & Artificial Intelligence 2006;483–503.

As stated in a previous edition of this chapter, for any of these characteristics to be used for sustained identification encryption purposes,­ they must be reliable, unique, col-lectable, convenient, long term, universal, and acceptable.




The country of India encourages that all citizens of the nation to register their finger-prints and other biometric data to obtain a national identification card (ID). The finger-prints and other data are held in the largest national encrypted database in the world called Aadhaar. This database is shared among internal intelligence government agencies within India.10 The system was designed to document all citizens in the country and to also help identify missing persons, crimi-nals, to solve crimes, etc. Additionally, it was also developed to change the retail market. Custom Aadhaar numbers now permit some transactions within India to be completed based solely on biometric data. There has been a resistance by many in the country believing that it is a civil liberties infraction and a strict invasion of one’s right to privacy. Although it is currently a volunteer -based program, this will most likely change moving forward. To date, about 50% of the country has Aadhaar numbers, and it is estimated that each and every citizen will have one in 3–5 years’ time. The question is, “How many other nations in the global community will move towards this type of classification system”.

10 Muralidharan K, Niehaus P, and Sukhtankar S. Building state capacity: Evidence from biometric smartcards in India (No. w19999). National Bureau of Economic Research 2014.




There will be several biometric enhancements over the next few years. To date, many of us have witnessed biometrics being integrated into our daily lives when using technology equip-ment. Smartphones, mobile devices, computers,

workstations, communication systems, home security systems, entry systems, and other ­several pieces of equipment are now using fingerprints for authentication purposes. Also, as time moves, forward biometrics will be integrated into back-end technology systems to counter cybersecu-rity attacks. Finally, biometrics will be used for authentication and access control features as well.



Access Control Systems and

Identification Badges

Dr. Joshua Sinai

This chapter discusses two types of access controls for security-based facilities: access con-trol systems and protocols and access badges for personnel. These two types of access mecha-nisms are employed as comprehensive preven-tative measures to keep these facilities’ external and internal perimeters secure from potential malicious physical intrusions, whether from the outside or, if they manage to bypass the initial access control point(s) and enter these facilities, once they are inside and unsuper-vised. This chapter’s concluding section also discusses some of the latest trends in access control technologies as part of the continuous effort to address new vulnerabilities that mali-cious adversaries may be continuously trying to exploit.

It is important to note that in this discussion access control refers to control of the physical movement in and out of facilities but not the control of the transfer of proprietary or classified information via the Internet. Thus, the control of physical devices that might contain proprietary or classified information such as CDs or USB drives in and out of facilities is considered in this definition but not the deployment of pro-tective access control mechanisms to manage Internet security.

Finally, the extent, magnitude, and tightness of access control security systems need to be established relative to a facility’s assessed threat level.1 Thus, risk management principles need to govern the nature of access control systems in facilities that is determined to be high threat, while security at facilities that face some degree of potential threat should be implemented rela-tive to their assessed threat levels.



Perimeter barriers, intrusion detection devices, and protective lighting provide impor-tant physical security safeguards; however, they alone are not sufficient to protect a facility from intentional or accidental unauthorized access. For complete access security, access control system and protocols must be established and

1 The author would like to acknowledge the peer review by Jeff Fuller, the President of Security Risk, Inc., of Fairfax, VA, a leading authority on risk management, who also suggested adding a threat assessment and risk management component to this chapter.

Effective Physical Security, Fifth Edition



Copyright © 2017 Elsevier Inc. All rights reserved.


maintained to preclude an unauthorized entry into a facility. Effective access control systems and protocols also serve to prevent the intro-duction of espionage devices (such as cameras, smartphones, and USB devices), dangerous materiel (such as firearms/IEDs), and other spy-craft components (such as unobtrusive electronic bugs). Upon exit from a facility, by establishing proper access control systems and protocols, they also prevent the possible misappropria-tion, pilferage, or compromise of materiel or recorded information, whether intentional or accidental, by controlling the transport of out-going packages, materiel, and other properties out of such facilities. In addition, access control rosters, personnel recognition systems such as ID cards, badge-exchange/drop-off procedures, and personal escorts for visitors all contribute to an effective facility access control system.

In this section, the governing principle in establishing access control is based on protecting two general circles around a facility in question: an inner circle and an outer circle.2 The inner circle is defined as the facility “that is being pro-tected, along with its immediate exterior”.3 The outer circle is the entire area around the facility, “stretching as far as a security officer can realis-tically visually control (1–3 blocks on average, depending on the surroundings)”.4

Inner Circle Access Control

Designated Restricted Areas

One of the first steps in establishing an access control system is for a security manager to des-ignate and establish the restricted areas that

2 Toben A. The inner and outer circle relationship – part I: access control, https://protectioncircle.wordpress. com/2016/02/25/the-inner-and-outer-circle-relation- HYPERLINK "https://protectioncircle.wordpress.com/2016/02/25/the-inner-and-outer-circle-relationship-part-1-access-control/" ship-part-1-access-control/; February 25, 2016.

