Tuesday 12 December 2017

Security Awareness for NT businesses - The Principles of Physical Security


Since the beginning of human endeavour, humans have used barriers, tools and procedures to protect themselves from attack. These practices have developed into principles over the generations of human development and are as relevant today as they were many generations ago.

The basic principle is that of layering defences to protect the asset that you wish to protect.  That could be your business or your family, but what does this layering actually attempt to achieve?

What we seek to achieve is a robust series of layered security measures to achieve security-in-depth.  This is the basis for all protective security, including the securing of IT systems.  The strategies may change but the principle of security-in-depth will remain.  

This system provides mutually supporting protective security measures that provide well defined protection of an asset or even your family.  It is adaptable and can be used in many areas of security where protection is necessary. Our army has practised this principle for most of its existence under the term 'Defence-in-Depth' when used to protect defensive positions.

Although it is a very old practice, we are seeing the principle being disregarded in crime prevention strategies and security being installed to rely on one element and at times one piece of technology.

When we look at some crime prevention risk mitigation strategies being approved by State and local government agencies, it is obvious that these decisions are not being based on solid principles of defence, or security-in-depth.

What are these Principles? They are to Deter, Detect, Delay and Respond.


Deter

The deter perimeter is the farthest one from the location of the assets and is often a mix of Legislative controls (laws), physical infrastructure such as fences and lighting and policies and procedures that are posted as signage along fence-lines.

The security objective on this perimeter is to deter the criminal from even attempting a breach of the protective system. Signage, laws and regulations along with business policies and procedures all contribute to deterrence.

Deterrence is a psychological battle, and when security wins, the criminal activity never starts.

Applying surveillance technology along the perimeter of large enclosures, such as industrial sites, will make it obvious to all approaching the perimeter that they are under surveillance.

Signs saying, “no trespassing” or “area under surveillance” also aid in communicating a deterrent message to unauthorised persons.

Deterrence also includes routine foot or mobile patrols of the area by police or security.  This reinforces ownership and crime awareness under the CPTED Principles and increases the risk of detection. The most common form of deterrence for industrial sites is a guard dog; however, if the dog is overcome, the property will be exposed to criminal attack.

This layer will deter the law-abiding person and most opportunist offenders. 

Detect

The detection layer’s security objective is to monitor large areas of space to accurately detect possible unauthorised intrusion in time to respond appropriately. Surveillance camera technology is improving all the time and is very effective as an accurate detection tool.

Important objectives are the timely notification of security personnel and the ability to digitally or optically zoom into the area where the intrusion was detected, to clearly identify what is occurring and who is involved.

The use of external and internal motion detection technology enhances detection, providing a method of tracking an intruder's progress. When combined with CCTV, these become an excellent tool for detection and assist response units by providing situational awareness.

Having patrolling guards who detect unlawful entry also fulfils this principle and allows for a more rapid response when the event is reported to a control centre.

Delay

The delay layer’s objective is to slow down an active intrusion enough to force the intruder to give up, or allow the security team to respond.

Use of heavy duty locking hardware and security padlocks on gates will delay an offender, who may be attempting to enter your property and may cause them to either change their attack method, scale the fence or gate or withdraw from the area to move to a softer target.  We would prefer that they move on.

Often, interior locking doors or other physical barriers are used to slow down the intrusion. Surveillance cameras can be used inside the delay perimeter to provide situational awareness and measure the effectiveness of the delay countermeasures.

The use of attack resistant laminated polycarbonate glazing or installing steel mesh security screens protecting glazed areas of the building perimeter structure will provide delay and, if supported by a detector, can give alarm to an attempted entry via the particular point of attack, providing responders with necessary information to quickly attend and challenge the offenders.

Insufficient delay will negate the effectiveness of other layers of security. Time is needed for a response and delaying is the tool to achieve the necessary time. 


Respond

The response layer is typically a police or security personnel response that attempts to apprehend the intruder.

Surveillance is used at this perimeter to record the apprehension and determine the effectiveness of the response.  

This final perimeter often includes the involvement of law enforcement and typically overlaps the other perimeters.

Some final comments


The general rule is that the farther away from a secured building the more expensive are the security measures. This holds true for cameras, sensors and access control systems.

Designing outdoor systems requires detailed upfront planning because of the wide range of operating conditions to which the security systems will be exposed. For cameras, lighting and weather conditions are the biggest problems the system will have to overcome, and selecting the right solution requires expert knowledge of surveillance systems and system capabilities.

Holistic design processes that combine both indoor and outdoor perimeters will provide the most effective physical security systems.

Look at your business or home. Where are your vulnerabilities?
  • How can you modify or harden your building perimeter to best apply the principles of physical security and reduce your vulnerabilities?
  • What technology can you afford to provide mutually supporting defence of your property?
  • How effective is response to alarms in your area? The cost of implementing sound physical security may be negated by poor response.

