CPP Security Management

PROTECTION
OF ASSETS
SECURITY MANAGEMENT
PROTECTION
OF ASSETS
SECURITY MANAGEMENT
PROTECTION
OF ASSETS
SECURITY MANAGEMENT
ASIS International | 1625 Prince Street | Alexandria, VA 22314 USA | www.asisonline.org

Copyright © 2012 by ASIS International
ISBN 978-1-934904-25-1
Protection of Assets is furnished with the understanding that the publisher is not engaged in
rendering legal, accounting, or other professional services. It is designed as a ready reference and
guide to the covered subjects. While every effort has been made to ensure accuracy of contents
herein, it is not an official publication and the publisher can assume no responsibility for errors or
omissions.
All rights reserved. No part of this publication may be reproduced, translated into another
language, stored in a retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise without the prior written consent of the
copyright owner.
Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1
ACKNOWLEDGMENTS
ASIS International (ASIS), the world’s leading society for security professionals, originally founded
in 1955 as the American Society for Industrial Security, acquired Protection of Assets in December
2003. The acquisition of this work underscores the Society’s leadership role in professional
education. It is the sincere desire of ASIS and its editorial staff to continue to enhance the value of
this important reference.
Protection of Assets, which has been in existence since 1974, is recognized as the premier reference
for security professionals and the publisher wishes to acknowledge the two founding authors and
subsequent editors.
Timothy J. Walsh, CPP Richard J. Healy, CPP
Timothy L. Williams, CPP

Managing Editor
Editorial Associates
David G. Aggleton, CPP

Milton E. Moritz, CPP
Mike Hodge, J.D.
Sanford Sherizon, Ph.D., CISSP
Timothy J. Walsh, CPP, Editor Emeritus
As we move forward, confronted with issues that present a challenge to the security industry, our
mission is to ensure that Protection of Assets provides the strategic solutions necessary to help
st
professionals meet the demands of the 21 century and beyond. We also pledge to assemble a
group of subject matter experts who will enhance this reference as necessary to achieve our
mission.
Michael E. Knoke, CPP

Managing Editor
Eva Giercuszkiewicz, MLS, Project Manager

Evangeline Pappas, Production Manager
Peter E. Ohlhausen, Technical Editor
PREFACE
OBJECTIVES OF PROTECTION OF ASSETS

Protection of Assets (POA) is intended for a security professional to find current, accurate, and
practical treatment of the broad range of asset protection subjects, strategies, and solutions in a
single source.
The need for such a comprehensive resource is quite widespread according to the editors, writers,
and many professional colleagues whose advice has been sought in compiling this text. The
growing size and frequency of all forms of asset losses, coupled with the related increasing cost
and complexity of countermeasures selection, demand a systematic and unified presentation of
protection doctrine in all relevant areas, as well as standards and specifications as they are issued.
Of course, it would be presumptuous to assume that any small group of authors could present
such material unaided. It is, therefore, a fundamental objective of Protection of Assets to draw upon
as large a qualified source base as can be developed. The writers, peer reviewers, and editors
attempt to distill from the available data, common or recurrent characteristics, trends, and other
factors, which identify or signal valid protection strategies. The objective is to provide a source
document where information on any protection problem can be obtained.
Protection of Assets Copyright © 2012 by ASIS International v

READERSHIP
Protection of Assets is intended for a wide readership: all security professionals and business
managers with asset protection responsibility. The coherent discussion and pertinent reference
material in each subject area should help the reader conduct unique research that is effective and
organized. Of particular significance are the various forms, matrices, and checklists that give the
reader a practical start toward application of the security theory to his or her own situation. POA
also serves as a central reference for students pursuing a program in security or asset protection.
DIALOGUE
We hope that Protection of Assets becomes an important source of professional insight for those
who read it and that it stimulates serious dialogue between and among security professionals. Any
reader who is grappling with an unusual, novel, or difficult security problem and would appreciate
the opinions of others is encouraged to write a succinct statement describing the problem and
send it to us at ASIS [protectionofassets@asisonline.org]. At the reader’s request his identity will
not be disclosed, but the problem will be published with invitations for comment. Readers are also
encouraged to communicate agreement or disagreement with strategies or applications recom-
mended in POA and to suggest alternatives. We reserve the right to publish or refrain from
publishing submitted material. The editors also solicit statements of reader opinion on matters of
asset protection policy in which a cross-sectional view would be helpful.
SUPPLEMENTAL TRAINING
Readers with supervisory or management responsibility for other security and asset protection
personnel will find POA to be a useful resource from which to assign required readings. Such
readings could be elements of a formal training syllabus and could be assigned as part of related
course sessions.
With all these objectives in mind, we present to you Protection of Assets, in the sincere belief it will
enhance your expertise in the security field.
Michael E. Knoke, CPP

Managing Editor
vi Protection of Assets Copyright © 2012 by ASIS International

CONTRIBUTORS
The success of this publication is directly related to the peer review process recognized by most
professions. Security professionals, members of academia, and other subject matter experts were
involved in contributing current information, conducting research, reviewing submissions, and
providing constructive comments so that we are able to provide a publication that is recognized as
the “go to” reference for security professionals worldwide.
It is with sincere appreciation that I wish to thank the below-named individuals who contributed
to Protection of Assets.
Teresa M. Abrahamsohn, CPP Lucien G. Canton, CPP Donald J. Fergus

Sean A. Ahrens, CPP James P. Carino, Jr., CPP Eugene F. Ferraro, CPP, PCI
Marene N. Allison Sue Carioti James H. Fetzer, III, CPP
Randy I. Atlas, CPP James S. Cawood, CPP, PCI, PSP Michael T. Flachs, CPP
George J. Barletta, CPP Steve Chambers, CPP, PSP Linda Florence, Ph.D., CPP
Mark H. Beaudry, CPP Richard E. Chase, CPP Richard H. Frank, CPP
Regis W. Becker, CPP John C. Cholewa, III, CPP Kenneth M. Freeman, CPP
Brent Belcoff, CPP Tom M. Conley, CPP Peter J. French, CPP
Howard J. Belfor, CPP Geoffrey T. Craighead, CPP Mary Lynn Garcia, CPP
Adolfo M. Benages, CPP Michael A. Crane, J.D., CPP John W. Gehrlein, CPP
Lawrence K. Berenson, CPP Bruce A. Dean, CPP Eva Giercuszkiewicz, MLS
Alexander E. Berlonghi Fritz X. Delinski Gregory A. Gilbert, CPP
Raymond J. Bernard, PSP Edward P. De Lise, CPP Frederick G. Giles, CPP
Henri A. Berube David A. Dobbins, PSP Timothy D. Giles, CPP, PSP
Martin T. Biegelman, J.D. Colin Doniger, CPP, PSP David H. Gilmore, CPP
Daniel E. Bierman, CPP, PSP Clifford E. Dow, CPP Christopher Giusti, CPP
Patrick C. Bishop, CPP Christina M. Duffey, CPP Leo Gonnering, PSP
Dennis R. Blass, CPP, PSP Brandon Dunlap Brian D. Gouin, PSP
Keith C. Blowe, CPP Nick Economou Richard P. Grassie, CPP
Paul F. Boyarin, CPP, PCI Cheryl D. Elliott, CPP, PCI Benjamin P. Greer
Tom Boyer James W. Ellis, CPP, PSP Steven R. Harris
Pete Brake, Jr., CPP William R. Etheridge Ronald D. Heil, CPP
Darryl R. Branham, CPP Gregory Alan Ewing, CPP, PSP Ed Heisler, CPP, PSP
Joseph P. Buckley, III Kenneth G. Fauth, CPP Richard J. Heffernan, CPP
Jason Caissie, CPP, PSP Lawrence J. Fennelly Chris A. Hertig, CPP
Protection of Assets Copyright © 2012 by ASIS International vii

William T. Hill, CPP Owen J. Monaghan, CPP Charles A. Sennewald, CPP
Ronald W. Hobbs, CPP Wayne Morris, CPP, PSP Dennis Shepp, CPP, PCI
Mark D. Hucker, CPP Patrick M. Murphy, CPP, PSP Shari Shovlin
W. Geoffrey Hughes, PCI Carla Naude, CPP Marc Siegel, Ph.D.
John L. Hunepohl James W. Nelson Laurie Simmons, CPP, PSP
Gregory L. Hurd, CPP Robert L. Oatman, CPP Dennis Smith, CPP
Gregory W. Jarpey, PSP Gerald A. O’Farrell, CPP Stan Stahl, Ph.D.
Sheila D. Johnson, CPP, PSP Peter E. Ohlhausen Paul J. Steiner, Jr., CPP
Thomas R. Jost Leonard Ong, CPP Pamela M. Stewart, PCI
Diane Horn Kaloustian Harm J. Oosten, CPP Dan E. Taylor, Sr., CPP
Cathy M. Kimble, CPP S. Steven Oplinger Lynn A. Thackery, CPP, PSP
R. Michael Kirchner, CPP Denis A. O’Sullivan, CPP Mark L. Theisen, CPP
Glen W. Kitteringham, CPP Jaime P. Owens, CPP Dave N. Tyson, CPP
Michael E. Knoke, CPP Gerard P. Panaro, J.D. Joann Ugolini, CPP, PSP
Terrence J. Korpal James F. Pastor, Ph.D. Darleen Urbanek
James M. Kuehn, CPP David G. Patterson, CPP, PSP Mike VanDrongelen, CPP, PCI, PSP
David Lam, CPP John T. Perkins, CPP Karim Vellani, CPP
Rich LaVelle, PSP Karl S. Perman Barry J. Walker, CPP
Robert F. Leahy, CPP, PSP Kevin E. Peterson, CPP Michael W. Wanik, CPP
Robert E. Lee Charlie R. A. Pierce Roger D. Warwick, CPP
Jeff Leonard, CPP, PSP Doug Powell, CPP, PSP Fritz Weidner
Todd P. Letcher Patrick K. Quinn, CPP Richard C. Werth, CPP
Emblez Longoria, CPP, PSP Roy A. Rahn, CPP Allan R. Wick, CPP, PSP
Cynthia Long John D. Rankin, CPP Anthony S. Wilcox, CPP
Richard E. Maier, CPP William G. Rauen, CPP Donald S. Williams, CPP
Loye A. Manning, CPP, PSP David L. Ray, LL.B. Reginald J. Williams, CPP
Robert L. Martin, CPP Joseph Rector, CPP, PCI, PSP Richard F. Williams, CPP
Ron Martin, CPP Ty L. Richmond, CPP Timothy L. Williams, CPP
Roger B. Maslen, CPP Lisa M. Ruth Coleman L. Wolf, CPP
Judith G. Matheny, CPP Jeffrey J. Ryder, Jr., CPP, PSP Richard P. Wright, CPP
Edward F. McDonough, Jr., CPP Mark A. Sanna, CPP Richard Y. Yamamoto, CPP
Richard A. Michau, CPP Stephen Saravara, III, J.D., CPP Scott S. Young, CPP
Bonnie S. Michelman, CPP
viii Protection of Assets Copyright © 2012 by ASIS International

TABLE OF CONTENTS
PREFACE
CONTRIBUTORS
Chapter 1. ADMINISTRATIVE MANAGEMENT PRINCIPLES . . . . . . . . . . . . . . . . . . . . . . . . 1

1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Organizational Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2.1 Developing the Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2.2 Communicating the Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Principles of Business Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3.1 Human Resource Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3.2 Knowledge Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.3.3 Corporate Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.4 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 2. FINANCIAL MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2.1 Financial Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2 Financial Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.1 Income Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.2 Balance Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2.3 Cash Flow Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.3 Financial Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.3.1 Profitability Ratios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.3.2 Risk Ratios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.4 Limitations of Financial Statement Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.5 Budgets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.5.1 Return on Investment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.5.2 Creating a Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.6 Implementing Financial Strategy and Financial Controls . . . . . . . . . . . . . . . . . . . . . 30
Chapter 3. STANDARDS IN SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

3.1 Introduction to Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.1.1 Characteristics of Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.1.2 Benefits of Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.1.3 Standards Development Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.2 Development of International Standards: ISO Example . . . . . . . . . . . . . . . . . . . . . . 38
3.2.1 Characteristics of ISO Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.2.2 ISO Standards Development Process . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.3 Development of National Standards: U.S. Example . . . . . . . . . . . . . . . . . . . . . . . . 40
3.3.1 Characteristics of ANSI Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.2.2 ANSI Standards Development Process . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Protection of Assets Copyright © 2012 by ASIS International ix

3.4 Management Systems Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.4.1 Characteristics of Management Systems Standards . . . . . . . . . . . . . . . . . . . 42
3.4.2 Benefits of Management Systems Standards . . . . . . . . . . . . . . . . . . . . . . . 44
3.4.3 Plan-Do-Check-Act Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.4.4 Well-Known Management Systems Standards . . . . . . . . . . . . . . . . . . . . . . 47
3.5 ASIS Global Standards Initiative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.5.1 Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.5.2 Product Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.5.3 Organizational Resilience Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Chapter 4. INTRODUCTION TO ASSETS PROTECTION . . . . . . . . . . . . . . . . . . . . . . . . . . 63

4.1 Basis for Enterprise Assets Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
4.1.1 Defining Assets Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
4.1.2 Relation to Security and Other Disciplines . . . . . . . . . . . . . . . . . . . . . . . . 65
4.1.3 Historical Perspectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4.2 Current Practice of Assets Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
4.2.1 Underlying Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
4.2.2 Assets Protection in Various Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
4.3 Forces Shaping Assets Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.3.1 Technology and Touch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.3.2 Globalization in Business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
4.3.3 Standards and Regulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.3.4 Convergence of Security Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
4.3.5 Homeland Security and the International Security Environment . . . . . . . . . . . 83
4.4 Management of Assets Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.4.1 Concepts in Organizational Management. . . . . . . . . . . . . . . . . . . . . . . . . 85
4.4.2 Management Applications in Assets Protection . . . . . . . . . . . . . . . . . . . . . 86
4.4.3 Security Organization within the Enterprise . . . . . . . . . . . . . . . . . . . . . . . 87
4.5 Behavioral Issues in Assets Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
4.5.1 Behavioral Science Theories in Management . . . . . . . . . . . . . . . . . . . . . . . 89
4.5.2 Applications of Behavioral Studies in Assets Protection . . . . . . . . . . . . . . . . . 91
Appendix A: Insurance as a Risk Management Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Chapter 5. COST-EFFECTIVENESS AND LOSS REPORTING . . . . . . . . . . . . . . . . . . . . . . 107

5.1 Understanding the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
5.2 What Cost-Effectiveness Means . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
5.3 Elements of Cost-Effectiveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.3.1 Return on Investment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
5.3.2 Security Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.4 Boosting Cost-Effectiveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
5.4.1 Budget Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
x Protection of Assets Copyright © 2012 by ASIS International

5.4.2 Cost Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
5.4.3 Cost Avoidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
5.5 Data Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
5.6 Data Analysis and Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.6.1 Claims Avoided . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.6.2 Proofs of Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.6.3 Recovered Physical Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
5.6.4 Uninsured Claims or Causes of Action. . . . . . . . . . . . . . . . . . . . . . . . . . 120
5.6.5 Other Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
5.7 Systematic Incident Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
5.7.1 Creating an Incident Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
5.7.2 Functions of an Incident Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
5.7.3 Benefits of Incident Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
5.7.4 Policy on Submission of Incident Reports . . . . . . . . . . . . . . . . . . . . . . . . 125
5.7.5 Incident Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
5.7.6 Management Reporting from the Database . . . . . . . . . . . . . . . . . . . . . . . 126
5.8 Predictive Modeling by the Security Organization . . . . . . . . . . . . . . . . . . . . . . . . 128
5.9 Protection Planning without an Incident Database . . . . . . . . . . . . . . . . . . . . . . . . 129
5.9.1 Pilot Verifications of the Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
5.9.2 Modifications of a Growing Database . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Appendix A: Incident Reporting Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Appendix B: Loss Reporting Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Chapter 6. THEFT AND FRAUD PREVENTION IN THE WORKPLACE . . . . . . . . . . . . . . . . . 137

6.1 Understanding the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
6.1.1 Common Myths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
6.1.2 Motivation to Commit Theft and Fraud . . . . . . . . . . . . . . . . . . . . . . . . . 140
6.2 Employee Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
6.2.1 Prevalence of Employee Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
6.2.2 External Economic Pressure and Opportunity . . . . . . . . . . . . . . . . . . . . . 142
6.2.3 Youth and Theft Nexus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
6.2.4 Job Dissatisfaction and Effects of Social Controls . . . . . . . . . . . . . . . . . . . 143
6.2.5 Summary and Recommendations of Study . . . . . . . . . . . . . . . . . . . . . . . 144
6.3 Fraud and Related Crimes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
6.3.1 Common Elements of Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
6.3.2 Sarbanes-Oxley Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
6.4 Scope of the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
6.4.1 Establishing a Model Prevention Program . . . . . . . . . . . . . . . . . . . . . . . 148
6.5 Dangers of Undetected Theft and Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Appendix A: Flowcharts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Appendix B: 50 Honest Truths About Employee Dishonesty . . . . . . . . . . . . . . . . . . . . . . 171
References/Additional Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Protection of Assets Copyright © 2012 by ASIS International xi

Chapter 7. PRIVATE POLICING IN PUBLIC ENVIRONMENTS . . . . . . . . . . . . . . . . . . . . . 177
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
7.1.1 Historical Perspectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
7.1.2 Conceptual Perspectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
7.1.3 Public/Private Partnerships and Statistics . . . . . . . . . . . . . . . . . . . . . . . 183
7.2 Contemporary Circumstances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
7.2.1 Economic and Operational Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
7.2.2 Order Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
7.2.3 Crime (Fear of Crime) and Terrorism . . . . . . . . . . . . . . . . . . . . . . . . . . 194
7.3 Principles of Private Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
7.3.1 Policing Role and Functional Distinctions . . . . . . . . . . . . . . . . . . . . . . . 197
7.4 Private Policing Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
7.4.1 Private Environment: Supplement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
7.4.2 Public Environment: Replacement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
7.4.3 Public Environment: Supplement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
7.5 The Future of Private Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
7.5.1 New Policing Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
7.5.2 Structural/Operational Components . . . . . . . . . . . . . . . . . . . . . . . . . . 214
7.5.3 Legal/Licensing Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Chapter 8. CONSULTANTS AS A PROTECTION RESOURCE . . . . . . . . . . . . . . . . . . . . . . 227

8.1 The Value of Consultants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
8.2 Types of Security Consultants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
8.2.1 Security Management Consultants . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
8.2.2 Technical Security Consultants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
8.2.3 Forensic Security Consultants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
8.2.4 Advisory Security Committee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
8.3 How to Use a Consultant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
8.4 How to Find a Security Consultant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
8.5 Selecting a Security Consultant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
8.6 Consulting Fees and Expenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
8.7 Working with Consultants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
8.7.1 Coordinating the Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
8.7.2 Organizational Orientation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
8.7.3 Levels of Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
8.7.4 Scope of Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
8.7.5 Work Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
8.7.6 Progress Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
8.7.5 Final Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
8.8 The Future of Consulting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Appendix A: Alphabetical Soup of Consulting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Appendix B: Application for Consulting Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . 248
xii Protection of Assets Copyright © 2012 by ASIS International

Appendix C: Curriculum Vitae . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Appendix D: Professional Consulting Services Agreement . . . . . . . . . . . . . . . . . . . . . . . 252
Appendix E: Consulting Security Agreement—Joint Certification . . . . . . . . . . . . . . . . . . . 254
Appendix F: Conflict of Interest Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Appendix G: Professional Services Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Appendix H: Statement of Professional Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Appendix I: Policy on Consultant’s Expenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Appendix J: Consultant Travel Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Chapter 9. EXECUTIVE PROTECTION IN THE CORPORATE ENVIRONMENT . . . . . . . . . . . . . 267

9.1 History of Executive Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
9.2 Research on Executive Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
9.3 Basics of Executive Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
9.4 Financial Implications of Executive Protection . . . . . . . . . . . . . . . . . . . . . . . . . . 270
9.5 Philosophy of Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
9.6 EP Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
9.7 The Power of Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
9.8 Office and Home . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
9.9 The Advance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
9.10 Working the Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
9.11 Protection Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
9.12 Future of Executive Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Chapter 10. SECURITY AWARENESS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

10.1 Levels of Awareness. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
10.1.1 Executive Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
10.1.2 Middle Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
10.1.3 First-Line Supervision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
10.1.4 Individual Employees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
10.1.5 Non-Employees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
10.2 Purposes of Security Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
10.3 Developing and Delivering a Security Awareness Program . . . . . . . . . . . . . . . . . . . 296
10.3.1 Techniques, Materials, and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . 297
10.3.2 Obstacles to an Effective Awareness Program . . . . . . . . . . . . . . . . . . . . . 298
10.3.3 Measuring the Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
10.4 Engaging Employees to Prevent Losses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
10.4.1 Positive Security Contacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
10.4.2 Policies and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Protection of Assets Copyright © 2012 by ASIS International xiii

Chapter 11. WORKPLACE SUBSTANCE ABUSE: PREVENTION AND INTERVENTION . . . . . . . . 305
11.1 Historical Perspective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
11.1.1 A Change of Mood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
11.1.2 Legal Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
11.1.3 War on Drugs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
11.2 Human Cost of Substance Abuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
11.3 Role of the Employer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
11.4 Why the Workplace? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
11.4.1 Rationalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
11.4.2 Opportunity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
11.5 Path of Workplace Substance Abuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
11.6 Drugs of Abuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
11.6.1 Controlled Substance Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
11.6.2 Depressants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
11.6.3 Narcotics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
11.6.4 Stimulants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
11.6.5 Hallucinogens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
11.6.6 Marijuana . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
11.6.7 Analogue or Designer Drugs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
11.6.8 Prescription Drugs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
11.7 Addiction and Chemical Dependency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
11.7.1 Addiction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
11.7.2 Chemical Dependency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
11.7.3 Functional Abusers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
11.7.4 Denial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
11.7.5 Enabling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
11.7.6 Codependency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
11.8 Role of Supervisors and Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
11.8.1 Drug-Free Workplace Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
11.8.2 Investigation and Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
11.8.3 Employee Hot Lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
11.8.4 Intervention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
11.8.5 When Intervention Fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
11.8.6 Employee Assistance Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
11.8.7 Behavior Modification through Role Modeling . . . . . . . . . . . . . . . . . . . . . 333
11.8.8 Reintegration of the Recovering Employee . . . . . . . . . . . . . . . . . . . . . . . 334
11.8.9 Employee Education and Supervisor Training . . . . . . . . . . . . . . . . . . . . . 334
11.9 Drug Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
11.9.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
11.9.2 Accuracy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
11.9.3 Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
11.9.4 Employer Incentives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
11.9.5 Liability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Appendix A: Drug Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
xiv Protection of Assets Copyright © 2012 by ASIS International

Appendix B: Common Questions About Drug Testing. . . . . . . . . . . . . . . . . . . . . . . . . . 343
Appendix C: Supervisor’s Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Appendix D: Intervention Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Appendix E: U.S. Federal Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Appendix F: Sample Substance Abuse Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Chapter 12. ADDRESSING WORKPLACE VIOLENCE THROUGH

VIOLENCE RISK ASSESSMENT AND MANAGEMENT . . . . . . . . . . . . . . . . . . 357
12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
12.2 Conceptual Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
12.3 Focus Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
12.4 Liability and Legal Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
12.5 Behavioral Dynamic of Workplace Violence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
12.6 Incident Management Team (IMT) and Resources . . . . . . . . . . . . . . . . . . . . . . . . 365
12.7 Violence Risk Assessment Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
12.7.1 Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
12.7.2 Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
12.7.3 Intervention and Non-Emergency Situational Resolution . . . . . . . . . . . . . . 371
12.7.4 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
12.7.5 Review and Debriefing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
12.8 Future of Workplace Violence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Appendix A: Model Policy for Workplace Violence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Protection of Assets Copyright © 2012 by ASIS International xv

TABLE OF FIGURES
2-1 Income Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

2-2 Balance Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2-3 Cash Flow Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2-4 Margins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2-5 Returns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2-6 Risk Ratios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3-1 Plan-Do-Check-Act Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

3-2 Standards Development Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3-3 Organizational Resilience: Security, Preparedness, and
Continuity Management Systems-Requirements with Guidance for Use . . . . . . . . . . 60
4-1 Examples of Organizational Assets by Type . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

4-2 Paradigm Shift Frequency Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
4-3 School Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
4-4 Selected Standard-Setting Bodies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
4-5 Selected Security Certification Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4-6 Three Managerial Dimensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4-7 Assets Protection Customers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4-8 Maslow’s Hierarchy of Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
5-1 Return on Investment (ROI) Formula . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

5-2 Problems Discoverable on Security Officer Patrols . . . . . . . . . . . . . . . . . . . . . 115
5-3 Main Methods Used in Social Science Research . . . . . . . . . . . . . . . . . . . . . . . 118
6-1 Financial Impact of Theft or Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

6-2 Common Targets and Methods of Theft and Fraud . . . . . . . . . . . . . . . . . . . . . 149
6-3 Comprehensive Model of Theft and Fraud Prevention, Investigation,
and Program Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
7-1 Provision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

7-2 Functions of Private and Public Police. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
7-3 Public Safety Policing Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
7-4 Continuum of Governmental Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
7-5 Functionality/Criticality Continuum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
12-1 U.S. Fatal Occupational Injuries by Event or Exposure, 1994-2009. . . . . . . . . . . . . 359

12-2 A Theoretical Behavioral Escalation Curve for Emotion-Based Violence . . . . . . . . . 365
xvi Protection of Assets Copyright © 2012 by ASIS International

CHAPTER 1
ADMINISTRATIVE
MANAGEMENT PRINCIPLES
1.1 OVERVIEW
Security managers are, as the name suggests, both security specialists and business
managers. Most of Protection of Assets focuses on security-specific issues. However, to serve
their organizations effectively, security managers must also understand business principles.
With that knowledge, they can organize their efforts in a way that best supports the overall
vision and mission of their organization. Without that knowledge, they may focus on security
as an end in itself. Security managers who understand business are best positioned to
collaborate with top management and to turn their departments into valuable corporate
resources that support organizational success. Effective security managers are those that are
recognized within their organization as business partners.
In any business, people work and interact to produce a product, service, or both. This
interaction leverages the labor of individuals to enable the business to realize a net profit that
supports investors, managers, customers, and employees.
At some point a business must determine the type of product or service to sell and how to
develop, deliver, and finance that output. To manage this process successfully, managers
and owners must employ practices that support the goals of their business. They must also
develop metrics that define success and support business decisions. Ultimately these
practices aim to define business success not only in the near term, but also over the life of the
business through quantifiable metrics.
Protection of Assets Copyright © 2012 by ASIS International 1

ADMINISTRATIVE MANAGEMENT PRINCIPLES
1.1 Overview
Two hypothetical food service businesses illustrate these themes:
Expensive Italian restaurant. A famous chef opened a high-end restaurant to serve

business clientele in a fashionable downtown district. He realized that his revenue per
plate must be considerable to support his location and staff and generate a profit. The
restaurant’s servers now provide exquisite customer service; cooks prepare the food
with the best ingredients and attention; busboys keep the tables neat; and
management coordinates and supervises their efforts. For this high level of service, a
premium is charged. Customers are willing to pay because the restaurant provides a
continued level of exquisite service and excellent food quality. As a result, the
restaurant hosts a constant flow of high-profile professionals during the evenings.
Inexpensive quick-service restaurant. Several blocks closer to the downtown offices,

two young entrepreneurs saw a gap in quick, inexpensive food options in the area, so
they opened a large, low-cost American fast food franchise. Understanding that
providing a cost-effective lunch option would require large volumes as a result of the
thin profit per meal, the owners marketed the restaurant heavily in nearby offices to
generate the necessary customers, who now shuffle in and out quickly with inexpensive
food during the weekday lunch rush. Further, the restaurant captures some late-night
business from people working late and others heading out to nearby nightlife. The
customer service is limited, but the food is tasty and filling, though not of the highest
quality. Management focuses on quick service and a basic level of cleanliness and
customer service. The restaurant is constantly busy serving customers who require
food quickly so they can be on their way.
Which of the two restaurants is more successful? The Italian restaurant earns more profit per
plate of food than the fast food restaurant, yet the fast food restaurant can serve significantly
more customers. The success of each restaurant is determined by its management practices
and expectations. The management of the Italian restaurant wants the establishment to be a
premium dining facility serving customers looking for a high-end product. The fast food
restaurant, on the other hand, is focused on people who are busy and need a quick,
inexpensive bite to eat.
Both businesses can be considered successful because their management-defined business

processes support the restaurants’ specific purposes. The managers understand the types of
customers they serve, the financial requirements of the business, and ways to coordinate
staff efforts.
2 Protection of Assets Copyright © 2012 by ASIS International

1.2 Organizational Strategy
The following example teaches the same lesson differently:
Paper products company. The executive committee at a paper products company

decided to invest heavily in high-end manufacturing equipment targeting local firms
with an interest in printing marketing material. The company mainly produces
letterhead, stationery, and basic business cards. After installing the equipment and
setting up the production process for potential orders, the executive committee found
that sales were not meeting the required levels for profitability. They had failed to see
that their customers (local companies) were migrating to Web-based marketing and
were limiting their use of printed marketing materials. As a result, the paper company
began to realize losses in its new division.
Clearly, a business must understand its purpose and create management practices that
support it. To define the business purpose, management typically writes a business strategy.
To implement that strategy, management develops appropriate administrative practices.
1.2 ORGANIZATIONAL STRATEGY

The organizational strategy (also called a strategic plan) is set out in writing by a business
unit’s top leadership. It does not focus on day-to-day operations but provides a general
direction. The organizational strategy is the fundamental template for direction that defines
and supports long-term goals.
The organizational strategy serves as the foundation for developing business processes.
Those processes should support the overall business structure required to meet the
organizational strategy. Key metrics and performance indicators can be studied to determine
whether the processes accurately reflect the organizational strategy. Using this feedback, an
organization can, if necessary, change the implementation of the strategy or even shift the
strategic focus itself.
Defining an organization’s overall strategic purpose is essential for developing company-

specific management practices. The organizational strategy defines why the business exists
and how it will maintain itself as a profitable, viable entity. Answering these questions
requires looking at the business not only in the moment but also three to five years out.

1.2 Organizational Strategy
In developing an organizational strategy, it is helpful to ask such questions as the following:
x What markets does the business want to serve? Are they narrow or broad?
x What products do those markets require? Is there stiff competition? What are the
technological costs to develop and sell the products?
x Who will sell the products: the company, wholesalers, retailers?
x Will the company make money through low margins with high volume or high margins
with low volume?
x What quality of product or service will be provided?
x How will the company be financed? What revenues and profit margins are required to
sustain the business?
x What are the Strengths, Weaknesses, Opportunities and Threats involved in the
business venture (SWOT)?
1.2.1 DEVELOPING THE STRATEGY

The first step is to understand the business and where it needs to be in the future. The current
state of the business can be deduced by looking at products offered, markets targeted, and
financial results. To determine where the company should be in the future, leadership must
consider how the company can maintain its profitability.
Comparing the current company and the desired future company, leadership is likely to
observe some distance between the two. If the company is already meeting leadership’s vision,
the organizational strategy can be minimal, merely capturing existing practices to maintain
and adjust them over time. If the company’s current state is far different from its desired state,
the organizational strategy will play a greater role in setting the corporate direction.

1.3 Principles of Business Administration
1.2.2 COMMUNICATING THE STRATEGY

Once a strategic direction is understood, it is essential to capture that direction and com-
municate it effectively within and outside the organization. The following topics can help
communicate the organizational strategy:
Vision The vision of an organization is a specific description of where the business will
be in the long-term. The vision statement conveys a general understanding of
the business, its culture, and its future goals.
Mission The mission of the business specifies its types of products or services, level of
quality, and other tangible aspects of the business and its plans. This is a more
concrete statement.
While the vision states objectives and business goals, the mission com-
municates business functionality and operational methods.
Objectives This statement includes the specific organizational objectives so that all
involved parties can understand what needs to be done. The objectives should
highlight specific goals that the organization wants units to achieve in terms of
sales, market share, product differentiation, or other relevant metrics. The
objectives must be SMART (Specific, Measurable, Attainable, Relevant, and
Time-bound).
1.3 PRINCIPLES OF BUSINESS ADMINISTRATION

To meet its objectives and implement its strategy, a business must pay attention to its primary
resource: its people. Effectively managing current employees and hiring new ones is essential.
It is employees who will embrace the organizational strategy and execute its principles.
Management principles make it possible to tailor daily operations to support the organiza-
tional strategy. For example, if the organization wishes to redevelop a business unit and focus
on an emerging technology as opposed to relying on legacy products, then the operational
focus for human resources should be to find people who can support emerging technology.
Business principles define how an organization functions. Among the most important issues
they must address are human resource requirements, knowledge management, and corporate
structure.

1.3.1 HUMAN RESOURCE MANAGEMENT

The Human Resource (HR) department is one of a company’s most valuable departments. A
good HR department can find and keep high-level talent for the company and leverage that
talent to maximum effectiveness.
While the HR department’s daily focus is staffing, it also promulgates corporate policies and
procedures to employees and provides training and performance measurement. In doing so,
the HR department must align its actions with the overall corporate strategy.
Staffing
The most visible component of the HR department is staffing. Whether a company
outsources staffing searches or handles them internally, it is important for an organization to
understand how to conduct an effective job requirements analysis, thorough candidate
profiles, and effective interviews and evaluations. It is difficult to assess a candidate based
solely on a résumé and a single interview.
Staffing decisions should be measured against a detailed job requirements analysis. The
analysis should be made not only by the manager responsible for hiring but also by other
team members and organizational leaders. The position requirements thus developed must
be narrow enough to be accurate but broad enough to include many good candidates.
How might this work in practice? In a hypothetical example, the head of security for a global
manufacturing firm might need a security manager for corporate headquarters. The security
manager would work with corporate executives, supervise headquarters security personnel,
and in general ensure that the facility is protected.
The job requirements analysis addresses both direct and indirect requirements. The direct
requirements are those that the candidate must meet to understand and function in the position.
The indirect requirements are skills that will increase the candidate’s likelihood of success.
The following are examples of direct requirements:
x certifications, such as technical or driving certifications

x education level, such as a bachelor’s or master’s degree
x years of experience
x previous job responsibilities
x knowledge of computer applications, such as Microsoft Word or Excel

Indirect requirements, which are less specific, include the following:
x leadership ability
x ability to multitask
x organizational skills
x communication skills
The job requirements analysis should weigh which skills are most valuable for the position. If
a company needs a crane operator, the direct requirements may be more significant because
of the safety issues involved and the skills required to operate a crane at an industrial site.
However, if the company is trying to fill an engineering role, some of the indirect
requirements may have more weight because of the need for the engineer’s design work to
interface correctly with that of other engineers.
Returning to the example of the headquarters security manager, analysis of the job require-
ments shows that the candidate must be able to ensure the physical security of the building,
supervise security staff, and interact with corporate executives and high-level managers, who
are the primary occupants of the building. The ability to handle the primary security
functions is still the most valued requirement, but several other skills are also necessary,
such as leadership, management, and interpersonal skills. The head of security will need to
communicate these needs to the HR staff responsible for filling the position.
Internal recommendations are the best way to recruit a good candidate; most employees
would not recommend someone they did not believe could fill the position. Also, hiring
people who have worked with other company employees may help create a more cohesive
team. To encourage internal recommendations, HR should post jobs in a way that effectively
reaches an internal audience.
To reach a larger pool of candidates, it is useful to advertise the position in newspapers and
online. To deal with the many résumés that may be submitted in response to a public listing,
staff must filter the résumés and invite only the most viable candidates for an interview. One
way to reduce this labor is to hire external recruiters.
Once candidates have been selected, it is time to prepare for interviews. To appeal to the best
candidates, a company must impress them just as much as they must impress the company.
HR should ensure that interviewers provide a thorough overview of the company and the
benefits of working for that company.
The interviewer should also examine the candidate’s objective capabilities and subjective fit
with the team the candidate would work with. This latter measure is sometimes the more
important one.

Policies and Procedures

The HR department must also establish policies and procedures to outline how business will
be conducted at the organization. Policies cover items that the organization monitors and
expects employees to conform to. Some policies are driven by government regulations,
which differ for different types of business. Procedures deal with specific items—for example,
how an employee should handle setting up vacation time.
Many types of regulations can affect company policy. In the United States, regulations
related to the following should be researched:
x minimum wage requirements (federal and state)

x Family and Medical Leave Act
x Occupational Safety and Health Administration
x security regulations for organizations that handle sensitive government data
x building codes
x waste and hazardous material management
x drug and alcohol abuse
x harassment and liability issues
x corporate property use
x leave policies
x information technology use
x ethics
Different countries may have similar laws, and if conducting business abroad, the regulatory
issues of such countries should be considered as well.
Policies should be useful and simple and should not overload employees. When developing
policies, it is useful to work closely with the managers whose teams will be most affected by
the policies. They can provide details of current operations and the probable effects of policy
changes. Collaboration can also create management buy-in that increases the likelihood that
policies will be executed and maintained. Compliance with policies can also be strengthened
through training or certification that teaches employees the details of the policies and the
consequences of violating them.
In addition to corporate policies, which provide broad descriptions of how operations will be
conducted, specific procedures need to be developed so that employees will know how to
react to various issues. Clearly articulating company procedures helps prevent confusion.
These procedures should address a wide variety of topics and should be widely promulgated.
Further, staff understanding of the procedures should be refreshed regularly to ensure that
everyone is up-to-date and understands how to respond when an issue arises.

Procedures should encompass all topics that are important for daily functions. The following
are possible subjects of company procedures:
x security
x inclement weather
x building evacuation
x filing a complaint
x requesting leave
x timekeeping
x purchasing
x corporate property rights
The policies and procedures should reflect the ideal functionality of the organization. They
support proper staff behavior and lead to a hospitable, safe workplace.
Performance Measurement and Training

To aid employee development and retention, employers must review and reward employee
performance and provide training mechanisms for employee growth. In today’s working
world, it is easy for employees to transition to other companies if they feel they are not being
engaged enough or their personal growth is suffering. Therefore, companies should use
performance metrics and training modules to foster employee development.
Training may be provided within or outside the company. Internal training is typically aimed
at helping employees do their current jobs better. For instance, an electronics assembler can
be trained on more efficient assembly techniques with different tool sets. Other training
might foster employee growth by giving employees the opportunity to learn different disci-
plines within the company.
Training can also be conducted outside the organization. Employees may pay for the training
themselves, or the company may pay for it, and the training may take place on employees’
own time or during working hours. This external training may be taken in university courses,
at seminars or conventions, or in other venues. It often imparts information that is outside
the scope of the current work environment and that may promote innovative approaches to
work tasks.
The metrics for evaluating employees should align closely with the organizational strategy.
For example, if the strategy calls for growth, then the metric for mid-level managers may be
to grow their business units a certain percentage.

Employees should be measured on both how well they do their current jobs and how well
they contribute to the growth of the company as a whole. Some workers focus on their
current jobs and are content in those positions. Others use their current positions to gain
experience or insights that may help them move into other positions or expand the
responsibilities of their current positions. Measuring those two aspects separately allows for
fair evaluation of the employees and clarifies what they must do to excel at their current
positions, prepare for other positions, and contribute more to the company.
Metrics for assessing how well employees are doing their current jobs include the following:
x work quality
x performance on time
x performance within budget
x meeting of other requirements of the position
Metrics for assessing employees’ overall contribution to the company include the following:
x extra sales, extra hours, and work on several projects

x work on tasks outside the position requirements
x contribution toward improvements in the business process
x leadership
Thus, an HR department can support the organizational strategy by establishing and com-
municating appropriate policies and procedures and by ensuring that the best people are
hired, retained, and provided with growth opportunities.
1.3.2 KNOWLEDGE MANAGEMENT

After employees, corporate knowledge is the second most valuable resource, and supporting
knowledge management supports the organizational strategy. A central knowledge manage-
ment system collects, distributes, and publicizes corporate data in a searchable, accessible
format. It aids corporate departments by reducing redundant efforts and promoting
knowledge sharing. For an engineering firm, centralizing product design documentation
allows multiple engineers to collaborate on a single design and makes it unnecessary for
engineers to design the same component for other projects. Centralization of information
also helps preserve knowledge if an employee leaves his or her position or the company.
In addition, cross-unit knowledge sharing can enable one department to learn from the
processes, technologies, and ideas of another. For example, a company with two divisions—
computer memory chip manufacturing and hard drive manufacturing—might be able to apply
the efficiency techniques of the first division to improve efficiency in the second division.

1.4 Conclusion
Centralized knowledge systems can be used to collect data that measure the productivity and
performance of business units and individual employees. Such measurement enables an
organization to identify problems and spot opportunities to cut costs, increase efficiency, or
expand the business. Relevant metrics may include return on investment, inventory
turnover, and profit margins. If the organizational strategy emphasizes volume over
profitability, an important metric will be growth in revenue. In such a case, the knowledge
management system must be able to capture revenue streams and report them accurately.
Of course, a central knowledge management system may also create a security vulnerability.
Because the information could be accessed and exploited by competitors or other outsiders,
it is essential to keep the information system secure.
1.3.3 CORPORATE STRUCTURE

An organization should be structured in a way that supports its business strategy. For
example, if a company focuses on product innovation, it may choose to have numerous
technical teams that report development efforts to a small number of management
executives. This type of structure reduces the chance that innovative ideas will be stifled by
bureaucracy. By contrast, a construction company may opt to have several management
layers to manage multiple projects, ensure employee safety, and meet schedule require-
ments. For any organization, the right structure can aid in delegating responsibilities and
ensuring accountability.
The initial step is to identify the essential business units. An engineering firm would likely
consider its engineering group to be the essential business unit. Supporting units might
include sales and marketing staff. If the company’s strategy calls for growth, marketing and
sales may grow in importance.
1.4 CONCLUSION
Management practices serve a company best when they are designed in accordance with its
strategic plan. These practices are largely expressed through human resource management,
knowledge management, and business structure. When the overall corporate strategy is
ingrained in daily administration practices, the organization will have the best chance of
success.

CHAPTER 2
FINANCIAL MANAGEMENT
As members of their employers’ management teams, security managers must understand more
than security—they must also know business and finance. Knowledge of financial management is
especially important, as it explains how a business makes some decisions.
As a metaphorical example, a commuter with an unreliable car might weigh many factors when
considering a solution: repair costs; the likelihood of breakdowns; and the purchase, maintenance, and
insurance costs of various replacement cars. The person takes the time to make a justified financial
decision. Businesses use similar but more elaborate processes to help them make sound business
decisions. They may need to decide whether to purchase new equipment or extend credit, or they may
need to estimate the growth potential of prospective investments. Like the commuter, they look at
financial outlays, the expected returns on those outlays, and the potential risks associated with the
investment.
Financial management practices provide the analysis and decision tools that allow businesses to
monitor the financial operations of an organization and make better financial decisions. The basis of
financial management is understanding the accounting principles used in generating financial
reports. Through those reports it is possible to analyze the current state of business finances and
project how financial decisions will affect the business. From the financial analysis it is possible to
develop budgets and set expected goals for revenue or return on investment (ROI). The result is a
financial strategy that is based on thorough analysis and that employs sufficient controls to ensure
success.

2.1 Financial Strategy
Both publicly traded and privately owned companies must follow accounting and financial
reporting standards. Public companies must, by law, observe reporting standards (for investor
protection). Oversight responsibility should be separated from authority. This is the purpose of
having an independent auditor who analyzes the facts, draws conclusions and makes recom-
mendations on the company’s financial status. Private organizations must, in practice, observe
those standards when attempting to gain financing through a bank or when setting a value on a
business. Therefore, it is imperative that individuals charged with managing finances—including
security managers—understand the basics of financial management.
2.1 FINANCIAL STRATEGY

Strategy is management’s effort to focus resources on specific targets that lead to business
success through proper planning. A financial strategy is management’s financial approach to
determining the expected returns of its investments (including its departments and opera-
tions) and estimating and managing the relevant risks.
In establishing a financial strategy, the first step is to identify expected margins, or the profit
that businesses generally make. In the software industry, profit margins tend to be high,
perhaps because of the specialized nature of software and the low price of delivering it.
Manufacturing companies, by contrast, typically rely on smaller margins but higher volume.
Realistically a company has two options if it wishes to improve margins. It can reduce costs
or increase the price of its product or service. Reducing costs requires increasing efficiency,
perhaps by finding cheaper suppliers or by cutting overhead costs. Increasing price may or
may not be successful, as it may lead to a decline in sales volume.
Increasing revenue may involve expanding sales of a current product or identifying new
businesses to fund sales. The growth option usually involves additional costs, as it costs
money to produce more products or pursue new business ventures.
The question is how to fund growth. Growth can be funded from internal cash reserves or
through commercial financing and investors. Both approaches impose trade-offs. Using
internal cash reserves could limit the ability of an organization to pay bills if costs exceed
revenues. Use of external financing puts the company at risk if the investment does not
create the expected revenue. The way to make such financial decisions and project returns is
through analysis of financial statements.

2.2 Financial Statements
2.2 FINANCIAL STATEMENTS

Three financial reports or statements have become accepted as standard: the income state-
ment, balance sheet, and statement of cash flows. Through these statements it is possible to
paint a clear picture of a company’s current and prospective financial health.
Financial statements are created in accordance with generally accepted accounting principles
(GAAP). These principles vary somewhat from country to country. Many countries are
converging on the International Financial Reporting Standards (IFRS), established and
maintained by the International Accounting Standards Board. In the United States, they are
established by the American Institute of Certified Public Accountants, the Financial
Accounting Standards Board, and documented, standardized accounting practices. The pur-
pose of GAAP is to establish and maintain a standard for financial reporting that can be used
across all organizations.
The following sections outline the basics behind the three financial reports.
2.2.1 INCOME STATEMENT

The income statement tells how much money an organization generates (revenue), how
much it spends (expenses), and the difference between those figures (net income). It
provides that information by offering a quantified view of an organization’s operations over a
defined period.
Revenue is the money a company receives for products or services. If its products sell for
$1,000 each and the company sells 100 products during the reporting period, the revenue for
that period is $100,000 (100 units times $1,000 per unit).
Expenses, of course, are the costs of creating and delivering the products or services. If it
costs the company $900 to produce and deliver each product, and 100 units are made, then
expenses equal $90,000.
Net income equals revenue minus expenses. Thus, in this case the company’s net income is
$10,000 ($100,000 minus $90,000).

YEAR 1 YEAR 2 YEAR 3 YEAR 4 YEAR 5
Product Sales 1,643,000 1,807,300 1,988,030 2,186,833 2,405,516
Service Sales 729,000 1,312,200 1,443,420 1,587,762 1,746,538
Revenue 2,372,000 3,119,500 3,431,450 3,774,595 4,152,055
Procurement (60,000) (63,000) (66,150) (69,458) (72,930)
Raw Materials (50,000) (52,500) (55,125) (57,881) (60,775)
Development/Production Costs (75,000) (82,500) (90,750) (99,825) (109,808)
Equipment Purchase (100,000) (100,000) (100,000) (100,000) (100,000)
Cost of Goods Sold (285,000) (298,000) (312,025) (327,164) (343,513)
Payroll (1,336,975) (2,013,326) (2,214,659) (2,436,124) (2,679,737)
Lease (220,000) (226,600) (233,398) (240,400) (247,612)
Utilities/Lease Expenses (44,000) (45,320) (46,680) (48,080) (49,522)
General and Administrative Costs (1,600,975) (2,285,246) (2,494,736) (2,724,604) (2,976,871)
Marketing (100,000) (110,000) (121,000) (133,100) (146,410)
Customer Training (50,000) (50,000) (50,000) (50,000) (50,000)
Sales and Marketing Costs (150,000) (160,000) (171,000) (183,100) (196,410)
EBITA 336,025 376,254 453,689 539,727 635,260
Interest Costs (100,000) (93,725) (86,823) (79,231) (70,880)
Income Before Taxes 236,025 282,529 366,865 460,496 564,380
Taxes at 15% of Income (35,404) (42,379) (55,030) (69,074) (84,657)
Net Income 200,621 240,149 311,836 391,421 479,723
Figure 2-1
Income Statement

Expenses are typically grouped into several categories, such as the following:
x Cost of goods sold. This is the cost of creating a product or service, accounting for
materials, labor, and other costs.
x Sales and marketing. To promote themselves, companies may spend money on

advertising, sales efforts, and customer training to support additional product sales.
x Administrative. Also called operating costs, these are the necessary expenditures of
office space, payroll, utilities, and other general administrative functions.
x Interest. This is the cost of paying the interest portion of a loan.

x Taxes. Companies pay a variety of taxes.
The income statement in Figure 2-1 shows how net income is derived from revenue and
expenses in a yearly report. The term EBITA in the left column refers to earnings before
interest, taxes, and amortization. Numbers in parentheses are negative—that is, meant to be
subtracted.
The income statement shows approximately 10 percent annual growth in product sales. It
also shows a near-doubling of service sales from Year 1 to Year 2. That growth coincides with
an increase in payroll, suggesting that the company may have hired more employees to meet
customer demand for services.
The income statement outlines the organization’s profitability but does not provide a picture
of the organization’s overall financial health. The balance sheet aids in that assessment.
2.2.2 BALANCE SHEET

The balance sheet summarizes an organization’s investing and financing. The report’s
underlying equation is as follows:
assets = liabilities + shareholder equity
An asset is anything that a company owns or has title to that may provide a future economic
benefit. Examples include land, buildings, retail inventory, and intellectual property, such as
trademarks and copyrights.
Liabilities are an organization’s financial commitments. Examples include loans, bills, and
other obligations.
Shareholder equity is the amount of ownership allocated to shareholders. This value is not
an asset or liability but rather the ownership stake for which shareholders are responsible. If
the liabilities of an organization far outweigh the assets, then shareholders are accountable

for the extended liability. In contrast, if an organization’s assets exceed its liabilities, then the
shareholders have positive equity (or ownership) in the company. Shareholder equity is
derived from retained earnings, net income, and dividend payout. Retained earnings equals
the amount of net income that is reinvested in an organization. If dividends are paid out or if
net income is actually a net loss, retained earnings decrease.
The balance sheet thus provides insight into the asset and liability mix and how it relates to
shareholder equity. Through understanding the asset and liability mix, it is possible to deter-
mine what a company owns and what it owes in the short term and long term.
Common terms used to describe assets on the balance sheet include the following:
x Cash. This is the amount of currency a company has in its accounts, including cash
savings, cash checking, and other currency deposits
x Inventory. This is the value of raw materials, works-in-progress, and finished goods
that are stored as inventory to be sold later.
x Accounts receivable. This is the amount due by customers for goods and services
already delivered.
x Property, plant, and equipment. This includes all relevant physical space (including
land and buildings) and equipment that an organization requires to produce goods or
services.
x Prepaid accounts. It is possible to pay ahead for insurance, leases, and even taxes.
These accounts are assets because they were paid before they were actually due.
x Accumulated depreciation. As buildings and equipment age, they begin to lose value.
The loss of value with each year is captured in accumulated depreciation to more
accurately reflect the book value of an asset.
Terms related to liabilities include the following:
x Accounts payable. These are accounts on which an organization owes money. Typical
accounts payable include utilities or services acquired under informal agreements.
x Interest payable. This includes interest payments on loans extended to an

organization.
x Leases. This is the amount owed on equipment and facility leases for that reporting
period.
x Current long-term debt. This includes the amount of principal that was paid for the
reporting period.
x Long-term debt. This is the amount that a company still owes on a loan or equity
financing.

Both assets and liabilities can be grouped into current accounts. Current accounts are assets
and liabilities that can be converted quickly. For example, current assets, such as cash or
accounts receivable, are those that can be used to cover costs or other business expenses for
that reporting period. Current assets are considered cash equivalents on the balance sheet.
Current liabilities are those that are paid in the reporting period.

Cash 1,137,876 1,309,005 1,544,919 1,852,826 2,240,684
Inventories — — — — —
Accounts Receivable — — — — —
Current Assets 1,137,876 1,309,005 1,544,919 1,852,826 2,240,684
Property, Plant, and Equipment 100,000 200,000 300,000 400,000 500,000
Accumulated Depreciation (100,000) (200,000) (300,000) (400,000) (500,000)
Property Assets — — — — —
Total Assets 1,137,876 1,309,005 1,544,919 1,852,826 2,240,684
Accounts Payable — — — — —
Current Leases — — — — —
Current Long-Term Debt 69,020 75,922 83,514 91,866 101,052
Current Liabilities 69,020 75,922 83,514 91,866 101,052
Long-Term Debt 868,235 792,313 708,799 616,933 515,881
Total Long-Term Liabilities 868,235 792,313 708,799 616,933 515,881
Total Liabilities 937,255 868,235 792,313 708,799 616,933
Retained Earnings — 200,621 440,770 752,606 1,144,027
Net Income (Loss) 200,621 240,149 311,836 391,421 479,723
Shareholder Equity 200,621 440,770 752,606 1,144,027 1,623,750
Total Liabilities and Shareholder

1,137,876 1,309,005 1,544,919 1,852,826 2,240,684
Equity
Figure 2-2
Balance Sheet
The balance sheet in Figure 2-2 shows assets, liabilities, and shareholder equity. Total assets
must equal total liabilities plus shareholder equity.

The balance sheet in Figure 2-2 shows that the company is generating cash from profits and
is repaying long-term debt. The balance sheet also provides insight into the company’s use of profit
to increase shareholder equity. In other words, the business is using profit to pay down debt.
Together, the balance sheet and income statement provide views of the company’s opera-
tions, financing, and investments, but they do not outline where cash is being allocated. That
insight comes from the cash flow statement.
2.2.3 CASH FLOW STATEMENT

The cash flow statement, also called the statement of cash flows, provides insight into how
cash inflows and outflows affect an organization. The statement demonstrates whether the
organization is generating enough cash to cover operations and acquire additional assets as
needed.
The cash flow statement shows the following:
x Net operating cash flow. This is the amount of cash generated (or consumed) through
company operations. Operations include production and sales of goods or services
during the defined period. Operating cash flow is based on net income generated for a
reporting period, as well as any changes in liabilities.
x Net investing cash flow. This is the amount of cash generated (or consumed) by
investing in other organizations or selling or acquiring buildings or property.
x Financing cash flow. If a company obtains a loan or other financing, the cash
generated is reported as financing cash flow.
By understanding these basic inflows and outflows, it is possible to identify where cash is
being generated to cover business operations. For example, Figure 2-3 shows where the long-
term debt on the balance sheet (Figure 2-2) comes from. In Year 1, the company secured a $1
million loan to support additional payroll to meet customer demand. The company did not
strictly require financing, as it was able to meet cash requirements for the year. However,
management may have felt that the financing would help the company through any cash
shortages in the first year of operation.
The cash flow statement also shows that the company has a simple financial structure—just
one loan outstanding and one source of income. It does not have any additional investing
cash flow and is free from other financing obligations.

2.3 Financial Analysis

Cash Beginning of Year — 1,137,876 1,309,005 1,544,919 1,852,826
Net Income 137,876 171,129 235,915 307,907 387,858
Change in Liabilities — — — — —
Net Operating Cash Flow 137,876 171,129 235,915 307,907 387,858
Investment Cash Flow — — — — —
Net Investment Cash Flow — — — — —
Issuance/Repayment Loan 1,000,000 — — — —
Dividends — — — — —
Other Financing — — — — —
Net Financing Cash Flow 1,000,000 — — — —
Cash End of Year 1,137,876 1,309,005 1,544,919 1,852,826 2,240,684
Figure 2-3
Cash Flow Sheet
2.3 FINANCIAL ANALYSIS

Financial decisions are based on past performance and projected future performance. For
example, a company may use its financial information to project the sales that would be
generated from a new product line and to estimate the cost of creating that product line. The
key is to determine whether the financial return is worth the expected risk. Return is the
amount of money an investment choice will give back to an investor. Risk is an estimate of the
probability that an investor will gain or lose money. A familiar illustration is the relationship
between credit scores and credit card rates. Lenders view consumers with low credit scores
(due to late payments or defaulted loans) as presenting a greater risk of nonpayment, so the
lenders justify the risk by charging higher rates of interest to increase their return.
Financial analysis involves understanding various profitability measurements and business

risks. The quantitative method of profitability analysis relies on ratios of numbers in financial
statements. The ratios are helpful for comparing performance against expected values in an
industry or against an organization’s historical performance.

2.3.1 PROFITABILITY RATIOS

Profitability ratios aid in quantifying an organization’s ability to generate income beyond
covering expenses. The larger the margin of net income, the more profitable an organization
is. Analysis of profit margins, returns, and earnings is discussed below.
Profit Margins
Profit margins reflect a company’s profitability. The following are different measures of
margins:
x Gross profit margin. By measuring profit based strictly on sales and cost of goods
sold, this figure provides insight into the efficiency of manufacturing a product. The
higher the gross profit margin, the more efficient a company is at producing a
product. If the revenue does not cover the cost of the products, then the product
price may be too low or the manufacturing and materials costs too high. Gross profit
margin is calculated as follows:
Gross Profit Margin = (Revenue – Cost of Goods Sold – General and Administrative
Costs)/Revenue
x Operating margin. This equals earnings before interest, taxes, and amortization
(EBITA) divided by revenue. This margin demonstrates the company’s overall
operating efficiency in producing and selling a product. Operating margin is calculated
as follows:
Operating Margin = EBITA/Revenue
x Net profit margin. This measures net profit after all expenses are included. It summa-
rizes the net income as a percentage of sales. The higher the net profit margin, the
more profitable the company is in its business. Net profit margin is calculated as
follows:
Net Profit Margin = Net Income/Revenue
Figure 2-4 shows the margin values that can be calculated from the income statement in
Figure 2-1. These values show that the company has healthy margins, which dipped slightly
in Year 2 due to growth but then recovered in subsequent years. The growth did not
significantly improve gross margin or operating margin but did boost net margin
considerably. By providing more services and allowing product sales to grow slowly, the
company increased revenue without increasing total expenses.

Gross Margin 20.5% 17.2% 18.2% 19.1% 20.0%
Operating Margin 14.2% 21.1% 13.2% 14.3% 15.3%
Net Margin 8.5% 7.7% 9.1% 10.4% 11.6%
Figure 2-4
Margins
Returns
Two ratios demonstrate how well a firm has done in making money for a reporting period:
x Return on assets (ROA). This ratio demonstrates the organization’s ability to generate
income based on its assets, independent of any financing. It is calculated as follows:
ROA = Net Income/Total Assets
x Return on equity (ROE). This ratio indicates how well a company uses financed assets
to generate income. ROE is calculated as follows:
ROE = Net Income/Shareholder Equity
The practice of borrowing capital to purchase assets that can increase revenue is called
leveraging. For example, by taking out a loan a construction company can purchase more
equipment and hire more people to address a greater demand for the company’s services.
ROA measures how well a company makes profit on assets it already owns; ROE measures a
company’s effectiveness at using loans to generate a profit.
Figure 2-5 shows returns calculated from the income statement in Figure 2-1 and the balance
sheet in Figure 2-2.
Return on Assets 17.6% 18.3% 20.2% 21.1% 21.4%
Return on Equity 100.0% 54.5% 41.4% 34.2% 29.5%
Figure 2-5
Returns

The ROA figures suggest that the company is not focused on using its assets to improve
revenues. In fact, its growth relative to assets remains relatively stagnant.
The ROE numbers reflect the fact that the company had little equity in its business during
Year 1 and Year 2 but much more in subsequent years. The company has been able to
generate a return despite being highly leveraged and exposed to much financial risk.
Earnings
Two earnings-related ratios are commonly examined in financial analysis:
x Earnings per share (EPS). This is a useful metric for a company that has shares that
are publicly or privately owned. EPS represents how much income (or loss) is
generated per share of the organization. It is calculated as follows:
EPS = Net Income/Total Shares
x Price to earnings (P/E). This ratio relates a company’s share price to its EPS. The P/E
ratio is useful in determining whether an organization is fairly valued. It can also be
used to value private shares if an investor is thinking of purchasing an interest in a
private organization. The general benchmark for publicly traded P/E values is around
17. The P/E ratio is derived from the following equation:
P/E = Price per Share/EPS
The various profitability ratios are useful in evaluating whether an organization is meeting
profit targets. A company’s profitability ratios should be compared to those in other companies
or across an industry and also to the company’s past ratios and projected future ratios.

2.3.2 RISK RATIOS

Profitability ratios provide a view of how well a company makes money. However, the ability
to make money must also be compared to the risk an organization faces in its operations.
Financial risk analysis deals with current or projected numbers that are derived directly from
an organization’s financial decisions. This analysis focuses on whether a company will have
the ability to cover expenses and operating costs in the near term as well as the long term.
Several risk ratios are useful in this type of analysis:
x Current ratio. This examines the company’s ability to cover short-term obligations. It
is derived from the following equation:
Current Ratio = Current Assets/Current Liabilities
If the current ratio is greater than one, the company has the ability to cover all its
current liabilities with its current assets. In other words, it can meet its short-term
obligations—assuming that the current assets can quickly be converted to cash
equivalents. Some current assets, such as inventory, may be difficult to convert to cash.
x Quick ratio. This measures an organization’s ability to cover current liabilities with
current assets that can quickly be converted to cash. Such assets include cash,
securities, and accounts receivable. The quick ratio (also known as the acid test) is
calculated as follows:
Quick Ratio = (Cash + Securities + Accounts Receivable)/Current Liabilities
This ratio provides a more accurate picture of an organization’s ability to cover bills
for the current reporting period.
x Debt to equity ratio. This provides a long-term perspective in understanding a com-

pany’s financial health. It does so by analyzing how a company funds its growth and
operations. The debt to equity ratio is based on the following equation:
Debt to Equity Ratio = Total Liabilities/Shareholder Equity
Debt to equity ratios above one demonstrate that a company is highly leveraged and
is financing itself with outside loans and funding. While that approach may result in
faster growth, it may also reduce profit because of interest expenses.

2.4 Limitations of Financial Statement Analysis
Figure 2-6 shows sample risk ratios based on the balance sheet in Figure 2-2.
Current Ratio 16.5 17.2 18.5 20.2 22.2
Debt of Equity Ratio 4.7 2.0 1.1 0.6 0.4
Figure 2-6
Risk Ratios
To generate growth in service sales, the fictional company took on a heavy debt load in the
initial years but paid it back quickly to minimize risk should market conditions turn unfavor-
able.
2.4 LIMITATIONS OF FINANCIAL STATEMENT ANALYSIS

Financial statement analysis has its limitations. The primary limitation is that it does not
directly consider changes in market conditions. The macroeconomic environment (e.g.,
robust growth or recession) greatly affects the way financial statements should be
interpreted. Continued declines in margin may be a result of poor economic conditions
rather than poor company operations. Therefore, it is important to incorporate external data,
including the performance of the company’s sector and other macroeconomic influences.
Another limitation is that all organizations operate differently and target different markets,
even if their industry segments overlap. For instance, if one company is involved in manufac-
turing and services and a competitor simply manufactures products, then the analysis of
each company will yield different results.
The final limitation is that financial ratios are derived from numbers presented in financial
reports, and those reports must be accurate for the ratios to have any meaning. Through the
process of auditing, independent accounting firms attempt to determine whether the
financial statements produced by a company’s internal accountants are complete and
accurate. However, independent auditing firms do not always succeed in that mission.
In the United States, financial frauds involving Enron and WorldCom led to the Sarbanes-
Oxley Act (SOX), officially known as the Public Company Accounting Reform and Investor
Protection Act of 2002. SOX established a new regulatory entity, the Public Company
Accounting Oversight Board, which is meant to monitor the independent auditing of
publicly traded companies. In addition, SOX requires executive officers and chief financial
officers to personally certify financial reports that are released to the public.

2.5 Budgets
2.5 BUDGETS
One of the main purposes for understanding financial accounting and financial analysis is to
be able to establish budgets. A budget is a process for planning where money is to be
allocated for the year. It is a financial tool that estimates costs and revenue and provides a
variance warning mechanism and fiscal uniformity for the company.
Zero-based budgeting, for example, is a process wherein funds are placed in a budget only to
the extent that planned expenditures are justified in detail. It also may force a manager to
consider alternative ways of getting the job done. The budget generally includes both
expenses and expected revenue. Thus, to meet budget requirements, businesses often need
to generate a certain amount of revenue as well as limit spending to predetermined amount.
The budget development process is often viewed as either a top-down or bottom-up process.
A variation on these approaches is to make the process an iterative one, either during its
initial developmental stages or through periodic re-forecasts of the original budget. In each
case, executive management’s choice of strategy will have a far-reaching impact. Some
organizations choose to implement their budget in a top-down approach to impose
performance goals on lower management. An example of this would be executive
management allocating a specific amount of money to the security department without input
from the security department. In a bottom-up approach, frontline managers, who are involved
in the day-to-day operations of their departments or divisions, are their organizations’ best
resource for realistic budget information and would set their own budget. Neither is ideal. A
more practical strategy is a combination of both where the lowest level of input will occur at
the divisional or department level so that executive management can determine a realistic
budget that is in line with the overall financial objectives of the company.
Budgets are usually drawn up on a yearly or other periodic basis. It is essential to maintain
consistency in the budget process so periods can be compared to understand budget effects.
For example, a warehouse for an online retailer must estimate its yearly facilities costs
(including utilities, labor, and leasing costs) so the proper amount of sales revenue can be set
aside to cover those costs.
Budget setting tends to be difficult and politically charged because the amount of capital that
can be spread across all departments is limited. However, budgets are effective tools for
allocating funds to business units based on the expected revenues they will generate. Using
the warehouse example, if the utilities are not paid, then the online retailer will not be able to
use the storage facility. Thus, it is essential to pay business expenses that allow a company to
generate revenue. Also, the line items (specific entries) in budgets can be tracked to ensure
that spending is within its predetermined limits. However, it can be costly to follow budgets
too strictly. Sometimes, spending beyond the budget may be necessary to take advantage of
opportunities that arise.

2.5 Budgets
An effective way to set the value of line items is to look at each budget expense as an
investment and then calculate the expected return on that investment. In other words, one
looks at the benefit of the investment divided by the cost—in simpler terms, cost/benefit.
However, not all returns can easily be measured monetarily. For instance, a line item such as
free lunch for employees may not generate a direct monetary return but may instead
increase employee effectiveness or reduce turnover. To determine whether the lunch
investment creates a greater benefit than other possible investments, such as free gym
memberships for employees, it is useful to calculate the return on investment.
2.5.1 RETURN ON INVESTMENT

Calculating the return on investment (ROI) is an effective way to compare the desirability of
different ways of spending. It also assists in obtaining future budget monies. ROI can be
calculated in two ways:
ROI = [Investment Value at End of Period/Investment Value Beginning of Period] – 1

or
ROI = [(Initial Investment plus Interest Earned (or Lost))/Initial Investment] – 1
ROI is easy to calculate for investments with guaranteed or nearly guaranteed returns, such
as bank deposits. By contrast, ROI is more difficult to calculate for an item like research and
development (R&D), which has a less predictable return. However, a company may be able
to determine its average, historical return on R&D and use that estimate in its ROI calculations.
For example, if company figures show that a $1,500,000 investment in R&D typically returns
$630,000 in revenue within five years, the ROI calculation would be as follows:
ROI = [($1,500,000+$630,000)/$1,500,000] – 1 = 42%
The company may also consider paying down its debt instead of investing in R&D. An ROI
calculation is useful for comparing the two options. Paying additional funds toward debt
reduction is like an investment, and the interest avoided through early debt reduction is like
revenue. If a $2,000,000 investment in debt reduction would save the company $772,000 in
interest payments over five years, the ROI calculation would be as follows:
ROI = [($2,000,000 + $772,000)/$2,000,000] – 1 = 39%
From an ROI perspective, R&D looks like the better choice. However, the ROI analysis does
not consider all factors. For example, it does not take into account the risk that the R&D may
be unproductive. However, despite its limitations, ROI analysis can be useful in determining
which line items of a budget are more important than others.

2.5 Budgets
When it comes to security, measuring return on investment is difficult even though the
department may be adding to the company’s profits by preventing losses such as theft and
damage to company assets. However, the return on the implementation of an effective
security countermeasure can be measured by applying an efficiency versus cost, or cost
versus benefit, ratio to show the long-range cost savings to the company. Also, in some cases
the insurance premiums are lower when risk decreases.
2.5.2 CREATING A BUDGET

A company’s budget takes both big-picture and detailed views. At the executive level, budget
items are clustered in general categories that relate to the income statement. At department
and unit levels, budget items are listed in greater detail. For instance, executive management
may determine that for every million dollars in revenue, production costs are estimated to be
$600,000 (60 percent of revenue). That is a big-picture view. By contrast, specific depart-
ments, such as a production facility, may divide expenses into many categories, such as the
costs of materials, production machines, and labor. One of the reasons lower-level managers
are more likely to accept bottom-up budgeting is because they had a stake in developing it.
Budget line items must be detailed enough that all expected expenses are accounted for but
not so detailed that every screw and nail must be counted.
The budget should be organized to resemble the income statement. That approach generates
the equivalent of a pro forma income statement, which projects future costs and revenue for
a defined period. (By contrast, a normal income statement presents past data.) To project
future revenue, a company may turn to its marketing and sales staff. They may be able to
calculate expected sales revenue based on market data, customer input, and the company’s
product or service offerings. It is unrealistic to expect sales projections to be very accurate.
However, having a general idea of expected revenue enables the company’s various subdivi-
sions to budget appropriately so they can support the expected sales.
For example, if a company manufactures products, its manufacturing operations will need to
estimate the costs of materials, labor, and other components required to create the needed
products. The human resources department must estimate the cost of the benefits it will
need to supply to the company’s personnel. The customer support department can
determine how much money it needs to assist buyers of the product. The requirements for
each unit are based on the company’s expected sales.
Next it is necessary to decide which expenditures to fund and to what degree. That determin-
ation depends largely on the company’s financial strategy. If the company is looking to cut
costs, it must analyze the budget to see where costs can be limited without affecting sales. On
the other hand, if the company is trying to grow quickly, it may need to spend more freely.

