Effective Physical Security by Lawrence Fennelly by Lawrence Fennelly - Read Online

Book Preview

Effective Physical Security - Lawrence Fennelly

You've reached the end of this preview. Sign up to read more!
Page 1 of 1


Chapter 1

Influence of Physical Design

Marianna Perry, MS, CPP


The relationship between physical design and informal social control of crime is a new idea only in the sense of its systematic application to the modern urban scene. Prior to the development of the modern city, most societies took some precautions to relate security in the physical environment to a responsibility for security actions by the inhabitants themselves.

In the rush of modern urban development, however, economic and political priorities seem to far outweigh security priorities, with the result that many urban settings now seem deliberately designed to discourage informal social control. No colonial community would have done so, even when stockades were no longer needed for defense. New England towns continued to be constructed so that homes and stores formed a hollow square around a central common area where social activities could take place and where livestock could be kept in relative security. In this kind of environment, everyone knew everyone else’s business. While this meant less personal privacy than the modern city-dweller may enjoy, it also meant a high degree of shared responsibility for controlling undesirable behavior and unwanted intrusion.

Only recently have students of modern urban society begun again to take serious note of the relationship between physical design and informal social control. Jane Jacobs first applied the concept to modern cities in 1961. In her book The Death and Life of Great American Cities [1], she theorized that multiple land uses along residential streets provided an interaction between the physical design and the users (pedestrians and residents), which promoted natural and informal surveillance and, therefore, increased the safety of the streets.

Lee Rainwater, in an evaluation of a public housing project in St. Louis in 1966, discussed the effect of physical design on the attitudes of public housing residents, pointing out that inappropriate architectural design was directly related to antisocial behavior [2].

Elizabeth Wood, writing in 1961, suggested that current design patterns in public housing projects appeared to discourage informal social relationships and gatherings, thereby preventing the development of social interactions through which residents could create informal social controls and self-policing[3].

Schlomo Angel, in 1968, found that variations in the level of pedestrian and vehicular traffic could either encourage or discourage crimes[4]. Too few users provided enough potential victims, but not enough potential witnesses.

Gerald Leudtke and E. Lystad found, as the result of studies in Detroit, that

 many of the features of urban form and structure…could tend to facilitate or decrease the4 probability of crime. Such physical features include the condition and maintenance of buildings, streets, and alleys; evidence of recent construction; mixtures of land use; rates of pedestrian traffic and pedestrian accumulation within various land uses; location of structures on an urban grid pattern; and distance to adjacent structures. Other examples are types of parking facilities; visibility into structures from roads, sidewalks and adjoining buildings; concealment by trees, shrubs, parked automobiles, fences, signs, and advertising; the visibility of entrance points; building setbacks; and, the number and arrangement of entrance points in a building[5].

In 1969, Oscar Newman and George Rand[6] developed a theory of territoriality (now referred to as defensible space) that held that proper physical design of housing encourages residents to extend their social control from their homes and apartments out into the surrounding common areas. In this way, they change what previously had been perceived as semi-public or public territory into private territory. Upgrading the common areas in this way results in increased social control and an interaction between physical environment and its users that reduces crime.

As Newman himself defines it,

 Defensible space is a surrogate term for the range of mechanisms—real and symbolic barriers, strongly defined areas of influence, improved opportunities for surveillance—that combine to bring an environment under the control of its residents. A defensible space is a living residential environment that can be employed by inhabitants for the enhancement of their lives, while providing security for their families, neighbors, and friends. The public areas of a multifamily residential environment devoid of defensible space can make the act of going from street to apartment equivalent to running the gauntlet. The fear and uncertainty generated by living in such an environment can slowly eat away and eventually destroy the security and sanctity of the apartment unit itself. On the other hand, by grouping dwelling units to reinforce association of mutual benefit, by delineating paths of movement, by defining areas of activity for particular users through their juxtaposition with internal living areas, and by providing for natural opportunities for visual surveillance, architects can create a clear understanding of the function of a space, who its users are and ought to be. This, in turn, can lead residents of all income levels to adopt extremely potent territorial attitudes and policing measures, which act as a strong deterrent to potential criminals[7].

A study by Reppetto[8] in Boston indicated the need to expand the crime prevention through environmental design process to include whole neighborhoods and provide for comprehensive data collection efforts, which would both define the nature of crime patterns and suggest appropriate countermeasures.