Keep in mind that good security does come at a cost but the biggest cost will be not training your people and yourself in testing and using the technology.

Know your systems well and test your systems to identify gaps or system failures.  A DVR hard drive in tropical areas subject to severe electrical storms can easily be damaged during the wet season and, without testing, the fault may not be identified for some time, leaving your business without video evidence when it is needed.

Security-in-depth and the principles of physical security rely on mutually supporting measures that complement each other. Reliance on one system to protect your property is gambling with your security and safety. Keep this in mind when people are advising you of how you can improve the security of your business or family home.

Friday 17 November 2017

Crime Prevention - Preparation for Christmas



Christmas is coming to town and so are the criminals. Don't make their job any easier. Some simple hints to make your property safer.

1. Keep trees and gifts away from windows. Don’t openly display your Christmas tree and gifts in the front window so it’s easily visible from the street. It can be tempting for criminals to smash the window and grab wrapped packages.

2. Hide presents. Even if you don’t have children to hide presents from, make sure criminals can’t see them through your windows and doors by hiding them in cupboards and under beds. That includes gift-wrapped presents under the tree, if you won’t be home.

3. Look lived in. If you’re going away for Christmas, make the house look lived in. Ask a friend or neighbour to keep an eye on your property, open and close curtains and put lights on. If you’re going away, ask a neighbour to park their car in your driveway to make it look like someone’s home.

4. Triple check your locks. Make sure all windows and doors are firmly shut and locked when leaving home. Leaving an entry path slightly open is a temptation for a burglar.

5. Hide packaging. When you take the bins out, make sure all packaging from expensive gifts is ripped up and buried under the rest of the rubbish, so criminals can’t easily see what you might have in the house.

6. Don’t run electricity cords through window cracks. Burglars prefer to enter through unlocked doors or windows, so an electricity extension cord running through an open window to exterior Christmas lights can be an open invitation. Hire an electrician to install an inexpensive outside plug for outdoor lights.

7. Give a trusted neighbour a spare key. Burglars know to look for the hidden door key near the front entrance. Don’t hide spare keys under rocks, in flowerpots, or above door ledges. Instead give the spare key to a trusted neighbour.

8. Be careful what you post on social media. If you post on Twitter or Facebook that you’ll be away on holiday or visiting relatives over the festive period, you’ve given the green light to intruders who will know they won’t be disturbed. The same goes for posting how excited you are about expensive gifts, which could help thieves start a shopping list.

Friday 29 September 2017

A Security Industry Honour – Receiving the Australian Security Medal



It was with honour and pride that I attended the 2017 Australian Security Medals Foundation Dinner at the Glasshouse in Melbourne where I was presented with the Australian Security Medal, witnessed by my peers and also my son, who indicated his pride in my accomplishment and his appreciation of the level of security industry professionals at the event.

The Australian Security Medal is awarded to recognise the outstanding career and character of the recipient. ASM recipients will be those who have demonstrated a consistent, high-level contribution to the wider community, possibly via innovative non-core business activities and projects, or via extraordinary performance in their professional role(s).

My thanks go out to Don Williams and Jason Brown, who championed my nomination.

The Foundation video produced for my award is located at https://youtu.be/NAFqoLiSLwg


Tuesday 15 August 2017

CiiSCM Security & Crisis Conference - Malaysia 7 August 2017




I was most impressed with Muhammad Saiful Alan Shah, who spoke at the CiiSCM Security & Crisis Management conference. Muhammad Saiful Alan Shah was an articulate and knowledgeable speaker who provided insightful advice on improvements to our current de-radicalization strategies. He provided many take-away points that increased my knowledge of the difficulties in putting in place a truly effective de-radicalization program in western countries.

Along with Muhammad, Professor Jolene Jerard, Dr Graham Ong-Webb, Mr Hamoon Khelghat-Doost and Mr Rodolphe Elégoēt provided an insightful series of presentations that promoted discussion and enhanced knowledge of the current state of terrorism beyond borders.

My gracious thanks to the organizers from CiiSCM and Global E2C.

Sunday 6 August 2017

Developing a security culture

It is said that "The destination is not always as important as the journey." It is important to ensure that, while moving towards your destination, each step of the way is planned and taken in a way that ensures the journey can be completed successfully, and that in the end the result, like reaching a holiday resort, will be enjoyable and all involved are able to enjoy this new and exciting place.  Developing a security culture within an organisation is much like this.

To achieve a sound security culture, you must ensure that all of the elements are in place and working before you start your journey. However, as in real life, not everything will work right the first time.  When you are developing a security culture you will be experimenting and changing things on your journey, trying to find your way through the myriad of policies and standards that appear to be restricting your progress.  Keep in mind, though, that there is nothing wrong with learning.  Test and confirm is as relevant in the development of a security culture as it is in research; however, the key is to use your employees to help you with this journey.