2.6 Implementing Financial Strategy and Financial Controls
2.6 IMPLEMENTING FINANCIAL STRATEGY AND FINANCIAL

CONTROLS
To be effective, any financial strategy (cost reduction, rapid growth, or other) must be imple-
mented and overseen with appropriate controls. Implementation depends greatly on clear
communication of the strategy, its purposes, and its expected results. For example, if
production managers understand that the company’s financial strategy is to reduce costs,
they can organize their activities to support that goal. If they do not understand the strategy,
they may focus on the wrong goal and undermine the strategy.
Budgets, too, must be aligned with the company’s financial strategy. If a defined profit
margin is to be achieved, executive-level management must work with the sales and produc-
tion teams to determine the optimal price at which to sell the product and the cost at which
it can be produced. From that discussion, budgets can be established. If a department is
expected to grow, its budget should be flexible so the department can pursue business
opportunities as they appear. However, spending must be carefully managed so the business
can still cover expenses.
Controls need to be in place to monitor execution of a financial strategy and to prevent

fraud. Such controls are implemented through accounting processes and internal auditing.
Financial controls monitor spending in reference to budget allocations. If more or less
money than was budgeted is spent, the situation should be investigated. It is possible for
fraud to be present even when spending is on budget.
Establishing a solid financial strategy is essential to keeping an organization competitive and

able to adapt to changes in the marketplace. The strategy is derived from a thorough analysis
of the company’s current financial situation and its intended financial goal. Communicating
the strategy to employees, investors, vendors, suppliers, and other stakeholders boosts confi-
dence and makes it possible for all to focus on creating success from the strategic direction.

CHAPTER 3
STANDARDS IN SECURITY
3.1 INTRODUCTION TO STANDARDS

A standard is a set of criteria, guidelines, and best practices that can be used to enhance the
quality and reliability of products, services, or processes. Standards are part of everyday life,
and the average person gives them little thought. Many modern conveniences are made
possible by standards: light bulbs fit into lamps, files transfer over the Internet, and
automated teller machine (ATM) cards work around the world. More than 95,000 standards
are recognized in the United States alone (Siegel & Carioti, 2008). Because of the world’s
numerous national and international standards, many parts, processes, and systems work
regardless of who creates or performs them, who uses them, and where they are used.
Standards are also used in the security arena. When they are developed in accordance with
the principles of consensus, openness, due process, and transparency, they can help nations,
communities, societies, organizations, and individuals improve their resilience in the face of
security threats, both natural and man-made.
In the past, some parties expressed concern that security standards, even though voluntary,
might in practice force security professionals to conduct their work in a prescribed manner.
Others observed that security standards, when written in general terms, would allow security
professionals sufficient latitude in how they perform their jobs. Regardless of one’s view, the
trend toward international security standards is under way, and security professionals can
best influence the development of those standards by getting involved instead of leaving
standards development to nonsecurity personnel. Moreover, adopting robust security

3.1 Introduction to Standards
standards may also reduce calls for intrusive government regulations—which would likely tie
security professionals’ hands more tightly than voluntary standards ever could. Thus,
standards development may not only help security professionals coordinate their efforts
around the globe but also preserve their freedom to employ their professional judgment as
they carry out their responsibilities.
In a nutshell, security standards have arrived, more are under development, and they are
likely to work best when security professionals participate in their development.
3.1.1 CHARACTERISTICS OF STANDARDS

A standard may address a product, service, or process. A standard itself is voluntary and is
hence different from a regulation. However, a regulation may require compliance with a
standard.
Over time, standards have evolved from a technical issue to a business issue of strategic
importance. When a well-developed standard is in place, it brings benefits to many parties.
Businesses can use standards to develop products and services that are widely accepted,
enabling those businesses to compete freely in markets around the world. Customers can
choose from a wide variety of products and services that are compatible with each other.
Customers can also more easily judge product quality if a product is in conformance with
certain standards.
Standards are of nine main types: basic, product, design, process, specification, code,
management systems, conformity assessment, and personnel certification. They require
periodic review to remain relevant and state-of-the-art.
3.1.2 BENEFITS OF STANDARDS

Security standards can play several roles in making a security professional’s job easier. They
may do any or all of the following:
x Codify best practices and processes and share lessons learned. The idea is not to
develop statements that are prescriptive but to share in a generic fashion what works
best, how it works, and how it can be used to help improve the services and activities
that an organization participates in. Unlike, for example, a standard addressing light
bulb dimensions, which must be highly specific to be useful, security management
standards do not dictate particular quantities (of staff or equipment) or techniques that
must be used.

x Provide tools to assess threats, risks, vulnerabilities, criticalities, and impacts. A

challenge in risk assessment is that different parts of an organization may not know
how the other parts conduct and document their risk assessments. Thus they may have
no way of measuring improvement consistently across an organization. Security
standards can add consistency in this activity.
x Define measurement methods. Standards provide guidance on benchmarks and
testing methods and protocols.
x Document equipment performance requirements to ensure effectiveness and safety.
Standards can help define how effectively and how safely different types of equipment
perform.
x Establish design requirements for devices, systems, and infrastructure to withstand
threats. These specifications make it easier to design systems and sell equipment
across borders.
x Define effective methods for identification of individuals. Again, standards can
provide a useful consistency.
x Enhance cross-jurisdictional information sharing and interoperability. Standards
help in this regard when they develop communication and interoperability protocols.
Disaster response works much better when responders can communicate with each
other and when their equipment works with the equipment used by other responders.
x Provide for consistency of services. Standards help define benchmarks for service
delivery and provide frameworks for consistent performance.
A famous illustration of the cost of nonstandard equipment is the Great Baltimore Fire (Seck
& Evans, 2004, pp. 6-7):
Fire equipment responding from different cities to the Great Baltimore Fire in 1904 were
hampered or rendered useless by the incompatibility of hose and fire hydrant connections …
When fire hoses were first manufactured, the threads used to couple them differed among all
the manufacturers. The same is true with the fire hydrant connections … Differences in hose
connections on the hydrants, both diameters and threads, were part of the design that
protected manufacturers from competition. Cities with different hydrant suppliers had fire
fighting water supply systems with connections that were incompatible with those in other,
sometimes neighboring, communities. History demonstrates that in major urban fires, the
inability of fire fighting apparatus from other areas to utilize the water supply, because of
incompatible hose connections, was a contributing factor to increased fire damage.
The lack of uniform threads is commonly cited as a factor in the massive destruction of the
th
Great Baltimore Fire that started on Sunday afternoon, February 7 , 1904 … Engine
companies from Washington, DC, transported by train, arrived in Baltimore to assist in fire
fighting a few hours after the fire started. Unfortunately, their hoses would not fit Baltimore
hydrants due to the difference in threads. The fire continued to claim block after block of

buildings in the Baltimore business district as more fire companies arrived from surrounding
cities and counties, Altoona, Annapolis, Chester, Harrisburg, New York, Philadelphia,
Wilmington, and York. Some of the responding fire companies’ hoses fit the Baltimore
hydrant connections; others did not.
After the fire, the National Fire Protection Association adopted a national standard for
hydrant connections. Interestingly, 100 years later, only 18 of the 48 most populous U.S.
cities had installed national standard fire hydrants (Seck & Evans, 2004, p. 6).
rd
The issue of standards-based compatibility remains important. At the ASIS International 53
Annual Seminar and Exhibits in 2007, Stefan Tangen, ISO/TC 223 Secretary from the Swedish
Standards Institute, told attendees, “When standards work, you just don’t notice them. You
take them for granted. But when they are not working, then they become a problem.” He
offered the example of a bridge linking Malmo, Sweden, to Copenhagen, Denmark, which was
designed to comply with both countries’ road and rail standards. Unfortunately, planners did
not harmonize emergency standards for equipment such as fire hoses (Plentiful Preseminar
Programs, 2007, p. 44).
Likewise, F. Mark Geraci, CPP, Chairman of the ASIS Commission on Standards and
Guidelines, has observed, “Today’s security issues and challenges transcend borders and
jurisdictions. Natural disasters and intentional disruptions … do not recognize boundaries.
Therefore, ASIS is behind the effort to eliminate confusion by supporting … standards” (ASIS
Supports Global ISO Standards, 2008, p. 93).
3.1.3 STANDARDS DEVELOPMENT ISSUES

Standards are developed on several levels: national, regional, and international. The follow-
ing issues apply at all those levels.
Many Players Involved

Although ASIS is the largest membership organization of security professionals in the world,
many organizations other than ASIS have developed security standards. For example, ASTM
International (formerly the American Society for Testing and Materials) has developed
standards for high-rise evacuation equipment to be used when primary routes to a safe zone
are cut off, as well as standards related to homeland security, including one on the selection
of antiterrorism physical security measures for buildings and hospital preparedness. In fact,
ASTM has more than 100 active standards relating to a broad range of security concerns.
Similarly, the National Fire Protection Association (NFPA) has issued several standards regard-
ing security issues, including standards on premises security and installation of electronic
premises security systems.

Other security standards have been developed by various government agencies (including,
in the United States, the Department of Agriculture) and by such organizations as the
American Chemistry Council and the Biometric Consortium. Many countries have their own
standards organizations (such as the American National Standards Institute in the United
States, the Deutsches Institut für Normung in Germany, and the Japanese Industrial
Standards Committee. With 159 member countries, the International Organization for
Standardization, ISO, is the world’s largest standards developer. Based on international
consensus, ISO standards address the global business community.
To influence the direction of security standards worldwide, ASIS launched its Global
Standards Initiative, which is discussed in detail in Section 3.5 below.
Standards Determined by Need

Standards are generally developed to address specific needs, such as technical issues; health,
safety, or environmental concerns; or quality or compatibility requirements. It is important
to know why a standard is needed before deciding what type of standard will best suit those
needs. It is also important to assess whether the marketplace will support the standard. If
not, as in the case of fire hydrants and hose couplings discussed above, the effect of the
standard will be limited.
In addition, it is important to assess whether, instead of developing a new standard, an

existing standard could be adopted or revised.
Broad Stakeholder Participation Beneficial

A standard is more likely to be accepted when it is jointly developed by all interested parties
or stakeholders. These are groups or individuals with an interest in the content of the
standard. Producers, users, and others may be included as stakeholders, representing such
parties as manufacturers, professionals, government authorities, educators, and consumers.
Experienced standards developers note that security professionals who participate in

standards development should be sure to attend the relevant meetings. Security
professionals may serve as development committee members or leaders or as subject matter
experts. No matter the capacity in which they serve, by serving on technical committees or
attending meetings they will increase their influence, gain from valuable discussions, keep
up with all circulated documents, demonstrate their interest, and boost their credibility.

3.2 Development of International Standards: ISO Example
3.2 DEVELOPMENT OF INTERNATIONAL STANDARDS:

ISO EXAMPLE
The International Organization for Standardization, called ISO, is the world’s largest
developer and publisher of international standards. Its name is not an acronym but comes
from the Greek word isos, meaning equal. Based in Geneva, Switzerland, ISO is a network of
the national standards institutes of 159 countries.
ISO is a nongovernmental organization bringing together stakeholders from the public,

private, and not-for-profit sectors. It serves as a central point where standards bodies from
around the world—and the organizations that participate in them—can gather to develop
standards jointly. ISO standards address products (e.g., so USB drives will work anywhere in
the world), processes (e.g., how to perform quality control or provide security services), and
other issues.
ISO does not regulate, legislate, or enforce. However, ISO standards often become recognized
as industry best practices and de facto market requirements. Therefore, what ISO does is
important to the security profession worldwide. Because ASIS has liaison status with various
ISO Technical Committees, ASIS is able to play a leading role in shaping standards that will
affect security practice.
3.2.1 CHARACTERISTICS OF ISO STANDARDS

ISO standards are built on the following pillars:
x Equal footing of members. Each participating member (country) in ISO has one vote.
x Market need. ISO develops only those standards for which there is an identified market
need or that facilitate international or domestic trade.
x Consensus. ISO standards are not decided on a majority vote. Rather, they are based
on consensus among the interested parties. All major concerns and objections raised
during the development of the standard must be addressed to the satisfaction of the
participants in the relevant committee. ISO comprises approximately 3,000 technical
groups (including technical committees, subcommittees, working groups, and other
bodies) in which more than 50,000 experts participate annually. The organization
employs a transparent process for developing standards.
x Voluntary participation and application. Participants in the ISO standards
development process are not paid to participate; rather, they work on a standard
because it is important to them. Moreover, ISO has no legal authority to enforce
implementation of its standards. Its standards are simply meant to be a benefit to the
marketplace. In ISO terminology, an organization comes into conformity with a stan-
dard, not compliance.
x Worldwide applicability. ISO standards are designed to be globally relevant.

3.2 Development of International Standards: ISO Example
3.2.2 ISO STANDARDS DEVELOPMENT PROCESS

ISO standards development work is carried out by technical committees that focus on
specific areas of expertise. For example, in the security field ISO has the Societal Security
Committee (ISO/TC 223); other committees address environmental management, quality
management, and a variety of technical specifications.
These technical committees include experts from the industrial, technical, academic,
governmental, and business sectors that have asked for the standards and will put them to
use. Other members include representatives of organizations interested in or affected by the
standard’s subject matter. The committees prize balance, openness, and impartiality to
ensure that the content of a standard is relevant, credible, and broadly acceptable (How are
ISO standards developed? 2008).
ISO has a detailed, written process for moving a proposed standard through the various
stages of development and adoption. The slow, deliberative process is designed to build up
the credibility of the standard. By the time the standard is completed and sent into the
marketplace, it has a large constituency (those who participated in its development) that can
increase the standard’s acceptance. In most cases, the countries that participate in standards
development at the ISO level adopt ISO standards as their national standards.
Each national standards-developing organization that serves as a member of an ISO technical

committee is encouraged to establish a national mirror committee or technical advisory group
of subject experts and interested parties. These mirror committees are broadly inclusive and
typically comprise industry experts, government representatives, consumers, and others who
might be affected by the standards. Members of the mirror committees meet to discuss
development of the standards. Individual countries have their own processes for deciding who
may participate in their mirror committees. Mirror committees frequently charge a
participation fee for voting members. Liaisons are exempt from the participation fee and do
not vote. Observers pay the participation fee and do not vote.
Participation in a mirror committee is a convenient option for people who want to take part
in standards development but are unwilling or unable to travel internationally. A mirror
committee advises its country on what position it should take on the documents being
developed. The committee reviews the documents as they are being prepared and prepares
comments to submit to the ISO technical committee developing the standard. Then some
members attend ISO plenary meetings or technical committee meetings, present the
country’s position, and try to get their country’s views reflected in the standard. In brief, a
mirror committee’s main responsibility is to develop a national consensus to present to ISO.
In ISO, one of the committees working on security activities is ISO/TC 223: Societal Security.
The committee has a broad scope, addressing security, business continuity, crisis manage-

3.3 Development of National Standards: U.S. Example
ment, disaster management, and emergency response. The committee examines crisis
management and organizational continuity related to all types of disasters and disruptions,
including intentional attacks, unintentional accidents, and natural disasters. The committee
focuses on what an organization should do before, during, and after an incident. The
committee also addresses interaction and interoperability between organizations.
3.3 DEVELOPMENT OF NATIONAL STANDARDS: U.S. EXAMPLE

The American National Standards Institute (ANSI) was formed in 1916 to serve as a clearing-
house for Standards Developing Organizations (SDOs) in the United States. The Institute
oversees the creation, promulgation and use of thousands of standards that directly impact
businesses in nearly every sector: from acoustical devices to construction equipment, from
dairy and livestock production to energy distribution, and many more. ANSI is also actively
engaged in accrediting programs that assess conformance to standards—including globally-
recognized cross-sector programs such as the ISO 9000 (quality) and ISO 14000 (environ-
mental) management systems.
3.3.1 CHARACTERISTICS OF ANSI STANDARDS

ANSI is the administrator and coordinator of the U.S. private sector voluntary standard-
ization system. It is a decentralized system that is partitioned into industrial sectors and
supported by hundreds of private sector standards-developing organizations (SDOs). An
SDO is an organization, company, government agency, or group that develops standards,
including professional societies, industry and trade associations, and membership organi-
zations that develop standards within their areas of expertise.
ANSI is the only accreditor of U.S. voluntary consensus SDOs. Of the approximately 600
SDOs in the United States, some 200 are accredited by ANSI as developers of American
National Standards. Examples of ANSI-accredited standards developers are ASIS Interna-
tional, the National Fire Protection Association, and the Security Industry Association. ANSI
also conducts programs for accrediting third-party product certification.
ANSI is the sole U.S. representative to and dues-paying member of the two major non-treaty
international standards organizations: ISO and the International Electrotechnical Commis-
sion (IEC). The institute is designed to support a broad range of stakeholder engagement,
address emerging priorities and new technologies, and allow stakeholders to find the
solutions that best fit their needs. In addition, the ANSI system is market driven, flexible,
sector based, led by the private sector, and supported by the U.S. government.

3.3 Development of National Standards: U.S. Example
The ANSI federation represents more than 125,000 companies and organizations and 3.5
million professionals worldwide. Members include academicians, individuals, government
agencies, manufacturers, companies, trade associations, professional societies, service
organizations, standards developers, consumer and labor interests, and more (About ANSI
Overview, 2008).
3.3.2 ANSI STANDARDS DEVELOPMENT PROCESS

The ANSI standards development process is designed so that standards users, not standards
bodies, drive standardization activities. The process places a high degree of confidence in
private-sector solutions for both regulatory and non-regulatory functions. The process is
deliberately decentralized and provides a strong voice to standards users and individual
stakeholders.
ANSI accreditation, mentioned earlier, signifies that the procedures sponsored by an SDO
satisfy ANSI’s requirements for an open, fair, consensus-based process that benefits
stakeholders and the American public. Procedures provide due process and legal safeguards.
Developers retain some flexibility in how they satisfy ANSI’s requirements. ANSI accredi-
tation is a precondition for submitting a standard for approval as an American National
Standard.
The emphasis on proper procedures is crucial for mitigating the risks of standards-developing
activities. The procedures require the following:
x openness, with no barriers to participation

x timely and adequate notice of the initiation of development of a standard
x a resolution process with a balance of interests
x clearly and fairly defined interest categories
x careful consideration, answering, and addressing of all views and objections
x reporting of any unresolved objections to committee members
x keeping of careful meeting records
x an appeals process
ANSI approval of a standard means the standard was developed in accordance with ANSI’s
requirements and is subject to ANSI’s procedural oversight, due process, and audit. The ANSI
designation means the standard was developed through a process that includes the following:
x consensus by a group that is open to all materially affected and interested parties
x broad-based public review and comment on draft standards
x consideration of and response to comments submitted by voting members of the
relevant consensus body, as well as by the public

3.4 Management Systems Standards
x incorporation of submitted changes that meet the same consensus requirements into
a draft standard
x availability of an appeal by any participant alleging that these principles were not
respected during the standards process
x lack of requirement for compliance unless the standard is adopted into a regulation
or statute
ANSI also examines any evidence that a proposed national standard is contrary to the public
interest, contains unfair provisions, or is unsuitable for national use.
3.4 MANAGEMENT SYSTEMS STANDARDS

Of the several types of standards, one particular type will likely have a large impact on the
way security professionals work: management systems standards. The term management
system refers to the organization’s method of managing its processes, functions, or activities.
Management systems standards are designed to help organizations improve the ways in
which they provide services and perform processes.
Management systems standards are widely accepted and used in many fields and disciplines.
The most famous management systems standards are ISO 9001:2008 Quality Management
Systems—Requirements and ISO 14001:2004 Environmental Management Systems—
Requirements with guidance for use.
3.4.1 CHARACTERISTICS OF MANAGEMENT SYSTEMS STANDARDS

Management system standards are developed to be generic. They are designed to fit all sizes
and types of organizations: private, public, faith-based, not-for-profit, etc. By taking a
generic perspective, these standards avoid becoming overly prescriptive and including
approaches that will be too difficult for some organizations to conform to. They provide a
framework for what an organization should do while leaving how to do it at the discretion of
the organization based on its financial and operating environment.
A management systems standard can help an organization in several ways. For example, a
company in conformity with a management systems standard may thereby give its
customers, suppliers, and other stakeholders greater confidence in its reliability. Likewise, a
company that supplies materials to a large manufacturing corporation (that must meet
certain environmental standards) may better satisfy that company if it can show that it is in
conformity with the ISO 14001 environmental management systems standard. In the same
vein, if a company wishes to supply a critical piece in a supply chain, the customer may be
happy to know that the prospective supplier is in conformity with the ISO 28000:2007

Specification for Security Management for the Supply Chain and/or the ANSI/ASIS
Organizational Resilience Standard. The customer may feel the supplier is less likely to suffer
a disruption that would halt the customer’s production process.
Management systems standards also provide organizations with a forum and mechanism for
complying with regulations, industry requirements, and best practices. Of course, these
standards are not regulations. Instead, they are tools to help an organization meet its goals,
whether in terms of quality, environmental concerns, safety, security, preparedness, or
continuity. Most management systems standards are based on the Plan-Do-Check-Act
(PDCA or Deming Cycle) model of total quality management (TQM), which was developed
decades ago and has been proven in the field of management.
In sum, management systems standards include very generic requirements. They set a
framework for a holistic, strategic approach to management. They address what an org-
anization should do while leaving the details of how to achieve its objectives to the
organization. The organization then has the flexibility to define the scope of the program and
the means of implementing it.
Moreover, an organization can strive to be in conformity with a management systems

standard throughout the organization or only in a part of it. The standard’s generic quality
also means the standard can work in different business cultures and different nations.
Why Management Systems Standards Work

The process of implementing a management system—and thereby coming into conformity
with a management systems standard—is meant to address the specific needs of the
organization. The process requires examination of the organization’s assets, management’s
expectations, the organization’s objectives, communication needs, measurements of success,
and potential risks that could keep the organization from reaching its objectives. The
implementation process encourages the organization to pay attention to the needs of the
many interested parties—employees, suppliers, financers, the local community, and society
as a whole—that may be affected by the organization’s operations.
Because a management systems standard focuses on the organization’s goals, implementing

a management system requires engaging top management. Doing so is the necessary first
step in the process. By gaining the approval and insights of top management, the person
implementing the management system can identify the goals, mission, and vision of the
organization and clarify how its critical functions, activities, and services are defined. That
information helps define the path toward which the management system will lead the
organization. Among other benefits, a management system provides a factual basis for
decision making and a system for continual improvement.

The bottom line is that in working toward conformity with a management systems standard,
the implementer is changing the organization’s culture. In the case of a security management
systems standard, the implementer embeds a culture of security into the organization so all
stakeholders understand that security is an important objective of the organization and that
they are involved, will be held accountable, and should commit themselves to achieving the
goals named in the management system.
Use of Management Systems Standards in Security

As management systems standards become more common in the security field, security
professionals face a change in their vocabulary—they will have to learn “management-
speak.” This change is likely to give them a professional advantage. When organizations’
environmental officers began to implement the ISO 14000 environmental management
systems standard, they had to learn to communicate by using the same words and concepts
that their top management used. They were able to justify their effort by putting it in terms
that management used in carrying out the organization’s mission. By learning that language,
environmental officers were elevated to the status of management.
The same concept applies to security professionals. Being able to describe security goals in
terms that management uses helps both parties. Management will better understand
security issues, and security professionals will better understand management issues, which
are really the issues of making the organization successful. Security then may be viewed as a
strategic business and operational issue.
3.4.2 BENEFITS OF MANAGEMENT SYSTEMS STANDARDS

A management systems standard can benefit an organization by doing the following:
x Establishing benchmarks. These enable the organization to measure its progress and
outcomes. The implementer must demonstrate that the management system is
effective, and benchmarks help in doing so.
x Forcing the organization to systematically identify risks and problems as well as
potential solutions. Many organizations skip this step, make false assumptions, and
therefore focus on issues that do not matter and ignore important ones.
x Including more participants. A management systems standard requires the org-
anization to include all levels of employees and stakeholders in planning. This more
inclusive approach encourages normally reserved people to step forward and identify
problems the organization may have overlooked. It also gives more people a sense of
ownership of the process. They will then be more likely to get involved and participate
in reaching the goals of whatever management system is being implemented (e.g.,
quality, environmental, security).

x Providing problem-solving and decision-making tools. The standard also links those
tools to personnel training that will help employees do what the organization needs to
reach its goal.
x Leading the organization to study how standard operating procedures and
operational controls can enhance the organization’s performance. Often organi-
zations find that implementing a management systems standard improves their
production and quality of service in ways completely separate from the standard’s
particular goal.
x Protecting the organization’s reputation or brand. In many cases, implementing and
conforming with a management systems standard gives others greater confidence in
the organization. News reports often show how a minor mistake, such as a breach of
information security or a contamination problem, causes a company to lose market
share or stock value. Better management systems can help prevent mishaps that lead
to reputational damage.
x Providing a model for continual improvement. A management systems standard does
not call for a one-time action and specific output. Rather, the management system it
leads to is an ongoing system. When an organization is audited for conformity, it is
checked not for specific performance but for a mechanism for improving performance.
x Helping an organization coordinate its resources and programs. These may include
structure, responsibility, training, awareness, operational controls, and communica-
tion; policy and management commitment; planning and program development;
review and improvement; checking and corrective action; knowledge of the
organization; and planning, risk assessment, and impact analysis. These are all
important, but in the absence of an effective management system, they may be like
unconnected puzzle pieces and may not be usable in an effective, coordinated way.
Some specific outcomes that a management systems standard is likely to lead to include
better organizational performance through improved capabilities; strategic alignment of
improvement activities at all levels of the organization; the flexibility to react quickly to
opportunities and a changing environment; and optimization of resources.

3.4.3 PLAN-DO-CHECK-ACT CYCLE

The Plan-Do-Check-Act (PDCA) cycle is the operating principle of ISO’s management
systems standards. Also sometimes called the Assess-Protect-Confirm-Improve model, it is
an approach to structured problem solving focused on continual improvement. It works as
follows:
Plan This most critical stage calls for identifying and analyzing the organization’s
problems—events that could disrupt operations—and assets. One identifies
the root causes of those problems and begins to rank them in terms of
importance.
Do Here one looks at the planning analysis, devises a solution, prioritizes next
steps, and develops a detailed action plan. The key word is action. The goal
is not to write a manual that sits on the shelf, gathering dust. Rather, the goal
is to develop a plan that will be used actively to engage the organization and
address problems and their causes—and then to implement that plan.
Check At this step, one examines the solutions devised to address the problems.
The point is to check whether the solutions are producing outcomes that
are consistent with the plan. It is necessary to have a way of identifying
deviations so one can analyze why some measures might not be working
and how they can be improved.
Act If the solutions are in fact addressing the organization’s problems, it is time
to act to standardize those solutions throughout the organization, review
the current list of problems, and start defining new problems and issues.
This is where the cycle, in effect, begins again.
A good way to start this process is to focus initially on a problem that is relatively easy to
solve. Picking a solvable problem provides practice in using the management system and
demonstrates the system’s effectiveness before the organization moves on to more serious or
difficult problems.

Plan
Define & Analyze a
Problem and Identify the
Root Cause
Act Do
Devise a Solution
Standardize Solution
Develop Detailed Action
Review and Define Next Issues Plan & Implement It
Systematically
Check
Confirm Outcomes Against Plan
Identify Deviations and Issues
Figure 3-1
Plan-Do-Check-Act-Cycle
3.4.4 WELL-KNOWN MANAGEMENT SYSTEMS STANDARDS

The most famous management systems standards (used by more than a million organizations
in 161 countries) are the ISO quality management systems standard and environmental man-
agement systems standard. These have been around for several decades and have proven to be
very efficient.
The ISO 9000 family of standards addresses quality management to help an organization
meet customers’ quality requirements, enhance their overall satisfaction, satisfy regulatory
requirements, and continually improve the organization’s performance in pursuit of these
objectives. The ISO 14000 family of standards addresses environmental management, which
is a way of looking at the organization’s activities, products, and services to gauge their
environmental effect, find ways to minimize any harmful effects, and improve the cost-
effectiveness of the organization’s processes.
All ISO management systems standards are implemented using the same process and have
the same structure and components. Thus, a single, well-designed management system
within an organization can be used to show conformity to several standards.

3.5 ASIS Global Standards Initiative
3.5 ASIS GLOBAL STANDARDS INITIATIVE

ASIS began its Global Standards Initiative (GSI) in 2007 to position itself as a world leader in
international security standards development. The move was driven by members who noted
a lack of a voice for security professionals in the standards being developed within various
countries as well as internationally. It was also driven by members involved in cross-border
activities, who faced different sets of rules and procedures every time they reached a national
or jurisdictional border. These members urged ASIS to get involved at the ISO level to
promulgate a more global perspective in security planning.
3.5.1 PROCESS
An early step taken through the GSI was to have ASIS gain approval as a liaison in the major
national and international standards bodies. Not being a country, ASIS cannot participate
directly in ISO as a national member. However, as an international organization, ASIS was
able to seek liaison status, which enables full participation except for voting. Through the
GSI, ASIS is also developing strategic partnerships with other standards-developing bodies
around the world.
ASIS encourages its members to help identify standards of high priority to security
professionals and then to participate in developing drafts for circulation at the national,
regional, or international level. The goal is to get involved in the development of standards
regarding issues where standardization will make security professionals’ jobs easier and
improve the quality of security service delivery. Specifically, ASIS encourages members to
participate in developing standards on mirror committees in their home countries.
ASIS is also an ANSI accredited SDO. The GSI is actively developing ANSI American National
Standards (ANSI-ANS) in the U.S. As an example of ASIS standards-developing activity,
Figure 3-2 illustrates the ANSI-certified process ASIS follows to develop American National
Standards.
This chapter focuses on standards. It is worth noting, however, that before becoming
involved in standards, ASIS promulgated several guidelines. They were meant to be less
formal than standards in the sense that an organization could use some, none, or all of a
guideline’s elements—there was no issue of being in formal conformity. ASIS began issuing
guidelines in 2001 to help the private sector secure its business assets and critical
infrastructure. Where applicable, these guidelines are being modified into different types of
documents: either actual standards or handbooks for implementing actual standards. The
latter type is appropriate when the original guideline is too detailed and prescriptive to be a
standard but contains much useful guidance that practitioners may want to know as they
apply a standard.

ASIS conducts the five-day Security Lead Auditor Course for ISO 28000:2007, which is
accredited by the Registered Accredited Body, USA and Quality Standards Australia
(RAB/QSA). Upon successful completion of the program, participants receive the
internationally recognized Lead Auditor Competency Certification.
ASIS is also providing implementation guidance for ISO standards; leading education and
training on standards and guidelines issues; and developing auditor training and
certification (for auditing conformity with standards).
Start
ASIS and S & G

Commission
Identifies
Need for Standard
S & G Commission Committee Develops

Committee Chair Working Group
Establishes Standard HQ and Committee Draft Standard and
And Vice Chair Reviews/Revises
Committee and Initiates Develops Voting Body Assigns Working
Appointed Draft Standard
Project Group
HQ Completes ANSI HQ Sends Letter

PINS Form Submitted No HQ Submits ANSI
Project Initiation Comments Ballot to Voting Body
to ANSI for 30-Day BSR8 Form for 45
Notification (PINS) Received? for Draft Standard
Comment Period Day Public Review
Form Approval
Yes
Yes
Committee Reviews Yes Substantive

Comments
Comments and Makes Revisions
Received?
Appropriate Revisions Required?
No No
Draft Standard
Approved
End
HQ Submits ANSI Form

ANSI Approval and BSR9 for Approval/
Publication Appeals Process (See
pg. 2 for Appeals Process)
Figure 3-2
ASIS Commission on Standards/American National Standards Institute
Standards Development Process

3.5.2 PRODUCT STATUS

This section describes the status of various security-relevant standards and guidelines.
Because ASIS is converting some of its guidelines into standards or into products that
accompany standards, both guidelines and standards are listed below.
ASIS Guidelines
The following are the ASIS guidelines that are published or under development as of March
2011. All published guidelines can be downloaded from http://www.asisonline.org/guidelines/
published.htm.
x Chief Security Officer Guideline (2008). This guideline addresses the key responsibilities,
skills, and qualifications needed in an organization’s senior security executive. Status:
published.
x Facilities Physical Security Measures Guideline (2009). This guideline provides a

methodology to select appropriate physical security measures to safeguard an
organization’s assets. Status: published.
x Threat Advisory System Response Guideline (2008). This provides private industry
with possible actions to implement at various U.S. Department of Homeland Security
alert levels. Status: published.
x Information Asset Protection Guideline (2007). This offers general protection advice
for an entity’s information assets, including proprietary, classified, and other sensitive
materials. Topics include collection, storage, dissemination, and destruction. Status:
published.
x Preemployment Background Screening Guideline (2009). This guideline helps

employers understand and implement the fundamental concepts, methodologies, and
legal issues associated with the preemployment background screening of job
applicants. Status: published.
x Business Continuity Guideline: A Practical Approach for Emergency Preparedness,

Crisis Management, and Disaster Recovery (2005). This guideline outlines various
interrelated processes and activities—including readiness, prevention, response,
recovery/resumption, testing and training, evaluation, and maintenance—that can be
used in creating, assessing, and sustaining plans for use in a crisis that threatens an
organization’s viability and continuity. Status: published.
x Workplace Violence Prevention and Response Guideline (2005). This offers useful
ways to maintain a safe and secure work environment. Means include identifying,
evaluating, and controlling potential hazards and conducting employee informational
training. Status: published.

x Private Security Officer Selection and Training Guideline (2010). This guideline sets
forth minimum criteria for the selection and training of private security officers. The
criteria may also be used to provide regulating bodies with consistent minimum
qualifications. Status: published but under revision.
x General Security Risk Assessment Guideline (2003). This provides a seven-step

methodology for identifying and communicating security risks at a specific location. It
also addresses appropriate solutions. Status: published.
ASIS Standards
The following are the ASIS American National Standards that are finished or under
development as of March 2011. All published standards are available at http://www.
asisonline.org/guidelines/published.htm.
Many of these standards are being worked at the international level as well.
x Chief Security Officer (CSO) Organizational Standard (2008). The standard provides a
model for organizations to use when developing a leadership position responsible for
providing comprehensive, integrated risk strategies to protect an organization from
security threats. The CSO’s role may be viewed as a stand-alone position or one that
has been incorporated within an organization’s existing leadership team. The standard
details the CSO reporting relationship, key responsibilities, core competencies,
experience, education, and compensation. It also provides a model position
description. Status: published as an ANSI-ANS.
x Organizational Resilience: Security, Preparedness and Continuity Management

Systems—Requirements with Guidance for Use (2009). Using the Plan-Do-Check-
Act approach, this standard provides steps necessary to prevent, prepare for, and
respond to a disruptive incident. It lists generic auditable criteria for establishing,
checking, maintaining, and improving a management system that enhances
prevention of, preparedness for, mitigation of, response to, and recovery from dis-
ruptive incidents. An annex to the standard provides guidance on system planning,
implementation, testing, maintenance, and improvement. Status: Status: published as
an ANSI-ANS.
x Business Continuity Management Systems Requirements with Guidance for Use

(2010). This joint ASIS/BSI ANSI standard includes auditable criteria for preparedness,
crisis management, business and operational continuity and disaster management. It
uses a management systems process approach according to the Plan-Do-Check-Act
model and is based on the British Standards Institution’s standard on business
continuity, BS 25999. Status: published as an ANSI-ANS.

x Workplace Violence Prevention and Intervention (2011). Joint standard with the
Society for Human Resource Management (SHRM) that provides an overview of
general security policies, processes, and protocols that organizations can adopt to help
prevent threatening behavior and violence affecting the workplace and better respond
to and resolve security incidents involving threats and episodes of actual violence.
Status: Published as an ANSI-ANS for WVPI.
x Auditing Management Systems for Security, Preparedness and Continuity Manage-

ment with Guidance for Application. Management systems standards emphasize the
importance of audits as a management tool for monitoring and verifying the effective
implementation of an organization’s policy. Moreover, audits are an essential part of
conformity assessment. This standard addresses the systematic, objective activities
in evaluating management system performance for security, preparedness, and
continuity management. Status: Under development.
x Physical Asset Protection. This standard uses the Plan-Do-Check-Act approach to
identify, apply, and manage physical security measures to safeguard an organization’s
assets—people, property, information, and intangibles—that are based in facilities (not
in transit). It describes a process that includes setting goals; identifying, assessing, and
managing risks; and selecting appropriate physical security measures. The standard
describes basic functions of physical security measures in deterrence, detection, delay,
and response. Status: Under development.
x Organizational Resilience Maturity Model—Phased Implementation. Standard
describes a maturity model for phased implementation of the ANSI ASIS Organi-
zational Resilience Standard as a series of steps designed to help organizations evaluate
where they currently are with regard to resilience management and preparedness, set
goals for where they want to go, benchmark where they are relative to those goals, and
plot a business sensible path to get there. The model outlines six phases ranging from
no process in place for resilience management to going beyond the requirements of
the Standard. It can be used in conjunction with the ANSI ASIS Organizational
Resilience Standard or as a tool for continually improving a generic resilience manage-
ment and preparedness program. Status: Under development.
x Management Systems for Quality of Private Security Company Operations—
Requirements with Guidance. Provides requirements and guidance for a management
system with auditable criteria for Quality of Private Security Company Operations
(PSC), building on the Montreux Document on pertinent legal and security companies
in conditions where the rule of law has been undermined by conflict or disaster.
Standard provides auditable requirements based on the Plan-Do-Check-Act model for
third-party certification of Private Security Company Operations—private security
providers working for any client. Status: Under development.
x Conformity Assessment and Auditing Management Systems for Quality of Private
Security Company Operations. Provides requirements and guidance for conducting
conformity assessment of the Management System for Quality of Private Security

Company Operations (PSC) Standard. Standard provides requirements for bodies

providing auditing third party certification of Private Security Company Operations—
private security providers working for any client. It provides requirements and
guidance on the management of audit programs, conduct of internal or external audits
of the management system and PSC operations, as well as on competence and
evaluation of auditors. Status: Under development.
x Resilience in the Supply Chain. Standard expands the scope of the ANSI ASIS
Organizational Resilience Standard to include resilience in the supply chain. It
provides a framework for evaluating the internal and external context of the
organization with regard to its supply chain, enabling it to develop a comprehensive,
balanced strategy to reducing both the likelihood and consequences of a disruptive
event. It also is consistent with the risk management principles and framework of the
ISO 31000. The standard provides auditable criteria to prevent, prepare for, respond
to and recover from a disruptive event using a comprehensive approach to managing
risks thereby eliminating the siloing of risks and their impacts. Status: Under
development.
x Risk Assessment. This standard provides a means of analyzing the efficacy of risk
management controls designed to protect an organization’s assets. Status: Under
development.
Standards Activity
ASIS has become involved in numerous security-related standards development projects in
concert with other organizations. Note that security in the ISO context is a very inclusive
term, referring to the entire flow of events that can take place surrounding a disruptive
incident, such as prevention, preparedness, mitigation, response, continuity, and recovery.
ASIS also has relationships with national bodies and is participating in developing standards
with them. The subsequent goal is to take completed standards and submit them to ISO for
consideration as international standards. Doing so accelerates the process and gives a larger
voice to security professionals so standards will truly address their needs and the services
they provide. Members are encouraged to volunteer to participate in technical committees
on standards that affect their areas of practice and expertise. The following are some key
areas of ASIS involvement:
x ISO/TC 223: Societal Security. ASIS Type A liaison status with ISO allows ASIS full
participation. ASIS is a member of the Chairman’s Advisory Group, the Resolutions
Committee, and all work groups and task groups involved. ASIS has been actively
involved in drafting the documents that have been circulated through the technical
committee.

x ISO/TC 247: Fraud and Countermeasures. ASIS Type A liaison status with ISO allows
ASIS full participation. ASIS has been actively involved in drafting the documents that
have been circulated through the technical committee.
x ISO/TC 8: Marine and Maritime. ASIS participates as a liaison, particularly in the ISO
28000 Security in the Supply Chain series.
x ISO/PC 262: Risk Management. ASIS Type A liaison status with ISO allows ASIS full
participation. ASIS has been actively involved in drafting the documents that have
been circulated through the technical committee.
x ISO/IEC JTC 1/SC 27: Information Security. ASIS participates as a liaison, particularly
in the ISO 27000 series.
x ISO/TMB WGRM: Working Group on Risk Management. ASIS participates as a liaison.

This group recently finished a draft of a new ISO 31000 Risk Management Standard.
x JTCG Task Force Auditing for the revision of ISO 19011. ASIS represents ISO/TTC 223
as a liaison to this group on auditing of security and security management systems.
This task force is looking at how to expand auditing (as is done in quality and
environmental management systems standards) to the realms of security, information
technology, occupational health and safety, and other fields where management
systems standards are being developed or have been developed.
x ISO/SAG-S: Strategic Advisory Group on Security. ASIS also participates in this group,
which advises the ISO Board on strategic issues related to security. The group is open
only to national bodies, not to liaisons, but ASIS sits at the table as a member of the
Dutch contingent (that is, as a technical expert with the Nederlands Normalisatie-
Instituut).
x Supply Chain Risk Leadership Council. ASIS participates in the Supply Chain Risk
Leadership Council in strategies to address supply chain standards development both
nationally and internationally.
x CEN/BT/TF 167: Security Services, CEN/BT/WG 161: Protection & Security of the
Citizen, CEN/PC 384: Airport and Aviation Security Services, CEN/TC 391: Societal
and Citizen Security, and CEN/TC 379: Supply Chain Security. ASIS participates in
CEN, the European Committee for Standardization, which is a consortium of European
standards bodies. In the first committee listed, ASIS has observer liaison status; in the
second committee, ASIS maintains close relationships with active members.
x ASIS International partners with National Standards Bodies (NSB) around the globe
to develop national standards, promotes collaboration between the local ASIS
Chapters and the NSB, and provides joint training programs.

x ANSI’s Board of Standards Review (BSR) body. ASIS is a voting member of the ANSI
BSR, which is responsible for the approval and withdrawal of American National
Standards and for hearing appeals of its decisions.
x ANSI’s Executive Standards Council (ExSC) body. ASIS is a voting member of the ANSI
ExSC which is responsible for the procedures and criteria for national and international
standards development activities of the Institute, and accredits national standards
developers and U.S. Technical Advisory Groups (TAGs) to ISO. The ANSI ExSC hears
appeals related to its areas of responsibility.
x ANSI National Policy Committee (NPC) body. ASIS is a member of the ANSI NPC,
which is responsible for broad-based policy and position decisions regarding national
standards issues and government relations and public policy issues.
x ANSI International Policy Committee (IPC) body. ASIS is a member of the ANSI IPC,
which is responsible for development of ANSI strategic directions and policies related
to international and regional standardization.
x ANSI ISO Council (AIC) body. ASIS is a member of the ANSI AIC, which is responsible
for developing ANSI positions and preparation of ANSI representatives to ISO General
Assembly and ISO Council and its subgroups, including ISO policy development
committees.
x ANSI International Conformity Assessment Committee (ICAC) body. ASIS is a

member of the ANSI ICAC, which is the U.S. interface to the ISO Council Committee on
Conformity Assessment.
x ANSI Committee on Education (COE) body. ASIS is a member of the ANSI COE, which
is responsible for initiatives related to standards and conformity assessment education
and outreach, as well as fulfilling the objectives of the United States Standards Strategy.
x ANSI Standards Boost Business (SBB) campaign. ASIS participates in the ANSI SBB
effort to increase executives’ and other private-sector leaders’ (C-level) understanding
of how the U.S. voluntary standards system and its activities can boost business
performance.
x ANSI Organizational Member Forum (OMF) body. ASIS is a member of the ANSI OMF,
which provides a forum for U.S. professional societies, trade associations, standards
developers, and academia to come together to discuss national and international
standards and conformity assessment issues of interest.
x ANSI Homeland Standards Security Panel (HSSP). ASIS is a member of the ANSI
HSSP, which identifies existing consensus standards, or, if none exists, assists the
Department of Homeland Security (DHS) and those sectors requesting assistance to
accelerate development and adoption of consensus standards critical to homeland
security. Additionally, ASIS is a member of the ANSI Homeland Standards Security
Panel Steering Committee, an advisory committee to the HSSP.

x Security Industry Standards Council (SISC). ASIS is a member of the SISC, which votes
on proposed standards that are being considered from other security-related SDOS in
addition to review and coordination of standards activities.
x U.S. Department of Homeland Security Title IX program (Voluntary Private Sector
Accreditation and Certification Preparedness Program). The ANSI ASIS Organi-
zational Resilience Standard has been adopted in the Title IX PS-Prep program.
x U.S. Department of Defense. The Department of Defense reached out to ASIS to

develop Standards for Private Sector Security. Two standards projects under
development; Management System for Quality of Private Security Company Operat-
ions, and Conformity Assessment and Auditing management systems for quality of
private security company operations.
The position of ASIS is that these areas represent the best thinking of security professionals
around the world and also help to ensure an organized approach to the challenges facing
corporations and the public and private sectors today.
3.5.3 ORGANIZATIONAL RESILIENCE STANDARD

In March 2009, the ASIS Global Standards Initiative published the American National
Standard ANSI/ASIS.SPC.1: Organizational Resilience: Security, Preparedness and Continuity
Management Systems—Requirements with Guidance for Use. This flagship standard was
developed by technical committees in Australia, the Netherlands, and the United States. The
management system standard provides a framework for a comprehensive approach to
managing the risks of a disruptive incident by addressing reduction of both likelihood and
consequences. It continues to gain international acceptance. The Netherlands and Denmark
have adopted it as a national standard in their countries, and several other countries are in
the process of adoption, translation, and publication. It has also been submitted to ISO for
consideration as an international standard.
This is a practical management systems standard that deals with organizational resilience. It
focuses on security, preparedness, and continuity management all in one management
systems standard. It looks at how an organization can prevent, prepare for, mitigate, respond
to, and recover from a disruptive incident that could, if not controlled, turn into an
emergency, crisis, or disaster. Like ISO standards, it uses the Plan–Do–Check–Act model.
The standard was designed to be business-friendly (improving its likelihood of adoption in the
marketplace) and is completely aligned and compatible with existing management systems
standards, such as ISO 9001:2000: Quality Management, ISO 14001:2004: Environmental
Management, ISO/IEC 27001:2005: Information Technology Security, and ISO 28000:2007:
Supply Chain Security Management. An advantage of this alignment is that an organization

can meet the requirements of other standards through the process of meeting the require-
ments of this organizational resilience standard. The standard is also meant to be an
auditable complement to the new ISO31000: Risk Management standard, thereby enabling
an organization to seamlessly integrate resilience and security management into its overall
risk management strategy.
The standard’s goal may be illustrated by considering a company that, on a normal day of
operation, is working at 100 percent capacity. Suddenly a disruptive incident occurs. Without
a plan in place, the company could completely lose capacity. Once that happens,
management may have no idea how long it will take to return to full capacity, if indeed the
company ever does. This standard encourages management to preempt the problem by
looking at what could potentially disrupt the operation, how to prevent it, and how, if it takes
place, to respond quickly to mitigate the impact of the incident (reduce the drop in capacity)
and shorten the recovery period. The standard also helps management consider how to
bring the most critical processes back online as quickly and efficiently as possible. The goal,
then, is to help the organization survive and thrive.
The following is a summary of the steps contained in the standard, as directed to security
management:
1. Start: Know the Organization

Many organizations unwisely skip this most critical step and start looking for solutions to
what they think are the problems, rather than analyzing what are the core issues they need to
address. This step includes several tasks:
x Identify the internal and external context of the organization.

x Define the scope and boundaries for the security, preparedness, and continuity
management program.
x Identify critical objectives, operation, functions, products, and services. Prioritize them
according to their importance to the organization’s survival.
x Make a preliminary determination of likely risk scenarios and consequences.
By understanding and prioritizes the issues most important to the organization, it is possible
to focus on problems that are manageable and for which one can effectively develop a
system. It is not advisable to deal with all problems of the organization at once. The process
should be approached from a business point of view with a continual improvement
perspective.

2.Security Policy
The next step is to obtain management commitment, participation, and leadership, which
are critical to the exercise. The standard is, after all, for a management system. Security
policy will be elevated to a critical interest of the organization and hence requires the
participation of the entire organization. The policy will state and constitute a commitment to
the protection of critical assets as well as commitment to continuous improvement.
Obviously, management demonstrates its commitment by providing adequate resources to
implement the management system.
3.Planning
This is the time to conduct a risk assessment and impact analysis. The standard simply states
that the organization must have a defined and documented method for doing so. The
organization may choose from the many existing risk assessment methodologies and means
of analyzing business impact, but it must choose a specific, formal methodology and not
merely rely on its general sense of the problem. It is recommended that the organization
follow the risk assessment process outlined in ISO31000:2009: Risk Management Guidelines.
At this stage it is also necessary to determine the legal and other requirements with which the
organization must comply and then choose a method of addressing them.
With these three analyses, the organization has a basis for developing objectives and
determining its means and resources for attaining them.
Plans for security management programs emphasize incident prevention, while plans for
response management emphasize reducing an incident’s impact and quickly returning to
full operation.
4.Implementation and Operation

This is the step for developing the organization’s approach to improving resiliency. Here are
key topics to examine:
x Organizational structures and responsibilities needed to develop the strategic plan.

Organizational roles, responsibilities, and authorities are clearly defined to support the
management system and all the activities needed to address the risks of disruptive
events.
x Training, awareness, and competence. Programs must be developed that will give
employees the confidence and competence to do what they should. They should be
educated on what could happen and how they should respond.
x Communication. The standard addresses communication both within the organi-

zation and with external parties. Key issues include how to prepare in advance to
respond to external questions and who will speak for the organization.

x Documentation. This process requires developing standard operating procedures

regarding security, preparedness, and continuity management, as well as documenting
the management system itself. If it is not documented, no one can check to see if it is
working.
x Incident preparedness and response plans. These contain the specifics of what should
be done to prevent an incident and mitigate its consequences, as well as what should
happen after an incident, covering such issues as alternative work sites, mutual aid
agreements, and meeting points.
5.Checking and Corrective Action

The standard then addresses these topics:
x Performance evaluation: The organization establishes performance metrics and

evaluates its resilience performance, including compliance with legal and other
obligations. Exercises and testing are used to evaluate performance.
x Monitoring and measurement. This step discusses how to identify nonconformity,

address it through corrective and preventive actions, and document those steps.
x Important business records. This step addresses the need to identify, store, and
protect vital documents, as well as keep them accessible to the people who need them.
Again, the standard does not specify how to perform these tasks but merely insists that
the company have a specific plan for doing so.
x Audits. These make it possible to track the performance and effectiveness of all
required tasks.
6.Management Review
Information from all the preceding steps is then fed back for management review. This is the
stage to ensure that the management system is adequate and effective and to discuss any
need for improvement.
Then, for continuous improvement, one repeats steps 1 to 6 indefinitely. Figure 3-3 shows
the process in graphic form.
The standard’s structure is simple, but each step is rather involved. If the organization
contains a person who wishes to focus on security, preparedness, and continuity management,
that person may be the best candidate to bring this management systems standard to
management. Alternatively, an organization may use an external consultant with expertise in
developing such systems. However, the management system is implemented by the
organization with the advice and guidance of the consultant. Ownership throughout the
organization is the key to success.

Standards are nothing to fear. If the security community sits back and waits for others to
develop security standards—whether people from other disciplines or standards developers
with no security expertise or practical understanding—then the standards developed could
be overly prescriptive and make it more difficult for security professionals to do their jobs.
On the other hand, if the people who will use the standards get involved in developing them,
the standards are more likely to be useful tools.
Start: Know your Organiz on

- Define scope and boundaries for
preparedness, re nuity and
recovery management program
- Iden ves, oper ons,
ons, products and services
- Preliminary det on of likely
risk scenarios and consequences
Policy
Management Review - Management Commitment
- Adequacy and Effec veness - Commitment to Protec cal
- Need for Changes Assets and Con nuous Improvement
- es for Improvement - Commitment of Resources
Connua l
Planning
Checking & Corr ve Ac on Improvement - Risk Assessment and Impact Analysis
- Monitoring and Measurement
- Legal and Other Requirements
- Evalua on of compliance and
system performance - ves and Targets
- Nonconformity, Correc ve - Strategic Preven on, Preparedness
and Preven ve Ac on and Response Programs (Before,
er an Incident)
- Records
- Internal Audits
Implementa on and Oper on

- Structure and Responsibility
- Training, Awareness, Competence
- Communica on
- Documenta on
- Document Control
- Oper onal Control
- Incident Preven on, Preparedness and
Response
Figure 3-3
Organizational Resilience (OR) Management System Flow Diagram

References
REFERENCES
About ANSI Overview. (2008). American National Standards Institute. Available: http://www.ansi.
org/about_ansi/overview/overview.aspx?menuid=1 [2008, December 8].
ASIS supports global ISO standards. (2008, January). Security Management, 93.
How are ISO standards developed? (2008). International Organization for Standardization. Avail-
able: http://www.iso.org/iso/standards_development/processes_and_procedures.htm [2008, Dec-
ember 8].
Plentiful preseminar programs. (2007, November/December). ASIS Dynamics, 44.
Seck, M. D., & Evans, D. D. (2004). Major U.S. cities using national standard fire hydrants, one
century after the Great Baltimore Fire. National Institute of Standards and Technology.
Gaithersburg, MD.
Siegel, M., & Carioti, S. (Speakers.) (2008). Standards changing the world of security professionals
(ASIS Virtual Forum CD Recording EDUPRG.VF-06). Alexandria, VA: ASIS International.

CHAPTER 4
INTRODUCTION TO ASSETS PROTECTION
Protecting an organization’s assets is a daunting task. The business world, the security arena, and
life itself are changing at lightning speed. Globalization, information technology, instant
communications, complex and asymmetric threats, public opinion, mergers and acquisitions,
conglomerates and partnerships, and regulation all have a major influence on how security
professionals must perform their mission. In addition to needing a broad array of security
expertise, today’s security professional must be an adaptable, strategic thinker, skilled in process
management and fast, accurate program implementation.
Protection of Assets is designed as a support tool for security professionals and others with similar
responsibilities. It provides information on all aspects of security and related functions and helps
readers balance costs and results in planning, developing, and implementing sound risk
management strategies.
Because of the rapid pace of change, POA is a living document. It features periodic updates and
guides readers to other sources for further information.

4.1 Basis for Enterprise Assets Protection
4.1 BASIS FOR ENTERPRISE ASSETS PROTECTION
4.1.1 DEFINING ASSETS PROTECTION

For many people, the term assets protection suggests finance. Security professionals,
however, think of assets protection in a different, broader sense. In the security arena, one
often speaks of protecting three types of assets: people, property, and information. The larger
view of assets protection, however, also considers intangible assets, such as an organization’s
reputation, relationships, and creditworthiness.
In considering all of an organization’s assets and all potential hazards, both natural and
man-made, the security function should take the lead on some matters and play a
supporting role in others. This approach helps ensure that the security function is, and is
seen to be, a value-adding element of the organization. The greatest protection of corporate
assets occurs when an appropriate mix of physical, procedural, and electronic security
measures is in place in relation to the assets being protected. This creates an effective
defense-in-depth asset protection program.
Graduate students in a security management program were recently asked to define assets
protection from their perspective. The students were all experienced, mid-career professionals
in security, law enforcement, or the military. Almost all the students mentioned elements like
asset definition, threat assessment, vulnerability and risk analysis, security methods for
reducing risk, and the need to balance security costs with the benefits of protective measures
employed. However, several additional aspects of assets protection emerged as well:
x Both tangible and intangible assets must be considered.

x A key objective is maintaining smooth business operations.
x Post-incident business or mission continuity is an important element.
x Both the current and future risk environments must be considered.
x Providing a safe and healthy environment should be factored in.
x Liability reduction/management is an important component.
As those students seemed to understand, assets protection must be a comprehensive,

proactive function that is directly tied to the organization’s mission.
In addition, it is essential to know what needs to be protected. In many cases, asset owners
(such as business owners or managers) lack a thorough understanding of what their real
assets are. Some think purely in financial terms, while others focus on tangible goods, such
as facilities, inventory, vehicles, or equipment. A wider view of assets might include those
listed in Figure 4-1.

TANGIBLE INTANGIBLE MIXED

Facilities/buildings Reputation/image People
Equipment Goodwill/trust Intellectual property
Inventory Brand recognition Knowledge
Vehicles Relationships Proprietary processes
Raw materials Vendor diversity Information technology
Cash/money Longevity/history capabilities
Accounts receivable Past performance Land/real estate
Supplies/consumables Experience Infrastructure
Telecommunications systems Quality assurance processes Credit rating/financial stability
Other capital assets Workforce morale/spirit/loyalty Customers (customer base)
Workforce retention Contracts in place
Management style Financial investments
Human capital development Geographic location
Liaison agreements Staffing sources/recruiting
Market share Certifications (e.g., ISO 9000)
Continuity posture/resiliency
Safety posture
NOTE: Tangible assets are generally those one can see, touch, or directly measure in physical form. Mixed assets have
both tangible and intangible characteristics.
Figure 4-1
Examples of Organizational Assets by Type
4.1.2 RELATION TO SECURITY AND OTHER DISCIPLINES

Because assets protection is a broad, complex function, many departments or elements of an
organization may be involved in it. However, a single office or person should be designated
as the assets protection focal point. Assets protection professionals should either lead or
follow, but in either case they should not allow themselves to be left out of key deliberations
and decisions. Though it is the responsibility of senior management to provide the resources
needed to enhance the protection of assets, it is the assets protection professional’s respon-
sibility to provide them with the best information for their decision-making process.
Assets protection incorporates all security functions as well as many related functions, such
as investigations, risk management, safety, quality/product assurance, compliance, and
emergency management. Therefore, the senior assets protection professional must have

strong collaboration and coordination skills as well as a thorough understanding of the

workings of the enterprise. In today’s asset protection program, countermeasures need to
include people, hardware, and software.
Of particular interest today is convergence, which is the “integration of traditional and

information [systems] security functions” (ASIS International, 2005). Such convergence
makes collaboration even more important.
4.1.3 HISTORICAL PERSPECTIVES

From the dawn of mankind, organizations have faced threats to their safety and security. One
of the tribe’s important functions was the protection of its assets, which might include land,
crops, water supplies, or its cultural or religious heritage.
Over the centuries, upon arriving in a new country, immigrants from particular regions have
tended to settle together in communities that became known as ghettos. These ghettos have
had a strong assets protection aspect.
Like tribes, gangs today emphasize assets protection. Their assets may include “turf,” recogni-
tion, members, weapons, or market share of illegal activities.
Families, too, protect their assets, which include family members, the home and its contents,
vehicles, financial assets, pets, occupations, and status in the community. Families use such
methods as security equipment, insurance, education, communications procedures, and
neighborhood watch groups.
Different assets protection methods work in different situations (Webster University, 2006):
The protection of assets is not an exact science. What works in one situation may have
disastrous results in another. Asset owners and security professionals alike must analyze
specific situations or environments; recognize needs, issues and resources; and draw
conclusions regarding the most appropriate protection strategies and applications.
Assets protection can be performed by internal entities, external entities, or a combination. In

th
the United States, the first private security firms emerged in the mid-19 century. They began
as investigative agencies and expanded to provide other assets protection functions, such as
executive protection, intelligence collection, counterintelligence, cargo escort, and protection
of railroads, a critical infrastructure of the day (Securitas, 2006).
The concepts, techniques, tools, and philosophies of assets protection change as threats
mutate, technologies advance, management approaches develop, and business around the
world becomes transformed.

Influences in Assets Protection

Many recent developments have affected the practice of assets protection. In the early 1970s,
for example, computer security began to flourish as a separate discipline (National Institute
of Standards and Technology, 2006) because of society’s increasing reliance on information
systems.
Another influence was the recognition of the vulnerability of critical infrastructure to both
natural and intentional attacks. In the United States, critical infrastructure was initially defined as
comprising the following industry sectors: transportation, oil and gas, water, emergency services,
government services, banking and finance, electrical power, and telecommunications. More
sectors were added later. Significantly, most U.S. critical infrastructure is owned or operated by
private enterprises. In the United States, attention to the security of critical infrastructure
increased greatly after the 1993 attack on the World Trade Center in New York City and the
bombing of the Alfred P. Murrah Federal Building in Oklahoma City two years later.
Damage to the Pentagon caused by the September 11th attack.

Photograph by Kevin Peterson

To security professionals, the terrorist attacks of September 11, 2001, represented the most
significant turning point in assets protection around the world. That attack
x led to increased security budgets and reduced constraints on security policies and
procedures,
x fostered communication between security officials and front-office executives, and

x enhanced threat awareness and vigilance by business managers and employees
In some cases, knee-jerk reactions to 9/11 wasted valuable resources. For example, one
company with facilities in several countries ordered each site to post a security officer at its
entrance. However, the new security officers had no idea of their roles and responsibilities
and had no way to communicate with other security staff at the sites. At best they were able
to provide a false sense of security. Similarly, after 9/11 many organizations spent much
more than necessary on security technology.
The shock of 9/11 also caused an overemphasis—in terms of security solutions—on terrorist
attacks instead of the broader spectrum of realistic security risks. Even now, resources that
could have been dedicated to information technology (IT) security, information asset protec-
tion, and traditional crime or loss prevention are being diverted to antiterrorism measures,
such as blast-resistant materials, stand-off zones, bollards, chemical/biological hazard
sensors, and similar items. Even in school security, interest in traditional, comprehensive
assets protection has often given way to preparation for terrorist attacks.
Over time, the 9/11 attacks have partly redefined assets protection. The following are some of
the beneficial changes:
x a change in public expectations and an increase in the level of security measures that
the public will tolerate
x an ongoing examination of personal privacy versus public protection
x more serious study of security and protective services budgets and strategies
x better information sharing within and between the security and law enforcement
communities, leading to improved crime-fighting capabilities
x greater application of advanced technologies to threat analysis, vulnerability assess-

ment, information sharing, and protective measures
x more widespread discussion of strategic protection concepts incorporating risk

management and comprehensive assets protection
x more emphasis on security and assets protection research

INTTRODUCTION TO O ASSETS PROTEECTION
4.1 Basis for Enterrprise Assets Prootection
Sim
milarly, the 2001 anthrax scare in the e United Staates led to m
much greater emphasis o on the
security of maillroom operattions. In add
dition, the Saarbanes-Oxleey Act in the United State
es has
req
quired publiccly traded corrporations to
o perform mmore extensivve assessmen nt and reportting.
Resspondents to o one securrity-related survey

s rated
d the act as the second d most impo ortant
legiislation haviing a moderrate or majoor impact onn their orgaanization (ASSIS Internatiional,
200
05, p. 48).
Pattterns of Chaange
In assets proteection, the period
p betwe een major p paradigm sh hifts (includiing technolo
ogical
devvelopments and
a concepttual shifts) has
h been deccreasing. As Figure 4-2 sshows, durin ng the
19550s and 196 60s several years
y passed d between m major parad digm shifts. In more recent
deccades, the in
nterval betwe
een those sh hifts has decrreased to the point wheere changes ttoday
follow each other rapidly.
© Innovative Prrotection Soluttions, LLC, 2006. Used by p ermission.
Figure 4-2
m Shift Frequeency Model
Paradigm
Theese paradigm m shifts inc clude chang ges in surveeillance tech hnology, inttegrated seccurity
systtems, the scope of securrity professioonals’ dutiess, legal and lliability issue
es, the regullatory
env
vironment, the t use of computers inn the securitty function, public/privvate partnersships,
anttiterrorism, convergence
c e, and globall business reelationships.. Security prrofessionals must
be prepared
p forr rapid chang
ge in the worrkplace.
Anoother chang ge is that asssets protecttion is increeasingly bassed on the principle off risk
management, a term ratherr recently ap pplied to seccurity managgement and assets prote ection
(We ebster Unive ersity, 2006)). The ASIS Internation al 2006 Gen neral Risk Security Guid deline
deffines “risk” as the possibiility of loss re
esulting fromm a threat, seecurity incident, or eventt. The
con
ncept is a perrfect fit for asssets protecttion, the prim
mary objectivve of which iis to manage e risks
by balancing
b th
he costs and benefits
b of prrotection meeasures.
o Assets Coppyright © 2012 by ASIS International

Protection of 69
4.2 Current Practice of Assets Protection
4.2 CURRENT PRACTICE OF ASSETS PROTECTION

This section discusses two important issues in assets protection: the field’s underlying
principles and the practice of assets protection in various industry sectors.
4.2.1 UNDERLYING PRINCIPLES

One framework for viewing the underlying principles of assets protection states that three
concepts form a foundation for any assets protection strategy. Those concepts are known as
the five avenues to address risk, balancing security and legal considerations, and the five Ds.
Five Avenues to Address Risk

This concept contends that there are five distinct avenues for addressing identified risks to
assets: risk avoidance, risk transfer, risk spreading, risk reduction, and risk acceptance. Care-
fully considering these avenues is an effective way for assets protection professionals and
management to think creatively in designing ways to protect assets.
Balancing Security and Legal Considerations

Organizations need to find the right balance between a security approach and a “legal”
approach. Some enterprises rely entirely on legal measures, such as patents, copyrights,
trademarks, and service marks, to protect their critical information. They mistakenly believe
that with these legal protections in place, they do not need stringent security programs.
Alternatively, some executives believe a strong security program eliminates the need for legal
measures. Of course, both types of measures are needed. The legal approach must also
consider when and how incidents will be litigated, what preliminary measures must be in
place for successful litigation, and how litigation costs will be managed.
The Five Ds
This security approach complements the “legal” approaches
discussed above. In this concept, the first objective in
protecting assets is to deter any type of attack. The second
objective is to deny the adversary access to the asset, typically
through traditional security measures. The third objective, if
the first two fail, is to detect the attack or situation, often using
surveillance and intrusion detection systems, human
observation, or a management system that identifies short-
ages or inconsistencies. Once an attack or attempt is in
progress, the fourth objective is to delay the perpetrator
through the use of physical security and target hardening

INTTRODUCTION TO O ASSETS PROTEECTION
4.2 Current Practiice of Assets Prootection
methods, or use
e of force. Finally, in toda
ay’s terrorist environmen nt with more violent crim
minals,
it may
m become necessary
n to destroy the aggressor
a if th
he situation w
warrants it.
In short,
s assets protection should
s invollve a compreehensive straategy, not ju
ust piecemea
al ele-
ments (officers,, closed-circu
uit television
n, access con
ntrol systemss, etc.).
4.2.2 ASS
SETS PROTEC
CTION IN VA
ARIOUS SETTIINGS
Maany security principles
p an
nd procedure es are commmon across sectors, geog
graphic areass, and
variious sizes and
a types off organizatio ustry has its own
ons. Howeveer, each parrticular indu
cultture, environ
nment, and issues that in
nfluence asseets protection
n
Heaalth Care Secctor

Hosspitals are op
pen to the public
p 24/7 and
a tend to h have an opeen
envvironment. Patients are vuulnerable, an
nd hospitals ccan be a high h-
stre
ess environmment for all co
oncerned: patients, visitorrs, and staff.
Hosspitals also have to be concerned about a inform

mation assetts,
esp
pecially patie ent privacy,, the protec ction of wh hich is ofteen
gov
verned by reg gulation, succh as, in the United Statees, the Healtth
Insuurance Porta ability and Ac
ccountabilityy Act (HIPAAA) and criteriaa set by the JJoint Commiission
on Accreditatio on of Healtthcare Organ nizations (JCCAHO). In addition, m many health care
insttitutions, esp
pecially at universities,
u engage
e in m
medical reseaarch, an actiivity that callls for
pro
otection of sensitive
s info
ormation, in ntellectual p
property, faccilities, and materials. AAssets
pro
otection stafff may also ne eed to focus on
o maintain ning the hosppital’s reputaation, anothe
er key
asseet.
Thee most serioous threats inn health carre involve woorkplace and d domestic violence, threats,
harrassment, intternal theft, vandalism, extremist acctivity, fraud, threats to h
high-risk or high-
ofile patients, and violenc
pro ce in emerge
ency departmments.
Heaalth care se
ecurity profe
essionals can
n gain man
nagement su
upport throu
ugh these m
means
(Ste
ewart, 2006)::
demonstra ating a knowlledge of hosp pital managem ment issues and respectin ng the busine
ess
aspects of the
t enterprise e maintaining a dialogue wiith managemeent to ensure tthey understa and
the hospita
al’s risks and vu
ulnerabilities, as well as the assets protecttion program itself
Whhether securiity officers in

n health care
e settings sh
hould be arm
med is the su
ubject of ong
going
deb
bate.
o Assets Coppyright © 2012 by ASIS International

Protection of 71
Educational Sector
Educational institutions range from preschools to universities and include both public and
private institutions. Schools at all levels have historically been viewed as somewhat insulated
from the ills of society, but in recent years more attention has been paid to school security.
At the lower academic levels, security responsibility may fall under the school board, county or
city, or local police department. Most colleges and universities maintain their own security
function, which may or may not be connected to the campus police department.
Educational institutions face a wide range of threats, such as assaults against students and
staff, facility damage, vandalism, theft of goods (computers, equipment, supplies, etc.), theft
of private information, attacks against IT, white-collar crime, liability, and natural disasters.
Universities also face the theft of research information.
At most schools, much of a security director’s time is spent on crisis management. Evacuation
planning, preparations for shelter-in-place situations, liaison with first responders, awareness,
training, and exercises are all critical in that environment. In addition, schools may be called
on to serve as community shelters or medical triage centers during disasters. Figure 4-3 lists
some of the common security issues at each educational level.
Universities include more than classrooms—they may also feature dormitories, restaurants,
stores, libraries, entertainment venues (clubs, theaters, bowling alleys, fitness centers, game
rooms, etc.), sporting facilities, worship centers, conference centers, and hospitals. Further
security issues are raised by the fact that some students may be living away from home for
the first time and may not behave as well as they should or show the right level of safety and
security consciousness. Universities also host many students from other countries, who may
violate bans on certain exports or may overstay their visas.
High crime rates, high-profile incidents, and a questionable campus safety record can harm a
university’s image and lead to a loss of students, revenue, grant money, and research projects.
Security directors in the educational environment must take a comprehensive risk manage-
ment approach to their assets protection program. In their security planning, they should
consider many factors, such as the size and demographics of the school, the characteristics
of the surrounding area, the mission and culture of the institution, the types and values of
assets, the school’s image, its management style, and any identifiable threats.