3 Ibid.

4 Ibid.

require security protocols to safeguard them. In general, a restricted area is defined as any area that is subject to special restrictions or controls for security reasons. This does not necessarily include a facility’s entrance lobby or cafeteria, if they are outside a restricted area, although entry into such areas may still require a certain degree of access control. Restricted areas may be estab-lished for the following:

· The enforcement of security measures and the exclusion of unauthorized personnel.

· Intensified access controls in areas requiring special protection.

· The protection of classified information or critical equipment or materials.

Determine the Required Degree of Security

The most important step in considering access control system requirements is to work through a risk = threat  Χ  vulnerability  Χ  conse-quence analysis to ensure that the access con-trol system design addresses the specific threat profile challenging a facility and consider its consequences and vulnerabilities to a range of potential threat scenarios. By conducting such a collaborative risk analysis, a facility’s security department will ensure that the access control system design addresses the threats, fits within the larger security system, and provides the best return on investment.5 The access control requirements, therefore, should be driven by an assessment of the threats facing the facility. These assessments can include insider threats, disgruntled employees, criminal theft, vandals, and terrorists. The security- based/access con-trol system should then be evaluated against each threat profile that the security department identifies as a potential threat. While it may

5 Fuller J. Risk management from a county of city Perspective, Security Risk Newsletter, http://www. securityriskinc.com/wp-content/uploads/2015/03/ SRI-Newsletter-5-Risk-Management-at-the-County- HYPERLINK "http://www.securityriskinc.com/wp-content/uploads/2015/03/SRI-Newsletter-5-Risk-Management-at-the-County-Level-Oct-2014.pdf" Level-Oct-2014.pdf; October 2014.

Access Control Systems and Protocols


not be necessary to delve into great detail in this article on the processes and methods that support effective risk analysis and risk man-agement, as with most risk assessments, the important point is that “an ounce of analysis is worth a pound of solutions.”

The degree of security required to control access depends therefore on the nature, sensitiv-ity, or importance of a facility’s security level. Restricted areas are classified as controlled, lim-ited, or exclusion areas.

· A controlled area is that portion of a restricted area usually near or surrounding a limited or exclusion area. Entry to the controlled area is restricted to personnel with a need for access. The controlled area is provided for administrative control,

for safety, or as a buffer zone for in-depth security for the limited or exclusion area. The security director is responsible for establishing the control of movement within such an area.

· A limited area is restricted to authorized persons, with access granted via escorts and other internal restrictions.

· An exclusion area is the most secure area in a facility, with access granted under the most restrictive conditions.

Access Controls of Packages, Personal

Property, and Vehicles

An effective access control system for physi-cal items is also essential to prevent or mini-mize pilferage, sabotage, and other types of espionage.


A facility’s standard operating procedure (SOP) may allow the entry of packages with proper authorization into restricted areas with-out inspection. A package checking system is also used at the entrance gate. When practical, all outgoing packages except those properly authorized for removal should be inspected. When a 100% security inspection is not possible,

security forces should conduct frequent unan-nounced spot checks of incoming or outgoing packages. An effective package-control system thus provides for a comprehensive manage-ment of the movement of authorized packages, material, and property, as well as mitigating the potential for the movement of unauthor-ized packages.

Property controls are not limited to packages carried openly, as they include the control of anything that could be used to conceal property or material. A facility’s personnel should not be routinely searched except in unusual situations that warrant it. Searches must be performed according to a facility’s SOP.

Outer Circle Access Control

As discussed earlier, the outer circle is defined as the entire area around the facility that can “realistically [be] visually controll[ed]”.6


In a facility’s outer circle, to manage the move-ment of vehicles, physical protective measures, such as fences, gates, and window bars need to be installed, where appropriate, to ensure that parking areas for privately owned vehicles (POVs) are established outside of restricted areas. Moreover, vehicle entrances should be kept at a minimum for the safe and efficient con-trol of incoming traffic. Also, personal vehicles parked at a facility’s garage or outdoor parking may be required to be registered with a facil-ity’s security office. In the case of visitors, secu-rity personnel should assign a temporary decal or other temporary ID tag for their vehicles to indicate authorized parking. The decal or the tag should be distinctly different from that of regu-lar facility personnel.

