
Wednesday 21 March 2018

Business Security: Another Break-In - Where do we start?


We are all familiar with media reports of crime against business in our communities, and we can understand why business owners become reluctant to remain in operation when the losses from crime exceed the profit from continuing to trade: rising insurance premiums, repair costs from crimes committed against the premises, lost income from stolen merchandise and lost profit, all of which affect the well-being of the owners and their families.

Business owners and their managers should not be living in an environment of fear, yet we live in a time where the balance of power is tilting towards criminals rather than law-abiding citizens. Governments and Police have their hands tied: their capacity to address crime effectively is reduced because its root causes (social, mental health, environmental and gang-mentality issues) have no simple solutions.

Businesses cannot keep operating in the same way and expect different results. A business today must look at itself from a criminal’s viewpoint and identify its vulnerabilities. Unfortunately, in most cases these vulnerabilities cannot be addressed by the business owner or retailer alone; they also become the responsibility of property owners and Council.

Retailers continue practices that have been part of the industry for many years: marketing and promoting merchandise drives sales and profit, so large glass windows are incorporated into building design to make the merchandise on display so inviting that shoppers enter the store, either to buy what is on show or to browse and shop, ensuring sales and eventual profit for the store.

In our current environment, such displays also invite offenders to break in and steal the merchandise, and plate glass windows are not built to stop a determined attack. Why, then, do we see retailers replacing broken glass with the identical product, yet expecting a different outcome? We need to start hardening businesses as part of a crime prevention strategy. We cannot stop crime, but we can reduce the opportunity, and the desire to offend, by increasing the risk of getting caught. Businesses and retailers must start seeing security as an enabler, not a cost to business. It’s time to shine the light on security and crime prevention.

True security for businesses relies on principles that have been in place for many centuries, used from the earliest times of humans seeking protection from the elements, animals and enemies. The principle is that of ‘Defence-in-Depth’ or, for business, ‘Security-in-Depth’.
This principle relies on a series of layers of barriers that protect whatever is to be protected. It could be a person, secret information, IT systems, high-value merchandise, a factory or a business. The layers are mutually supporting: each relies on the others, and a weakness in one is covered by the next. Many crime prevention methodologies also incorporate the principle without referring to it directly. The principle of ‘Security-in-Depth’ incorporates:

  • Deterrence,
  • Detection,
  • Delay, and
  • Response.

When we look at a typical retailer today, we see premises that may have some small security signage on the windows or entry doors, deadlocks on the entry doors and the emergency lighting required under fire regulations, but the major investment in security is made inside the shop itself: electronic article surveillance, an intruder alarm system and possibly CCTV. The error in this is that by the time any of it activates the offenders are already inside, and any response comes after the damage and theft. The store suffers a loss through the damage committed, and its capacity to recover and continue trading relies on its insurer and on local businesses undertaking repairs and restocking quickly.

Once an offender is inside a retail store or any other business, it is too late; your physical security has not protected your business and you will suffer a loss.

Fortunately, ‘Security-in-Depth’ is scalable from the very small to the very large, so it is not something only large enterprises can implement. Very affordable and effective options are available for small business. However, as many businesses do not own the premises they operate in or the land outside them, they are limited in what they can do individually and must have the support of building owners and local Council.

Security-in-Depth must start at the outside perimeter of the asset to be protected and have layers of barriers that deter and delay any attack, allowing time for response. The traditional castle, pictured here, is a good example of this.

For a multi-occupancy shopping centre, the first layer of security may be the public area between the carpark and the building perimeter.  

For others, where underground car parking is in place or the premises face a public street, the first line of defence will be on the footpath and around the building perimeter: a fence line at the sides and rear, and vehicle barriers installed on the footpath at the front, set away from the building perimeter. This requires local Councils to become part of the solution by identifying suitable barriers that do not detract from the streetscape yet deter ram raiding or reduce the impact of a vehicle against the building structure.




Using both security manpower and technical solutions, a perimeter can be made safer. However, security manpower for patrols and response can add up to a considerable sum, so businesses must look at the return on investment of any solution. Ask yourself this question: how much can I, as a business, afford to lose before security spending becomes a business enabler and is seen as part of the cost of doing business?


When looking at security-in-depth, using a range of security technology will assist in bringing together the layers of physical barriers by providing detection and reporting.  The technology includes:
  • Intruder alarm systems,
  • Intruder detectors (motion detectors, glass-break detectors etc.),
  • Digital CCTV systems (good quality Digital Video Recorder and high-quality CCTV cameras),
  • Security lighting,
  • Security film or steel security screening for glazed areas,
  • Physical security hardware for doors and shutters.
The effectiveness of this technology can be further supported by private security services, security alarm monitoring centres and Police.

Businesses must ensure that all perimeter areas of the premises are protected. Hardening the front and leaving the delivery dock vulnerable is poor risk management. Layer any physical security around the premises to deter and delay any offender from continuing an attack on the premises. Keep in mind ram raiding when assessing risk as this will require vehicle mitigation strategies to be installed in areas that may be controlled by local Council.

Security technology can assist protection through security lighting around the building perimeter along with suitably placed CCTV cameras that have motion detection capability. This provides your second line of defence: detection and reporting to a security alarm monitoring centre that can link in to the business CCTV system, obtain a positive record of an intruder, and inform Police of a credible offence in progress. Modern CCTV systems that incorporate artificial intelligence (video analytics) can automate this detection and greatly improve protection.

The perimeter of the building structure will be the next layer of security, and it should be designed to provide delay through a series of physical barriers and detectors. Steel shutters or roller doors, securely locked down with floor anchors or other high-security locks, with intruder alarm detectors fitted to alert a monitoring centre of an attack, are effective, although they may not be aesthetically pleasing. Entry doors should also be protected with a steel shutter or roller door anchored down so that it cannot be attacked with hand tools or lifted with a car jack, again with detectors fitted to alert the security alarm monitoring centre to an attack in progress.

Glass windows can be hardened by installing impact-resistant film and further protected by steel security screening, depending on the results of the risk assessment undertaken for the business. Glass-break detectors are also a useful tool on glass windows. Linked to the intruder alarm system, they alert the monitoring centre to a continuing attack on the premises, which can be passed on to Police or a responding security force.

For those in high-risk areas with continual break-ins, installing attack-resistant glazing is recommended. Attack-resistant glazing combines laminates with glass to keep the appearance of normal glass while meeting AS/NZS 2208:1996 (Safety glazing materials in buildings) and AS 3555.1-2003 (Building elements - Testing and rating for intruder resistance).

A number of companies in Australia supply attack-resistant glazing designed to these Australian Standards to resist sledgehammers, axes, crowbars, picks, chisels and bolt cutters, rated for 30 minutes of intruder resistance. Hand tools make little impression on it, so penetration becomes very difficult, and a 30-minute rating provides adequate time for response.

Internal motion detectors may be installed to provide the final alert that intruders have breached the outer perimeter and are now inside the building. If the outer layers of security are effective, these detectors should never activate. If they do, there is a gap in your outer defences, and that gap is very often the response.

Security-in-Depth is not effective without all parts working together and, in many cases, it is the response that is the weak point of this system. Physical security measures are not designed to prevent entry into premises but are designed to delay any such entry, giving sufficient time for response by Police or a contracted security service. Of course, any delay encourages offenders to move on as the risk of being caught in the act would outweigh the benefit of continuing an attack on the premises.

A good-quality lock or security door may give 20 minutes of delay against common hand tools and improvised weapons (barring ram raids). That is the window in which offenders can be apprehended or scared off by responding Police or a contracted security service, so the response must arrive inside it. The recommended response time is 15 minutes, and 10 minutes is excellent. The faster the response, the less time offenders have to attack the building perimeter, and repair costs fall because intervention stops entry being gained at all.
By layering physical security using Security-in-Depth, with all elements in place and operating effectively, businesses have the best chance of surviving an after-hours attack.
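The arithmetic behind the delay and response figures above (and behind the Delay and Respond principles in the December 2017 post further down this page) can be made explicit. The following is an added example, not code from the original post: a small Python timeline model in which each layer on an attack path contributes delay and may carry a detector, and the system is judged effective only when the delay still ahead of the offender at the first alarm exceeds the response time. The two attack paths, the layer names and the delay values are constructed for illustration from the figures quoted in the post (20 minutes for a good lock or door, 30 minutes for attack-resistant glazing, a 15-minute response); they are assumptions, not product ratings.

```python
"""
Added example: a timeline model for security-in-depth.

An after-hours attack is modelled as a path through successive layers.
Each layer has a delay (minutes an offender needs to defeat it with hand
tools) and may carry a detector that raises an alarm as soon as the layer
is attacked.  The defence works only if, from the first alarm, the delay
still ahead of the offender exceeds the time responders need to arrive.
All delay and response figures are illustrative assumptions taken from
the post, not measured product ratings.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Layer:
    name: str
    delay_min: float   # minutes needed to defeat the layer (0 = no delay)
    detector: bool     # True if an alarm is raised when this layer is attacked


def remaining_delay(layers: List[Layer], index: int) -> float:
    """Delay still ahead of an offender who has just started on layers[index].

    A detector is assumed to trigger as the attack on its layer begins, so
    that layer's own delay still counts towards the response window.
    """
    return sum(layer.delay_min for layer in layers[index:])


def evaluate(layers: List[Layer], response_min: float) -> Tuple[bool, float, Optional[str]]:
    """Judge the system against one attack path.

    Returns (effective, delay remaining at the first alarm, layer that raised it).
    With no detector at all there is no alarm and therefore no response.
    """
    for i, layer in enumerate(layers):
        if layer.detector:
            remaining = remaining_delay(layers, i)
            return remaining > response_min, remaining, layer.name
    return False, 0.0, None


def critical_detection_point(layers: List[Layer], response_min: float) -> Optional[str]:
    """The last layer at which an alarm still leaves more delay than the response time.

    Any detector placed after this point (for example an internal motion
    detector) fires too late: the offender is in and gone before responders arrive.
    """
    last = None
    for i, layer in enumerate(layers):
        if remaining_delay(layers, i) > response_min:
            last = layer.name
    return last


# Constructed attack paths.  Delays are illustrative assumptions.
TYPICAL_RETAILER = [
    Layer("security signage", 0.0, False),
    Layer("plate-glass display window", 1.0, False),   # assumed: about a minute to smash
    Layer("internal motion detector", 0.0, True),      # alarm only once inside
]

HARDENED_RETAILER = [
    Layer("perimeter lighting and motion-detecting CCTV", 0.0, True),
    Layer("anchored roller shutter", 20.0, True),      # post: ~20 min against hand tools
    Layer("attack-resistant glazing", 30.0, True),     # post: rated 30 min
    Layer("internal motion detector", 0.0, True),
]

RESPONSE_MIN = 15.0   # the post's recommended response window


def report(name: str, layers: List[Layer], response_min: float) -> str:
    """One-line summary of evaluate() and critical_detection_point() for a path."""
    effective, remaining, first = evaluate(layers, response_min)
    critical = critical_detection_point(layers, response_min)
    verdict = "effective" if effective else "INEFFECTIVE"
    return (f"{name}: first alarm at '{first}', {remaining:.0f} min of delay left "
            f"vs {response_min:.0f} min response -> {verdict}; "
            f"detection must occur no later than '{critical}'")


if __name__ == "__main__":
    print(report("typical retailer", TYPICAL_RETAILER, RESPONSE_MIN))
    print(report("hardened retailer", HARDENED_RETAILER, RESPONSE_MIN))
    # A slow response in your area moves the critical detection point outward.
    print(report("hardened retailer, 35 min response", HARDENED_RETAILER, 35.0))
```

Run as written, the typical retailer path comes out ineffective because its only detector is inside the building, where no delay remains; that is exactly the point made above about internal motion detectors. Raising the response time to 35 minutes moves the critical detection point outward from the glazing to the shutter: a slow response in your area has to be compensated with detection further out or more delay at the perimeter, not with more detectors inside.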

The cost and implementation of having an effective crime prevention physical security barrier for a business must be borne by the business owner, the property owner, local Council and the Government (once again a layered approach). Taking short cuts, accepting or ignoring the risks is playing into the hands of criminals, who are out to benefit from your hard work and investment. It’s your business but your employees and the shopping public share the effects of crime against your business and crimes against your business can have a flow-on effect to the local and national economy.

Good business security doesn’t need the guards-and-gates mentality of the past. Business security in this modern age encompasses a wide range of business practices and new technology that not only protect the building and stock but protect the business’s reputation, its people, its information and its very existence as an ongoing entity. The modern security mentality is one of resilience and risk management, with physical security mitigation strategies designed to deter, detect, delay and respond to events, allowing a business to recover quickly and bounce back from an adverse event.

Design your security well and it will pay off in reducing the impact of crime in your area.






Thursday 1 March 2018

Crime Prevention Safety and Security Audit Kit







I have finally completed a Crime Prevention Safety and Security Audit Kit for use by community groups, community members, schools and businesses.

Sergeant Rod Strong (NT Police, retired) did some good work back in the 1980s that has been reviewed, updated and expanded to provide more information and support for business owners, who are prime targets for crime.

My next project is to look at some suggested treatments to provide a starting point for audit groups and business owners, to get them thinking and looking critically at what could be achieved and how.



Tuesday 12 December 2017

Security Awareness for NT businesses - The Principles of Physical Security


Since the beginning of human endeavour, humans have used barriers, tools and procedures to protect themselves from attack. These practices have developed into principles over the generations of human development and are as relevant today as they were many generations ago.

The basic principle is that of layering defences to protect the asset that you wish to protect.  That could be your business or your family, but what does this layering actually attempt to achieve?

What we seek to achieve is a robust series of layered security measures to achieve security-in-depth.  This is the basis for all protective security, including the securing of IT systems.  The strategies may change but the principle of security-in-depth will remain.  

This system provides mutually supporting protective security measures that give well-defined protection of an asset, or even your family. It is adaptable and can be used in many areas of security where protection is necessary. Armies have practised this principle for most of their existence under the term 'Defence-in-Depth' when protecting defensive positions.

Although it is a very old practice, we are seeing the principle being disregarded in crime prevention strategies and security being installed to rely on one element and at times one piece of technology.

When we look at some crime prevention risk mitigation strategies being approved by State and local government agencies, it is obvious that these decisions are not being based on solid principles of defence, or security-in-depth.

What are these Principles? They are to Deter, Detect, Delay and Respond.


Deter

The deter perimeter is the farthest one from the location of the assets and is often a mix of Legislative controls (laws), physical infrastructure such as fences and lighting and policies and procedures that are posted as signage along fence-lines.

The security objective on this perimeter is to deter the criminal from even attempting a breach of the protective system. Signage, laws and regulations along with business policies and procedures all contribute to deterrence.

Deterrence is a psychological battle, and when security wins, the criminal activity never starts.

Applying surveillance technology along the perimeter of large enclosures such as industrial sites makes it obvious to anyone approaching the perimeter that they are under surveillance.

Signs saying, “no trespassing” or “area under surveillance” also aid in communicating a deterrent message to unauthorised persons.

Deterrence also includes routine foot or mobile patrols of the area by police or security. Patrols reinforce ownership and crime awareness under the CPTED principles and increase the risk of detection. The most common form of deterrence for industrial sites is a guard dog; however, if the dog is overcome, the property is exposed to criminal attack, which is exactly the danger of relying on a single measure.

This layer will deter the law-abiding person and most opportunist offenders. 

Detect

The detection layer’s security objective is to monitor large areas of space and accurately detect possible unauthorised intrusion in time to respond appropriately. Surveillance camera technology is improving all the time and is very effective as an accurate detection tool.

Important objectives are timely notification to security personnel, and the ability to digitally or optically zoom in on the area where intrusion was detected, so that what is occurring can be seen clearly and those involved can be identified.

The use of external and internal motion detection technology enhances detection, providing a method of tracking an intruder's progress. Combined with CCTV, these become an excellent detection tool and assist response units by providing situational awareness.
Patrolling guards who detect unlawful entry also fulfil this principle and allow a more rapid response once the event is reported to a control centre.

Delay

The delay layer’s objective is to slow down an active intrusion enough to force the intruder to give up, or allow the security team to respond.

Use of heavy duty locking hardware and security padlocks on gates will delay an offender, who may be attempting to enter your property and may cause them to either change their attack method, scale the fence or gate or withdraw from the area to move to a softer target.  We would prefer that they move on.

Often, interior locking doors or other physical barriers are used to slow down the intrusion. Surveillance cameras can be used inside the delay perimeter to provide situational awareness and measure the effectiveness of the delay countermeasures.

Attack-resistant laminated polycarbonate glazing, or steel mesh security screens protecting the glazed areas of the building perimeter, will provide delay and, if supported by a detector, will raise an alarm on an attempted entry at that particular point of attack, giving responders the information they need to attend quickly and challenge the offenders.

Insufficient delay will negate the effectiveness of other layers of security. Time is needed for a response and delaying is the tool to achieve the necessary time. 


Respond
The response layer is typically a police or security personnel response that attempts to apprehend the intruder.  

Surveillance is used at this perimeter to record the apprehension and determine the effectiveness of the response.  

This final perimeter often includes the involvement of law enforcement and typically overlaps the other perimeters.

Some final comments


The general rule is that the farther away from a secured building the more expensive are the security measures. This holds true for cameras, sensors and access control systems.

Designing outdoor systems requires detailed upfront planning because of the wide range of operating conditions to which the security systems will be exposed. For cameras, lighting and weather conditions are the biggest problems the system has to overcome, and selecting the right solution requires expert knowledge of surveillance systems and their capabilities.

Holistic design processes that combine both indoor and outdoor perimeters will provide the most effective physical security systems.

Look at your business or home. Where are your vulnerabilities?
  • How can you modify or harden your building perimeter to best apply the principles of physical security and reduce your vulnerabilities?
  • What technology can you afford, to provide mutually supporting defence of your property?
  • How effective is the response to alarms in your area? The cost of implementing sound physical security may be negated by poor response.
Keep in mind that good security does come at a cost but the biggest cost will be not training your people and yourself in testing and using the technology. 

Know your systems well and test them to identify gaps or failures. In tropical areas, a DVR hard drive subjected to severe wet-season electrical storms can easily be damaged and, without testing, the failure may go unnoticed for some time, leaving your business without video evidence when it is needed.

Security-in-depth and the principles of physical security rely on mutually supporting measures that complement each other. Reliance on one system to protect your property is gambling with your security and safety. Keep this in mind when people are advising you of how you can improve the security of your business or family home.

Friday 17 November 2017

Crime Prevention - Preparation for Christmas



Christmas is coming to town and so are the criminals. Don't make their job any easier. Some simple hints to make your property safer.

1. Keep trees and gifts away from windows. Don’t openly display your Christmas tree and gifts in the front window where they are easily visible from the street. It can be tempting for criminals to smash the window and grab wrapped packages.

2. Hide presents. Even if you don’t have children to hide presents from, make sure criminals can’t see them through your windows and doors by hiding them in cupboards and under beds. That includes gift-wrapped presents under the tree, if you won’t be home.

3. Look lived in. If you’re going away for Christmas, make the house look lived in. Ask a friend or neighbour to keep an eye on your property, open and close curtains and put lights on, and ask a neighbour to park their car in your driveway so it looks like someone is home.

4. Triple check your locks. Make sure all windows and doors are firmly shut and locked when leaving home. Leaving an entry path slightly open is a temptation for a burglar.

5. Hide packaging. When you take the bins out, make sure all packaging from expensive gifts is ripped up and buried under the rest of the rubbish, so criminals can’t easily see what you might have in the house.

6. Don’t run electricity cords through window gaps. Burglars prefer to enter through unlocked doors or windows, so an extension cord running through an open window to exterior Christmas lights is an open invitation. Hire an electrician to install an inexpensive outside socket for outdoor lights.

7. Give a trusted neighbour a spare key. Burglars know to look for a hidden door key near the front entrance. Don’t hide spare keys under rocks, in flowerpots or above door ledges. Instead, give the spare key to a trusted neighbour.

8. Be careful what you post on social media. If you post on Twitter or Facebook that you’ll be away on holiday or visiting relatives over the festive period, you’ve given the green light to intruders, who now know they won’t be disturbed. The same goes for posting how excited you are about expensive gifts, which can help thieves start a shopping list.

Friday 29 September 2017

A Security Industry Honour – Receiving the Australian Security Medal



It was with honour and pride that I attended the 2017 Australian Security Medals Foundation Dinner at the Glasshouse in Melbourne where I was presented with the Australian Security Medal, witnessed by my peers and also my son, who indicated his pride in my accomplishment and his appreciation of the level of security industry professionals at the event.

The Australian Security Medal is awarded to recognise the outstanding career and character of the recipient. ASM recipients will be those who have demonstrated a consistent, high-level contribution to the wider community, possibly via innovative non-core business activities and projects, or via extraordinary performance in their professional role(s).

My thanks go out to Don Williams and Jason Brown, who championed my nomination.

The Foundation video produced for my award is located at https://youtu.be/NAFqoLiSLwg


Tuesday 15 August 2017

CiiSCM Security & Crisis Conference - Malaysia 7 August 2017




I was most impressed with Muhammad Saiful Alan Shah, who spoke at the CiiSCM Security & Crisis Management conference. He was an articulate and knowledgeable speaker who provided insightful advice on improvements to our current de-radicalization strategies. He provided many take-away points that increased my knowledge of the difficulties in putting in place a truly effective de-radicalization program in western countries.

Along with Muhammad, Professor Jolene Jerard, Dr Graham Ong-Webb, Mr Hamoon Khelghat-Doost and Mr Rodolphe Elégoēt provided an insightful series of presentations that promoted discussion and enhanced knowledge of the current state of terrorism beyond borders.

My gracious thanks to the organizers from CiiSCM and Global E2C.

Sunday 6 August 2017

Developing a security culture

It is said that "The destination is not always as important as the journey." It is important to ensure that while moving towards your destination, each step of the way is planned and taken in a way to ensure that the journey can be completed successfully. And that in the end, the result, like reaching a holiday resort, will be enjoyable and all involved are able to enjoy this new and exciting place.  Developing a security culture within an organisation is much like this.

To achieve a sound security culture, you must ensure that all of the elements are in place and working before you start your journey. However, as in real life, not everything will work right the first time. When you are developing a security culture you will be experimenting and changing things along the way, trying to find your way through the myriad policies and standards that appear to restrict your progress. Keep in mind, though, that there is nothing wrong with learning. ‘Test and confirm’ is as relevant to the development of a security culture as it is to research; the key is to use your employees to help you with this journey.

Ensure that there is no perception that this is just the "program of the month." This is usually the perception that everyone in the organisation will have if you start down one path and decide to move in another direction without proper communication. Again, this is where the employee participation comes into play, as all employees must be part of every change that occurs.  Good communication ensures employees are comfortable with changes as they see the benefit and are part of the process. 

An ideal security culture should be seen to be “the ‘engine’ that drives the system towards the goal of sustaining effective security within an organisation” This goal should be achieved irrespective of the organisation’s leader or current commercial concerns.
What drives the system is a constant level of awareness for anything that may bypass organisational security systems. In other words, it is important to remember what can go wrong.

You must maintain an awareness of evolving threats and risks to your business. It is very dangerous to assume that an organisation is safe because no information says otherwise. In periods of good security performance, the best way to stay cautious is “to gather the right kind of information”, which means creating an informed culture.

An informed culture requires security management to be aware of the numerous factors that have an impact on the security systems (i.e. human, technical, organisational and environmental). In this sense, “an informed culture can be seen to be a security culture”.
An organisation’s security culture is ultimately reflected in the way in which security is managed in the workplace, although it is important to note that an organisation’s security management system does not just consist of a set of policies and procedures on a bookshelf.

The security management system is the manner in which security is handled in the workplace and how those policies and procedures are implemented into the workplace.  The nature by which security is managed in the workplace (i.e. resources, policies, practices and procedures, monitoring, etc.) will be influenced by the security culture/climate of the organisation.

Security management should be integrated into the organisational system and management practice. Certainly in high-risk industries such as Defence, and in multinational corporations, security, like safety, should be considered the number one priority.

It is argued that “a ‘good’ security culture might both reflect and be promoted by at least four factors”. These four factors are:
  • senior management commitment to security;
  • shared care and concern for security and its impact on people, information, assets and the security of the nation;
  • realistic and flexible norms and rules about security threats; and
  • continual reflection upon practice through monitoring, analysis and feedback systems (organisational learning).

It has also been argued by academics that fundamentally, good leadership is the key to promoting an effective security culture.

It is also important to remember that an organisation’s culture develops over a period of time and cannot be created instantly. “Organisations, like organisms, adapt.” The security culture of an organisation develops as a result of its history, work environment, workforce, security practices and management leadership.

Let’s move on to the nuts and bolts of developing a security culture.

The University of Melbourne undertook research into developing security cultures within the IT field.  They utilised the Ruighaver / Maynard security culture model.  This model looks at eight dimensions in developing a security culture.  My presentation is heavily based on this research.

The basis of truth and rationality

The basis of truth and rationality is the first dimension of the Ruighaver/Maynard security culture model that I will discuss.

According to the authors of the original organisational culture model, this dimension is about what the employees in an organisation believe is real or not real and, in particular, how what is true is ultimately discovered.

The most obvious aspect of this dimension is that it is about beliefs. Beliefs influence the attitude of employees, and their attitudes influence their behaviour. Research has shown that the basis of truth and rationality is critical in security decision making. I will discuss some of these aspects.

How important is security for your organisation?

Literature on security culture recognises that the most crucial belief influencing the security in an organisation is the belief that security is important.

If the employees of an organisation do not believe that security is important, they will not support any security measures that restrict their behaviour. The belief that no threat exists is the critical factor in a security culture failing to develop.

Academic research has found that many organisations continuously undermine the belief that security is important by reporting to their staff that no money is available for their security initiatives. Obviously, different organisations need different levels of security, but never use such negative messages. Instead report on the issues that you are currently concentrating on in your security efforts, and indicate that new initiatives will be considered in due time.

Although the security requirements for one company or organisation may not be as high as the security requirements of another, achieving optimal security for that organisation’s particular situation will still be important, as is the need to ensure that their employees believe that security is important.

So, why not implement campaigns similar to occupational health campaigns to stress that security is important for your organisation?

How reliable is the information used in decision making?

While security managers and other decision makers in the security field generally believe that security is important, they often have personal beliefs about which areas of security are important for their organisation that are not based on truth and rationality.

Studies have found that management beliefs and trust in the quality of security, and about the quality of the different processes used to manage security, may be misplaced.

Many of the organisations investigated in a number of academic studies believe, for instance, that their security is good, but most of these organisations had not really made an attempt to evaluate the quality of their security.

Even larger problems exist with organisations' beliefs about the quality of their risk analysis and security audits. If your asset identification and risk analysis are not based on a systematic application of your chosen methodology, you will have missed assets that need protection, and you will have missed risks or threats that those assets need to be protected against.

Ad-hoc shortcuts seriously undermine the quality of your risk assessment. Likewise, without feedback loops in which the organisation continuously updates its risk assessment based on a thorough investigation of incidents and near misses, your risk data will be of low quality.


Nature of Time and Time Horizon

The Nature of Time and Time Horizon is the second dimension of the Ruighaver/Maynard security culture model. The time horizon that an organisation takes affects whether or not security managers and other organisational members involved in security adopt long term planning and goal setting, or focus primarily on the here-and-now.

Unfortunately, few organisations have long-term goals for security, and those that have seldom look beyond a time frame of one or two years. Furthermore, these goals are in most cases only aimed at building a solid security infrastructure in line with national or international security standards. To be fair to those organisations, there is very little published security literature on possible long-term strategies, and security standards also offer little assistance.

To develop a high-quality security culture, organisations will need to place more emphasis on long-term commitment and strategic management. All too often the security focus of an organisation is on things demanding immediate attention, not on the things that may prove more important in the long run. And when they finally run into problems because their current security approach is no longer adequate and becomes too expensive to maintain, such organisations often will initiate a complete overhaul of their existing security infrastructure and decision making processes, throwing away the good with the bad.

Long Term planning

Any organisation that would like to start increasing its investment in Security, by initiating a restructuring of their security management and governance structures, should first consider what long-term strategies and plans can or should be developed and by whom.

For instance, without a long-term strategy aimed at building up appropriate skill-sets related to security, any restructuring will eventually fail. An example taken from the IT security field: the environment in which the organisation's information systems are operating is simply changing too rapidly for an organisation's information security to survive if the necessary skill sets are missing. Similar strategies are needed for knowledge management, as the complexity of the Information Systems and other IT infrastructure is continuously increasing as well.

We need to align the security of an organisation with its organisational culture. Hence it will not come as a surprise that the most important long-term strategy to be developed by an organisation that wants to improve its security should be aimed at aligning the organisation's security practices and procedures with its organisational culture.

An obvious example is that traditional security is still based on the implementation of restrictive practices and procedures that minimise risks.

Organisational culture is often the opposite: In their normal work environment employees are given specific goals and targets they need to achieve and are often allowed, or even actively encouraged, to bypass standard procedures and guidelines when necessary to reach those targets. If your organisational culture encourages such behaviour, why do you think these employees will not behave the same when they are restricted by your organisation's security procedures and guidelines? Hence, if this is your organisation's culture, your organisation will need to develop long term strategies aimed at increasing the involvement of employees in security and at finding, introducing and fine-tuning targeted security related objectives and goals for each of your employees.

These security related goals and targets are necessary to encourage employees to improve their behaviour and reduce security risks.

Motivation

Motivation is the third and easiest to understand dimension of our security culture model. There is a lot of information in organisational culture literature about what motivates humans and whether people are motivated from within or by external forces. There is also extensive literature on whether people are inherently good or bad, whether people should be rewarded or punished, and whether manipulating someone's motivation can change effort or output.

Security is one of the only areas of organisational motivation where punishment is still the major motivational tool.

As there is no evidence that employees are intrinsically motivated to adopt secure practices, organisations will need to have appropriate processes in place to ensure employees are motivated in relation to security.

However, organisational literature also clearly indicates that punishment does not work as a motivator. In a good security culture we would therefore expect positive motivation to be dominant.

Intrinsic motivation versus extrinsic motivation

Organisational behaviour literature suggests that provision of extrinsic rewards to employees for performing particular tasks, such as direct financial rewards, may actually reduce their intrinsic motivation.

However, organisations should consider both tangible rewards (e.g. money) and intrinsic motivation to adopt new behaviours (e.g. recognition and social participation) when employees are expected to meet modified performance standards or change their behaviour.

While it is essential that employees are made aware that security controls are necessary and useful in order to discourage them from attempting to bypass these controls, motivation in security should not only be aimed at preventing employees from compromising existing security measures and guidelines. A good security culture will encourage employees to be motivated to reflect on their behaviour at all times, to assess how their behaviour influences security and what they can do to improve security.

Although it is important that a degree of trust is involved and that responsibility to act in an appropriate manner is delegated to employees themselves, this does not mean that an organisation should not monitor their behaviour. It is essential that organisations have monitoring processes in place to identify security breaches, and that they investigate those breaches to ensure that unacceptable behaviour is corrected. Of course, the organisation should also reward exemplary behaviour, and should publicise those examples to increase both awareness and motivation.

For example, Defence has initiated an awards program for excellence in security within the Department and Defence Industry that is supported at the highest level of Defence and will be promoted through media reports throughout Defence. 

Horizontal versus vertical Social Participation

Social participation is a well-known aspect of organisational culture. Research has found that some organisations do encourage social participation in line with the organisation's governance structures, for example by encouraging staff affected by a decision to participate in the decision-making process. This is called vertical social participation. Research suggests that such social participation has only a limited effect on improving the security culture, and that to improve motivation organisations should encourage more widespread social participation. It should be obvious that employees at the same level within different areas of an organisation often come across the same security issues and may not know that others in the organisation are covering the same ground.

Organisations that have horizontal social participation where, for instance, all security practitioners, system and security administrators across the business units are involved in a regular exchange of information to improve decision making, may find that motivation will increase significantly as well.

Stability versus Change 

The Stability versus Change dimension is the fourth dimension of our Ruighaver/Maynard security culture model. While some individuals are open to change (risk-takers), other individuals have a high need for stability (risk-averse). The same is true for organisations. Risk-taking organisations are said to be innovative with a push for constant, continuous improvement. Risk-averse organisations focus on not rocking the boat. Hence, an important aspect of an organisation's security culture is its tolerance for change and innovation.

Organisations that have a high requirement for security often favour stability over change. Change is often seen as bad for security, as it can result in the introduction of new risks or in the invalidation or bypass of controls for existing risks. If this aspect of security culture is in line with the general organisational culture, there will be few problems. However, even when change is carefully managed, such organisations will need to ensure that their security posture is not static. Security is never 100%, and in today's complex environment tight centralised control over decision making can result in a lack of flexibility.

Facilitating change.

Most organisations have an organisational culture based on decentralised decision making and a tolerance of change. Often periodic cycles of change are purposefully built into the culture and processes to facilitate the introduction of new products and services. If such an organisation has a culture where individual risk taking behaviour within acceptable boundaries may be tolerated or even encouraged, a security culture which is restrictive is doomed to fail.

Most organisations that have a low requirement for security are tolerant of change, but they often fail to realise that the organisation will still need to constantly adapt its security to the inevitable changes in the organisation's environment. The organisation's existing security procedures and practices will also need to improve, and that change will need to be carefully facilitated. While organisations that have adopted a security policy life-cycle methodology will have a culture of continuous change in that area of security, this may not necessarily extend to other areas such as security strategy development and security governance processes, or even the implementation of security measures.

Finally, research has found that almost all organisations were lacking in the development of new and innovative approaches to security. Most organisations just use the same old traditional security technologies and controls, often based on existing security standards that are more than a decade old.

Orientation to work, task and co-workers 

The fifth dimension of the Ruighaver/Maynard security culture model is Orientation to work, task and co-workers. This dimension deals with the balance between work as a production activity and as a social activity. Some individuals view work as an end in itself with a task focus, concerned fundamentally with work accomplishment and productivity. Other individuals see work as a means to other ends, such as having a comfortable life and developing social relationships.

Individuals with a strong task focus are likely to find that traditional security controls are too restrictive. For example, it is an important principle in information security that there is a trade-off between the use of an organisation's assets and their security. Limiting access to an asset such as email or the internet can significantly improve its security. However, limiting access will result in a serious impediment to the daily operations of employees. There may be a temptation for organisations to lift all restrictions.

Security managers must be continuously fine-tuning the balance between security and how constrained employees feel in their work.  This is an important aspect of a good security culture. Of course, staff will feel less restricted if they are motivated and feel responsible for security, but that alone will not be enough. 

Responsibility and ownership.

While it is obvious that a good security culture depends on making employees feel responsible for security in the organisation, it is just as important that those employees responsible for a particular security area have a strong sense of ownership.

This will be positively influenced by social participation, but can just as easily be negated when staff feel that management do not take any suggestions for the improvement of security very seriously. Hence, a positive response of management and a continuous adaptation of security practices by incorporating at least a few of the suggestions is a must to improve the orientation of staff towards security.

Orientation to work is improved by education and security awareness. Regular education of employees on their roles and responsibilities related to security is crucial.

Too many organisations only give employees an overview of security during induction, and even then they mostly cover what is considered a legal requirement under governance/compliance rules. Critical awareness information is missed, which necessitates other means of passing information out to all staff. Security education can also be an important tool in increasing the feeling of responsibility and ownership of those involved in decisions about security. But for education to have a significant impact on the employee's orientation to work, it will need to be reinforced continuously and must include a response to any unsatisfactory behaviour that has become widespread enough for users to consider it normal behaviour.

Isolation versus Collaboration/Co-operation 

Isolation versus Collaboration/Co-operation is the sixth dimension of the Ruighaver/Maynard security culture model. This dimension addresses underlying beliefs about the nature of human relationships and about how work is most effectively and efficiently accomplished, either by individuals or collaboratively.

It is common knowledge in software engineering that, without user involvement in the design process, acceptance of the resulting information system by the organisation will be minimal. The same is undoubtedly true for security procedures and policies. While organisations often realise that security policies should be created collaboratively, using the input of people from various areas of the organisation to ensure their comprehensiveness and acceptance, the cost of this approach seems to be a major obstacle.

It is surprising how often we find that an organisation's security planning and implementation is handled by only a small group of specialists and managers. As a result, the efforts of the security management team are often negated by other decisions taken by managers in the business units and on the work floor.

Control, Coordination and Responsibility 

The seventh dimension of the Ruighaver/Maynard security culture model is Control, Coordination and Responsibility. This dimension of an organisation's security culture is clearly related to the security governance in that organisation.

Where control is tight, there will often be formalised rules and procedures that are set by a few, to guide the behaviour of the majority. The need for governance is limited. Where control is loose, we expect flexibility and autonomy of workers, with fewer rules or formal procedures and shared decision-making. It is that shared decision making that depends on high quality security strategies and a well developed security strategic context.

An organisation with centralised decision making tends to have tight control. Tight control allows for efficient security management but reduces the flexibility of the organisation to respond to the current dynamic security environment. Literature suggests that, even where there are mechanisms of control and formalisation within a centralised organisation, a culture of fear and uncertainty about loose control may result in these control mechanisms, such as policies, rules and procedures, becoming dysfunctional. This may not in fact be true.

Loose control in security needs better governance.

To cope with the current dynamic business environment, most organisations have opted for a more flexible decentralised decision making structure. While those organisations are likely to have a loose control, change management processes may still influence how loose the control actually is.

It should be obvious by now how important it is that an organisation's security culture is aligned with organisational culture. So a tight control of security in an otherwise loosely controlled organisation is not likely to work very well. It is, therefore, surprising that most often organisations still attempt to keep a tight control on their security.

This is a direct result of the current lack of guidelines for adequate security governance at the middle management level in both literature and current security standards. If an organisation does not develop a proper security strategic context, loose control of security will simply not work.

Loose control also increases the importance of coordination. As discussed under motivation, improving the horizontal social participation in an organisation can be an important tool in improving coordination.

Responsibility needs accountability.

Independent of whether there is tight control or loose control, clear guidelines on who has decision rights in the different areas of security are essential. This aspect is often called responsibility, and ensuring that all responsibilities have been assigned is a required feature in any strategic security policy. Top management support for security is a significant predictor of both the direction of an organisation's security culture and the level to which its security policies are enforced. Therefore, whereas operational responsibility and accountability may lie with middle management and end-users, top management has a clear responsibility to:
  • Visibly demonstrate a prioritization of security,
  • Provide strong and consistent support to the overall security program, and
  • Take security issues into account in planning organisational strategies.

Orientation and Focus 

The Orientation and Focus dimension is the eighth and last dimension of the Ruighaver/Maynard security culture model. The nature of the relationship between an organisation and its environment, and whether or not an organisation assumes that it controls, or is controlled by, its external environment, is an important aspect of both organisational culture and security culture. An organisation may have an internal orientation (focusing on people and processes within the organisation) or an external orientation (focusing on external constituents, customers, competitors and the environment), or have a combination of both.

The orientation and focus of an organisation's security will clearly depend on the environment in which the organisation operates. Unfortunately, if an organisation is forced to conform to external audit and government requirements, it is likely that the emphasis of its risk management processes will be only on meeting these requirements, and no longer on improving its security. Such organisations often believe that meeting these requirements guarantees good security. Similarly, it has been found that many other organisations only aim to bring their protective and ICT security in line with international industry standards. Again the emphasis is often geared towards passing an audit to prove that they have achieved this goal, rather than on achieving the best security for the organisation within the obvious limitations of resources and budget.

As security in an organisation is influenced by both external factors and internal needs, I believe that an ideal security culture has a balance between an internal and external focus. External requirements and industry standards can obviously not be ignored, but the external focus should at least also include an awareness of the organisation's external security environment and how this changes over time.

This will allow the organisation to pro-actively meet any new threats. More important, however, is that the organisation builds up an awareness of its internal security environment. If the organisation is not trying to identify what security breaches occur and why they occur, it will never know if its security strategies are working and how it can improve the implementation of these strategies.

Conclusion

There are challenges for both corporate and government security professionals in creating and maintaining a security culture within their organisation.

Financial constraints within corporations or government agencies provide an environment where risk management strategies must be robust and effective in order to provide an environment where security is valued as a capability enabler rather than a cost burden.

There is no simple solution, nor one solution that fits all. Each business unit has its own dynamics that require analysis to ensure solutions fit the culture and provide an environment where a security culture can thrive.

This is the challenge for corporate and government security advisers in the current and future security environment.

Security Culture Bibliography
Improving your Security Culture.
  1. Chia, P., Maynard, S. and Ruighaver, A.B. (2002) 'Exploring Organisational Security Culture', Sixth Pacific Asia Conference on Information Systems, Tokyo, Japan, 2-3 September 2002.
  2. Chia, P., Maynard, S. and Ruighaver, A.B. (2003) 'Understanding Organisational Security Culture', in Information Systems: The Challenges of Theory and Practice, Hunter, M. G. and Dhanda, K. K. (eds), Information Institute, Las Vegas, USA, pages 335-365.
  3. Dojkovski, S., Lichtenstein, S. and Warren, M. (2006) 'Challenges in Fostering an Information Security Culture in Australian Small and Medium Sized Enterprises', Proceedings of the 5th European Conference on Information Warfare and Security, Academic Conferences Limited, United Kingdom.
  4. Dojkovski, S., Lichtenstein, S. and Warren, M. (2005) 'Information Security Culture in Small and Medium Sized Enterprises: A Socio-Cultural Framework', Proceedings of the 6th Australian Information Warfare & Security Conference, School of Information Systems, Deakin University, Geelong, Australia.
  5. Martins, A. and Eloff, J. (2002) 'Information Security Culture', IFIP TC11 International Conference on Information Security, Cairo, Egypt, 7-9 May 2002.
  6. Ngo, L., Zhou, W. and Warren, M. (2005) 'Understanding Transition Towards Organisational Culture Change', Proceedings of the 3rd Australian Information Security Management Conference, Perth, Australia.
  7. Ruighaver, A.B., Maynard, S. and Chang, S. (2006) 'Organisational Security Culture: Extending the End-User Perspective', Computers & Security, Volume 26, Issue 1, February 2007, pages 56-62.
  8. Ruighaver, A.B. and Maynard, S. (2006) 'Organisational Security Culture: More Than Just an End-User Phenomenon', Proceedings of the 21st IFIP TC-11 International Information Security Conference (IFIP/SEC 2006), 22 May 2006, Karlstad, Sweden, pages 425-430.
  9. Schlienger, T. and Teufel, S. (2002) 'Information Security Culture - The Socio-Cultural Dimension in Information Security Management', IFIP TC11 International Conference on Information Security, Cairo, Egypt, 7-9 May 2002.
  10. Schlienger, T. and Teufel, S. (2003) 'Information Security Culture - From Analysis to Change', Proceedings of ISSA 2003, Johannesburg, South Africa, 9-11 July 2003.
  11. Schlienger, T. and Teufel, S. (2003) 'Analysing Information Security Culture: Increased Trust by an Appropriate Information Security Culture', 14th International Conference on Database and Expert Systems Applications (DEXA 2003), Prague, Czech Republic, September 2003.