Level Considerations
Preschool Health and safety

Teacher/staff backgrounds
Constant student oversight
Potential for parental/stranger abduction
Elementary (K through 8) Student oversight

Inappropriate discipline
Early gang and drug abuse prevention
Exposure to inappropriate issues
Student interrelationships
Secondary and High School Student independence/student interrelationships

Teacher/staff relationships with students
Gang and drug/alcohol abuse prevention
Exposure to inappropriate issues
Weapons and contraband exclusion
Facility access control
Protection of equipment, chemicals, other resources
College and University Students as an asset and a threat

Lifestyle (student independence, drugs, alcohol, etc.)
Residential setting
Multiple facilities (retail, food service, entertainment)
Overall crime environment
Potential for hate crimes and activist groups
Sports and entertainment venues
Laboratory/research facilities and information
© Innovative Protection Solutions, LLC, 2006. Used by permission.
Figure 4-3
School Security Considerations

Fast Food Sector

This sector, also known as the quick-service restaurant (QSR) industry, features many com-
pany-owned restaurants and franchise stores around the world. The largest companies often
have an in-country or regional assets protection director, who reports to the local business unit
head and the corporate assets protection director. The wide geographical dispersion also
makes QSRs vulnerable to varying levels of ordinary crime, activism, vandalism, and
terrorism. Companies in this industry work hard to protect the value of their brand.
The industry emphasizes cost control, margins, and profit and loss management. Thus,
assets protection professionals must focus on theft prevention, anti-fraud programs,
strategic planning, and supply chain/vendor/distribution integrity. The QSR industry employs
a range of security technology, including closed-circuit television (CCTV) tied to point-of-sale
systems (e.g., cash registers). Assets protection teams in the industry also investigate suspected
false claims of employee or customer injuries.
Because of the high employee turnover rate and the geographic dispersion of stores, security
training is both essential and difficult. Modern IT can enhance the company’s ability to
conduct safety and security training—for example, by facilitating distance learning. One
focus of employee training is simply teaching whom to call and how to report suspicious
activity. Most companies maintain toll-free hot lines. In addition, employee awareness can
be bolstered using security posters, changed regularly.
Telecommunications Sector
Assets protection in the telecommunications sector has changed in the wake of industry
deregulation; the boom in wireless, Internet, fiber optic, and other telecommunications
technologies; and, in the United States, the designation of the telecommunications system as
a national critical infrastructure. Assets protection in the telecom sector now encompasses
four major areas:
x Information security: protecting competitive and proprietary information; protecting

information about the telecommunication infrastructure; and protecting voice and
data signals
x Network and computer security: protecting networks from hacking and other forms of
cyber attacks; protecting computers and other equipment from viruses
x Fraud prevention: protecting the company from toll fraud, calling card misuse, and
other frauds
x Physical security: protecting the people, places, and things that make telecommunica-
tions networks function
Assets protection in telecommunications is greatly affected by government regulation. Some

jurisdictions mandate specific security practices, limiting the ability of assets protection

managers to tailor programs to their particular environment. Another security challenge

arises from the wide exposure of the industry’s product (electronic signals), which are
susceptible to both physical and electronic threats. Finally, telecom companies’ fiber and
cables are often routed through or under property owned by others. Therefore, assets
protection strategies must consider property rights and access issues.
Aerospace Sector
The aerospace sector, which includes civil aircraft,
military aircraft, missiles, space systems, and aero-
space services, is characterized by fierce, global
competition; large, complex contracts; interna-
tional joint ventures; and a huge network of
vendors, all of which factors significantly complicate
assets protection strategies.
In addition to traditional corporate safeguards, firms

in this sector should consider the following:
x protection of sensitive, proprietary, and export- NASA Photo
controlled technical information
x handling of government classified information
x regulatory and reporting compliance at the local, national, and international levels
x integration of safety and security programs
x domestic and international travel security
x test and evaluation program security
The larger aerospace firms maintain large security departments staffed with various
security specialties. By contrast, small aerospace vendors often have no security resources.
Therefore, it is best to discuss security support at the outset of a new project and agree who
will be responsible for various aspects of assets protection and what resources each player
will contribute.
Assets protection in the aerospace industry is also affected by the climate of risk taking; the
extent of high-value information that must be protected; and the industry’s high profile, which
attracts adversaries in the form of competitors, activist groups, and white-collar criminals.
These industry snapshots illustrate the wide variety of issues, concerns, and environmental
factors that affect assets protection programs. They highlight the meshing of security concerns
with business and management issues in planning for a safe and secure setting in which to
conduct the enterprise’s mission.

4.3 Forces Shaping Assets Protection
4.3 FORCES SHAPING ASSETS PROTECTION

This section examines five forces that are shaping the practice of assets protection:
x technology and touch
x globalization in business
x standards and regulation
x convergence of security solutions

x homeland security and the international security environment
Some of these forces are at least partially within an assets protection manager’s ability to
influence, while others are not. In either case, security professionals should study and
leverage these forces as they formulate tomorrow’s protective strategies.
4.3.1 TECHNOLOGY AND TOUCH

Assets protection has always required a balance between human and technological solutions.
Sometimes the balance swings too far toward technology. The following statements are
described as symptoms of “high-tech intoxication” (Naisbitt, 1999):
x We look for the quick fix.
x We fear and worship technology.

x We blur the distinction between real and fake.
x We accept violence as normal.
x We love technology as a toy.
x We live our lives distanced and distracted.
We Look for the Quick Fix

Security solutions are often implemented haphazardly. Decision makers may buy
surveillance cameras or install card readers without an independent assessment or clear
understanding of the real needs. That approach addresses only the symptoms, not the cause.
Through advance planning and meaningful dialogue, the security professional can guide the
corporate decision makers on the best long term security solution for the company.
Security professionals should take the time to ask questions and determine what the actual
problem is and then create a comprehensive assets protection strategy, not a short-sighted
quick fix.

We Both Fear and Worship Technology at the Same Time

Assets protection professionals cannot afford to be technophobes. Security systems and
procedures increasingly demand an understanding of technology, and technology is becoming
a major element in most business processes.
On the other hand, some people see technology as the solution to everything. Most common
functions today consist of several layers of technology. If something does not work, the
tendency is to add another layer of technology (Naisbitt, 2006). Careful examination of the
problem might show that a solution blending technology and other solutions (training, poli-
cies, or personnel) is best.
We Blur the Distinction Between Real and Fake

The quality and quantity of electronic images (on television and in video games) tends to
desensitize people to real situations. Frequently seeing people attacked or killed may make
those events seem commonplace. The ramifications for security include a potential
dampening of reaction by security officers and others. For example, console operators might
react less quickly to events shown on their monitors because they see such things all the time
in games or on television. The delay may be aggravated by information overload as security
staff are expected to monitor more and more images.
We Accept Violence as Normal

When violence is considered normal, employees may not bother to report incidents or suspi-
cions to corporate security officials. Failure to report such matters promptly can make it
more difficult to stop such situations as workplace violence, terrorism, sexual harassment,
and hate crimes.
The perception of violence as normal can also affect the reaction of security officials. If they
become desensitized to crime and violence, they may take incidents less seriously or react
more slowly than they should.
We Love Technology as a Toy

Viewing technology as a toy can lead to a neglect of sound, risk-based assets protection
strategies. For example, one company installed biometric access controls on the entrance to
each of its office suites, even though there was no obvious need for high security. When
asked why the equipment was installed, a manager replied, “We thought it was cool.”
High technology plays an important role in assets protection, but it exacts ongoing costs,
such as training and maintenance. In many situations it makes sense to step back and take a
“back to basics” approach. For example, “Given a specific security challenge, imagine how
you would develop a solution if you had no access to technology at all. You can then think
outside the box and interject some traditional creativity into the problem-solving process”
(Naisbitt, 2006).

We Live Our Lives Distanced and Distracted

Being surrounded by technology changes our relationship to other people. Assets protection
professionals must never lose sight of the people factor in identifying and protecting critical
assets (Naisbitt, 2006):
Any security issue involves human psychology—and always will. The issues of safety and
security are simply fundamental to every human being.
When planning for security, the professionals should always consider the culture of the
organization. … Does the corporate culture foster a sense of community? Do employees respect
and care for one another? Does the nature of their work allow them to develop relationships,
or do they work in a vacuum? How much human interaction is there?
In addition to the six preceding symptoms of high-tech intoxication, two other issues are
worth considering:
x whether the prevalence of security technology leads employees to shirk their

responsibility for protecting the organization’s assets because they think technology
will take care of those assets
x whether a high-tech environment depersonalizes the workplace and leads employees

to feel it is acceptable to commit pilferage, industrial espionage, fraud, embezzlement,
and other workplace crimes
The bottom line is that human factors must always be considered in the development of
security strategies. For example, the security approach called crime prevention through envi-
ronmental design (CPTED) uses psychology, architecture, and other measures to encourage
desirable behavior and discourage undesirable behavior. Some critics claim that CPTED does
not show a conclusive link between the design concept and a reduction in crime. However,
where CPTED has been used, the recording agencies claim that there are fewer reported
incidents when compared to similar structures or developments within their jurisdiction.
4.3.2 GLOBALIZATION IN BUSINESS

Globalization brings a wider range of goods, services, vendors, suppliers, capital, partners,
and customers within a company’s reach. It also brings threats closer and may increase
vulnerabilities. Risks related to business transactions, information assets, product integrity,
corporate ethics, and liability, as well as far-flung people and facilities, expand and evolve
with increasing globalization. As the director of the U.S. Defense Intelligence Agency notes
(Wilson, 2002):
Values and concepts [such as] political and economic openness, democracy and individual
rights, market economics, international trade, scientific rationalism, and the rule of law …
are being carried forward on the tide of globalization—money, people, information, tech-

nology, ideas, goods and services moving around the globe at higher speeds and with fewer
restrictions.
Our adversaries increasingly understand this link. … They are adept at using globalization
against us—exploiting the freer flow of money, people, and technology … attacking the
vulnerabilities presented by political and economic openness … and using globalization’s
“downsides.”
Globalization makes it necessary for assets protection managers to consider a wider variety
of customs, cultures, laws, business practices, economic factors, language issues, workforce
characteristics, and travel requirements. A more radical vision of the impact on organizational
structures is described in William Davidow and Michael Malone’s The Virtual Corporation.
They argue that the centerpiece of the new economy is a new kind of product: the virtual
product where major business functions are outsourced with hardly any internal departmen-
talization. This will give the corporate security manager even more challenges in the protection
of proprietary information, product security, supply chain security, and business continuity. As
in all cases the dissemination of sensitive or proprietary information should be on a need-to-
know basis. Security professionals should not erect barriers to international business but
instead should help their organizations overcome those challenges and comply with the many
regulations and standards that apply around the world (Heffernan, 2006).
4.3.3 STANDARDS AND REGULATION

Security standards are becoming increasingly important, and their development is the
subject of much interest. The establishment of standards and guidelines has been described
as the centerpiece of a comprehensive assets protection program, especially in today’s global
society (Dalton, 2003, p. 185). This section discusses standard-setting bodies; statutory,
voluntary, and mixed standards; the use of certification and licensing as a form of standards;
and the impact of regulation.
Voluntary Standards
Standards from the well-known International Organization for Standardization (ISO) and the
American National Standards Institutes (ANSI) are voluntary but widely adopted. Some have
been integrated into various countries’ regulatory frameworks. ISO standards that are relevant
to assets protection involve such issues as safety and security lighting, identification cards,
radio frequency identification), protection of children, and IT and information security. In the
United States, voluntary standards are also set by the National Fire Protection Association
(NFPA). Many NFPA standards are incorporated into regulations, such as building codes.

Several standards from Underwriters Laboratories (UL) relate to security equipment, such as
locks, alarms, and access control systems. Other standards are set by trade and professional
associations, such as the Illuminating Engineering Society (lighting standards and practices)
and the Electronic Industries Association (electronic components and products).
Statutory or Regulatory Standards

Unlike voluntary standards, statutory or regulatory standards are binding under the law and
can be enforced by formal authorities. In the United States, binding security standards are
promulgated in various sources:
x Code of Federal Regulations

x National Industrial Security Program Operating Manual
x Executive Orders, Presidential Directives, and Homeland Security Policy Directives
x regulations of the Occupational Safety and Health Administration, Nuclear Regulatory
Commission, Federal Energy Regulatory Commission, and Federal Trade Commission
An international source of binding standards is the International Maritime Organization.
Mixed Standards
The distinction between statutory and voluntary standards becomes blurred when voluntary
standards are incorporated into laws or regulations. For example, many of the requirements
in Occupational Safety and Health Administration directives are verbatim references to
standards from such organizations as the NFPA.
In other situations, a standard may remain technically voluntary but practically obligatory.
For example, security standards from UL or Factory Mutual may be used as criteria by
insurers. In other words, they may determine the availability and cost of casualty insurance
based on the use of UL-approved materials or UL-standardized practices. Contracts, too,
may incorporate standards as requirements.
Figure 4-4 lists some of the more prominent standard-setting bodies.

INTERNATIONAL
ASTM International www.astm.org
International Electro-technical Commission www.iec.ch
International Maritime Organization www.imo.org
International Organization for Standardization www.iso.org
UNITED STATES
American National Standards Institute www.ansi.org
Department of Transportation www.dot.gov
Federal Energy Regulatory Commission www.ferc.gov
Federal Trade Commission www.ftc.gov
National Fire Protection Association www.nfpa.org
National Institute for Standards and Technology www.nist.gov
National Labor Relations Board www.nlrb.gov
Nuclear Regulatory Commission www.nrc.gov
Occupational Safety and Health Administration www.osha.gov/comp-links.html
Underwriters Laboratories www.ul.com/info/standard.htm
Figure 4-4
Selected Standard-Setting Bodies

Professional Certifications and Licensing

Standards may also be implemented via professional certification and licensing. In the
security arena, ASIS International certifications are perhaps the best-known. The Certified
Protection Professional designation, established in the 1970s, recognizes a broad skill set in
security management. More recent ASIS certifications include the Physical Security
Professional and Professional Certified Investigator designations.
The International Foundation for Protection Officers offers several certifications for security
officers and supervisors: the Certified Protection Officer, Certified in Security Supervision
and Management, and Certified Protection Officer Instructor designations.
Several IT security certifications are also available, such as the Certified Information Systems
Security Professional (through the International Information Systems Security Certification
Consortium) and the Certified Information Security Manager (though the Information
Systems Audit and Control Association).
Specialized security certifications within particular industries are also becoming common in
such sectors as health care, hospitality and lodging, and finance. Finally, certification in crime
prevention is available through many state agencies and also through the International CPTED
Association.
Some jurisdictions require licensing of various types of security practitioners. Most licenses
require training, background screening, qualification, and registration. In the United States,
licensing is generally the purview of states or localities, but national licensing is under
consideration.
ASIS International www.asisonline.org/certification/index.xml
Information Systems Audit and Control Association www.isaca.org
International CPTED Association www.cpted.net/certification.html
International Foundation for Protection Officers www.ifpo.org

International Information Systems Security
www.isc2.org
Certification Consortium
Figure 4-5
Selected Security Certification Web Sites

4.3.4 CONVERGENCE OF SECURITY SOLUTIONS

In assets protection, convergence generally means the integration of traditional and IT security
functions. A broader definition might consider convergence to be the merging of disciplines,
techniques, and tools from various fields for the purpose of protecting critical assets.
It is widely accepted that “companies’ assets are now increasingly information-based and
intangible, and even most physical assets rely heavily on information” (ASIS International,
2005). An approach using only physical or IT security measures is insufficient. Assets
protection managers must also employ traditional information security, personnel security,
technical security, and public relations and other external communications to protect
intangible assets. A true convergence approach would also employ security architecture and
design, crime prevention through environmental design, investigations, policies and
procedures, and awareness training.
4.3.5 HOMELAND SECURITY AND THE INTERNATIONAL SECURITY ENVIRONMENT

The terrorist attacks of September 11, 2001, made it “crystal clear that the risks and threats of
global terrorism … were no longer vague or unlikely, but rather a genuine reality” (Sennewald,
2003, p. 19). Sennewald contends that 9/11 elevated the corporate security professional to a
higher plateau of respect and recognition within the enterprise.
From an assets protection perspective, reactions to the attack have been a mixed
development. On the positive side, 9/11 raised awareness of security among decision makers
and increased the respect paid to the security profession. It also made resources available for
security enhancements and led to increased interaction among security officials, first
responders, emergency planners, and the communities they serve. On the negative side, 9/11
caused knee-jerk reactions that resulted in wasteful spending, unnecessary security measures,
misdirection of needed funds, and the surfacing of dishonest or unqualified vendors.
Assets protection professionals should study those reactions and apply what they learn to
comprehensive assets protection strategies. That way, they can leverage the awareness and
resources available to improve their organizations’ security posture.
Still, there is a danger of overemphasizing the threat of terrorism and the practice of
homeland security. Assets protection professionals must address the broader security issues
relevant to their particular environment.

INTRODUCTTION TO ASSETS S PROTECTION
4.4 Manageement of Assets Protection
4.4 MA
ANAGEM
MENT OF ASSETS
S PROTE CTION
In addition
a to technical
t exp
pertise, assetts protection
n professionaals need a so olid groundiing in
org
ganizational managemen nt. Success in the fielld—which m may mean saving livess and
pro
otecting valuable assets—
—depends on n the proper balance of tthree manag gerial dimenssions:
tech
hnical expertise, manageement abilityy, and the abbility to deal w
with people.
©2005 Innovaative Protectioon Solutions LLLC
Figure 4-6
Three Managerial
M Dim
mensions
84 Proteection of Assets Copyright © 22012 by ASIS Interrnational

4.4 Management of Assets Protection
4.4.1 CONCEPTS IN ORGANIZATIONAL MANAGEMENT

The job of managing involves five basic functions:
planning x organizing x directing x coordinating x controlling
In addition, management should be guided by two principles, called “who is the customer?”
and “quality.” These principles should become part of the organization’s culture.
Who Is the Customer?

Peter Drucker, an authority on management, suggests that “who is the customer?” is the first
and most crucial question in defining business purpose and mission (1974). The assets
protection manager must understand the purpose and mission of assets protection at the
enterprise before adopting an organizational structure.
Most organizations actually serve multiple customers. It is important to identify all of them
and to understand their interrelationships. Then the assets protection manager can sell the
program not just to executives but to all the customers of assets protection services. Figure 4-
7 lists some of those customers.
For a chief security officer or For a security product or For an independent

security director, service provider, consultant,
customers might include: customers might include: customers might include:
Corporate executives Clients Clients
Corporate staff/managers Clients’ clients Clients’ clients
Corporate employees Potential clients Potential clients
Company clients Parent company or headquarters Partners and associates
Partners and affiliates Vendors and suppliers Vendors and suppliers
Contractors Partners and consultants Own employees
Security team members Original equipment Investors
Vendors and suppliers manufacturers Self
Other divisions of company Own employees
Other facility users Other divisions of company
Stockholders Executive management
Stockholders
Figure 4-7
Assets Protection Customers

Taking a more comprehensive view of who the customers are and how best to meet their
needs can result in greater security team effectiveness. The large view also demonstrates the
assets protection manager’s commitment to the business mission as a whole, not just to the
security mission. That commitment often leads to greater respect for the assets protection
function and ultimately greater influence throughout the enterprise.
Quality
Some managers may think that quality is something in a plan on the shelf, something that is
done once, or something that belongs to the quality assurance experts. That view is wrong.
Quality “belongs to everyone, all the time” (Dalton, 2003, p.240).
As one quality consultant notes (Duffy, 2006):

One of the major definitions of quality is “conformance to customer requirements.” Provid-
ing effective professional services or implementing a meaningful assets protection program
for the customer within appropriate resource constraints means delivering the required level
of quality. The security industry is one that must support multiple customers with a wide
variety of requirements.
Although a quality program may begin with tools, measures (metrics), and special processes,
the culture of quality should ideally become a part of the organization and be integrated into
all business practices.
A culture of quality can be developed in any type of security organization. For example, security
service providers are increasingly formalizing and standardizing their quality programs.
4.4.2 MANAGEMENT APPLICATIONS IN ASSETS PROTECTION

Planning, management, and evaluation are important tools in crime prevention programs
(Fennelly, 2004, p. 418). A strategic approach to managing assets protection programs
likewise involves all three tools. They apply as follows:
x Planning includes developing strategic goals and objectives, aligning assets protection
objectives with the organizational vision, organizing the assets protection function in
the way that best meets objectives, and determining how the mission will be
accomplished.
x Management involves conducting the day-to-day operations of the department,

communicating with others, and controlling specific tasks as well as the overall
functioning of the office.
x Evaluation involves stepping back from day-to-day activities to objectively assess how
well objectives are being met and what factors are contributing to the success or lack
thereof. Reporting, documenting, and using information to make adjustments and
improvements are all important parts of evaluation.

These tools are as applicable in the security services or products arena as they are in the
corporate or organizational setting. In a quality assurance/quality control (QA/QC) program
in a firm that provides security officers, the tools could work as follows:
x Planning may entail developing the company’s QA/QC program, obtaining executive
buy-in, preparing documentation, training supervisors, and establishing procedures.
x Management might involve implementing the program, conducting inspections,

reviewing audit reports, handling complaints and compliments, disciplining and
rewarding officers and supervisors, briefing upper management, and interacting with
the client on matters pertaining to QA/QC.
x Evaluation could consist of periodically determining whether the QA/QC program is

serving company objectives and meeting client expectations, identifying systemic
problems, and recommending process improvements.
In a corporate setting, a security department could use the tools as follows:
x Planning may entail setting strategic objectives consistent with the enterprise’s
mission and vision statements, organizing the security function within the enterprise,
determining resource requirements, establishing liaison relationships, developing
policies and procedures, and identifying staffing needs.
x Management would involve day-to-day operation of the department, personnel

management, logistics, vendor management, security systems operations,
coordinating with others internally and externally, and briefing senior executives.
x Evaluation would consist of periodically comparing performance metrics to the

department’s goals and objectives, identifying shortfalls, assessing any changes in the
assets protection environment, and recommending process improvements.
None of these functions should be neglected at the expense of the others. They should be
repeated in an ongoing cycle that results in up-to-date and appropriate assets protection
protocols, procedures, and practices.
4.4.3 SECURITY ORGANIZATION WITHIN THE ENTERPRISE

Although each organization is unique, some basic principles apply widely to organizational
structure and management. This discussion of the security organization within an enterprise
is influenced by well-respected, much recommended security textbooks by Sennewald
(2003), Dalton (2003), McCrie (2001), and Fischer & Green (2004).
The “span of control” principle suggests that a single person can supervise only a limited
number of staff members effectively. The specific number depends on such factors as the
nature of the work and type of organization, but as a general rule one manager can

effectively supervise up to 10 people. This principle may be in jeopardy. Some observers

believe that the introduction of IT infrastructures, use of current telecommunications
technology, and flattening of organizational pyramids may enable a person to supervise as
many as 100 people. In settings that emphasize self-directed, cross-functional teams and very
flat structures, span of control is less relevant. However, traditional, hierarchical organizational
structures, where span of control is important, are still common.
Unity of command dictates that an individual report to only one supervisor. It is based on
the concept that a person cannot effectively serve the interests two or more masters (that is,
managers). It is the supervisor’s responsibility to ensure the best performance from the unit he
or she manages. Some company structures make unity of command less important, but in
most settings employees still need a clear understanding of which policies they need to adhere
to (primarily) and who will provide day-to-day direction, quality control, and conflict
resolution.
Placement of the security department within an organizational structure can greatly affect
the assets protection manager’s ability to exert influence, remain informed, and garner
resources to support his or her programs and strategies. Assets protection managers, by the
nature of their expertise, must have functional authority within the organization and be
identified as part of the corporate management team. The rule of thumb is that the senior
security or assets protection professional should be placed as high as possible in the
structure of an enterprise and report directly to senior or executive management. A common
discussion today is whether security should be placed under the chief information officer), IT
security should be placed under a chief security officer, or some other arrangement should
be made. If the enterprise includes a chief risk officer, assets protection may be placed in his
or her division.
The following are some other important themes in organizational management:
x Lines of authority, responsibility, and communications should be as clear and direct as

possible.
x Individual and organizational responsibility should come with an appropriate level of
authority.
x Organizational alignments and structures should consider the interrelationships
among functions, roles, and responsibilities (with an eye on the overall mission).
x Communications channels should be structured to allow effective mission accomplish-
ment and interaction.
More information on the chief security officer’s role in organizational management can be
found in the Chief Security Officer Guideline, published by ASIS International (2004). It dis-
cusses roles and responsibilities, success factors, key competencies, organizational issues,
and strategy development.

4.5 Behavioral Issues in Assets Protection
4.5 BEHAVIORAL ISSUES IN ASSETS PROTECTION

Behavioral science, the study of people and their relationships to each other, is important in
assets protection for three key reasons:
x Many security risks are the result of human threats, and behavioral science can yield
insights into human threat sources.
x Security management requires effective interaction with other people, including
collaboration, education, influence, supervision, and the most important, excellent
communication skills.
x An effective security manager must also have trust in his or her staff members and have
the ability to delegate to them not only the responsibility but also the authority to act
within their functional area.
4.5.1 BEHAVIORAL SCIENCE THEORIES IN MANAGEMENT

The following theories in behavioral science are widely accepted as relevant and useful in
many management applications.
Maslow’s Hierarchy of Needs

Abraham Maslow’s theory, commonly known as the hierarchy of needs, asserts that people’s
behavior is driven by basic needs at different levels. It is often depicted as a pyramid, as
Figure 4-8 shows.
Self-
actualization
Esteem
Affiliation
Security
Physiological
Figure 4-8
Maslow’s Hierarchy of Needs

The levels of the hierarchy are:

x self-actualization need: self-fulfillment, realizing one’s full potential
x esteem or recognition needs: respect from others and self
x affiliation or love needs: affectionate social and family relationships
x security or safety needs: protection from perceived harm
x physiological or survival needs: food, drink, shelter
Basic or lower-level needs must be met before a person is motivated by the next higher level
of needs.
Maslow’s theory is still widely recommended to analyze individual employee motivation

strategies and establish tailored rewards, such as pay, recognition, advancement, and time
off (Buhler, 2003).
McGregor’s Theory X and Theory Y

Douglas McGregor holds that two worker models can be contrasted. Theory X contends that
workers are inherently lazy and tend to avoid work. They lack creative ambition, must be
goaded, require constant supervision, and are motivated by fear. Theory Y states that workers
are naturally motivated and want to work hard and do a good job. It assumes that workers are
thoughtful, eager to perform well, and willing to be guided and taught. McGregor stresses that
programs based on Theory Y are more successful than those based on Theory X.
Herzberg’s Motivation-Hygiene Theory

Frederick Herzberg’s motivation-hygiene theory is based on the premise that the opposite of
satisfaction is not dissatisfaction but simply no satisfaction. The theory maintains that two
sets of factors determine a worker’s motivation, attitude, and success (Buhler, 2003).
The first set is job content (motivators), such as achievement, recognition, responsibility,
and satisfaction derived from the work itself.
The second set is job context (hygienes), such as the surroundings, physical work conditions,
salary, coworkers, and other factors that are external to the work itself.
Hygiene factors (such as a fresh coat of paint on the wall) will be able to move an individual
from a state of dissatisfaction to no satisfaction, but only motivation factors can move that
person from no satisfaction to satisfaction.
The lesson is that managers should avoid quick fixes. Manipulating hygiene factors may
alleviate dissatisfaction but will not result in a state of satisfaction. Allowing an individual to
reach a state of satisfaction requires changes in the work content itself, such as increased
autonomy or responsibility (Buhler, 2003).

4.5.2 APPLICATIONS OF BEHAVIORAL STUDIES IN ASSETS PROTECTION

An assets protection program will not succeed unless it cultivates the willing cooperation of
those affected by it and meshes its goals with the personal goals of the workforce. Following
are some examples of how lessons from behavioral science might be employed in assets
protection.
Crime Prevention and Reaction

Behavioral science has long been involved in criminology with the goal of developing better
crime prevention strategies. Through mutual cooperation, private security can play a major
role in the prevention of crime while law enforcement focuses on crime control. Continuing
study is needed, as is better communication between behavioral scientists, criminologists,
and security and law enforcement practitioners. Many questions in criminology remain
unanswered in this area, but we are seeing a major move by law enforcement to have private
security more involved in crime prevention.
Incident Management
Motivation theories may be useful in developing emergency plans, business continuity
plans, and incident response plans. A major factor in any incident is how people will react—
those directly involved in the incident, bystanders, indirectly affected persons, security forces,
and first responders.
Some data can be gathered from exercises and drills through documentation and after-
action reports. Interpreted through human motivation theories, that information may aid in
the development of plans and procedures that will help ensure a smooth response to a real
incident.
Motivation theories should also be considered when developing larger-scale incident

management plans. Such theories may help in predicting how people will react when they
are ordered to shelter in place at the workplace or school—for example, whether they will
accept their separation from their family or instead evacuate immediately, regardless of the
directions given.
Security Personnel Management

In supervising security officers, heading an executive protection team, staffing a security
operations center, serving as a facility security officer, performing architecture and design
functions, or administering a global assets protection program, one needs to understand
what motivates people and what demotivates them.
Motivation theory can contribute to the planning and development of a QA/QC program, a
department organizational structure, an advancement plan, assessment or evaluation criteria,
awards programs, discipline procedures, communications venues, and even dress codes.
Behavioral science plays a role in almost every aspect of personnel management.

Employee Training and Awareness

Early security training and awareness programs were based on top-down management
directives, passive compliance, and an attitude of “we do it this way because the book says
we do it this way.” The modern workforce is more sophisticated, highly educated, and
independent, and security training and awareness strategies must be designed accordingly.
Behavioral theories can guide both content and delivery methods for security training and
awareness, which has been recognized as one of the most cost-effective assets protection
tools (Webster University, 2006). In addition, security training and awareness efforts should
take account of adult learning styles and current instructional design methods. When
employees can relate to the information presented and the way it is presented, the training is
more effective. Managers need to set direction and establish a professional setting, but
through training they need to avoid making operating decisions that should be made by their
supervisors and officers. As an example, when a subordinate requests advice about a routine
operational problem, the supervisor should avoid giving a specific solution, opting instead to
guide the subordinate, through an open exchange of information, toward identifying the
solution himself or herself.
Corporate Ethics
One of the first questions that comes to mind after a large-scale corporate scandal is “What
could have possibly motivated those people to do that?” Behavioral science theories may
help answer that question. They can be applied to help prevent, respond to, and recover
from major white-collar crime incidents and can also contribute to programs that address
smaller-scale, everyday ethical lapses.
Liaison and Leveraging Other Organizations

Because assets protection is a multidisciplinary venture, liaison and collaboration with a
wide variety of people, organizations, agencies, specialties, and professions is essential.
Behavioral theory can help in establishing and maintaining relationships with a network of
professional contacts, both inside and outside the assets protection manager’s organization.
Collaboration is especially valuable and challenging in a global environment that includes a

wide range of cultures, customs, and perspectives (Buhler, 2003):
The diversity of today’s workforce has further complicated an already complex phenomenon.
The differences among workers are greater than ever before. To be more successful in
motivating a diverse workforce requires, then, an understanding of the differences among
people and what makes them tick …
To become a more effective motivator, then, managers must understand as much as possible
about [motivation theory] and then pick and choose what best fits with which individuals.
The bigger the bag of motivational tools, the more likely the manager will be able to
understand employees’ needs and tailor rewards to better meet them. [This] enables
managers to get more done through others.

Appendix A: Insurance as a Risk Management Tool
APPENDIX A
INSURANCE AS A RISK MANAGEMENT TOOL
In many organizations, a current trend is the integration of insurance management into a broader
assets protection program. Therefore, this appendix describes the types and uses of insurance,
primarily in the corporate setting. Further information is available through resources listed at the end.
Most risk management tools are either proactive or reactive, but insurance is a combination of the
two. From a proactive stance, it is the best-known form of risk transfer and is actually considered
an asset of the organization. It is also reactive in that the insurance benefits are not used until after
a loss occurs.
Insurance is a formal undertaking between two parties—the insurer and the insured—under
which the insurer agrees to indemnify or compensate the insured for specified losses from
specified perils. Insurance is “a formal social device for reducing risk by transferring the risks of
several individual entities to an insurer. The insurer agrees, for a consideration, to assume, to a
1
specified extent, the losses suffered by the insured.”
Insurance is no replacement for security, of course. Compared to insurance, protection techniques

like risk reduction and risk spreading are preferable for several reasons:
x Loss control is a more satisfactory approach than after-the-fact indemnity.
x Loss prevention has become highly effective.
x Commercial insurers decline to cover some kinds of risks.
x The balanced scheme of protection is more cost-effective.
In most cases, it is impossible to be fully compensated for a loss, regardless of how much
insurance coverage an enterprise has. Modern management is now more interested in preventing
losses than in trying to buy insurance to cover every possible risk.
In the insurance world, the portfolio theory involves a comprehensive analysis of business risks and
pure risks. A risk model might analyze movements in exchange rates, changes in raw material prices,
and downtime caused by a catastrophic event. This model would produce an aggregate loss
distribution to estimate the likelihood and effect of several events occurring simultaneously. By
treating the risks as parts of a single portfolio, separate insurance policies for each risk can be
eliminated. The theory is that by managing risks, little or no outside insurance is required.
1
Glossary of Insurance Terms, University of Calgary, Canada, 1998, http://wcmprodlb.ucalgary.ca/haskayneundergrad/rminlinks/glossary.

Appendix A: Insurance as a Risk Assessment Tool
INSURANCE OVERVIEW
Insurance is often divided into two general categories: property and liability. Property coverage
includes building and equipment damage or loss, as well as items like cash and negotiable
instruments of all kinds. Liability coverage encompasses all employee risks and includes workers’
compensation and non-occupational coverage, as well as coverage for losses affecting the general
public, such as automobile liability, product liability, landlord liability, contractor liability, and
environmental liability.
The basis for coverage is the insurance policy, the written contract between the insurer and the
insured. Many insurance contracts or policies have been standardized; however, they are not all
alike in coverage. For that reason, each policy must be carefully examined to determine the
coverage offered. Contracts of insurance are seldom read in detail by the owners until a loss occurs.
To determine the protection offered by a policy, the following questions must be asked:
x What perils are covered?
x What property is covered?
x What losses are covered?
x What people are covered?
x What locations are covered?
x What time period is covered?
x What hazards are excluded or what conditions suspend coverage?
Defining the Peril

2
Peril has been defined as “the cause of a possible loss.” Typical insurable perils include fire,
windstorm, explosion, burglary, negligence, collision, disability, and death. An insurance contract
may cover one or more perils. Some policies, called “named perils contracts,” specify the perils
that are covered in the contract. Other contracts, called “all risk contracts,” cover all perils except
those that are specifically excluded. Perils may also be covered only in part—for example, not all
unfriendly fires under a fire policy or not all negligence under a liability policy.
A policy may limit coverage by defining which part of the peril is covered or which part is not
covered. For example, a fire policy states the hazards not covered. The standard policy form
excludes fire losses resulting from action taken by military, naval, or air forces in an actual or
immediately impending enemy attack, invasion, insurrection, rebellion, revolution, civil war, or
usurped power. It also excludes fire losses resulting from neglect of the insured to use reasonable
2
Glossary of Insurance Terms.

means to protect his or her property, along with losses caused by order of civil authority (except
destruction of property to prevent the spread of a fire that did not originate from an excluded peril).
It is important to understand the terms burglary and robbery as they are used in insurance
policies. Burglary is generally defined as felonious abstraction of insured property by any
3
individual or individuals gaining entry to the premises by force. There must be visible marks on
the exterior of the premises at the place of entry, such as evidence of the use of tools, explosives,
electricity, or chemicals.
Robbery is usually defined as the felonious and forcible taking of property by violence inflicted
upon a custodian or messenger, either by putting the person in fear of violence or by an overt act
committed against the custodian or messenger who was cognizant of the act. Sneak thievery,
pickpocketing, confidence games, and other forms of swindling are not included in robbery
coverage.
A burglary contract does not cover robbery. Similarly, a robbery policy does not cover burglary.
Neither policy covers losses resulting from the felonious taking of property where there are no
visible marks of entry and where there has been no violence or threat of violence. A theft or larceny
policy is required to obtain coverage for such losses.
Defining the Property Covered

A standard insurance policy does not cover every piece of property owned by the insured, but it
usually describes the type of property covered. Also, a contract may specify certain property that is
excluded.
Some reasons for property exclusions in a policy are as follows:
x The specific property excluded may be more easily covered under other forms of insurance.
x The moral hazard—a condition of the insured’s personal habits that increases the proba-
bility of loss—may be prohibitive.
x The property may be subjected to hazards that should be specially rated.
x The property might be so uncommon to the average insured that the rate for the standard
policy should not include it.
3
In law, burglary is forced entry or exit with intention to commit a crime. The abstraction of property is actually a larceny. But
insurance policies combine the forceful entry and the taking or abstraction under the single term burglary.

Defining the Losses Covered

The next step in analyzing coverage is to find out what losses are covered. Generally, losses may be
classified as:
x direct loss, such as the physical loss of or damage to the object concerned
x loss of use, such as the reduction of net income due to loss of use of the damaged or destroyed
object
x extra-expense losses, such as the costs of defending a liability suit and paying judgment or
hospital and medical expenses following a personal accident
Most policies cover direct losses only. Some may, in addition, cover a few forms of indirect losses.
For example, a standard fire insurance policy usually covers only the actual cash value of the
property at the time of the loss. Actual cash value is the cost to replace or restore the property at
4
prices prevailing at the time and place of the loss, less depreciation. It will not offer compensation
for additional expenses of rebuilding required by ordinances regulating construction or repair, and
it will not cover the loss of use while the property is being replaced. In addition, it will not pay for
the loss of income, such as loss of rent, while a building is being rebuilt.
Defining the Period of Coverage

Formerly, a loss that occurred during the period the policy was in force would be covered no
matter when the occurrence was discovered, even after the policy expired. The term for this is an
occurrence loss.
Insurance carriers encountered difficulties matching premiums with losses that could still be
covered years after occurrence. As a result, a new form of contract was developed. This form,
known as the claims-made type, provides coverage only for losses that are reported during the
period the policy is in force.
If an insured with a claims-made policy leaves one carrier in favor of another, the new carrier will
probably not cover losses occurring before its own first contract date, even if the claim is made
during the contract period. This tends to lock insureds in with a single carrier. It also raises issues of
later endorsements to reduce coverage, the need for an insured to solicit claims against itself in order
to pass them to the carrier in a timely way, and the uncertainty of coverage or its cost when seeking
to terminate the contract. The solution to this problem is usually called “tail cover”—retrospective
coverage for events that occurred during a prior policy period but are raised during the tail period.
To change carriers, it is normally necessary to purchase tail cover from the prior carrier.
4

Defining the People Covered

Some policies cover only the named insured and representatives while others cover additional
individuals. The first page of a standard fire policy states clearly that the contract insures only the
named insured or insureds and legal representatives. The insured’s executors or heirs under a will
and receivers in bankruptcy would also be covered. Many property policies allow a space for
indicating the name of the lender who holds a financial interest in the property, and such lenders
are considered additional insureds. An endorsement must be added to afford protection to any
others. A frequent technique to extend one party’s coverage to protect another is to have the other
individual designated as a named insured in the policy. Named insureds, however, are subject to
the same policy conditions as the original insured. In some cases, this may not achieve the security
objective of the additional named insured.
Defining the Locations Covered

Some policies cover one location, while others include several locations. The standard fire
insurance contract covers property only while it is located as described in the policy, with one
exception—the contract covers property pro rata for five days at each proper place to which any of
the property is necessarily removed for protection against the perils insured against in the policy.
Defining the Time of Coverage

Policies vary as to the exact time of day they go into effect. Fire insurance policy coverage usually
starts at noon, standard time, on the day the policy is dated and at the place the risk is located. The
coverage will ordinarily continue in force until noon, standard time, on the day of expiration.
Other policies go into effect and expire at 12:01 a.m., standard time.
Conditions that Suspend Coverage (Exclusions)

Insurance policies commonly contain provisions that suspend coverage when a risk increases to
such a degree that the insurance company is no longer willing to offer protection. It is possible to
eliminate the conditions by adding endorsements, which may result in increased premiums.
The limiting provisions may be either “while” clauses or “if” clauses. That is, coverage is
suspended while certain conditions exist or if defined situations exist. The fraud and concealment
clause found in many contracts is a typical “if” clause. It states that coverage is void if, either before
or after a loss, any material fact or circumstance concerning the insurance has been willfully
concealed or misrepresented. An example of a “while” clause would be a statement that the
insurance company will not be liable for loss while the hazard is increased by any method within
the control or knowledge of the insured. Another common example would be the vacancy clause,
which suspends coverage while a property stands vacant beyond a specified period.

In fidelity coverage, it is customary to exclude from coverage any person the insured knows to have
committed any fraudulent or dishonest act, in the insured’s service or otherwise. The exclusion
usually dates from the time the insured became aware of the fraudulent or dishonest act. The
insurance carrier may grant case-by-case exemptions to the exclusion. For example, should a
person be hired despite a minor dishonest act revealed in a preemployment investigation, an
exemption to the exclusion should be requested.
Endorsements
Insurance policies have been standardized by custom, law, or inter-company agreements.
Standard policies may be modified by endorsements—sometimes called riders—to increase or
decrease the coverage of the standard policy. Standard endorsements are available, but if they are
not adequate for the coverage desired, special endorsements may be written and added to the
standard policy. When in conflict with the standard policy, the endorsement governs unless it is
illegal.
Endorsements are added to:

x add perils
x add property
x include more covered individuals
x adjust rates
x add, increase, reduce, or delete deductibles
x add or eliminate exclusions
x increase or decrease amounts of coverage
x record address changes
x correct errors
Crime Coverage
Crime insurance is written to protect the insured against loss by burglary, robbery, theft, forgery,
embezzlement, and other dishonest acts. Two types of bonds may be used for protection: fidelity
and surety. Fidelity coverage is written to protect the employer from the dishonesty of employees.
Surety coverage is intended to guarantee the credit or performance of some obligation by an
individual.
Insurance coverage against crime may be obtained by purchasing a standard crime policy, then
adding the necessary endorsements. It is essential to understand the meaning of each criminal
term used by the insurance company in order to ensure that adequate protection is obtained.
Policies may exclude certain items or may not include certain crimes.

The comprehensive 3D policy is a combination fidelity crime insurance policy designed to offer
the widest possible protection. The standard form contains five insuring agreements. The insured
may select as many as needed and specify the amount of coverage on each. The following are the
basic coverages offered:
Coverage I an employee dishonesty bond
Coverage II money and securities coverage inside the premises
Coverage III money and securities coverage outside the premises
Coverage IV money order and counterfeit paper currency coverage
Coverage V depositors’ forgery coverage
Twelve additional endorsements are available:

x incoming check forgery
x burglary coverage on merchandise
x paymaster robbery coverage inside and outside premises
x broad-form payroll inside and outside premises
x broad-form inside premises only
x burglary and theft coverage on merchandise
x forgery of warehouse receipts
x securities of lessees of safe-deposit box coverage
x burglary coverage on office equipment
x theft coverage on office equipment
x paymaster robbery coverage inside premises
x credit card forgery
Assets protection managers should consider an endorsement for IT equipment and data if they are
not adequately covered in the policy. In determining whether coverage is adequate, the following
questions should be asked:
x Is all equipment completely covered for any loss?

x Does the coverage include the loss of recorded data as well as the cost of new hardware?
x Does the coverage include reconstruction of data?
x Will the coverage pay for temporary operation at an alternate location?
x Does business interruption coverage protect against forced shutdown of equipment?

Business Interruption
Business interruption insurance offers a number of coverage choices. For example, coverage can
be written on a named peril or all-risk basis. If a building or machine sustains physical damage,
there will usually be at least an interruption of production or sales, resulting in financial loss. Other
incidents may not damage the physical facilities but may nevertheless cause a shutdown. For
example, a subcontractor might be required to shut down if the plant of the prime contractor is
destroyed, or a factory across from a chemical plant might be forced to lose a day’s production
because of noxious fumes from the chemical plant. These types of risks can be covered with
endorsements known as contingent business interruption loss forms.
A business that might not return to normal for some time after reopening following a shutdown
could consider another type of coverage: the endorsement extending the period of indemnity. An
example of a business requiring such coverage would be a bowling alley. A fire just prior to the
opening of a bowling season might cause league business to go elsewhere for the full season. Even
if the establishment is able to reopen in two months, it might not recover its normal business until
the following year. With standard business interruption insurance, the coverage would stop once
the facility was restored to operating condition. With the endorsement extending the period of
indemnity, the coverage would be extended for the amount of additional time purchased.
Valuation is a factor to consider in planning for business interruption. An actual-loss-sustained

method or a valued-loss method may be selected. With actual-loss coverage, the insured must
prove the claim according to policy provisions. On the other hand, the valued endorsement usually
stipulates the amount payable per day of shutdown and specifies the number of days for which
coverage is provided. The amount selected for the daily indemnity must be certified by an
accountant as being the approximate amount that will actually be lost. This certification is done
before the loss occurs.
Another type of business interruption insurance is the business interruption and extra expense
endorsement. While the basic business interruption forms include coverage for normal extra
expenses, other expenses may be incurred. Such expenses may be incurred to keep a product on
the market regardless of cost or, for a bank, to function regardless of expense. When the situation is
not a clear-cut case of either loss of earnings or incurring extra expense, a combined endorsement
may offer good protection.
Liability Endorsements
Liability coverage in recent years has become increasingly important because of cases in which
organizations have been held liable for property damage and for injury to victims. Under tort law,
injury victims are entitled to collect for losses and mental anguish from anyone they can prove
responsible for intentionally or negligently injuring them or damaging their property.

Liability litigation is widespread, and the number of liability cases continues to rise. Products are
challenged as unsafe or badly designed, and such actions frequently result in large damage awards.
Professional liability suits against engineers, architects, physicians, and lawyers have multiplied,
and the cost of liability insurance for some professionals is enough to cause them to abandon their
practice.
In the security field, too, liability litigation has exploded, resulting in many large damage awards
against security personnel, contract security agencies, and employers or client companies.
A commercial general liability policy—the standard policy offering liability coverage—is less
comprehensive than generally assumed. As a result, to ensure the necessary coverage, several
endorsements should be added, such as those below.
Liability of Officers and Directors

A liability endorsement to protect officers and directors against legal actions brought by
stockholders and others has become increasingly popular because of the publicity given to such
suits. Coverage should be carefully examined to ensure that it is adequate. For example, a policy
may specify that protection is offered for individuals “while acting within the scope of their
duties.” This provision could lead to questions as to duties of individuals and whether they were
acting within the scope of those duties. An endorsement providing for coverage while “acting in
behalf” of the enterprise would eliminate such a dispute. Such a change can usually be made
without any increase in premium.
Employee Practices Liability Insurance (EPLI)

This relatively new type of insurance is a specialized coverage for employers who become the
targets of work-related lawsuits. EPLI covers a business for employee-related actions, such as the
following:
x discrimination x wrongful discipline

x sexual harassment x deprivation of career opportunity
x wrongful termination x wrongful infliction of emotional
x breach of employment contract distress
x negligent evaluation x mismanagement of employee benefit

plans
x failure to employ or promote
EPLI covers defense costs, judgments, and settlements but may not cover punitive damages, fines,
or penalties. Workers’ compensation, bodily injury, and property damage, and any liability
covered specifically in another policy are generally not covered. EPLI usually covers the corporate
entity, employees, former employees, directors, and officers. Some policies also cover volunteers.

Product Liability
Product liability insurance is sold to manufacturers and dealers of goods. Protection is offered for
damage claims arising from the consumption or use of articles manufactured, sold, handled, or
distributed by the insured, if the damage occurs after possession of the goods or products has been
relinquished to others and if the damage occurs away from the insured’s premises. An exception
exists for organizations that serve food on the premises, for which special coverage is necessary.
Product liability suits may be based on either the tort theory of negligence or the contract theory of
breach of warranty. Since it is easier to prove breach of warranty than negligence, most claims
involving products are based on a breach of an express warranty or an implied warranty that the
product sold is reasonably fit for the particular purpose for which it was bought. Liability coverage
must be examined carefully to ensure that breach of warranty is included. If not, an endorsement
should be added for this protection.
The recall of products, which is excluded in standard liability coverage, can create an expensive
problem. Frequently, manufacturers are required to recall automobiles, television sets, food
products, or pharmaceuticals. The manufacturer is normally required to assume responsibility for
removing the defective item from the possession of all wholesalers and retailers.
Product recall coverage can be obtained by adding an endorsement to the comprehensive liability
policy. This coverage is known as product recall or product withdrawal expense. The coverage may
be written to cover recall of products only if bodily harm is threatened, or it may cover products
that threaten only property damage. The loss of the product itself is not covered.
Insurance Providers
Regardless of the type of insurance provider, customers should be able to expect rapid
compensation for losses incurred. As in any other business relationship, due diligence must be
exercised when selecting an insurance provider. The financial stability and claims settlement
record of the provider is critical to timely reimbursement of a loss. Most organizations select an
insurance provider and settle into a long-term business relationship without subsequent review of
the financial condition of the provider, but ongoing due diligence is necessary.
Insurance can be obtained through these means:

x dealing directly with an insurance company
x dealing with an insurance broker that may represent several companies
x buying an insurance company, known as a captive carrier
x buying an interest in a mutual insurance organization called a risk retention group
The size of the enterprise and its insurance needs typically suggest the type of provider that will be
most cost-effective. Small organizations tend to deal directly with the insurance company or use a

broker. Mid-size organizations have the same options but may also join a risk retention group.
Large organizations have all four of the options listed above. The four different sources of
insurance are discussed below.
Insurance Companies
The large number of insurance companies and the wide variety of policies they offer ensures that
coverage can be found for virtually any risk. In essence, uninsurable risk is only heretofore
uninsured risk. Many organizations merely select an insurance carrier with a good name, accept
the coverage that the representative suggests, and pay the policy premiums. Sound management
principles demand more.
A financially weak carrier tends not to pay claims in a timely manner. If the carrier becomes
insolvent, claimants can turn to the state guarantee trust fund for partial recovery. This is a lengthy
process, and claimants are limited to a certain dollar amount. In essence, choosing the wrong
insurance company can, in itself, be a high risk. The financial stability of the insurance carrier
should be reviewed before entering a contractual relationship, and subsequent reviews should be
conducted at least annually.
The financial stability of insurance carriers is rated by a number of rating services. Each service
uses a different formula, and the rating of a specific insurance company may vary among the
rating services. Prudent managers consult more than one rating service. A significant difference in
the ratings of a company should be a red flag denoting the need for further investigation. Rating
services measure the financial condition of the insurance carrier but do not measure the speed of
claims payments.
Government insurance departments are also valuable sources of information. In the United States,
in each state insurance companies are authorized to do business in, they must file annual financial
statements with the state insurance department. Other pertinent information includes the number
of complaints filed against the company and any disciplinary action taken against the company.
Insurance Brokers
Insurance brokers are marketing specialists who represent buyers of property and liability
insurance and who deal with either agents or companies in arranging for the coverage required by
5
the customer. Insurance brokers deal with more than one insurance company and can suggest the
company best suited to provide a specific type of policy. The expertise and responsiveness of a
broker should be verified by contacting other clients. A good broker keeps abreast of the financial
stability of the insurance companies with which insurance is placed. The broker who arranges
insurance coverage with an insurance company that becomes insolvent may become a defendant
in a civil action.
5

Risk Retention Groups

Smaller firms and organizations may form risk retention groups (RRGs), which are corporate
bodies authorized under the laws of some states as liability insurance companies. Such groups
must be owned by entities within the membership of the group that obtain liability insurance from
the group. RRGs are generally exempt from the laws of other states.
RRGs typically market their liability policies to purchasing groups (PGs), which consist of
organizations that have similar liability insurance needs because of the nature of their business. In
the security field, PGs have consisted of guard and investigations concerns. The PG can acquire
liability insurance for its members from the RRG. Typically, the attraction of such an approach has
been the availability of liability coverage and lower premiums. Some RRGs have experienced
funding or other difficulties and have either abandoned the field or otherwise caused problems for
the PG insureds. Overall, the RRG is a viable alternative to high premiums and the difficulty of
obtaining special coverage; however, the particular group and its track record should be studied
carefully.
Captive Carriers
One of the problems of liability insurance has been the high premium cost when using carriers
conventionally licensed within each state where they offer the coverage. One solution is the
captive insurer—a separate, wholly or principally owned firm, usually organized offshore, used to
write the insurance for the owning company. Sometimes a captive insurer is owned by an
association of two or more firms with common insuring interests. When appropriate, a captive
insurance carrier can make it easier to insure risks not acceptable to conventional carriers, can
help make a more favorable expense ratio, and can open reinsurance resources not otherwise
available. However, the captive carrier is generally a technique of larger firms.
INSURANCE RESOURCES
Business Insurance magazine and online resources, www.businessinsurance.com
Insurance Information Institute, www.iii.org
Risk Insurance and Management Society, www.rims.org
The smart approach to protecting your business: Managing your risk, The Hartford in association
with the U.S. Small Business Administration, www.thehartford.com/corporate/losscontrol/SBA/
TIPS/2009/Product%20Liability%2019295.pdf

References
REFERENCES
ASIS International. (2004). Chief security officer guideline. Alexandria, VA: ASIS International.
ASIS International. (2005). Scope and emerging trends: Executive summary. Alexandria, VA: ASIS
International.
Buhler, P. M. (2003, December). Managing in the new millennium: Understanding the manager’s
motivational tool bag. Supervision.
Dalton, D. R. (2003). Rethinking corporate security in the post 9/11 era. Burlington, MA:
Butterworth-Heinemann.
Drucker, P. F. (1974). Management tasks, responsibilities, practices. New York, NY: Harper and Row.
Duffy, G. (2006, September 23). Vice President, American Society for Quality, www.asq.org.
Unpublished document.
th
Fennelly, L. J. (2004). Handbook of loss prevention and crime prevention (4 ed.). Burlington, MA:
Elsevier Butterworth-Heinemann.
th
Fischer, R. J., & Green, G. (2004). Introduction to security (7 ed.). Burlington, MA: Butterworth-
Heinemann.
Glassman, C. A. (2006, June 8). Complexity in financial reporting and disclosure regulation.
Presentation at the Security and Exchange Commission and Financial Reporting Institute
Conference, Pasadena, CA.
Heffernan, R. J., CPP. (2006, September 25). 2006 trends in proprietary information loss survey
results: An overview. Presentation at the ASIS International Seminar & Exhibits, San Diego, CA.
McCrie, R. D. (2001). Security operations management. Burlington, MA: Butterworth-Heinemann.
Naisbitt, J., Naisbit, N., & Phillips, D. (1999). High tech/high touch. New York, NY: Broadway Books.
Naisbitt, N. (2006, June 22). Founder and executive director, The Pinhead Institute, Telluride, CO.
Personal interview.
National Institute for Standards and Technology, Computer Security Resource Center. (2006).
History of computer security. Available: http://csrc.nist.gov/publications/history [2006, July
28].
Securitas. (2006). History. Available: http://www.pinkertons.com [2006, July 28].

th
Sennewald, C. A., CPP. (2003). Effective security management (4 ed.). Burlington, MA: Butter-
worth-Heinemann.
Webster University. (2006). Business assets protection. Course materials for Business and
Organizational Security Management Program. Washington, DC: Webster University.
Wilson, T. R. (2002). Global threats and challenges. Statement to the U.S. Senate Armed Services
Committee by the Director of the Defense Intelligence Agency, March 19, 2002.

CHAPTER 5
COST-EFFECTIVENESS AND
LOSS REPORTING
5.1 UNDERSTANDING THE PROBLEM

Asset protection must be cost-effective. An organization should not spend $1,000 to protect a
$10 asset. Except for certain high-value, irreplaceable items, an organization should base its
protection strategies on a realistic, cost-effective rationale. As the security industry matures
and incorporates business fundamentals into its repertoire of strategies, several business
tactics are being ingrained into standard security management practices. These include
return-on-investment strategies, metrics management, data capture and analysis, and cost-
benefit analysis. As part of asset protection, security is best described as the implementation
of standards and principles that, when constantly applied, control loss.
5.2 WHAT COST-EFFECTIVENESS MEANS

Cost-effectiveness means producing good results for the money spent. To senior management,
cost-effectiveness is the primary factor in determining the size or existence of the asset
protection program. Anecdotal evidence of the efficiency of an asset protection program is
interesting, but in the final analysis the program must be measurable in financial terms.

COST-EFFECTIVENESS AND LOSS REPORTING
5.3 Elements of Cost-Effectiveness
To maximize cost-effectiveness, a security manager should do the following:
x Ensure that the operations are conducted in the least expensive, but cost effective way.
x Maintain the lowest costs consistent with required operational results.

x Ensure that the amount of money spent generates the highest return.
Cost-effectiveness in asset protection requires balancing expenditures against results and

revising the plan as needed. It also requires critical judgment based on a complete
understanding of the enterprise operations, a broad knowledge of state-of-the-art security,
and the recognition that some elements of the security program may take several years to
implement. Often overlooked as asset protection tools, procedural controls are the least
expensive countermeasures one can employ. Simply by changing the way things are done,
revised procedures can enhance security while improving the bottom line for the enterprise.
A historic, continuing problem is the inability to demonstrate that asset protection expendi-
tures lead to tangible, more valuable goals—in other words, to justify the cost of an asset
protection program to enterprise management.
5.3 ELEMENTS OF COST-EFFECTIVENESS

The question that senior management wants answered is this: Does the asset protection
function accomplish anything that can be quantified and that justifies its cost?
One way to view the issue is to consider a business with gross annual sales of $250 million
and an asset protection operation costing $1 million annually. At that level, asset protection
constitutes 0.4 percent of sales. Senior management will want to know why $1 million should
be spent on asset protection rather than on something else. The “something else” could even
be a short-term investment in financial instruments. At a modest 4.5 percent annual return,
$1 million would earn $45,000 in a year. Thus, the $1 million expenditure actually costs the
enterprise $1,045,000 in a year. That cost must be weighed against the consequences of not
having a security program. Cost-effectiveness also applies within the asset protection
operation itself. An expense budget allocates monetary value to a department’s activities.
The security manager must consider whether a given resource is the most effective one
available at the stated cost. For example, if $30 padlocks are used to secure loaded semi-
trailers in the company lot, the security manager should attempt to answer these questions:
x Is a padlock the appropriate countermeasure in this situation?

x If so, is this particular padlock at $30 best suited for the purpose?

In general, the second question is harder to answer than the first.
Senior management will inevitably view all operations from a financial perspective, because
the department that plays a direct role in the generation of revenue is a profit center. A
security professional lacking this perspective will be unable to justify continued funding of
the security program, especially if the enterprise is emphasizing financial austerity. The three
main expense categories that security professionals must consider when developing a budget
are salaries, operational expenses, and capital expenditures. An essential step in developing a
department budget is to review the organization’s overall strategy and goals to determine
how the security budget fits in. Is it in line or does it exceed what would be realistic and
acceptable to senior management?
Necessary protection programs are often substantially cut because, in the intense
competition for scarce funds, no persuasive argument is made for them. However, the
increased losses that might follow a security cutback could easily and greatly exceed the
presumed saving. The following are various financial concepts that can be used to show
value for money.
5.3.1 RETURN ON INVESTMENT

Return on investment (ROI) is a standard profitability ratio that measures how much net
income the business earns for each dollar invested by its owners. Also called return on
equity, ROI is used to gauge management’s overall effectiveness in generating profits.
Kitteringham and McQuate (2003, p. 121) observe:
ROI can be measured in time saved, improved efficiency, reduced manpower, reduced losses,
lower liability or insurance payments, or greater customer satisfaction. It all translates into an
improved bottom line over time.
The expectation is that security measures should not merely be efficient but should provide a
positive return on investment. For example, security awareness programs may be judged as
effective when benefits are either commensurate with cost or exceed cost estimates. The return
varies in different organizations but may include increased customer satisfaction, happier,
more secure employees, increased productivity, reduced employee turnover, cost savings,
actual revenue, reduced false alarms, saved lives, or anything else that can be quantified.
However, many organizations do not make ROI calculations when judging security spending;
they merely adopt a budget based on historical experience or future estimates. According to
an Ernst & Young study (2003) of the information security field:

Return on investment (ROI) is not valued as a measure of information security spending

effectiveness. This was evidenced by the nearly 60% of organizations that said they rarely or
never calculate ROI for information security spending.
One way to determine ROI is shown in Figure 5-1.
AL + R
= ROI
CSP
AL = Avoided loss
R = Recoveries made
CSP = Cost of security program, including personnel expenses, administrative expenses, and capital costs
Figure 5-1
Return on Investment (ROI) Formula
Two examples of ROI calculation follow.
Nuisance Fire Alarms

Due to a high number of nuisance fire alarms, an organization decided to assess the data
collected in the normal course of security department incident report writing. The cost of
alarms was divided into hard costs and soft costs. Hard costs included lost productivity for
employees evacuating the building and for employees responding to the alarms, as well as
the cost of fire department fines. Soft costs included wear and tear on building mechanical
systems when alarms activated; the tendency for employees to learn to ignore alarms,
thereby placing themselves in jeopardy when legitimate alarms activate; the potential for
staff injuries during evacuations; and the frustration of the organization’s staff and fire
department personnel due to the high number of alarms. Lost productivity was quantified
with an average hourly salary figure from the organization’s human resources department,
and fire department fines were easy to tally. Soft costs were merely estimated.
The next step was to determine the causes of the alarms. There were three factors: the age of
some equipment, a lack of training and familiarity with the fire alarm system, and a lack of
communication between staff and contractors working in the building. Once these factors
were identified, replacement parts were installed, a training program was initiated, and a
formal communication program was implemented. All costs were captured and compared.
The annual costs of nuisance alarms in Year 1 were compared to the same costs in Year 2,
after nuisance alarms were reduced. Nuisance fire alarms were found to have cost the
organization $50,000 in Year 1, before the security program reduced nuisance alarms. In Year
2, following the nuisance alarm reduction initiative, alarm costs dropped to $10,000,

resulting in an avoided loss of $40,000. The annual cost of the nuisance alarm reduction
initiative is $10,000. Hence, for an annual investment of $10,000, the organization saves
$40,000. In other words, for every $1 invested, the company saved $4.
Two-Way Radios
A company was using a trunk cellular two-way radio system. Staff complained of multiple
areas within the building where the radios did not work. The result was a waste of staff time
as they moved out of the dead spots to use their radios, an increase in staff risk when they
were out of radio range, and delayed responses to security, safety, and medical incidents.
Additionally, because of the radio system’s trunk cellular nature, the organization was paying
hard costs of $25,000 annually for air time. The soft costs were harder to quantify and were
left out of the equation. Prospective avoided losses (due to upgrading the radio system)
included possible lawsuits and workers’ compensation claims. Avoided losses were
estimated at $25,000 per year.
The length of the solution may alter the ROI calculation. One method of calculation would be
to multiply the savings by the number of years the original radio system would have been in
use before being replaced. For example, if the radio system had another 10 years in it, then
the annual savings can be multiplied by 10 to obtain the final figure.
A replacement system was researched and installed. The capital expenditure purchase and
installation of the system (cost of security program) was $60,000. Based on a single year, the
formula results in return of $0.41 for every dollar invested. Additionally, all other issues were
resolved to the satisfaction of staff and tenants, including delays in responding to incidents
where time was of the essence. If 10 years were factored into the formula, then the ROI would
be $4.10 for every dollar invested.
5.3.2 SECURITY METRICS

The term “security metrics” refers to security-related measurements. Kovacich and Halibozek
(2006) describe security metrics as the process of measuring an asset protection program’s
costs and benefits as well as its successes and failures. Security budgets and expenditures are
being scrutinized as never before, and security metrics can help in justifying those
expenditures. The first step in good security planning is performing an analysis of the
potential areas of loss, their probability, and their gravity or impact on the corporation. This
data, along with security metrics, provides the information needed to present a security
budget to senior management.

Mainstream security management has been slow to adopt a metrics-based approach, but the
trend is changing. Through the application of metrics, security managers are better able to
show the cost-effectiveness of asset protection.
A loss prevention program can collect metrics on arrests made, recoveries per year,
recoveries per officer, arrests per shift, arrests per location, and other topics. Metrics in the
commercial high-rise industry can be gathered on the number of thefts occurring, costs per
square foot, number of fire alarms per year, number of incidents, doors found open, number
of undesirable persons, recoveries made, investigations conducted, etc. Shopping mall
security management can collect metrics on arrests made, number of people banned from
the property, interactions with the public, loss prevention seminars conducted with retailers,
patrols conducted, cars stolen from the parking lot, etc. Corporate security can collect
metrics on investigations conducted, recoveries made, risk assessments conducted, travel
briefings provided to staff, etc.
Once baseline data is collected, security managers can experiment with and fine-tune the
asset protection program to increase its effectiveness. Data analysis may also suggest
whether specific security measures are effective at all. It is up to the individual security
manager to determine what should be measured. Those metrics may help the security
manager answer the following questions:
x What am I trying to accomplish?
x How will I know if I am successful?
x What would convince me that I am not successful?
x What are my impediments to success?
x How much is it costing per unit to be successful?
x Is it worth the cost?

x How will I be able to collect and display the information in a meaningful format?
x What is the cost of success?

x What is the cost of failure?
Despite its importance, the security department must compete with other departments for
funding. From an engineering department perspective, if a piece of equipment will fail if not
repaired or replaced, the decision to spend money can be made easily. Other departments,
such as security and marketing, may find it harder to gain funds and should use ROI figures
to convince decision makers.

5.4 Boosting Cost-Effectiveness
5.4 BOOSTING COST-EFFECTIVENESS

5.4.1 BUDGET PROCESS
For organizations that generate income, it is customary to budget that income over the same
fiscal periods in which the costs necessary to produce it are incurred. Typically, a sales
forecast will project sales revenue for a quarter or a year. This forecast will then be the
baseline from which all expense budgets are built. In commercial operations, policy makers
will determine the profit that the enterprise must earn. Subtracting that amount from the
estimated revenues leaves the amount available to run the business. That amount is then
divided among the various elements of the business using budgeting techniques.
When expense budgets total more than the available funds, budget reviews are conducted.
Reductions are made by deleting planned expenditures—typically personnel and operating
expenses. After operations have commenced, periodic reports of actual results against bud-
geted results will indicate whether further expense reductions are required.
Management strives to maintain the margin between gross sales and expenses, even in the
face of reduced sales. Accordingly, the only way an operating function can justify continued
funding is to demonstrate that the real costs to the enterprise would be greater if the level of
support for the activity were reduced. If the contribution of the operating function cannot be
quantified or, when quantified, cannot be shown to result in greater net revenue than would
be possible without the function, sound management practices dictate that the function be
reduced or eliminated.
Preventing crime, closing investigations, and maintaining order are all legitimate and neces-
sary objectives of an asset protection program, but only for the purpose of helping the
enterprise achieve its basic goal. For commercial organizations, the goal is to make and
distribute products or render services so as to earn the planned profit. For public service or
not-for-profit organizations, the basic goal is to render services within the limits of the
available funds.
5.4.2 COST REDUCTION

Each element of the operation must be carefully examined for cost-effectiveness. The “we’ve
always done it this way” syndrome can significantly increase the cost of the operation. By
contrast, periodic reassessment of security solutions can lead to savings.
For example, if a company had earlier determined that $30 padlocks were the best solution
for a particular protection need, the company now should evaluate whether $20 padlocks
might provide the required protection. Purchasing 500 padlocks per year at $20 instead of
$30 leads to an annual savings of $5,000.

