• Embed Doc
  • Copy Link
  • Readcast
  • Collections
  • CommentGo Back
Download
 
CAMPUS SECURITY
70
WINTER 2008
SouthEast Education Network
Security 101:Who’s in Charge?
By Jonathan Kendall
PresidentKendall Design Group
(This is part two of a three part series.)
I
n the first part of this series, we discussed the psychologyof security. Not the psychology of the attacker, but thepsychology of those in charge of security. We discussedthe findings of Nobel Prize winner Daniel Kahneman, andAmos Tversky in the research of Prospect Theory, or the factthat on-average the people in charge of our children’s securitytake significantly more risks than was anticipated. Especiallythose risks that are more or less proven to be real problemsfor institutions large and small.We also examined why administrators chose to solve thewrong problem. An administration can solve the wrong prob-lem by installing a new security system or product, and thenbelieve they have a very secure campus, when, in fact, theyhave opened themselves to a new world of risk and liabil-ity because they have not thought the problem all the waythrough. These are generally well-meaning people who wantto put their institution in a positive light. Then, when a se-curity threat presents itself in the form of a cyber attack or aschool shooter, the administration is blind-sided, or overreactsand often engages in a high level of Safety Theater. In effectthey are executing a flashy “solution” to show everyone thatthey are taking steps to protect their campus community.Of course, when this happens after the “horse has leftthe barn,” they believe a theatrical, or massive, appearanceof action is required. Then a visible “tour de force” security“solution” is implemented, sometimes without a high levelof thought or analysis as to whether this will solve the realproblem or deter the real threat. Because this “solution” wasnot vetted in the context of the unique institution, it has thepotential to cause more security risks than it solves.We must carefully look at any attack whether it is com-puter or physical from the perspective of first how can weprevent the attack? Then if the attack occurs, how can wemonitor the attack is happening or has happened, and finallyas we know there is an attack, how can we respond to the at-tack? These steps can be confused or overlapped, they needto be explored as a part of the total solution.But why can’t we fight the propensity to engage in Pros-pect Theory and Safety Theater, and face the risk using a rea-sonable and rational methodology?We can. But it takes planning, thinking and experience. Ittakes a structured look into the real assets we are trying toprotect, from what attackers, in what context. We need toreview the solutions and how they will function during areal attack and what will be the unintended consequencesof the security solution. And then what are the real costs of the security solution in time, money, convenience, bureau-cracy and freedom. This will take a process approach and aconverged team effort with the ability to look beyond thepolitics of an organization, while keeping the critical assetsat heart.This is not easy. It may upset and alienate people in yourorganization, but the safety and security of your people, in-formation and resources need to come first.First, we need a framework to define and prioritize oursecurity interests and assets. We can prioritize in four groups:vital, extremely important, important, and less important orsecondary. For example, students lives and health wouldhave to be in the “vital” category, but what about a student’spersonal information?What about the property resources at your institutionsuch as the computers and the video projectors? Howabout the faculty? The neighboring community? Off campusassets? Buildings? Business offices? Cash? Outside contrac-tors? University credit data? Alumni data? How should all thisbe prioritized?We must clearly define the assets we are going to protectand prioritize these resources. Until we can truly define thepeople, places and things we are trying to protect, we can-not ever hope to define and apply an appropriate solution.
see SECURITY 101 page 72
 