Ensure that there is no perception that this is just the "program of the month." This is usually the perception that everyone in the organisation will have if you start down one path and decide to move in another direction without proper communication. Again, this is where the employee participation comes into play, as all employees must be part of every change that occurs.  Good communication ensures employees are comfortable with changes as they see the benefit and are part of the process. 

An ideal security culture should be seen to be “the ‘engine’ that drives the system towards the goal of sustaining effective security within an organisation”. This goal should be achieved irrespective of the organisation’s leader or current commercial concerns.

What drives the system is a constant level of awareness for anything that may bypass organisational security systems. In other words, it is important to remember what can go wrong.

You must maintain an awareness of evolving threats and risks to your business.  It is very dangerous to think that an organisation is safe because information is not saying otherwise. In periods of good security performance, the best way to stay cautious is “to gather the right kind of information”, which means creating an informed culture.

An informed culture requires security management to be aware of the numerous factors that have an impact on the security systems (i.e. human, technical, organisational, and environmental). In this sense, “an informed culture can be seen to be a security culture”.

An organisation's security culture is ultimately reflected in the way in which security is managed in the workplace, although it is important to note that an organisation's security management system does not just consist of a set of policies and procedures on a bookshelf.

The security management system is the manner in which security is handled in the workplace and how those policies and procedures are implemented into the workplace.  The nature by which security is managed in the workplace (i.e. resources, policies, practices and procedures, monitoring, etc.) will be influenced by the security culture/climate of the organisation.

Security management should be integrated into the organisational system and management practice. Certainly in high-risk industries such as Defence, and in multi-national corporations, security, similar to safety, should be considered the number one priority.

It is argued “a ‘good’ security culture might both reflect and be promoted by at least four factors”. These four factors include:
  • Senior management commitment to security.
  • Shared care and concern for security and the impact on people, information, assets and the security of the nation. 
  • Realistic and flexible norms and rules about security threats, and
  • Continual reflection upon practice through monitoring, analysis and feedback systems (organisational learning).

It has also been argued by academics that fundamentally, good leadership is the key to promoting an effective security culture.

It is also important to remember that an organisation’s culture develops over a period of time and cannot be created instantly. “Organisations, like organisms, adapt”. The security culture of an organisation is developed as a result of history, work environment, the workforce, security practices, and management leadership.

Let's move on to the nuts and bolts of developing a security culture.

The University of Melbourne undertook research into developing security cultures within the IT field.  They utilised the Ruighaver / Maynard security culture model.  This model looks at eight dimensions in developing a security culture.  My presentation is heavily based on this research.

The basis of truth and rationality

The basis of truth and rationality is the first dimension of the Ruighaver/Maynard security culture model that I will discuss.

According to the authors of the original organisational model, this dimension of culture is about what the employees in an organisation believe is real or not real and, in particular, how what is true is ultimately discovered.

The most obvious aspect of this dimension is that it is about beliefs. Beliefs influence the attitude of employees and their attitudes influence their behaviour. Research has shown that the basis of truth and rationality is critical in decision making within Security.  I will discuss some of these aspects.

How important is security for your organisation?

Literature on security culture recognises that the most crucial belief influencing the security in an organisation is the belief that security is important.

If the employees of an organisation do not believe that security is important, they will not support any security measures that restrict their behaviour. The belief that no threat exists is the critical factor in a security culture failing to develop.

Academic research has found that many organisations continuously undermine the belief that security is important by reporting to their staff that no money is available for their security initiatives. Obviously, different organisations need different levels of security, but never use such negative messages. Instead report on the issues that you are currently concentrating on in your security efforts, and indicate that new initiatives will be considered in due time.

Although the security requirements for one company or organisation may not be as high as the security requirements of another, achieving optimal security for that organisation’s particular situation will still be important, as is the need to ensure that their employees believe that security is important.

So, why not implement campaigns similar to occupational health campaigns to stress that security is important for your organisation?

How reliable is the information used in decision making?

While security managers and other decision makers in the security field generally believe that security is important, they often have personal beliefs about which areas of security are important for their organisation that are not based on truth and rationality.

Studies have found that management beliefs and trust in the quality of security, and about the quality of the different processes used to manage security, may be misplaced.

Many of the organisations investigated in a number of academic studies do, for instance, believe that their security is good, but most of these organisations did not really make an attempt to evaluate the quality of their security.

Even larger problems exist with organisations' beliefs about the quality of their risk analysis and security audits. If your asset identification and risk analysis is not based on a systematic application of your chosen methodology, you will have missed assets that need protection and you will have missed risks or threats that those assets need to be protected against.

Ad-hoc shortcuts seriously undermine the quality of your risk assessment. Hence, without feedback loops where the organisation continuously updates its risk assessment based on a thorough investigation of incidents and near misses, your risk data will be of low quality.