Security departments can also examine whether it is more cost-effective to use a proprietary
security officer force or a contract force.
Another consideration might be the cost-effectiveness of maintenance contracts for security

systems. The warranty for a new system generally covers the first year of operation. A mainte-
nance contract for each subsequent year costs approximately 13 percent of the original
system cost. Thus, an annual maintenance contract for a $100,000 system might be $13,000.
An analysis of the maintenance history might reveal that the services would cost significantly
less if paid for on a time and materials basis. A countervailing issue is that system suppliers
normally give first priority to customers who have maintenance contracts. Thus, the system’s
age and criticality should also be factored into the calculation.
5.4.3 COST AVOIDANCE

One way to achieve cost-effectiveness is to avoid costs or expenses through the use of asset
protection resources. Following is a discussion of major areas in which cost avoidance is
possible.
Major Loss Prevention

An asset protection program would be cost-justified if it was established that probable real
losses would not occur if the proposed asset protection measures were adopted. Under that
approach, “cost avoidance” would be the total cost of probable security losses assumed to
have been prevented. The real test, of course, would be whether the actual losses were less
than the otherwise probable losses and whether the combined cost of the actual losses and
the cost of maintaining the asset protection organization were within the risk-assumption
boundaries accepted by management when approving the asset protection program.
Other Loss Prevention

Asset protection programs prevent other losses, including some that are rarely quantified. A
good example is the work of security patrols in observing and correcting maintenance or
housekeeping problems, while at the same time preventing hazards such as fires. The
following situations will be found in every operation. In those with security forces, the
security officer often takes the corrective action on patrol. Figure 5-2 lists several types of
issues that security officers may discover on their patrols.

ITEM OR TOPIC CONDITION

Expensive tools or materials Not stored securely
Lights Improperly on or off
Machine Improperly running or not running
Doors or hatches Improperly closed or open
Temperatures Too high or too low
Pressures Too high or too low
Levels Too high or too low
Figure 5-2
Problems Discoverable on Security Officer Patrols
The least dramatic of these—the light left burning when it should have been extinguished—
could be resolved by motion sensors that turn off a light if no motion is detected within a
predetermined period. However if the organization does not use this technology, three
questions can be asked that will allow assessment of the value of the patrol action in turning
the light off:
1. If the security patrol had not turned off the light, how long would it probably have
remained on until discovered by someone else?
2. What is the expense to the enterprise for a light of that wattage burning for an hour or
a shift?
3. What cost has been avoided by turning off the light? (Item 1 multiplied by Item 2)
The savings for one light that might otherwise have burned needlessly for an hour will be
insignificant. But, over the course of a year, preventing hundreds of lights from burning
thousands of bulb-hours will result in significant cost savings. The same factors apply to
turning off machinery, where reduction of wear and tear is an additional benefit.
There could be far more serious consequences than energy expense. If a temperature is too
low or too high, a process could fail or a vessel rupture.
Taken individually, these housekeeping losses are not major items. However, a large facility
features many such items, so the cumulative effect of reducing them may be significant and
should be documented.

5.5 Data Capture
Other Strategies
Security managers can use several other means of identifying acceptable asset protection
strategies. For example:
x WAECUP (Waste, Accidents, Error, Crime, Unethical Practices) can be used as a

blueprint for developing security objectives.
x SWOT (Strengths, Weaknesses, Opportunities, and Threats) Analysis is a model for

analyzing proposed organizational projects. The concept is to analyze an issue or
proposal from each of the four points of view, thereby giving security management a
profile of potential issues to deal with. A goal of risk analysis is the recognition of
threats as they relate to company operations.
x The STEP (Social, Technological, Environmental, and Political) Model points out
potential sources of threats. The security manager can then conduct an analysis to
determine whether such threats are likely and where they could come from.
5.5 DATA CAPTURE

Collecting information is of paramount importance to security management, and the easier
it is to create security reports, the less staff will resist reporting incidents. Options include
pen and paper, electronic report writing at a work station, and portable input devices that
security officers can use on patrol to report their activities, including housekeeping and
maintenance loss avoidance. The screen can be configured to minimize keystrokes, and
information can be transmitted by radio frequency as it is gathered or can be uploaded to the
main database at the end of the tour.
The use of specially designed incident reporting forms also fosters easy data collection. One
approach to using such forms is as follows:
1. Design a good report form. Much time can be saved if the data fields are properly
designed. The minimum information to be captured should include date, time,
location, relevant names, name of officer, type of incident (light on, machine off, etc.),
and department affected by and responsible for the issue reported.
2. Teach security staff how to use it. All members of the asset protection organization
should be prepared to use and process these forms. Of course, the primary security
task—dealing with the incident, not just reporting it—must also be emphasized.
3. Promptly collect data and conduct initial analysis. Because report forms provide data
necessary for asset protection operations, they should be analyzed immediately by a
responsible supervisor. Software in portable data terminals can generate an immediate
report if any abnormal events or conditions require a prompt response. Routine
analysis should determine whether costs can be quantified and totaled.

5.5 Data Capture
4. Produce periodic management reports. The real value of cost-effectiveness data

gathering comes in making periodic cumulative reports to senior management. In
these reports, the number, frequency, distribution by type of incident, and location
can be shown, along with the individual and cumulative costs that were avoided. At
the end of any budget year (earlier if needed), all instances of cost avoidance through
security patrol action in housekeeping/maintenance situations can be totaled and
reported in summary form.
Gathering numbers is important, but considerable information can also be gathered from
personal interviews. For example, useful information on robbery and shoplifting has been
gathered from one-on-one interviews between researchers and prisoners. Surveys, too, can be
powerful tools for the security manager—for example, on a specific problem like laptop theft.
To validate information, security managers can conduct experiments. One method is to

gather statistics before and after implementation of a security measure to gauge whether it
was effective. Another method is to implement the new security measure in one company
site but not another and compare the results. Finally, direct observation can be used in some
less serious, nuisance-level situations to discover unknown aspects of the problem. Figure 5-
3 shows the main methods used in social science research. Security managers can apply
those same methods in the workplace.

5.5 Data Capture
RESEARCH METHOD STRENGTHS LIMITATIONS
Fieldwork x Usually generates richer and x Can only be used to study

more in-depth information than relatively small groups or
other methods. communities.
x Provides flexibility for the x Findings might apply only to the

researcher to alter strategies groups or communities studied;
and follow up new leads. it is not easy to generalize on
the basis of a single field study.
Survey x Makes possible the efficient x Material gathered may be

collection of data on large superficial; important
numbers of individuals. differences between
respondents’ viewpoints may be
x Allows precise comparisons to glossed over.
be made between the answers
of respondents. x Responses may be what people
profess to believe rather than
what they actually believe.
Documentary x Can provide in-depth materials x Depends on existing resources,

and data on large numbers of which may be partial.
subjects.
x Sources, such as official
x Is often essential when a study statistics, may be difficult to
is either wholly historical or has interpret in terms of how far
a historical dimension. they represent real tendencies.
Experiments x Influence of specific variables x Responses of those studied may

can be controlled by the be affected by the experimental
investigator. situation.
x Experiments usually easier for

subsequent researchers to
repeat.
Figure 5-3
Main Methods Used in Social Science Research

5.6 Data Analysis and Display
5.6 DATA ANALYSIS AND DISPLAY

Several software packages are commercially available in the security market, and a security
manager’s company can also write its own software. The key is to ensure that the software
aggregates the data for analysis. Analysis of aggregate data should lead the security manager
to discover trends, successes, failures, costs, losses, savings, recoveries, what works, and
what does not work, along with a host of other information.
Display of the aggregate data is just as important as the data itself. A security manager should
show information, such as the number of thefts per year, in a pie, bar, line, cone, scatter, or
other chart. One can also choose to display all thefts, both successful and unsuccessful, side
by side. People interpret information differently, so there is no one correct choice. Some
security managers may decide that information displayed in raw numbers will meet their
needs. However, there is truth in the saying that a picture is worth a thousand words.
Certainly, when presenting information to decision makers with limited time, graphical
display makes it easier to convey a security manager’s key points quickly.
The following are useful categories of security data analysis.
5.6.1 CLAIMS AVOIDED

Monetary claims against an employer include workers’ compensation, disability, accident,
and health issues. Many such claims are fraudulent or exaggerated. For example, a worker
might claim he was injured on the job and left unable to perform physical work. Medical
evaluation may not refute the claim. However, an investigation by the asset protection
department, complete with photographs and other evidence, may establish that the claimant
is regularly engaging in activities that would not be possible if the claim were legitimate. As a
result of the investigation, the claim may be disallowed and payments stopped. This is a
measurable cost avoidance provided by security, and its value should be calculated and
entered into the cost avoidance database for later reporting. The cost avoidance for denied
claims is often extended over a long period.
5.6.2 PROOFS OF LOSS

Insurance companies typically require proof of loss before making payments. In cases of
casualty coverage—particularly dishonesty or fidelity coverage—apparent losses may be dis-
puted by the carrier. For example, staff at a major electronics facility might find that a large
supply of components is missing from a storage container, which appears to have been
damaged by the thief as he or she tried to gain entry. It is not clear whether the thief was an
employee or a stranger. The distinction is important because the facility’s theft insurance for

losses caused by outsiders has a much larger deductible than its insurance for insider theft
(fidelity coverage).
A security investigation might uncover evidence to persuade the carrier of two points:
x An outsider could not have gained access to the location of the theft during the period
when the theft occurred because of access controls then in effect.
x The missing materials were not simply purchased components but had been worked
on by the enterprise. The components therefore had a labor cost element in addition to
a purchase cost element at the time of the theft.
If the claim had been made under the external theft coverage, it would have been less than
the deductible. But, thanks to the asset protection investigation, the fidelity claim is allowed.
Therefore, the net amount of the claim can be added to the security database for later
reporting.
5.6.3 RECOVERED PHYSICAL ASSETS

The value of a physical asset can be calculated as the purchase price or acquisition cost, the
depreciated book value (acquisition cost less accumulated depreciation), or replacement
cost. If the asset is lost and security action leads to its recovery, then at least one and perhaps
two financial benefits will accrue to the enterprise. First, the net value of the asset will be
recovered—a security recovery expense reduction item. Second, if the lost asset would need
to have been replaced if not recovered, the cost of the replacement is avoided. Both cost
avoidances should be identified and stored in the database.
5.6.4 UNINSURED CLAIMS OR CAUSES OF ACTION

A security investigation often results in a formal statement by an individual confessing
responsibility or in some other way admitting financial obligation. Examples include
confessions by forgers of company checks and admissions by vendors that they delivered less
material than claimed.
Even more important are inculpatory statements by trade secret thieves. Such statements
may lead to actionable claims by the enterprise for financial recovery other than an
insurance claim. The net cash value of such claims should be assessed and the items
identified and added to the database. They, too, are asset increases or expense reductions
that would not exist without the asset protection effort. For litigation and future claims, the
amount may be postponed until collection.

5.6.5 OTHER ACTIONS

A review of other revenue losses within the enterprise may suggest security action that can
recover the revenue. For example, checks returned from the bank as nonnegotiable are
normally handled by the finance department. The sender of the check is notified that the
check is nonnegotiable and is advised to remit the funds within 10 days. If the payment is not
received, the account is referred to a collection agency, which charges a fee of 30 percent to
50 percent of the funds recovered.
If the matter were referred to security rather than to a collection agency, the funds might be
recovered more cost-effectively. Payment with a nonnegotiable check and failure to make
the check good is a criminal offense in most places. Security will normally be familiar with
the process of filing criminal complaints. Because there is no charge to file a criminal com-
plaint, the expense to the enterprise will be that of maintaining the records and the time of
the representative who files the case and attends the hearing. A copy of the letter requesting
payment, proof of receipt of the letter (postal receipt card), and the check will generally
provide a prima facie case. The court can then issue a restitution order. If the face value of
the check is $1,000, the collection agency fee would be $300 to $500. If the matter requires
three hours of a security representative’s time at a rate of $40 per hour, the cost of recovery
would be only $120.
This process should be periodically examined for cost-effectiveness. Nonnegotiable checks

with a face value of perhaps $500 or less would then be excluded from security action.

5.7 Systematic Incident Reporting
5.7 SYSTEMATIC INCIDENT REPORTING

An incident reporting system is needed so that all employees can report incidents and
security can track and analyze them.
A formal incident reporting system is essential if the full cost-effectiveness of asset protection
operations is to be achieved. An incident reporting system does two things that could not
otherwise be done:
x provides a history of events occurring to the organization
x provides a basis for professional efforts at asset recapture, recovery, or incident

reduction or termination
The company can decide which incidents are important enough to be reported. Shopping
malls, financial organizations, oil companies, commercial high-rise buildings, and
warehouses all have unique incident reporting requirements. Over time, security
departments may find that the types of incidents being reported become standard and
change infrequently. However, changes in legislation on health, safety, or privacy could
change the types of incidents that a company wants to track.
Once the company has established guidelines regarding which types of incidents must be
written up, all such incidents should be reported to a central point. It is also essential that the
right details be captured. It is better to know when and where certain items—such as hand
tools, small meters, fractional horsepower motors, flashlights, etc.—are disappearing from
than merely to know the gross value of the lost items. With the right information, the security
department is in a much better position to act to reduce losses.
For incident reporting to function, a statement of enterprise policy is needed. The policy
should do the following:
x Establish the program.
x Identify the kinds of incidents to be reported.
x Assign reporting responsibility to the persons accountable for the various types of inci-
dents. For example, building engineering would be responsible for health and safety
incidents.
x Prescribe the report format.
x Set a time within which reports are to be submitted.

x Identify to whom they should be submitted.
x Indicate the consequences of failure to make timely reports.

Appendix A presents a model incident reporting form. The form requests the time and
circumstances of the incident, the assets involved, and their value. Information on circum-
stances will go into incident profile and modus operandi files and will help in the
development of countermeasures or recovery efforts. The asset description and valuation
will go into the security vulnerability and cost-effectiveness files. The total number of reported
incidents may be used to establish, in part, the criticality of company exposure. The frequency
of incidents will help determine probability. These factors, in turn, are incorporated into the
overall estimate of event probability and criticality on which the asset protection program is
based.
It is efficient to create a blank electronic form so that employees can complete the form
electronically and transmit it to the asset protection organization. It may also be convenient
for employees to report incidents by telephone to asset protection clerical personnel for
entry directly into the incident reporting system.
Many asset protection organizations have automated their incident reporting systems by
providing a report form (in the form of a Web page) on the company network. Employees
can conveniently and securely key in the incident information and immediately route the
form to the security department. This process is easier than a manual system that requires
mailing and copying each report. These approaches encourage employees to make reports.
Appendix B includes a sample policy statement on incident reporting.
5.7.1 CREATING AN INCIDENT DATABASE

Security incident reporting provides a database from which to extract information on
multiple aspects of an asset loss incident. A well-developed database can be useful to all
company departments, not just security. For example, because theft can be attributed partly
to employee dissatisfaction, if the database shows that many employees at one location are
engaging in theft, there may be a larger management issue. If the database shows that a
particular operation is suffering from fraud, it may be that internal controls are inadequate.
In many organizations, incidents are reported not to a central location but to a variety of
departments, making tracking more difficult. The most common situation is to ignore the
incident or expense the actual or suspected losses within the department that incurred the
loss. That approach may conceal losses and, over time, may encourage the inclusion of
incidents or losses—many of which are preventable—in production or operating standards.
Also, if incidents are not reported to a central database, they may be seen as a series of
unique events when in reality they may be linked in some way and may be leading up to a
major loss event (Toft & Reynolds, 1999).

If a manufacturing operation budgets a percentage allowance for the unaccounted difference

between actual finished goods and what should have been made from the material and labor
charged, that allowance becomes a floor. Losses or unaccounted shortages amounting to less
than the budget allowance will not be investigated and could well be caused by theft of
product or raw materials.
If manufacturing output amounts to $10 million per year, a 0.3 percent allowance for
shrinkage, variance, or some other write-off account amounts to a loss of $30,000. If the
business has a 15 percent profit margin, $200,000 in new sales would be needed to generate
the amount written off. For larger companies, the losses and necessary new sales are
commensurately greater. For example, 0.3 percent loss from a $100 million manufacturing
output would be $300,000.
Although those losses may not ruin the enterprise, preventing them would certainly improve
performance. An annual write-off of $300,000 would support the following:
x security director with a salary of $75,000 plus 30 percent for benefits (totaling $97,500)
x two investigators at $45,000 per year plus benefits (totaling $117,000)
x two clerical personnel for the security group at an estimated total cost of $50,000 per
year
It is axiomatic in asset protection that a competent corporate security staff pays for itself
many times over. Proper attention to the reduction of shrinkage or variance losses not only
provides integrity to the organization but also permits reallocation of resources to intensified
asset protection efforts.
5.7.2 FUNCTIONS OF AN INCIDENT REPORT

The purpose of an incident report is to provide the security manager with data on which to
base security decisions. The incident report should do the following:
x Provide a quick notification of an actual, suspected, or potential event.

x Allow staff to create comprehensive reports easily.
x Be standardized.
x Generate suitable information for building an incident profile/modus operandi file.
x Enable staff to tally incidents.
x Help establish accountability for incidents or indicate that no accountability control
exists.
x Provide information for reassessing operating budgets.
x Help executive management compel operating management to assume responsibility
for incidents and prompt reporting.
x Provide a basis for insurance claims or changes to self-insurance reserves.

5.7.3 BENEFITS OF INCIDENT REPORTING

In raw form, the information in incident reports has limited value. Once the information is
processed, however, the security manager can use it to do the following:
x Identify items targeted for theft—through high loss frequency.

x Determine which countermeasures were effective or ineffective—by observing which
countermeasure was or was not in use when incidents occurred.
x Classify events along the continuum from high probability/low criticality to low
probability/high criticality.
x Provide an overview of where security personnel are spending their time.
x Plot event trends—by amounts, frequencies, types of assets, day/time of loss, prime
incident locations, people involved, causes of occurrences, etc.
x Facilitate protection or recovery of assets and apprehension of thieves.
5.7.4 POLICY ON SUBMISSION OF INCIDENT REPORTS

The following practices are recommended when submitting loss reports:
x All employees must notify their immediate supervisors of any incidents or known or
suspected asset losses. This might be done informally or formally. All employees
should be made aware of their personal responsibility for such notification.
x First-line supervisors should be responsible for completing reports for losses within
their areas of responsibility. Supervisors then provide the reports to security personnel.
x The security manager is responsible for reviewing the report. Corrections or modifica-
tions, if any are required, can then be made.
Reports should be distributed to the following locations:
x asset protection or security department—all reports

x insurance department—reports of losses that are, or may be, insured or chargeable to
self-insurance reserves
x property accounting—reports involving depreciable or amortized assets or items for
which property accountability is maintained
x legal department—for reports involving slips and falls and other legally sensitive issues
x auditing department—all reports (to determine whether the loss is related to
noncompliance with existing procedures or lack of procedures)
x originator’s files—all reports filed by that originator (but the originator is not required
to archive the reports)

5.7.5 INCIDENT DATABASE

The security department should maintain the incident report database. Each report should
be converted to a computer file and the permanent database maintained in that format.
The database should be designed to sort and retrieve data based on the following data fields:
x individual asset lost, or asset class, ranked by loss frequency

x value of the lost assets (to show distributions of asset values)
x time and date of the incident (actual or estimated)
x location of the incident, such as the city, facility or floor (to identify vulnerable
locations)
x person or department that reported the incident
x person or department in which the incident occurred
x countermeasures involved in the incident
x
6
circumstances of the incident
x character of the incident (for example, actual, near miss, commercially insured, unin-
sured, or self-insured)—this item may have to be added after the initial submission of
the report, as the character may not be known at that point
Information should also be searchable by various if/then parameters, such as whether an

asset was recovered, criminal prosecution was initiated, or any other action was taken
against the persons responsible.
5.7.6 MANAGEMENT REPORTING FROM THE DATABASE

As the incident database grows, so will management interest. The following are different
types of reports that security managers should distribute periodically to upper management.
General Management Distribution Report

This report is computer-generated and has incident information for the covered period
arranged in the following order:
1. ranked frequency by asset or class of asset

2. ranked frequency by date and time
3. ranked values by assets involved
4. ranked values by location of incident
5. total value of losses for the report period
6
Extra analysis may be required to determine modus operandi or other event characteristics. Examples of significant modus
operandi information would be a particular technique for defeating locks or the presence of unusual materials at the scene of
the incident. The security department should develop that information even if another department manages the files.

This type of report could be widely circulated to all members of senior management. It
would give them a current picture of the extent and type of actual or probable theft losses.
Corrective Action Report

This report is arranged as follows:
x by organizational unit responsible for the incidents

x by total loss value charged to that unit during the report period
This report would immediately alert units with unacceptable incident records to the need for
corrective management action.
Loss Status Report

This report is distributed to senior management on a less frequent basis and depicts the
following:
x total amount of losses incurred

x of total losses, the amounts
— reflected in actual asset recoveries

— of indemnity by way of insurance
— chargeable to self-insurance reserves
— chargeable to current operations as expenses to offset asset value reductions
If profit center managers do not recognize the benefit of submitting incident and loss
reports, they may fail to report such incidents. On the other hand, if losses are tracked to a
central reserve account instead of each manager’s account, they may be more likely to report
incidents and losses. It is better to identify and classify losses and to take any curative or
preventive action than to bury losses in a myriad of accounting ledgers.

5.8 Predictive Modeling by the Security Organization
5.8 PREDICTIVE MODELING BY THE SECURITY ORGANIZATION

The ultimate value of incident reporting lies in the opportunities it creates for avoiding
future incidents, events, and losses through planning, employee awareness training and
security enhancements. Therefore, the following categories of incidents should be tracked:
x most vulnerable assets, such as those susceptible to high-frequency losses
x time of loss occurrence
x locations in which losses occur, especially high-frequency loss locations
x countermeasures that were useful or ineffective
x losses representing the highest costs
x types of incidents
x slips, falls, and other incidents that expose the organization to lawsuits
x health and safety violations resulting in lost time, reduced productivity, and increased
workers’ compensation fees
x any incident type that costs the organization time, effort, or money
This information will enable the asset protection organization to allocate protective
resources cost-effectively. By tracking and analyzing incidents, the security manager can
gain insights into countermeasures that may prevent future losses. For example, if incident
reports show consistent losses of small, high-value items from a warehouse but no
significant losses from other warehouse stocks, special precautions limited to the target
items may suffice. The precautions might be as simple as installing a chain-link cage with a
reliable lock and interior space alarms. Other typical warehouse security measures—such as
intrusion alarms on doors and windows, security officer patrols, and closed-circuit television
surveillance—could then be dispensed with on the basis of incident report data.
The selection of countermeasures also depends on the return on investment. Each counter-
measure can be weighed against its likelihood of preventing losses, cost of implementation,
potential recoveries made, and value of avoided losses.

5.9 Protection Planning without an Incident Database
5.9 PROTECTION PLANNING WITHOUT AN INCIDENT DATABASE

Organizations without incident databases can gain some of the benefits of a database by
developing an asset protection plan as follows:
x Form an asset protection committee. A group very familiar with the company’s
products, materials, tools, and resources should be formed. It is important for senior
management to set the organizational climate for security and loss prevention by
requiring this to be a formal process that includes inspections. Typically, members
would be senior managers or other experienced representatives from the following
departments:
— manufacturing
— engineering
— quality control
— security
— others—such as insurance, accounting, or marketing—depending on the nature
of the business
The committee may be managed by the business ethics or internal control department.
The committee evaluates losses from a number of perspectives.
x Determine the criteria for events and incidents. The committee should research the
cost of events and incidents as well as the effect of non-monetary losses, such as
damage to reputation.
x Identify vulnerable items. The asset protection committee should consider all the
items the organization handles and the activities it engages in. The committee should
then determine the potential risks to those items and activities.
x Develop a system for item tracking. Once the target items have been identified, a flow
chart should be prepared depicting the exact movement of each asset through the
organization. In manufacturing companies, for example, items may travel through pur-
chasing, incoming inspection, raw materials inventory, assembly, and distribution.
x Assess vulnerability. When the assets are identified and the flow or process is clear, the
asset protection manager can assess the vulnerability of each asset at each stage of the
process.
x Select countermeasures. Based on the vulnerability assessment, the asset protection
manager can select the appropriate countermeasures for each area of exposure.
x Cost-benefit model. Finally, the selected countermeasures can be justified in a cost-

benefit model using the costs of the target assets, the level of loss probability, and the
expected amount of risk reduction.

5.9 Protection Planning with an Incident Database
5.9.1 PILOT VERIFICATIONS OF THE MODEL

It is advisable to pilot test the asset protection program. This can be accomplished by
selecting some points of exposure and providing countermeasures, while leaving other
points of exposure, of equal loss probability, unprotected.
Over a controlled test period, actual losses can be tracked in the unprotected areas. For
example, careful inventories or other counts can be taken but no loss prevention efforts
employed even in the face of actual losses. The losses in the unprotected areas can then be
compared to the losses in the protected areas to gauge the effectiveness of the chosen
countermeasures. (Of course, if losses during a pilot test are unacceptably high, the test can
be narrowed or discontinued and countermeasures applied enterprise-wide immediately.)
Based on the pilot data, countermeasures should be adjusted as appropriate.
5.9.2 MODIFICATIONS OF A GROWING DATABASE

Building an incident database takes time. As incidents are entered into the system, the
incident classifications may need to be modified. Security management should be flexible in
establishing and maintaining the system but must make sure to review the data periodically.
Often, various types of incidents may be lumped together in an “other” category. If 80
percent of each month’s reports fall into the “other” category, new categories should be
developed.
To be cost-effective, an asset protection program must consider not only the major incidents
and events it is designed to prevent but also the incidental cost avoidances and asset or value
recoveries that occur in the course of operations. The reasonableness of proposed security
expenditures, compared to the losses that might otherwise occur, will move management to
approve the program. Ongoing evidence of losses avoided through security countermeasures
is necessary to sustain management support of the security program.
Cost-effectiveness reporting demands a reliable database that can be created and maintained
through an enterprise-wide loss reporting system. By using return-on-investment and other
formulas, security managers should find it easier to make the case for security expenditures.

Appendix A: Model Incident Reporting Form
APPENDIX A
MODEL INCIDENT REPORTING FORM
PA RT I [C OMPANY NA ME]
1. Division 4. Date of report

2. Location 5. Reporter’s name
3. Unit or department 6. Reporter’s signature
PA RT II ASSET DE SCR IPT ION
7. Nomenclature and description 11. Ownership

(including dimensions, weight, and a) Company
color; add photo, if available)
b) Other (identify)
8. Serial or other ID#
9. Monetary value
10. Basis of valuation
a) Purchase price
b) Book value
c) Replacement cost
d) Other (describe)
PA RT III C IRC UMSTANCE S OF LOSS
12. Date and time loss discovered 16. Date and time incident occurred
(best estimate)
13. Incident type
17. Hour loss occurred (best estimate)
14. Persons involved (suspect, witness,
complainant, victim, security 18. Nature of incident (brief description
personnel) of what event occurred)
15. Location of incident 19. History of document
PART IV INSTRUCTIONS FOR COMPLETING FORM
[Here would go instructions on the number and routing of copies, the handling of file or suspense copies,
the filing period, etc.]

Appendix A: Model Incident Reporting Form
NOTES ON INCIDENT REPORTING FORM

Item 11. Although this item may sound obvious, it is often overlooked in incident reports. The
person completing the form should determine whether the property is really company property or
whether it belongs to a customer, the government, or another party. In cost reimbursement
contracts, when materials are purchased for use in U.S. government projects, title immediately
goes to the government, whereas in fixed-price contracts, title to materials and components
remains with the contractor until delivery of the final contracted item. The question is important
because a theft in the first example would constitute a theft of U.S. government property, a federal
crime with high sanctions, while a theft in the latter case might involve only state law with lower
sanctions. If the lost property belonged to a third party, and the company suffering the loss was
under a duty of care for such property, then the cost to the company might also include related or
consequent losses suffered by the third party.
Items 12–18. These items are of the greatest significance to security recovery and prevention
efforts. If an incident reporting system is being adopted for the first time, instructions and
examples of completed reports must be provided to employees.
Item 19. Creating a document history helps in tracking changes made to the document. Often,
information is added to reports as more data becomes available and the reports are forwarded to
others for review, comment, and follow-up. Knowing that information has been added, acted on,
or changed may be particularly important with electronic reports.

Appendix B: Loss Reporting Policy
APPENDIX B
LOSS REPORTING POLICY
The preservation of company assets, both human and material, is the responsibility of every
employee of the company. This responsibility includes taking appropriate measures to prevent
losses due to willful actions that would result in personal injury, property damage, or theft. Unit
managers have the additional responsibility of facilitating the gathering of reports of losses, which
will be forwarded to the appropriate security office for tabulation or investigation.
This reporting must be timely and accurate. It provides the basis for accurate tracking of security-
related problems. Tracking facilitates analysis, helps identify weaknesses in current business
processes, and provides early notification to minimize future losses and potentially recover assets
already lost.
Reports of all crime-related losses should be made to the appropriate security office by telephone,
if urgent, or by using the Security Loss/Incident Report form.
Further guidance as to the format, scope, and areas of responsibility can be obtained through
corporate security.
GENERAL
The Security Loss/Incident Report shall be submitted for each case in which misdeeds by
individuals cause damage, loss of company property, or injury to company employees. It should
be prepared by an employee who has direct knowledge of the incident; however, in certain
circumstances, it may be completed by administrative personnel who receive spoken information
on the incident.
It is important that data on all malicious acts against the company be entered into the system. This
will permit analysis that may establish patterns and help in solving some cases. Without full and
complete reporting, the security force is at a disadvantage in preventing future offenses against the
company.
Timely reporting is also significant. Telephone reports shall be made to district and area offices as
soon as possible after discovery of every security loss/incident. The telephone report shall be
followed up by submission of the Security Loss/Incident Report form within 48 hours.

References
REFERENCES
Ernst & Young. (2003). Global information security survey. New York, NY: Ernst & Young.
Kitteringham, G., CPP, & McQuate, C. A., CPP. (2003, September). Many happy returns. Security
Management.
Kovacich, G. L., & Halibozek, E. P. (2006). Security metrics management. Woburn, MA: Butterworth-
Heinemann.
nd
Toft, B., & Reynolds, S. (1999). Learning from disasters: A management approach, 2 edition. Lei-
cester, England: Perpetuity Press.

CHAPTER 6
THEFT AND FRAUD PREVENTION
IN THE WORKPLACE
6.1 UNDERSTANDING THE PROBLEM

The common-law definition of theft is the dishonest appropriation of property belonging to
another with the intention of permanently depriving the owner of rightful possession or use
of it. Fraud, on the other hand, is defined as intentional deception perpetrated for the
purpose of unlawfully taking another’s property or, more simply, theft by deception. Both
offenses are considered criminal and are punished as such. In some instances, as in the case
of alleged fraud committed in the United States, victims have at their disposal both criminal
and civil remedies. Accordingly, security professionals should carefully consider their
options in designing an organization’s theft and fraud prevention program. A program that
contemplates only limited remedies offers only limited protection.
Theft and fraud are the most frequent and costly forms of dishonesty the security
professional will likely encounter. Today’s security practitioner needs to know the factors
that lead to theft and fraud, as well as the best methods of preventing it. The relevant facts or
elements of most economic crimes are motive, ability, and the opportunity to commit the
crime. Although theft and fraud are closely related and similarly motivated, the techniques
used to prevent them differ significantly. In particular, theft and fraud by employees may be
an organization’s greatest threat, second only to competition. Therefore, this document
7
focuses primarily on workplace theft and fraud.
7
According to Report to the Nation 2004 from the Association of Certified Fraud Examiners, the most cost-effective way to deal
with fraud is to prevent it. An organization that has been defrauded is unlikely to recover its losses. The median recovery
among victim organizations in the study was only 20 percent of the original loss. Almost 40 percent of victims recovered
nothing at all.

THEFT AND FRAUD PREVENTION IN THE WORKPLACE
6.1 Understanding the Problem
The following items offer insights into the extent of theft and fraud:
x The United States Chamber of Commerce estimates that 30 percent of business failures
result from employee theft, with over one half of them failing in the first three years of
their existence (Ferraro, 2006, p. 370).
x Occupational fraud is a growing industry in which most perpetrators are first-time

offenders (Association of Certified Fraud Examiners, 2004).
x In 2004, fraud cost each U.S. resident approximately $2,444 (Association of Certified
8
Fraud Examiners, 2004).
x U.S. organizations lose 6 percent of their annual revenues to fraud. That share of the
U.S. gross domestic product would be $600 billion (KPMG, 2003).
x Small businesses suffer disproportionately larger losses than large businesses. In 2003,
the median loss suffered by small businesses was $98,000. The median loss from those
frauds committed by owners and executives was $900,000 (KPMG, 2003).
x More than 2 million shoplifter apprehensions are made every year. They are only a
fraction of the estimated 200 million annual shoplifting incidents. The estimated rate of
shoplifting translates to approximately 550,000 shoplifting incidents per day, with
losses totaling almost $30 million per day (Shoplifters Alternative, 2002).
x Various studies estimate that employees steal over a billion dollars a week from their
employers.
The following are some general observations about the characteristics of employee theft and
fraud:
x Some employees will generally steal to the extent the organization will allow.
x Clear organizational policies, procedures, and practices will significantly increase the
chances of detecting vulnerabilities and systemic gaps before losses occur.
x By reducing temptation and increasing the probability of detection, organizations can

prevent much internal theft and fraud.
x A key to preventing theft and fraud, and to increasing the reporting of suspected
incidents, is a continuous, well-developed, and well-delivered fraud awareness pro-
gram for all employees. Employees must feel confident that senior management takes
these issues seriously, will act with professionalism and discretion regarding reports
made by employees, and will steadily demonstrate their resolve to handle offenders
properly at all levels of the organization. An important prevention tool a company can
use to reduce the level of employee theft, fraud, and embezzlement is to maintain a
climate of trust, honesty, and cooperation throughout the workforce.
8
In a sense, fraud is a tax. Employee theft and fraud siphon off resources, making the victim organization less competitive.

Figure 6-1 describes the impact of theft or fraud on a company with $5 billion in revenue and
a pretax profit margin of 15 percent. Assuming the organization loses 1 percent of revenue as
a result of employee theft or fraud (a very conservative estimate for most industries), it would
need to generate an additional $333 million in sales to recover the losses.
Revenue $5,000,000,000
Losses from theft and fraud (1 percent of revenue) $50,000,000
Additional sales required ($50 million ÷ .15) $333,000,000
Figure 6-1
Financial Impact of Theft or Fraud
Thus, the loss should not be measured merely in terms of revenue. More accurately, the loss
should be measured by extrapolating the amount of sales and other costs such as downtime
and insurance rate changes necessary to cover the loss. In addition, losses avoided may be
determined by the difference between the losses estimated without a security program and
those with the program. The percentage of probable loss can be estimated for various
industries or based on the loss history of the particular organization. This method of
describing the effect of theft and fraud on profitability is a powerful tool for demonstrating
the need for comprehensive initiatives to identify and limit such losses.
In the retail industry, up to 70 percent of losses are perpetrated by employees, and for every
dollar lost to shoplifting, employees steal another $15. In the food service industry, employee
theft imposes a 4 percent tax on every customer dollar spent (Ferraro, 2006, p. 370). The
annual loss to the U.S. banking industry from employee embezzlement is estimated to
exceed $1 billion (Hart, 2004). A serious form of embezzlement in the workplace is fraudulent
cash disbursements.
Employees steal more than food and cash—they steal time. Efficiency consultants have
known this for years. Businesses have attempted to improve workplace efficiency since the
Industrial Revolution began. From Henry Ford’s first assembly line to the implementation of
modern robotics, companies have striven to improve worker efficiency.
Time theft is every employer’s nemesis. If each employee of a 200-person organization were
to steal 10 minutes a day, the employer would lose 2,000 minutes per day. If the work year
consisted of 260 workdays, the employer would have suffered a loss of 520,000 minutes, or

the equivalent of 4.1 man-years. In effect, the workforce of 200 individuals is doing the work
of 196. If the annual wage of an employee was $30,000, the cost of each employee stealing
just 10 minutes a day translates to about $125,000 a year! Reducing wasted time by just one
minute per day per employee would create a savings of $12,500 a year (Ferraro, 2006).
The crimes of employee theft and fraud share some other general characteristics:
x They are usually perpetrated by employees with access.
x Time, finished goods, supplies, scrap and waste, and intellectual property are the assets
most often stolen.
x Lack of supervision and lack of effective processes are the primary contributors to
employee theft and fraud.
x Secretive relationships, missing documents, indicators of substance abuse, and
irregular hours of operation or building entry are clues that employee theft or fraud
may be occurring.
6.1.1 COMMON MYTHS

Employers of all sizes may succumb to the temptation of believing that theft and fraud
prevention is expensive and time-consuming. The following are among the most common
myths (often expressed as rationalizations for inaction) among employers:
x Only the needy and greedy steal.

x Good policies and procedures will catch most wrongdoers.
x Audits identify most irregularities.

x Prosecution is an effective deterrent.
Unfortunately, these assumptions are untrue and misleading. They tend to lure employers
into using quick fixes and relying on inadequate safeguards. Organizations that do so will
unnecessarily place their assets at risk and jeopardize their employees, their reputations, and
possibly their very existence.
6.1.2 MOTIVATION TO COMMIT THEFT AND FRAUD

Psychologists, sociologists, and criminologists have struggled for years to understand and
describe the motivations of dishonest individuals. Studies have sought to identify
characteristics and personality traits most often associated with theft or fraud, as well as the
social forces and environmental factors that might explain why certain individuals are
dishonest and others are not.

6.2 Employee Theft
Historically, the focus of most sociological and criminological research has been on street
crime, especially violent crime. Much study has been devoted to the psychological
composition and personality of murderers, rapists, and bank robbers over the years. More
recently, researchers have studied the minds of white-collar offenders and other dishonest
employees. After the recent corporate scandals involving Enron, Global Crossing, ImClone,
and other companies, the factors leading to executive greed and employee theft have
become even more apparent.
6.2 EMPLOYEE THEFT

th
Although workplace theft first received scholarly attention in the mid-19 century, academia
largely ignored the subject until the early 1980s. John Clark and Richard Hollinger (1982),
researchers from the University of Minnesota Department of Sociology, published the results
of their extensive three-year study on employee theft. They defined employee theft as “the
unauthorized taking, control, or transfer of money and/or property of the formal work
organization that is perpetrated by an employee during the course of occupational activity.”
Clark and Hollinger attempted to develop a consensus regarding the causes of employee
theft and the most effective means of deterring it. They examined employee theft in three
private-sector arenas: retailing, manufacturing, and hospitals. In doing so, they studied the
literature in criminology, sociology, psychology, anthropology, and industrial security. Their
review revealed these separate but interrelated sets of hypotheses commonly used to explain
employee theft: external economic pressures, youth and work, opportunity, job
dissatisfaction, and social control. Each is examined below:
x External economic pressures. Before the study, the most frequent justification of
employee theft was that employees steal from their employers because they have
personal problems involving alcohol, gambling, illicit affairs, or similar situations.
Clark and Hollinger observed that the connections between economic needs and the
manner in which the stolen materials satisfy those needs had not been established and
was vague at best.
x Youth and work. Another commonly expressed theory stated that younger employees
are not as honest or hardworking as people from previous generations. Two studies of
retail employees caught stealing merchandise had found that a disproportionate
number of younger, newly hired employees were involved in theft. However, no clear
and convincing evidence existed to support this theory.
x Opportunity. Security practitioners believed that the opportunity to steal items of
value was a primary factor in employee theft. It was generally held that every employee
is tempted to steal from his employer at one time or another, based on the opportunity

6.2 Employee Theft
to steal. This theory was never empirically studied until Clark and Hollinger’s later
research in 1983.
x Job dissatisfaction. The idea that job dissatisfaction causes employee theft had not
been included in most studies of workplace theft until Clark and Hollinger conducted
their study. The theory suggests that the employer causes theft because management,
directly or indirectly, is responsible for employees’ job dissatisfaction.
x Social control. The social control theory suggests that the broadly shared formal and
informal social structure within an organization greatly influences whether theft will
occur. Although not empirically tested until Clark and Hollinger’s study, the theory
emphasized the role that individual workgroup norms played in deterring workplace
theft. In addition, there was evidence in existing studies that relationships between
supervisors and employees could deter or encourage employee theft. Both theories are
similar to the deterrence doctrine, which assumes that the threat of negative social
sanctions or criminal prosecution could affect the amount of theft in the organization.
In essence, the premise holds that employees are more likely to steal if they perceive
little threat of detection or punishment.
Clark and Hollinger found it difficult to separate theft from other forms of deviance. Their
study also examined production deviance, such as unauthorized or extended coffee and
lunch breaks, inappropriate use of sick time, punching time cards for other employees, and
arrive late or leaving early. Each of those acts, by today’s standards, constitutes theft of time.
6.2.1 PREVALENCE OF EMPLOYEE THEFT

In the industries studied, approximately one-third of employees reported stealing from their
employer. In most instances, theft was minor and occurred infrequently. Model employees
did not report any theft at all. The researchers also found that employee theft exhibits a
bimodal distribution; that is, a small number of employees take large amounts of property,
while the vast majority of those who steal take only small amounts. The four characteristic
principles involved in internal thefts scams include diversion, conversion, disguise, and
divergence. The more a company can do to remove one or more of these principles, the less
likely an employee will be involved in internal theft. This finding corresponds to other
studies of community crimes, which have found that 95 percent of property crimes in a
particular community are committed by less than 5 percent of the population. The Clark and
Hollinger study also found that theft of physical assets represents only a minor share of the
employee deviance problem.
6.2.2 EXTERNAL ECONOMIC PRESSURE AND OPPORTUNITY

The study found that few people steal company property to ease economic pressures. (How-
ever, recent examinations of the subject have revealed a correlation between economic pres-

6.2 Employee Theft
sure and financial crimes committed by executives.) Aside from cashier-related embezzle-
ment and a few other types of theft, the vast majority of large-scale thefts are committed by
managers (Association of Certified Fraud Examiners, 2004). These large-scale thefts usually
fall under two classifications: embezzlement or defalcation. Embezzlement involves the
fraudulent appropriation of property by a person to whom it is entrusted, which can involve
material things such as art, property, and product, not just cash. Defalcation more
specifically deals with the misappropriation of trust funds or money held in a fiduciary
capacity (Bologna & Shaw, 1996).
6.2.3 YOUTH AND THEFT NEXUS

Younger employees (most of whom had little tenure with their employers) reported signifi-
cantly more deviance than older coworkers. Younger employees also held a higher overall
level of job dissatisfaction than more senior employees. Clark and Hollinger attributed both
findings to the employers’ habit of viewing younger or newer employees as temporary or
expendable and withholding many of the rights, fringe benefits, and privileges afforded more
tenured employees. Granting special considerations solely based on seniority may create an
atmosphere in which the youngest members are the least committed to the organization.
Though not addressed in Clark and Hollinger’s work, it is self-evident that employees with
less tenure also have less invested in their job and the organization. Although that factor may
not translate directly into individual dishonesty, a less-tenured employee will likely be more
tolerant of theft.
6.2.4 JOB DISSATISFACTION AND EFFECTS OF SOCIAL CONTROLS

Further unpacking the Clark and Hollinger study, the modern security professional will easily
conclude the following:
x Most fraud perpetrators are influenced by an opportunity to profit.

x Opportunity and theft are clearly correlated. For example, retail employees with the
greatest exposure to cash and high-value merchandise were the most likely to steal.
That propensity was particularly true of employees in occupations of lower social
status.
x However, employees at lower occupational levels do not commit most property theft.
Most such theft is committed by employees with the greatest access to the property
and least perceived chance of detection.
x In manufacturing, assembly workers tend to steal less than other employees.
However, engineers report much higher levels of theft (especially in electronics
manufacturing, where components may mean little to an assembly worker but a
great deal to engineers).

6.2 Employee Theft
x In hospitals, the majority of theft is committed by nursing staff rather than others with
the same access to various areas in the hospitals.
x The most consistent predictor of theft in all industries is the employee’s perceived
chance of being detected. Theft occurs most often when organizational sanctions or
rules against theft are not properly communicated or consistently enforced (see also
Ferraro, 2006, pp. 371-372).
x In addition, employees are greatly influenced by the informal social controls of
coworkers, such as peer group gossip, ridicule, and ostracism. Peer group sanctions
present a significant opportunity for management to reduce employee theft.
x Job dissatisfaction and theft are also correlated. Employees displeased with their
overall employment experience are most often those who seek redress by engaging in
theft and other antisocial behavior at work. Those who sense that their employer and
supervisor are concerned about their well-being do not engage in as much theft.
6.2.5 SUMMARY AND RECOMMENDATIONS OF STUDY

The study offers three cautionary notes:
x Too few organizations have appropriate mechanisms to accurately track acts of

workplace dishonesty. They are thus unable to calculate the overall economic impact
of the problem. As a result, organizations tend to generalize about their losses, and
statistically sound information is scarce. Security managers study the causes of theft to
analyze actual and potential loss-producing incidents.
x Draconian security methods, such as searching employees at workplace exits, are
expensive and hurt employee morale. By contrast, demonstrating a sincere
appreciation for the individual’s contributions to the organization instills a greater
sense of ownership and belonging. Such sentiments translate into less workplace theft
and dishonesty.
x Policies and work rules must be reasonable and fair. They must also be communicated
properly and enforced consistently. Too often, management’s expectations are scarcely
mentioned during employee orientation and never again addressed until someone is
caught stealing.
Security practitioners should focus on identifying the 5 percent of employees responsible for
the great majority (95 percent) of workplace theft. Practices that appear to punish all
employees are generally more expensive and likely to damage morale. By contrast,
anonymous incident reporting systems (sometimes called hot lines) can be used to deter
dishonest employees and empower honest ones. More occupational fraud is revealed by
anonymous tips provided by employees than by all formal internal audits combined
(Association of Certified Fraud Examiners, 2004).

6.3 Fraud and Related Crimes
In sum, loss prevention and asset protection efforts in today’s workplace should be crafted
based on the following:
x Employees who steal are frequently involved in other counterproductive workplace

activities.
x The greater the opportunity for theft, the greater the chance that it will occur.
x Employees who are satisfied with their jobs are less likely to steal.
x The greater the chance of detection, the less likely that employees will steal.
x A strong management commitment to deter theft reduces losses by employing policies
and procedures to reduce the organization’s exposure to litigation and liability.
x Theft on the job is not necessarily correlated to external factors or influences.
x Peer pressure and attitude significantly affect individual employee attitudes toward
theft (Ferraro, 2006, p. 371).
6.3 FRAUD AND RELATED CRIMES

Two prominent explanations of white-collar crime are Edwin Sutherland’s differential
association theory and Donald Cressey’s non-shareable need theory. Sutherland’s theory
states that criminal behavior is most often correlated with an individual’s association with a
criminal environment. In other words, people who frequently associate with individuals who
have criminal tendencies become criminals as a result of those relationships. His theory
posits that criminal behavior is not inherited but learned, and that it is learned through other
people by example and verbal communications. Individuals also learn incentives,
rationalizations, and attitudes associated with particular crimes. They also learn the
psychological machinations needed to commit a crime and justify it—that is, to manage the
fear of the social repercussions associated with the crimes.
By contrast, Cressy’s theory defines the problem as a violation of a position of financial trust.
He theorizes that trusted persons become trust violators when they visualize themselves as
having non-shareable financial problems and feel they can resolve the problems by violating
their position of trust. His theory is based on extensive interviews of individuals convicted of
various trust violations, particularly fraud. Cressy concludes that three elements must be
present before a fraud or similar crime can take place:
x the perception of a non-shareable problem

x an opportunity for a trust violation
x a series of rationalizations that allow the individual to justify his or her behavior as
appropriate for the situation

6.3.1 COMMON ELEMENTS OF FRAUD

Others hold similar beliefs about the mind of the fraudster. For example, in his seminal work,
Occupational Fraud and Abuse, Joseph Wells states that three factors are present in every
fraud (Wells, 1997, p. 11):
x a strong financial pressure
x an opportunity to commit the fraud
x a means of justifying the fraud as appropriate
Unlike employee workplace theft, which often occurs spontaneously, fraud is premeditated.
Wells professes that if the three elements come together in almost any work-related
situation, a fraud will likely occur. He names several sources of financial pressures, such as
gambling debts, drug use, living beyond one’s means, and unexpected medical bills. Other
motivations include the desire to be, or appear to be, successful. However, the predominant
factor is greed.
Proving fraud tends to be difficult. The fact-finder must demonstrate the following:
x The perpetrator misrepresented or concealed a material fact.
x The perpetrator knew the representation was false.
x The perpetrator intended the victim to rely on the falsity.

x The victim relied on the misrepresentation.
x The victim was damaged by his reliance on the misrepresentation.
Fraud Symptoms and Indicators

Theft is evidenced by something’s disappearance. By contrast, most instances of fraud and
embezzlement leave only symptoms or indicators that it might have occurred. Recognizing
these indicators or red flags is important for security practitioners.
The opportunity for fraud is generally created through the absence or weakness of internal
controls. Knowledge of situational pressures and symptoms of fraud also provides the
security professional with insights for preventing frauds. The following are several categories
of such warning signs:
Employee Situational Red Flags

x high personal debts (medical, gambling, excessive speculation in the stock market, etc.)
x poor credit rating or other financial difficulties
x living beyond one’s means
x excessive use of alcohol or drugs
x perceived inequities (being passed over for promotion, receiving low pay, facing
pressure to accomplish unrealistic goals, etc.)

x previous convictions for fraud or related trust violations

x low moral character
x compulsive behavior
Employee Opportunity Red Flags

x position of trust (which can extend significantly through the organization as a result of
employee empowerment and organizational flattening)
x significant knowledge of key operations
x easy rationalization of contradictory behavior
x close association with suppliers and contractors over a long period
x lax or remote supervision
Organization Situational Red Flags

x costs rising faster than revenues (profit squeeze)
x significantly aged or excess inventories
x extremely rapid expansion of overall business or particular lines of business
x constantly operating in a crisis mode
x unrealistic sales quotas or revenue targets
x significant cash flow problems
x history of corruption in the company’s industry
x stiff competition from other companies
x outdating of the company’s products or services
x high rate of turnover among key financial positions
Organization Opportunity Red Flags

x dominant, hierarchical, and secretive management styles
x unethical management models
x exploitation, abuse, and poor management of employees
x lack of employee training on the relationship between security and business success
x lax enforcement of internal controls
x heavy investments or losses
x line supervisors’ failure to develop an effective loss-prevention environment
x urgent need for favorable earnings
x poor accounting records
x lack of separation of responsibility for ordering and receiving
x numerous instances of related-party transactions
x complex organizational structures
x numerous unexplained or undocumented transactions
x frequent turnover among key financial personnel or outside auditors or lawyers
x lack of formal controls and mechanisms for accountability
x domination of operating and financial decisions by a single person
x failure to establish, communicate, or enforce a code of business conduct

6.4 Scope of the Problem
6.3.2 SARBANES-OXLEY ACT

In the United States, the Sarbanes-Oxley Act (formally known as the Public Company
Accounting Reform and Investor Protection Act of 2002) became law on July 30, 2002. This
landmark legislation was passed in response to accounting scandals at public companies in
st
the late 1990s and first years of the 21 century. In the Enron case alone, more than $60
billion in shareholder value was lost and more than 5,000 jobs eliminated. The legislation
establishes new and enhanced accounting standards and business practices for all U.S.
public companies, their boards, and the public accounting firms that serve them. Among
other provisions, SOX (as the law is commonly called) requires CEOs to certify the accuracy
of their organization’s financial statements and imposes stiff penalties for those who commit
fraud and make material misrepresentations to the public with the intent to obtain financial
gain through false or misleading statements.
The requirement to improve internal controls and provide more transparency has not been
without cost. SOX compliance (particularly with Section 404) significantly burdens companies’
officers and boards and imposes both civil and criminal penalties on violators. Whether those
burdens are worthwhile remains to be seen, given the limited effect of internal controls on
detecting fraud and the importance of open communication and setting the tone at the top
(ACFE, 2004).
6.4 SCOPE OF THE PROBLEM

Almost anything of value may be stolen, given someone’s desire and opportunity. However,
some departments or functions in a company are much more prone to theft or fraud than
others. Figure 6-2 shows some of the more common theft and fraud targets and methods.
6.4.1 ESTABLISHING A MODEL PREVENTION PROGRAM

To prevent theft and fraud, organizations must move from a reactive to a proactive
approach. The following is the process most companies follow, usually by default, when theft
losses are identified (Albrecht, 1994, pp. 28-34):
x An incident of theft or fraud is discovered.

x Investigative resources are identified and an investigation is initiated.
x Action is taken based on the results of the investigation.
x The issue is resolved by temporarily tightening controls, replacing terminated

employees, etc.

Once the incident has been resolved, an organization usually slips back into a state of
acceptance, and any control procedures or processes that were implemented lose their
urgency. Should another problem occur, the organization simply follows the same model
and shifts into action to resolve that incident.
FUNCTION LOSS SCENARIO
Accounting Theft of cash, altering bank deposits, fictitious accounts payable, unauthorized
cancellation or reduction of accounts receivable, use of company checks to pay
personal bills, false expenditures, lapping,1 kiting,2 conversion,3 and continually
restating income and expense items.
Purchasing Dummy suppliers, fictitious purchase orders, overstated prices and kickbacks from
vendors, bid rigging, personal work completed by contractors for inflated invoices,
and payment of duplicate invoices.
Payroll Ghost employees on the payroll, increasing hours paid but not worked, increasing
salaries without proper authorization, and theft of cash.
Warehousing and Theft of damaged goods, alteration or elimination of records of accountability, theft
Distribution of inventory, shipment of product to fictitious customers, falsified customer returns,
short-shipment of product, falsification of damaged goods reports, and falsification
of raw materials receipts.
Manufacturing Exaggerated breakage reports, understated manufacturing reports, diversion of

product, falsified quality assurance reports, acceptance of inferior manufacturing
materials for kickbacks, running unauthorized manufacturing shifts and diverting
product, unauthorized sale of scrap materials, and theft of tools.
Computer Operations False vendor/supplier/contractor invoices, false refund or credit claims, altered or
eliminated transactions, misdirected electronic funds transfers, and ghost
employees on the payroll.
Cashier Operations Theft of cash, diverting or eliminating cash receipts, also known as “skimming,”
and unauthorized or forged vouchers for petty cash.
Other Common Losses Inflated expense reports, submission of redeemed travel tickets for reimburse-
ment, use of higher-cost travel tickets to increase personal frequent traveler
awards, and theft of office supplies.
1. Lapping is the pocketing of small amounts from incoming invoice payments and then applying subsequent payment to cover the
missing cash from the previous invoice, and so on.
2. Kiting is any sort of fraud that involves drawing out money from a bank account that does not have sufficient funds to cover the
check.
3. Conversion is a term used for the receiving of money or property and fraudulently withholding or applying it for one’s own use.
Figure 6-2
Common Targets and Methods of Theft and Fraud

A more complete model for dealing with theft and fraud is shown in Figure 6-3. This model is
based on strong collaboration among staff and key stakeholders. Such collaboration requires
a clear delineation of roles and responsibilities between security, human resources, legal,
communications (both internal and external), facilities management, and affected line
managers.
Figure 6-3
Comprehensive Model of Theft and Fraud
Prevention, Investigation, and Program Testing

The 10 elements of the comprehensive model are explained below.
Element 1: Prevention Programs

These programs are designed to teach management and employees about the nature, types,
and most vulnerable areas of losses in the organization. Components of prevention
education include the following:
x a process for screening all applicants for past trust violations
x written policies describing prohibited activities and the actions required if violations
are observed
x setting up shipping, receiving, and warehousing as individual departments
x specific accountability systems for each vulnerable department (presented to the
relevant department manager)
x a code of business conduct that is communicated to employees, vendors, and customers
x proper accounting practices that record all the financial transactions of the business
x a clear separation of duties that limits the accessibility to key information that would
allow an accounting individual to make changes in master files without someone
knowing it
x periodic employee communications that include case histories (free of names and
certain other details) demonstrating company vulnerabilities and management actions
against those who commit theft or fraud
x theft and fraud prevention training for employees (for example, teaching retail clerks
that they can reduce shoplifting by greeting each customer and making eye contact)
x several clearly communicated avenues for employees to report concerns (for example,
to line management, security, internal audit, or an anonymous incident reporting
system)
x frequent audits and security reviews of high-value inventory and operations
Element 2: Incident
An indicator of the effectiveness of prevention efforts is the quick and accurate reporting of
suspected thefts and fraud. Regardless of a program’s effectiveness, incidents will still occur.
The key is to ensure that incidents are reported as soon as they are suspected—perhaps with
an anonymous incident reporting system.
Element 3: Incident Reporting

Employees should be encouraged to report theft and fraud even without a monetary reward.
Fostering a culture of integrity and honesty is the best practice. The most ethical
organizations (and the most successful) regularly and passionately reward employees with
recognition and gratitude.

Element 4: Investigation
Investigations are more successful when investigative roles and responsibilities are clearly
defined. Whether conducting an internal compliance investigation, to determine if there is a
possible violation of company policy, or an actual internal theft incident, the investigator
needs to have clear guidelines on what he or she is expected to accomplish. An investigator’s
objective is to obtain information and evidence so that it can be presented in a factual final
report so senior management can take appropriate action. The main objective of any
preliminary investigation is to determine what crime or violation exists. Under most
circumstances internal thefts and fraud investigations are conducted by in-house or private
contractors and not by law enforcement. During this investigation the investigators should
interview complainants, witnesses, and any suspects, determine whether any evidence is
available to support the allegation, and prepare a report of the facts to be presented to senior
management or in-house counsel. The investigator may also need the assistance of a
financial specialist, such as a CPA, to conduct a fraud audit so that the financial transaction
process can be reconstructed to determine how the theft occurred.
Element 5: Action
This element refers to taking action based on a fair and impartial review of the facts
determined by a thorough investigation. Taking immediate action against theft and fraud
perpetrators is one of the strongest deterrents to future losses. If employees clearly
understand that their actions may put their jobs at risk and lead to criminal prosecution,
only the most determined risk-takers will break the rules.
Element 6: Resolution
Resolution of the case may include determining the appropriate discipline for guilty employ-
ees, estimating the actual loss, reporting the loss to an insurance carrier, and performing
other steps to close the investigation and obtain a recovery. Although discipline and
prosecution can be effective deterrents, nothing makes a point like the payment of
restitution by the perpetrator. In some instances, perpetrators can be made to pay not only
restitution but also the costs associated with the investigation. Even if the perpetrator must
pay installments over a long period, recovery of the loss and the cost of the investigation is
rewarding.
Element 7: Analysis
The concern here is how and why the loss occurred—in other words, the dynamics involved
from a human and control standpoint. Keeping in mind that the most common motivation
for an individual to commit an internal theft is one of economics or profit, the analysis also
has to consider the cost-effective steps that can be taken to prevent recurrences. How much
money should be spent on prevention versus the potential loss? In major incidents or
recurring patterns of losses, human resources, internal audit, finance, and other staff
functions can play a significant role in determining how to prevent future losses. Security
professionals should also maintain files detailing the theft or fraud method for future
awareness training.

6.5 Dangers of Undetected Theft and Fraud
Element 8: Publication
Organizations can use newsletters or bulletins to inform employees of incidents and their
resolution and show how the security organization provides value to the company. However,
naming names and publishing the details of incidents that have not been prosecuted may
constitute defamation and could be civilly actionable. A company that intends to publicize
the results of an investigation should first obtain the advice of an attorney.
Element 9: Implementation of Controls

Additional controls may prevent future thefts. For example, a company might add locking
devices on high-value inventory or require more senior authorizations for certain levels of
purchase orders. Controls must be cost-effective and based on a solid analysis of the loss.
Little is gained if new controls simply add costs or bureaucracy.
Element 10: Compliance Testing and Training

The final element consists of periodic testing or auditing for compliance with existing
controls, such as reviewing expense accounts. Such testing can be achieved through audits
(by internal or external auditors), security reviews by the company’s security department, or,
as a last resort, the use of undercover operations.
6.5 DANGERS OF UNDETECTED THEFT AND FRAUD

Financial losses due to specific incidents are not the only consequence of undetected theft
and fraud. Organizations may become complacent to ongoing losses and even build them
into their standards or expectations. For example, companies establish an allowable negative
variance between the book count and actual count of various items in stock or inventory.
Theft and fraud losses are often hidden in the negative variance and are not discovered
because they are below the allowable variance. Over time, this negative variance may grow,
presenting the opportunity for significant cumulative losses.
In addition, when thefts or frauds go undetected, the victim business cannot recover the loss
through insurance or by treating the loss as a tax deduction. Losses also affect employee
morale, shareholder value, and public confidence in an organization. Few risks have such
far-reaching consequences, yet are so preventable.
Given employees’ perceived pressures and their ability to rationalize theft and fraud, losses
from these crimes will continue to be significant. Organizations that are unprepared or have
not implemented a comprehensive theft and fraud prevention program will incur even
greater losses. Security professionals should thus give priority to the prevention of theft and
fraud in their overall loss prevention strategy.

Appendix A: Flowcharts
APPENDIX A
FLOWCHARTS
The following flowcharts suggest controls that can be adopted to discourage dishonesty in a
variety of functional areas. They are taken from How to Reduce Embezzlement Losses (New York,
NY: Royal-Globe Insurance Company) and are used with permission.
GENERAL
A BANK DEPOSITS
INCOMING FUNDS
FROM ALL SOURCES
RECORD OF
CASH
FUNDS
AND
RECEIVED
CHECKS
EMPLOYEE RECONCILING
RECORD
EMPLOYEE MAKING DEPOSIT RECORDS AND
OF
UP BANK DEPOSIT DEPOSIT INCOMING FUNDS
RECORDS
CASH AND CHECKS DUPLICATE

DEPOSIT SLIPS
DUPLICATE
DEPOSIT
EMPLOYEE OPENING
BANK
SLIP INCOMING MAIL

GENERAL
B INCOMING MAIL
EMPLOYEE OPENING
INCOMING MAIL
CANCELED RECORD OF RECORD OF

REMITTANCES
CHECKS REMITTANCES REMITTANCES
EMPLOYEE ACCOUNTS
RECONCILING RECEIVABLE
UP BANK DEPOSIT INCOMING FUNDS
BANK STATEMENT DEPARTMENT
RECORDS
C SECURITIES
OFFICERS HAVING
ACCESS PROCEEDS EMPLOYEE MAKING
SAFE DEPOSIT BOX ACCESS TO
FROM SALE UP BANK DEPOSIT
SECURITIES
LIST OF
SECURITIES
PURCHASED
CHECK
SIGNERS
LIST OF LIST OF
SECURITIES SECURITIES
PURCHASED WITHDRAWN
EMPLOYEE MAINTAINING
LIST OF
BANK STATEMENT
SECURITIES OWNED
COPY OF
PHYSICAL APPROVAL OF
VERIFICATION SALE
OFFICER COPY OF
DEPOSIT RECORDS AND
CHECKING APPROVAL
OF SALE INCOMING FUNDS
SECURITIES
RECORDS

INCOMING FUNDS – GENERAL
A CENTRAL CASHIER AND CREDIT APPROVAL BY OFFICER
CREDIT OR
DISCOUNT
APPROVING
CUSTOMER
REQUEST OFFICER
CASH
ORIGINAL
ORDER
SALES FORM
APPROVAL
CENTRAL COPY OF SALES

CASHIER SALES FORM CLERK
COPY OF COPY OF
CASH
SALES FORM SALES FORM
COPY OF ACCOUNTS
EMPLOYEE MAKING DEPOSIT RECORDS AND CREDIT RECEIVABLE
UP BANK DEPOSIT INCOMING FUNDS SALES FORM DEPARTMENT
RECORDS
See Incoming Funds Credit for questions leading to completion of credit portion of this diagram
B CENTRAL CASHIER BUT NO CREDIT APPROVAL BY OFFICER
CUSTOMER
CASH ORIGINAL ORDER

SALES FORM
CENTRAL COPY OF SALES

CASHIER SALES FORM CLERK
COPY OF COPY OF
CASH SALES FORM SALES FORM
COPY OF ACCOUNTS
CREDIT RECEIVABLE
UP BANK DEPOSIT INCOMING FUNDS SALES FORM DEPARTMENT
RECORDS

INCOMING FUNDS – GENERAL
C MAIL ORDERS
CUSTOMER
ORDER
EMPLOYEE OPENING
INCOMING MAIL
CUSTOMERS
REQUEST
APPROVING
FOR CREDIT
OFFICER
RECORD OF ORDER
SHOWING AS
CASH OR CREDIT
ORDER SHOWING WRITTEN APPROVAL
CASH
AS CASH OR CREDIT OF
CREDIT REQUEST
ACCOUNTS
EMPLOYEE MAKING SHIPPING DEPOSIT RECORDS AND
RECEIVABLE
UP BANK DEPOSIT DEPARTMENT INCOMING FUNDS
DEPARTMENT
RECORDS
See Incoming Funds Credit for questions leading to completion of credit portion of this diagram
D ADMISSIONS
CASH
TICKET TICKET
CUSTOMER TICKET
SELLER COLLECTOR
TICKET
CASH VOIDED
TICKET
RECORDS

INCOMING FUNDS – RETAIL
A NO CENTRAL CASHIER BUT CREDIT APPROVAL BY OFFICER

CREDIT OR
APPROVING
CUSTOMER DISCOUNT
REQUEST OFFICER
CASH
SALES
WRITTEN
FORM
APPROVAL
CASHIER
OR
SALES CLERK
COPIES OF
TAPES OR
SALES SLIPS
CASH
EMPLOYEE
“BLEEDING”
REGISTERS
COPIES OF
TAPES OR
SALES SLIPS
COPIES OF ACCOUNTS
UP BANK DEPOSIT INCOMING FUNDS SALES SLIP DEPARTMENT
RECORDS
B NO CENTRAL CASHIER OR CREDIT APPROVAL BY OFFICER
CUSTOMER
CASH
SALES
FORM
CASHIER
OR
SALES CLERK
COPIES OF
TAPES OR
SALES SLIPS
CASH
EMPLOYEE
“BLEEDING”
REGISTERS
COPIES OF
TAPES OR
SALES SLIPS
EMPLOYEE RECONCILING COPIES OF ACCOUNTS

UP BANK DEPOSIT INCOMING FUNDS SALES SLIP
DEPARTMENT
RECORDS

INCOMING FUNDS – CREDIT
A PAYMENT BY MAIL
CUSTOMER
CREDIT REMITTANCE
REQUEST OR
COMPLAINT
APPROVING EMPLOYEE OPENING

COMPLAINT OFFICER
OFFICER INCOMING MAIL
WRITTEN BILLING
APPROVAL RECORD OF
REMITTANCE REMITTANCE
RECONCILIATION
SHIPPING DEPARTMENT RECORD ACCOUNTS
DEPOSIT RECORDS AND EMPLOYEE MAKING
OR OF RECEIVABLE
SALE INCOMING FUNDS UP BANK DEPOSIT
SALES CLERK DEPARTMENT
RECORDS
RECONCILIATION
B PAYMENT IN PERSON
CUSTOMER
PAYMENT RECEIPT
EMPLOYEE EMPLOYEE
ADVICE OF
RECEIVING PAYMENT
COMPLETING
PAYMENT RECEIPT
PAYMENT COPY OF
RECEIPT
ACCOUNTS
EMPLOYEE MAKING DEPOSIT RECORDS AND RECONCILIATION RECEIVABLE
DEPARTMENT
RECORDS
COMPLAINT AND CREDIT APPROVAL SHOULD REQUIRE SAME PROCEDURES DIAGRAMMED IN (A) ABOVE.