The movement of delivery trucks and other commercial vehicles into and out of restricted

6 See footnote 5


areas may be required to be supervised and inspected. Depending on the threat, vulner-ability, and consequences analysis, delivery entrances should be controlled by locked gates when not in use and manned by security per-sonnel when unlocked. In some cases, ID cards/ badges could be issued to driver operators to ensure proper ID and registration for access to specific loading and unloading areas.

When necessary, delivery trucks and should be assigned escorts before they are permitted to enter designated limited or exclusion areas.



Whether for the outer or inner circles, an identification (ID) badging system is established at a facility to provide a method of identifying personnel authorized to use the premises. The ID system provides for personal recognition and the use of security ID cards or badges to aid in the control and movement of personnel activi-ties in and out of a facility.

There are two types of ID cards: standard and security. Standard ID cards provide access into areas that are unrestricted and do not pose a secu-rity requirement. Security ID cards or badges pro-vide for personnel requiring access to restricted areas. The design of each type of the card/badge must be simple for easy recognition and manage-ment by the monitoring security personnel.

Identification Methods

Four of the most common access control ID methods are the personal recognition sys-tem, the single-card/badge system, the card or badge-exchange system, and the multiple-card/ badge system.

Personal Recognition System

In the personal recognition system, a secu-rity officer manning the access control area visually checks the person requesting entry

to the facility. The criteria-determining entry is based on the need for entry being estab-lished by having the person listed in the access control roster and the individual being recognized.

Single-Card/Badge System

In this system, permission to enter a specific area is based on specifically designated and rec-ognized letters, numbers, or particular colors (e.g., green or blue).

Card/Badge-Exchange System

In this system, two cards/badges contain identical photographs. Each card/badge has a different background color, or one card/ badge has an overprint. One card/badge is presented at the entrance to a specific area and exchanged for the second card/badge, which is worn or carried while in that area. Individual possession of the second card/badge occurs only while the bearer is in the area for which it was issued. When leaving the area, the second card/badge is returned and maintained in the security area. This method provides a greater degree of security and decreases the possibil-ity of forgery, alteration, or duplication of the card/badge.

Multiple-Card/Badge System

This system provides the greatest degree of security because instead of having specific markings on the cards/badges denoting permis-sion to enter various restricted areas, the mul-tiple-card/badge system provides an exchange at the entrance to each security area. Exchange cards/badges are maintained at each area only for individuals who have designated access to the specific area.

Mechanized/Automated Systems

An alternative to using security officers to visually check cards/badges and access ros-ters is to use building card-access systems or biometric-access readers. These systems can

Identification Badging System


control the flow of personnel entering and exit-ing a complex. Included in these systems are the following:

· Coded devices such as mechanical or electronic keypads or combination locks.

· Credential devices such as magnetic stripe or proximity card readers.

· Biometric devices such as fingerprint readers or retina scanners.


Access control and ID systems base their judgment factor on a remote capability through a routine-discriminating device for a positive ID. These systems do not require security offi-cers at entry points; they identify an individual in the following manner:

· The system receives physical ID data from an individual.

· The data are encoded and compared to stored information.

· The system determines whether access is authorized.

· The information is translated into readable results.

Access Control Rosters

Admission of personnel to a restricted area is granted to those identified and listed on an access control roster. Rosters are maintained at access control points. They are kept current, verified, and accounted for by an individual designated by a manager, who authenticates the rosters. Admission of persons other than those on the rosters is subject to specific approval by the security manager or another specific man-ager. These personnel may require an escort according to the local SOP.

Status of Badges

An important consideration in badging a facility’s personnel is their role in an employee’s career, whether at the beginning or termina-tion of their service. Thus, for example, badges

with color coding can be used for various rea-sons that may include designating years of service, clearance levels, departments, and/or locations. In addition, a video badging can be deployed, which displays a corporate logo or a special design and may be color coded, and there are badges incorporating digitized data or a photograph.

When badges are initially introduced to a facility’s security system, the following consid-erations need to be taken into account:

· If an employee loses their badge, specify a cost for its replacement. Some employers may allow one “free” replacement initially.

· When an employee is fired, determine who retrieves the badge, keys, or other company property. Ensure that all company badges are deleted if not used in the past 30 days.

· If a badge is stolen, determine the process to render it useless.

· If a badge is borrowed or used by an unauthorized person(s), determine the data associated with it, such as the holder’s height, weight, and color of eyes and hair, which might be included on both sides of a card.

· Ensure there is a database for all facility badges, including approvals by authorized managers before access is granted.

· Identify access levels and authorization processes for all issued badges.