Nature of Time and Time Horizon

The Nature of Time and Time Horizon is the second dimension of the Ruighaver/Maynard security culture model. The time horizon that an organisation takes affects whether or not security managers and other organisational members involved in security adopt long term planning and goal setting, or focus primarily on the here-and-now.

Unfortunately, few organisations have long-term goals for security and those that have seldom look beyond a time frame of one or two years. Furthermore, these goals are in most cases only aimed at the building of a solid security infrastructure in line with National or International Security Standards. To be fair to those organisations, there is very little published security literature on possible long-term strategies, and security standards also offer little assistance.

To develop a high-quality security culture, organisations will need to place more emphasis on long-term commitment and strategic management. All too often the security focus of an organisation is on things demanding immediate attention, not on the things that may prove more important in the long run. And when they finally run into problems because their current security approach is no longer adequate and becomes too expensive to maintain, such organisations often will initiate a complete overhaul of their existing security infrastructure and decision making processes, throwing away the good with the bad.

Long Term planning

Any organisation that would like to start increasing its investment in Security, by initiating a restructuring of their security management and governance structures, should first consider what long-term strategies and plans can or should be developed and by whom.

For instance, without a long-term strategy aimed at building up appropriate skill-sets related to security, any restructuring will eventually fail. An example taken from the IT security field: the environment in which the organisation's information systems are operating is simply changing too rapidly for an organisation's information security to survive if the necessary skill sets are missing. Similar strategies are needed for knowledge management, as the complexity of the Information Systems and other IT infrastructure is continuously increasing as well.

We need to align the security of an organisation with its organisational culture. Hence it will not come as a surprise that the most important long term strategy to be developed by an organisation that wants to improve its security should be aimed at aligning the organisation's security practices and procedures with its organisational culture.

An obvious example is that traditional security is still based on the implementation of restrictive practices and procedures that minimise risks.

Organisational culture is often the opposite: In their normal work environment employees are given specific goals and targets they need to achieve and are often allowed, or even actively encouraged, to bypass standard procedures and guidelines when necessary to reach those targets. If your organisational culture encourages such behaviour, why do you think these employees will not behave the same when they are restricted by your organisation's security procedures and guidelines? Hence, if this is your organisation's culture, your organisation will need to develop long term strategies aimed at increasing the involvement of employees in security and at finding, introducing and fine-tuning targeted security related objectives and goals for each of your employees.

These security related goals and targets are necessary to encourage employees to improve their behaviour and reduce security risks.

Motivation

Motivation is the third and easiest to understand dimension of our security culture model. There is a lot of information in organisational culture literature about what motivates humans and whether people are motivated from within or by external forces. There is also extensive literature on whether people are inherently good or bad, whether people should be rewarded or punished, and whether manipulating someone's motivation can change effort or output.

Security is one of the only areas of organisational motivation where punishment is still the major motivational tool.

As there is no evidence that employees are intrinsically motivated to adopt secure practices, organisations will need to have appropriate processes in place to ensure employees are motivated in relation to security.

However, organisational literature also clearly indicates that punishment does not work in motivation. In a good security culture we would therefore expect positive motivation to be dominant.

Intrinsic motivation versus extrinsic motivation


Organisational behaviour literature suggests that provision of extrinsic rewards to employees for performing particular tasks, such as direct financial rewards, may actually reduce their intrinsic motivation.

However, organisations should consider both tangible rewards (e.g. money) and intrinsic motivation to adopt new behaviours (e.g. recognition and social participation) when employees are expected to meet modified performance standards or change their behaviour.

While it is essential that employees are made aware that security controls are necessary and useful in order to discourage them from attempting to bypass these controls, motivation in security should not only be aimed at preventing employees from compromising existing security measures and guidelines. A good security culture will encourage employees to be motivated to reflect on their behaviour at all times, to assess how their behaviour influences security and what they can do to improve security.

Although it is important that a degree of trust is involved and that responsibility to act in an appropriate manner is delegated to employees themselves, this does not mean that an organisation should not monitor their behaviour. It is essential that organisations have monitoring processes in place to identify security breaches, and that they investigate those breaches to ensure that unacceptable behaviour is corrected. Of course, the organisation should also reward exemplary behaviour, and should publicise those examples to increase both awareness and motivation.

For example, Defence has initiated an awards program for excellence in security within the Department and Defence Industry that is supported at the highest level of Defence and will be promoted through media reports throughout Defence. 

Horizontal versus vertical Social Participation


Social participation is a well-known aspect of organisational culture. Research has found that some organisations do encourage social participation in line with the organisation's governance structures, such as encouraging staff influenced by a decision to participate in the decision making process. This is called vertical social participation. Research suggests that such social participation has only a limited effect on improving the security culture, and that to improve motivation organisations should encourage more widespread social participation. It should be obvious that employees at the same level within different areas of an organisation often come across the same security issues and may not know that others in the organisation are covering the same ground.

Organisations that have horizontal social participation where, for instance, all security practitioners, system and security administrators across the business units are involved in a regular exchange of information to improve decision making, may find that motivation will increase significantly as well.