OUTGOING FUNDS – GENERAL
PURCHASING
DEPARTMENT
EVIDENCE
OF ADVICE
DEBT OF
PAYMENT
EVIDENCE OF DEBT ACCOUNTS

CHECK
PAYABLE
SIGNERS
ADVICE OF PAYMENT DEPARTMENT
COMPLETED CHECK
AND
EVIDENCE OF DEBT
EMPLOYEE
MAILING
CHECKS INITIALED
EVIDENCE
OF DEBT
EVIDENCE
CHECK
OF
DEBT
PAYEE
BANK STATEMENT
CANCELED
CHECK
CHECK
CANCELED
EMPLOYEE OPENING
BANK CHECK
INCOMING MAIL

OUTGOING FUNDS – PAYROLL
A CASH
EMPLOYEE
TIME CARDS OR OTHER PREPARING
EMPLOYMENT RECORDS PAYROLL
LIST LIST FOR
APPROVAL
EMPLOYEE CHECK
CHECK
CHECK CASHING BANK
SIGNERS
CHECK CASH
COPY OF CASH
LIST
EMPLOYEE
DISTRIBUTING
CANCELED
PAYROLL CHECK
CASH
ALL
EMPLOYEES
CANCELED EMPLOYEE OPENING
BANK ACCOUNT
CHECK INCOMING MAIL
STATEMENT
B CHECK
EMPLOYEE
TIME CARDS OR OTHER PREPARING
EMPLOYMENT RECORDS PAYROLL LIST FOR
LIST APPROVAL
CHECK
SIGNERS
CHECKS
COPY OF
LIST
EMPLOYEE
DISTRIBUTING
PAYROLL
CHECKS
ALL CHECKS BANK

EMPLOYEES
CANCELED
CHECKS
EMPLOYEE RECONCILING CANCELED EMPLOYEE OPENING

BANK STATEMENT CHECKS INCOMING MAIL

OUTGOING FUNDS – PETTY CASH
PERSON TO WHOM
EXPENDITURE
IS MADE
VOUCHERS CASH
OR
RECEIPTS
EMPLOYEE
EMPLOYEE DISBURSING CASH
AUTHORIZING AUTHORIZATION BANK
PETTY CASH CHECK
DISBURSEMENT
COPY OF
AUTHORIZATION
RECONCILIATION CHECK
REQUEST FOR
OF PETTY CASH
REPLENISHMENT
WITH RECORDS
CANCELED
CHECK
EMPLOYEE CHECKING CHECK

REQUEST FOR
PETTY CASH REPLENISHMENT
SIGNERS
COPY OF
AUTHORIZATION
EMPLOYEE RECON-
CILING
BANK STATEMENT

INVENTORY – PURCHASING
EMPLOYEE
MAKING
REQUEST
REQUEST
PURCHASING PURCHASE
ORDER
SUPPLIER
DEPARTMENT
COPY OF
PURCHASE
ORDER
COPY OF (Quantity Omitted)
PURCHASE MERCHANDISE
ORDER
NOTIFICATION
OF RECEIPT OF
MERCHANDISE
ACCOUNTS
RECEIVING
PAYABLE
DEPARTMENT
DEPARTMENT

INVENTORY – RECEIVING
A RECEIPT OF ORDERED MERCHANDISE

PURCHASING
DEPARTMENT
COPY OF
PURCHASE NOTIFICATION OF
ORDER RECEIPT OF
MERCHANDISE
NOTIFICATION OF
RECEIVING RECEIPT OF
ACCOUNTS PAYABLE
DEPARTMENT MERCHANDISE DEPARTMENT
B REFUNDS
CUSTOMER
MERCHANDISE
CHECK
EMPLOYEE
COPY OF CHECK
AUTHORIZING AUTHORIZATION SIGNERS
REFUNDS
COPY OF
AUTHORIZATION MERCHANDISE
(CREDIT ONLY)
ADVICES OF
REFUND
ACCOUNTS
RECEIVING
RECEIVABLE
DEPARTMENT
DEPARTMENT
NOTIFICATION OF RECEIPT
OF MERCHANDISE
RECONCILATION
(CREDIT ONLY)
PERPETUAL RECONCILATION EMPLOYEE RECONCILING

INVENTORY (CASH ONLY) BANK STATEMENT
PERSONNEL
C WAREHOUSE RECEIPTS - ISSUANCE
REQUEST FOR
EMPLOYEE CONTROLLING WAREHOUSE RECEIPT
EMPLOYEE ISSUING WAREHOUSE
UNISSUED RECEIPT CUSTOMER
WAREHOUSE WAREHOUSE RECEIPTS
WAREHOUSE RECEIPTS
RECEIPT
SIGNED COPY OF
REQUEST FOR MERCHANDISE
WAREHOUSE RECEIPT
WAREHOUSE RECEIPT
PERPETUAL
RECEIVING
INVENTORY
DEPARTMENT
PERSONNEL

INVENTORY – STOCK IN STORAGE AND WITHDRAWALS
A INVENTORY AND WITHDRAWAL PROCEDURES
EMPLOYEE COPY OF
PERPETUAL
TAKING INVENTORY INVENTORY
INVENTORY PERSONNEL
PHYSICAL COPY OF
REQUEST FOR
INVENTORY REQUEST FOR
WITHDRAWAL
PROCEDURE WITHDRAWAL
REQUEST FOR
INVENTORY WITHDRAWAL ALL
STORAGE DEPARTMENTS
MERCHANDISE
B WAREHOUSE RECEIPTS - REDEMPTION
WAREHOUSE HOLDER OF
OFFICER RECEIPT WAREHOUSE RECEIPT
CANCELED
WRITTEN
WAREHOUSE MERCHANDISE
AUTHORIZATION
RECEIPT
PERPETUAL ADVICE OF
RELEASE OF
INVENTORY
INVENTORY
MERCHANDISE STORAGE
PERSONNEL

INVENTORY – MANUFACTURED GOODS
EMPLOYEE
TAKING
INVENTORY
INVENTORY INVENTORY
PROCEDURE INVENTORY PROCEDURE
PROCEDURE
DEPARTMENT FORWARDED DEPARTMENT FORWARDED DEPARTMENT

A MERCHANDISE B MERCHANDISE C
COPIES OF FORMS
SHOWING FORWARDED
MERCHANDISE
EMPLOYEE HAVING
NO ACCESS TO
INVENTORY
RECORDS OF
WITHDRAWALS, SCRAP
MATERIALS AND
INVENTORY FOR
RECONCILIATION

INVENTORY – SHIPPING
A DELIVERIES TO CUSTOMER
CUSTOMER
ORDER
RETURNED
MERCHANDISE
SALES MERCHANDISE
PERSONNEL
ORDER
SHIPPING MERCHANDISE
DELIVERY
DEPARTMENT MEDIUM
RECORD OF
SHIPMENT LIST OF LOADED
AND RETURNED
MERCHANDISE
ACCOUNTS PERPETUAL DELIVERY

RECONCILIATION RECEIPTS
RECEIVABLE OF RECORDS
INVENTORY
DEPARTMENT PERSONNEL
LIST OF
RETURNED
RECORD OF MERCHANDISE
RECORD OF RETURNED
RETURNED MERCHANDISE
MERCHANDISE
INVENTORY EMPLOYEE
RETURNED
STORAGE CHECKING RETURNED
MERCHANDISE
AREA MERCHANDISE
B RETURNS TO SUPPLIERS
SHIPPING RETURNED DELIVERY RETURNED

MERCHANDISE MERCHANDISE SUPPLIER
DEPARTMENT MEDIUM
RECORD OF
SHIPMENT
ACCOUNTS PERPETUAL
PAYABLE RECONCILIATION INVENTORY
DEPARTMENT PERSONNEL

OUTSIDE EMPLOYEES
A SALESMAN
OFFICER
CREDIT
CUSTOMER ORDER SALESMAN REQUEST
APPROVING
CREDIT
PAYMENT
COPY OF COPY OF COPY OF COPY OF

EMPLOYEE OPENING CREDIT
ORDER ORDER ORDER
INCOMING MAIL (CREDIT) APPROVAL
RECORD OF
PAYMENT
ACCOUNTS
DEPOSIT RECORDS AND
RECEIVABLE
INCOMING FUNDS
DEPARTMENT
RECORDS
SHIPPING
DEPARTMENT
RECONCILIATION
PAYMENT
EMPLOYEE MAKING
UP BANK DEPOSIT
B COLLECTOR
COLLECTIONS
ACCOUNTS TO BE MADE PAYMENT
EMPLOYEE MAKING
RECEIVABLE COLLECTOR
RECORD OF UP BANK DEPOSIT
DEPARTMENT
COLLECTIONS
COLLECTION
REQUEST PAYMENT
SPOT
CHECK
VERIFICATION
CUSTOMER
RECORD
OF
RECONCILATION COLLECTION
DEPOSIT RECORDS AND
INCOMING FUNDS
RECORDS

C SALESMAN - COLLECTOR - DELIVERYMAN
OFFICER
APPROVING
CREDIT
ADVICE OF ADVICE OF
CREDIT CREDIT
APPROVAL APPROVAL
LOADED
EMPLOYEE CHECKING MERCHANDISE ACCOUNTS
LOADED AND RETURNED S-C-D RECEIVABLE
MERCHANDISE RETURNED DEPARTMENT
MERCHANDISE
AND SALES FORMS
CASH
LIST OF LIST OF
LOADED & RETURNED LOADED & RETURNED
MERCHANDISE MERCHANDISE
SALES
FORMS PERPETUAL EMPLOYEE ADVICE OF
INVENTORY MAKING UP BANK ITEMS DELIVERED
PERSONNEL DEPOSITS ON CREDIT
DEPOSIT AND INCOMING
FUNDS RECORDS

RETAIL – MISCELLANEOUS
A COUPONS
COUPONS EMPLOYEE
LOCKED
CASHIER COUPONS COLLECTING
BOX
COUPONS COUPONS
RECORD OF RECORD OF
VALUE VALUE COUPONS
OF COUPONS OF COUPONS
ACCOUNTS
RECONCILIATION DEPOSIT RECORDS AND
RECEIVABLE SAFE
INCOMING FUNDS
DEPARTMENT
RECORDS
ADVICE OF EMPLOYEE
PHYSICAL
COUPONS CHECKING COUNT
ON HAND COUPONS
ADVICE OF EMPLOYEE SENDING

COUPONS COUPONS COUPONS
ON HAND TO SUPPLIERS
B TRADING STAMPS
EMPLOYEE OPENING
INCOMING MAIL
TRADING
STAMPS
RECEIVING TRADING
STAMPS SAFE
DEPARTMENT
PHYSICAL
COUNT
EMPLOYEE CHECKING
TRADING STAMPS
RECORD OF
PHYSICAL
COUNT
PERPETUAL
DEPOSIT RECORDS AND
INVENTORY RECONCILIATION
INCOMING FUNDS
PERSONNEL
RECORDS

Appendix B: 50 Honest Truths About Employee Dishonesty
APPENDIX B
50 HONEST TRUTHS ABOUT EMPLOYEE DISHONESTY

The following was developed by Steven Kirby, CFE, Kirby and Associates, and is used with
permission.
THE EMPLOYEE AND YOUR COMPANY

1. Employers can create an atmosphere that fosters honesty—or dishonesty—by the way
they conduct business.
2. If you ask an employee to steal for you, don’t be surprised when he steals from you.
3. Theft is the ultimate sign of employee disrespect towards you and your organization.
That disrespect is usually predictable, based upon prior behavior.
4. Employees involved in theft have usually been involved in other prior misconduct at the
company.
5. Employee theft is far more costly to the organization than just the value of the goods
stolen.
6. The employee who steals is more insidious than the outsider because that employee
violated your trust.
7. No employee who steals is a “good employee”—no matter how hard he or she otherwise
works.
8. Tenure is not an insurance against theft.
PSYCHOLOGY OF EMPLOYEE THEFT

9. Need and opportunity are critical elements for theft to occur.
10. Need can be very superficial and at times difficult to understand.
11. An employee’s ethical makeup will temper the temptation to steal.
12. Virtually every employee who steals has rationalized his or her dishonesty.
13. Most employees wouldn’t steal if they couldn’t rationalize.
14. Employees who steal believe that everyone steals and that most steal more than they do,
no matter how much they have actually stolen.

15. Employees who steal from you do not consider themselves dishonest. They prefer to
think you are somehow responsible.
16. A thief learns to lie before he learns to steal.
TOLERANCE OF THEFT
17. No theft, no matter how minor, should be tolerated or ignored.
18. Theft is like a cancer—if left untreated it will continue to grow and spread.
19. Employees who know of unreported theft are as bad as the thief.
20. Very unfortunately, most employees mistake kindness for weakness.
21. Most employees appreciate a second chance—to steal from you again.
DETECTION AND PREVENTION

22. No one ever gets caught the first time.
23. The employee who is closest to the loss (that is the one with the most access) is usually
the one who did it.
24. Be careful of the employee who discovered the loss.
25. When the person’s explanation sounds suspicious, be suspicious.
26. Your so-called sixth sense is usually pretty accurate (it’s actually a consolidation of all
your senses), so trust it.
27. Employees who deny guilt, but are willing to make restitution, are guilty.
28. When a number of employees suspect one person, there’s usually a pretty good reason.
CONTROLS OVER THEFT

29. Virtually every theft or fraud could have been prevented by better management.
30. Nothing you own is immune from theft, and no business is theft- or fraud-proof.
31. Most businesses are loath to install controls to prevent theft and fraud; the failure to do
so is itself a result of rationalization and denial.
32. For some reason, companies are more eager to detect theft after the fact than to prevent
it from happening, even though it is much cheaper to prevent it in the first place.

33. The best way to avoid employee theft is not to hire a thief.
34. The best way not to hire a thief is to investigate a potential employee’s background.
35. If a person has stolen from a previous employer, is it reasonable thinking he won’t steal
from you?
36. Constant and eclectic vigilance is required to prevent theft; there is no silver bullet.
37. Isolating the responsibility is a critical theft prevention concept.
38. Never let an employee be his or her own check and balance.
39. Asset protection is in everyone’s job description.
40. Effective security measures are not oppressive or burdensome. They go with the flow of
operation.
41. Asset protection is an insurance. The cost should be weighed against the risk.
CRIME AND PUNISHMENT

42. There is no perfect resolution. Each case must be considered independently for the most
just and intelligent disposition.
43. You cannot rely on the criminal justice system to protect your assets, investigate theft, or
bring the culprit to justice.
44. The deterrent effect of any punishment is far shorter than you can imagine.
45. If you want to understand the physics of a black hole, bring your employee theft or fraud
case to the typical big city court.
46. The employee who says he is sorry usually is—sorry to have been caught.
47. The employee who is remorseful today will be spiteful tomorrow.
48. If the only punishment the employee receives is termination, the proceeds of his theft are
his golden parachute.
49. If the dishonest employee offers to resign, accept it and avoid the urge to be vindictive.
50. Of the three “shuns” (termination, prosecution, and restitution), restitution, while the
most difficult, does the victim the most good.

References/Additional Reading
REFERENCES
Albrecht. W. S., McDermott, E. A., & Williams, T. L. (1994, February). How companies can reduce
the cost of fraud. The Internal Auditor, pp. 28–34.
Association of Certified Fraud Examiners. (2004). Report to the Nation 2004. Available: http://
www.acfe.com/documents/2004RttN.pdf [2006, October 17].
Bologna, J., & Shaw, P. (1996). Corporate crime investigation. Boston: Butterworth-Heinemann.
Hollinger, R. C., & Clark, J. P. (1982). Formal and social controls of employee deviance. Sociological
Quarterly, 23, 333–343.
Ferraro, E. F. (2006). Investigations in the workplace. New York, NY: Auerbach Publications.
KPMG International. (2003). KPMG forensic fraud survey 2003. Available: http://www.kpmg.com/
aci/surveys.asp#fraud03 (2006, January 12].
Hart, K. M. (2004). Employee theft. Posted on New Jersey Law Blog. Available: http://www.
njlawblog.com/corporate-investigations-white-collar-employee-theft.html [2006, September 12].
Shoplifters Alternative. (2002). 2002 shoplifters survey. Jericho, NY: National Association for
Shoplifting Prevention.
Wells, J. T. (1997). Occupational fraud and abuse. Austin, TX: Obsidian Publishing.
ADDITIONAL READING
Albrecht, W. S., Romney, M. B., Cherrington, D. J., et al. (1982). How to detect and prevent business
fraud. Englewood Cliffs, NJ: Prentice-Hall.
Albrecht, W. S., Wernz, G., & Williams, T. L. (1995). Fraud: Bringing light to the dark side of
business. Burr Ridge, IL: Irwin Professional Publishing Co.
Bettencourt, K. C. (1990). Theft and drugs in the workplace. Saratoga, CA: R&E Publishers.
rd
Fennelly, L. J. (1996). Handbook of loss prevention and crime prevention (3 ed.). Woburn, MA:
Ferraro, E. F. (2000). Undercover investigations in the workplace. Woburn, MA: Butterworth-

Heinemann.
th
Fischer, R. J., & Green, G. (1998). Introduction to security (6 ed.). Woburn, MA: Butterworth-
Heinemann.

Green, G. S. (1996). Occupational crime. Chicago: Burnham, Inc.
Healy, R., & Walsh, T. J. (1981). Principles of security management. New Rochelle, NY: Professional
Publications.
nd
Rusting, R. R. (1987). Theft in hospitals and nursing homes (2 ed.). Port Washington, NY: Rusting
Publications.
Snyder, N. H., Broome, O. W., Kehoe, W. J., Mcintyre, J. T., Jr., & Blair, K. E. (1991). Reducing
employee theft. New York, NY: Quorum Books.

CHAPTER 7
PRIVATE POLICING IN
PUBLIC ENVIRONMENTS
7.1 INTRODUCTION
This chapter examines private security operations in the public realm. Specifically, that
realm includes streets, municipal parks, business districts, residential communities, and
other areas frequented by the public without any meaningful access restrictions. The public
realm also includes critical infrastructures. The areas discussed are also routinely patrolled
by municipal police departments. Private policing in public environments raises a number of
important considerations, including political, operational, legal, ethical, and societal
implications.
A few caveats are in order:
x First, this work in no way advocates the elimination, or even the diminishment, of
public policing agencies. Indeed, it illustrates that the expansion of security personnel
into the public realm is due to forces outside the control of policing agencies. The
growth of private police is not a reflection of poor public policing.
x Second, the use of private police is designed to supplement already overworked, and
often understaffed, law enforcement agencies. The work of public and private police
should be viewed as a division of labor.
x Third, private policing has certain market-based benefits compared to government-

based policing. The widespread introduction of private police serves the interests of
more highly trained law enforcement officers, as well as the community—or the
client—they serve.

PRIVATE POLICING IN PUBLIC ENVIRONMENTS
7.1 Introduction
A way to conceptualize this arrangement is to view it in light of other professions. Perhaps

three decades ago, the introduction of paralegals and paramedics created controversy in
their respective professions. The legal bar worried about lowering the value of the licensed
attorney. Doctors worried about the quality of medical services their clients would receive
from medical paraprofessionals. Today, however, the importance of paraprofessionals in
those fields is self-evident. In this sense, private police can be considered “para-police”
(McLeod, 2002).
As security professionals know, the provision of security and public safety services is not the
exclusive domain of government. Indeed, the majority of persons charged with security and
public safety services are employed by private firms. Of course, this does not minimize the
substantial role that public police officers contribute to public safety. The point is that
security and public safety are not exclusive to government.
Though commonly accepted within the security profession, the introduction of private
police into the public domain may cause some people concern or even alarm. This is
understandable, particularly in Western countries. Most contemporary observers view police
agencies as “normal,” as if their use was the natural state of law enforcement. It is not. Public
policing is a rather new phenomenon. When the first police department was organized by Sir
Robert Peel in London in 1829, many people viewed that change with concern or alarm. The
introduction of private policing can be viewed as going back to the future, in which private
citizens contribute more time and effort to the safety and security of their communities.
7.1.1 HISTORICAL PERSPECTIVES

The history of policing can be summarized in terms of one overriding human need: survival.
The security of the individual, the family, the community, and the nation state are all tied to
this basic need. Indeed, in his famous hierarchy of needs, Abraham Maslow classifies
security as a second tier need, just above food, clothing, and shelter (Robbins, 2003; Pastor,
2006). Given the importance of security, it is understandable that people have developed
various mechanisms to gain it.
For centuries, people in the community acted as “security” within the community. The job
of security was not even a job. There was no police department to call. Instead, it was the
duty of all able-bodied men to protect their homes and their community (Pastor, 2003).
Thus, the people acted in self-defense or in defense of their community. Viewed in this
manner, security has historically been the province of the people. This assertion was even
reflected in one of Peel’s guiding principles: the people are the police, the police are the
people (Oliver, 2004; Pastor, 2006).

7.1 Introduction
Before the formation of public policing agencies, self-help and self-protection were
considered the foundations of law enforcement and public order (Pastor, 2003; Nemeth,
1989; Shearing & Stenning, 1983). Kings were primarily concerned with conducting warfare,
not enforcing domestic tranquility. That arrangement changed when the enforcement of the
law—or, in broader terms, the justice process—was seen as a cash cow (Pastor, 2003;
Reynolds, 1994; Benson, 1990). This realization facilitated the expansion of government’s
role into the internal justice process through the expansion of the king’s peace. The king’s
peace, in essence, equated to law and order (Pastor, 2006).
As the power of the king evolved, many offenses previously regarded as intentional torts
(wrongs subject to civil tort law) became crimes against the king’s peace (Pastor, 2003;
Johnston, 1992). The change from a tort-centered to a crime-centered system inevitably
affected people who were to be compensated for the injury caused by the act (i.e., tort or
crime). Often victims desired crimes to be viewed as civil torts so they could collect financial
compensation (Pastor, 2003). Conversely, the king had an incentive to declare an act a crime
in order to derive a financial benefit. If the act was declared a crime, the king could
confiscate the criminal’s property and inflict corporal or capital punishment (Johnston,
1992). With these incentives, over time arson, robbery, murder, and other felonious and
violent actions were declared to be crimes (Reynolds, 1994).
The ever-increasing expansion of the criminal law was not without justification. Some
believed it would reduce retribution by private citizens, as well as provide legitimate
sanctions by the government (Pastor, 2003; Nemeth, 1989; Benson, 1990). State sanctioning
of criminals removed the need for the victim (or his or her family) to retaliate against the
offender. Instead, the state (or king) would avenge the harm done to the victim on behalf of
all the people. In return, crime prevention and control was also transferred to the king.
Many citizens were happy to transfer this duty because the costs, resources, and efforts
previously devoted to crime prevention and control would also transfer to the king (Pastor,
2003; Reynolds, 1994).
Notwithstanding this gradual transfer of retributive authority to the throne, the burden of
law and order rested on the citizenry for a large part of recorded history. To accomplish
crime control, towns were protected by citizens through the use of the “hue and cry”
(Pastor, 2003; Nemeth, 1989). Hue and cry was a call to order. When a hue and cry went
out, able-bodied men would lend assistance against criminals or criminal acts. This
ancient system of crime protection is remarkably similar to the “observe and report”
function of private security, absent the pursuit and capture of the criminal (Pastor, 2003).
The underlying purpose of observing and reporting is that the security officer should act as
a deterrent to crime. If a crime is observed, the security officer should gather information
about the criminal and the crime and then immediately report such to the public police.
This is deemed as being the eyes and ears of the police (Pastor, 2003).

7.1 Introduction
Over time, a more defined crime control system was established. This system, known as
“watch and ward,” was administered by “shire reeves,” who were appointed by the king
(Pastor, 2003; Nemeth, 1989). The shire reeves appointed constables to deal with various
legal matters. Both the shire reeve (later shortened to sheriff) and the constable became the
forerunners of modern sworn law enforcement officers (Pastor, 2003; Nemeth, 1989). This
system furthered the legitimacy of public officers in crime prevention and control with the
appointment of individuals directly accountable to the king (Pastor, 2006).
The emergence of public police was not without problems and detractors. Some argued that
a full-time police force was too expensive. Obviously, the traditional sheriff-watch method
was much cheaper since much of this protection involved unpaid private citizens (Warner,
1968; Pastor, 2006). Other concerns came from a deeper level, relating to philosophical or
political arguments against government having a monopoly on policing (Pastor, 2003; John-
ston, 1992; Miller, 1977). The typical criticism centered on fears of excessive police power
(Miller, 1977). To those with this mindset, the cop on the beat represented an “ominous
intrusion upon civil liberty” (Miller, 1977). To others, the desire for security overrode esoteric
constitutional provisions. The tension was between the need for security and the desire to
maintain constitutional protections. This same concern is often echoed today relative to
public policing and by some who oppose private policing (Pastor, 2003).
Finally, the notion of sovereignty was a powerful argument in favor of municipal policing
agencies. Since the medieval period, there has been a gradual tendency to limit the use of
power or coercion. It was widely believed that the “eye for an eye” retribution standards
caused much violence, if only in response to the initial violent act. Notwithstanding the
potential for deterrence, or even the justification of retribution, the notion that government
should be the exclusive arbitrator of violence had compelling logic. With this viewpoint,
government was in charge of retribution and attempted to limit the use of violence by private
individuals. In turn, government was increasingly saddled with the burden of controlling
crime and capturing and punishing criminals (Pastor, 2006).
As is illustrated by this brief historical perspective, private policing in public environments

is not new. It is a variation of an age-old principle: security is the province of the people. In
contemporary times, “the people” typically pay others for protection. Citizens pay taxes for
municipal policing, and clients pay contracted fees for security services from firms (Pastor,
2006). Both of these methods are contemporary norms. However, a new dynamic is
developing. When citizens hire security firms for protection within the public realm, the
approach reflects the “watch and ward” system common in historical times. A key question
follows from that approach: Is it appropriate for clients, who are citizens of a governmental
entity, to pay a private firm for public safety services? Stated another way, if public police
cannot or will not provide for one’s personal protection, is it wrong to pay a security firm to
do so? No reasonable person should deny this right of self-defense.

7.1 Introduction
Consequently, private policing is justified on historical and philosophical precepts. It is an

appropriate response to current socioeconomic, political, and policing operational factors
facing most countries, especially Western societies.
7.1.2 CONCEPTUAL PERSPECTIVES

When one considers the provision of public safety and security services, it is useful to think
in terms of location and provision. As Figure 7-1 shows, location may be private or public,
and provision is either a substitute or a supplement.
P R O V I S I O N
Substitute Supplement
x Corporate security x Corporate campuses
L O C A T I O N
Private x College campuses

x Gated communities
x Reminderville, Ohio x Marquette Park

x Sussex, New Jersey x Starrett City
Public
x Grand Central
x Center City District
Copyrighted by James F. Pastor, 2005. Used with permission.
Figure 7-1
Provision
In the Private/Substitute cell, the typical provision is that security personnel, either contract
or proprietary, provide the majority (if not all) of the security services. This does not mean
that public police officers do not or cannot enter into these private facilities and properties. It
simply means that public police do not routinely enter or patrol there. For example, public
police typically do not stand guard at the entrance to a manufacturing plant. Of course, if a
crime occurs, law enforcement personnel are often called to the private property. The cell is
not a complete substitute; however, it is largely a substitute, and for some firms it may be an
almost exclusive substitute. Consequently, this cell represents the norm in the security
industry.
In the Public/Substitute cell, the examples are the towns of Reminderville, Ohio, and Sussex,
New Jersey, which fired their police officers and hired security personnel in their place. The

7.1 Introduction
security officers patrolled the town, answered calls for service, took reports, and made
arrests. The private security personnel acted as a substitute for the public police. These
services were provided within the public domain as if the security officers were the police.
These highly unusual and controversial substitute arraignments were terminated after a
short period. Too many problematic issues are tied to such arrangements.
The last two cells, Private/Supplement and Public/Supplement, are the growth environments
for the security industry. In these cells, the focus is on supplementing or enhancing the public
safety already provided by policing agencies. For example, college campuses often feature
undefined or loosely defined boundaries between themselves and the larger community.
Since university or campus police are often vested with police powers, they can conduct
themselves and make arrests as do municipal police officers. Although the police powers
may be derived from government, if these university or campus police officers are employed
by a security firm, then this is an illustration of private policing. An even more common and
clear example occurs within gated residential communities and on corporate campuses. In
these environments, the typical provision of security services is from private firms.
As in the Private/Substitute cell, there is overlap between the service provision of public and
private entities. The overlap is much more pronounced in the Private/Supplement cell.
There the public police may regularly or semi-regularly patrol the gated community or a
college or corporate campus. The involvement of public police in these areas is usually more
than in the Private/Substitute areas but substantially less than in public streets, parks, and
the like (i.e., in the public realm). The provision of security services by private firms in this
cell (Private/Supplement) is already extensive.
The Public/Supplement cell, then, is the focus of this chapter. It is there that the greatest
opportunities for the security industry exist. This is also where most of the problems and
pitfalls reside.
The prospect for private policing is likely to grow substantially. Factors driving this growth
include the following:
x economic and operational issues

x crime (fear of crime) and terrorism
x order maintenance
Each factor increases the need for private policing in public environments. Many countries
in Europe, such as England and Sweden, are well into this transformation. For example,
Project Griffin, a program of London’s Metropolitan Police Service and the City of London
Police, has three components: training, communications, and the deployment of security
officers in the event of a major incident. The training is provided to security officers by the

7.1 Introduction
police. The communication methods include a “bridge call” every week, where the police
intelligence bureau updates security managers on current threats, recent crime trends, and
upcoming events. Deployment of security officers alongside police will occur in the event of
a major incident. To date, about 500 security officers have been trained for this deployment.
(More information is available at http://www.met.police.uk/projectgriffin and http://www.
cityoflondon.police.uk/CityPolice/Departments/CT/ProjectGriffin.)
Another European example was pioneered by the Sweden-based security firm Securitas,
which has provided a “time share” service to residential and commercial clients. This
concept provides patrol and other security services to numerous clients, who each pay a
proportionate share of the costs. In essence, the time share concept is similar to buying a
fractional share of a condo unit and gaining the right to use the unit for a proportionate
period per calendar year. This service is provided in public places in various European
locations, including Trondheim, Norway, where Securitas security officers patrol a business
district.
The use of private security personnel to provide services within public areas is illustrative of a
new policing model, which may be called public safety policing. This model is a blend of
public and private entities with a defined delegation of duties or functions. These duties or
functions can be considered a division of labor (Bayley & Shearing, 2001). This division of
labor should include a structural component that enables the entities to blend the delivery of
public safety services through operational and administrative processes.
7.1.3 PUBLIC/PRIVATE PARTNERSHIPS AND STATISTICS

For several decades, there has been a growing movement to foster better relations between
law enforcement and the security industry. Many of these relationships have been built on
individuals moving from one profession (usually law enforcement) to the other profession
(usually the security industry). Over time, many meaningful professional relationships devel-
oped as individuals interacted with their counterparts in the other industry.
Still, many people from both entities sensed that more formalized relations were necessary
to cope with growing crime and public safety concerns. The Law Enforcement Liaison
Council (LELC) and Private Security Services Council of ASIS International, along with the
Private Sector Liaison Committee of the International Association of Chiefs of Police (IACP)
and other significant associations, have set the stage for this transformation.
Innovations like Operation Cooperation have been instrumental in this development. Opera-
tion Cooperation is, in essence, a goal and a program. Its goal is to communicate certain
partnership models, where security and police work together to combat crime and deliver
public safety services. From a programmatic perspective, a group of law enforcement and

7.1 Introduction
security organizations together published a document, titled Operation Cooperation, that

outlines the history of public/private partnerships and advocates future cooperative work.
This professionally developed document describes some of the most effective public-private
policing partnerships. These include the Business/Law Enforcement Alliance (BLEA) in
California, the Area Police-Private Security Liaison Program (APPL) in New York City (now
NYPD Shield), and the Downtown Detroit Security Executive Council (DDSEC) in Michigan
(Operation Cooperation, 2000). These models act as a template from which additional partner-
ships can be developed.
The cause of law enforcement–private security partnerships gained additional support more
recently when the Office of Community Oriented Policing Services, U.S. Department of
Justice, funded production of three valuable resources: a video detailing successful
partnerships, Law Enforcement & Private Security: On the Job Together (2008); a major guide
called Operation Partnership: Trends and Practices in Law Enforcement and Private Security
Collaborations (2009); and a free, one-hour e-learning course on forming such partnerships,
Team Up: Action Planner for Police-Security Partnerships (2010). All three resources are
available online.
The time has come to institutionalize coordination and cooperation between security and
police personnel through structural and contractual relationships. The value of partnerships
is limited unless more concrete ties are developed between private security and public
police. Personal relationships can be fickle, and existing partnerships have not completely
broken down the barriers between the two groups of professionals. Attitudes and histories
often die hard, but the insidious motivations of terrorists necessitate the acceleration of
structural cooperation between security and policing (Simeone, 2006). The details of future
relationships have yet to be articulated, but enhanced structural coordination would not be
possible without the tireless efforts of the professionals who developed and built
foundational partnerships.
The transition from a partnership model to a structural model can be illustrated by various
statistical trends. For example, as a consequence of the September 11, 2001, terrorist attacks,
certain security firms predicted revenue growth in the range of 10 to 12 percent per year
(Perez, 2002). In September 2001, there were 104,000 security officers in New York City. By
October 2003, the number of security officers had risen to 127,006 (National Policy Summit,
2004). This level of growth is not atypical in the security industry. For example, in England
there are now about 333,600 security personnel, compared to only 150,000 in 1996 (Sarre,
2005). In South Africa, private security personnel outnumber public police by a ratio of 5 to 1
(Sarre, 2005). In addition, statistics in continental Europe reveal a substantial presence of
security personnel. Recent estimates reveal that there are approximately 530,000 security
personnel, Germany having the most (Prenzler, 2005). Similarly, Australia witnessed an

7.1 Introduction
increase in security personnel from 22,975 in 1986 to 34,854 in 2001, a 52 percent increase,
while police experienced only a 19 percent increase during the same period (Prenzler, 2005).
The growth of private security can be illustrated by two huge international firms that
dominate the security industry. Securitas had revenues of $5.8 billion with a net income of
$115.2 million in 2001 (Perez, 2002). Its revenues increased to $6.6 billion in 2005. The firm
employs 220,000 people worldwide, with 124,000 in the United States. Since 9/11, it has hired
about 10,000 more guards to serve U.S. accounts (Perez, 2002). Similarly, Group 4 Securicor,
a Danish firm, had 2001 revenues of $2.81 billion, with a net income of $3.7 million (Perez,
2002). This firm employs 58,000 guards worldwide, with 38,000 in the United States, of which
about 3-5 percent are directly attributable to 9/11 (Perez, 2002). In 2005, Securicor had
revenues of $4.13 billion dollars, employed 50,500 employees in the United States, and had
about 400,000 full- and part-time employees worldwide.
Those in the security industry are well acquainted with the Hallcrest reports (see
Cunningham et al., 1991). These reports sought to compare the U.S. security industry to
public law enforcement quantitatively. The data revealed that security personnel greatly
outnumber police officers (Pastor, 2003). More recent census data show that the number of
full-time sworn police personnel is estimated at 796,518. In comparison, security industry
estimates suggest that more than 2 million people were employed by security firms in 2000
(Zielinski, 1999). Whatever the exact numbers, the difference between the fields is so great
that some argue private security is now the primary protective resource in the United States
(Bailin, 2000; Cunningham et al., 1991).
The ratio of public police officers to reported crimes has seen an even greater change. In the
1960s, there were about 3.3 public police officers for every violent crime reported. By 1993,
the numbers had reversed, and there were 3.47 violent crimes reported for every public
police officer (Walinsky, 1993). Thus, each public police officer in the 1990s had to deal with
more than 10 times as many violent crimes as a police officer in the 1960s (Walinsky, 1993;
Pastor, 2003). Walinsky notes that to return to the 1960s ratio of police to violent crimes,
about 5 million new public police officers would have to be hired by local governments
(1993). That will not occur. Indeed, what did occur during this time frame was an explosive
growth of the security industry (Cunningham et al., 1991).
Data from the U.S. Department of Justice suggest that the cost of public policing increased
from $441 million in 1968 to about $10 billion in 1994. This represents a 2,100 percent
increase in the cost of public policing, while the number of violent crimes rose 560 percent
from 1960 to 1992 (Walinsky, 1993). As crime rates increased, the monies used to combat
crime also dramatically increased. The Justice Department reported approximately 1,383,000
violent crimes in 2003 (475.8 per 100,000 population) and 1,367,000 in 2004 (465.5 per

7.1 Introduction
100,000 residents). These data reflect a generalized decrease in crime rates within the U.S. in
the past decade.
Some authors attribute this reduction of crime rates, at least in part, to the growth of private
security (Davis & Dadush, 2000), though the proposition is debatable. A related question is
whether any additional spending on public policing would result in a further reduction.
Based on this short historical and statistical overview, the answer appears to be negative.
The impact of security may even be more substantial than the data suggest. Indeed, the
growth of the security industry can be viewed by its involvement in businesses, homes, and
communities throughout the country (Pastor, 2003; Zielinski, 1999; Carlson, 1995; Goldberg,
1994). This involvement includes such diverse services as alarm systems, security guard
services, and investigative and consulting services. The growth of such services caused one
observer to note, “We are witnessing a fundamental shift in the area of public safety. It’s not
a loss of confidence in the police, but a desire to have more police” (Tolchin, 1985). Indeed,
th
today’s security industry is being compared to public policing in the mid-19 century. One
security firm owner stated, “This is a significant time for the private security industry. People
are just beginning to realize its potential. I see private security much like what public law
enforcement was in the 1850s” (Spencer, 1997). This assertion seems even more relevant in
the face of terrorism. Consequently, some see private policing as the “wave of the future”
(Goldberg, 1994; Benson, 1990). Numerous authors argue that there is a need for more
police, or at least more protective services (Dilulio, 1995; Walinsky, 1993; Cunningham et al.,
1990; Spitzer & Scull, 1977; Benson, 1990; Clotfelter, 1977; West, 1993; Seamon, 1995). Other
authors are more critical of the ability of the public police to provide an appropriate level of
protection (Benson, 1990; McLeod, 2002). Either way, another author observed, “People want
protection, and what they cannot get from the police, they will get from private security
companies” (Kolpacki, 1994). Consider the implications of these statements in the light of
terrorism. Police are finding that, in addition to their crime-fighting duties, they now have
significant homeland security responsibilities (National Policy Summit, 2004). This assertion
was echoed by Judith Lewis, former captain with the Los Angeles County Sheriff’s
Department, who observed (Stephens, 2005):
The expectations of law enforcement as first responders for homeland security have put an
almost unachievable burden on local law enforcement. Local law enforcement is not
designed organizationally to support the cooperation needed, and its officers don’t have the
training and technology to do the job. … Currently, traditional law enforcement is being left
behind.

7.2 Contemporary Circumstances
7.2 CONTEMPORARY CIRCUMSTANCES

As these statements and data reveal, the rise of private policing seems inevitable. But why
now? Certainly the terrorist acts of 9/11 changed many things. With the creation of the
Department of Homeland Security in the United States, the Afghan and Iraqi wars, and
terrorist acts after 9/11 (including bombings in Bali, Spain, and London), the desire for
increased security is obvious. However, the security industry was playing a growing role in
crime control long before 9/11. Terrorism is not the only trigger for private policing. The
following additional factors have all contributed to the growth of private security.
7.2.1 ECONOMIC AND OPERATIONAL ISSUES

Cost is a significant distinction between public and private policing. Alternative service provid-
ers, such as private security firms, provide labor cost savings. For example, a compensation
survey conducted by the Bureau of Labor Statistics found the hourly pay for security personnel
ranged from an average of $6.82 in the Tampa/St. Petersburg metro area to $12.82 per hour in
Denver (Institute of Management & Administration, 2000). Public police were said to cost 2.79
times as much as private police in 1979 (Benson, 1990). Other data suggest that a police officer
costs at least $100,000 per year, counting salary, benefits, and overhead (Reynolds, 1994;
Pastor, 2003).
The cost of public policing seems to increase steadily. For example, during the period 1967-
1973, the average salary for state and local police increased 56 percent, while the average
salary for employees of private security firms increased only 34 percent (Clotfelter, 1977).
Further, personnel expenditures are often the largest municipal budgetary line item. Just two
groups—police and fire—represent about 55 percent of the total expenditures for the City of
Chicago (Miranda, 1993). A study of New York City revealed that over a 25-year period, the
number of public police officers rose from 16,000 to 24,000. However, the total annual hours
worked by the entire force declined (Savas, 2000; Pastor, 2003).
Municipalities spend a large proportion of their budgets on the salaries and benefits of
public police officers. It is doubtful whether that pay structure can be sustained.
Several authors have argued that certain operational functions drive up the costs of public
safety services. For example, in the United States, citizens have been urged to call 911 for
decades. This computerized call-taking system has resulted in huge increases in workloads in
police departments. Calls for such conditions as barking dogs, street light repairs, noisy
neighbors, unruly children, alarm response, and the like have created a difficult unintended
consequence for police agencies (Pastor, 2005). The problem has been lessened with the use of
311 (nonemergency police response) and call stacking (prioritizing calls for dispatch based on
the level of seriousness). However, these approaches have not resolved the basic dilemma—
serving the community with the resources allocated to the department (Pastor, 2005).

The budgetary and operational dilemma for law enforcement officials may be best illustrated
by alarm response. Alarm response refers to police being dispatched to burglar, fire, or panic
alarms from commercial, industrial, and residential facilities. Often the problem with alarm
response is attributed to the high rate of false alarms, which is as high as 95 percent or more
(Benson, 1990; Olick, 1994; Cunningham et al., 1990). That is only part of the problem. In the
1980s, only 2 percent to 5 percent of residences had alarm systems. This figure was estimated
at 10 percent in the 1990s and about 20 percent from the year 2000 (Litsikas, 1994;
Cunningham et al., 1991). As the market for security alarms increased, the burden of alarm
response for police agencies also increased.
The impact of this one service hinders the ability of the police to perform their overall mission:
to serve and protect society. For example, according to the Seattle Police Department, alarm
response accounts for its second largest resource allocation. In just one year (2003), Seattle
police officers responded to over 22,000 alarm calls, averaging about 62 alarms a day at a total
estimated cost of $1.3 million.
Many police agencies are looking for ways to deal with this problem. Private policing may
provide the best way to resolve this financial and operational dilemma. For example, in
Johannesburg, South Africa, there is a growing market for alarm response conducted by
private firms. More than 450 registered companies provide alarm response services, serving
about 500,000 clients and employing about 30,000 private officers (Davis & Dadush, 2000).
These officers are equipped with 9mm weapons and bulletproof vests but have only normal
citizens’ arrest powers. The average response time to the protected facility is five minutes. At
least in part, this service provision evolved from the public’s lack of confidence in the
responsiveness of the police. Administration of these services seems professional when mea-
sured in terms of citizen complaints, use-of-force incidents, and the average response time
for alarm calls (Davis & Dadush, 2000).
Approximately 80 percent of police resources are used in “social worker, caretaker, baby-
sitter, and errand boy” activities (Benson, 1990; Pastor, 2003; Reynolds, 1994). Stated another
way, only 20 percent of police officer work is devoted to crime-related matters (Youngs,
2004). A Police Foundation study also found that instead of watching to prevent crime,
motorized police patrols are often merely waiting to respond to calls for assistance (Benson,
1990). The study asserted that about 50 percent of police duty time is spent simply waiting
for something to happen (Benson, 1990). While police officials claim this time is devoted to
preventive patrols, Benson argues that systematic observations suggest otherwise. Such
observations reveal that much of the time is occupied with conversations with other officers,
personal errands, and sitting in parked cars on side streets. While some of these activities
may be necessary, the compelling conclusion of these studies is that municipalities will not
be able to afford the status quo (Pastor, 2003). Partly as a result of this situation, the Toronto
Police Department reported that more than 60 percent of all calls to the police are handled

by alternative response units, which include private police acting as a supplement to public
police departments (Palango, 1998; Pastor, 2003).
Partly because of the widespread use of community policing, municipal police agencies have
reoriented their approach to crime control. This policing model has attempted to change
public policing away from its traditionally reactive approach toward proactive crime fighting.
That approach, however, presents its own operational difficulties and incentives. Typically,
security firms are more oriented toward pleasing their clients—typically by preventing prob-
lems, including crime. In contrast, public police have less incentive to prevent crime since
they are expected to produce arrest statistics and other quantifiable measures (Benson,
1990). The result is an operational incentive geared toward waiting for crimes to be
committed in order to make the arrest.
In recent years, the focus on crime prevention and community policing has changed this
incentive. However, a proactive crime control strategy is costly to administer and is very
labor-intensive (Pastor, 2003). Community policing has created additional tasks that were
largely ignored by traditional enforcement-oriented police departments (Moore & Trojanow-
icz, 1988; Trojanowicz & Carter, 1990). These tasks include beat meetings, crime prevention
missions, accountability sessions, and other service and communication tasks. While
community policing appears to have had some success in reorienting the police to a more
proactive, client-friendly approach, the monies used to support this strategy are now largely
exhausted (Pastor, 2006).
Notwithstanding the exhaustion of federal community policing monies, a basic problem with
fully implementing community policing involves the resources and personnel levels
associated with these tasks (Oliver, 2004). That challenge may lead public police to transfer
tasks to or supplement their strength with private security personnel. Crime prevention and
order maintenance have long been the forte of private security. With these functions in
mind, private policing is predicted to play an increasing role in public safety (Pastor, 2006).
The form of this new policing model may mirror the community policing approach, which is
premised on client service designed to prevent and control crime. In this sense, private
police will be used to supplement public police in service and order maintenance functions.
This allows public police officers more time for addressing serious crimes, including terrorist
violence. Carlson asserts that communities are certain to follow this approach because “they
may have to” (1995). For comparison, he observes that hospitals were forced to give more
responsibility to nurses due to rising medical costs. He adds:
Cities may find that sworn police officers—whom they must train, pay relatively well and
sustain pensions—are too expensive for fighting and deterring certain types of low-level
crimes. To maintain basic civic order, rent-a-cops may be a better deal.

Private police officers are not “rent-a-cops” but alternative service providers. Many needed
and valuable services can be performed at a lower cost compared to public police officers.
Contracting certain service tasks can be equated to the common business practice of
outsourcing (Youngs, 2004). These tasks include the following:
x traffic accidents/traffic control

x parking tickets/abandoned vehicles
x vehicle lock-outs
x building checks
x alarm response
x animal complaints
x funeral escorts
x paperwork/subpoena services
x “cold call” follow-ups
x vandalism complaints/reporting
x theft/burglary/lost-and-found reporting
x crime scene security
x prisoner transport/security
In sum, public police are overburdened with many service-oriented functions (Pastor, 2003).
Private police can help resolve both functional and economic constraints. Indeed, the threat
of terrorism will only exacerbate these constraints—thereby accelerating the need for
alternative service providers. For example, about 85 percent of all critical infrastructures in
the United States are already protected by private security personnel (Simeone, 2006).
Private police services are financed by business or property owners, either through special
taxing initiatives or more directly through contracts with property or community associations.
With these funding sources, private policing services could be sustained with little or no
municipal expenditure. Consequently, the economic benefits derived from privatized service
providers can help relieve already strained municipal budgets (Pastor, 2003).
Obtaining private security services through a taxing initiative usually involves the creation of
a special taxing district. The district may be given broad powers to promote economic
development or stability through health, safety, and environmental improvements. The spe-
cific source of the monies can be a tax on real property or a sales tax levy. Since the tax is
confined to a certain geographic area, the local property or business owners usually maintain
control over the authority vested in the district. Participation in this authority usually
requires a certain connection to the geographic area, such as being a property owner,
working in or owning a business within the district, or owning stock in a corporation within
the district (Pastor, 2003).

7.2.2 ORDER MAINTENANCE

Order maintenance techniques, and their relationship to the physical environment, are rele-
vant for several reasons. Widely used in community policing, order maintenance may prove
beneficial in reducing crime and incivility or disorder (Pastor, 2003). Many researchers
believe that a lack of order can lead to high crime or fear of crime in a given area (Covington
& Taylor, 1991; Lewis & Maxfield, 1980; Kelling, 1995).
The theory underlying order maintenance contends that crime problems originate in
relatively harmless activities. Public drinking, graffiti on buildings, and youths loitering on
street corners are common activities in certain areas. If these activities go unchecked, the
level of fear and incivility begins to rise. Over time, more serious crimes, such as gang fights
or even drive-by shootings, may take place. Disorder tends to reduce the social controls
previously present in the area. This results, at least in theory, in increased crime, which
contributes to the further deterioration of the physical environment and the economic well-
being of the community (Pastor, 2003).
The development of order maintenance theories can be traced to a line of thinking that
initially focused on conditions in cities, particularly in slums. In these areas, conditions such as
“physical deterioration, high density, economic insecurity, poor housing, family disintegration,
transience, conflicting social norms, and an absence of constructive positive agencies” were
deemed contributors to criminal behavior (McLennan, 1970). Over time, researchers started to
shift their focus from socioeconomic factors toward the physical characteristics of the
community. For example, Cohen and Felson (1979) argued that the completion of a crime
requires the convergence in time and space of an offender, a suitable target, and the “absence
of guardians capable of preventing the violation.”
This focus on environmental factors was found in a number of other studies. Gibbs and
Erickson (1976) argued that the daily population flow in large cities “reduces the effectiveness
of surveillance activities by increasing the number of strangers that are routinely present in the
city, thereby decreasing the extent to which their activities would be regarded with suspicion.”
Similarly, Reppetto (1974) concluded that social cohesion and informal surveillance decline
when a large number of people live in a given area (Jackson, 1984). Lewis and Maxfield (1980)
took this logic to the next level. They focused on specific physical conditions within the
environment, seeking to assess the impact on those conditions on crime and the fear of crime.
Their research assessed such factors as abandoned buildings, teen loitering, vandalism, and
drug use. They believed those factors draw little attention from police partially because
police have limited resources to deal with them. The researchers noted that such problems,
nonetheless, are important indicators of criminality within any community.
The implications of these studies are clear. When faced with disorderly conditions, individuals
tend to feel a greater exposure to risk and a loss of control over their environment, and they are

more aware of the consequences of a criminal attack (Fisher & Nasar, 1995). This thinking
further advances the concept of situational crime prevention by assessing the circumstances
surrounding the crime. This assessment takes into account the intersection of potential
offenders with the opportunity to commit crime. Researchers argue that a particular crime
could be prevented through measures designed to reduce the offender’s ability (or even
propensity) to commit crimes at specific locations (Pastor, 2003).
These conclusions have been echoed by a number of other authors, including Kelling (1995).
He asserts that citizens regularly report their biggest safety concerns to be things like
“panhandling, obstreperous youths taking over parks and street corners, public drinking,
prostitution, and other disorderly behavior.” Each of these factors was identified as a
precursor to more serious crime. Moreover, the failure to correct disorderly behavior may be
perceived as a sign of indifference. This indifference communicates the message that no one
cares—which may, in turn, lead to more serious crime and urban decay (Kelling, 1995).
Consequently, the key to crime control is to address both the physical and social conditions
that foster crime.
Implicit in these findings is the desire to prevent crime or reduce the conditions or factors
that foster crime. These conclusions have been embraced by both public police and private
security. A key component of these preventive methods is order maintenance, which can be
accomplished in a number of ways, including the rehabilitation of physical structures, the
removal or demolition of seriously decayed buildings, and the improvement of land or
existing buildings by cleaning and painting. Other relatively simple environmental
improvements are recommended, such as planting flowers, trees, or shrubs to enhance the
“look and feel” of an area (Pastor, 2003). These physical improvements, coupled with efforts
to reduce or eliminate certain antisocial behaviors, such as loitering, drinking and drug use,
fighting, and other disorderly behaviors, are at the core of an order maintenance approach to
crime prevention. The goal is to correct these conditions and behaviors before more serious
crimes occur.
Viewed in this broad manner, security can encompass such diverse factors as trash collection,
planting flowers, and private police patrols. Each service is designed to improve conditions
within an area. The advent of terrorism will only magnify this environmental focus. For
example, an unattended package or an unidentified vehicle may actually contain a bomb.
While these threats are difficult to remedy, this focus on the environment has been echoed by
st
Kaplan, who views the environment as the security issue of the early 21 century (1994).
In public policing, these order maintenance techniques are encompassed in the concept of
community policing (Moore & Trojanowicz, 1988; Kelling, 1995; Palango, 1998; M. Robinson,
1997; Seamon, 1995; Kolpacki, 1994; Spencer, 1997; Cox, 1990; Johnston, 1992). In essence, a
core goal of community policing is to focus on fear reduction through order maintenance

techniques (Moore & Trojanowicz, 1988). In this sense, crime and fear reduction through
order maintenance are in accordance with the environmental theories articulated above.
Community policing also strives to reduce calls for service by addressing the underlying
reasons for the calls.
In the private sector, the focus has long been on prevention (Chaiken & Chaiken, 1987;
Shearing & Stenning, 1983; Cunningham et al., 1990). The similarity of private security and
community policing techniques can be narrowed to one core goal: both are intended to use
proactive crime prevention that is accountable to the client or the citizen, respectively
(Kolpacki, 1994; Pastor, 2003). Private security is particularly well suited to perform order
maintenance. At least partly because of that sector’s crime prevention focus, private security
personnel have replaced public police in the protection of business facilities, assets,
employees, and customers (Pastor, 2003). Private security personnel provided what the
public police could not. Specifically, security firms provided services for specific clients,
focusing on the protection of certain assets, both physical and human, as their primary or
even exclusive purpose.
Security personnel attempt to predict reasonably foreseeable crime and develop precautions
against it (Gordon & Brill, 1996). A substantial body of law has grown around the
environmental aspects of crime. Tort claims on grounds of premises liability or negligent
security have provided explosive business for personal injury attorneys (Pastor, 2003). These
lawsuits stem from a negligence-based legal theory that questions whether the business or
property owner knew or should have known that a criminal would commit a crime within the
property (Pastor, 2006).
This legal exposure helped create a significant consequence. Property and business owners
were motivated to institute security measures within and around their property or business
location. The exposure serves as both carrot and stick. The carrot is a safe and secure place to
do business and to live or work in. Of course, a safe and secure environment will not hurt the
reputation of the business or the viability of the property. The stick is potential liability with
substantial jury awards. In addition, media exposure stemming from crime, coupled with the
reputational and public relations damage associated with an incident, provides substantial
motivation to secure the premises from criminals. Consequently, security began to be seen
as an asset and crime control as a duty.
The result was a growing use of security personnel and methodologies. Business and
property owners started to think and worry about security, becoming more proactive in their
approach to a safe and secure environment. For security firms, the legal exposure created
opportunities. It brought security closer and closer into the realm of the average citizen.
Security personnel began to be used routinely at businesses and large corporations, which
began to focus on the protection of employees and clients instead of simply focusing on asset

protection. In this sense, security became more mainstream. It became part of people’s
workplaces, apartment buildings, and hospitals. Private security became “the people.” This
relationship of the security industry to mainstream society also increased the scope of
services provided by private police (Pastor, 2006).
As premises liability and negligent security lawsuits developed, the liability of business and
property owners expanded farther and farther from the protected facility. Indeed, it is now
common for security patrols for properties and businesses to extend into the streets and
other public areas to prevent crime and provide a safe and secure environment. Private
police have become another security layer in the public domain.
Public police had and still have a much more difficult task incorporating crime prevention
into their organizational structure. The challenge arises from their mission to enforce laws
uniformly throughout society, as well as the need to preserve democratic and constitutional
ideals. Considering the many burdens of public police, it is reasonable to conclude that the
role of private security will continue to increase. Many have advocated that private police
play a larger role in the prevention of crime in areas traditionally and exclusively patrolled by
public police (Chaiken & Chaiken, 1987; Palango, 1998; McLeod, 2002; Benson, 1990). The
use of order maintenance techniques will prove to be an important function used by private
policing (Pastor, 2003).
7.2.3 CRIME (FEAR OF CRIME) AND TERRORISM

The relationship between crime and fear has been systematically studied in numerous
studies (Smith & Hill, 1991; Lewis & Maxfield, 1980; Liska et al., 1982; Benson, 1990; Moore &
Trojanowicz, 1988; Pastor, 2003). Similarly, other authors assert that crime has led to a
generalized increase in fear levels in certain demographic subsections, as well as in the larger
society (Farnham, 1992; Litsikas, 1994; Walinsky, 1993; West, 1993). The consistent conclusion
was that crime has created concern, often rising to what could be construed as fear, and that
fear of crime is exacerbated by signs of criminal activity. Indeed, signs of criminal activity, such
as disorder or incivility, have an impact on people’s perceptions of crime (Lewis & Maxfield,
1980; Kelling, 1995). Incivility is equated with disorder; both represent chaotic conditions that
result in more serious criminal activity.
The levels of fear are greatest where there is a concern about both crime and incivility. If
incivility (or disorder) is not perceived to be a problem, then residents may be able to cope
with higher rates of crime (Lewis & Maxfield, 1980). This conclusion has important implica-
tions. Communities must deal with both the crime rate and the physical and social indicators
that lead to the perception of incivility and disorder (Lewis & Maxfield, 1980).

Another implication of these theories is that private police will increasingly be used to
combat or respond to crime (Benson, 1997; Tolchin, 1985; Cunningham et al., 1990; Spencer,
1997; Meadows, 1991; Walinsky, 1993; McLeod, 2002; Bailin, 2000). These authors and many
others have predicted or shown that private security personnel are being hired in response to
the incidence of crime. This assertion is echoed by Stephanie Mann, author of Safe Homes,
Safe Neighborhoods, who asserted that “people need to take responsibility for their safety. …
Citizens are the law and order in a community, not the police” (Litsikas, 1994). This view is
based on the impact of normal crime. With the threat of terrorism, it seems particularly
appropriate to assert that government cannot implement the necessary remedies to deal
with crime and terrorism (including the attendant fears) without the contribution of the
private sector (Pastor, 2003).

7.3 Principles of Private Policing
7.3 PRINCIPLES OF PRIVATE POLICING

Private policing is related to the larger notion of privatization. Advocates of privatization
argue that the use of private firms results in lower costs for the same—or better—service than
when services are provided by government (Wessel, 1995; Donahue, 1989; Tolchin, 1985;
Clotfelter, 1977; Miranda, 1993; Carlson, 1995; Benson, 1990; Morgan, 1992; Clemow, 1992).
These authors maintain that private firms are able to pay lower wages and terminate
inefficient workers. However, there is substantial evidence that labor costs (including
benefits, training, etc.) have a direct relationship to service quality (Benson, 1990; Donahue,
1989; Linowes, 1988; Wessel, 1995).
Still, there is ample evidence that private firms can deliver more efficient services at a lower
cost. Savings are typically based on the following (Donahue, 1989):
x more flexible use of labor
x richer array of incentives and penalties
x more precise allocation of accountability

x less constraint on process and more focus on results
Proponents of privatization argue that market competition results in more efficient service
delivery, especially when many similarly situated firms are ready, willing, and able to provide
such services (Morgan, 1992; Donahue, 1989; Benson, 1990). The absence of competition in
the public sector allows for complacency, with little incentive to provide better service at the
lowest cost possible.
Opponents of privatization argue that reduced labor costs are illusory because they are
achieved through hiring less qualified and less trained personnel, providing inadequate
benefits to employees, using hiring practices that focus on part-time employees, and even
using creative accounting methods (Bilik, 1992). The cost of contract bidding and
administration must be assessed, as it adds to the bottom line and may even invite
corruption (Hebdon, 1995; Donahue, 1989; Chaiken and Chaiken, 1987). Other authors
contend that without adequate competition, the ill effects of monopolies will result (Shenk,
1995; Clemow, 1992; Schine et al., 1994; Bilik, 1992; Donahue, 1989; Hebdon, 1995).
The use of private service providers does not necessarily result in lower costs or better service
quality. However, the benefits of limited privatization far outweigh the negatives. This is
especially true in the case of public safety services, where the failure of law enforcement to
protect society is potentially measured in thousands or even hundreds of thousands of lives.
Given the threat posed by terrorists with weapons of mass destruction, the concerns voiced
by privatization opponents seem pale. Still, it is critical to maintain competition among

private sector vendors; enforce accountability; and develop and maintain standards for the
selection, training, and hiring practices of private security firms. As Donahue states, the
“evidence is overwhelming that where…negligence or the nature of the service itself
undercuts competition, the benefits of privatization shrink or vanish” (1989).
7.3.1 POLICING ROLE AND FUNCTIONAL DISTINCTIONS

The clearest distinction between public and private policing is that public police officers are
duly sworn by government officials. In contrast, private police are individuals who are
employed by private firms or other organizations without governmental affiliation. However,
this distinction is not always clear. Some jurisdictions license and regulate private security
personnel. Some governmental units even grant special police status to private security
personnel, giving them broad arrest powers.
Carlson identifies five specific categories of distinction between public and private policing
(1995):
x Philosophical. Private police may lack the moral authority that government can give to
law enforcement.
x Legal. Private police are hobbled by the law, with only limited powers of arrest, usually
restricted to the commission of crimes within their presence. However, those with special
police status have nearly all powers of public police, including authority to make
arrests and carry guns.
x Financial. Private police can perform certain tasks more cheaply.

x Operational. Private police are more flexible, can be assigned to specific locations, and
spend nearly all their tour on the beat. They make fewer arrests, are burdened with little
paperwork, and rarely make court appearances.
x Security/Political. Private police give citizens more control over their own safety by
augmenting police efforts, helping to maintain order when police are spread thin. Also,
private policing encourages citizens to follow community standards in a way that police
officers cannot or do not.
These categories raise many questions. For example, the perception that security personnel
do not possess the same legal and moral authority as public police officers may affect how
private officers perform their jobs. When a private police officer directs someone to refrain
from loitering, the person’s willingness to comply may depend on whether the officer has the
authority, either legal or moral, to force compliance (Pastor, 2006).
Another issue involves the level of control over the functions of the private police and how
responsive the private police are to the needs of the client. It may not even be clear who the

client is. Is it the property owners who contribute their monies through real estate taxes? Is it
the larger community, or even anyone who happens to drive through the neighborhood? In a
community policing model, the public police are urged to be more accountable to the
citizens they serve. In this sense, the citizens are the clients.
Another way to distinguish public and private police is by the roles they take or functions
they perform. The distinctive aspects of these policing functions are outlined by Chaiken and
Chaiken (1987), as shown in Figure 7-2.
Figure 7-2 distinguishes the functions of private and public police dramatically. One of the
most profound distinctions regards the input—that is, the person for whom the service is
designed or intended. In private policing, the bill payer is usually deemed the client. In
public policing, the citizen or society is the client (Shearing & Stenning, 1983).
Private Police? mPolicing Function?o Public Police
Client Input Citizen
Crime prevention Role Crime response
Specific Targets General
Profit-oriented enterprise Delivery system Government
Loss reduction/asset protection Output Enforcement/arrest
Figure 7-2
Functions of Private and Public Police
A corporation performs both a private and public function by hiring security personnel and
equipping them with uniforms, badges, and weapons. The generally accepted responsibility
or function of security in this context is to enforce certain rules or laws on the company’s
property (McKenzie, 1994). Consequently, this seemingly private function provides an
external benefit to the larger society, or at least to the citizens who happen to be within the
protected facility or area (Pastor, 2003).
This input distinction explains much about the service orientation of the two entities.
Particularly in the private sector, the need to please the client cannot be underestimated.
Private security personnel tend to view behavior in terms of whether it threatens the interests
of the client (Shearing & Stenning, 1983). However, what constitutes the interests of the
client is not always clear or consistent (Dalton, 1993). That presents a challenge because
knowledge of a client’s interests may affect how a security firm performs its duties.

7.4 Private Policing Environments
Another important distinction regards the output of the service. Private security today tends to
focus on loss reduction or asset protection. However, the role of private security may be
shifting back to its historical roots. If so, private policing could renew some of its enforcement
orientation, which has become the almost exclusive realm of public policing agencies (Benson,
1997; Tolchin, 1985; Cunningham et al., 1990; Spencer, 1997; Meadows, 1991; Walinsky, 1993;
Bailin, 2000).
Perhaps the most important distinction involves the delivery system. For private police, the
delivery system is profit-oriented firms or corporations. With public police, it is government.
The competition in which companies engage drives better service and value. Conversely,
monopolies, such as police departments, tend to be less efficient, even complacent. If a
security firm is not performing well or is not providing good value, it can be fired. In public
policing, however, citizens cannot directly fire their police department. While they may
petition political leaders for redress, doing so is not nearly as effective as exercising a 30-day
termination clause, as is common in the security industry.
Another issue involves the applicability of constitutional protections, such as prohibitions on

unreasonable searches and seizures. Historically, such protections did not apply to private
police (Nemeth, 1989; Chaiken & Chaiken, 1987). However, courts are now inclined to extend
constitutional protections to cover actions by private security personnel. Typically, their
actions must have a connection to government or sworn police officers (Pastor, 2003).
7.4 PRIVATE POLICING ENVIRONMENTS

Though unusual, private police patrols on public streets are not unprecedented. This section
presents various models of privatization, wherein private police play a role in providing public
safety services.
As Moore and Trojanowicz assert, police are responsible for managing crime and its effects.
No other government agency regards itself as specifically responsible for crime (1988).
However, if the police cannot prevent crime, one logical response is to hire private security
firms to do so. In this way, private police can be viewed as an additional layer of security for
the community. As Carlson explains, private security firms can help restore community life,
allowing people to worry less about crime and spend more time building families and
neighborhoods (1995). Few people would argue against targeting crime and reducing its
impact on society.
The scope and details of these arrangements vary widely. In rare cases, private security has
replaced public police in a jurisdiction. In most private policing initiatives, some level of

partnership forms the basis for the arrangement. Such partnerships make sense. The two
entities have many similar goals, such as reducing crime and fear through an environmental
or order maintenance approach. The commonality of goals may foster cooperation in the
spirit of public safety. For example, public police may rely on private police to carry out tasks
they prefer not to undertake. In return, public police provide some needed services, such as
expeditious response to calls for assistance (Chaiken & Chaiken, 1987). Most public police
officials welcome fuller partnership with private security if it frees up their officers for crime
fighting (Pastor, 2003).
The models presented below describe past or present privatized policing arrangements. Two
key factors in these models are the location of services and the provision of services. Locations
may be public or private, but sometimes the distinction is unclear. For example, a gated
neighborhood with a fenced perimeter has characteristics of both public and private locations.
(However, for present purposes such a space is deemed private because of its physical
separation from the larger community.)
As for provision of services, security personnel may be used to supplement public police,
replace public police, or provide a service that lies between those extremes. For example, in
some cases a private firm has only ancillary involvement in community safety. In other cases,
private security personnel may engage in proactive and tactical enforcement techniques,
designed to search out and arrest criminals. However, in most cases, the security firm acts
as a supplement to public police.
Accurate statistics on the scope of private policing are difficult to obtain. Thus, it is unknown
how common the following arrangements are.
7.4.1 PRIVATE ENVIRONMENT: SUPPLEMENT

There are many examples of private security acting as a supplement to the public police in
private, gated communities. For example, in Los Angeles 35 neighborhoods have asked local
governmental permission to separate from the surrounding communities by installing gates
and hiring security firms (Farnham, 1992). In suburban Detroit, the 2,300-home East English
Village Association hired a private security force to supplement patrols by local police (Farn-
ham, 1992). The reasoning behind this decision is illustrated by a statement from the
president of the property association: “We figured if we wanted to keep this neighborhood
stable, we couldn’t stick our heads in the sand and say the police should take care of it. We
realized there’s only so much they can do” (Farnham, 1992).
The Frenchman’s Creek development in Florida hired a miniature tactical team called STOP
(Special Tactical and Operations Personnel). The team “roams the grounds every night
dressed in camouflage face paint to stay as unobtrusive as possible and give them the edge

on any intruder” (Cruickshank, 1994). This tactical team stays sharp by conducting exercises
with sophisticated equipment, including night vision gear and infrared detectors that
distinguish a human body from the surrounding vegetation. It also includes a marine patrol
and tickets speeders (Cruickshank, 1994).
7.4.2 PUBLIC ENVIRONMENT: REPLACEMENT

In rare (and problematic) instances, public police have been replaced by private security
firms. For example, in 1992 Sussex, New Jersey, fired its police officers after a drug scandal
(Reynolds, 1994). The town of Reminderville, Ohio, did the same. Police officers in both
towns were replaced by private security guards who patrolled the town in blue, police-like
uniforms. They were armed with 9mm semiautomatic weapons, radios, batons, and
handcuffs. In essence, the security personnel maintained the appearance of public police
but provided their services at a lower cost (Geyelin, 1993; Reynolds, 1994). The towns saved
money, but the experiments were terminated after pressure from public police organi-
zations and complaints by residents that the security personnel were not adequately
enforcing laws (Pastor, 2003; Reynolds, 1994; Geyelin, 1993; Tolchin, 1985). Although the
security personnel looked like police officers, they had “no more than citizen’s power of
arrest, and … no authority whatsoever to question, detain or search a suspect without
risking a lawsuit” (Geyelin, 1993).
7.4.3 PUBLIC ENVIRONMENT: SUPPLEMENT

It is more common for private police to supplement, not replace, public police. Many such
arrangements exist in business improvement districts (BIDs). Indeed, New York City
contains more than 40 BIDs, and more than a thousand BIDs exist across the United States
(Davis & Dadush, 2000). An overview of some supplemental arrangements follows.
Grand Central Partnership

The Grand Central area in New York City consists of more than 6,000 businesses, comprising
more than 51 million square feet (Carlson, 1995). Each property owner is taxed an additional
12.5 cents per square foot. In 1994, this tax raised $6.3 million for the Grand Central
Partnership (GCP). The tax revenue is returned to the district management association,
which administers the program and employs a security force (Goldberg, 1994). A spokes-
person for the association emphasized that the program requires “layers of cooperation”
with various city planning commissioners, assessment and tax officers, and the city council
(Carlson, 1995; Goldberg, 1994). The revenues and cooperative efforts with city officials
provide diverse services, including private street sweepers and trash collectors; garbage cans,
street lighting, and flower boxes; multilingual tour guides; homeless shelters; and uniformed
security guards.

