Consider Using a Security Checklist
Most institutions use some form of security checklist. For instance, Alaskan schools use an 11-page checklist which is similar to others in use throughout the country. Alaska’s list is comprehensive, covering 156 areas, including access control, locks, surveillance, procedures, lighting and sensitive equipment. Upon reviewing each of these areas, an assessor can note its status and whether improvement is needed.
In a perfect world, everything will be regularly evaluated, with effective corrective action being implemented in a timely manner. However, this usually doesn’t happen. First, criteria of adequate protection often do not exist. For example, how many lights in a parking lot need to be out to constitute a problem, and does it make a difference if five lights that are out are adjacent or distributed equidistantly throughout the lot? Who makes this determination, and what is the basis of that determination? The response can be to repair everything whenever it’s discovered, but this brings us to a second problem: there is rarely enough money. Further, is there some priority facilities staff should use in determining whether to repair lights before alarms, for instance?
Security planners need criteria. We need to establish priorities to structure how often we look at something and how many resources (money, manpower, etc.) we direct toward it. There are two basic analytical methods you can use to arrive at these priorities: asset-based and mission-based.
CARVER Method Analyzes Assets
One technique popular in the military is known as the CARVER method. Originally developed by military targeteers to select high-value targets, it can also be used to determine how many resources defenders should allocate to various physical assets.
In the CARVER method, each letter stands for a criterion of asset protection.
- Criticality — what is the impact (economic, social, reputation, etc.) of an attack?
- Accessibility — what is the ability to ingress and egress from a target?
- Recuperability — what is the ability of a system to recover from an attack?
- Vulnerability — what is the ease of accomplishing an attack?
- Effect — what is the amount of loss from an attack as measured by the loss of production (i.e., the inability to conduct classes or provide medical services)?
- Recognizability — what is the ease of identifying the target?
Before assessing each criterion, a planner would need to identify the parameters of concern. For instance, is the threat posed by fraternity pranksters, disgruntled employees or international terrorists? This would determine the potential size and sophistication of the attack, the types of weapons and assets available to the attackers, the extent of potential losses, etc.
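As an added illustration (not part of the original article), the sketch below scores assets on the six CARVER criteria for one threat scenario, ranks them, and splits a repair budget across them. The 1-10 scale, the sample assets and their scores, and the proportional budget split are all assumptions of this example; the article does not specify them.

```python
from dataclasses import dataclass

CRITERIA = ("criticality", "accessibility", "recuperability",
            "vulnerability", "effect", "recognizability")
SCALE = range(1, 11)  # assumed 1-10 scale; the article does not state one

@dataclass(frozen=True)
class Asset:
    name: str
    scores: dict  # criterion -> score; higher = more concern (e.g. slow recovery)

    def total(self):
        """Validate the row, then sum the six criteria."""
        if set(self.scores) != set(CRITERIA):
            raise ValueError(f"{self.name}: need exactly {CRITERIA}")
        bad = {c: s for c, s in self.scores.items() if s not in SCALE}
        if bad:
            raise ValueError(f"{self.name}: out-of-scale scores {bad}")
        return sum(self.scores.values())

def row(name, *scores):
    """Build an Asset from scores given in C-A-R-V-E-R order."""
    return Asset(name, dict(zip(CRITERIA, scores)))

def rank(assets):
    """Highest total first; ties go to higher criticality, then name."""
    return sorted(assets, key=lambda a: (-a.total(), -a.scores["criticality"], a.name))

def allocate(assets, budget):
    """Split a whole-unit budget in proportion to totals (largest remainder).
    Proportional funding is an assumption of this example."""
    totals = {a.name: a.total() for a in assets}
    grand = sum(totals.values())
    shares = {n: budget * t // grand for n, t in totals.items()}
    by_remainder = sorted(totals, key=lambda n: (-(budget * totals[n] % grand), n))
    for n in by_remainder[: budget - sum(shares.values())]:
        shares[n] += 1
    return shares

# Constructed matrix for one threat scenario (a disgruntled employee).
ASSETS = [
    row("server room", 9, 4, 8, 5, 8, 3),
    row("parking lot lighting", 4, 9, 3, 8, 3, 9),
    row("records office", 7, 5, 6, 6, 5, 6),
]

if __name__ == "__main__":
    shares = allocate(ASSETS, 10_000)
    for a in rank(ASSETS):
        print(f"{a.name:22} total={a.total():2} budget={shares[a.name]}")
```

Re-scoring the same assets under a different threat scenario, such as pranksters rather than an insider, produces a different matrix and therefore a different ranking, which is why the scenario has to be fixed before the criteria are assessed.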