Stability versus Change 

The Stability versus Change dimension is the fourth dimension of our Ruighaver/Maynard security culture model. While some individuals are open to change (risk-takers), other individuals have a high need for stability (risk-averse). The same is true for organisations. Risk-taking organisations are said to be innovative with a push for constant, continuous improvement. Risk-averse organisations focus on not rocking the boat. Hence, an important aspect of an organisation's security culture is its tolerance for change and innovation.

Organisations that have a high requirement for security often favour stability over change. Change is often seen as bad for security, as it can result in the introduction of new risks or in the invalidation or bypass of controls to existing risks. If this aspect of security culture is in line with the general organisational culture, there will be few problems. However, when change is carefully managed, such organisations will need to ensure that their security posture is not static. Security is never 100% and in today’s complex environment tight centralised control over decision making can result in a lack of flexibility.

Facilitating change.


Most organisations have an organisational culture based on decentralised decision making and a tolerance of change. Often periodic cycles of change are purposefully built into the culture and processes to facilitate the introduction of new products and services. If such an organisation has a culture where individual risk taking behaviour within acceptable boundaries may be tolerated or even encouraged, a security culture which is restrictive is doomed to fail.

Most organisations that have a low requirement for security are tolerant to change, but they often fail to realise that the organisation will still need to constantly adapt its security to the inevitable changes in the organisation's environment. The organisation's existing security procedures and practices will need to improve, and this will need to be carefully facilitated. While organisations that have adopted a security policy life-cycle methodology will have a culture of continuous change in that area of security, this may not necessarily extend to other areas such as security strategy development and security governance processes, or even the implementation of security measures.

Finally, research has found that almost all organisations were lacking in the development of new and innovative approaches to security. Most organisations just use the same old traditional security technologies and controls, often based on existing security standards that are more than a decade old.

Orientation to work, task and co-workers 

The fifth dimension of the Ruighaver/Maynard security culture model is Orientation to work, task and co-workers. This dimension deals with the balance between work as a production activity and as a social activity. Some individuals view work as an end in itself with a task focus, concerned fundamentally with work accomplishment and productivity. Other individuals see work as a means to other ends, such as having a comfortable life and developing social relationships.

Individuals with a strong task focus are likely to find that traditional security controls are too restrictive. For example, it is an important principle in information security that there is a trade-off between the use of an organisation's assets and their security. Limiting access to an asset, such as email and the internet, can significantly improve its security. However, limiting access will result in a serious impediment to the daily operations of employees. There may be a temptation for organisations to lift all restrictions.

Security managers must be continuously fine-tuning the balance between security and how constrained employees feel in their work.  This is an important aspect of a good security culture. Of course, staff will feel less restricted if they are motivated and feel responsible for security, but that alone will not be enough. 

Responsibility and ownership.


While it is obvious that a good security culture depends on making employees feel responsible for security in the organisation, it is just as important that those employees responsible for a particular security area have a strong sense of ownership.

This will be positively influenced by social participation, but can just as easily be negated when staff feel that management do not take suggestions for the improvement of security seriously. Hence, a positive response from management and a continuous adaptation of security practices by incorporating at least a few of the suggestions is a must to improve the orientation of staff towards security.

Orientation to work is improved by education and security awareness. Regular education of employees on their roles and responsibilities related to security is crucial.

Too many organisations only give employees an overview of security during induction, and even then they mostly cover aspects of what is considered a legal requirement under governance/compliance rules, missing critical awareness information that necessitates other means of passing information out to all staff.  Security education can also be an important tool in increasing the feeling of responsibility and ownership of those involved in decisions about security. But for education to have a significant impact on the employee’s orientation to work, it will need to be reinforced continuously and must include a response to any unsatisfactory behaviour that has become widespread enough for users to consider it normal behaviour.

Isolation versus Collaboration/Co-operation 

Isolation versus Collaboration/Co-operation is the sixth dimension of the Ruighaver/Maynard security culture model. This dimension addresses underlying beliefs about the nature of human relationships and about how work is most effectively and efficiently accomplished, either by individuals or collaboratively.

It is common knowledge in software engineering that, without user involvement in the design process, acceptance of the resulting information system by the organisation will be minimal. The same is undoubtedly true for security procedures and policies. While organisations often realise that security policies should be created collaboratively using the input of people from various areas of the organisation to ensure their comprehensiveness and acceptance, the cost of this approach seems to be a major obstacle.

It is surprising how often we find that an organisation's security planning and implementation are handled by only a small group of specialists and managers. As a result, the efforts of the security management team are often negated by other decisions taken by managers in the business units and on the work floor.

Control, Coordination and Responsibility 

The seventh dimension of the Ruighaver/Maynard security culture model is Control, Coordination and Responsibility. This dimension of an organisation's security culture is clearly related to the security governance in that organisation.