Reppetto was also able to show that closely knit communities do tend to protect their members through informal social controls. This finding was further emphasized by John Conklin in The Impact of Crime:

 A tightly knit community can minimize the problem of street crime. However, informal social control also poses a threat to the diversity of behavior that exists in a pluralistic society, even though it may curb violent crime. Still, street crime would decline if interaction among the residents of a community were more frequent, and if social bonds were stronger. A sense of responsibility for other citizens and for the community as a whole would increase individuals’ willingness to report crime to the police and the likelihood of their intervention in a crime in progress. Greater willingness of community residents to report crime to the police might also obviate the need for civilian police patrols. More interaction in public places and human traffic on the sidewalks would increase surveillance of the places where people now fear to go. More intense social ties would reinforce surveillance with a willingness to take action against offenders[9].

C. Ray Jeffrey, in his classic theoretical work Crime Prevention Through Environmental Design (1971)[10], written before Jeffrey became aware of the works of Newman and others, proposed a three-fold strategy involving not only physical design, but also increased citizen participation and the more effective use of police forces. He contended that the way to prevent crime is to design the total environment in such a manner that the opportunity for crime is reduced or eliminated.

Jeffrey contends that both the physical and social characteristics of an urban area affect crime patterns. Better physical planning is a key to unlocking the potential for improved physical security and the potential for development of informal social control. He also argues for high levels of precision in the analytical stages that precede physical planning for crime reduction:

 One of the major methodological defects in ecological studies of crime rates has been the use of large units and census tract data as a basis for analysis. The usual units are rural–urban, intricacy, intercity, regional, and national differences.…Such an approach is much too gross for finding the physical features associated with different types of crimes.

 We must look at the physical environment in terms of each building, or each room of the building, or each floor of the building. Fine-grain resolution is required in place of the usual large-scale photographs.…Whenever crime rates are surveyed at a micro level of analysis, it is revealed that a small area of the city is responsible for a majority of the crimes. This fact is glossed over by gross statistical correlation analysis of census tract data, which ignore house-by-house or block-by-block variations in crime rates. For purposes of crime prevention we need data that will tell us what aspects of the urban environment are responsible for crime, such as the concentration of homicide or robbery in a very small section of the city[11].

Defensible Space

Oscar Newman and others have explored and further defined the defensible space concept in recent years through design studies and experiments involving existing and new public housing projects. The following summary of defensible space techniques will give the practitioner an initial understanding of this important application of physical design to the urban residential environment.

Design for defensible space involves attempts to strengthen two basic kinds of social behavior called territoriality and natural surveillance.


The classic example of territoriality is the a man’s home is his castle tradition of the American single-family home and its surroundings. In this tradition, the family lays claim to its own territory and acts to protect it. This image of the home as a castle reinforces itself by the very act of its position on an integral piece of land buffered from neighbors and the public street by intervening grounds[12].

As the urban setting has grown, the single-family home has become, to developers, an economic liability. Family housing has moved into the row house (townhouse), apartment complex, high-rise apartment structure, and massive public housing project. Whatever the benefits of this transition, the idea of territoriality has been largely lost in the process. The result is that most families living in an apartment building experience the space outside their apartment unit as distinctly public; in effect, they relegate responsibility for all activity outside the immediate confines of their apartment to the public authorities[13].

As residents are forced by the physical design of their surroundings to abandon claim to any part of the outside world, the hallways, stairways, lobbies, grounds, parking lots, and streets become a kind of no-man’s land in which criminals can operate almost at will. Public and private law enforcement agencies (formal controls) attempt to take up the slack, but without the essential informal social control that a well-developed social sense of territoriality brings, law enforcement can do little to reduce crime.

Natural Surveillance

The increased presence of human observers, which territoriality brings, can lead to higher levels of natural surveillance in all areas of residential space. However, the simple presence of increased numbers of potential observers is not enough, because natural surveillance, to be effective, must include an action component. The probability that an observer will act to report an observed crime or intervene in it depends on:

• The degree to which the observer feels that his or her personal or property rights are violated by the observed act.

• The extent to which the observer is able to identify with the victim or property under attack.

• The level of the observer’s belief that his or her action can help, on the one hand, and not subject him or her to reprisals on the other.