CAMPUS SECURITY
Security 101
continued from page 70
We need to understand the context andcontent, the extent of the assets. Whatare they? How do they operate? What isthe interaction of the different parts of the assets? If these parts work togetherto form a coordinated structure or sys-tem, then we will need to look at theseissues individually and jointly.It is not as simple as saying we wantto save our students from a lone gun-man, and installing a text message sys-tem as that information could be feeddirectly to the gunman and allow himto evade the police more easily, or in-stalling a lockdown system that couldtrap students in an area with the gun-man making his attack easier and moredeadly.Vital interests are those which are es-sential for the survival of the institution.These might include access to sensitivepersonal and financial resources, pro-tection from lone-gunman attack, andprotection from crippling cyber attacks.Any one of these could jeopardize thesurvival of the institution or the way of campus life. We should be willing to de-fend these interests with our solution.Less important interests don’t war-rant the same level of commitment asdo, for example, protecting the studentpopulation from direct physical attack.We may care about promoting safe sexon campus or defending human rights,but should they trump the student’s,faculty and staff’s lives, or should theydrain away resources needed to protectother, more important interests? Theseare examples of the decisions to bemade as a part of your security analysis.
The process must anticipate threats to these interests.
We need vastly better solutions andprocesses, and forward-thinking analy-sis, which, when working together,help the institutional leaders antici-pate emerging threats that jeopardizeour interests. These threats should notbe driven by the current headline butshould be placed in the framework of the institutional goals, location, physi-cal resources, student body, availableresources, partnering opportunities,national interests, and other definingfactors.
Consider education security in a rap-idly changing world.
We must see the security threats asconverged physical, electronic and cy-ber protection. Look from the Cleve-land Elementary School to Columbineand Virginia Tech, to the 15-year oldstudent in Pennsylvania who stolethe sensitive personal information of 55,000 residents, students, parents andteachers from the local school district.The creativity and resourcefulness of today’s criminal, regardless of age, is ex-panding. Are these attacks for personalgain, fame or fun? It matters when ex-ploring security solutions.Third, the process must identify thesecurity solutions, products, processes,and countermeasure to each threat us-ing the appropriate level of resources.In other words, what’s the answer?This new, more focused process mustanticipate and rank these solutionsagainst all the institutional interests.We must understand the total solution,
     ▼
 
CAMPUS SECURITY
or countermeasure, against the threat.Equally important, we must analyze theeffect of this countermeasure on thesecurity-related outcome, and analyzethe interaction with other issues suchas related risks and the effect on othernon-security-related issues. Does the se-curity solution really protect the assetwithout causing undo harm to the cam-pus quality of life, for example?
Use a process to investigate, quantify and qualify candidate solutions.
The idea of just implementing a par-ticular system or technology can beboth wasteful and harmful. Too many of these systems are purely reactive, andbecome very easy for a criminal or at-tacker to work-around.We need during this stage to balancethe prevention of an incident againstthe detection of an incident, and bestmethods to respond to a securityevent.It is very unlikely that the manufac-turer of a product or the provider of protection guards will give you the oneanswer for your unique needs. After all,they have a “product” to sell, a prod-uct that may or may not solve the realproblem. This often will provide a highdegree of Safety Theater. As a rule, themarketing literature highlights a host of Safety Theater issues and answers. Weneed to look at these products in thefull context of all the threats and solu-tions, and the day-to-day reality of thecampus environment.
What are the costs of the solution?
This is not just the monetary invest-ment but what are the costs to the aca-demic freedom, convenience, usability,campus life? Can we expect those oncampus to use the product or process?All the solutions whether they areproducts or process have an impacton the campus and the functionalityof the assets, people and things beingprotected.What other costs or trade-offs doesthe security system or process require?This is force you to consider the impli-cations of the interaction of securitywith all the other processes and poli-tics on campus. It’s during this phasethat convergence can be considered.The security forces must form a teamagainst physical, electronic and cyberattacks — and the future blended at-tack.As we explore these steps of theprocess, we will find that some of theanswers to be simple, and some to betoo onerous or too expensive to imple-ment.Let’s say the first priority for an in-stitution is against the lone gunmanattacker. Just build a campus-fortressthat is strong and secure with 24/7vigilance. Construct a wall around thecampus with controlled entry and exitpoints checking student ID’s at ev-ery turn. Then have regular patrols of trained security guards and the prob-lem is solved — right?It may seem that in an urban settingthis is possible, even preferred, but it’sa trap. It is a classic example of buildinga breakable security solution against asmart and well prepared attacker. Manyof the school shooters are students atthe institution, so they have access toeverything and a working knowledgeof the security measures, and time, and
see COSTS OF THE SOLUTION page 78
of 00

Leave a Comment

You must be to leave a comment.
Submit
Characters: ...
You must be to leave a comment.
Submit
Characters: ...