· Consider all potential vulnerabilities and the risk of threats that might arise if a badge is lost or stolen.

Control Methods

As discussed earlier, a number of meth-ods are available to manage the movement and control of personnel in limited, con-trolled, and restricted areas. The following paragraphs discuss the use of escorts and the two-person rule.



Escorts are selected because of their ability to accomplish access control tasks effectively and properly due to their training and knowl-edge of the areas being visited. Escorts may be guardforce or personnel from the area being visited. A facility’s security regulations and SOPs determine if a visitor requires an escort while in the restricted area. Personnel on the access list may be admitted to restricted areas without an escort.

Two-Person Rule

The two-person rule is designed to prohibit access to sensitive areas or equipment by a lone individual. Two authorized persons are considered present when they are in a physi-cal position from which they can positively detect incorrect or unauthorized procedures with respect to the task or operation being performed. The team is familiar with appli-cable safety and security requirements, and they are present during any operation that affords access to sensitive areas or equipment that requires the two-person rule. When the application of the two-person rule is required, it is enforced constantly by the personnel who constitute the team.

The two-person rule is applied in many other aspects of physical security operations, such as the following:

· When uncontrolled access to vital machinery, equipment, or materiel might provide an opportunity for intentional or unintentional damage that could affect the installation’s mission or operation.

· When uncontrolled access to a facility’s funds could provide opportunity for diversion by falsification of accounts.

· When uncontrolled delivery or receipt for materials could provide an opportunity for

pilferage through “short” deliveries and false receipts.

The two-person rule is governed by the authority and discretion of the facility’s secu-rity manager. An electronic entry control system may be used to enforce the two-person rule. The system can be programmed to deny access until two authorized people have successfully entered their codes or swiped their cards.

Visitor Identification and Control

In classified facilities, to effectively control access by authorized visitors, appropriate pro-cedures and systems must be implemented to control their movement. Approval for visitors should be obtained at least 24 h in advance (if possible) to assure proper vetting. Once their vis-its are authorized, visitors should be provided with cards/badges that will then be presented to the guards at the various entrances that are established at the restricted areas. Throughout their visit, guards at the initial access points must ensure that visitors stay in areas relating to their visit, where appropriate, by staying with their assigned escort at all times.

Individual or group visitors that are autho-rized to enter a restricted area must meet spe-cific prerequisites before being granted access. Such access to a restricted area is granted in accordance with the following guidelines.

Employees Assigned to Work After Normal Operating Hours

Designated employees who are assigned to work in restricted areas after normal operating hours need to be approved by their supervi-sors, under established internal controls based on coordination with the security manager. Supervisors also need to notify security person-nel of the workers’ presence, authorization for their work, and duration of their work under such circumstances.

Identification Badging System




To allow contractor personnel to work as full-time, part-time, or as temporary consul-tants in restricted areas, the security manager must coordinate with the procurement office for their access badging. The security manager must also identify and coordinate the move-ment-control procedures for these contract personnel.


Facility supervisors employing contractor cleaning teams must seek technical advice from the physical security office on internal controls for their operations in restricted areas. This may include providing escorts.


Before allowing designated visitors into a restricted area, the security office needs to be in contact with the employee or activity (such as a meeting) being visited. After verifying the visi-tor’s identity and completing the registration forms, they will be issued a badge and assigned an escort (if required). Visitors may include pub-lic utility and commercial service representa-tives required to fulfill a service function.



The procedures for admitting very important persons (VIPs), especially foreign nationals, into a facility’s restricted areas are another important component of access control. Special consid-erations and coordination between a facility’s protocol office and security office are required for facilitating and managing such visits. A 24-h (or longer) advance notice is desirable for these requests, along with an agenda for a visit and the designation of an escort, if appropriate. In case of VIPs from foreign countries of concern, a longer advance notice may be necessary so that

such visits are coordinated with relevant local and national counterintelligence agencies.

Enforcement Measures

The most vulnerable link in any ID system is its enforcement. Security forces must be proac-tive in performing their duties. Some of these measures may include the following:

· Designating alert and tactful security personnel at entry control points.

· Ensuring that personnel possess quick perception and good judgment.

· Requiring entry control personnel to conduct frequent irregular checks of their assigned areas.

· Formalizing standard procedures for conducting guard mounts and posting and relieving security personnel. These

measures will prevent posting of unqualified personnel and a routine performance of duty.

· Prescribing a uniform method of handling or wearing security ID cards/badges. If carried on the person, the card must be removed from the wallet (or other holder) and handed to security personnel. When worn, the badge will be worn in a conspicuous position to expedite inspection and recognition from a distance.