Obviously, the probability for both observation and action is greatly improved by physical conditions, which create the highest possible levels of visibility.

Design Guidelines

Defensible space offers a series of architectural guidelines that can be used in the design of new urban residential complexes to promote both the residential group’s territorial claim to its surroundings and its ability to conduct natural surveillance[14].

• Site design can stress the clustering of small numbers of residential units around private hallways, courtyards, and recreation areas. In these restricted zones, children can play, adults can relax, and strangers can easily be identified and questioned. Such private spaces can be created by internal and external building walls and access arrangements, and by the use of perceptual barriers such as a fence, shrubbery, and other boundary markers.

• Site interrelationships design can be used to create semi-private connecting and common spaces between and among the private family clusters. Walkways, vehicle access ways, parking areas, recreational facilities, lobbies, and laundry and shopping areas can be designed so that each cluster relates to them much like each resident of a cluster relates to his or her common private space. Physical design can be used to further extend the sense of territoriality and the possibility for informal social control.

• Street design and the design of other public spaces can be engineered to make these spaces into semi-public extensions of the residential clusters and their connectors. Closing streets to through traffic, installing benches and play areas near the streets, providing adequate lighting, and placing perceptual barriers to indicate the semi-public nature of the area can help to define these spaces as part of the shared residential group territory.

• Surveillance-specific design can be used in each of the design areas mentioned here to increase general visibility by providing adequate lighting, by reducing or eliminating physical barriers to visibility, and by the visibility-promoting location of key areas (e.g., entrances, lobbies, elevator waiting areas, recreational and parking areas) so as to be directly visible from as many viewpoints as possible.

Modifying Existing Physical Design

Cost limitations prevent substantial reconstruction of most existing urban residential facilities. However, a number of relatively low-cost techniques can be used to modify existing facilities so as to promote territoriality and natural surveillance. These include:

• Installing adequate security devices (locks, doors, and windows) in each residential unit.

• Dividing common lawn areas (front or back) into private yards and patios through the use of shrubbery, low fences, and other perceptual barriers.

• Improving the attractiveness and semi-privacy of pathways and other common outside areas by use of decorative paving and lighting: installing benches and other seating arrangements at strategic intervals, careful landscaping, and tying play areas, parking, and vehicle access ways to the overall design.

• Reducing the number of public access points and providing the remaining points with adequate lighting, visibility, and security.

• Establishing audio and video surveillance (monitored by residents or by security staff) in strategic internal areas.

It should be emphasized, in summary, that creating defensible space is not the same as creating a hardened security system (as might be found, for example, in a high-rise luxury apartment). In fact, it is almost the opposite: Defensible space operates on the premise that the living environment must be opened up and used by residents and others, not closed in. It is only in the open, used environment that people can be stimulated to establish the self-policing condition, which is informal social control. In this open living environment, opportunities for crime may continue to exist, but the probability for criminal activity is reduced.

It should also be emphasized that the physical design component of defensible space should always be accompanied by efforts to develop and sustain active citizen participation and by strategies for improved interaction between citizens and law enforcement agencies.

Crime Prevention Through Environmental Design

Crime prevention through environmental design (CPTED) is still a rapidly growing field of study and experimentation. CPTED attempts to apply physical design, citizen participation, and law enforcement strategies in a comprehensive, planned way to entire neighborhoods and major urban districts, as well as to specific urban subsystems such as public schools and transportation systems.


Before summarizing the CPTED approach, we suggest that the practitioner view CPTED developments with a healthy skepticism, at least for the present. There are several reasons why a sense of caution is in order:

• CPTED approaches have been conclusively demonstrated.

• There is some disagreement among crime prevention theorists as to the correctness of the assumptions on which current CPTED programs are based.

• The magnitude of the typical CPTED project may be well beyond the practitioner’s current ability to plan, implement, and manage.

• The cost of a typical CPTED project can represent a major financial investment, and unless the investment can be justified on a research and demonstration basis, there is no guarantee that it will be cost effective.

Despite these cautions, it is useful for the practitioner to be aware of the principles and current applications of the CPTED concept so that he or she can watch its developments and make appropriate use of the knowledge that it may produce.