Where control is tight, there will often be formalised rules and procedures that are set by a few, to guide the behaviour of the majority. The need for governance is limited. Where control is loose, we expect flexibility and autonomy of workers, with fewer rules or formal procedures and shared decision-making. It is that shared decision making that depends on high quality security strategies and a well developed security strategic context.

An organisation with centralised decision making tends to have a tight control. Tight control allows for efficient security management but reduces the flexibility of the organisation to respond to the current dynamic security environment. Literature suggests that even where there are mechanisms of control and formalisation within a centralised organisation, a culture of fear and uncertainty that loose control may result in these control mechanisms such as policies, rules and procedures becoming dysfunctional. This may not in fact be true.

Loose control in security needs better governance.


To cope with the current dynamic business environment, most organisations have opted for a more flexible decentralised decision making structure. While those organisations are likely to have a loose control, change management processes may still influence how loose the control actually is.

It should be obvious by now how important it is that an organisation's security culture is aligned with organisational culture. So a tight control of security in an otherwise loosely controlled organisation is not likely to work very well. It is, therefore, surprising that most often organisations still attempt to keep a tight control on their security.

This is a direct result of the current lack of guidelines for adequate security governance at the middle management level in both literature and current security standards. If an organisation does not develop a proper security strategic context, loose control of security will simply not work.

Loose control also increases the importance of coordination. As discussed under motivation, improving the horizontal social participation in an organisation can be an important tool in improving coordination.

Responsibility needs accountability.


Independent of whether there is a tight control or a loose control, clear guidelines on who has decision rights in the different areas of security are essential. This aspect is often called responsibility, and ensuring that all responsibilities have been assigned is a required feature in any strategic security policy. Top management support for security is a significant predictor of both the direction of an organisation's security culture and the level to which its security policies are enforced. Therefore, whereas operational responsibility and accountability may lie with middle management and end-users, top management has a clear responsibility to:
  • Visibly demonstrate a prioritization of security,
  • Provide strong and consistent support to the overall security program, and
  • Take security issues into account in planning organisational strategies.

Orientation and Focus 

The Orientation and Focus dimension is the eighth and last dimension of the Ruighaver/Maynard security culture model. The nature of the relationship between an organisation and its environment and whether or not an organisation assumes that it controls, or is controlled by, its external environment is an important aspect of both organisational culture as well as of security culture. An organisation may have an internal orientation (focusing on people and processes within the organisation) or external orientation (focusing on external constituents, customers, competitors and the environment), or have a combination of both.

The orientation and focus of an organisation's security will clearly depend on the environment in which the organisation operates. Unfortunately, if an organisation is forced to conform to external audit and government requirements, it is likely that the emphasis of its risk management processes will be only on meeting these requirements, and no longer on improving its security. The organisation often believes that meeting these requirements guarantees good security. Similarly, it has been found that many other organisations only aim to bring their protective and ICT security in line with international industry standards. Again the emphasis is often geared towards passing an audit to prove that they have achieved this goal, rather than on achieving the best security for the organisation within the obvious limitations of resources and budget.

As security in an organisation is influenced by both external factors and internal needs, I believe that an ideal security culture has a balance between an internal and external focus. External requirements and industry standards can obviously not be ignored, but the external focus should at least also include an awareness of the organisation's external security environment and how this changes over time.

This will allow the organisation to pro-actively meet any new threats. More important, however, is that the organisation builds up an awareness of its internal security environment. If the organisation is not trying to identify what security breaches occur and why they occur, it will never know if its security strategies are working and how it can improve the implementation of these strategies.

 Conclusion

There are challenges for both corporate and government security professionals in creating and maintaining a security culture within their organisation.

Financial constraints within corporations or government agencies create an environment where risk management strategies must be robust and effective, so that security is valued as a capability enabler rather than a cost burden.

There is no simple solution, nor one solution that fits all. Each business unit has its own dynamics that require analysing to ensure solutions fit the culture and provide an environment where a security culture can thrive.

This is the challenge for corporate and government security advisers in the current and future security environment.