· Designing entry and exit control points of restricted areas to force personnel to pass in a single file in front of security personnel. In some instances, the use of turnstiles may be advisable to assist in maintaining a positive control.

· Providing lighting at control points. The lighting must illuminate the area to enable security personnel to compare the bearer with the ID card/badge.

· Enforcing access control measures by educating security forces and employees. Enforcement of access control systems rests primarily with the security forces;


however, it is essential that they have the full cooperation of the employees. Employees must be instructed to consider each unidentified or improperly identified individual as a trespasser. In restricted areas where access is limited to a particular zone, employees must report unauthorized individuals to the security force.

· Positioning ID card/badge racks or containers at entry control points so they are accessible only to guardforce personnel.

· Appointing a responsible custodian to accomplish control procedures of cards/ badges according to policy manual. The custodian is responsible for the issue, turn in, recovery, and renewal of security ID cards/ badges as well as monthly verification of individuals in various areas and the deletion of terminated employee badges.


The degree of risk management in the ID access control system is dependent on the degree of security risk toleration required. The following control procedures are recommended for preserving the integrity of a card/badge system:

· Maintenance of an accurate written record or log listing (by serial number) all cards and badges and showing those on hand, to whom they are issued, and their disposition (lost, mutilated, or destroyed).

· Authentication of records and logs by the custodian.

· A periodic inventory of records by a manager or auditors.

· The prompt invalidation of lost cards/ badges and the conspicuous posting at security control points of current lists of lost or invalidated cards/badges.

· The establishment of controls within restricted areas to enable security personnel to determine the number of persons within the area.

· The establishment of the two-person rule (when required).

· The establishment of procedures to control the movement of visitors. A visitor control record will be maintained and located at entry control points.

Duress Code

In case of a potential security violation in a facility, a duress code should be issued. It is a commonly known and exercised word or phrase used during a normal conversation to alert other security personnel that an authorized person is either observing or might be under duress. A duress code requires planning and rehearsal to ensure that response protocols to an appropriate response are seamlessly employed. This code should be revised regularly to minimize pos-sible compromise or misuse.

Leveraging Security System Technologies

For a large and complex facility that faces a range of threats, integration of security functions and cards, and cameras, a multilevel employees’ tailored access requires leveraging an array of modern security technologies. The importance of understanding the features and capabilities of modern security technologies is crucial since, for example, the difference between old camera surveillance systems and their modern “smart camera” system successors is its exponentially greater order of magnitude effectiveness. The same is true in the management of security and access control systems, with modern sys-tems capable of integrating access control into a facility’s overall security system. By leverag-ing modern technology, therefore, the allocation of security personnel can be reduced in certain areas or be refocused on more pressing tasks. The overall effectiveness of the access control system can thus be improved dramatically by employing risk management principles to eval-uate the best fit of a security system against its assessed threat, vulnerability, and consequence of a range of potential attacks.

Identification Badging System


In sum, some of the considerations for select-ing an access control system should include the following: security functions, system fea-tures, reporting features, and help and support. Security functions should include video surveil-lance, card control management, Internet-based monitoring, 24/7 monitoring, systems and pro-tocols to limit access to authorized individuals, door scheduling management, holiday sched-ule management, and biometric scan options. System features should include maximum number of doors, maximum number of users, alarm capabilities, professional installation, and automatic upgrades. Reporting features should include scheduled reports, customizable reports, email notifications, and reports avail-able on smartphone. Finally, help and support features should include email, telephone, edu-cational documents, video tutorials, and FAQs (frequently asked questions).7

Future Trends in Access Control

In terms of future trends, a facility’s disparate access control systems will ultimately become increasingly networked, with information and data generated from them fused to produce predictive analytics, thereby upgrading reac-tive security to one that is more proactive.8 Such integrative access control systems will provide users with “a single control platform to monitor the state of a facility or location and include data from video surveillance, video management, vis-itor management, time and attendance, alarms, photo imaging, badging, elevator control, build-ing control, and many other systems”.9

7 Tripp N. Access control systems reviews, Top-10 reviews, http://access-control-systems-review.toptenre- HYPERLINK "http://access-control-systems-review.toptenreviews.com/" views.com/; 2016.

8 Laughlin R. 9 Emerging trends to watch in access control, Security InfoWatch, http://www.securityin- HYPERLINK "http://www.securityinfowatch.com/article/12090850/9-emerging-trends-to-watch-in-access-control" fowatch.com/article/12090850/9-emerging-trends-to- HYPERLINK "http://www.securityinfowatch.com/article/12090850/9-emerging-trends-to-watch-in-access-control" watch-in-access-control; July 8, 2015.