Recent Projects

In a project combining the best of current community policing techniques with the principles of CPTED the city of Manchester, New Hampshire, proved the value of this integrated approach. In Manchester, the police department formed partnerships with community organizations and provided appropriate crime prevention training, including CPTED to all of the officers assigned to the project areas. By combining the concepts of community policing with the application of CPTED, and other related crime prevention strategies, the community realized remarkable reductions in several crime categories. The area encompasses three areas of public housing in which CPTED principles were applied. The changes in community perceptions about crime were measured through surveys and the crime statistics were updated frequently to give the police department the best possible data. In this enterprise community area drug activity reduced 57%, robbery reduced 54%, burglary reduced 52%, and police calls for service dropped 20%. Additionally, the perceptions of the area’s citizens were markedly improved. This example demonstrates the levels of success possible when sound policing, crime prevention, and the concepts of CPTED are combined in the correct proportions. As a result of these levels of success the project was recognized by the Department of Housing and Urban Development (HUD) through the awarding of the John J. Gunther Award. This award recognizes the best practices and was awarded in this instance in the category of Suitable Living Environment.

Territorial Defense Strategies

Territorial defense strategies emphasize prevention of property-related crimes such as breaking and entering, auto theft, and household larceny. Within this group there are five related strategy areas: land use planning, building grounds security, building perimeter security, building interior security, and construction standards.

• Land use planning strategies involve planning activities aimed at avoiding land use mixtures that have a negative impact on neighborhood security, through zoning ordinances and development plan reviews.

• Building grounds security strategies provide the first line of defense against unauthorized entry of sites and offer social control mechanisms to prevent dangerous and destructive behavior of visitors. The emphasis is on the access control and surveillance aspects of architectural design. The target environment might be a residential street, the side of a housing complex, or alleyways behind or between business establishments.

• Building perimeter security strategies provide a second line of defense for protecting site occupants and property by preventing unauthorized entries of buildings. They involve physical barriers, surveillance and intrusion detection systems, and social control mechanisms.

• Building interior security strategies provide the third line of defense for protecting site occupants and property by preventing unauthorized access to interior spaces and valuables through physical barriers, surveillance and intrusion detection systems, and social control mechanisms.

• Construction standards strategies involve building security codes that require construction techniques and materials that tend to reduce crime and safety hazards. These strategies deal both with code adoption and code enforcement.

It is important to be able to effectively evaluate territorial defense strategies and consider the three types of changes.

• Type one addresses design features such as locks, lights, fences, etc.

• Type two considers the impact of the implemented design features on the legitimate users of the property. Have they been inconvenienced by the changes in physical design and are they on board with in the risk management process?

• Type three changes deal with the direct effect of the intervening factors on crime and the indirect influence of physical design on crime[16].

Personal Defense Strategies

The second basic strategic approach focuses on the prevention of violent or street crimes such as robbery, assault, and rape, and the reduction of fear associated with these crimes. Specific strategies included safe streets for people, transportation, cash off the streets, and citizen intervention.

• Safe streets for people strategies involve planning principles derived primarily from the CPTED concepts of surveillance and activity support. Surveillance operates to discourage potential offenders because of the apparent risk of being seen and can be improved through various design modifications of physical elements of the street environment (e.g., lighting, fencing, and landscaping). Pedestrian traffic areas can be channeled to increase their use and the number of observers through such measures as creating malls, eliminating on-street parking, and providing centralized parking areas.

• Transportation strategies are aimed at reducing exposure to crime by improving public transportation. For example, transit waiting stations (bus, trolley) can be located near areas of safe activity and good surveillance, or the distance between stations can be reduced, which improves accessibility to specific residences, business establishments, and other traffic-generating points.

• Cash off the streets strategies reduce incentives for crime by urging people not to carry unnecessary cash and provide commercial services that minimize the need to carry cash.

• Citizen intervention, unlike the three previous strategies, consists of strategies aimed at organizing and mobilizing residents to adopt proprietary interests and assume responsibility for the maintenance of security.

Law Enforcement Strategies

The third general approach involves police functions that support community-based prevention activities. The two major activities are police patrol and citizen–police support.

• Police patrol strategies focus on ways in which police deployment procedures can improve their efficiency and effectiveness in responding to calls and apprehending offenders.

• Citizen–police support strategies consist of police operational support activities that improve citizen–police relations and encourage citizens to cooperate with the police in preventing and reporting incidents.