Obviously, the scope of the project goes beyond what is traditionally viewed as security and
works to change both people’s perceptions and the physical environment. The New York Times
had described the area as “chaotic and forbidding, often filthy and sometimes dangerous”
(Carlson, 1995), but after two years of operation, the Grand Central Partnership saw crime drop
20 percent. After the fifth year, reported crime was down 53 percent (Carlson, 1995).
Explanations for the crime drop are varied. Some maintain that the private police perform
tasks in a cost-effective manner and are more flexible than public police (Carlson, 1995;
Patterson, 1995). GCP staffers offer other reasons. A retired New York City detective in charge
of GCP operations asserted, “Police are involved with other matters[;] they cannot concentrate
on the quality of life crime when they have major crimes. We are the eyes and ears of the police
department. …[T]hey appreciate our work because we try to solve some problems ourselves,
without police intervention” (Carlson, 1995). Another GCP staffer stated, “We don’t do
homicides, we don’t do rapes, but we do other quality of life things. … We do the work the
police have trouble getting [to] because they are so busy” (Carlson, 1995; Pastor, 2003).
These statements reflect an order maintenance approach, which is also demonstrated by the
workload handled by the security personnel. In 1994, the security personnel responded to
6,916 incidents. Only 624 of them required police assistance, and only 122 resulted in arrest
(Carlson, 1995). The result of this cooperative effort is that police are able to focus on more
serious crimes, and security personnel address the bulk of the service and order
maintenance duties (Pastor, 2003).
Selection criteria for these guards are similar to those for public police (Carlson, 1995). A
guard in the GCP must:
x be at least 18 years of age

x have no recent felony convictions
x be a reasonably upstanding and sober citizen
x be a high school graduate
x pass psychological examination
x pass a drug screening test
In addition, there is a hiring preference for military service.
By contrast, their seven-day training is substantially less rigorous than training for public
police. Weekly follow-up training addresses use-of-force issues and security procedures.
Discipline within the ranks is strictly enforced. According to Carlson, absenteeism or
lateness, sloppy dress, smoking in public, and even minor rule violations are not tolerated
(1995). This level of discipline is particularly important because the security personnel wear

uniforms that resemble New York City police uniforms. They—like the police—also wear
radios and bulletproof vests.
Despite the favorable statistics, some people—including police officers—are not convinced
of the merits of this arrangement. The following statement sums up their reservations: “In
the eyes of the police, guards seem to occupy a confusing gray area between public official
and private citizen that many cops find disconcerting” (Carlson, 1995). However, other
private citizens and property owners care less about such legal niceties and more about their
own security. Some even claim that regardless of the cost paid for these services, the
protection received is well worth it (Carlson, 1995). One property owner stated, “Before the
security guards, there were no cops. Muggers would snatch a purse right in front of the store,
and they would be laughing, not even running away. … They can’t do that now. Without
guards, it’s like a jungle out there” (Carlson, 1995).
The GCP arrangement is built on the logic of order maintenance. The president of the GCP
stated, “When a citizen sees prostitutes, graffiti, rough talking panhandlers, and poorly
maintained buildings, he concludes that things are out of control and he forgoes use of that
street” (Blyskal, 1996).
Metro Tech Area

The Metro Tech Area is another New York City BID that provides supplemental private
security and sanitation services. This BID also focuses its efforts on an order maintenance
approach, seeking to reduce signs of physical and social disorder through street
maintenance and regulation of people’s behavior (Davis & Dadush, 2000). A CCTV system
with 26 cameras monitored by the New York City Police Department (NYPD) dispatchers
enhances the ability of private officers to control crime and disorder (Davis & Dadush, 2000).
The BID employs 28 private police officers. Candidate selection is highly competitive,
accepting only one of 25 applicants (Davis & Dadush, 2000). Each candidate must be 21 years
old, pass drug tests and psychological exams, submit to random drug tests, have a clean
felony record, and have no history of drug activity (Davis & Dadush, 2000). The starting salary
is $20,500, with an increase after one year, plus merit and promotional opportunities. Each
officer receives 96 hours of training at the NYPD academy on such topics as conflict
resolution, communication skills, legal topics, court procedures and testimony, investigative
techniques, and report writing (Davis & Dadush, 2000). These officers also receive in-service
training at roll calls and annual training in cardiopulmonary resuscitation (CPR) and baton
use. The officers do not carry firearms but do possess arrest powers. Approximately six
arrests are made per year, but only when the officers witness the crime. Incidents handled by
these officers usually relate to order maintenance and assistance to citizens (Davis &
Dadush, 2000).

Internal accountability is structured into this arrangement. Every private officer must pass
written exams each year. These exams focus on the code of conduct, post orders, and rules.
Merit increases are based on professional performance. In addition, the officers are under
CCTV surveillance and are subject to internal investigation complaints. Only six abuse
allegations have been made in nine years. These complaints are overseen by the BID’s public
safety committee and board. Finally, external accountability is accomplished by the court
system, the Department of Business Services, the NYPD, and, of course, the BID’s clients
(Davis & Dadush, 2000).
Center City District

Another supplemental arrangement in a public environment is the Center City District
(CCD), a Philadelphia BID formed in 1991 (Seamon, 1995). Before the BID was formed, the
downtown business district was crime-ridden. The Central Police District, which serves the
downtown area, reported that 37 percent of its workload came from this area (Seamon,
1995). In addition, the area was plagued by a growing number of vacant commercial
properties, unregulated vendors, homeless citizens, and trash on the streets and sidewalks.
The district covers 80 square blocks, and 2,087 property owners pay a property tax surcharge
equal to 5 percent of the current city real estate levy (Seamon, 1995). In 1994, the budget was
$6.6 million. The budget is allocated to the following privately contracted services:
x 53 percent for street cleaning and trash pickup

x 33 percent for public safety
x 7 percent for administration

x 7 percent for marketing
These allocations reflect a broad conception of security and an order maintenance approach.
The partnership also reflects a diverse combination of people and disciplines. A successful
privatization program requires city officials, police authorities, and security managers to
work together in a way that promotes trust and creates bonds between the public and private
sectors. The parties must also clearly understand their respective roles (Seamon, 1995). To
reach its goals, the partnership set up its daily operations to foster collaboration. City police
officers and the BID’s security officers (called community service representatives) share
headquarters and locker facilities, conduct joint roll calls, and are regularly addressed by
police detectives on current crime conditions (Seamon, 1995).
Philadelphia Police Department statistics reveal that from 1993 to 1994, crime decreased by 6
percent in the CCD area. By way of comparison, during the same period crime rose 1 percent
in the Central Police Division.

The security force consists of 45-50 officers. Their training curriculum ranges from problem-
solving techniques, customer service, and hospitality to police procedures, use of force, radio
communications, first aid, CPR, and victim assistance (Seamon, 1995). The minimum
standards include two years of college, an age of 21 years, and the completion of a background
investigation (Seamon, 1995). These are higher standards than those for typical security
guards (Pastor, 2003).
The security personnel perform unarmed, uniformed service, acting as a supplement to

police. They act as public concierges or neighborhood watchers. Their radios are inter-
connected with those of the police. The security personnel also use a computerized crime
mapping system designed to enhance crime prevention.
Downtown St. Louis

The St. Louis Metropolitan Police Department and a private security company entered into a
supplemental, contracted relationship in which private uniformed security personnel patrol
the central city. This private security force is funded through a special tax district that
encompasses all of downtown St. Louis and is administered by Downtown St. Louis, Inc., a
private, not-for-profit chamber of commerce. Property owners in the district pay a tax
surcharge, which is collected by the city and state, then redistributed to the district (Mokwa
& Stoehner, 1995). The revenues pay for the following services:
x market attractions
x special events
x private security
The tax revenues guarantee business owners their own security protection (Mokwa &
Stoehner, 1995). The security force consists of 6-30 patrol officers, depending on the shift or
the particular event. The St. Louis Police Department allocates 10 patrol vehicles and 30 foot
patrol officers to the downtown area. In addition, some off-duty police officers serve on the
security force. Partly because of the interrelationship between the security force and the
police, the security personnel have the same powers of arrest as police. Just like the police,
security officers wear uniforms and walk their beats—using reasonable force when necessary
to stop a crime (Mokwa & Stoehner, 1995; Pastor, 2003).
The selection criteria are sophisticated. A security officer must have an outgoing personality,
knowledge of the St. Louis metro area, and two years of prior experience in the security
industry. In addition, an officer must pass a psychological test and several personal
interviews. The training consists of a 16-hour course designed and administered by the St.
Louis Police Department. The training stresses police policies and procedures. The security
firm also conducts a 16-hour public relations course. When the training is completed, the
security officers are licensed by the St. Louis Police Department and are given arrest

authority by the city’s police board (Mokwa & Stoehner, 1995). With this regulation and
proclamation, the private police officers are vested with “special police” powers.
This supplemental private/public partnership has been credited with a reduction in crime.
The total number of crimes in downtown St. Louis declined almost 10 percent in one year
(from 306 in 1993 to 276 in 1994), and auto theft rates dropped 31 percent (Mokwa &
Stoehner, 1995).
Greater Green Point Management District

The Greater Green Point Management District (GGPMD) encompasses a 12-square-mile
section of Houston, Texas. The district has a mix of residential and commercial properties.
Between 1980 and 1990, its population grew substantially, as did the crime rate, and physical
conditions deteriorated (Robinson, 1996). From 1986 to 1991, crime increased 25 percent
and calls for service increased 46 percent. Over the same period, the number of public police
officers assigned to the area decreased 22 percent (Robinson, 1996).
Local property owners petitioned the state legislature to create the GGPMD. The legislature
approved the district in 1991, and a tax levy of 10 cents per $100 of assessed property value
was established (Robinson, 1996). The district is administered by a 22-member board of
directors appointed by the governor. The board is headed by an executive director, who is in
charge of operations. It also includes a security manager, who is in charge of security and
public safety.
The security manager implemented a comprehensive public safety program based on

surveys conducted by the district administrators. The surveys revealed that business owners
were in “absolute terror” due to the growing crime problem (Robinson, 1996). Police
response time ranged from 14 to 15 minutes for emergency calls and almost two hours for
nonemergency calls (Robinson, 1996). This situation called for more responsive services. For
approximately $400,000 per year, GGPMD funded the hiring of additional police officers and
supplemented them with private security personnel. Further, the district opened a new
police substation in space donated by a large shopping mall (Robinson, 1996). Both police
and security personnel were stationed there.
The crime rate dropped 25 percent in the year following the implementation of the
initiatives. In addition, the occupancy rate of business units in the district rose to become
one of the highest in Houston (Robinson, 1996). In short, the arrangement was deemed to
have contributed to the betterment of the city’s overall environment.
Durham, North Carolina

In Durham, following a series of shootings on public buses, the city contracted with
Wackenhut Security to provide private patrols of its buses. These private police officers were

vested with the same arrest powers as public police officers. They are well-trained, armed,
and wear uniforms that are similar but not identical to those of the local public police. After
the introduction of private patrols, crime decreased, bus ridership increased, and people’s
satisfaction with the bus system improved (Bureau of Justice Assistance, 2005).
Dallas Downtown Improvement District

In 2004, business owners in Dallas hired 31 private police officers to patrol the downtown
business district. These patrols cost about $1.5 million a year, with each officer earning
$12.50 per hour (Brown, 2004). These patrols take an order maintenance approach. Their
goal is to reduce crime and to increase the perception that the area is safe. Significantly,
these officers are considered “public safety officers,” a term that is consistent with the public
safety policing model.
The private police officers wear blue police-like uniforms, carry pepper spray, use radios, and
exhibit a friendly, courteous manner (Brown, 2004). The patrols take place on foot and on
bicycles. Training of these officers lasts three weeks or about 120 hours. A deputy chief of the
Dallas Police Department noted that this force will work as extra eyes and ears of the police
(Brown, 2004). It is interesting to note that Brown, writing in a police magazine, discussed
these private patrols in a negative manner. She stated that “inexplicably” the Dallas police
brass seem to be in favor of “losing department jobs to the private sector.” She characterized
this arrangement as “the front” in the “privatization war.” While it is unfortunate to describe
this public safety initiative with such critical language, the merits of these public/ private
arrangements are sure to survive the arrows of critics.
Starrett City
The Starrett City housing development in Brooklyn is a classic model of the benefits of
th
privatization. The development is located in the 75 police precinct, which consistently has
one of the highest murder rates in New York City (Carlson, 1995; Walsh et al., 1992). Some 90
percent of its residents receive government rent subsidies (Carlson, 1995).
The management company that administers the development hired private police officers.
By the late 1980s, 60 private police officers were employed, of whom approximately 40 were
armed. Each private police officer carries the “special police” designation and has full arrest
powers. These private police personnel handle about 10,000 service calls annually (Carlson,
1995). The average salary is $31,000, which represents about 70 percent of the average salary
of a police officer (Pastor, 2003).
Carlson observes that 20 years after hiring these security officers, Starrett City is as safe as
any affluent neighborhood. In 1994, this community of 20,000 people reported only 24 car
thefts, 12 burglaries, 6 aggravated assaults, and no rapes (Walsh, et al., 1992). In the same

year, Carlson notes, the complex reported only 67 robberies. This compares favorably to the
2,548 robberies reported in the neighborhood just outside its boundaries in 1995. Further,
overall crime rates in New York City were substantially higher than those in Starrett City.
New York averaged 84 felonies reported per 1,000 residents, while Starrett City reported just
th
7 felonies per 1,000. Similarly, in the 75 precinct, a residence outside Starrett City was 38
times more likely to be burglarized than one within Starrett City (Walsh et al., 1992). Signifi-
cantly, no physical boundaries or barriers separate Starrett City from other residents in the
precinct. The only real physical distinction is the private security personnel. The difference
between the neighborhoods is so stark that a Starrett City security supervisor described the
complex as “an oasis in a vast wilderness” (Carlson, 1995; Pastor, 2003).
In a survey conducted by Pennsylvania State University, almost 90 percent of the residents

said they felt “somewhat or very safe” living in the complex. Only 40 percent felt similarly
secure outside its boundaries (Carlson, 1995). The survey also found that 90 percent of the
residents believed the complex would not be safe without its private security personnel.
Significantly, over 50 percent said they would leave the area if the private police were not
employed (Walsh et al., 1992). Another indication of the commitment to private security is
that 78 percent of residents said that, if assaulted, they would call security before calling the
police (Walsh et al., 1992). Indeed, the complex receives only part-time coverage from two
police officers even though the complex accounts for about 16 percent of the population in
the precinct (Walsh et al., 1992). Without private policing, Starrett City would not be a secure
residential environment (Pastor, 2003).
San Francisco Patrol Special Police

A unique private policing arrangement, the San Francisco Patrol Special Police dates back to
the Gold Rush days. It provides San Francisco neighborhoods with supplementary police
patrols. Formed in 1847 by merchants to combat crime, the Patrol Special Police was
incorporated into the city’s charter in 1935.
The Patrol Special Police is a separately chartered law enforcement group that works under
the supervision of the San Francisco Police Department (SFPD). Patrol Special Officers are
governed by rules and procedures set by the San Francisco Police Commission. The commis-
sion is empowered to appoint patrol special police officers and may suspend or dismiss them
after a fair and impartial hearing on charges duly filed with the commission.
Each patrol special police officer must be at least 21 years of age at the time of appointment,
pass an extensive police background investigation, complete training at the San Francisco
Police Academy, and meet physical qualifications. These requirements are consistent with
those of the California Commission on Peace Officer Standards and Training. In addition,
these officers receive annual training from the SFPD and qualify with firearms at the police

department’s range. They wear uniforms approved by the police commission, carry firearms,
and use two-way SFPD radios. Each of these factors provides an excellent example of
structural interaction with the SFPD, including accountability measures designed to ensure
proper, consistent service.
Patrol special police officers are considered the owners of certain beats or territories that
may be established or rescinded by the commission. These beats are considered property
that may be bought, sold, leased, bequeathed by will, or otherwise conveyed to a person of
good moral character, approved by the police commission.
These private police officers are committed to community policing with an emphasis on
problem solving and community outreach. These goals are achieved through various tasks,
including walking the beat and getting to know people on an individual basis, attending
community meetings, and working closely with the police department and other city
agencies. This emphasis on community policing clearly reflects the need to serve clients and
perform an order maintenance function.
United Kingdom
Clapham, England, hired Guardforce Security Services to patrol the town with vehicles
equipped with video surveillance cameras (BBC News, 2004). In addition, the Kent County
Council allocated more than £1.4 million to the creation of its own private police force
(Short, 2001). The county will hire 12 neighborhood wardens, who will wear distinctive dark
red jackets with sheriff-style badges. The wardens are intended to be the eyes and ears of the
police. They will be trained by officers from the Kent Police Department (Short, 2001).
Toronto, Canada
The use of private police in the Toronto metropolitan area is best illustrated by the services
of Intelligarde. This security firm bills itself as “the law enforcement company.” According to
its Web site, the company is driven by the “belief that society and the individual have a
fundamental need for social order—a need unsatisfied by contemporary public policing.” In
response to this need, the firm’s personnel and programs are designed to “re-establish social
order where it is breaking down and then support social order on an ongoing basis”
(www.intelligarde.org). This assertion reflects an underlying order maintenance approach.
Intelligarde provides a wide variety of security services, including private police patrols in
numerous public environments. Its marketing materials boast “the largest mobile fleet of
marked and unmarked patrol vehicles in the Greater Toronto Area and also in Ottawa.”
Clients are provided verification of the time and location of patrols through the use of global
positioning system monitoring. Also provided are canine and mounted patrols, vehicle
patrols for alarm response, spot checks of specific locations, and sweeps of disorderly areas.

The officers also perform arrests to enforce various laws relating to incivility. This
enforcement orientation resulted in about 40,000 arrests over 25 years of work (Walmington,
2005). The willingness to make arrests is considered critical to the role of these private police
officers. The firm’s owner observes that enforcement and “social work” are both required. He
adds that the patrols must “be able to do the enforcement piece—but enforcement and
community development work together. One doesn’t work without the other.” The officers’
work requires “the denial of opportunity to the people who are intent on committing
criminal acts—the shooters, drug dealers and gang bangers. … In other words, you take away
the playing field.” This requires officers on-site who know the legitimate residents and check
out all the others coming onto the property. The firm’s owner uses the term “blended
policing” to describe “public safety officers” (that is, private police) working “hand in glove”
with the police (Walmington, 2005).
Marquette Park
In what may be the most comprehensive study of private policing to date, Pastor (2003)
conducted a multifaceted research study of the Marquette Park Special Service District on
th
the southwest side of Chicago. The boundaries of the special service area are from 67 Street
th
to 74 Street and Kedzie Avenue to Bell Street. Included within the area is approximately half
of Marquette Park, which is part of Chicago’s vast park district system. The name of the
special service district—and the neighborhood—reflects the name of the park.
The neighborhood consists of single-family residences, two- and three-story apartment build-
ings, and strips of businesses. The largest concentration of apartment buildings is on the east
side of the neighborhood. These apartment buildings are often poorly maintained or neglected.
Most of the single-family houses are better kept, yet some show signs of disrepair. The majority
of the deteriorated homes are found on the east side of the community (Pastor, 2003).
The streets are similar to those of a typical Chicago neighborhood, with trees on the
parkways between the street and the sidewalk. Businesses are located on the main arteries
that intersect the community. Many serve as hangouts for young people in the area. Citizens
expressed concerned that some youths appeared to be gang members, and many business
owners were fearful of their presence. Others seemed to cater to them, either for business or
possibly for protection. Indeed, the presence of loiterers, particularly gang members, was a
key concern of the community—and of the private patrol program (Pastor, 2003).
th
The special service district is part of the 8 Police District, which is segmented into 16 beats
and is one of the largest districts—in area and population—in Chicago. The special service
district is a separate taxing entity established in 1995. The decision to hire private security
patrols was done, at least partly, to stabilize the community. Long-term residents were moving
from the area. This flight from a community with generational ties dating back to the early

1900s created the desire to stop, or at least slow, the demographic changes. Before the
formation of the special service area, community groups petitioned for a ballot referendum. At
issue was whether property owners would vote to increase their real estate taxes for the
purpose of hiring private security patrols. These private patrols would supplement the police
department, seeking to reduce crime and minimize conditions that foster crime (Pastor, 2003).
There are certain requirements for the creation of special services districts. First, voters
within the area must pass a referendum to create the district as a legal entity. After the
referendum passes, it is referred to the city council. The formal establishment of the district
must be enacted pursuant to a resolution. This council resolution provides the legal
authority for the Cook County Collector to levy and collect real estate taxes from property
owners within the district. In this district, the service tax may not exceed .41 percent of the
assessed value of taxable property (Pastor, 2003).
Once a special service district is established, the alderman in the affected ward selects
individuals for the governing commission. They must be residents or business owners in the
community. Once appointed, each commission member serves a two-year term. There are
seven voting members within the governing commission. Each politically appointed
commission member is deemed a voting member. The commission also contains three non-
voting members, including the commander of the police district and two officials who
represent the Chicago Department of Planning and Development. These nonvoting
members are supposed to provide guidance to the voting members of the commission. The
commission is charged with overseeing the special service district, including preparing a
budget, conducting periodic community meetings, and arranging administrative matters to
operate the private police patrols.
The day-to-day affairs of the district are handled by the “sole service provider.” This commu-
nity-based organization acts as the intermediary between the community and the governing
commission and deals directly with the security firm. It addresses crime patterns and
incidents and performs other operational and administrative tasks, such as obtaining legal
counsel and insurance carriers. The sole service provider is also charged with hiring and
contracting with the security firm. This occurs after the governing commission makes the
selection based on a vote of board members. The hiring of a particular security firm is
accomplished through two separate contracts. One contract is between the City of Chicago
and the sole service provider, and the second contract is between the sole service provider
and the security firm.
Contract documents are drafted by the Chicago Department of Law. Oversight of the entire
process is accomplished by the city’s Department of Planning and Development (Pastor, 2003).
The budget to operate and administer the security patrols is approximately $200,000. These
monies come from the tax levy on real property within the special services district. The cost

for the average property owner is about $50 to $60 per year. Approximately $140,000 to
$150,000 goes to the security provider, another $5,000 is spent on insurance, and about $20,000
is used to pay for legal and other professional services. The remainder goes to office expenses
and administrative costs (Pastor, 2003).
The private police officers carry handguns and other police equipment. They use handcuffs,
flashlights, radios, and bulletproof vests. Each officer wears “civilian dress” clothing, which
looks almost identical to the attire worn by Chicago Police Department tactical officers. The
vehicles are also similar to those of the public police (Pastor, 2003). However, the officers are
not granted the “special police” designation. A couple of the officers are off-duty police, but
most have only private citizen arrest powers.
The study assessed three questions related to the privatized police services. The first
question was, “How do the private police officers perform their job?” Through ride-alongs,
interviews, and document analysis, the study found that the majority of their functional work
product was order maintenance (51.5 percent). Thirty-two percent of their work involved
observation and reporting, and 16.5 percent involved law enforcement (Pastor, 2003).
The second research question was, “Are these private police public actors?” The answer
affects whether constitutional provisions would apply to the actions of private police. The
study concluded that the private police were indeed public actors, so constitutional
provisions were applicable to their actions.
The third research question was related to whether the private police officers violated the
constitution in the performance of their duties. The study concluded that some private
police officers indeed violated the Fourth Amendment protection against unreasonable
searches and seizures. However, with inadequate training, a lack of policy guidelines, and
little accountability, the officers were doing the best job they could under demanding and
dangerous circumstances.
The examples in this section illustrate the effectiveness of privatization and the need for
cooperative efforts between private and public police. They demonstrate that such cooperative
efforts have been successful in combating crime and enhancing the environment within the
patrol arrangement. The mission of crime prevention within the security industry, coupled
with the ability of the police to arrest offenders, provides a dynamic combination of skills and
resources. The present focus on community policing may prefigure a widespread establish-
ment of privatized public safety services. Nonetheless, a difficult and uncertain transition lies
ahead. Functional, constitutional, and public policy considerations remain problematic
(Pastor, 2003).

7.5 The Future of Private Policing
7.5 THE FUTURE OF PRIVATE POLICING
7.5.1 NEW POLICING MODEL

A new model of policing is emerging, but before it can be described, two core questions must
be answered:
x Can municipal police departments perform as first responders for homeland security
and at the same time operate with a community service orientation?
x What future role will alternative service providers have in the delivery of public safety
services?
The answer to the first question would appear to be no. First, it seems that terrorism will be a
fact of life for years to come. If so, police agencies will not only have to deal with the carnage
associated with terroristic violence but may also be targets of the violence. Indeed,
contemporary times reveal horrendous violence against Iraqi police and civil defense forces.
Being both a first responder and a target will create an environment that is extraordinarily
complex, in both operational and human terms.
The second part of this question is that community policing, which has been the widely
accepted policing model, is about to end. While this statement may be subject to criticism
from police, academics, and politicians, federal funding of community policing programs is
largely exhausted. Without additional monies, this policing model will slowly be
deemphasized into extinction. If the money for community policing is now directed to
homeland security, then police agencies will redirect their missions accordingly. However,
private police may prove to be excellent providers of community policing services because of
their responsiveness to their clients.
The answer to the second question is that, with the future police focus on terrorism and
violent crime (including street gangs, which are likely to graduate to terrorism), the need for
alternative service providers becomes paramount. Alternative service providers will be the
paraprofessionals of police departments. These alternative service providers include private
police, civilian employees of police agencies, and auxiliary (volunteer) officers. While it is
likely that all three types of alternative service providers will coexist, the most likely and
beneficial option is private police officers.

7.5.2 STRUCTURAL/OPERATIONAL COMPONENTS

Figure 7-3 illustrates this public safety policing model:
Copyright by James F. Pastor, 2005. Used with permission.
Figure 7-3
Public Safety Policing Model
While this figure excludes certain police functions (such as investigative and administrative
units), it captures the essence of the three key aspects of street policing. Tactical operations
would include heavy weapons/SWAT teams, gang and drug tactical teams, and saturation
units. This aspect of policing is likely to be much more militarized than at present. It will
focus on tactical techniques accomplished by highly trained public police officers.
The technological functions will also be greatly expanded. Many technologies commonly
used in security will be emphasized in police agencies, including networked cameras and
access control systems, predictive crime mapping software, and integrated identification
systems. These technologies will improve the “eyes and the ears” of policing agencies to
better respond to and even predict criminal or terrorist behavior. The key to this approach is
surveillance for crime prevention, apprehension, and enforcement.
Order maintenance operations will be the key component for alternative service providers.
The key will be to control the environment, focusing on both physical aspects and social
incivilities. The primary tasks of these service providers will be to provide routine service
functions, such as report writing, alarm response, traffic control, and “street corner security.”
Each of these tasks relates to either order maintenance or “observe and report” functions.
In these ways, alternative service providers will also enhance the “eyes and ears” of policing
agencies. The majority, if not the vast majority, of order maintenance functions will be
conducted by private police employed by security firms. This work product, however, must
be based on contractual provisions or be directly tied to the structure of the policing agency
within the jurisdiction. An excellent example of contracted arrangements is Wackenhut’s

agreement with the Durham Transit Authority to provide security on transit buses. A more
comprehensive structural arrangement is illustrated by the San Francisco Patrol Special
Police. This arrangement provides excellent accountability methods and is directly
connected through various structural components to the San Francisco Police Department.
These examples provide useful models for consideration by those who seek to implement
public safety services within public environments.
7.5.3 LEGAL/LICENSING STANDARDS

The legal limitations on private police regarding arrest powers and the use of force have been
demonstrated. It is recommended that private police officers be vested with some govern-
mental authority. Currently, there are three basic alternatives, as Figure 7-4 shows:
X X X
Private Citizen Special Police Peace Officer
Figure 7-4
Continuum of Governmental Authority
The figure depicts a continuum. On one extreme are private citizen arrest powers. On the
other extreme are peace (police) officer arrest powers. In the middle are special police
powers, which combine the private citizen role with the arrest powers of a peace officer
(public police officer). Peace officer arrest powers are only available to the special police
officer when he or she is on duty. This limitation should not be considered problematic as it
does not affect the work such officers are paid to perform (Pastor, 2006).
Certain benefits follow from being “blessed” by government, such as a moral and legal
authority that most citizens respect. The pronouncements and actions of an officer with
governmental authority are much more likely to be complied with. The common response
that “I don’t have to listen to you; you are not the police” would be largely negated with this
connection to governmental authority. Without this designation, a private police officer is
simply one private citizen telling another private citizen what to do.
This approach would give municipal police departments a larger force without the financial
and operational challenges of employing more police officers. In addition, this special police
designation may carry with it the protection of qualified immunity. Qualified immunity acts
as a liability shield to protect the officer (and his or her employer) from civil lawsuits.
Although this shield is not available for reckless or malicious conduct, it protects the
reasonable and prudent officer who makes a mistake in judgment or behavior. Further, it

reduces the legal exposure of the security firm and the insurance costs associated with the
service provision (Pastor, 2006).
Licensing standards directly relate to the issue of legal authority. To perform the work of the
public police, private police officers should be trained and selected in a manner
commensurate with their functional work product. In furtherance of this goal, ASIS
International has promulgated the Private Security Officer Selection and Training Guideline,
which states that “security officers … must also be able to work closely and effectively with
public safety personnel” (ASIS International, 2004). The guideline is by far the most
comprehensive approach to addressing the training and selection of security officers. It
recommends state regulation regarding background investigations, training, continuing
education, insurance, licensing, and oversight bodies. In addition, it suggests selection criteria
for new hires, including criminal history, education, citizenship, fingerprinting, photographs,
drug screening, and other personal information related to the applicant. Each of these factors
will go a long way toward establishing more professionalism in the security industry generally
and in those private police officers who operate within the public realm. Since the actions of
private police officers are likely to be much more visible in the public realm, the need to meet
or exceed these criteria is of critical importance (Pastor, 2006).
Still, the training and selection standards need not be equivalent to those for public police
officers, who typically receive 600 to 800 hours of training. Instead, the best practice would
be to develop a training curriculum that focuses on the particular role or function to be
performed. The different levels and types of training would then be regulated through
governmental licensure.
The proposed training and licensing continuum could be illustrated as follows:
PUBLIC Traffic Control Patrol Officer Tactical Detective SWAT

Officer HBT
PRIVATE Desk/Greeter Building Street Patrols Investigator Nuclear Utility

Patrols Infra-Strt.
License: A B C D E
Copyright by James F. Pastor, 2005.
Figure 7-5
Functionality/Criticality Continuum

In this model, the key is to assess both the function and criticality of the job. As the
complexity of the work increases, or as the critical nature of the task increases, the level of
training and licensing should also increase. A comparison can be found in vehicle licensing
standards. For passenger vehicles, the typical training and licensing requirements are basic.
As the type of vehicle becomes more difficult to operate (e.g., a tractor-trailer), or as the nature
of the cargo becomes more important to protect (e.g., passengers in a bus or dangerous
chemicals in a tank car), the need for better trained and more highly skilled drivers also
increases (Pastor, 2006). The key is to train and license security officers in a manner that
adequately prepares them for the expected work product. For example, the tasks of a desk
greeter differ substantially from the tasks of a security officer at a nuclear power plant. Each
should be trained and licensed at a different level. The licensing should range from class A to
D or E, depending on the particular legislative approach. Similarly, training hours should
range from 20 or 40 at minimum to 200 to 600 for street patrols and critical infrastructure
security (Pastor, 2006).
Finally, the issue of accountability of private police should be addressed. Private police must
be—and must be perceived as—accountable to the community, the law, and the larger
society. Real and specific mechanisms must be in place. One of the most telling conclusions
from Pastor’s research is that privatized policing arrangements must develop formal
accountability standards and methods (Pastor, 2003).
There are several avenues for enhancing accountability. First, specific operating procedures
must be developed to address the realities of the job. Without such guidance, there is simply
too much discretionary decision making in the fluid environment of the street. Indeed,
discretion without judgment formed through proper guidance and experience is a recipe for
disaster.
Second, a community-based board should be established to oversee the operations of private

policing firms. Just as community policing is designed to get the community involved in the
day-to-day operations of the police, this oversight board can work with administrators of the
security firm to direct and guide approaches to community problems. Unlike community
policing, however, a contracted relationship provides for a more authentic client-based
service because the security firm can be fired. A police agency does not face this ultimate
sanction. Too much of the current community policing model is based on the rhetoric of
community decision making, without much actual decision-making authority. Local police
administrators should also work with this oversight board, helping to coordinate the
activities of both the public and private police officers.
The last critical element of accountability is to have some well-defined process for addressing
citizen complaints. This should be done by a separate board vested with subpoena powers, the
ability to conduct hearings, and the legal authority to levy warnings, fines, and other employ-

ment and contractual remedies (Pastor, 2006). Such authority could be granted to various
existing government agencies, such as a department of professional regulation or a civilian
oversight board that monitors police misconduct. However the board is constituted, it must be
able to deal with the types of complaints common to police departments (Pastor, 2006).
In conclusion, the coming years are likely to bring many challenges. All nations will be faced
with varying levels of political unrest, financial constraints, and the threat of violence and
terrorism. These factors cannot be completely avoided.
The challenges ahead present a massive potential market for security firms. Just as the new
asymmetric form of warfare is changing the way the military confronts and combats
terrorism, so too police agencies must reinvent their way of policing. This transformation will
leave a gap in how public safety services are delivered. Security firms are uniquely prepared
to bridge this gap and deliver order maintenance and related services. The former president
of the Illinois Association of Chiefs of Police notes that in the current climate what was once
considered a professional relationship between the public and private sectors has now
become a professional necessity (Braglia, 2004). This professional necessity presents the
largest increase in business opportunities for security firms since the 1850s, when security
personnel policed the American Wild West. This opportunity, however, is a double-edged
sword, replete with pitfalls for the unwary (Pastor, 2006).
The desire for professionalism in private policing must center on an even more basic
purpose: the safety of individuals and communities and the stability of their way of life. The
threat of terrorism is designed not only to kill people and damage property, but also to
destroy the social fabric. Those in the security industry, especially those protecting public
environments, trophy or symbolic buildings, and critical infrastructure, will be in the front
lines of this asymmetric conflict. Advancing standards and principles of professionalism is
the best defense (Pastor, 2006).

REFERENCES
ASIS International. (2010). Private security officer selection and training guideline. Available: http://
www.asisonline.org [2011, December 8].
Bailin, P. (2000, November). Gazing into security’s future. Security Management.
Bayley, D. H., & Shearing, C. D. (2001). The new structure of policing. Washington, DC: National
Institute of Justice.
BBC News. (2004). Private ‘police’ confuse public. Available: http://www.bbc.co.uk/1/hi/uk/3664365.

stm [2006, May 23].
Benson, B. L. (1990). The enterprise of law: Justice without state. San Francisco, CA: Pacific
Research Institute for Public Policy.
Benson, B. L. (1997). Privatization in criminal justice. Washington: National Institute of Justice.
Bilik, A. (1992). Privatization: Defacing the community. Labor Law Journal, pp. 338-343.
Blyskal, J. (1996, March 16). Thugbusters. New York.
Braglia, F. T. (2004, Winter). Public-private law enforcement: A win-win partnership, Command.
Brown, C. (2004, December). Outsourcing police jobs: Cops replaced by civilians to cut costs.
American Police Beat.
Bureau of Justice Assistance. (2005). Engaging the private sector to promote homeland security:
Law enforcement–private security partnerships.
Carlson, T. (1995). Safety Inc.: Private cops are there when you need them. Policy Review, 73, Summer.
Chaiken, M., & Chaiken, J. (1987, June). Public policing—privately provided. Washington: National
Institute of Justice.
Clemow, B. (1992). Privatization and the public good. Labor Law Journal, Vol. 43, pp. 344–349.
Clotfelter, C. T. (1977). Public services, private substitutes and the demand for protection against
crime. The American Economic Review, 67(5).
Cohen, L. E., & Felson, M. (1979). Social change and crime rate trends. American Sociological
Review, 44, 588–607.
Covington, J., & Taylor, R. B. (1991). Fear of crime in urban residential neighborhoods. The Socio-
logical Quarterly, 32(2), 231–249.

st
Cox, S. M. (1990). Policing into the 21 century. Police Studies, 13(4), 168-177.
Cruickshank, K. (1994, November). Frenchman’s Creek provides the ultimate in security.

Manager’s Report, No. 8.
Cunningham, W. C., Strauchs, J. J., & Van Meter, C. W. (1990). Private Security Trends 1970- 2000:
The Hallcrest Report II. Boston: Butterworth-Heinemann.
Dalton, D. R. (1993, January). Contract labor: The true story. Security Management.
Davis, R. C., & Dadush, S. (2000). The public accountability of private police: Lessons from New
York, Johannesburg, and Mexico City. Vera Institute of Justice. Available: http://www.vera.
org/download?file=225/privatepolice.pdf [2006, December 8].
DiIulio, J. J. (1995). Ten facts about crime. Washington, DC: National Institute of Justice.
Donahue, J. D. (1989). The privatization decision. New York: Basic Books.
Farnham, A. (1992, December 28). U.S. suburbs are under siege. Fortune.
Fisher, B., & Nasar, J. L. (1995). Fear spots in relation to microlevel physical cues: Exploring the
overlooked. Journal of Research in Crime & Delinquency, 32(2), 214–239.
Geyelin, M. (1993, June 1). Hired guards assume more police duties as privatization of public safety
spreads. The Wall Street Journal.
Gibbs, J. P., & Erickson, M. L. (1976). Crime rates of American cities in an ecological context.
American Journal of Sociology, 82, 605–620.
Goldberg, C. (1994, December). New roles for private patrols. Security Management.
Gordon, C., & Brill, W. (1996, April). The expanding role of crime prevention through environ-
mental design in premises liability. Washington, DC: National Institute of Justice.
Hebdon, R. (1995). Contracting out in New York State: The story the Lauder Report chose not to
tell. Labor Studies Journal, 20(1), 3–24.
Institute of Management & Administration. (2001, May). Security Director’s Report.
Jackson, P. I. (1984). Opportunity and crime: A function of city size. Sociology & Social Research,
68(2), 173–193.
Johnston, L. (1992). The rebirth of private policing. London: Routledge.
Kaplan, Robert (1994, February). The coming anarchy. The Atlantic Monthly.

Kelling, G. (1995, May/June). Reduce serious crime by restoring order. The American Enterprise.
Kolpacki, T. A. (1994, November). Neighborhood watch: Public/private liaison. Security Manage-

ment.
Lewis, D. A., & Maxfield, M. G. (1980, July). Fear in the neighborhoods: An investigation of the
impact of crime. Journal of Research in Crime & Delinquency, pp. 160–189.
Linowes, D. F. (1988). Report of the President’s Commission on Privatization—Privatization: Toward

More Effective Government. Washington: U.S. Government Printing Office.
Liska, A. E., Lawrence, J. J., & Sanchirico, A. (1982). Fear of crime as a social fact. Social Forces,
60(3), 760–770.
Litsikas, M. (1994, September). Security system installations up in 1994. Security Distributing &
Marketing.
Meadows, R. J. (1991). Premises liability and negligent security: Issues and implications. Journal of
Contemporary Criminal Justice, 7(3), 112–125.
McKenzie, E. (1994). Privatopia: Homeowner associations and the rise of residential private
government. New Haven, CT: Yale University Press.
McLennan, B. N., ed. (1970). Crime in urban society. London: Cambridge University Press.
McLeod, R. (2002). Para-police. Toronto: Boheme Press.
Miller, W. R. (1977). Cops and bobbies: Police authority in New York and London, 1830–1870.
Chicago, IL: University of Chicago Press.
Miranda, R. A. (1993). Better city government at half the price. In Chicago’s Future in a Time of
Change, Richard Simpson, ed. Champaign, IL: Stipes.
Mokwa, J., & Stoehner T. W. (1995, September). Private security arches over St. Louis. Security
Management.
Moore, M. H., & Trojanowicz, R. C. (1988, November). Corporate strategies for policing. National
Institute of Justice Perspectives on Policing, No. 6.
Morgan, D. R. (1992). The pitfalls of privatization: Contracting without competition. American

Review of Public Administration, 22(4), 251-268.
National policy summit: Building private security/public policing partnerships to prevent and
respond to terrorism and public disorder. (2004). Washington, DC: U.S. Department of Justice.
Nemeth, C. P. (1989) Private security and the law. Cincinnati, OH: Anderson.

Olick, M. (1994, December). Private response: The no response solution. Security News.
Oliver, W. M. (2004). Community-oriented policing: A systematic approach to policing. Upper

Saddle River, NJ: Prentice Hall.
Operation Cooperation: Guidelines for partnerships between law enforcement and private security
organizations. (2000). Washington: Bureau of Justice Assistance.
Palango, P. (1998, January 12). On the mean streets: As the police cut back, private cops are moving
in. MacLeans.
Pastor, J. F. (2003). The privatization of police in America: An analysis & case study. Jefferson, NC:
McFarland.
Pastor, J. F. (2005, November). Public safety policing. Law Enforcement Executive Forum, Vol. 5,
No. 6, pp. 13–27.
Pastor, J. F. (2006). Security law & methods. Burlington, MA: Butterworth-Heinemann.
Patterson, J. (1995, January). Forging creative alliances. Security Management.
Perez, E. (2002, April 9). Demand for security still promises profit. The Wall Street Journal.
Prenzler, T. (2005). Mapping the Australian security industry. Security Journal, 18(4), 51–64.
Reppetto, T. (1974). Residential crime. Cambridge: Ballinger.
Reynolds, M. O. (1994). Using the private sector to deter crime. National Center for Policy Analysis
Policy Report No. 181. Available: http://www.ncpa.org/pub/st181 [2006, December 8].
Robbins, S. P. (2003). Organizational behavior. Upper Saddle River, NJ: Prentice Hall.
Robinson, F. W. (1996, February). From blight to bliss. Security Management.
Robinson, M. (1997, April 30). Why the good news on crime. Investor’s Business Daily.
Sarre, R. (2005). Researching private policing: Challenges and agendas for researchers. Security
Journal, 18(3), 57–70.
Savas, E. S. (2000). Privatization and public-private partnerships. London: Chatham House.
Schine, E., Dunham, R. S., & Farrell, C. (1994, December 12). America’s new watchword: If it
moves, privatize it. Business Week.
Seamon, T. M. (1995, September). Private forces for public good. Security Management.

Shearing, C. D., & Stenning, P. C. (1983). Private security: Implications for control. Social Problems,
30(5), 493–506.
Shenk, J. W. (1995, May). The perils of privatization. The Washington Monthly.
Short, V. (2001). Kent County Council creates its own private police force. Available: http://
www.wsws.org [2006, May 23].
Simeone, M. J. (2006, May). The power of public-private partnerships: P3 networks in policing. The
Police Chief.
Smith, L., & Hill, G. D. (1991). Victimization and fear of crime. Criminal Justice and Behavior, 18(2),
217–240.
Spencer, S. (1997). Private security. Phoenix Mosaic Group. Available: http://web.archive.org/

web/20010303062708/http://www.onpatrol.com/cs.privsec.html [2006, December 8].
Spitzer, S., & Scull, A. T. (1977). Privatization and capitalist development: The case of the private
police. Social Problems, 25(1): 18–28.
Stephens, G. (2005, March/April). Policing the future: Law enforcement’s new challenges. The
Futurist, Vol. 39.
Tolchin, M. (1985, November 29). Private guards get new role in public law enforcement. The New
York Times.
Walinsky, A. (1993, July). The crisis of public order. The Atlantic Monthly.
Walmington, J. (2005). Good guys must seize and control turf. The Toronto Sun, December 31,
2005. Available: http://www.torontosun.com [2006, June 25].
Walsh, W. F., Donovan, E. J., & McNicholas, J. F. (1992). The Starrett Protective Service: Private
policing in an urban community. In Gary W. Bowman et al. (eds.), Privatizing the United States
Justice System. Jefferson, NC: McFarland.
Warner, S. B., Jr. (1968). The private city. Philadelphia, PA: University of Pennsylvania Press.
Wessel, R. H. (1995, October). Privatization in the United States. Business Economics.
West, M. L. (1993, March). Get a piece of the privatization pie. Security Management.
Youngs, A. (2004, January). The future of public/private partnerships. FBI Law Enforcement
Bulletin.
Zielinski, M. (1999). Armed and dangerous: Private police on the march. CovertAction Quarterly.
Available http://mediafilter.org/caq/caq54p.police.html [2006, December 8].

ADDITIONAL READING
Benson, B. L. (1996). Are there tradeoffs between costs and quality in the privatization of criminal
justice? Journal of Security Administration, 19(2), 19–50.
Blakely, E. J., & Snyder, M. G. (1997). Gating America. Available: http://www.asu.edu/caed/

proceedings97/Blakely [2004, October 28].
Clutterbuck, R. (1975). The police and urban terrorism. The Police Journal.
Crenshaw, M., ed. (1983). Terrorism, legitimacy and power: The consequence of political violence.
Middleton, CT: Wesleyan University Press.
Cunningham, W. C., & Taylor, T. H. (1994). The growing role of private security. National Institute
of Justice.
Davis, J. R. (1982). Street gangs: Youth, biker and prison groups. Dubuque, IA: Kendall-Hunt.
DuCanto, J. N. (1999). Establishment of police and private security liaison. Manuscript presented
th
at 45 Annual Seminar of the American Society for Industrial Security International, Las Vegas,
Nevada.
Ezeldin, A. G. (1987). Terrorism and political violence. Chicago, IL: University of Illinois at Chicago
Press.
Feliton, J. R., & Owen, D. B. (1994, September). Guarding against liability. Security Management.
Graham, T., & Gurr, T., eds. (1971). History of violence in America. Princeton, NJ: Princeton Univer-
sity Press.
Greisman, H .C. (1979). Terrorism and the closure of society: A social impact projection.
Technological Forecasting and Social Change, Vol. 14.
th
Law Enforcement and Industrial Security Cooperation Act of 1996. (1996). H.R. 2996, 104
Congress.
Kolderie, T. (1986). The two different concepts of privatization. Public Administrative Review,
10(2), 285–290.
Landman, K. (2003). National survey of gated communities in South Africa. Available: http://
www.gatedcomsa.com [2006, June 20].
McGoey, C. E. (1999). Gated communities: Access control issues. Available: http://www.crime

doctor.com/gated.htm [2006, June 20].

Nalla, M. & Newman, G. R. (1991). Public versus private control: A reassessment. Journal of
Criminal Justice, 19, 414–436.
Pastor, J. F. (2005). Terrorism & public safety policing. Crime &Justice International, 21(85), 4–8.
Robbins, S. P. (2003). Organizational behavior. Upper Saddle River, NJ: Prentice Hall.
Trojanowicz, R. C., & Carter, D. L. (1990, January). The changing face of America. FBI Law
Enforcement Bulletin.
U.S. Department of Justice (2004). Crime in the United States. Available: http://www.fbi.gov/
about-us/cjis/ucr/crime-in-the-u.s./2004 [2006, June 23].
Wardlaw, G. (1982). Political terrorism: Theory, tactics and counter-measures. Cambridge:

Cambridge University Press.
Waugh, W. L. (1982). International terrorism. Salisbury, NC: Documentary Publications.
Wolf, J. B. (1981). Fear of fear: Survey of terrorist operations and controls in open societies. New
York, NY: Plenum.
WSOC-TV. (2006). Private police patrols begin in Charlotte. Available: http://www.wsoctv.com/

news/7561311/detail.html [2006, May 23].
Young, R. (1977). Revolutionary terrorism, crime and morality. Social Theory and Practice, Vol. 4.
WEB SITES
http://www.cityoflondon.police.uk/CityPolice/Departments/CT/ProjectGriffin/
http://www.met.police.uk/projectgriffin/
http://www.intelligarde.org
http://www.sfpatrolspecpolice.com

CHAPTER 8
CONSULTANTS AS A PROTECTION
RESOURCE
8.1 THE VALUE OF CONSULTANTS

Security executives, just like other corporate executives, encounter times when they need
professional expert advice or guidance. At the same time, companies without a formal
security function may need to call on outside help to aid in a specific security-related task. In
either scenario, executives seek out external expertise for many reasons, such as the lack of
time or in-house specialized knowledge. They also may desire an independent, objective
assessment, fresh ideas, or the flexibility to hire personnel as needed.
Security consultants, niche professionals within the greater security industry, are the
principal resource for such assistance. On occasion, knowledgeable individuals within a
company may be called in to help, but typically, professional security consultants are the
resource security or corporate executives turn to for guidance. Independent security
consultants are often viewed as an invaluable resource since they do not promote or sell a
product but rather assess actual needs and recommend a mix of security solutions to reduce
threats.
For companies faced with liability concerns, an objective, third-party study of critical issues
is often preferred over an in-house analysis. Security consultants provide the company with
that objectivity, which is a distinct advantage when dealing with common security issues
such as liability and due diligence. Some companies also stagnate from a lack of ideas and
turn to consultants who can provide much-needed out-of-the-box thinking. Others look to

CONSULTANTS AS A PROTECTION RESOURCE
8.1 The Value of Consultants
outside resources because they are not as susceptible to corporate politics or bureaucratic
red tape. Finally, contracting with outside resources is often less expensive than hiring addi-
tional staff as no capital outlay or payroll overhead is necessary, especially if the work is
periodic and therefore does not warrant the creation of a full-time position.
Though consultants are commonly accepted within today’s organizations, executives may
encounter some resistance from middle management and line employees, who may perceive
that their jobs are in jeopardy. Though this perception is mostly unfounded, it is an issue that
the consultant and management must address. Resistance to the use of a security consultant
usually reflects one or more of the following concerns:
x Asking for outside help suggests that the security staff is incompetent.
x A negative report from an outsider reflects unfavorably on the security program and
the organization.
x The organization and its policies and procedures could be compromised by an outsider
who would become intimately familiar with the enterprise.
Despite these objections, modern management practices used by executives in every

organizational function show that many benefits are derived by maximizing the use of
outside consultants. Similarly, security executives can augment their resources by bringing
in temporary talent to solve a host of problems and challenges while reducing costs and
enhancing the status of the security department and its employees.

8.2 Types of Security Consultants
8.2 TYPES OF SECURITY CONSULTANTS

Security consultants can be classified into three major categories: security management
consultants, technical security consultants, and security forensic consultants. Additionally, a
security consultant or security advisory committee may be an internal resource to assist
company or security executives in identifying and solving security problems before they
warrant outside involvement.
8.2.1 SECURITY MANAGEMENT CONSULTANTS

This category of consultants represents the largest group within this niche profession. Invari-
ably, security management consultants specialize in a certain discipline, which comprises
the foundation of their expertise (and reputation). Management consultants assist the client
in managing the protection strategies for the business. The list of specialties is only limited
by those institutions and commercial endeavors in society today, such as healthcare,
manufacturing, transportation, banking and finance, and retail.
Understanding a consultant’s specialty is an important qualifier, however. For example,

suppose a retail firm opts to bring in a security consultant to assess its distribution system.
Based on this specific need, the retailer would want to search for security consultants with
expertise in retail security, loss prevention, or supply chain management. Similarly, a theme
park may seek the services of a security consultant to review and possibly rewrite the security
department’s policies and procedures manual. A consultant experienced in theme park
security and policy development would clearly be the logical expert to undertake this
assignment.
The targeted focus of these two examples underscores a very important aspect of security
consulting called the scope of work. That topic is addressed later in this chapter.
Security consultants with specialties other than retail or amusement parks might also be
effective in addressing the needs posed in the previous examples. Experts in warehouse
operations, over-the-road trucking operations, delivery services, or shipping and receiving all
might qualify for the retail assignment, and a retail security or loss prevention consultant
might be fully capable of dealing with the theme park’s needs.
In fact, many security management consultants are generalists within the security discipline.
For example, a consultant who has a strong background in banking and finance will almost
certainly have a general knowledge of related specialties such as investigations, physical and
electronic security, and preemployment screening. While some of these may appear to be
technical specialties, management consultants will not cross into technical specifics. They
may be able to provide the functional concepts of a security system, but they will not be
specialists in the detailed design of the system.

8.2.2 TECHNICAL SECURITY CONSULTANTS

Consultants in this category have special technical expertise. They generally focus on certain
types of security applications, such as the following:
x physical security and system integration
x IT security
x personnel security
x convergence
x legal issues and other regulations

x engineering
x liability and due diligence

x security personnel and protective force management
Technical security consultants specialize in translating the concepts and functionality pro-
vided by the security management consultant into detailed blueprints and equipment
specifications. This capability requires years of technical training and experience. Some
technical security consultants also provide management services, such as writing security
procedures and policies, but they might also subcontract those services to a security
management consultant.
Security executives often call upon technical security consultants to assist with new
construction or renovation projects. These consultants can work with the architects and
design engineers to ensure that the needed security systems, such as access control, video
surveillance, and alarm monitoring, are integrated into the initial designs. Drawing on his or
her technical understanding of blueprints and design documents, the technical consultant
can uncover security concerns in the plans before they are finalized. Finally, this consultant
can recommend security hardware and software that is compatible with other building
systems and takes advantage of the overall planning concepts. Addressing these issues in the
design stages keeps security in the forefront of planning, which ensures that the security
agenda receives adequate attention. Using a technical consultant in this way saves money
because it eliminates having to retrofit security into a structure once it’s built.
8.2.3 FORENSIC SECURITY CONSULTANTS

Forensic consulting deals with investigation, identification and collection of evidence,
identification of vulnerabilities, mitigation strategies and litigation. A forensic security
consultant may be referred to as an expert witness, an outdated term that is quite broad and
implies expertise on any issue. The forensic security consultant works exclusively on
security-related issues.

Both security management consultants and technical security consultants may undertake
forensic assignments in civil lawsuits that involve a security-related matter. An example
might be defending a claim of excessive use of force by the security employee of a nightclub
when an intoxicated patron was physically ejected and, in the process, sustained serious
injuries. Alternatively, a consultant might be called on to testify in a false arrest lawsuit where
a shopper was detained for shoplifting, but the evidence proved no crime or theft had
occurred. The judicial system relies on experts who, in these examples, would be allowed to
testify as to whether the use of force by the security employee was reasonable or excessive
and whether there was probable cause for the shoplifting detention.
Some corporate risk managers have relied on security consultants with forensic experience
to evaluate incidents to determine if the claim of negligence is warranted or if insurance
demands hold merit. Some major security departments, working with their insurance carrier,
insist that certain forensic security consultants be retained in their defense based on prior
cases in which the consultant aided in successful litigation. (These topics and related
subjects are discussed at length in the Protection of Assets volume on legal issues.)
8.2.4 SECURITY ADVISORY COMMITTEE

Security advisory committees are an internal resource that can be formed to assist corporate
executives and chief security officers in their efforts to ensure that current security measures
are adequate. Should changes be warranted, the committee can help ascertain whether the
problem can be corrected through internal resources or should be referred to an external
consultant. An example of a policy statement that authorizes such a committee follows:
The purpose of the security advisory committee is to critically examine the security program
to ensure that all company assets are being protected, to maintain general oversight over the
program, and to assist the corporation in meeting corporate and government requirements.
The committee, chaired by a project coordinator, reviews the corporate security program at
least quarterly to determine if any additional protective measures are needed and advises on
any changes to policies or procedures. The group can review new program suggestions in
light of their effect on the company as a whole, on specific organizational units, and on
employees. Criticism or suggestions from supervisors or employees can be fielded by
committee members, and recommendations for corrective action can be considered.
Committee members should represent key corporate functions. Also, they should have
attained stature and creditability within the organization and have sufficient information
about the company’s operation to enable them to offer useful opinions about actions that
should be taken by internal security staff or by outside consultants.

8.3 How to Use a Consultant
8.3 HOW TO USE A CONSULTANT

Consultants can provide many services, as outlined in the lighthearted “Alphabetical Soup of
Consulting” (Sennewald, 2004, p. 8) shown in Appendix A. The decision to retain security
consulting services is typically driven by a specific problem, need, challenge, or goal. For
example, a grocery store chain facing numerous violent crimes at one of its stores may hire a
consulting firm to determine the best ways to reduce the opportunities for crime to occur at
a specific store or across the enterprise. If the scope of work is limited to a specific store, the
company’s management may ask the consultant to determine the level of crime at that
particular property and then make recommendations for security changes.
In reality, however, the consultant will typically conduct a more thorough crime analysis,
which can be defined as follows (Vellani & Nahoun, 2001, p. 2):
Crime analysis is the logical examination of crimes which have penetrated preventive
measures, including the frequency of specific crimes, each incident’s temporal details (time
and day), and the risk posed to a property’s inhabitants, as well as the application of revised
security standards and preventive measures that, if adhered to and monitored, can be the
panacea for a given crime dilemma.
Through the analysis, the consultant will first determine what crimes have occurred in the
store and its parking lot. The consultant then evaluates the specific security measures in
place where the crimes occurred and makes note of any additional measures that should be
in place to block future opportunities for crime.
In making recommendations, the independent security consultant seeks to develop an effec-

tive mix of security solutions. That mix may include a combination of architectural design
and crime prevention methods known as crime prevention through environmental design
(CPTED), changing the environmental design, updating policies and procedures, adding
security personnel, and upgrading the physical security requirements. Clients should be
concerned if a non-independent consultant promotes only one product or a limited range of
security measures. Effective security programs typically include a well-thought-out array of
security measures.
Nearly every security executive has had a program, request, or recommendation rejected by his
or her management. For example, a recommended series of barriers in a protection plan,
known as security-in-depth, may be proposed. Competition for resources is a fact of
organizational life, and there may be alternate claims on the resources required to implement
the barriers. An independent consultant can review the proposal and provide objective advice
as to whether the proposed barriers are an efficient and cost-effective method of reducing a
security exposure. Also, a consultant should be able to identify whether the barriers will create
additional hazards or issues and, if so, how these can be addressed In the previous example,

8.4 How to Find a Security Consultant
the outsider can see what those who worked at the store every day could not see, another
example of the effective use of a consultant who can look at an issue with a fresh set of eyes.
Management is usually amenable to a consultant’s ideas, since he or she draws on

experience from other companies and can speak to industry norms. At times, consultants are
even asked to arrange meetings among clients from several companies to discuss industry
best practices. The consultant should remain above company politics, however. Delving into
company politics is an unnecessary distraction that only complicates the issues and costs the
company time and money.
8.4 HOW TO FIND A SECURITY CONSULTANT

Most security executives today know one or more security consultants, and these connections
are a logical starting point for locating a consultant suited to a specific assignment. However,
the more professional the consultant, the more restrictive he or she will be in accepting a
particular assignment. Most consultants specialize and may not see themselves as suited for
every need. Clients should be cautious of a consultant claiming to be able to address all
aspects of security.
One of the best sources for finding a consultant is a referral from a colleague, preferably in a
similar business. Companies without security connections should look into industry
associations that have consultants as members. In the security industry, many independent
consultants belong to the International Association of Professional Security Consultants and
ASIS International. Consulting associations with members in a variety of fields are another
alternative. The Institute of Management Consultants is one such organization.
Other sources to consider are industry-specific associations such as the Building Owners and
Managers Association, the Institute for Real Estate Management, and the International
Association of Chiefs of Police or any of their local equivalent organizations. A search of the
Internet will reveal many more security associations worldwide, including the International
Professional Security Association, Professional Information Security Association, and
Information Systems Security Association.

8.5 Selecting a Security Consultant
8.5 SELECTING A SECURITY CONSULTANT

Selecting a security consultant that meets a company’s needs requires thoughtful
consideration of various candidates’ credentials and personal interviews. As a guide, and
after defining the scope of work, the following five steps can be used when selecting a
consultant:
Step 1: Identify candidates.
Step 2: Invite candidates to submit an application.
Step 3: Evaluate the applications.
Step 4: Interview the top two candidates.
Step 5: Negotiate an agreement and finalize the selection.
To identify candidates, the first step, company representatives should talk to peers and
colleagues to elicit suggests of consultants they know. Additional names may be gleaned
from industry associations. Placing an advertisement in related publications may also bring
in candidates.
In the second step, the company should develop a custom application that asks for basic
information from each candidate that can be used for comparison. A sample application is
shown in Appendix B. As an alternative, the company can ask the candidates to submit
letters outlining their services, and the sample in Appendix B can be used as a checklist.
Candidates should be asked to attach a copy of their curriculum vitae (CV) to the application
or letter. In jurisdictions where security consultants are required to be licensed or registered,
appropriate proof must be provided.
A sample CV is shown in Appendix C. The application and the CV provide a uniform way to
compare the credentials of each candidate. Also, having to provide both an application and a
CV may discourage someone with weak qualifications from applying. Thus, the documents
themselves may disqualify poor candidates.
During step three, the quality of the documents and the candidates’ credentials are
compared. Another source of useful information can come from prior clients, and several
should be contacted from a list provided by the applicants. As top candidates emerge, a
background investigation should be performed by contacting references and using a
structured interview process to evaluate responses.
The two top candidates should be interviewed personally by at least two representatives of
the company, the fourth step in the hiring process. To help the discussion, the candidate

8.5 Selecting a Security Consultant
should be asked to bring redacted work samples to the interview for review. The same or very
similar questions should be put to each candidate so the interviews are comparable.
Questions should probe the candidate’s security philosophy to ensure that it is a close fit
with the company’s policies. If possible and when the scope of work includes physical
security measures, the candidate should be given a brief tour of the facility prior to the
interview to become familiar with the facility.
If the candidate does not live locally, the company should negotiate the cost of bringing the
candidate to the company, or an employee should travel to the consultant’s location for a
personal interview. Teleconferencing is an interview option, but a poor one. In the final step,
negotiations begin with the top candidate. Subjects to be negotiated are the scope of work,
the product to be delivered, the methodology, the timing, and related expenses. If
negotiations with the first candidate prove unsatisfactory, the company should move quickly
to the next choice. Once negotiations are successfully concluded, the company should be
prepared to present the consultant with a contract.
An example of a professional consulting services agreement is shown in Appendix D. The

documents shown in Appendix E and Appendix F cover supplementary agreements that
define the consultant’s responsibility for handling company proprietary information or
government classified documents and conflicts of interest. These points should be discussed
with the consultant and all forms should be signed before work commences.

8.6 Consulting Fees and Expenses
8.6 CONSULTING FEES AND EXPENSES

There are no bargains in the consulting profession. Other professionals, such as physicians
and lawyers, follow the same fee strategy. The doctor with the best skills or the attorney with
the best reputation and practice will receive the highest fees from patients or clients.
Likewise, the security consulting profession has its own fee structure based on levels of
expertise.
As with other professional disciplines, time and quality must be considered when analyzing a
range of consulting fees. A low fee might actually prove to be more costly in the long run
because a less skillful consultant might take longer to complete the assignment satisfactorily.
Also, the security industry has a long and rocky history of keen competition based on the
awarding of contracts to the lowest bidder. To increase their competitive advantage, some
security product and service companies will offer consulting services at a very low rate.
Clearly, the objectivity of the resulting recommendations must be questioned if the
consultant believes the solution might lead to the purchase of that company’s services or
equipment. If the fee proposed by a potential consultant seems to be a bargain, the client
should remember the Latin phrase caveat emptor: let the buyer beware!
The basis for higher billing by some medium-sized or large consulting firms, as opposed to
the independent sole proprietor or small consulting firm, often reflects a higher overhead.
The costs billed by individual consultants as well as by larger firms include direct charges,
such as time and travel, and overhead costs, such as office rental, clerical help, proposal
expense, publications, and professional taxes and licenses. As a result, a consultant’s daily
rate does not equate to an annual income since consultants may not work every day of the
year but their expenses continue.
Consultants, like other professional service providers, typically use software to track the time
and expenses related to each client’s project. In some cases, consultants keep a project
journal while others monitor activity through simple spreadsheets. Consultants may also use
specific billing software such as QuickBooks.
No matter how the consultant tracks and bills his or her time, the client should review
payment options and choose the one that fits the company’s accounting scheme as well as
the type of consulting assignment. Five options should be considered: hourly fees, daily fees,
fixed fees, not-to-exceed fees, and retainers. The company should also set parameters on
how miscellaneous and regular expenses should be billed and approved.

Hourly Fees
Paying a consultant an hourly fee is unusual in security management consulting, but it does
happen. This arrangement is most applicable when the assignment is expected to last less than
a day, but the exact amount of time needed is unclear. In this scenario, the client and
consultant could agree to “let the meter run” for the actual time spent. An example might be a
case where management is considering moving an employee to a new assignment, and the
consultant is retained to meet and interview the employee at a convenient time. If the
company expects the interview will only take 2.5 hours, the consultant could agree to be paid
for just that amount of time.
Forensic consulting is often billed by the hour, however. If a corporate legal or risk management
office brings in a security consultant for advice on how to avoid litigation, evaluate a case, or
arrange a settlement, the time is calculated by the hour and any fraction thereof.
Daily Fees
The daily fee is calculated by multiplying the consultant’s hourly rate by eight. In reality, this
arrangement often benefits the client because an eight-hour day can easily be extended for
any number of legitimate reasons, unless the contract clearly defines the number of hours in
the consultant’s day. Security consultants know that the time needed to meet the agreed goal
and submit a final report might exceed the typical day. Depending on the number of days in
the agreement, the consultant might propose a certain number at a fixed daily rate and a
slightly reduced rate for every day thereafter. Clearly, the daily fee can be flexible based on
the nature of the task and the services required.
Fixed Fees
A flat or fixed fee is the total amount to be paid by the client to the consultant for the
completion of a consulting assignment. More often than not the fixed fee includes all expenses,
so only one amount is negotiated. The consultant’s office time and expense calculations,
which could be based on his or her hourly rate plus an hourly rate for the office staff, is
translated into an estimate of what is needed to deliver the end product.
This arrangement is generally agreed to when the number of days required to accomplish the
work can be estimated accurately and controlled by the consultant. Usually a fixed fee will
only be acceptable to a consultant if the work to be done is limited to a study that is not
complex. The advantage to the client is that the company can easily compare competitive
bids and budget the exact amount that will be needed to complete the required work. Fixed
fee arrangements are usually not appropriate if the work involves implementing a
recommended program because the consultant often has to rely on other employees from
the client’s company to perform or arrange for the actual work. The danger in this case is that
the consultant could lose control of the time that could be spent but must absorb any

overtime. The scope of work in these situations must be very carefully defined to protect
both the client and the consultant.
Not-To-Exceed Fees
A not-to-exceed pay arrangement, similar to the fixed fee, is the consultant’s guarantee that
the total cost or time will be limited to the parameters agreed to in the contract. In this
instance, the consultant agrees that any costs connected with unforeseen events or delays
will not be passed on to the client, unless the client agrees to pay them. The difference
between not-to-exceed and fixed fees is this arrangement allows for a lesser fee than
originally estimated. For example, the consultant might state that he or she expects to
complete a task in five days but that the time spent is not to exceed seven days. If the task is
completed in five or six days, then the client just pays for that amount of time. If the task
should take eight days, the client still only pays for seven.
Retainers
A company that wishes to use a consultant on a regular basis might prefer to pay a retainer.
In this arrangement, the consultant agrees to work a specified number of days each year for
that client, and the client is guaranteed access to the consultant when needed. In a retainer
agreement, consultants typically provide their services at a substantially discounted rate. For
example, the agreement might state that the consultant will provide or be available to the
client for two days each month at a fixed rate per day, or 24 days a year at a set annual price.
In this case, the client is assured of receiving services for the minimum number of days
covered by the retainer. The consultant, on the other hand, is guaranteed an income.
Retainers can be quite negotiable. The client might use all of the agreed-upon days in the
first half of the year or only use the consultant less than half the days in the contract. The
consultant keeps the retainer even if the minimum days provided are not used by the client.
However, some consultants dislike committing to a retainer because it can cause scheduling
problems. For example, the consultant might be in the middle of a project for one client
when an urgent problem surfaces at another company that has already paid a retainer to that
consultant. To avoid this difficulty, it is recommended that retainer agreements identify
specific days to be applied to the client in specific months. If a schedule cannot be arranged,
then the consultant can agree to commence working for the client on the first available day
after notice is received.
Other options in a retainer agreement could cover the days used by the client in excess of
those in the contract. In one example, the client would continue to pay the discounted rate
for any extra days. In another case, those excess days would revert back to the consultant’s
normal fee.

Miscellaneous Arrangements
Other fee arrangements can be beneficial to both the client and the consultant. For example,
the consultant could agree to accept some equity in the client’s business for part or all of the
consulting fee. Alternatively, the fee could be set as a percentage of the savings realized as a
consequence of the consultant’s work, although this option is not common in security
management consulting.
If such innovative fee concepts are proposed, both parties should seek adequate legal counsel
while drafting an agreement to ensure that the interests of both are adequately defined. A
clear, binding agreement is the cornerstone for avoiding costly litigation or work disruption.
Expenses
The cost of outside consultants must allow for reasonable expenses to cover project-related
activities such as transportation, living costs, telephone, secretarial services, and
reproduction. Consulting expenses can sometimes be reduced if the consultant is allowed to
use amenities and services available at a client’s facility. Such items as clerical assistance,
office space, and reproduction services might be provided on-site. Consultant support is
discussed in more detail later in this chapter.
Expenses are usually reimbursed at actual costs, which should be substantiated by expense
reports submitted by the consultant. A reimbursement arrangement might also be based on
a per diem for living expenses plus actual costs for transportation and other expenses. Both
the consultant and the client must clearly understand how expenses will be paid and what
expenses are reimbursable. Any limitations on amounts to be spent should be defined. For
example, if the daily allowance for hotel accommodations and meals is a set amount, the
consultant should be informed of that limit during the selection process.
A common rule of thumb is that the consultant should receive the same travel allowances as
those given to members of the client’s senior management. Although commonly accepted
business practice limits air travel costs to coach accommodations unless first class or
business class accommodations are specifically approved, the client should not assume that
everyone understands or agrees with this policy. International travel almost always involves
at least two days of travel time (to and from the destination) and sometimes more. Special
arrangements should be made for compensation in these situations.
The bottom line in expense negotiations is that the details must be discussed and agreed
upon at the outset of the relationship. Most professional security consultants will have their
own forms and methods of providing clients with necessary and appropriate records of time
and expenses. To ensure that potential clients are aware of the requirements, the forms and
policies in Appendices G through J show expense reports and guidelines that apply to
consulting situations.