9 Ibid.

Risk and Other Considerations

There are important considerations concern-ing the establishment of effective access controls. These considerations include the following:

· A security risk survey. It should be performed prior to the installation. This should consider the internal and external threats to be managed as well as the assets to be protected. This can determine immediate and anticipated needs that require protection. Anticipated needs can be determined at the same time however should be considered from conducting risk surveys on a reasonable reoccurring basis to maintain current risk information as well as alignment to future organizational needs.

· The size and nature of the security interest being protected. The nature of the assets

is also important to consider. For example, within the access control plans, consideration for additional security measures should be made. For example, areas with classified documents and high-value small items

may need additional separation or compartmentalization with safes or other means.

· Some security interests are more sensitive to compromise than others. Brief observation or a simple act by an untrained person may constitute a compromise in some cases. In others, detailed study and planned action by an expert may be required.

· All security interests should be evaluated according to their importance. This may be indicated by a security classification such as confidential, secret, or top secret.

· A restricted area. It is any area that is subject to special restrictions or controls for security reasons. Restricted areas may be established for the following:

· The enforcement of security measures and the exclusion of unauthorized personnel.


· Intensified controls in areas requiring special protection.

· The protection of classified information or critical equipment or materials.

· Designated restricted areas. While the security manager is typically responsible for designating and establishing restricted areas, those using the areas should be involved.

Degrees of Security

The degree of security and controls required depends on the risk nature, and sensitivity or importance of the security interest. While all controlled areas are restricted, restricted areas are generally classified by security manage-ment by the degree of security control over the access to the area. Some examples of the degrees involved can be expressed in categories of restriction such as “limited,” “restricted,” and “highly restricted.”

· The security manager establishes the degree of control of movement and entry to a controlled area by designing and

implementing access controls that will limit access to only those personnel with an organizational need.

· A standoff or limited area is generally a restricted area within close proximity of a security interest. Uncontrolled movement within this area may permit unacceptable risk to the asset(s). When appropriate, additional security elements to control movement in a limited area should also be considered. Escorts and other restrictions may prevent risks from occurring within limited areas.

· Generally, the restricted or highly restricted area is the exclusion area containing a security interest.

· Parking areas for POVs are established outside of restricted areas. Vehicle entrances must be kept at a minimum for safe and efficient control.

· Physical protective measures (such as fences, gates, and window bars) must be installed.10

10 Nelson J. CPP, 150 things you need to know about security; 2017.



Chain-Link Fence Standards

Chain-Link Fence Manufacturers Institute *

This chapter discusses security fences including the different types of fences and the standards for security fences. The design features and material specifications are laid out, as well as resources for installation and inspection.


Chain-link fencing has been the product of choice for security fencing for over 60 years because of its strength, corrosion resistance, “see-through capabilities,” ease of installa-tion, versatility, different product selection, and value. A chain-link fence is one of the ­primary building blocks for a facility’s perimeter ­security system.

The physical security barrier provided by a chain-link fence provides one or more of the fol-lowing functions:

· Gives notice of a legal boundary of the outermost limits of a facility.

· Assists in controlling and screening authorized entries into a secured area

by deterring entry elsewhere along the boundary.

· Supports surveillance, detection, assessment, and other security functions by providing

a zone for installing intrusion detection equipment and closed-circuit television (CCTV).

· Deters casual intruders from penetrating a secured area by presenting a barrier that requires an overt action to enter.

· Demonstrates the intent of an intruder by their overt action of gaining entry.

· Causes a delay to obtain access to a facility, increasing the possibility of detection.

· Creates a psychological deterrent.

· Reduces the number of security guards required and frequency of use for each post.

· Optimizes the use of security personnel while enhancing the capabilities for detection and apprehension of unauthorized individuals.

· Demonstrates a corporate concern for facility security.

· Provides a cost-effective method of protecting facilities.

* Note: The information in this chapter has been provided as a public service to assist in the design of appropriate­ security fencing. The Chain-Link Fence Manufacturers Institute disclaims any responsibility for the design and operation of specific security fence systems. Permission obtained to be reproduced in 2012.

Effective Physical Security, Fifth Edition



Copyright © 2017 Elsevier Inc. All rights reserved.



Chain-link fence enhances the goals of good security planning. In-depth security planning takes into consideration the mission and func-tion, environmental concerns, threats, and the local area of the facility to be secured. This can be translated into an A-B-C-D method that points out the values of chain-link fencing to a security program.

A. Aids to security. Chain-link fencing assists in the use of other security equipment, such as the use of intrusion detectors, access controls, cameras, and so forth. Chain-link fences can be employed as aids to protection in an exterior mode or an internal protected property, as a point protection, and for general protection as required.