Community policing requires cooperation between members of the community and the police. Community members may be individual citizens, citizen groups, business associations, and government agencies and local offices that include health departments, building inspectors, and community development offices. Community members must be involved in not only calling the police to report a crime, but also helping to identify and solve other problems in the community. The most important element of community policing is problem solving, and crime is simply identified as a symptom of other problems in the community. The main focus of community policing is to deal with the underlying cause of crime and not just react to the symptoms of the problem[17].

Confidence Restoration Strategies

This fourth general strategy for commercial and residential environments involves activities that are aimed primarily at mobilizing neighborhood interest and support to implement needed CPTED changes. Without such interest and support, it is unlikely that programs of sufficient magnitude could possibly be successful, particularly in many high–crime rate neighborhoods where people have lost hope. There are two specific strategy areas: investor confidence and neighborhood identities.

• Investor confidence strategies promote economic investment and, therefore, social and economic vitality.

• Neighborhood identity strategies build community pride and foster social cohesion.

Most of these specific strategies are discussed in this and other chapters (some under different names). As a whole, this list of strategies is well organized and provides a good framework with which to view the possible interaction of a variety of crime prevention efforts.


To see how these strategies were applied, let us look briefly at the major changes described in the American Architecture Foundation’s presentation, Back from the Brink: Saving America’s Cities by Design [18]. This provides examples of CPTED applications, with very little mention of crime, as applied in Portland, Oregon, and some other locales. The principles applied are sound, workable redesign strategies that accomplish the goals of CPTED without overreliance on their direct crime prevention intent. Indeed, they are not presented as crime prevention, but redevelopment efforts, which consider the quality of life above most other considerations.

The CPTED applications in the featured cities achieve the following:

• Reduce opportunities for crime and fear of crime by making streets and open areas more easily observable, and by increasing activity in the neighborhood.

• Provide ways in which neighborhood residents, businesspeople, and police can work together more effectively to reduce opportunities and incentives for crime.

• Increase neighborhood identity, investor confidence, and social cohesion.

• Provide public information programs that help businesspeople and residents protect themselves from crime.

• Make the area more accessible by improving transportation services.

• Improve the effectiveness and efficiency of governmental operations.

• Encourage citizens to report crimes.

The steps taken to achieve these objectives include:

• Outdoor lighting, sidewalk, and landscaping improvements.

• Block watch, safe homes, and neighborhood cleanups.

• A campaign to discourage people from carrying cash.

• A major improvement and expansion of public transportation.

• Improved street lighting.

• Public transportation hubs that are purpose-built.

These improvements have enhanced the quality of life and provided an atmosphere of improvement in each of the communities featured.

The application of CPTED to school design has been promoted in a number of locations through the work of local practitioners, and in cooperation with school district personnel.

Additional CPTED case studies and information may be found in our text, written by Tim Crowe, Crime Prevention through Environmental Design: Applications of Architectural Design and Space Management Concepts [19]. This text offers CPTED as a specific topic and is widely used by students and practitioners.

The Future of CPTED

The most consistent finding in evaluations of CPTED and related projects is that the users of space must be involved in design decisions. Their involvement ensures that the designs are realistic and that the users will comply with the behavioral objectives of the plans. Numerous applications of CPTED concepts have been tried successfully on a spot basis, which tends to support the idea that the more simplistic approaches are the most viable. That is, it seems reasonable to assume that the crime prevention practitioner may confidently use CPTED strategies in very specific, controlled environmental settings.

There are many hundreds of examples of CPTED strategies in practice today. It is unfortunate that most of the successful applications have not been publicized well, since they are usually part of ongoing field activities that do not come to the attention of evaluators or government agencies. However, it has been noted that most applications center on some mixture or interaction between the three basic CPTED processes of natural surveillance, natural access control, and territoriality. The most basic common thread is the primary emphasis on naturalness—simply doing things that you already have to do, a little better.

The most productive uses of CPTED, in the foreseeable future, will center on the following simplistic strategies:

• Provide clear border definition of controlled space.

• Provide clearly marked transitional zones that indicate movement from public to semi-public to private space.

• Relocate gathering areas to locations with natural surveillance and access control, or to locations away from the view of would-be offenders.

• Place safe activities in unsafe locations to bring along the natural surveillance of these activities (to increase the perception of safety for normal users and risk for offenders).