8.7 Working with Consultants
8.7 WORKING WITH CONSULTANTS

Once the contract is signed but before the consultant actually begins to work, senior and
functional managers as well as those employees who may be affected by the consultant’s
activities should be made aware of management’s decision to retain the services of a security
consultant. The announcement, preferably from the chief executive officer, should
underscore the expectation of employee cooperation and assistance, which will facilitate the
successful completion of the consulting project.
A consulting project coordinator, often a member of the security advisory committee, should
be assigned to work with the consultant and monitor progress. That person can provide
adequate information about the organization and provide assistance. Clear specifications for
the project should be outlined in a scope of work, which should include a work plan,
progress reports, and a final report.
8.7.1 COORDINATING THE PROJECT

To facilitate and coordinate the project, some companies designate a sole representative to
serve as project coordinator, typically the chief security officer (CSO) or vice president (VP) of
security. He or she works closely with the consultant during the project without any other
management involvement. Other clients create a temporary security project committee,
often a spin-off from the security advisory committee, to facilitate the project. The
committee should be chaired by the project coordinator, again the CSO or VP of security. If
the project coordinator is temporarily unavailable, a designated alternate should fill in and
respond to the consultant in a timely way so that the work is not delayed.
The project manager should strive to include someone from within the organization who can
act as the project sponsor. A good candidate for this role is the individual who may have
originally suggested the concept that led to the consulting project. Both the consultant and
the project manager will find this person a valuable resource and ally throughout the course
of the project.
The mission of the project coordinator and the committee is to be a liaison between the
consultant and the company, and that task is critical. Committee members should represent
the sectors of the company involved in the work. They should be completely familiar with the
organization and the project and have sufficient credibility and clout in the company to
effectively meet the needs of the consultant, such as collecting data or scheduling interviews.

8.7.2 ORGANIZATIONAL ORIENTATION

The project coordinator should arrange an orientation for the consultant, at which he or she
can be briefed on the backgrounds and responsibilities of key personnel in the organization
before meeting them personally. The consultant should also be made aware of any role each
individual might play in the completion of the assignment. The orientation should include
an organizational chart and background data about the company, including the operating
environment, key assets and functions, internal and external relationships relevant to the
project, specific legislative or regulatory controls, a history of the enterprise, the philosophy
of top management, and the company’s competitive position. If the client is a public
company, copies of the latest annual report to shareholders, as well as relevant government-
required disclosure filings, should be provided.
The more information the consultant has, the better he or she will be at meeting the client’s
expectations. To that end, the results of previous projects of a similar nature undertaken by
the company should be discussed with the consultant. Also, any unique or unusual
situations that might be encountered within the organization should be brought to light. All
companies have their own cultural idiosyncrasies. If the consultant is not made aware of
potential problems, some action, seemingly minor to the consultant, could trigger an
incident and negatively affect the project and everyone associated with it. On the other hand,
consultants are expected to be objective and independent observers with the freedom—in
fact the obligation—to state the facts, even if they point out idiosyncrasies that could affect
the outcome or success of the consultant’s work.
When a client seeks a consultant for work in a different country, the consultant is expected to
have a knowledge of the culture and customs of the country, working conditions, local
legislative requirements, visa requirements and conditions, etc.
8.7.3 LEVELS OF ASSISTANCE

A consultant’s time costs money, and the project coordinator should arrange to see that all
the necessary assistance and support is provided in a timely way. Advice or assistance may
be required from related departments, such as legal, industrial relations, public relations,
and finance. Technical help may also be solicited from qualified in-house talent. Company
personnel may need to prepare letters, memorandums, and reports generated as a result of
the project. Reports or other data specified in the contract are usually prepared by the
consultant.
Consultants are often given access to sensitive information. Therefore, nondisclosure

agreements are necessary to protect the company. More information on nondisclosure
agreements can be found in the Protection of Assets volume on legal issues.

A method for the proper handling of sensitive information developed or collected during the
progress of the work should also be devised. Such data could even be embarrassing to the
organization or its employees if it became known either inside or outside the organization.
Sensitive information could also include the conclusions or recommendations of the consul-
tant. Such information should be safeguarded by a limited number of individuals and only
be handled by personnel known to be trustworthy. Most importantly, written consulting
reports are subject to discovery by an adverse party in a lawsuit. Consideration should be
given to identifying the proper custodian and location for reports that might be sought
through subpoena.
Visits to other companies, other clients of the consultant, or other corporate locations may
be required. Such visits can often be expedited if the project coordinator assumes the
responsibility for making arrangements, such as procuring security clearances, airline or
company airplane schedules and tickets, rental cars, and hotel reservations.
The consultant’s methodology is critical to the success of the project. The methodology
should be sound and widely accepted within the industry. It would be impossible to outline
every method that could be used to complete the myriad projects taken on by security
consultants. Nonetheless, potential clients can review industry guidelines for various types of
projects. Commonly accepted and widely used methodologies in the security industry are
ASIS International’s General Security Risk Assessment Guideline, the International
Association of Professional Security Consultants’ Forensic Methodology Best Practice and ISO
Standard 31000, Risk Management.
8.7.4 SCOPE OF WORK

From the very beginning, candidates for consulting assignments should understand the
scope and objective of the project. This information should be part of the initial request for
quote and also be included in a written contract. However, it should not be assumed that
these few paragraphs will be enough for the consultant to begin work and perform
adequately.
Before the actual consulting assessment begins, the client and consultant should review the
project’s objectives, goals, scope of work, and deliverables. The project coordinator should
participate in the review along with project committee members and any others who may be
affected by the work to be done.
The “scope of work” refers to the central objective of the consulting task, or the clear focus of
the effort. Suppose the scope of work is to “reassess the company’s distribution system to
identify procedural deficiencies that could or do contribute to cargo losses.” In the perfor-
mance of the work, every physical inspection, interview, and document examined should be

guided by and limited to that objective. The initial project review, then, should address the
strategies that will achieve the objective.
This review also updates those who did not participate in the selection process and gives
everyone an opportunity to ask questions and clarify points. The consultant is now a
member of the team and should ask and answer questions that might not have been
appropriate in the earlier discussions.
A common occurrence in consulting projects is referred to as “scope creep,” meaning the

scope of work grows after the contracts have been signed and the work has begun. This
phenomenon may be raised by either party and for myriad reasons, often out of necessity.
Caution flags should be raised, however, when the consultant is being paid an hourly rate
and the project could grow to exceed budget limitations. While expanding the scope of work
is often necessary, it should only be done with both parties agreeing to it in writing as an
addendum to the contract.
8.7.5 WORK PLANS

Once the scope of work has been agreed upon, a work plan should be developed with the
project coordinator. Tasks and priorities can be determined, assignments made, and
completion schedules established. Deadlines should be converted to milestone charts, if
appropriate, so the project can be reviewed periodically. The frequency of work product
reviews can also be specified and scheduled during this planning stage. Information that the
project coordinator and others will need to furnish to the consultant can also be defined, and
a schedule established for its delivery.
Especially in lengthy projects, the project coordinator and the consultant should hold
frequent progress meetings to ensure that the project is on schedule. Ultimately, the
consultant is responsible for ensuring that the project stays on the right course while
traversing any unanticipated hurdles posed by corporate politics or culture. Measurement of
the project’s progress, sometimes referred to as an earned value analysis, should be
conducted by the consultant and project coordinator during these meetings to ensure that
the project objectives described in the scope of work are being met.
Those responsible for gathering information or performing support tasks should understand
that deadlines are important. If they are not met, the efforts of the consultant may be
hampered or work on the project may come to a halt. The project coordinator should assume
responsibility for ensuring that deadlines are met and that the project is on schedule at all
times.

8.7.6 PROGRESS REPORTS

The progress of the consultant’s work can be monitored by scheduling periodic meetings
and requiring written reports, which can be specified in the work plan with the caveat “if
deemed necessary.” Great discretion must be exercised in the frequency and length of
meetings.
Progress meetings should be attended by all personnel working on the project as well as by
interested management representatives. The coordinator, as the key company repre-
sentative, might personally record, publish, and distribute the results of the meeting or might
assign another team member to take minutes. The minutes should outline decisions made
during the meeting, detail the progress of the work, and specify any work assignments and
deadlines.
The frequency of project review meetings and written reports will, of course, depend to a
great extent on the size and complexity of the project. Scheduling review meetings too often
will interfere with work to be done, but if they are not scheduled often enough, control of the
project could be jeopardized. If the exchange during the meetings is adequate, the group
may choose to forego interim reports. They may also be skipped if the project is short, about
10 to 15 days, and if the review meeting reports are satisfactory.
8.7.7 FINAL REPORTS

A final written report should be delivered for all consulting projects including a technical
consulting assignment, although the project’s end result should be a functioning system. But
it is absolutely essential in a security management consulting project where the end product
consists of recommendations and advice, which must be implemented in the future.
A final report should begin with an executive summary, then address the results achieved,
and conclude with the recommendations. A simple approach to the report content is to
make the sequence consistent with the scope of work. The results section should identify
whether all the established goals were met, whether any items included in the work plan
were not accomplished, and the reasons why an item was not completed. The recom-
mendations should define any additional work that needs to be done together with
suggestions on how to accomplish it.
Sometimes a final briefing for top management is specified in the statement of work or
requested at the project’s conclusion. The salient features of the written report can be
incorporated into such a briefing, which should be done by the consultant. The project
coordinator and others from the company should be on hand to give advice and assist in the
briefing since they will be most familiar with the requirements of top management.

If the report itemizes recommendations, each should be numbered for future reference, as
follows:
Recommendation #23: Use of part-time police officers to protect cash offices should be
discontinued. Security for cash offices should be in the form of operating procedures and
state-of-the-art physical barriers, including a two-door “man trap” with remote electronic
access control.
The acceptance and subsequent implementation of that recommendation could be called

Project #23.
If additional work is to be implemented as a result of the consultant’s efforts, the final written
report should include enough detail so that personnel in the client organization can
complete the tasks by following the guidelines included in the report. After reviewing the
report, however, the client may decide that additional assistance from the consultant will be
required to implement the recommendations. In that case, an additional contract or a
contract amendment should be prepared for the consultant’s signature, and a new scope of
work to implement the recommendation should be defined.
For example, suppose a security consultant has completed a vulnerability study for an
organization and recommends a comprehensive protection program. Once the final report is
presented, the organization’s management realizes that they will need to hire one or more
experienced security professionals to implement and manage the recommended program.
The consultant might then enter into a contract with the company to search for and pre-
qualify a security executive to implement and manage the recommended program. The
usual fee for this kind of service is 25 percent to 30 percent of the new security executive’s
salary for the first year, plus expenses incurred during the search.

8.8 The Future of Consulting
8.8 THE FUTURE OF CONSULTING

st
As new business and societal events of the 21 century unfold, the use of consultants by
security and other corporate executives will most likely trend upward. For example, when
companies downsize, they frequently lose in-house specialists but add them when needed
by hiring consultants. As a result, many consultants are zeroing in on a specialty, which they
then can provide to many clients.
An example might be crime analysis. In the past, companies may have had security
employees who focused on this task. Today, however, those employees have been promoted
or have moved on to perform more generalized security functions. When companies
encounter a case where crime analysis is needed, they turn to consultants who specialize in
this niche.
Another trend can be seen in the way consulting fees are established. Rather than bill at
hourly rates, many consultants are moving toward project-based pricing. Based on the scope
of work, experienced consultants can accurately assess the time needed to complete a
project. This arrangement is of great benefit to companies that use consultants since they
have a closed-end cost that can be used for accurate budgeting.
Both of the trends mentioned have led to a third: consulting alliances. Consultants with
specialties have seen the need to provide a range of services to a client when completing a
project, and they have teamed with other consultants to broaden their professional offerings.
For example, a security management consultant who recommends upgrading a company’s
access control system may form an alliance with a technical security consultant who can
actually specify, bid, and oversee the installation of the recommended system. Similarly, a
forensic security consultant may testify in a case brought against a client because of a
security deficiency, and then bring in an allied security management consultant to
recommend how to rectify the deficiency.
In all cases, understanding how to work effectively with a security consultant is the key to a
successful outcome, for both the consultant and the client.

Appendix A: Alphabetical Soup of Consulting
APPENDIX A
ALPHABETICAL SOUP OF CONSULTING (Sennewald, 2004)
Advise management on what’s current … that is, “state of the art.”
Build bridges between security and other departments.
Clarify and rewrite security policies, procedures, etc.
Define organizational goals and mission statements.
Expedite security projects.
Forecast protection needs in the future.
Guide management in the selection of personnel, equipment, and services.
Help hire qualified security personnel, especially at the executive level.
Identify problems.
Judge past and present performance.
Kindle new enthusiasm or interest.
Launch new programs by conducting orientation meetings.
Modify security operations when and where appropriate.
Negotiate on behalf of management for optimum contracts.
Objectively evaluate security programs, present and future.
Present new ideas and strategies.
Qualify senior security candidates for management’s consideration.
Review security budgets.
Supplement the security management staff on a temporary basis.
Train security employees.
Uncover unproductive policies, practices, and programs.
Validate existing or planned activities.
Warn management of risks and unnecessary exposure.
Yield unbiased and honest opinions.
Zealously provide the highest order of professional assistance and guidance.

Appendix B: Application for Consulting Assignment
APPENDIX B
APPLICATION FOR CONSULTING ASSIGNMENT
Power Munitions, Inc.

Name of consultant ______________________________________________________________________
Name of consultant’s firm ________________________________________________________________
Address of consultant’s firm _______________________________________________________________
Consultant’s phone ______________________ E-mail address __________________________________
Consultant’s Web site ____________________________________________________________________
Consultant’s primary expertise ____________________________________________________________
Last position prior to becoming a consultant ________________________________________________
Last employer ___________________________________________________________________________
Date consultant left last employer__________________________________________________________
Date consultant commenced practicing as a consultant ______________________________________
Total years practicing as a consultant _______________________________________________________
Years of education ___________ University/college __________________________________________
Professional/academic designations _______________________________________________________
Professional affiliations and memberships __________________________________________________
Length of such memberships _____________________________________________________________
Awards or recognition for achievement in the security industry ________________________________
If published, identify works _______________________________________________________________
________________________________________________________________________________________
Basic consulting fee ______________________________________________________________________

Appendix B: Application for Consulting Assignment
Reference #1: Name of client _____________________________________________________________
Name of contact person _____________________________________________________
Phone number of contact person _____________________________________________
E-mail address of contact person _____________________________________________
Primary thrust of that consulting project ______________________________________
Length of that consulting project _____________________________________________
Reference #2: Name of client _____________________________________________________________
Name of contact person _____________________________________________________
Phone number of contact person _____________________________________________
E-mail address of contact person _____________________________________________
Primary thrust of that consulting project ______________________________________
Length of that consulting project _____________________________________________
Attach copies of professional indemnity (or equivalent) insurance certificates.
Attach copies of liability insurance certificates (or equivalent).

Appendix C: Curriculum Vitae
APPENDIX C
CURRICULUM VITAE
CHARLES A. SMITH, CPP
EMPLOYMENT HISTORY
x Air Policeman, USAF, 3 ⁄2 years

1
x Deputy Sheriff, Los Angeles County, 6 years
x Chief of Security, Claremont Colleges, 2 years
x Director of Security, The Broadway Department Stores (52 major stores in 4 states), 18 years
TEACHING HISTORY
x Lecturer, Chaffey and Orange Coast Colleges, 1 year
x Assistant Professor, California State University at Los Angeles, 13 years
EDUCATION
x B.S. Degree, Police Science & Administration, California State University at Los Angeles
LITERARY CONTRIBUTIONS
x
nd rd
Effective Security Management, Security World Publishing, 1978; 2 Ed., 1985; 3 Ed., 1998;
th
4 Ed., 2003
x
nd
The Process of Investigation, Butterworth Publishing, 1981; 2 Ed., 2001
x
nd rd
Security Consulting, Butterworth Publishing, 1989 2 Ed., 1995; 3 Ed., 2004
x
nd
Shoplifting, (co-author) Butterworth-Heinemann Publishing, 1992; 2 Ed., 2003
x Shoplifters vs. Retailers, The Rights of Both, New Century Press, 2000
x Author of numerous articles and chapter contributions to a number of security industry

books as well as to Protection of Assets

Appendix C: Curriculum Vitae
PROFESSIONAL AFFILIATIONS AND ACCOMPLISHMENTS
x Founder and first president, International Association of Professional Security Consultants

(IAPSC)
x Holder of the professional designation Certified Management Consultant, CMC
x Holder of the professional designation Certified Protection Professional, CPP
x Member, ASIS International
x Member, Institute of Management Consultants
x Past president and member, International Foundation for Protection Officers (Canada)
x 1979 recipient of Security World Magazine’s Merit Award
x U.S. Security Industry Representative to Stockholm and Copenhagen in 1981 and to Hong
Kong, Taipei, and Tokyo in 1983, by appointment of the U.S. Department of Commerce
x 1995 recipient of the IAPSC Distinguished Service Accolade
CURRENT POSITIONS (1979 TO THE PRESENT)
x Consultant to corporate management
x Consultant to the legal profession
x Security industry seminar lecturer
Charles A. Smith, CPP • 450 Riverlake Run • Eastward, CA 92000 • (760) 757-7575

Appendix D: Professional Consulting Services Agreement
APPENDIX D
PROFESSIONAL CONSULTING SERVICES AGREEMENT
THIS AGREEMENT, made as of ____________________________________ between an individual,

_______________________________________ hereinafter referred to as the “Consultant,” and Client,
hereafter “Company,”
WITNESSETH:
WHEREAS Company and Consultant desire to enter into an agreement for the performance by
Consultant of professional services in connection with activities of Company.
NOW, THEREFORE, in consideration of the premises and of the mutual promises herein, the
parties hereto agree as follows:
1. RETAINER-TERM. This agreement is made with Consultant as an independent contractor

and not as an employee of Company. The Company hereby retains Consultant and Consultant
agrees to perform professional services for the Company commencing the date set forth above and
concluding _____________________ (date).
2. STATEMENT OF WORK. The work described in the attachment hereto entitled “Scope of
Work” and incorporated herein shall be performed by Consultant as requested from time to time
by Company, at such place or places as shall be mutually agreeable.
3. PAYMENT. (a) Company shall pay Consultant at the rate of ____________ for each
______________________________ spent on the work hereunder during the terms of this agreement.
Unless and until revised by a written amendment to this Agreement, Company shall not be
obligated to Consultant and Consultant shall not be entitled to payment from Company for more
than ____________ days/hours. Time spent in travel hereunder during normal working hours or
otherwise, if requested by Company, shall be paid for at the above rate. (b) Company shall pay or
reimburse Consultant for travel and other appropriate expenses incurred in the performance of
work hereunder in accordance with the attachment hereto entitled: “Consultant Expense.”
4. PATENT RIGHTS. Consultant will disclose promptly to Company all ideas, inventions,
discoveries and improvements, hereafter referred to as “Subject Inventions,” whether or not
patentable, relating to the work hereunder which are conceived or first reduced to practice by
Consultant in the performance of the work under this agreement and based upon nonpublic
information of the Company disclosed to or acquired by Consultant during this consulting
assignment. Consultant agrees to keep a written record of his technical activities and that all such
records and such Subject Inventions shall become the sole property of Company. During or
subsequent to the period of this agreement, Consultant will execute and deliver to Company all
such documents and take such other action as may be reasonably required by Company to assist it
in obtaining patents and vesting in the Company or its designee title to said Subject Inventions.

Appendix D: Professional Consulting Services Agreement
5. COPYRIGHTS. Consultant agrees that all writings produced by Consultant under this
agreement shall be the sole property of Company and Company shall have exclusive right to an
assignment of copyright in such writings in any country or countries; however, Company will
make its best efforts to grant a non-exclusive right to Consultant to publish such writings when
circumstances, including security regulations, will permit.
6. PROFESSIONAL STANDARDS. Consultant agrees that the work performed hereunder will
represent best efforts and will be of the highest professional standards and quality.
7. SECURITY. Company agrees to apprise Consultant of any information or items made

available hereunder to Consultant which are Classified or Restricted Data, and Consultant agrees
to comply with the security requirements imposed with respect thereto by the United States
Government or the Company. If it becomes necessary for Consultant to store classified material at
a place of business, other than the Company, a facility clearance will be required. In this event,
Consultant agrees to enter into a security agreement with the Department of Defense and to
maintain a system of security controls in accordance with the requirements set forth in
“Department of Defense Industrial Security Manual for Safeguarding Classified Security
Information.” Consultant further agrees that any classified material furnished to him by the
Company will be immediately returned to the Company upon termination of either the security
agreement or this Professional Services Agreement.
8. RISK OF LOSS. Consultant assumes all risk of personal injury, and all risk of damage to or
loss of personal property furnished by him. If Consultant employs others to perform work under
this Agreement on premises of the Company, Consultant agrees to furnish proof acceptable to the
Company of Commercial General Liability insurance in an amount not less than $ [______].
9. PRIVILEGED OR PROPRIETARY INFORMATION. Except as maybe required in the perfor-

mance of the work, Consultant agrees not to divulge any non-public, Company information
acquired by him as a Consultant to the Company from any source, including the Company, its
customers and associates or other contractors, without the prior written consent of the Company.
10. TERMINATION. Either party may terminate this agreement in whole or in part at any time
by giving written notice to the other.
IN WITNESS WHEREOF, the parties hereto have executed this agreement as of the day and year
first above written.
By Company By Consultant
Date Date

Appendix E: Consulting Security Agreement–Joint Certification
APPENDIX E
CONSULTING SECURITY AGREEMENT—JOINT CERTIFICATION
[Name] of [Street Address]
[City/State/Zip Code] Consultant, and the Company (hereinafter
called “Contractor”), hereby certify and agree as follows:
(1) Classified information shall not be removed physically from the premises of the
Company.
(2) Performance of the contract shall be accomplished on the premises of the Company.
(3) The Consultant and certifying employees shall not disclose classified information to
unauthorized persons.
CONSULTANT
Date
By: ____________________________________
Date: __________________________________

Appendix F: Conflict of Interest Statement
APPENDIX F
CONFLICT OF INTEREST STATEMENT
The undersigned warrants that, to the best of the undersigned consultant’s knowledge and belief,
and except otherwise disclosed, there are no relevant facts which could give rise to an organizational
conflict of interest and that the undersigned consultant has disclosed all relevant information.
The undersigned agrees that if an organizational conflict of interest is discovered, an immediate

and full disclosure in writing shall be made to the Contracting Officer which shall include a
description of the action which the undersigned has taken or proposes to take to avoid or mitigate
such conflicts.
Consultant
Date

Appendix G: Professional Services Log
APPENDIX G
PROFESSIONAL SERVICES LOG
Consultant
Contract Number
Contract Period
Number of days Requestor/Monitor
Instructions:
1. Record information on same day work is performed.

2. Compare completed form(s) with Statement of Professional Services submitted by con-
sultant for accuracy and completeness.
3. Fully explain all off-site work charge and car rental approvals. Consultant’s invoice should
correspond with the approval(s).
4. If more space is needed, use reverse side.
Identify Project or Task and Provide a

Date Time Job Order Brief Description and Evaluation of Work Performed
(Reference documents prepared by Consultant)
Signature of Requestor/Monitor: __________________________________________________________
(Retain this log for a minimum of 3 years)

Appendix H: Statement of Professional Services
APPENDIX H
STATEMENT OF PROFESSIONAL SERVICES
Consultant Week Ending 20
Address
City/State/Zip Code
Instructions: To facilitate prompt payment for consultant services and expenses, it is requested
that the following procedure be adopted.
1. Completely fill out the form below. (A separate form should be submitted for each trip,
except for consultants who live in the local area.)
2. Attach all vouchers, receipts, tickets, etc.
3. This statement must be signed by the consultant.
4. Retain a copy for your files and send the original to your Corporation monitor.
SERVICES:
Project
ENTER DATES
Designation
JOB CONTRACTS MON. TUE. WED. THUR. FRI. SAT. SUN. TOTALS
Total Hours/Days $
TRANSPORTATION EXPENSES:
(Attach all receipts)
From Date To Date Cost
Transportation Cost $

Appendix H: Statement of Professional Services
OTHER EXPENSES:
ITEM (Enter dates) Totals
Meal $ _____
Lodging $ _____
Auto Rental (1)(2) $ _____
Taxi or Local Bus (2) $ _____
Telephone (2) $ _____
Personal Car Mileage (3) $ _____
Parking (1) $ _____
Other (2)(4) $ _____
Amount Due $
(1) Attach all receipts

(2) Attach receipt if more than $5.00
(3) Mileage will be paid at current rate
(4) Please Explain: ______________________________________________________________________
Consultant Signature Date
Approved by Date
Audited by Date
COPY DISTRIBUTION: Accounting, Consultant’s Monitor

Appendix I: Policy on Consultant’s Expenses
APPENDIX I
POLICY ON CONSULTANT’S EXPENSES
All Consultants traveling on Company business must substantiate expenses incurred while in
travel status. To fulfill the Company’s travel policy reporting requirements, the Consultant must
submit a properly documented and approved travel expense report within 30 days after completion
of each trip. The original receipts, paid bills, or similar documentary evidence are required for all
expenditures except meals. However, receipts need not be submitted for expenses for which they
would not ordinarily be given; such as taxi or bus fares under $10.00 (one way). The Consultant
must keep an expense diary to substantiate the claim for reimbursement, and should retain it
permanently as a personal record unless requested to submit it with the travel expense report.
The requirements imposed by the Company with respect to substantiation of the above expenses
conform to the documentation requirements of IRS regulations. Substantiation in accordance with
Company policy is therefore considered to fulfill IRS requirements.
Travel Expenses
Consultant shall be reimbursed for actual and necessary personal expenses incurred during travel
authorized by the Company for lodging, subsistence, incidental expenses, and tourist-class
transportation costs or mileage at the current rate per mile when use of Consultant’s automobile is
authorized in lieu of air travel. Transportation costs, other than in the local area, shall not exceed
the cost of tourist accommodations unless schedules and availability of space do not permit this
class of service, or unless otherwise agreed.
Consultants who live within commuting distance of the organizational entity contracting for
services are not reimbursed for meals, or mileage. Company authorized travel between work
locations is reimbursable. (Commuting distance is interpreted as being in the immediate vicinity
or within 50-mile radius of the assigned work location.)
When Consultant is retained from outside the local area and a rental car is authorized upon arrival
at the work location area, the Company will be responsible for rental car charges necessary and
incidental to the work; mileage charges attributable to personal use are to be borne by the
Consultant.
Telephone and Other Telecommunications Expenses

The Company shall reimburse Consultant for reasonable and necessary telephone and other
telecommunications expenses.

Appendix I: Policy on Consultant’s Expenses
Other Expenses
The Company shall reimburse Consultant for all other reasonable and necessary expenses
incurred by Consultant in the performance of work hereunder, provided that written approval of
the Company is obtained and Consultant certifies that such expenses were necessary and
incidental to the work. Without limiting the foregoing, such expenses by way of example shall
include costs of using computers and rental of test equipment.
Substantiation of Expenses
IRS Regulations require substantiation by, both adequate records and sufficient documentary
evidence of the expenses to which they apply. They require that the following elements be
substantiated:
(a) Amount
(b) Time
(c) Place
(d) Business purpose
(e) Business relationship

Appendix J: Consultant Travel Policy
APPENDIX J
CONSULTANT TRAVEL POLICY

The Company Travel Policy and Practice applies primarily to employees. Nonetheless, the policy
extends to consultants traveling on behalf of the Company. Consultants are expected to adhere to
the provisions of the documents for purposes of establishing reasonableness and necessity for
travel and related costs.
Following are excerpts from referenced Travel Policy and Practice, which relate and offer guidance
to consultants traveling on behalf of the Company.
Mode of Travel
Individuals traveling on Company business are scheduled by the most direct transportation
available. Air travel by jet will normally be limited to less-than-first class accommodations. Travel
arrangements are made by the consultant and reported after completion of the travel on the
Statement of Professional Services. No cash advances or tickets may be provided by the Company.
a. All taxi fares in excess of $10.00 (one way) must be supported with a receipt attached to the
Statement of Professional Services.
b. Use of premium or luxury accommodations for Company travel, such as first class jet,
requires specific documentation, and will be limited to the following:
(1) Situations where schedules and availability of space do not permit less-than-first class
service.
(2) Where overnight departures are scheduled between 9:00 p.m. and 6:00 a.m. (local
[area] time) and flight time is four hours or longer.
(3) Where the traveler has a physical disability requiring first class accommodations; such
travel may be approved on the basis of a doctor’s certificate or the specific approval of
the appropriate management.
(4) First class accommodations may be authorized when in the judgment of line
supervision, useful and necessary work can be accomplished while en route only in
first class accommodations. Such travel requires the approval of the appropriate
management.

Use of Personal Vehicles

Consultant retained in the local area in which Consultant’s residence or office is maintained, and
in which the consulting work will be accomplished, is not entitled to meals or to mileage
reimbursement for travel between home or office and Company-assigned work location. Company
authorized travel between work locations is reimbursable. Commuting distance is interpreted as
being within fifty miles of the Company’s facility.
Use of personal motor vehicles on Company business may be authorized for domestic travel, and
is reimbursed at the current rate per mile but will not exceed the total cost of available less-than-
first class air fare. Travel time allowed is limited to normal air travel flight time. Any personal
vehicle travel time in excess of that limit is not chargeable to nor reimbursed by the Company.
Use of such conveyances is authorized only when the consultant complies with the following
requirements regarding minimum primary liability insurance coverage:
a. Motor Vehicles—The consultant must certify that the vehicles to be used on Company
business are covered with bodily injury liability insurance of $250,000 per person and
$500,000 per accident, and property damage liability insurance of $50,000 per accident.
The Company does not reimburse a consultant for the deductible portion of the insur-
ance if a collision or damage occurs while driving on Company business.
b. Use of personal aircraft, whether owned or leased, on Company business is prohibited.
Automobile Rental
Automobiles may be rented by consultants on travel status as necessary to accomplish business
objectives. Generally, an automobile may be rented if its prospective use will be at least twenty
miles per day. Normally, automobile rental is not authorized for local travel.
Automobile rentals must be approved and authorized in advance whenever possible. Automobile
rentals, when authorized, provide for standard or compact model cars only. The excess cost over
standard models for sports cars or luxury model rentals will not be reimbursed by the Company.
Mileage charges attributable to personal use are not to be borne by the Company.
The cost of automobile full collision insurance coverage purchased by the traveler from the rental
agency will be reimbursed.
Travelers using rented automobiles are responsible for:
a. Reporting accidents involving property damage or bodily injury promptly to the lessor,
local law enforcement agencies, the consultant’s monitor, and the Company’s Security
Control Center.
b. Returning the automobile to the lessor or an authorized representative.

Reporting
Travel expenditures should be reported to the Company within thirty days of the completion of the
trip.
The original receipts, paid bills, or similar documentary evidence are required for all expenditures
except meals. However, receipts need not be submitted for expenses for which they would not
ordinarily be given: such as taxi or bus fares.
a. Expenses which are unusual in nature, such as reasonable and necessary costs of secre-
tarial service, office equipment rental, and related expenditures shall be explained and
justified in each instance.
b. Valet and laundry service, if required, are reimbursed for trips in excess of four days or
under unusual circumstances which must be explained on the Professional Services
Statement.
c. Consultants are reimbursed all reasonable and necessary actual expenditures for meals
and lodging.
d. Telephone calls to the various Company facilities should be placed collect, and tie-lines
should be used wherever available.
Lodging
The maximum amount for lodging in the Company headquarters area considered “reasonable” by
the auditors is _______________________ per night, including tax.
Meals
The maximum amount considered “reasonable” for three meals per day in the Company head-
quarters area is _______________________.
Personal Losses
Responsibility for loss of cash or loss of or damage to personal property is not assumed by the
Company while the consultant is in travel status.
Deviations
Deviations from the Company’s Travel Policy or Practice may be approved in specific instances,
when unusual circumstances justify such action. Such deviations must be fully documented and
approved by the appropriate management.

References
REFERENCES
nd
Cohen, W. A. (1985). How to make it big as a consultant, 2 ed. New York, NY: AMA COM.
Forensic methodology best practice. (2000). International Association of Professional Security

Consultants.
General security risk assessment guideline. (2003). Alexandria, VA: ASIS International.
Poynter, D. (1997). Expert witness handbook: Tips and techniques for the litigation consultant.
Santa Barbara, CA: Para Publishing.
rd
Sennewald, C. A. (2004). Security consulting, 3 ed. Woburn, MA: Butterworth-Heinemann.
Vellani, K. H., & Nahoun, J. D. (2001). Applied crime analysis. Woburn, MA: Butterworth-
Heinemann.
Weiss, A. (2001). The ultimate consultant: Powerful techniques for the successful practitioner.
Somerset, NJ: Pfeiffer.

CHAPTER 9
EXECUTIVE PROTECTION IN THE
CORPORATE ENVIRONMENT
Executive protection—the field of safeguarding a key person from harm—is practiced in the
private world (for wealthy persons), in civilian government (for a few persons in top-level positions
or in jobs that place them in high-threat regions), in the military (for the highest-ranking officers),
and in the corporate world (for senior executives, employees, visitors and family members of ex-
pats who work in or travel to dangerous locales). This chapter focuses on executive protection (EP)
as practiced in the corporate sector for executives at high risk.
The sections that follow describe the key elements of EP. The discussion covers such topics as the
importance of EP, some philosophical underpinnings of the field, and specific methods of
protection in various settings
9.1 HISTORY OF EXECUTIVE PROTECTION

Political leaders have used bodyguards and special military details for protection throughout
history. One of the earliest well-documented examples is the Cohors Praetoria, or Praetorian
Guard, which began as a cohort of bodyguards for Roman generals in the second century BC
and evolved to become a protective force surrounding the Roman emperors. Eventually, it
became powerful enough to affect the appointment of emperors and was deemed to be a
disruptive force. Roman Emperor Constantine I disbanded the guard in 312 AD (Praetorian
Guard, 2004).

EXECUTIVE PROTECTION
9.1 History of Executive Protection
The Yeomen of the Guard was established by King Henry VII in 1485 to serve as the personal
protection organization for the ruler of England. In the beginning, the yeomen provided
travel security, attending to the king’s safety on journeys in Britain or overseas and in battle.
They also guarded palace entrances and tasted the king’s food. The Yeoman of the Guard
exists to this day but serves a mainly ceremonial function (Yeomen of the Guard, 2004).
Other personal protection groups in history include the samurai of Japan, the medieval
knights of many European states, the housecarls of Scandinavia, and the Vatican’s Swiss
Guard. These precursors of today’s executive protection organizations were essentially
military divisions that were assigned to protect a sovereign.
The modern history of executive protection begins with the formation of the United States
Secret Service in 1865. Originally established to investigate currency counterfeiting, the
Secret Service did not undertake EP work until 1894, when it began informal, part-time
protection of President Grover Cleveland. In 1901, Congress requested Secret Service
presidential protection, again informally, following the assassination of President William
McKinley. Finally, in 1902 the Secret Service assumed full-time responsibility for protecting
the U.S. President. Two operatives were assigned full-time to the White House detail (Secret
Service History—Timeline, 2004).
Executive protection (EP) in its current, corporate sense—that is, practiced without the vast
th
resources and law enforcement powers of the federal government—appears to be a mid-20
century innovation. As corporations established security departments, those departments
naturally looked to the protection of their top executives. At first, EP specialists—the actual
protective personnel—were drawn from the ranks of former Secret Service agents, police
department dignitary protection officers, and military personnel. Over time, another path to EP
work developed: staff would rise through the ranks of corporate security and develop EP skills at
private sector EP training programs. Such programs began to be seen in the early 1980s.
Interest in corporate executive protection began to grow in earnest in the early 1990s as a
result of a rise in all types of crime and the advent of workplace violence. The trend was
fueled by mainstream media reports of high-profile executive kidnappings, which led to
huge ransom payments and even deaths. Corporations began to see the value of providing
their top executives with personal protection, and executives welcomed the comfort zone
provided by having an EP specialist on staff. Organization such as ASIS International began
offering courses on executive protection to train security professionals in this specialty.
Demand for EP services grew further after the terrorist attacks of September 11, 2001. During
the subsequent war on terror, interest remained high, as terrorist attention expanded to
include “soft targets,” or persons who do not receive high-level government protection but
play a role in international affairs and the world economy. Many corporations turned to EP
for the first time at the urging of a corporate board that saw the potential for stock volatility
should their high-ranking executives be targeted.

9.2 Research on Executive Protection
9.2 RESEARCH ON EXECUTIVE PROTECTION

As a relatively new private security specialty, EP has not been the subject of any known
formal studies. It is not a field that lends itself to clinical trials, testing by engineers, or
reproducible experiments. Further, it is not yet practiced on a large enough scale to provide
statistically significant research. Studies are also inhibited because persons receiving executive
protection generally do not want to publicize that part of their security plans. In fact, secrecy is
often literally a condition of the kidnap-and-ransom insurance policies that accompany such
protection.
Research has been conducted on the specific EP subtopic of assassination, however. The
Exceptional Case Study Project performed by the U.S. Secret Service examined the thinking
and behavior of 83 persons known to have attacked or come close to attacking prominent
public officials and figures in the United States in the past 50 years.
The following points are among the study’s key findings:
x Mental illness only rarely plays a key role in assassination behaviors. Attacks on
prominent persons are the actions of persons who see assassination as a way to
achieve their goals or solve problems, which requires fairly rational thinking. Those
who made near-lethal approaches and the great majority of assassins were not
mentally ill. While none were models of emotional well-being, relatively few suffered
from serious mental illnesses that caused their attack behaviors.
x Persons who pose an actual threat often do not make threats, especially avoiding
direct threats. Although some who threaten others may pose a real threat, usually they
do not. The research found that none of the 43 assassins and attackers communicated
a direct threat to their targets before their attacks. This finding does not mean that
individuals should ignore threatening communications. However, careful attention
should also be paid to identifying, investigating, and assessing anyone whose behavior
suggests that he or she might pose a threat of violence, even if the individual does not
communicate direct threats to a target or to the authorities.
x Attackers and those who made near-lethal approaches described having a combi-
nation of motives. Eight specific motives were identified: to achieve notoriety or fame;
bring attention to a personal or public problem; avenge a perceived wrong; end
personal pain, be removed from society, or be killed; save the country or the world;
develop a special relationship with the target; make money; or bring about political
change.
x Inappropriate or unusual interest, coupled with action, increased the likelihood that
the person may pose a threat. Inappropriate or unusual interest alone is not cause for
great alarm. But if that interest also includes visits to the target’s home or office or
attempts to approach the target in a public place, the case is more serious.

9.3 Basics of Executive Protection
In addition, numerous articles and books have studied EP by examining and describing the
way it is practiced in different settings. The references at the end of this chapter provide
direction for additional reading.
9.3 BASICS OF EXECUTIVE PROTECTION

In the corporate world, executive protection is a business measure taken to preserve the
organization. EP is not a perquisite designed to pamper top staff; rather, where it is justified
by a careful risk assessment (see EP Risk Assessment), it is a necessity to maintain the
company’s ability to operate and to preserve confidence among employees, customers, and
investors. Even an attack that causes no serious injury can bring unflattering attention to an
organization and raise questions about its competence and preparedness.
In times when the general risk level is elevated, EP strives to (Oatman, 2003)
create an environment in which business can flourish. Executives face special dangers at
present, but these threats are not all equally relevant to every company decision-maker. EP
can help executives decide which dangers are serious and which are less so for their own
unique situations. EP can also reduce those dangers, enabling executives to concentrate on
business and giving them the necessary confidence to travel in search of opportunities.
9.4 FINANCIAL IMPLICATIONS OF EXECUTIVE PROTECTION

Threats to an executive constitute a business risk. By protecting the executive, a valuable
corporate asset, EP fulfills a legitimate part of the organization’s risk management mission.
In addition, EP maximizes the utility of that asset, enabling the executive to live safely in, and
move efficiently through, this dangerous world. Under proper protection, the executive need
not focus on his or her personal safety and can concentrate fully on the business at hand.
A good EP program costs less than the benefits it produces or the damage it prevents. The
financial argument in favor of EP is, in fact, overwhelming. For example, assume that a
corporation has a modest EP program, consisting of four EP specialists and an EP manager,
which costs $300,000 per year. Then suppose the chief executive is kidnapped, murdered, or
otherwise made incapable of running the company. The organization can expect three types
of financial losses: its stock price may slide following release of the bad news, which can
easily cost a company millions of dollars; the executive’s services will be lost either temporarily
or permanently, which can be calculated conservatively as the compensation he or she would
have been paid, again possibly millions of dollars; and employees may well be distracted
from their work, which is difficult to quantify but surely significant. Thus, while the cost of
the EP program was $300,000, the losses avoided could be millions of dollars.

9.5 Philosophy of Protection
In addition, the cost of the EP program should be offset by the positive benefits it provides,
not just the avoidance of injury. If the EP program enables the executive to effectively work
an extra hour each day because his or her transportation is facilitated to and from the office,
for example, the corporation will have gained further productivity from its executive.
A specific example of an extreme case of corporate losses after an attack against company
principals occurred on July 1,1993, when Gian Luigi Ferri walked into the offices of the San
Francisco law firm Pettit & Martin, hauling a black canvas bag stuffed with guns and
ammunition. He entered a conference room and began shooting, then walked through two
floors of the firm’s offices, continuing to shoot. Ferri, a disgruntled client, killed eight people,
wounded six, and then shot himself. Less than two years later, the firm’s partners voted to
dissolve the firm, which at its height in the 1980s had employed 240 lawyers (Chicago
Tribune, 1993-1995).
9.5 PHILOSOPHY OF PROTECTION

In the corporate sphere, the person who oversees executive protection may be the chief
security officer (CSO) or a security manager or EP manager ranking below the CSO. The best
approach is to establish a crisis management team during the preplanning stage. The person
who performs the in-person, up-close service—who walks, rides, and flies with the executive—
is usually called the EP specialist. The term “bodyguard” is not favored in the EP field because
that term connotes a swaggering, blustery approach more like that of a bar’s bouncer who
often physically intimidates troublesome people. By contrast, the favored approach in
professional executive protection is to draw little attention to the principal as well as the
protector.
The EP specialist (EPS) should develop a particular mindset that focuses on preventing and
avoiding trouble rather than combating it. The following six principles can guide one’s
thinking about EP (Oatman, 1997):
x Prevent and avoid danger.
x Realize that anyone can protect anyone.

x Don’t stop to think.
x Keep clients out of trouble.

x Understand the security vs. convenience continuum.
x Rely on brains, not technology.

Prevent and avoid danger.

The principal and the EP specialist should make a conscious decision to seize control of
potential or real dangers that threaten the executive, deal with them firmly, and conquer
them. Avoiding danger may not have been a driving character trait of either the EPS or the
principal until they decided to engage in executive protection. Top executives are often risk-
takers, and individuals who become EP specialists often have backgrounds in law
enforcement and the military, where a mindset of heading toward trouble, rather than
retreating from it, prevails. Therefore, the executive and the EPS must make a deliberate,
firm commitment to prevent and avoid danger. Good results—and good fortune—follow
from thinking hard and working hard to stay at least a step ahead of trouble
To accomplish this goal, the EPS and the executive do not need to passively sit back and
receive what comes their way. Instead, they should reach out mentally to anticipate threats.
To counter potential problems, the strengths of the protection program and the resources
available to the EPS should be cataloged so they can be used when needed. Likewise, the
protection program’s vulnerabilities should also be identified (undoubtedly, the adversary
will find them). By predicting the adversary’s probable approach, he or she can be outwitted.
Finally, the EP specialist should quietly control the principal’s risks. For example, hotel
inspectors do not die if a poorly inspected hotel burns; the guests do. Therefore, the EPS can
and should prevent and avoid danger by selecting hotels with proven safety records and even
plotting fire escape routes and packing smoke masks.
Realize that with proper training anyone can protect anyone.

While protecting another human being is a daunting task, the EP specialist can combine his
or her personal strengths with those of others with different abilities. Perhaps a particular
EPS is brave, intelligent, and strong but has little experience in defensive driving. In that case,
the EPS can lobby for the hiring of a professional driver or can become one through training
and practice. Although the most visible components of EP involve physical acumen—for
example, driving cars, watching for attackers, or moving quickly to avoid threats—executive
protection is primarily a brain game. Therefore, anyone—that is, anyone who is intelligent,
trained, and physically fit—can protect anyone.
Don’t stop to think.

A thoughtful, deliberate reaction to a dangerous situation will almost always fail. When a
threat, attack, or danger actually arises, it typically explodes onto the scene, leaving no time
for a thoughtful, deliberate reaction. By remembering this principle, the EP specialist can
keep in mind the necessity of constantly practicing reactions to different scenarios. Such
practice should be physical, rehearsing protective movements and quick escapes or
practicing driving or shooting. It should also be mental, constantly asking “what if?” and
considering reactions. By maintaining both physical and mental acuity, the EPS has a better

chance of reacting to a real or potential emergency appropriately and immediately, without a

lengthy thought process because the thinking has already been done.
Assaults and assassination attempts start and end with astonishing rapidity. Being mentally
prepared to respond far outweighs the value of any other precaution.
Keep clients out of trouble.

Because EP specialists are not fighters, bodyguards, or soldiers, their primary job is not to
knock down, arrest, or kill the bad guys. Their primary job is to avoid dangerous persons or
conditions, such as fire, street crime, or embarrassment. In an encounter with a would-be
assassin, the EPS should move the principal out of harm’s way, shield him or her, and then
remove the subject from the area as quickly as possible. The EPS should not stand and fight
unless there is no alternative.
An example of getting the client out of trouble would occur if, upon spotting a nearby,
potentially violent disturbance, the EPS pushes the principal into a car and speeds away to
safety. An example of keeping an executive out of trouble occurs when the EP specialist and
the subject communicate subtly, with a nondescript phrase or visual cue, that it is time to
leave a certain group or place before an embarrassing or dangerous situation arises.
Understand the security vs. convenience continuum.

EP specialists often state that security and convenience inhabit opposite ends of a
continuum. At one end of the continuum is the highest degree of security as well as the
highest degree of risk. At the other end is the greatest degree of convenience along with the
fewest inhibitors to a person’s lifestyle. Movement toward one end results in an equal
movement away from the other end. In other words, the more security an executive
demands, the less convenience he will have, and the more freedom he demands, the less
security he will have.
This principle helps keep security measures in perspective. Clearly, neither extreme—total
convenience or total security—is practical. The principal and the agent must decide where
on the continuum the executive should be and what tradeoffs to make. Each time an EP
specialist develops a new strategy to protect the executive, this principle can serve as a
reminder that increasing security beyond a certain point may needlessly hobble the
executive, making him less effective and, essentially, a victim of protection instead of a
victim of attack.
Rely on brains, not technology.

Protective equipment, while necessary, is not by itself sufficient for the protection of an
executive. Firearms, alarm systems, armored cars, and two-way radios are useful tools in the
EP specialist’s collection, but not one or all of them can be relied on to protect an executive
for several reasons.

9.6 EP Risk Assessment
First, overreliance on security technology tends to place subjects in a vault. To fulfill their
corporate obligations, executives must move around. If sequestered, they are no longer
executives but prisoners. Second, adversaries are often intelligent enough to defeat security
equipment. A determined adversary can defeat or circumvent alarms, disable armored cars,
or eavesdrop on two-way radios.
An EPS can hope to buy defensive time with equipment, but when the adversary strikes,
salvation lies in the EPS’s conditioned responses for removing the principal from harm’s
way. Among gun battles that have taken place in the executive protection field, almost none
have lasted more than a few seconds. Likewise, in every U.S. presidential assassination
attempt to date, the Secret Service has chosen to follow its model of “cover and evacuate”
and has not opted to return fire. In other words, in crises, historically it has been shown to be
more important for EP specialists to use their heads, not their weapons or other security
equipment.
9.6 EP RISK ASSESSMENT

Executives in the United States may think of kidnapping as something that occurs only in
other countries. While kidnapping rates are much higher outside the United States, this
crime does happen within U.S. borders more often than one might imagine. Annual FBI
kidnapping statistics, excluding parental kidnappings, show the following number of
incidents in recent years: 304 in 2000, 263 in 2001, 201 in 2002, and 227 in 2003.
While no official list records business-related kidnappings, news accounts describe many
victims: Charles Geschke, president and chief executive officer of Adobe Systems Inc.; Kevyn
Wynn, daughter of casino tycoon Steve Wynn; and Harvey Weinstein, chief executive of Lord
West Formalwear. A typical incident occurred in January 2003, when three men abducted 40-
year-old hedge fund executive Edward Lampert and held him at a hotel for two days.
Lampert, worth an estimated $800 million, was grabbed in the parking garage of his
Greenwich, Connecticut, investment company headquarters. He was eventually freed
unharmed, even though a $5 million ransom demand was not met. When the police
cornered the perpetrators in their hotel room, they also found a mask, a shotgun, and seven
rounds of ammunition. Two of the three kidnappers were fresh from prison after serving
stretches for drug dealing (Scarponi, 2004).
Financial gain is only one of the many motives of corporate adversaries, however. Many large
corporations and many corporate executives are at risk of attack from many types of
dangerous individuals and groups. They may have personal grievances against the
corporation or its executives, may be animated by greed, or may object to such issues as
environmental or labor practices, political affiliation, or animal testing. The company’s role

9.6 EP Risk Assessment
in the global marketplace or its involvement in controversial biomedical issues may cause
some malcontents to plot harmful tactics against a corporate executive who, in their minds,
embodies the perceived corporate misdeeds.
To counter potential attacks, every company has a finite amount of protective resources.
Those resources, which include money, staff, influence, knowledge, and contacts, must be
spent wisely. It would be foolish and inefficient to divide the resources evenly across the
universe of conceivable threats. It makes more sense to allocate those resources toward
preventing the threats that present the greatest possibility of harm. The appropriate
allocation of resources to a specific situation is determined through a risk assessment.
In conducting an EP risk assessment, the specialist must consider two factors. First, the
threats that the executive faces must be analyzed based on multiple considerations such as
the executive’s position with the employer, access to and level of exposure among potential
adversaries, access to wealth or other lifestyle attributes, publicity, and travel practices. An
EP risk analysis answers questions such as the following:
x Who would want to harm the executive?
x How are adversaries gaining information about the executive?
x What is the current likelihood of the various identified threats?

x Does the executive desire, require, and accept protection during the work day? Only
when traveling? Twenty-four hours a day?
Second, the specialist must assess the likelihood that threats could be carried out
successfully. The range of threats to a person’s safety and well-being is vast. Perhaps the
most troubling are events that have been known to occur, but are unexpected. The following
list is only a sample of the real threats faced by many executives:
x assassination
x kidnapping
x extortion
x street violence
x attacks by insane persons or zealots
x workplace violence
x embarrassment (deliberate or accidental)
x injury (unintentional)
x illness or medical emergency

9.7 The Power of Information
The results of these two reviews will provide a relative risk ranking: negligible, low, moderate,
high, or critical.
At a given company, not all executives face the same risk level. Some executives represent
controversial aspects of the company and have a high public profile, while others operate
behind the scenes and are relatively unknown.
To arrive at an appropriate threat level for a particular executive, the EP risk assessment
should identify all potential threat elements, from protesters, criminals, extremists, and
terrorists to workplace violence and hazards due to the executive’s travel or other activities.
The specialist should then analyze whether each element poses a threat to the executive. The
assessment should ascertain how an event might unfold. It should also identify individuals
who have the capability and intent to harm, have a history of threatening the executive or
others, or have actually targeted the executive. Based on the results, the principal can be given
one of the risk rankings and provided with the appropriate protection.
A key feature of risk assessments is that they do not last. In other words, the level of risk shifts
often, so risk assessments must be performed on a recurring basis. An example of reassessing
risk in light of changing events and altering EP measures accordingly is illustrated in the
following report (Oatman, 2002):
[S]hortly after the September 11 terrorist attacks, one company … developed reliable
intelligence that its aircraft and passengers faced an elevated risk. To deal with this increased
threat, the company decided to send an executive protection specialist on every corporate
flight. The specialist not only provided security during flights but also was responsible for
ensuring physical and procedural security of aircraft on the ground.
9.7 THE POWER OF INFORMATION

The importance of conducting ongoing research about potential threats to the executive
cannot be overstressed. Details on changes in the executive’s status, new threat groups,
exposure in the media, and other factors need to be constantly monitored.
One of the key determinants of threat level is how well the executive is known to potential
adversaries. Access to information about an executive by those intent on doing harm
increases and facilitates several kinds of threats, such as identity theft, extortion, kidnapping
of family members or relatives, and efforts to do the executive personal injury. Also,
obtaining one piece of information makes it easier to obtain others. Dedicated adversaries
can generally build a thorough profile of an individual by learning the names of schools
attended by the executive or family members and by obtaining school yearbook
photographs, which can be parlayed into other information.

9.8 Office and Home
The Internet makes it almost effortless for researchers, both benevolent and malevolent, to
read current and past articles about any topic or person they choose. Even a cursory Web
search on many executives discloses the names of their spouses and children and their city of
residence. It is important to remember that the Web truly is worldwide, so adversaries in
other parts of the globe can research an executive just as easily as the executive’s next door
neighbor.
In addition, information seekers can learn more detailed information about their targets by
paying a small fee for vehicle title records, property records, voter registration records, birth
and death records, genealogical information, and other data. Such information can be
gathered either online or through visits to local record repositories, such as city halls.
Another common practice is simply to ask a target’s friends and neighbors for information,
using various pretexts.
In assessing risk, it is useful to know what information is available that could arouse envy,
hatred, or revenge or help an adversary locate and harm the executive or his family
(Shackley, 2003, p. 86):
If the executive can be thought of as having “deep pockets,” the possibility of kidnapping
ought to occur to him. Note, we are not talking here in terms of absolutes, but of how a
person appears to others within his environment. It is not his net worth that counts so
much as how he is perceived by a prospective kidnapper. And, we might add, whether he is
perceived. Any media publicity about a person’s wealth is harmful, and, unfortunately, the
press seems to take an excessive interest in the private financial affairs of the well-to-do.
One of our metropolitan newspapers recently published a list of the twenty best-paid
regional CEOs, together with the amount of their compensation and their photographs,
thereby handing potential kidnappers invaluable target intelligence.
9.8 OFFICE AND HOME

Most executives spend the majority of their time at their offices and their homes. While they
are in those locations, traditional security methods should be employed to protect them.
Those methods are described in detail elsewhere in Protection of Assets. Nevertheless, in
general, effective executive protection requires rings of protection: an outer perimeter, one
or more inner perimeters, and in some cases a safe room. (A safe room is a protected space in
the innermost part of the office or home to which the executive can safely retreat during an
attack.) Those rings are typically composed of physical security tactics such as perimeter
protection (using fences, gates, or other barriers), access control (using protective doors,
turnstiles, card readers, or other devices), lighting (to impede hiding and improve recog-
nition of adversaries), closed-circuit television (to identify visitors and to provide counter-

9.9 The Advance
surveillance on adversaries who may be watching the site), and intrusion alarm systems (to
announce penetrations).
Executives who are at risk of attack tend to be more aware of security at work than at home. An
adversary, however, may actually find it easier to attack an executive at his or her residence.
Historically, the home is a softer target simply because an executive, at the end of a busy day,
wants to relax in an atmosphere that does not resemble a corporate security setting with lights,
cameras, and other equipment. An infamous example of the risk in and around an executive’s
home concerns Sidney Reso, a New Jersey Exxon executive who was kidnapped as he left his
home April 29, 1992. He was shot in the arm when he was seized and died five days later, found
bound and gagged in a sweltering storage locker (Chicago Tribune, 1992).
9.9 THE ADVANCE

In executive protection, an advance is the process of researching a destination before the
principal arrives—in effect, a preemptive strike against confusion and exposure. Advance
work requires that a member of the protection team actually go to the destination to prepare
the way. However, advance work does not apply solely to long-distance travel. Any location
that the executive intends to visit should be advanced—even if it is just across the street. An
EPS who has done a proper advance has a much better chance of keeping the principal out of
trouble. Further, should a threatening event actually occur, the EPS will know how to remove
the executive from the situation, whom to summon for help, and where to get medical or any
other type of needed assistance.
When two EP specialists are available, both need not be assigned to accompany the traveling
executive. A preferred method is to have one conduct the advance while the other
accompanies the executive. Advance work is that important.
A good advance reduces the executive’s exposure by smoothing logistics. If hotel check-in,
billing, baggage handling, parking, and other matters are worked out by the EP specialist
handling the advance, then the executive can exit his car at a hotel’s front door, walk straight
through the lobby to the elevators, and arrive quickly at his or her room. Similarly, if an
advance agent has scouted out the route to an executive’s speaking engagement and has
properly studied the meeting location, then the agent accompanying the executive can lead
him or her into the building through a side door if necessary or can take an alternate route to
avoid unfavorable conditions and circumstances (Oatman, 1997). Obviously, these tactics
can keep the executive out of many potentially undesirable encounters and locations.

9.9 The Advance
Local Travel
If a protected executive must travel locally, the ideal arrangement will place the executive in
a suitable car driven by a trained security driver and accompanied by the EP specialist. The
route selected should be carefully previewed, and the rest of the company’s security function
should be aware of the plan.
While executives are vulnerable when they drive themselves, they do not need to be driven at
all times and to all places. The decision to use a car and driver should be based on a risk
assessment. If driven by someone else, however, the executive can work, rest, or, if an attack
occurs, lie down out of the line of fire.
The vehicle in which the executive is transported should provide generous interior space (for
the executive, the EP specialist, and any necessary equipment), substantial protective bulk
(for ramming), and a powerful engine (to escape attackers). The risk assessment should
determine whether an armored vehicle is needed. Most cars can be armored after manu-
facture, and some major automotive companies provide factory-armored vehicles. An
advantage of factory-armored vehicles is that they blend in with other vehicles and, thus, do
not attract attention to the principal.
Features of armored vehicles include bullet-resistant metal panels and glass; run-flat tires; an
anti-exploding fuel tank; a steel-reinforced front bumper designed for ramming; electric
dead bolt locks; a dual battery system; an inside/outside intercom; and a remote starter.
Many new cars, armored or not, now come with a device for opening the trunk from its
interior, which is useful if needed for escape. A car used for EP should also have a global
positioning system (GPS) to reduce the likelihood of getting lost; a locking gas cap; a mobile
phone; a protected exhaust pipe; an electronic aid system such as On-Star; and an alarm
system.
Regarding the driver, it is best to employ a trained security driver, not simply a chauffeur.
The security driver will know the protocol of a chauffeur plus have the ability to take evasive
action if needed (Scotti, 1995). If the security department’s staffing can accommodate it, the
security driver should be someone other than the EP specialist. If an EPS must also drive, he
or she will be unable to scan the travel route for potential threats and may have to drop the
principal at the destination and then park, leaving the executive alone during crucial arrival
and departure periods.
A key practice is for the EPS to call the main security office as soon as the executive’s trip gets
under way. By noting travel details, such as “We are leaving the plant and returning to the
office. It’s now 3:15 p.m., and we’re taking I-67 to U.S. 20,” the EPS makes it possible for other
security personnel or law enforcement authorities to retrace the executive’s steps if the car
should be missing. To prevent the communication from being heard by an adversary who

9.9 The Advance
may be eavesdropping, discreet or coded language should be used to describe who is

traveling and what route is being taken. The EP specialist should also search the car
thoroughly anytime it has been out of sight and unguarded. Because a thorough search is
time-consuming, the car should be kept in a locked, alarmed garage whenever possible.
Once the car has been searched, it only stays “sterile” if it is locked away or kept under
surveillance.
Finally, regarding the route, the driver should rely on advance work to ensure that the route
selected is fast, does not pass through dangerous areas, and requires a minimum of stopping.
The driver also needs to know several alternate routes, identify safe havens for stops along the
way, and find the location of hospitals, police stations, and other potentially vital resources
along the route. The driver should also investigate such factors as the time it takes to reach
various stages along the route, the likely level of traffic, road conditions, construction work or
detours, drawbridge openings, and other temporary conditions that could affect the trip. The
advance should be performed at the same time of the day the executive will be traveling so the
EP specialist can ascertain the traffic flow. An additional precaution would be to drive the
advance route in a different vehicle than the one in which the principal will be transported.
Long-Distance Travel
Out-of-town travel can present many risks to an executive. Some of those risks have to do
with the unfamiliarity of the place visited, while others have to do with making scheduled,
public appearances before potentially hostile audiences. Trips within the executive’s home
country present one level of risk; trips to other countries can be even more risky if the
destination is unfamiliar or especially dangerous.
In general, before taking the executive on a trip to another country, the EPS should complete
both research from home and advance travel. In the pre-travel research, the EP specialist
should first determine whether the trip is truly necessary. If the answer is “yes,” the EPS
should pursue the following “know before you go” steps:
x Conduct Internet research on current facts about the destination.

x Obtain a professional country briefing to learn the history and current affairs of the
country, including attitudes held there about the executive’s home country. Such
information is available from numerous governmental and commercial sources.
x Become familiar with the country’s climate, health conditions, time zone or zones, and
currency rates.
x Learn the key points of local social customs.

x Clarify why the principal is going on the trip, how he or she wishes to travel, and who
will attend scheduled meetings.

9.9 The Advance
Also, before the executive actually embarks on the trip, the EPS should take the following
steps:
x Conduct an advance mission to the proposed destination.
x Touch base with local security or law enforcement contacts and the local embassy or
consulate of the executive’s home country.
x Perform a risk assessment for the destination.
x Make reservations strategically, by choosing the safest lodgings and modes of

transportation, and discreetly, by not advertising to potential adversaries that the
executive will be traveling.
x Arrange appropriate travel documents such as visas, passports, and itineraries.
x Rehearse, mentally if not physically, security measures for travel by all modes that
could be used, including commercial and private planes, autos, boats, ships, and
trains.
x Review personal security tips with the executive.

x Examine health aspects of the trip. Pack appropriate health-related items and informa-
tion, and develop or refresh the plan that will be followed in health emergencies. Line
up all necessary emergency assistance, such as hospitals, trauma centers, medical
transportation, and suitable doctors.
When the trip actually takes place, the EPS should remember a three-part key security
concept: keep a low profile, stay away from problem areas and situations, and know what to
do if trouble arises. As was recommended for local travel, the EP specialist should also
communicate frequently with the security home base.
Avoid western gathering places. If you are traveling to a region designated as high risk by the
U.S. Department of State, there are additional measures that should be considered. Often,
terrorists will seek to identify and attack a location that will be certain to have a high
concentration of Americans or other westerners present at a specific time. For example, a
horrific practice, which has long been used by terror groups, is to target religious services at
houses of worship frequented by westerners. The reason is obvious. A Christian church
serving the international community will provide them a target, which is certain to be filled
every Sunday morning at 9:00 a.m. This presents a tough choice for an individual to whom
church service is an important part of life. The same is true for nightclubs and other locations
catering to Americans and western Europeans. If the State Department suggests avoiding
such places in a country to which the principal is traveling to, it is best to heed the warning.
Wherever the principal travels, it is always a good practice to immediately identify all
emergency exits and make sure they are functional. Many foreign countries do not have fire

9.10 Working the Principle
codes that mandate identifiable emergency exits in all public establishments. It is vital for the
EP specialist to know how to get out of any place he might take the principal into.
For some executives, the risk level warrants the use of private aircraft whenever possible.
Commercial air travel presents risks both on the ground and in the air. On the ground, at
large, busy airports, inconvenient delays can occur during pickup and drop-off; the executive
may be recognized and bothered by other travelers; airport lobbies (on the unsecured side)
are notorious terrorist targets; and busy security checkpoints can create opportunities for
losing personal property, missing flights, and enduring embarrassing searches.
By traveling in a private aircraft, the executive can avoid bothersome people and receive
individualized customer service. Further, the small lobbies used by general aviation fixed-
base operators (FBOs) are not prime targets for terrorists who wish to draw attention to their
cause. EP specialists can exert much more control over the security conditions of a general
aviation FBO and private aircraft than they can over large, bustling airports serving major
airlines.
A popular option for private travel is fractional aircraft ownership through an aircraft
management company. The principal’s corporation might, for example, purchase a one-
quarter share of a certain type and size of aircraft.
Flying via general aviation using private aircraft at terminals or airports that are separate
from those used by major air carriers reduces the likelihood of being in the wrong place at
the wrong time—that is, of happening to be at a major public airport during a significant
attack. Also, general aviation airports in the United States must abide by the detailed security
guidelines established by the Transportation Security Administration of the U.S. Department
of Homeland Security (Security Guidelines for General Aviation Airports, 2004).
Once a commercial aircraft takes off, the executive cannot know whether a dangerous person
is on board. By contrast, in private aviation, every passenger will probably be known to the
executive or someone else on the aircraft.
9.10 WORKING THE PRINCIPAL

The choreography used by the EP specialist to physically move about with the subject is
called “working the principal.” A combination of the risk level and the personal preferences
of the executive will determine the extent to which an EP specialist must personally
accompany the principal. The CSO, EP manager, or EP specialist should discuss this issue
with the executive. It may be that the risk level is high and the principal is willing to be
accompanied by an EP specialist at all times. Alternatively, despite the high risk, the principal

9.10 Working the Principal
may be unwilling to be accompanied by an EP specialist and may only tolerate using the EPS
as a driver. A lower risk level might suggest that the specialist only needs to be with the
executive when he or she is outside the home or leaves the office. There are many points on
that continuum of protection, and the issue can only be worked out through discussions
between the security staff and the principal.
If the CSO, EP manager, or EP specialist believes the risk level warrants close-in, personal
protection, the executive should understand that a trained EP specialist can blend into
professional settings and not look like a “bodyguard.” Some EP specialists now use the title
“assistant to the CEO” to blend in, standing off to the side of a meeting or social gathering
while performing their countersurveillance tactics.
The relationship between the EP specialist and the executive is an extremely important
component of executive protection. In some ways, the relationship calls for an odd
juxtaposition of roles. The executive is clearly the boss, yet the EP specialist must be able to
give orders in times of danger and advice at regular intervals. In executive protection, a
professional but not too personal relationship enables both the protector and the principal
to perform their jobs freely.
An interesting rule of thumb, from the perspective of the executive, comes from a former
high-ranking U.S. government official who is now receiving private protection. He tells his
protective detail, “Stand close enough to protect me, but not so close that I have to introduce
you.”
When working a principal, an EPS will find that conditions change. The EPS may safely bring
the executive to a destination, such as a conference at which he or she is speaking, but the
job does not end there. Once inside the meeting hall, for example, the EPS should start
scanning and calculating—that is, scanning the surroundings for items, people, or
arrangements that appear potentially threatening or seem somehow out of place, and
calculating possible reactions should trouble arise. This is the time for the EPS to take
notice—especially of people’s hands, of objects they may be carrying, or of visible signs of
nervousness—and to constantly ask, “What if?”
If the EPS conducted an advance visit to the site, he or she should try to discern what may
have changed since that visit. Is the layout different? Are entrances and exits temporarily
blocked? Are different people at key locations? What about that fidgety, inappropriately
dressed man in the front row? Who are those people in the back with signs, pushing their way
through the crowd?
Should an attack occur, all of the EP specialist’s instincts, training, and conditioning come
together. When an attacker pulls a knife, fires a shot, rams the executive’s car with his own,

9.10 Working the Principal
lunges at the executive, or makes some other clearly dangerous, aggressive move, the
specialist cannot stop and ponder how to react. The whole sequence, from the EPS’s first
sighting of the threat to the evacuation of the executive, might take as little as four seconds.
A good example of how fast an attack can happen and how fast the correct response must
take place is the March 30, 1981, assassination attempt against U.S. President Ronald Reagan
outside the Washington Hilton. The perpetrator, John Hinckley, fired six rounds into the
gathered crowd in less than three seconds. On hearing the shots, Secret Service Agent Jerry
Parr reacted instinctively and pushed the President into a waiting limousine, which rushed to
The George Washington University Hospital.
Many responses happened at once, which makes this case an interesting example of profes-
sional executive protection. In a matter of seconds, some members of the protective detail
shielded the President with their own bodies, others pushed him into the car, and the driver
knew where to take the wounded President. Still others surrounded and piled on top of the
assailant, who was arrested by police on the spot.
The Hinckley episode also illustrates a widely accepted chain of action that must occur
during an incident. The following list defines the four steps in the chain:
x Arm’s reach. If the attacker is within an arm’s reach of the EPS, the EPS should move to
immobilize him. If the attacker is beyond an arm’s reach, the EPS should move to cover
the executive.
x Sound off. The specialist shouts the type of weapon displayed and the direction, in
relation to the principal, from which it is coming. By shouting “Gun!” or “Gun to the
right!” the specialist alerts other EP specialists who may be present to spring into action
and attempts to involve other people in the resolving the situation.
x Cover. This term means far more than simply finding cover or a safe place to which the
agent and principal can flee. Its primary meaning is to call on the EPS to cover the
executive’s body with his or her own.
x Evacuate. The overriding need to get the executive out of danger underscores the
difference between the missions of executive protection specialists and of the police or
the military. The EPS mission—avoiding opponents rather than pursuing them—
cannot be overemphasized. Stopping to fight an adversary when it would be quicker to
dash out a side door raises, not lowers, the odds that the executive will be injured. The
protective detail should concentrate on shielding and removing the principal, leaving
apprehension of the attacker to the police.