B. Barriers for security. These can be buildings, chain-link fences, walls, temporary checkpoints, and so on.

C. Controls. They support the physical security chain-link fences and barriers, such as an access control system tied into vehicle gates and pedestrian portals, various

level identification badges and temporary badges, security escorts, and internal procedures.

D. Deterrents. A chain-link fence, guards, lighting, signage, and checkpoint control procedures are a few of the deterrents that ensure intruders will consider it difficult to

successfully gain access.

When properly used, the aspects of the A-B-C-D method reinforce and support each other. Thus a chain-link fence is also a deterrent, and a barrier, if need be. By combining A-B-C-D, suffi-cient obstacles are created to prevent an intruder from obtaining information that is being worked on during the day in the controlled access area and then is protected at night, on weekends, and on holidays through the implementation of the security in-depth concept.

More important, keep in mind that a chain-link fence is the common denominator of the A-B-C-D system and will reduce overall risk, secure the environment, and reduce security costs if designed and installed properly. However, believ-ing that a fence will eliminate all illegal access is not prudent. A fence system will only delay or reduce intrusion.

To ensure the effectiveness of the facility security fence program, it is recommended that a maintenance program be developed for the proper maintenance of the fence system, gates, gate operators, and related access controls.


Material specifications for chain-link fence are listed in the following:

· Chain-Link Fence Manufacturers Institute Product Manual (CLFMI)

· American Society of Testing Materials (ASTM), volume 01.06

· Federal Specification RR-F-191K/GEN, May 14, 1990

· ASTM F 1553, “The Standard Guide for Specifying Chain-Link Fence,” provides the appropriate information to develop a specification document.


The framework for a chain-link fence con-sists of the line posts; end posts; corner posts; gateposts; and, if required, a top, mid, bottom, or brace rail. The Federal Specification and the CLFMI “Wind Load Guide for the Selection of Line Post Spacing and Size” provide recom-mended post sizes for the various fence heights. However, the latter document also provides choices of line post types, sizes, and spacings to accommodate selected fence heights and fab-ric sizes for wind loads at various geographical project locations. The CLFMI Product Manual,

Design Features and Considerations


ASTM F1043, and ASTM F1083, as well as the Federal Specification, list the material specifica-tions for the framework.

Chain-Link Fabric

The material specifications for chain-link fabric are thoroughly spelled out in the

CLFMI Product Manual, ASTM, and Federal Specifications. The choice of chain-link fabric will govern the desired security level, and the various fabric-coating choices will govern the corrosion resistance. Light-gauge residential chain-link fabric will not be considered in this document. Provided are only those chain-link fabrics that offer a level of security, thus the gauge of wire and mesh size has been narrowed down to the following:

11 gauge (0.120 inches diameter)—minimum break strength of 850 lbf

9 gauge (0.148 inches diameter)—minimum break strength of 1290 lbf

6 gauge (0.192 inches diameter)—minimum break strength of 2170 lbf.


Gates are the only moveable part of a fence and therefore should be properly constructed with appropriate fittings. Chain-link gate speci-fications are listed in the CLFMI Product Manual, ASTM, and Federal Specifications.

Limiting the size of the opening increases vehicular security and reduces the possibility of one vehicle passing another, and the smaller opening reduces the open–close cycle time. The cantilever slide gate is the most effective for vehicle security, especially one that is electrically operated and tied into an access control system. High-speed cantilever slide gate operators are available for certain applications.

Pedestrian/personnel gates can be con-structed using a basic padlock or designed with an electrical or mechanical lock or a keypad/ card key system tied into an access control sys-tem. Prehung pedestrian gates/portals installed independent of the fence line are available to isolate the gate from fence lines containing sen-sor systems thus reducing possible false alarms.

Mesh sizes to consider (mesh size is the mini-mum clear distance between the wires forming the parallel sides of the mesh) are 2-inch mesh, 1-inch mesh, and ⅜-inch mesh. Consider the fol-lowing regarding mesh size:

· The smaller the mesh size, the more difficult it is to climb or cut.

· The heavier the gauge wire, the more difficult it is to cut.


The various mesh sizes available in the three previously discussed gauges are listed in the order of their penetration resistance/security:

1. Extremely high security: ⅜-inch mesh 11 gauge

2. Very high security: 1-inch mesh 9 gauge

3. High security: 1-inch mesh 11 gauge

4. Greater security: 2-inch mesh 6 gauge

5. Normal industrial security: 2-inch mesh 9 gauge.



Some basic design features to consider that enhance security:

· Height. The higher the barrier, the more difficult and time-consuming it is to broach.