• Place unsafe activities in safe spots to overcome the vulnerability of these activities with the natural surveillance and access control of the safe area.

• Redesignate the use of space to provide natural barriers to conflicting activities.

• Improve scheduling of space to allow for effective use, appropriate critical intensity, and the temporal definition of accepted behaviors.

• Redesign or revamp space to increase the perception or reality of natural surveillance.

• Overcome distance and isolation through improved communication and design efficiencies.

The future of CPTED rests with the persons who shape public and private policy. Crime prevention practitioners will have to communicate CPTED concepts in terms that relate to the overall priorities of their organizations or communities. Productivity, profitability, and quality of life are concerns that affect policymakers, not specifically security or crime prevention for its own sake. Accordingly, chief executives, builders, architects, planners, engineers, and developers will have to embrace CPTED design objectives. Elected officials and legislative bodies will have to be held accountable for assuring that CPTED is considered in capital improvement and development plans. Property owners and residents of neighborhoods and commercial areas need the opportunity to question planning, zoning, and traffic signalization decisions. Finally, strategic plans that encompass 20-year community development periods require an assessment of crime prevention needs and programs.

The United States federal government initiated physical design criteria to ensure appropriate protection for federal buildings and occupants after the 2001 terrorist attacks at the World Trade Center and the Pentagon and the 1995 bombing of the Murrah Federal Building in Oklahoma. These guidelines take into account not only physical security but also CPTED.


The application of environmental design concepts by the crime prevention practitioner can be as cost effective as the design of crime risk management systems for individual place managers. Such an application must be based, however, on sound analysis of particular crime patterns and the physical and social conditions that are related to those patterns. It should stress innovative solutions that are appropriate to the particular circumstances, that are cost effective, and that will not create more problems than they solve. It should stress working with things as they are rather than with things as they ought to be.

The practitioner needs, above all, to become well acquainted with the people and organizations responsible for physical development and redevelopment in his or her community. The best opportunities for applying crime prevention through environmental design occur when buildings, street layouts, street lighting programs, new subdivisions, shopping centers, and housing projects are still in the planning stages, and crime prevention principles can be incorporated before construction starts. Good security design can help prevent crime. It is important to remember that the premise behind CPTED is the physical design and the use of space. It is not the typical target-hardening approach to crime prevention[20].

In keeping with the theory that the quality of the physical environment impacts human behavior, we think that crime prevention and community development go hand in hand. Physical design that enhances the environment from a balanced economic–social–political standpoint can also discourage criminal activity, and the concept of crime prevention through environmental design can be used in any situation—high-density urban areas, small cities and towns, and even rural areas. The essential role of the practitioner is to see the whole picture and to see to it that physical design, citizen participation, and police activities fit together.

In June 2009, ASIS International published a guideline entitled Facilities Physical Security Measures, ASIS GDL, FPSM-2009[21]. This publication includes CPTED along with typical physical security countermeasures as a major component in any crime prevention program. The physical design of an environment is an important element to consider and the major task of the crime prevention practitioner is to analyze existing and planned physical design, to determine how it relates to existing or potential crime patterns, and recommend physical design countermeasures to the proper person or organization.


1. Jacobs J. The death and life of great American cities. New York: Vintage Books; 1961.

2. Rainwater L. Fear and the home-as-haven in the lower class. Journal of the American Institute of Planners, January 1966:23–37.

3. Wood E. Housing design: A social theory. New York: Citizens’ Housing and Planning Counsel of New York, Inc; 1961.

4. Angel S. Discouraging crime through city planning. Berkeley: University of California Press; 1968.

5. Leudtke G, Lystad E. Crime in the physical city Final Report. LEAA Grant No NI 1970:69–78.

6. Newman O, Rand G. Defensible space. Published by Oscar Newman New York Publishing: Macmillan; 1972.

7. National Institute of Law Enforcement and Criminal Justice, 1972. Urban design, security, and crime. Proceedings of a seminar held April 12–13, 1972, published by the Law Enforcement Assistance Administration (LEAA), p. 15.