Security Culture Bibliography
Improving your Security Culture.
  1. Chia, P. Maynard, S., and Ruighaver, A.B. (2002) ‘Exploring Organisational Security Culture’ Sixth Pacific Asia Conference on Information Systems, Tokyo, Japan, 2-3 September 2002.
  2. Chia, P. Maynard, S., and Ruighaver, A.B. (2003) 'Understanding Organisational Security Culture' in Information Systems: The Challenges of Theory and Practice, Hunter, M. G. and Dhanda, K. K. (eds), Information Institute, Las Vegas, USA, pages 335 - 365.
  3. Dojkovski, S., Lichtenstein, S. and Warren, M. (2006) Challenges in Fostering an Information Security Culture in Australian Small and Medium Sized Enterprises, Proceedings of the 5th European Conference on Information Warfare and Security, Academic Conference Limited, United Kingdom.
  4. Dojkovski, S., Lichtenstein, S and Warren, M. (2005) Information Security Culture in Small and Medium Sized Enterprises: A Socio-Cultural Framework, Proceedings of 6th Australian Information Warfare & Security Conference, School of Information Systems, Deakin University, Geelong, Australia.
  5. Martins, A. and Eloff, J. (2002) ‘Information Security Culture’ IFIP TC11 International Conference on Information Security, Cairo, Egypt, 7- 9 May 2002.
  6. Ngo, L. Zhou, W. Warren, M. (2005) Understanding transition towards organisational culture change. Proceedings of the 3rd Australian Information Security Management Conference, Perth Australia.
  7. Ruighaver, A.B. , Maynard, S. & S. Chang (2006) Organisational Security Culture: Extending the End-User Perspective. Computers & Security, Volume 26, Issue 1, February 2007, Pages 56-62.
  8. Ruighaver, A.B. & Maynard, S. (2006) Organisational Security Culture: More Than Just an End-User Phenomenon. Proceedings of the 21st IFIP TC-11 International Information Security Conference (IFIP/SEC 2006). May 22, 2006, Karlstad, Sweden, pages 425-430.
  9. Schlienger, T. and S. Teufel (2002) ‘Information Security Culture - The Socio-Cultural Dimension in Information Security Management.’ IFIP TC11 International Conference on Information Security, Cairo, Egypt, 7-9 May 2002
  10. Schlienger, T. and S. Teufel (2003) ‘Information Security Culture - From Analysis to Change.’ Proceedings of ISSA 2003, Johannesburg, South Africa, 9-11 July 2003.
  11. Schlienger, T. and S. Teufel (2003) ‘Analysing Information Security Culture: Increased Trust by an Appropriate Information Security Culture’ 14th International Conference on Database and Expert Systems Applications (DEXA 2003), Prague, Czech Republic, September 2003.




Tuesday 30 May 2017

Crime & Security Awareness: some thoughts by Raymond V. Andersson


Media reports over many years now have highlighted the threat of criminal activities to individuals, properties and businesses in Darwin, Palmerston, Alice Springs and other areas within the NT and of course, other states in Australia.  
We live in a society where many criminals operate within their own system of ethical and moral standards, having no respect for the law, age, disabilities or common standards that conform to the general population’s own standards of citizenship.  

The ethical standards and moral positions that we may treasure as being the cornerstone of our communities are regarded as a weakness to be exploited.    This is often supported by arguments regarding the rights of the individual overriding the rights of the many, thus exploiting our own belief system to the criminal’s advantage.   After all, we as a community also believe in the rights of the individual, however we temper this right with our citizenship responsibilities as members of a community.

Much of this crime is blamed on our youth; however, it must be realised that for every juvenile delinquent there are always one or more adult delinquents – people of mature years who either do not know their duty to their community and nation, or who, knowing it, fail. It is a fundamental fact of life that children emulate adults and adopt the adults’ ethical and moral beliefs in most instances.

What then can the average person do to minimise the threat of crime?

First of all, you have to ACCEPT THAT THE THREAT EXISTS. Human nature is a funny thing. We don't like living with threats. Crime is a subject of conversation nearly every day or night in homes, bars and workplaces. You read about it in the papers every day, and the TV and radio tell you about it constantly. But as soon as we've finished lamenting the problem, we stick it in the recesses of memory; we forget about it.

You cannot allow yourself to forget that the criminal is out there. They steal for a living.  They assault so they can steal.  They will attack to create an environment of fear and intimidation, so they simply aren't going to forget about you.

Next you have to consciously accept that YOU ARE A TARGET. Now this is quite difficult for the average person, because the average person is a nice person and it doesn't figure that someone you've never seen before in your life wants to harm you. The bottom line is simply that you have something he or she wants. This goes for every crook or assailant on earth. The criminal assault may be purely an act of theft, or low-level terrorism conducted to gain personal satisfaction in the fear or pain created, or just for the individual's or group's self-gratification in stamping their control over ‘their turf’. You have to accept that they do not see the world the way that you do. To them you are simply an anonymous target; a bit like those legs dangling in the ocean in front of a shark.

The main problem is that very strong human belief that 'it will never happen to me'.  Every single crime victim is a 'Me'.