· Eliminating top rail. Omission of a rail at the top of the fence eliminates a handhold, thus making the fence more difficult to climb. A seven-gauge coil spring wire can be installed in place of the top rail.

· Adding barbwire. Addition of three or six strands at the top of the fence increases the level of difficulty and time to broach. When using the three-strand 45-degree arm, it is recommended to angle the arm out from the secured area.


· Bolt or rivet barbwire arms to post. Barbwire arms are normally held to the post by the top tension wire or top rail. For added security, they can be bolted or riveted to the post.

· Adding barbed tape. Stainless-steel barbed tape added to the top and in some cases the bottom of the fence greatly increases the difficulty and time to broach.

· Adding bottom rail. Addition of a bottom rail that is secured in the center of the two line posts using a ⅜-inch diameter eye hook anchored into a concrete footing basically eliminates the possibility of forcing the mesh up to crawl under the fence. The bottom of the fence, with or without a bottom rail, should be installed no greater than 2 inches above grade.

· Bury the chain-link fabric. Burying the fabric 12 inches or more will also eliminate the possibility of forcing the mesh up.

· Colored chain-link fabric. One of the security features of a chain-link fence is visibility, allowing one to monitor what is taking place inside or outside of the fence line more efficiently. Color polymer-coated chain-link fabric enhances visibility, especially at night. Complete polymer-coated systems including coated fabric, fittings, framework, and gates increase visibility and provide greater corrosion resistance, especially for use in areas adjacent to the seacoast.

· Double row of security fencing. It is not uncommon to add an additional line of internal security fencing 10–20 feet inside the perimeter fence. In many cases, double rows of fencing are used with sensors and detectors, or with a perimeter patrol road in the area between the fences.

· Clear zone. In wooded or high grass areas, it is advisable to clear and grub a clear zone on either side of the fence to aid surveillance.

· Internal security fencing. Many situations require the need of a separate interior fence to add another level of security for a particular building, piece of equipment, or location.

· Peen all bolts. This eliminates the removal of the bolt nut.

· Addition of a sensor system. This adds another level of security to the fence system.

· Addition of lighting. Increases visibility as well as raises the level of psychological deterrent.

· Signage. Installed along the fence line, signs are important to indicate private secured areas (violators may be subject to arrest) and possibly note the presence of alarms and monitoring systems.


We have chosen for our example to list the ref-erenced specifications separately to help iden-tify the various items that need to be specified. The specification writer may use this format or the standard construction specifications insti-tute (CSI) format in developing their document.

In developing specifications for a typical chain-link fence, the design could be described as follows:

8′0″ high chain-link fence plus 1′0″, three strands of barbwire at top for a total height of 9′0″, consisting of 2 inches mesh 6-gauge chain-link fabric, *_____ o.d. or *_____ “C” line posts spaced a maximum of 10′0″ o.c., 7-gauge coil spring wire at top, secured to the chain-link fabric with 9-gauge hog rings spaced not greater than 12 inches, 15⁄8-inch o.d. bottom rail secured in the center with a ⅜-inch diameter galvanized steel eye hook anchored into a concrete footing, chain-link fabric secured to line post and rail at a maximum of 12 inches o.c. using 9-gauge tie wire.

*_____ o.d. end and corner posts complete with 15⁄8 -inch o.d. brace rail, ⅜-inch truss assembly, 12-gauge tension bands secured at a maximum of 12-inch o.c., tension bar, necessary, fittings, nuts, and bolts.

Chain-link fabric shall comply with ASTM ____.*

Post and brace rail shall comply with ASTM ____.*

Barbwire shall comply with ASTM ____.*

Fittings, ties, nuts, and bolts shall comply with ASTM ____.*

Coil spring wire shall comply with ASTM ____.*

Typical Design Example


*Reference is made to ASTM as an example. All chain-link specifications, fabric, posts, fittings gates, and so forth are referenced in ASTM F 1553, Standard

Guide for Specifying Chain-Link Fence.

A typical design/specification for gates would be listed as follows:

Pedestrian/personnel swing gates shall have a 4′0″ opening by 8′0″ high plus 1′0″, and three strands of barbwire on top. Gate frames shall be fabricated from 2-inch o.d. or 2-inch square members, welded at all corners. Chain-link fabric shall be installed to match the fence line unless otherwise specified. Gateposts shall be *_____ o.d. complete with 1⅝-inch o.d. brace rail, ⅜-inch diameter truss assembly, 12-gauge ten-sion bands secured a minimum of 12 inches apart, necessary tension bar, fittings, and nuts and bolts.

Chain-link fabric shall comply with ASTM ____.

Swing gates shall comply with ASTM ____.