8. Reppetto TA. Residential crime. Cambridge, MA: Ballinger Publishing; 1974.

9. Conklin J. The impact of crime. New York: Macmillan Publishing; 1975; 299.

10. Jeffrey CR. Crime prevention through environmental design. Beerly Hills, CA: Sage Publications; 1971.

11. Jeffrey CR. Behavior control techniques and criminology: 1975. Ecology Youth Development Workshop Honolulu: University of Hawaii School of Social Work; 1975.

12. Op. cit., Newman, pp. 51–52.

13. Ibid.

14. Ibid.

15. Newman O. Design guidelines for creating defensible space. Washington, DC: LEAA; 1976.

16. Robidas, RL, 1996. Reports on activity in project area for the Manchester (NH) police department.

17. Lab SP. Crime prevention: Approaches, practices and evaluations. Bowling Green State University, OH: Anderson Publishing; 2007.

18. American Architecture Foundation. Back from the brink: Saving America’s cities by design, videocassette. American Architecture Foundation 1996; , Washington DC.

19. Crowe TD. Crime prevention through environmental design: Applications of architectural design and space management concepts. Stoneham, MA: Butterworth; 1991.

20. Atlas RI. 21st century security and CPTED. Boca Raton, FL: Auerbach Publications; 2008.

21. ASIS International. Facilities physical security measures guideline. Alexandria, VA: ASIS International; 2009; ASIS GDL, FPSM-2009.

Chapter 2

Introduction to Vulnerability Assessment

Mary Lynn Garcia

This text is a follow-on to the previously published Design and Evaluation of Physical Protection Systems. That book (hereafter referred to as the Design textbook) provided an overview of the principles and concepts that must be considered when implementing a physical protection system (PPS); this book is a description of how to apply those principles and concepts to identify the vulnerabilities of an installed PPS and propose effective upgrades if needed. This book is the basis of all vulnerability assessments (VAs) conducted by Sandia National Laboratories during the last 30 years for a wide spectrum of customers including the U.S. Department of Energy, U.S. Department of Defense, North Atlantic Treaty Organization, U.S. Department of State, Government Services Administration, dam and water systems, prisons, schools, communities, and chemical companies.

A VA is a systematic evaluation in which quantitative or qualitative techniques are used to predict PPS component performance and overall system effectiveness by identifying exploitable weaknesses in asset protection for a defined threat. After the VA identifies weaknesses, it is used to establish the requirements for an upgraded PPS design. In addition, a VA is also used to support management decisions regarding protection system upgrades. Risk assessment and VA are such closely related activities that many security professionals use the terms interchangeably. This may not present a huge problem in practice, but it does hinder communication between and among security service providers and customers.

The VA process can be broken into three distinct phases: planning, conducting the VA, and reporting and using the results. This process is part of the larger risk assessment process. Each of the phases will be described in detail in the remaining chapters of this text. The key points discussed in this chapter include:

• Risk management and vulnerability assessment

• Risk assessment and the vulnerability assessment process

• Vulnerability assessment process overview

• Vulnerability assessment and systems engineering

This text is concerned with the VA of a PPS, but the concepts can be applied to cyber protection, personnel protection, and overall security protection at a facility or across an enterprise. For clarity, throughout this text the term enterprise includes organizations, companies, agencies, governments, or any other entity with the need to manage security risks. The term asset includes people, property, information, or any other possession of an enterprise that has value.

It is important to differentiate security from safety when discussing a VA. Safety is defined as the measures (people, procedures, or equipment) used to prevent or detect an abnormal condition that can endanger people, property, or the enterprise. These include accidents caused by human carelessness, inattentiveness, and lack of training or other unintentional events. Security, on the other hand, includes the measures used to protect people, property, or the enterprise from malevolent human threats. This includes civil disturbances, sabotage, pilferage, theft of critical property or information, workplace violence, extortion, or other intentional attacks on assets by a human. A good security VA will consider safety controls because some safety measures aid in detection and response to security events (sprinklers will fight fires regardless of the cause), but some attacks require additional detection and response capability. For example, a disgruntled employee can sabotage critical manufacturing equipment and reduce production to a significant extent. Without security controls, it could be difficult to determine quickly enough whether this is an intentional act of sabotage and prevent a significant loss of revenue.