There are a few easy steps that anyone can adopt that can reduce or remove the risk.

a. ENVIRONMENTAL CONTROL: Control your environment by being aware of your immediate and proximate surroundings and being able to react to any apparent potential threat. If the criminal wants to mug you, steal from you, pick your pocket, sell your kids some drugs, they have to take control of the environment in which they are to operate. They might do this by stealth or by force.   By controlling your environment, you take the initiative away from them.

b. ENVIRONMENTAL AWARENESS: Think about it like this: if I am aware of my environment, I will be able to react to anomalies. Get to know what is happening around you. Be aware of the normal pattern of life in your neighborhood so that unusual patterns or people will stand out. Harden the security on your home or business, then look outside of this perimeter at the environment that you live and work in.

c. CONSCIOUS SELF-INTERROGATION: This is self-explanatory. As you drive your car or walk along the street where you live, on your route to work, wherever, ask yourself consciously: what is going on around you? Who else is also driving or walking within your local environment? Are those persons standing on the corner legitimate pedestrians, or are they watching the behaviour of residents or businesses? Police patrols and well-trained Security Officers carry out self-interrogation at all times whilst working as a matter of street survival.

Make sure you do it consciously, just to make sure that you are keeping up the habit and after a while, your subconscious will take over.   Healthy suspicion may avoid placing yourself in a position of risk.

d. CORRIDORS AND PATTERNS: Ever heard the saying that 'we're slaves to habit'? It's absolutely true. We oscillate between known points (home, work, the bank, schools) and we go to them at given times and along favourite routes. This plays into the hands of criminals. Vary your routine. Watch for corridors that afford the criminal any advantage. This includes intersection stop signs, traffic control lights etc. They all afford criminals and also terrorists the advantage of time whilst the target has their attention elsewhere. Many thefts, car-jackings and assassinations have occurred at intersections and traffic lights. Be aware of your environment and what is occurring around you.

e. LEAVING AND APPROACHING YOUR CAR: This is particularly important in parking lots. Imagine you are at a shopping centre and you are driving into the parking area.    This is an area where many people develop patterns or create corridors of opportunity for criminals.

Get into your well-lit parking place as quickly as possible and then get out of your car and stand up as quickly as possible, gaining control of your environment once more. Remember that if you are bending down peering at the lock you are surrendering environmental control. After locking up, walk briskly away from your car, observing who is watching you. You don't have rear view mirrors, so consciously turn around and look at your sides and behind you. An observer with ill intent will note that you are alert and in most cases will look for an easier target, but don't let this make you 'cocky'; they will still have a go if they don't find easier pickings.

Inevitably you're going to come back to your car, so as you walk out of the supermarket, the hairdresser or the restaurant, you must once more interrogate the area around your car. Do not walk directly to your car; go away from it at an angle so that you can keep it in view and watch for any reactions in the people around. Once you are happy that the area is clear, walk back to your car from a different direction.

Walk to your car as quickly as possible, unlock it while standing upright, get in the car, lock it and get out of there. If you are carrying goods, stay upright as much as possible and put things in the car from a standing position. Do not lean into the car and thus make yourself vulnerable. Having two people can assist here, as one can always remain alert whilst the other packs the car. If you have a remote electronic central locking system, make sure that locking and unlocking is accompanied by a minimum of flashing lights and certainly make sure that your car does not make any bleeping sounds. That will alert anyone in the parking lot that someone with the means to open the car and drive it away is approaching a specific vehicle, and that makes you vulnerable to the opportunist.

f. ON FOOT: We previously looked at controlling your environment when out of your car. Using this principle should also enable you to identify areas you should stay out of: alleys, bushy areas, unlit areas, and shanty areas where environmental clutter makes it hard to control the environment. You just don't go there without adequate protection. Ask any expert self-defence exponent what they would do if four men attacked them whilst alone in a dark alley. Their response would most likely be that they wouldn't be alone in a dark alley. That's the best possible rule of thumb; if you can't control it, don't go there.

Studies and practical implementation overseas have revealed that street and other overhead lighting has dramatically reduced the level of crime in those areas that have adopted this strategy. It has also dramatically reduced the fear factor of people going out at night in those same areas. Lighting is a primary tool in Crime Prevention Through Environmental Design and should be considered as a matter of priority by Councils responsible for areas of high crime risk. Lighting assists in bringing control of the night away from criminals and back to the community, and as ratepayers you have a right to live in a safe environment.

When crossing the street in a built-up part of town in a reasonably developed part of the world, you can use shop windows as mirrors if the lighting is right, but it still pays to have the odd look behind you, just so they know you are alert.

Maintaining control of your environment is particularly important at ATMs, which are constantly observed by opportunist thieves. Don't fixate on the screen. Examine the screen before you start work and look for any tampering with the machine, but at all times look around you every couple of seconds. In this instance, as in all other situations, you must have your escape route planned. If you don’t feel safe, simply walk away. Trust your intuition when you feel you may be in danger. Intuition or gut feelings can be right more often than they are wrong.

When using mobile phones, it's best to stand with your back to a flat high wall. A shop window is good. Now you only have to sweep your vision through 180 degrees. But remember when you walk off, your environment is 360 degrees again, because some interested party has just seen you use that phone…


Crime will not go away. We must therefore attempt to control it by reducing the opportunity, increasing the risk of detection and capture, and making the criminal act less desirable to all bar the most desperate offenders. This can be achieved by being crime & security aware and taking control of your environment.