Risk Management and Vulnerability Assessment

Risk management is the set of actions an enterprise takes to address identified risks and includes avoidance, reduction, spreading, transfer, elimination, and acceptance options. Good risk management programs will likely include a combination of these options. Risk avoidance is accomplished by removing the source of the risk; for example, a company may choose to buy a critical component from another company, rather than manufacture it. This removes the production line as a sabotage target. Risk reduction is achieved by taking some actions to lower risk to the enterprise to reduce the severity of the loss. This is the goal of many security programs—lower risk by implementing at least some security measures. Risk can also be spread among multiple locations, perhaps by having similar production capability at more than one enterprise facility. Then, loss of capability at one site may be managed by increasing production at the other locations. Another example of risk spreading is the distribution of assets across a large industrial facility. By separating the assets, fewer assets may be at risk during any given adversary attack. Risk transfer is the use of insurance to cover the replacement or other costs incurred as a result of the loss. This is an important tool in many security systems. Risk acceptance is the recognition that there will always be some residual risk. The key is to knowingly determine an acceptable level, rather than unwittingly accepting it. In security risk management, these decisions are based on the consequence of loss of the asset, the defined threat, and the risk tolerance of the enterprise. A trade-off analysis must be performed to ensure that the dollars spent on physical security provide a cost-effective solution to security issues. If other risk management options provide equal or better results at lower cost, the use of a PPS may not be justified.

Security is only one facet of risk; therefore, it must be considered in the context of holistic risk management across the enterprise, along with other categories such as market, credit, operational, strategic, liquidity, and hazard risks. The relationships among risk management, risk assessment, and vulnerability assessment are shown in Figure 2-1. Risks across an enterprise must be managed holistically, and those identified as above an acceptable level must be addressed. VA is one of the constituent pieces of security risk assessment and is used to support risk management decisions.

FIGURE 2-1 Relationship between risk management and vulnerability assessment.

To frame the relationship between risk assessment and risk management, consider definitions provided by Kaplan and Garrick, who state that in risk assessment, the analyst attempts to answer the three questions: What can go wrong? What is the likelihood that it would go wrong? What are the consequences? The answers to these questions help identify, measure, quantify, and evaluate risks. Then, risk management builds on risk assessment by answering a second set of questions: What can be done? What options are available? What are their associated trade-offs in terms of costs, benefits, and risks? What are the impacts of current management decisions on future options? The answer to the last question provides the optimal solution. Total risk management results from this process, where total risk management is defined as a systematic, statistically based, holistic process that builds on formal risk assessment and management by answering the two sets of questions and addressing the sources of system failures.

A security risk assessment is the process of answering the first three questions using threat, likelihood of attack, and consequence of loss as their benchmarks.

A thorough security risk assessment would consider risks in the component parts of a security system (cyber, executive, transportation protection, etc.) to facilitate informed risk decisions across the enterprise. As applied to the VA of a PPS, risk assessment is an evaluation of the PPS supported by a number of analysis methodologies, including:

• Threat analysis

• Consequence analysis

• Event and fault tree analyses

• Vulnerability analysis

Risk Assessment and the Vulnerability Assessment Process

Most facilities or enterprises routinely conduct risk assessments of their security systems to verify that they are protecting corporate assets and to identify areas that may need additional attention. These assessments are defined differently for different enterprises, but in general they include consideration of the likelihood of a negative event; in this case it is a security incident and the consequence of that event. The Design textbook ended with a description of risk assessment and provided a formula that can be used to calculate risk, using qualitative or quantitative measures. That discussion, with one addition, is repeated here.

Security risk can be measured qualitatively or quantitatively through the use of the following equation:


R = risk to the facility (or stakeholders) of an adversary gaining access to, or stealing, critical assets. Range is 0–1, with 0 being no risk and 1 being maximum risk. Risk is calculated for a period of time, such as 1 year or 5 years.

PA = probability of an adversary attack during a period of time. This can be difficult to determine, but generally there are records available to assist in this effort. This probability ranges from 0 (no chance at all of an attack) to 1 (certainty of attack). Sometimes in the calculation of risk, we assume there will be an attack, which mathematically sets PA = 1. This is called a conditional risk, where the condition is that the adversary attacks. This does not mean there will absolutely be an attack, but that the probability of attack is unknown or the asset is so valuable that it will be protected anyway. This approach can be used for any asset, but it is generally reserved for the most critical assets of a facility, where the consequence of loss is unacceptably high, even if PA is low. For these assets, a PPS is generally