9.11 Protection Resources
9.11 PROTECTION RESOURCES

A key phrase to remember in executive protection is “use your resources.” EP is a complicated
task, and the wise EPS makes use of all the resources at his or her disposal. The following are
several of the most important:
x Law enforcement contacts. Law enforcement contacts can provide intelligence and
specialized assistance such as off-duty staffing, if permitted. These contacts work best
when they are developed over time or at least during the advance visit.
x News and briefings. The EP specialist should periodically conduct Internet or other
research to discover and track information on the principal as well as on individuals,
organizations, and conditions that might pose a threat to the principal.
x Networking. By developing a network of colleagues from EP training or protective

assignments, the EP specialist will have a ready resource from which to extract answers
to such questions as which hotels in a given city are safe and convenient, which
airports have become impractical to use, which companies are good suppliers of
protection support personnel, which types of automobiles are especially useful in
protective operations, and which security driving services are the most reliable.
9.12 FUTURE OF EXECUTIVE PROTECTION

Though prediction is an inexact art, the risk level faced by corporate executives seems
unlikely to decline substantially anytime in the near future. Somewhat more predictable is
the march of technological progress and information exchange. The following developments
will most likely affect the future of executive protection:
x Technological miniaturization and combination. Now that mobile phones can take
digital photographs and video, EP specialists can capture images while conducting
advance visits and send the photos or video back to a security headquarters. Similarly,
as GPS devices are miniaturized to the point where they can be concealed in
wristwatches and belts, they can be used to track a principal if he or she is missing.
x Up-to-date travel information. Many companies provide around-the-clock intel-

ligence regarding travel destinations. They can even send immediate updates by
mobile phone to keep an EPS posted on such general information as travel delays or
weather problems, or specific details on a company’s striking employees or a city’s
political demonstration.

9.12 Future of Executive Protection
x Information Sharing and Analysis Centers (ISACs). ISACs in several industrial sectors
(such as chemical or financial services) share threat information and solutions with
each other and with the U.S. government. They are a potentially powerful source of
information for EP specialists.
x Improved training equipment. The newest firearms training simulators enable EP spe-
cialists to engage in realistic practice and problem solving.
x Protected vehicles. Protected cars, now being built by auto manufacturers, look
identical to ordinary cars and, therefore, do not draw attention to themselves or their
occupants.
x Body armor. The newest body armor is lightweight and can be worn comfortably and
unobtrusively if the need arises. However, it is not generally available to individuals in
the private sector.
In today’s corporate environment, executive protection, formerly an exotic service, has

become a mainstream security function. Many corporations have taken the initiative to
conduct risk assessments of their top executives, especially executives who are recognizable
representatives of the organization, travel extensively, or are exposed to other hazards.
If the risk level justifies protection, corporations choose from a continuum of service levels,
ranging from upgraded physical security measures at home and at work to full-time, in-
person protection by EP specialists. The corporation, the executive, and the EP specialist
cooperate to strike the right balance between convenience and security. Fortunately, when
EP is delivered skillfully, many executives find such protection to be both convenient and
comforting. The service adds valuable time to the executive’s day and relieves the executive
from having to focus on personal security concerns.
As with other fields in corporate security, a company’s investment in executive protection

pays dividends by protecting a key corporate asset: the executive’s life and well-being.

References
REFERENCES
Fein, Robert A., & Vossekuil, Bryan. (2000). Protective intelligence & threat assessment investigation:
A guide for state and local law enforcement officials. (Presents findings of the U.S. Secret Service
Exceptional Case Study Project.) Washington, DC: National Institute of Justice, U.S. Department
of Justice.
Encyclopædia Britannica [Online]. (2004.) Praetorian guard. Available: http://www.britannica.

com/eb/article?tocId 9061166 [2004, November 30].
Encyclopædia Britannica [Online]. 2004. Yeomen of the guard. Available: http://www.britannica.

com/eb/article?tocId 9077938 [2004, November 30].
Fox News [Online]. 2004. $5M kidnap thwarted by a pizza. Available: http://www.foxnews.com
[2003, January 14].
nd
Glazebrook, Jerry, & Nicholson, Nick. (2003). Executive Protection Specialist Handbook (2 ed.).
Shawnee Mission, KS: Varro Press.
Law firm dissolving after mass murder. (1995, March 7). Chicago Tribune.
Oatman, CPP, Robert L. (1997). The art of executive protection. Baltimore, MD: Noble House.
Oatman, CPP, Robert L. (2002, June). Airing on the side of safety. Security Management [Online].
Available: http://www.securitymanagement.com [2004, June 4].
Oatman, CPP, Robert L. (2003, June). Protecting Spirited Leaders. Security Management [Online].
Available: http://www.securitymanagement.com [2004, June 4].
Revenge motive seen in Exxon kidnapping. (1992, July 12). Chicago Tribune.
San Francisco carnage: Gunman kills 8, self. (1993, July 2). Chicago Tribune.
San Francisco gunman’s rage is revealed in four-page letter. (1993, July 4). Chicago Tribune.
Scarponi, Diane. (2004). Man gets jail for snatching executive [Online]. Associated Press. Available:
http://www.detnews.com [2004, September 2].
Scotti, Anthony (1995). Driving techniques. Ridgefield, NJ: Photo Graphics Publishing.
Security guidelines for general aviation airports. (2004). Transportation Security Administration,
Information Publication A-001, May 2004, Version 1.0.

References
Shackley, Theodore G. (2003). Still the target: Coping with terror and crime. Baltimore, MD: Noble
House.
United States Secret Service [Online]. (2004.) Secret Service history—Timeline. Available: http://
www.ustreas.gov/usss/history.shtml [2004, September 2].

CHAPTER 10
SECURITY AWARENESS
Security awareness means consciousness of an existing security program, its relevance, and the
effect of one’s behavior on reducing security risks. Security awareness is a continuing attitude that
can move individuals to take specific actions in support of enterprise security. While education
imparts general knowledge and training develops specific skills, security awareness efforts solicit
conscious attention. Employees and nonemployees who have been informed by security
awareness programs can act as a force multiplier for the security program. Security awareness is
vital because “the security of an organization rests squarely on the practices of employees” (Fay,
2006, p. 377).
10.1 LEVELS OF AWARENESS

Different levels of security awareness are appropriate for different categories of employees
and visitors.
10.1.1 EXECUTIVE MANAGEMENT

Chief executives, chief operating officers, and other senior personnel must be aware of the
security program because they are an enterprise’s top decision makers regarding risk and
resources. If they perceive the security program as an expense with no compensating return,
they may reduce or eliminate program funding.

SECURITY AWARENESS
10.1 Levels of Awareness
If the program is in fact valuable, security awareness efforts should focus on conveying the
following points:
x the program’s benefits
x the reasonableness of the program’s expenses compared to those benefits
For executive management, security awareness means awareness of the security program’s
financial contribution to the bottom line.
10.1.2 MIDDLE MANAGEMENT

Middle managers tend to be held accountable for the success of their individual
departments, so they view the security program in terms of its contribution toward that goal.
If a manager thinks the security program does not support the business goals or program
initiatives of the business unit, he or she may not support the program. The result may be
dislocations and strains that cause failures elsewhere in the enterprise.
For example, if the manager of a sensitive research laboratory believes the security require-
ments are unnecessary, he or she may disregard them and permit a general exchange of
information. In time, the widespread internal disclosure of sensitive data may result in an
unauthorized disclosure and the loss of a competitive advantage. The mere prospect of this
loss should encourage the lab manager to support security, as long as its requirements do
not impair research efforts.
10.1.3 FIRST-LINE SUPERVISION

First-line supervisors are typically concerned with specific processes or activities. For these
employees, security awareness focuses on how the security program aids or detracts from
specific performance objectives. For example, the head teller in a retail bank might be hostile
to a security practice involving bait money at teller positions because of the extended
counting time required at the close of the banking day. In addition, most complaints from
other employees about security are first raised with the supervisor. If many complaints are
lodged, the supervisor may view security as consuming an inordinate amount of his or her
time. Thus, security awareness efforts should show supervisors that the time and attention
required to comply with security rules are worthwhile in terms of supporting the supervisor’s
main tasks and protecting the employees and the business.

SECURITY AWARENESS
10.1 Levels of Awareness
10.1.4 INDIVIDUAL EMPLOYEES

Most modern management approaches to employee motivation assume that the employee is
willing and interested, and that while information and instruction are needed, coercion and
pressure are not. In many enterprises, the only formal exposure an employee gets to the
security program may be a brief reference to it on the first day of work. Such slight emphasis
on security awareness sends the message that the enterprise does not consider security to be
important.
If supervisors and managers are interested in and supportive of security, employees may gain
a favorable view of the program and support it by observing its rules. By contrast, if
supervisors and managers disapprove of the security program or show no interest in it,
employees may feel little motivation to support it.
10.1.5 NONEMPLOYEES
People who are not employees of the organization may also be affected by the security
program. They include vendors and suppliers, customers, service personnel, representatives
of government, and members of the public. Most of them have less opportunity than
employees to learn the applicable security requirements, but nevertheless it may be
important that they learn those requirements. For example, if a supplier will be given access
to sensitive proprietary information, he or she should be made aware of security procedures
that protect and account for such information.
Nonemployees may be more willing to comply with security procedures if they are given at
least a brief explanation of the reasons for the procedures. For example, a visitor may not
automatically perceive the wearing of a guest badge as useful or necessary. However, the
visitor may view the matter differently after a brief explanation that the badge permits
immediate recognition by and assistance from employees. In some cases, security awareness
must be supported formally with a confidentiality agreement.

SECURITY AWARENESS
10.2 Purposes of Security Awareness
10.2 PURPOSES OF SECURITY AWARENESS

Security awareness supports many important goals. Those who receive security awareness
instruction are better able to do the following:
x Protect company assets. First and foremost, the purpose of the security awareness
program is to educate employees on how to help protect company assets and reduce
losses. Everything else flows from this prime responsibility.
x Understand the relationship between security and successful operations. This purpose
is the prime one for awareness efforts directed toward executive management. Assets
protection professionals should devote the necessary time and talent to demonstrate
the program’s value and cost-effectiveness.
x Identify their obligations under the security program. It is important to identify

security obligations for all employees and nonemployees and to present those
obligations as reasonable and necessary. Employee orientation and periodic refreshers
can be used to teach people precisely which security requirements apply to them.
x Recognize the connection between security program objectives and selected security
measures. This purpose is important to middle management. Unit and department
heads must recognize (and, preferably, agree) that security measures are appropriate
and necessary.
x Be familiar with sources of help for carrying out security responsibilities. Security
awareness materials should address the specifics of implementing security
requirements. For example, if a security rule states that particular spaces or containers
must be locked, affected employees need to know how to obtain a lock and key. If
persons with legitimate questions or problems do not know where to go for assistance,
they might either (1) not consult anyone and simply improvise an answer or (2) consult
the wrong person and be needlessly delayed.
x Comply with statutory or common-law requirements for notice. This purpose applies
to both employees and nonemployees. Civil trespass to land is generally defined as
unauthorized entry into or presence on real property. To recover civil damages for
trespass, the landowner or other person in control must prove that the trespasser
intended to trespass. Physical, verbal, and symbolic indicators must make clear that
there is a boundary past which movement is not authorized.
Likewise, the owner of a trade secret must take positive actions to prevent its
unauthorized disclosure. One of those actions is to convey to employees entrusted with
the secret that the information is indeed secret and valuable. Developing programs for
conveying such notices, and documenting such notification, are phases of the security
awareness effort.

SECURITY AWARENESS
10.2 Purposes of Security Awareness
x Comply with regulatory requirements. Governments often require that specific

security-related information be conveyed to employees and others. In the United States,
for example, employee orientation is required by the Bank Protection Act and related
regulations of the Federal Reserve System and the Controller of the Currency. Other
agencies imposing security training and awareness requirements by regulation are the
Drug Enforcement Administration, the Department of Transportation, and the Nuclear
Regulatory Commission.
x Comply with contract obligations. Security awareness efforts may need to take account
of various contracts that apply to the enterprise. For example, in the United States the
National Industrial Security Program Operating Manual (which sets forth the security
obligations of contractors handling classified defense information) imposes numerous
requirements for briefings and for security education and training, including awareness
efforts.
Similarly, collective bargaining agreements typically require that discharges be for just
cause and that employees receive due notice of the rules they must follow—including
security rules.
Some insurance contracts, such as those covering kidnapping, require that specific
procedures be adopted and communicated to designated officials in regard to coverage
under the policy.
A contract on the use of another company’s proprietary information may require the
organization using that information to provide security awareness training to its
employees.
x Comply with company policies and procedures. Security awareness efforts should
facilitate the ability of employees and others to comply with established company
policies and procedures. These policies may address compliance with company
standards and procedures for such matters as access control requirements or with
program initiatives such as a “clean desk” initiative to protect proprietary company
information.
x Prepare the organization for emergencies. Organizations with security awareness pro-
grams are better prepared to respond to emergencies and nonroutine issues (Piazza,
2004). In particular, organizations that educate management and employees through
security awareness programs are better able to respond to cyber attacks and keep their
information secure (BSA-ISSA, 2003, p. 2).

SECURITY AWARENESS
10.3 Developing and Delivering a Security Awareness Program
x Reduce organizational liability. Security awareness efforts are an important part of an

organization’s liability reduction strategy. In defending lawsuits against a company, it
helps to “show that the company is aware of security and makes an effort to provide a
safe environment” (Ahrens & Oglesby, 2006, p. 82). Moreover, effective awareness pro-
grams make employees accountable for their actions (Whitman & Mattford, 2004, p. 34).
A company pursuing criminal charges against an employee will have greater success if it
can prove it has a security awareness program that was effectively communicated to
employees (Kovacich & Halibozek, 2003, p. 249).
x Communicate the value of the security department. A final goal of security awareness is
to convey the value of the department. Security personnel should not attempt to
frighten management and employees but instead should, though their security
awareness program, demonstrate they are providing a valuable service to the
organization (Gerloff, 2004, p. 26).
10.3 DEVELOPING AND DELIVERING A SECURITY AWARENESS

PROGRAM
Security awareness programs typically must address the following topics (Roper, Grau, &
Fischer, 2006, p. 90):
x why the organization requires protection strategies
x the value protection strategies bring to the organization

x what actions are required for the protection of specific assets
x what employees’ security responsibilities are
x how they can meet those responsibilities
x how employees can report program violations

x how employees can identify indicators of risk or danger and how they should react
Unlike detailed security training, security awareness material may not contain specific
security task information. It may instead direct recipients to security content available
elsewhere and focus on generating support for the security program. Finally, it should be
enjoyable and interesting, as “the best training tools engage staff and let them have fun”
(Gips, 2006, p. 20).

SECURITY AWARENESS
10.3.1 TECHNIQUES, MATERIALS, AND RESOURCES

Security awareness programs often make use of the following techniques and materials:
x Written material. This includes instructional or advisory material, agreements, and

acknowledgments. It also includes written security policies and procedures, posters,
and other informal reminders. The materials can be distributed in the form of
security department handbooks, pamphlets, and guides, or they can be incorporated
into materials used by other departments. Formats include pocket reminder cards,
desktop reference material, calendars, tri-fold information sheets, notepads,
bookmarks, letter openers, cups, pencils, rulers, key chains, newsletters, posters,
refrigerator magnets, stickers, posters, etc. Sometimes security awareness materials
can be integrated into materials distributed by professional organizations. For
example, one security department arranged to have its security awareness materials
added to the Annual Patient Nursing Assessment for Private Duty Patients, which
addresses violence prevention (Morris, Carter, & Krueger, 2002, p. 72).
Security awareness guides can address organizational assets, personal safety, safety
while traveling, information asset protection, terrorist threat awareness, safeguarding
classified materials, counterintelligence, cybercrime, personnel security, foreign
intelligence threats, operational security, responsible use of company equipment,
access control procedures, and potential penalties for violating security rules.
x Audiovisual material. Formats include audio and video tapes, interactive CD-ROMs,
films, 35 mm slides, software-based presentations, e-mail, and company and non-
company Web sites. However, it is important not to post sensitive information where it
is publicly accessible (Roper, Grau, & Fischer, 2006, p. 241).
x Formal security briefings. These can be done pre-and post-hiring, at new assignment
orientation, and at times of promotion or transfer. Briefings can be delivered to
individuals or groups.
x Integration into line operations. Security staff can use several means to integrate
security awareness into regular enterprise operations. Individual employees’ security
awareness can be examined in their performance reviews, can be considered in setting
bonuses, and can be reinforced in supervisory and management staff meetings.
Another technique is to include security tasks in job descriptions or employee
handbooks and standards, perhaps collaborating with other departments.
x Inside experts. In developing a security awareness program, security staff can get help
from company training staff and communications staff.
x Outside experts. Security professionals can call on outside experts in communications,

advertising, and public relations to add their knowledge, experience, and credibility to
the security awareness program.

SECURITY AWARENESS
Typically, a security awareness program must rely on a variety of delivery methods. Some
staff learn well by using computer-based instruction on their own, while others learn best
when they attend classes.
10.3.2 OBSTACLES TO AN EFFECTIVE AWARENESS PROGRAM

Creating employee and management buy-in to an awareness program is not automatic.
Security staff may face several obstacles in implementing a security awareness program
(Roper, Grau, & Fischer, 2006, pp. 91–92):
x Low credibility of security department. This may stem from previous performance of
departmental staff, a new department’s lack of a track record, biases that employees
bring from other organizations, a lack of professionalism within the security
department, or security staff’s lack of understanding of company functions.
x Organizational culture. A security awareness program can be hindered by a culture
that holds such views as “we’ve never done it that way before” or “we always do it this
way” (Dalton, 1998, p. 53). If a company believes security is not directly related to the
organization’s success, the security department will find it difficult to implement a
security awareness program.
x Naiveté. Organizations sometimes develop a mentality that bad things will not happen
to them, especially if they have not been victimized in the past. Likewise, they may
believe that employees will always do their utmost to protect company assets and
would never knowingly harm the organization. As a result, they may decide that an
awareness program is unnecessary.
x Perception of a minimal threat. Employees may feel less interested in increasing their
security awareness if they feel the relevant threat is insignificant or unlikely to occur.
For example (Roper, Grau, & Fischer, 2006, pp. 91–92):
Security educators in the 1990’s and later whose programs were geared to the
prevention of espionage have had to contend with the fact that perceptions of the
foreign intelligence threat have radically changed. Without the monolithic Soviet
adversary, security educators were hard-pressed to argue that critical information was
still at risk. However, the continuing frequency of espionage case associated with a
variety of foreign entities in recent years —Cuba, China, Saudi Arabia, South Korea—has
redefined the foreign intelligence threat and made it credible.
x Departmental or employee indifference. Some employees may not see security as

their responsibility. They may be overworked, or they may have a competing agenda
(e.g., if they are stealing from the company); or they may simply see security respon-
sibilities as undesirable extra work. Some employees believe that securing company
assets is the responsibility of the security department alone.

SECURITY AWARENESS
x Lack of reporting capability. It is essential that employees have access to an effective

reporting system. “Information collection is the basis of a security management plan”
(Kitteringham, 2006, p. 29), and the existence of a security reporting system, in itself,
has been found to heighten employee awareness, resulting in an increase in reporting
(Kellogg & McGloon, 2006, p. 98). With an incident reporting system in place, security
professionals are better positioned to measure their departments’ effectiveness and
report back to senior management.
10.3.3 MEASURING THE PROGRAM

Because security awareness efforts take time and money (and may briefly interrupt employees’
work), security staff may need to seek management approval to start and continue the
program. One way to gain support is through the use of metrics—that is, “a standard of
measurement using quantitative, statistical, and/or mathematical analysis” (Kovacich &
Halibozek, 2006, p. xxvii). Following are examples of potential measurements:
x company losses before and after the security awareness program was implemented
x number of persons briefed and number of briefings conducted in specific periods
x topics covered, projected or actual briefing completion date, and method of delivery
(Roper, Grau, & Fischer, 2006, pp. 134–135)
x cost of briefings per employee (Kovacich & Halibozek, 2006, p. 119–121)
If a program is new and lacks data on its effectiveness, one approach is to start with a limited
budget and build momentum over time. It is possible to create awareness literature cheaply
via desktop publishing. Further, by partnering with other departments, such as the human
resources department, security personnel can brief employees during regular training exer-
cises. Data can be collected and assessed until there is an opportune time to implement the
awareness program on a larger scale.

SECURITY AWARENESS
10.4 Engaging Employees to Prevent Losses
10.4 ENGAGING EMPLOYEES TO PREVENT LOSSES

All employees are responsible for helping to protect organizational assets, as security
personnel cannot be everywhere and see everything. By working with employees from other
departments and providing leadership in developing protective strategies, security staff can
increase the likelihood of employee cooperation. A cooperative employee is less likely to
circumvent security rules and measures.
Most enterprises devote at least some time to fostering security awareness among their
employees. However, knowing that a security program exists is not the same as playing an
active role in loss prevention. Every department and employee has a role in identifying,
preventing, and reducing losses.
Before developing a security awareness program that will teach employees what they need to
know, the security manager must become familiar with all elements of the organization’s
business—in order to know what assets must be protected from what risks. Losses that
employees may be able to help reduce include traditional physical concerns, such as theft of
money or goods or misuse of equipment or facilities. Through awareness training, employees
may also be able to help reduce other losses, including those related to contractual, statutory,
regulatory, insurance, or other concerns. Seemingly small losses can have expensive
ramifications. For example a laptop theft resulting in the loss of a client’s personal information
can be very costly, especially given emerging privacy legislation. One study (Ponemon
Institute, 2006) found that the average loss per corporate data breach was $4.8 million.
10.4.1 POSITIVE SECURITY CONTACTS

Success in security depends heavily on employees’ cooperation. To strengthen that support,
the security department should maximize the positive (helpful) contacts it has with
employees while still carrying out the primary security mission. One way security staff can
enhance the department’s reputation and build relationships is by promoting the personal
safety and security of employees and their families at work, at home, and elsewhere. The
following are examples of such measures:
x conducting home protection clinics

x lending property-marking devices
x offering group purchase opportunities for burglary and fire protection devices
x conducting personal protection programs
x conducting cyber security awareness programs
x conducting children’s fire prevention poster campaigns with cash prizes.
Employees themselves may be able to suggest other programs they would like the security
department to provide.

SECURITY AWARENESS
10.4 Engaging Employees to Prevent Losses
10.4.2 POLICIES AND PROCEDURES

One of the most important missions of security awareness programs is to familiarize
employees with the organization’s policies and procedures. Policies establish rules, while
procedures explain how to follow those rules. Security awareness programs can help
promulgate policies and procedures and ensure that employees understand specifically what
they should and should not do in a wide variety of situations.
Serious and costly outcomes can result when employees do not know or do not follow
company policies. For example, in 1999 a suspected shoplifter was apprehended in a grocery
store in Canada by two store clerks and a uniformed security officer. He died from accidental
restraint asphyxia during the arrest. A news report states that “the company employing the
store clerks insisted that it expressly forbids staff from using force on people suspected of
shoplifting. The inquest had heard that the employees who chased [the suspected shoplifter]
were unaware of the store’s policy to avoid using force with shoplifters” (CBC News, 2004). As
one writer on security policies observes (Roberts, 2002, p. 94):
Good polices are not enough to ensure that the staff will react properly to an incident.
Continuous training of a store’s retail staff is essential to ensure that they understand, and act
in accordance with, the stores policies for dealing with suspected shoplifters. Further, store
managers, loss prevention professionals, and human resource staff need to be monitoring
incidents that arise so that they can retrain or discipline employees who do not act in
accordance with store policies.
Some employees fail to follow company policies and procedures because they do not under-
stand what they are supposed to do, while others simply choose not to cooperate. An
examination of compliance with information technology (IT) policies (Mallery, 2007, pp. 40–
42) found two categories of users who fail to follow policies: (1) “uneducated users,” who
have a limited understanding of computers and the consequences of ignoring policies, and
(2) “arrogant users,” who feel they do not have to follow the rules that apply to others—“they
feel they are more powerful, intelligent and sophisticated than everyone else, so they can do
what they want on corporate systems.”
Ultimately, employees who refuse to follow policies and procedures, even after security
awareness efforts have brought those issues to their attention, must be disciplined.
Otherwise, the company may be needlessly exposed to a variety of losses and liabilities.

SECURITY AWARENESS
References
REFERENCES
Ahrens, S. A., & Oglesby, M. B. (2006, February). Levers against liability. Security Management. Vol.
50, No. 2.
Business Software Alliance and Information Systems Security Association. (2003). BSA-ISSA
information security study: Online survey of ISSA members. Washington, DC: Business Software
Alliance.
CBC News. (2004, April 23). Man died from accidental suffocation during arrest: inquest [Online].
Available: http://www.cbc.ca/canada/story/2004/04/23/Shandverdict_040423.html [2007, August 6].
Dalton, D. (1998). The art of successful security management. Burlington, MA: Butterworth-Heine-
mann.
nd
Fay, J. J. (2006). Contemporary security management, 2 ed. Burlington, MA: Elsevier Butterworth-
Heinemann.
Gerloff, J. (2004, December). Communicating security’s value. Security Management, Vol. 48, No. 12.
Gips, M. A. (2006, April). Identity theft can be fun. Security Management, Vol. 50, No. 4.
Kellogg, D., & McGloon, K. (2006, October). Distilled protection. Security Management, Vol. 50, No. 10.
Kitteringham, G. W. (2006). Security and life safety for the commercial high-rise. Alexandria, VA:
ASIS International.
Kovacich, G. L., & Halibozek, E. P. (2003). The manager’s handbook for corporate security.
Burlington, MA: Elsevier Butterworth-Heinemann.
Kovacich, G. L., & Halibozek, E. P. (2006). Security metrics management. Burlington, MA: Elsevier
Mallery, J. (2007, June). Policy enforcement. Security Technology & Design.
Morris, R., Carter, P., & Krueger, C. (2002, October). Nurses learn vital signs of safety. Security
Management, Vol. 46, No. 10.
Piazza, P. (2004, March). Companies better prepared for trouble. Security Management, Vol. 48, No. 3.
Ponemon Institute. (2006). 2006 annual study: Cost of a data breach. Elk Rapids, MI: Ponemon
Institute.
Roberts, J. R. (2002, September). The policy was perfect. Security Management, Vol. 46, No. 9.
Roper, C. A., Grau, J. A., & Fischer, L. F. (2006). Security education, awareness and training.
Burlington, MA: Elsevier Butterworth-Heinemann.
Whitman, M. E., & Mattford, H. J. (2004, November). Making users mindful of IT security. Security
Management, Vol. 48, No. 11.

CHAPTER 11
WORKPLACE SUBSTANCE ABUSE:
PREVENTION AND INTERVENTION
A drug is a chemical substance that alters the physical, behavioral, psychological, or emotional
state of the user. Drugs of abuse—psychoactive (mind-altering) substances—target the central
nervous system and impair the user’s ability to think and to process sensory stimuli, thereby
distorting the user’s perception of reality. Drugs of abuse include legal and illegal substances and
are often consumed socially. In this analysis, alcohol is considered a drug.
Substance abuse may harm a person physically, mentally, or emotionally. Abuse can often easily
lead to increased tolerance and eventual addiction or chemical dependency. Abuse can also create
personal, family, and financial problems beyond the abuser’s control.
National prosperity requires a healthy workforce. More than technology, industrial capability, or
natural resources, a nation’s workforce makes possible all the social and economic abundance a
country enjoys.
Substance abuse plagues nearly every nation. In the United States, illegal drugs are everywhere: in
schools, communities, factories, and offices. Substance abuse harms productivity and competi-
tiveness and destroys individuals, families, and jobs. It causes birth defects, industrial accidents,
business failures, and highway fatalities. The worldwide illicit drug trade is a multibillion-dollar
industry that spans national borders, deals almost exclusively in cash, and enforces its policies
with violence.
Drug abuse is more common among unemployed than employed persons. In 2006, among adults
aged 18 or older, the rate of drug use was higher for unemployed persons (18.5 percent) than for
those who were employed full-time (8.8 percent) or part-time (9.4 percent). Although the rate of
illicit drug use is highest among unemployed persons, most drug users are employed. Of the 17.9

WORKPLACE SUBSTANCE ABUSE
11.1 Historical Perspective
million current illicit drug users aged 18 or older in 2006, 13.4 million (74.9 percent) were employed
either full-or part-time (U.S. Department of Health and Human Services, National Survey, 2007).
Employers pay a high price. It is generally accepted that employee substance abuse does the
following:
x decreases productivity and morale

x increases turnover and absenteeism
x increases accidents
x increases insurance costs
x increases theft and dishonesty
x increases unnecessary consumption of benefits
x decreases profits
x increases potential liability of the company
x increases the potential for negative public exposure and image
Substance abuse can rob an organization of its talent, vitality, and enthusiasm. It can destroy
teamwork and cooperation and make organizations less competitive and less successful.
11.1 HISTORICAL PERSPECTIVE

Other than alcohol, opium may be the oldest compounded drug used by man. In 1500 BC,
the Egyptians used opium for medical purposes. In the Greco-Roman period, opium was
considered an important drug and was used to induce sleep and relieve pain. By the latter
th
part of the 18 century, doctors in other parts of Europe, too, were recommending opium as
a pain reliever.
The addictive properties of opium were not appreciated, and the problem of addiction grew
in the early 1800s with the discovery of two opium alkaloids: morphine and codeine.
Morphine became popular because of its potency—one grain of morphine is about as
effective as 10 grains of opium.
The newly invented hypodermic needle was used during the Civil War to administer
morphine to the wounded, and many soldiers returned to civilian life addicted to the drug.
As the hypodermic needle grew in popularity as a way to administer the drug, morphine
abuse began to spread in the United States.

11.1 Historical Perspective
Opium was commonly taken orally, smoked, or pulverized and used in suppository form.
Opium and its derivatives could be purchased legally and inexpensively in pharmacies and
many rural general stores. They were used alone or as components in pharmaceutical
preparations or patent medicines.
Heroin, a morphine derivative, was first synthesized in 1898. At first, it was considered non-
addictive and was used for treatment of morphine addiction. It was also available in many
pharmaceutical preparations. Easy access to the drug led thousands into addiction.
11.1.1 A CHANGE OF MOOD

th
In the 19 century, opiate use in the United States was found at all levels of society but was
most prevalent among members of the middle and upper middle classes. (An exception was
opium smoking, which was associated with the underworld.). Among the prominent indivi-
th
duals of the 19 century who abused opium were the writers Edgar Allan Poe and Samuel
Coleridge. Thomas de Quincy, author of Confessions of an English Opium Eater, was
probably the best-known addict at the time.
Public attitudes began to change by the 1890s. Many physicians recognized the destructive
nature of addiction and publicized their findings. Some regarded addiction as an illness,
while others felt it was a vice. An addict could still purchase drugs legally and secure assist-
ance from doctors in the early 1900s; at that time, addiction did not appear to be linked with
criminal behavior.
11.1.2 LEGAL CONTROLS

In 1880, the United States and China completed an agreement that prohibited the shipment
of opium between the two countries. In 1887, the U.S. Congress enacted legislation making it
a misdemeanor to import opium from China. In the 1930s it became unlawful to possess or
cultivate marijuana in the United States.
The first major attempt to control opium use in the United States came in 1909 with a federal
act that limited the use of opium and derivatives except for medical purposes. Later, the 1914
Harrison Act attempted to control the production, manufacture, and distribution of
narcotics. The law required registration and payment of a tax by those dealing in narcotic
drugs. It specified that only physicians could dispense narcotics and that pharmacists could
sell drugs only on written prescription.
The rapid increase in the number of drug arrests by the mid-1950s prompted the passage of
the Narcotic Drug Control Act of 1956, which provided a mandatory minimum penalty of five

11.2 Human Cost of Substance Abuse
years’ imprisonment with no possibility of probation or parole for a first illegal sale.
Eventually, methadone was used as a substitute for heroin in the treatment of addicts.
11.1.3 WAR ON DRUGS

In 1971, U.S. President Nixon initiated a nationwide “war on drugs.” The effort increased
public awareness of the dangers of drug abuse, restricted supplies, and drove prices up. It
also amalgamated an already growing international network of producers, smugglers, and
wholesalers. As prices rose, more criminals entered the market and imported more illicit
drugs into the country. The upward trend in supply and demand did not seem to abate until
th
the end of the 20 century.
In 1988, the Reagan administration created the Office of National Drug Control Policy
(ONDCP). Its mission was to coordinate the government’s efforts to manage substance abuse
in the realms of legislation, security, diplomacy, research, and health. The director of ONDCP
is commonly known as the drug czar.
Today, the war on drugs is fought on many fronts by many people and organizations.
Although the most obvious battles are fought by law enforcement, important battles are
fought in the workplace as well.
11.2 HUMAN COST OF SUBSTANCE ABUSE

Compared to nonabusing employees, employees who engage in substance abuse may be
absent 16 times more often, claim three times as many sickness benefits, and file five times
as many workers’ compensation claims. Abusers are also more likely to be laid off or fired
(Ferraro, 1994).
Substance abuse affects abusers’ family members, too. For example, nonalcoholic members
of an alcoholic’s family use 10 times more sick leave than others. They are also more prone to
long-term illness, accidents, and divorce. Children of alcoholics are five times more likely to
become alcoholics than children of non-alcoholics (Ferraro, 1994).
Substance abuse also breeds dysfunctional relationships. Abusers have difficulty in getting
along with others. They tend to withdraw from friends and be more secretive. They spend
less time at home and work. They contribute less to meaningful relationships and avoid
opportunities to socialize with nonabusers.

11.3 Role of the Employer
For the employer, they grow less productive and creative and frequently become disciplinary
problems. They engage in denial and quickly blame others for their shortcomings and disap-
pointments. They become the 20 percent who consume 80 percent of management’s time.
11.3 ROLE OF THE EMPLOYER

Substance abuse—long considered a law enforcement or government problem—has now
become a workplace problem as well. Executives, managers, supervisors, employees, and
unions are looking for answers. Organizational leaders have learned that to create a drug-free
workplace they must do the following:
x Make a commitment.
x Set goals and objectives.
x Assign responsibility.
x Formulate a comprehensive policy.
x Communicate the policy.
x Equitably enforce the policy.
x Provide education and training.

x Provide help to those who want it.
x Audit the process regularly.
11.4 WHY THE WORKPLACE?
11.4.1 RATIONALIZATION
Rationalization is the use of superficial, apparently plausible explanations or excuses for
one’s behavior. Substance abusers rationalize constantly. They may rationalize that the use
of drugs is a constitutional right, that addiction and chemical dependency happen only to
others, and that drug use enhances their ability to perform, produce, and create. They may
rationalize that they can quit using anytime, that drug use at work is acceptable because it is
common, and that selling drugs to coworkers is a gesture of camaraderie. Often, they blur the
line between personal consumption off the job (what they do on their own time) and their
rationalization that such personal habits don’t affect their work performance.

11.4 Why the Workplace?
These rationalizations help substance abusers abandon their values, shirk their responsibilit-
ies, and lose respect for other people and their property. They may lie to their families, steal
from their friends and employers, and continue to use drugs without guilt, despite the
potential harm caused by their behavior.
11.4.2 OPPORTUNITY
For the substance abuser, the workplace abounds with opportunity. Here are the key reasons:
x They know one another. Workplace deals enable sellers and buyers to have regular
contact with one another that is not suspicious. Also, the workplace venue is generally
private property and therefore not under the direct scrutiny of law enforcement,
thereby creating somewhat of a safe haven for illicit activities to transpire.
x Better quality. Workplace dealers want repeat customers, and they recognize that
high-quality products keep them coming back.
x Fairer quantity. Illegal drugs are expensive. Because drugs are often sold in quantities
as small as 1/4 gram, accuracy in weight is important to the buyer. Again, because
workplace dealers recognize the importance of repeat business, they tend to sell
accurate quantities.
x Low risk. Abusers perceive supervisors and managers as uninformed or untrained and
often unwilling to confront them or their problems. Moreover, security measures—
such as barriers, fences, or locked doors—that protect company assets may also
protect abusers and dealers from monitoring or detection.
x High return on investment. An ounce of high-quality cocaine that is cut (diluted by

adding an impurity) and repackaged in 1 gram quantities can yield the dealer several
thousand dollars in profit. In a workforce of 100 employees or more, a single employee-
dealer may be able to sell an ounce of cocaine each week.
x Ability to buy and sell on credit. When “fronted,” drugs are sold to the employee-user
with the agreement that they will be paid for later. This agreement usually establishes
terms and consequences for the failure to pay. Fronting allows users to obtain drugs
even when they do not have money to buy them. For this service, employee-dealers
generally charge a small premium—typically the retention of a small amount of the
drug for personal use. This quantity is known as a pinch, and the practice is called
pinching.

11.5 Path of Workplace Substance Abuse
11.5 PATH OF WORKPLACE SUBSTANCE ABUSE

No one aspires to be drug addicted or chemically dependent. Involvement with drugs usually
begins with experimentation. This typically involves introduction to the drug by a friend or
family member. If the drug produces an enjoyable effect, experimentation may lead to
periodic use, often in social settings. If the progression is uninterrupted, users begin to
develop relationships with friends or coworkers who are involved with the same drug. As
these relationships solidify, relationships with former friends and coworkers are diminished
and may eventually end. Abusers’ appearance, behavior, interests, and relationships all
begin to change, and they become more secretive, suspicious, and paranoid.
Abusers’ attitudes toward the drug also change. They may defend the drug’s benefits, its
value to society, and their right to use it. They may frequently think about it, study it, and
talk about it.
In addition, abusers’ job performance deteriorates. They develop attendance problems,

usually with recognizable patterns. They appear less focused and claim to have more
personal problems. They use drugs more frequently and irresponsibly. They may drink and
drive, smoke marijuana while hunting or while handling firearms, or consume drugs in
public places with people they do not know.
Eventually, they begin to use drugs on the job. At first their use is discreet, but often it
becomes flagrant. In fact, they may enjoy testing the boundaries of acceptable behavior in
the workplace. They may drink in the parking lot during lunch and on breaks. They may
smoke marijuana in restrooms and locker rooms. They may consume cocaine or
methamphetamine at their desks or workstations. They may use drugs in company-owned
vehicles or while out of town on business. Given the opportunity, they may even use drugs
with customers and vendors. They may keep drugs in their desks, lockers, or toolboxes. In
addition, abusers may use the company mailroom or shipping department to distribute and
receive drugs and money. They may hide drugs in workplace safes, furniture, trash
containers, hazardous material containers, beverage containers, lunch boxes, briefcases,
purses, shoes, coats, raw materials, and finished goods. Employee substance abusers are
resourceful, cunning, and deceitful.
When given the opportunity, dealers may also secretly sell right in front of nonabusers,
supervisors, and managers. In some instances, it is hard to understand how any real work
gets done. Dealers tend to socialize more than others. They are constantly networking while
feverishly trying to avoid detection. Often they are absent or not where they belong. They
avoid interaction with management whenever possible. Though they tend not to make
trouble, if accused of misconduct they become belligerent. They often support employee
causes and enjoy creating strife between management and labor. Employee drug dealers
tend to resist team building, pursue secret agendas, and despise authority.

11.5 Path of Workplace Substance Abuse
If substance abusers exhaust their discretionary income, they generally resort to purchasing
their drugs on credit. Once their credit is exhausted, they may begin to sell drugs or engage in
theft. If they become dealers, they generally sell to colleagues at work. If they choose to steal,
the principal victim will be the employer.
Substance abuse-related employee theft often begins with stealing food from coworkers. It
eventually leads to the theft of petty cash, cash receipts, office equipment, and coworkers’
personal valuables. Left unchecked, the substance abuser will eventually steal to the extent the
organization allows. The stolen goods may range from scrap, raw materials, and finished goods
to intellectual property, such as client lists, confidential information, and trade secrets.
Employee substance abusers may also steal from customers and vendors. They may short a
shipment to an important customer, keeping and selling the difference. They may accept
kickbacks for miscounting, allowing overages, double shipping, approving improper or
unauthorized credits, or diverting a vendor’s delivery. The impact on the employer can be
devastating. Business relationships may be destroyed, and valuable vendors may withhold
service or materials. Customers may cancel contracts, refuse payment, or take legal action.
In addition, substance abusers are more likely to have accidents and get injured. They file
more health claims and consume more than their share of benefits. More illnesses and
injuries yield higher insurance costs. Abusers’ absences may be disruptive and costly and
require the recruiting, hiring, and training of replacements. Also, substance abusers are more
prone to file false claims and feign on-the-job injuries.
As abusers’ performance begins to slip, discipline begins. Abusers may foresee termination
but view it as unacceptable, as their jobs may be the only element of stability and normalcy
in their lives. For years they may have rationalized that continued employment is evidence
that they live a normal life. In extreme cases, they may give up their family, children, home,
and car but struggle to keep their job. Once the job is in jeopardy, they may choose to give up
drugs. However, a more common way of escaping workplace discipline is to feign an on-the-
job injury.
In abusers’ eyes, an extended absence can provide several benefits: relief from job
responsibilities, a break from the environment where they are most exposed to drugs and the
temptation to use them, and an opportunity to give up drugs and start anew. Usually,
however, these benefits go unrealized. Without the structure of a job, their life often begins
to unravel completely. Drug consumption may rise and financial burdens increase. Months
later, when abusers finally return to work, they are more chemically dependent, less
productive, and more likely to file another claim.
This cycle of destruction may repeat several times before the employee is terminated. At that
point, everyone is a loser: the employer, spouse, family, friends, and the abuser.

11.6 Drugs of Abuse
11.6 DRUGS OF ABUSE
11.6.1 CONTROLLED SUBSTANCE ACT

In the United States, the legal foundation for the federal strategy of reducing the
consumption of illegal drugs is the Comprehensive Substance Abuse Prevention and Control
Act of 1970, Title II (CSA). The law contains four fundamental parts: (1) mechanisms for
reducing the availability of controlled substances, (2) procedures for bringing a substance
under control, (3) criteria for determining control requirements, and (4) obligations incurred
through international treaties. Specifically, the law regulates the manufacturing, purchase,
and distribution of drugs according to their potential for abuse. The Drug Enforcement
Administration (DEA) is responsible for enforcement and oversees the classification of all
drugs. These classifications or schedules are as follows:
x Schedule I. The drug or substance has a high potential for abuse and currently has no
accepted use in medical treatment in the United States. Examples of Schedule I drugs
are hashish, marijuana, heroin, and lysergic acid diethylamide (LSD).
x Schedule II. The drug or substance has a high potential for abuse but currently has an
accepted medical use in the United States with severe restrictions. Abuse may lead to
severe psychological or physical dependency. Examples of Schedule II drugs are
cocaine, morphine, amphetamine, and phencyclidine (PCP).
x Schedule III. The drug or substance has a potential for abuse less than the drugs or
substances of schedules I and II and currently has an accepted medical use in the
United States. Abuse may lead to moderate or low physical dependency or high
psychological dependency. Examples of Schedule III drugs are codeine, Tylenol with
codeine, and Vicodin.
x Schedule IV. The drug or substance has a low potential for abuse relative to Schedule
III substances and currently has an accepted medical use in the United States. Abuse
may lead to limited physical or psychological dependency. Examples of Schedule IV
drugs are Darvon, Darvocet, phenobarbital, and Valium.
x Schedule V. The drug or substance has a low potential for abuse relative to Schedule IV
substances and currently has an accepted medical use in the United States. Abuse may
lead to a lower physical or psychological dependency than caused by Schedule IV
substances. Examples of Schedule V drugs are the low-strength prescription cold and
pain medicines found in most homes.

11.6 Drugs of Abuse
11.6.2 DEPRESSANTS
Depressants include such drugs as Quaalude (methaqualone), Valium (diazepam), Librium
(chlordiazepoxide), Nembutal (pentobarbital), Seconal (secobarbital), and alcohol.
In small doses, depressants produce a calm feeling and can be used for various medical
purposes. In larger doses, they can cause impaired reflexes, slurred speech, and uncontrollable
drowsiness. Abusers often combine depressants with other depressants or with stimulants. The
abuse of depressants can lead to birth defects, overdose, and even death.
Alcohol
Alcohol is a fast-acting central nervous system depressant that functions as an analgesic with
sedative affects. In small quantities, it produces a sense of well-being and slightly impaired
reflexes. In larger quantities, the sense of well-being is replaced by disorientation, reduced
inhibition, loss of coordination, and irrationality. Alcohol is addictive, and prolonged abuse
can cause brain, liver, and heart damage, as well as sexual dysfunction, gastritis, ulcers,
malnutrition, high blood pressure, cirrhosis of the liver, pancreatitis, cancer, and death.
According to the U.S. Department of Health and Human Services (Alcohol, 2007), alcohol
dependence, also known as alcoholism, includes four symptoms:
x craving: a strong need or compulsion to drink
x loss of control: the inability to limit one’s drinking
x physical dependence: the occurrence of withdrawal symptoms, such as nausea,

sweating, shakiness, and anxiety, when alcohol use is stopped after a period of heavy
drinking
x tolerance: the need to drink greater amounts of alcohol to get the desired feeling
Alcoholics are in the grip of a powerful craving that overrides their ability to stop drinking.
This need can be as strong as the need for food or water. The essential difference between a
social drinker and an alcoholic is a loss of control over the time, place, and amount of
drinking. Although some people are able to recover from alcoholism without help, the
majority of alcoholics need assistance. Alcoholism appears to be caused by both genetic and
environmental components.
11.6.3 NARCOTICS
In the medical sense, narcotics are opiates: opium, its derivatives, and synthetic substitutes.
Opiates (also called opiods) are indispensable in pain relief, but they are also highly addictive
and frequently abused.

11.6 Drugs of Abuse
Opiates include such drugs as morphine, heroin, and codeine. Usually taken orally or intrave-
nously, they can also be smoked. Opiates are relatively uncommon in the workplace, as they
are expensive and their physiological effects on the user are usually obvious.
In small doses, narcotics create effects like those of depressants. In larger doses, they induce
sleep, unconsciousness, and vomiting. Intravenous use increases the chance of contracting
such diseases as hepatitis and AIDS. Users describe the euphoric effect of these drugs as being
“high” or “on the nod.”
With repeated use of narcotics, tolerance and dependence develop. Tolerance is characterized
by a shortened duration and a decreased intensity of analgesia, euphoria, and sedation,
leading to the need to consume larger doses to attain the desired effect. Dependence is an
alteration of normal body functions such that the continued presence of a drug is needed to
prevent withdrawal symptoms. In general, shorter-acting narcotics tend to produce shorter,
more intense withdrawal symptoms, while longer-acting narcotics produce protracted but less
severe symptoms. Although unpleasant, withdrawal from narcotics is rarely life threatening.
Without intervention, the withdrawal syndrome disappears in seven to ten days. Psychological
dependence, however, may continue. Unless the physical environment and the behavioral
motivators that contributed to the abuse are altered, the user’s probability of relapse is high.
In the United States, some abusers of narcotics begin their drug use in the context of medical
treatment and escalate it by obtaining the drug through fraudulent prescriptions and “doctor
shopping” or by branching out to illicit drugs. Other abusers begin with experimental or
recreational uses of narcotics. The majority of individuals in this category may abuse narcotics
sporadically for months or even years. Although they may not become addicts, the social,
medical, and legal consequences of their behavior are very serious. Some experimental users
eventually become dependent. The younger an individual is when drug use is initiated, the
more likely the drug use will progress to dependence and addiction (DEA, 2006).
Over the past 30 years, the prescription painkiller oxycodone has been widely abused in the
workplace. It is a Schedule II narcotic analgesic, supplied as OxyContin (controlled release),
OxyIR and OxyFast (immediate release), Percodan (with aspirin), and Percocet (with acetamin-
ophen). The 1996 introduction of OxyContin, also known as OC, OX, Oxy, Oxycotton, hillbilly
heroin, and kicker, led to a marked escalation of its abuse.
Effects include analgesia, sedation, euphoria, feelings of relaxation, respiratory depression,

constipation, papillary constriction, and cough suppression. As an analgesic, a 10 mg dose of
orally administered oxycodone is equivalent to a 10 mg dose of subcutaneously administered
morphine. Oxycodone’s behavioral effects can last up to five hours. The controlled-release
product (OxyContin) lasts 8–12 hours.

11.6 Drugs of Abuse
Chronic use of opioids can result in tolerance for the drugs. Long-term use can lead to
physical dependence and addiction. Properly managed medical use of pain relievers is safe
and rarely causes clinical addiction. However, a large dose of an opioid can cause severe
respiratory depression that may lead to death.
11.6.4 STIMULANTS
Stimulants may make employees appear more alert, eager, and productive. However, what
appears to be productivity may actually be wasted efforts that lead to mistakes. Stimulant
abusers may believe the drugs enhance their creativity and endurance, but they are actually
being robbed of their energy and rationality. Abusers experience frequent, severe mood
swings, and they become difficult to manage and have trouble getting along with others.
Abusers often try to control their mood swings by using another drug, most often alcohol.
Prolonged abuse typically results in weight loss, drug-induced psychosis, and addiction to
multiple drugs.
Among the stimulants used in the workplace are cocaine, amphetamines, methamphetamine,
methcathinone, methylphenidate (Ritalin), and anorectic drugs (appetite suppressants).
Cocaine
Cocaine (cocaine hydrochloride) is a white, crystalline substance extracted from the coca
plant. Though it has some medicinal value as a topical anesthetic, it is a common drug of
abuse and is considered highly addictive. Most often ingested through the nose (snorted), it
can also be injected and smoked. Cocaine stimulates the central nervous system, and its
immediate effects include dilated pupils, elevated blood pressure, increased heart rate, and
euphoria. Crack or rock cocaine (usually smoked) is prepared from powdered cocaine,
baking soda, and water. The high lasts only a few minutes, leaving the user eager for more.
Being under the influence of cocaine is often referred to as being “wired” or “buzzed.”
Cocaine’s effects appear almost immediately after a dose and disappear within a few minutes
or hours. In small amounts (up to 100 mg), cocaine usually makes the user feel euphoric,
energetic, talkative, and alert. It can also temporarily decrease the need for food and sleep.
Some users find that the drug helps them perform simple physical and intellectual tasks
more quickly, while others experience the opposite effect.
The duration of cocaine’s euphoric effect depends on the route of administration. The faster
the absorption, the more intense but shorter the high. The high from snorting is relatively
slow in onset and may last 15–30 minutes, while that from smoking comes quickly and may
last 5–10 minutes.

11.6 Drugs of Abuse
Large doses (several hundred milligrams or more) intensify the user’s high but may also lead to
bizarre, erratic, or violent behavior, along with tremors, vertigo, muscle twitches, paranoia, or a
toxic reaction. Some users report restlessness, irritability, and anxiety. In rare instances,
sudden death can occur on the first use of cocaine or unexpectedly thereafter. Cocaine-related
deaths are often a result of cardiac arrest or seizures followed by respiratory arrest.
Cocaine is powerfully addictive. Some users develop a tolerance and must increase their
doses to attain the desired effects. Other users actually become more sensitive to the drug
over time and may die after low doses. Bingeing—that is, taking the drug repeatedly and in
increasing doses—may lead to irritability, restlessness, and paranoia. Eventually, the user
may develop paranoid psychosis, losing touch with reality and experiencing auditory
hallucinations (DEA, 2006).
Methamphetamine
Methamphetamine is a synthetic drug easily manufactured using common materials and
simple laboratory equipment. Also known as crank, meth, crystal meth, or speed, it has, in
many workplaces, replaced cocaine as a drug of choice among stimulant abusers. Metham-
phetamine can be smoked, snorted, swallowed, or injected.
The drug alters moods in different ways, depending on how it is taken. Immediately after
smoking the drug or injecting it intravenously, the user experiences an intense rush or
“flash” that lasts only a few minutes and is described as extremely pleasurable. Snorting or
swallowing produces euphoria—a high but not an intense rush. Snorting produces effects
within three to five minutes, and swallowing produces effects within 15 to 20 minutes.
Methamphetamine is usually used in a “binge and crash” pattern. Because tolerance for
methamphetamine occurs within minutes—meaning that the pleasurable effects disappear
even before the drug concentration in the blood falls significantly—users try to maintain the
high by bingeing on the drug.
Ice, a smokable form of methamphetamine, came into use in the 1980s. Ice is a large, usually
clear crystal of high purity that is smoked in a glass pipe (like that used for crack cocaine).
The smoke is odorless, leaves a residue that can be re-smoked, and produces effects that may
continue for 12 hours or more.
As a powerful stimulant, methamphetamine, even in small doses, can increase wakefulness

and physical activity and decrease appetite. A brief, intense sensation, or rush, is reported
by those who smoke or inject methamphetamine. Swallowing or snorting the drug
produces a long-lasting high (instead of a rush), which can continue for half a day. Both the
rush and the high are believed to result from the release of the neurotransmitter dopamine
into areas of the brain that regulate feelings of pleasure.

11.6 Drugs of Abuse
Methamphetamine has toxic effects as well. The large release of dopamine produced by
methamphetamine is thought to contribute to the drug’s toxic effects on nerve terminals in
the brain. High doses can elevate body temperature to dangerous, sometimes lethal levels, as
well as cause convulsions.
Long-term methamphetamine abuse results in many damaging effects, including addiction.

Chronic methamphetamine abusers may exhibit violent behavior, anxiety, severe mood
swings, weight loss, irritability, confusion, insomnia, and general deterioration of health.
They may also experience psychotic effects, including paranoia, auditory hallucinations,
mood disturbances, and delusions (for example, the sensation of insects creeping on the
skin, called formication). The paranoia can result in homicidal and suicidal thoughts.
With chronic use, tolerance for methamphetamine can develop. To intensify the desired
effects, users may take higher doses of the drug, take it more often, or change their method of
drug intake. In some cases, abusers forgo food and sleep while indulging in a form of
bingeing known as a run, injecting as much as a gram of the drug every two to three hours
over several days until the user runs out of the drug or is too disorganized to continue.
While under the influence of methamphetamine, users describe themselves as wired.

Regular users are referred to as speedsters or cranksters.
11.6.5 HALLUCINOGENS
Hallucinogens are mind-altering drugs that drastically alter users’ mood, sensory perception,
and ability to reason. For centuries, hallucinogens found in plants and fungi have been used
in shamanistic practices. More recently, even more powerful synthetic hallucinogens have
been produced.
The most commonly abused hallucinogens are LSD (lysergic acid diethylamide), also called
acid; MDA (methylenedioxyamphetamine); MDMA (methylenedioxymethamphetamine), also
called ecstasy; PCP (phencyclidine), often called angel dust; mescaline, which comes from
the peyote cactus; and certain mushrooms.
The biochemical, pharmacological, and physiological basis for hallucinogenic activity is not
well understood. Even the name for this class of drugs is not ideal, since hallucinogens do
not always produce hallucinations.
In nontoxic dosages, these substances produce changes in perception, thought, and mood.
Physiological effects include elevated heart rate, increased blood pressure, and dilated pupils.
Sensory effects include perceptual distortions. Psychic effects include disorders of thought
associated with time and space. Time may appear to stand still, and forms and colors seem to
change and take on new significance. This experience may be either pleasurable or frightening.

11.6 Drugs of Abuse
Users often experience vivid hallucinations, panic attacks, and even synaesthesia or sensory
crossover. In this state, users’ senses become confused, and they may actually believe they can
see sound or smell colors.
The effects of hallucinogens are unpredictable each time the drugs are used. In some
instances, weeks or even months after taking hallucinogens, a user may experience
flashbacks—fragmentary recurrences of certain aspects of the drug experience—without
actually taking the drug.
Some hallucinogens are neurotoxic. However, the most common danger is impaired
judgment, which may lead to rash decisions, accidents, injuries, and even death.
LSD
Lysergic acid diethylamide or LSD, a colorless, odorless, and tasteless drug, is one of the
most powerful hallucinogens. It was developed in a Swiss pharmaceutical laboratory in 1938.
LSD is sold as tablets, capsules, and sometimes a liquid. Ingested orally, it is called acid,
blotter acid, window pane, microdots, and mellow yellow. It is often added to absorbent
paper and divided into small decorated squares, each representing one dose. Users under
the influence of LSD are said to be tripping. The effects of LSD are described above in the
section on hallucinogens.
The use of LSD on the job is rare. However, in very small doses LSD may be substituted for
methamphetamine or another stimulant.
PCP
Phencyclidine or PCP was originally compounded as an anesthetic for large animals.
Because of its unpredictability and sometimes frightening side effects, its veterinary use
was discontinued.
PCP, often called angel dust, comes in both a liquid and powder form. Most often a liquid, it
has a strong ether-like odor and is kept in small, dark bottles. PCP is typically applied to a
tobacco or marijuana cigarette and smoked. Its effects often last for hours. Users refer to
being under the influence of the drug as being dusted.
PCP sometimes causes the eyes to twitch uncontrollably, one vertically and the other
horizontally. Overdose may result in convulsions, coma, and death.

11.6 Drugs of Abuse
11.6.6 MARIJUANA
After alcohol, marijuana is the second most common drug of abuse in the workplace. In
small quantities, marijuana produces effects similar to those of alcohol, and it is often
substituted for alcohol by recovering alcoholics. In larger doses, marijuana can cause
hallucinations, memory loss, and lethargy.
When two people share a single marijuana cigarette (which takes about seven minutes), the
effect is much that same as if they had each consumed six to eight mixed alcoholic
beverages. The effect may last two to six hours.
Marijuana, hashish, and hash oil are all derived from the hemp plant, cannabis sativa. The
principle psychoactive component, tetrahydrocannabinol or THC, is retained in the fatty
tissue of the body. Because THC is not easily eliminated, it can accumulate. As a result, the
user becomes less and less tolerant of the drug and steadily requires less of it to achieve the
desired effect. This condition is known as reverse tolerance. Abusers may smoke less, but
they tend to smoke more frequently.
Marijuana found in the workplace may be combined with other drugs to enhance its potency
and salability. Users can never be assured of consistent doses when smoking marijuana, and
the drug is sometimes treated with an opiate or PCP. Abusers can find themselves addicted
physically and psychologically not only to marijuana but also to other drugs that have been
mixed with it. Users describe their state while under the influence of marijuana as being
stoned or buzzed.
Hashish
Hashish consists of the THC-rich resinous material of the cannabis plant, which is collected,
dried, and then compressed into a variety of forms, such as balls, cakes, or cookie-like sheets.
Pieces are then broken off, placed in pipes, and smoked. The Middle East, North Africa,
Pakistan, and Afghanistan are the main sources of hashish. The THC content of hashish
available in the United States has increased significantly over the last decade.
11.6.7 ANALOGUE OR DESIGNER DRUGS

An analogue, also known as a designer drug, is a synthetic preparation with effects and
characteristics similar to those of a natural substance. Analogues are developed in
laboratories but, being different in formation from the substance they imitate, are not
initially classified as controlled substances—even though the imitated substance may be.
Many analogues are much more powerful than the imitated or natural substance; some have
led to deaths from overdose. Under provisions in the Controlled Substance Act, the U.S.
attorney general can institute emergency scheduling of analogue substances once they have
been seized and their properties confirmed (21 USC 813).

11.6 Drugs of Abuse
11.6.8 PRESCRIPTION DRUGS

Prescription drugs are frequently abused in the workplace. Those most often abused are
stimulants and sedatives. They may be prescribed by physicians but then overused or contin-
ued when no longer needed. Physical or psychological dependency may develop. If the user
can no longer obtain the drug legally, he or she may resort to illegal sources or substitute
another drug for it. Employees who sell these drugs at work usually think they are doing their
friend or coworker a favor.
The most common prescription drugs sold at work belong to the family of drugs known as
benzodiazepines, which are depressants designed to relieve anxiety, tension, and muscle
spasms. Librium, Xanax, and Valium are some of the more common benzodiazepines found in
the workplace.
Given the millions of prescriptions written for benzodiazepines, relatively few individuals
increase their dose on their own initiative or engage in drug-seeking behavior. Those who do
often maintain their supply by getting prescriptions from several doctors, forging prescrip-
tions, or buying diverted pharmaceutical products on the illicit market.
Abuse is associated with adolescents and young adults who take benzodiazepines to obtain a
high. This intoxicated state results in reduced inhibition and impaired judgment. Employee
abusers also frequently mix prescription drugs with alcohol, thus compounding the effect of
the drug. Mixing benzodiazepines with alcohol or another depressant can be life-threatening.
Abuse of benzodiazepines is particularly high among heroin and cocaine abusers. A large
percentage of people entering treatment for narcotic or cocaine addiction also report abusing
benzodiazepines.
Flunitrazepam (Rohypnol) is a benzodiazepine that is not manufactured or legally marketed in

the United States but is smuggled in by traffickers. Known as “rophies,” “roofies,” and “roach,”
flunitrazepam gained popularity among youth as a party drug. It has also been used as a date
rape drug, placed in the alcoholic drinks of unsuspecting victims to incapacitate them and
prevent resistance from sexual assault. Often, victims are unaware of what happened to them
and do not report the incident to authorities. Because of its effects, flunitrazepam is not often
used in the workplace but is sometimes sold there.

11.7 Addiction and Chemical Dependency
11.7 ADDICTION AND CHEMICAL DEPENDENCY
11.7.1 ADDICTION
Addiction is the disease of compulsion. One may be addicted to or by anything. Most often,
however, one thinks of addiction as the uncontrollable, repeated use of a substance or
performance of a behavior. In the case of substance abuse, the addict often becomes
addicted not only to the effects of the drug but also to the social behaviors surrounding it
(including the rituals for obtaining, preparing, and using it).
Addiction progresses through three stages:
x Stage One. The first stage is characterized by an increased tolerance to the drug, occa-
sional memory lapse, and lying about how much and how often it is used. Supervisors,
friends, and family members begin to become concerned. They notice behavior
changes and a reduced interest in friends, family, and job.
x Stage Two. The second stage is characterized by increases in rationalization, more fre-
quent lies, unreasonable resentment (particularly of supervision and management),
suspiciousness, increased irritability, and remorse. Abusers often plead for forgiveness
and promise managers and family members that they will change. The change,
however, is increased isolation, greater irritability, and more rationalization.
x Stage Three. In this final stage, use becomes an obsession. Use is no longer a
behavior— it is a destructive way of life. Frequent memory loss, unusual on-and off-
the-job accidents, unexplained absences, and on-the-job impairment are common.
Paranoia, depression, and anger also begin to set in. Problems may escalate with the
law, at home, and at work, which in turn may affect the abusers’ productivity,
performance, and continued employment. Left unmanaged, this stage is frequently
terminal.
As the addiction progresses, it takes more and more away from the addict. In many ways the
addict becomes a dues payer. The drug addict or alcoholic pays the following prices:
x impaired driving arrests and convictions

x hangovers and blackouts
x dysfunctional relationships
x confrontations with family, friends, and employers
x disciplinary actions
x demotions
x terminations
x loss of freedom (through imprisonment)
x bodily injury and death

Addictions are treatable. In some instances, addiction can be broken without help. However,
in most cases professional help is required. That help may be available through the
organization’s employee assistance program or any number of public programs. The
following are some U.S. examples:
x National Drug Information and Referral Line, 800-662-HELP
x National Council on Alcoholism and Drug Dependence, 800-NCA-CALL
x Narcotics Anonymous, 818-780-3951
x Food Addiction Hotline, 800-872-0088
x National Council on Problem Gambling, 800-522-4700
11.7.2 CHEMICAL DEPENDENCY

Chemical dependency is an integral component of addiction. It is the physiological craving
brought on by chemical changes in the body. These changes are both mental and physical.
Substance abusers experience a craving for the drug relieved only by the consumption of it.
People who are chemically dependent may lose all rationality and do anything to obtain their
drug.
Repeated use of a drug can also lead to tolerance. As the body becomes accustomed to the
effects of the drug, progressively larger doses are required to achieve the desired effect.
Abstinence or drug deprivation usually results in painful physiological responses collectively

known as withdrawal. Withdrawal is the result of the body’s attempt to chemically adapt in
the absence of the drug. It may be painful and sometimes very violent. Symptoms may
include irritability, vomiting, tremors, sweating, insomnia, and convulsions.
11.7.3 FUNCTIONAL ABUSERS

Addiction and chemical dependency manifest themselves in various ways. Sometimes
abusers appear to be able to manage their dependency. However, if the drug use is obsessive,
they may require the drug just to function “normally.” In that case, they are called functional
abusers. In many ways functional abusers look like everyone else. They keep steady jobs,
work regular hours, have families, and appear happy. However, they lead two distinct lives—
one seen, the other secret.
These abusers usually use drugs every day. On the job they appear to contribute and be
productive. However, when they are deprived of their drug, they are entirely different people.

11.7.4 DENIAL
Denial is the condition or state of mind in which people refuse to believe or consciously
acknowledge that their behavior is harming them and those around them. Abusers in denial
rationalize that their behavior is acceptable and minimize the adverse impact of their
conduct.
They deny that their involvement with drugs is affecting their health, job, and family. They
deny the existence of a relationship with their drug of choice and the ever-escalating cost of
that relationship. Abusers in denial say (and often believe) such statements as the following:
x I can quit anytime.
x It doesn’t affect me like other people.
x What I do on my own time is my own business.
x I’ve never hurt anybody.
x I don’t use enough to become addicted.
x It doesn’t affect my work.
x My wife (or husband) doesn’t care.

x I can handle it.
Friends and coworkers may also be in denial. They usually deny the abuser has a problem. If
they do admit it, they rationalize that the problem is temporary or even justified. Denial by
friends and coworkers may encourage the abuser to continue by suggesting that the behavior
is normal, acceptable, or even expected. An abuser who is supported by friends in denial will
not accept the advice of his or her spouse. The spouse, then, is viewed as abnormal, and
continued involvement in drugs is seen as a natural response to the problem at home. Naive
friends may even discourage therapy, treatment, or abstinence.
Supervisors, managers, and even organizations also engage in denial. Supervisors and
managers sometimes deny that an employee has a problem even in the face of obvious
proof. Organizations in denial fail to create sound substance abuse policies, fail to enforce
the policies they have, and fail to respond to workplace incidents involving substance abuse.
Managers in denial make statements like these:
x We don’t have a drug problem here.
x If we had a drug problem, we would see it.

x We’re only concerned about the dealers, not the users.
x We know a few employees smoke pot on lunch break, but what is the harm in that?
x If we enforced our policies, we couldn’t get anybody to work here.

x This industry doesn’t have those kinds of problems.

x Those kinds of people don’t work here.
Out of fear and unwillingness to confront the truth, organizations in denial deny the abuser
the help he or she needs. In doing so, they participate in the progression of the abuser’s
disease and the ruin of some of their most important employees.
11.7.5 ENABLING
Enabling consists of consciously or unconsciously allowing or encouraging the destructive
behavior of others. Enabling often extends from denial. The enabler’s actions shield the
abuser from experiencing the full impact and consequences of substance abuse. The enabler
helps maintain everyone’s delusion that the abuser is fine and does not have a problem.
Family members enable when they call in sick for the abuser, make excuses to their bosses
for them, and lie to protect them from discipline. Such behavior may seem kind and
protective, but it feeds the abuser’s rationalizations and allows him or her to continue in
denial and abuse.
Family members also enable when they forgive. Promises and commitments by the abuser
are continuously broken and become a pattern. Enablers come back for more.
Supervisors and managers enable also. They cover up for the abuser at work. They accept the
abuser’s excuses for attendance problems and weak performance. They enable when they
believe an abuser’s rationalizations, such as the following:
x I have a lot of problems at home.
x It will never happen again.
x I can handle it. Just give me more time.

x I’m not the only one who has problems around here.
x I promise …
Most people find it easier to enable abusers than to confront reality. Dealing with difficult
employees and the problems they bring to work is unpleasant and even frightening.
Managers and supervisors may doubt their own judgment and worry about how their actions
might affect their careers. Abusers may use those worries to their advantage.

Supervisors and managers should do the following:
x Know and understand their organization’s substance abuse policy and how it is to be
enforced.
x Know the symptoms of substance abuse and when to get help.
x Accurately document employee performance.
x Recognize enabling behaviors and stop them when they occur.
x Communicate their expectations and hold employees accountable.
x Document their efforts and results.

x Communicate with upper management.
Breaking the cycle of enabling requires honest confrontation of the problem.
11.7.6 CODEPENDENCY
Codependency is another destructive behavior common in the workplace. People are
codependent when they allow the behavior of another to overshadow their own values and
judgment. Codependency consists of not standing up for what one knows is right. The
resultant dynamic virtually assures the destruction of the relationship.
Those who are codependent typically
x feel they have to do more than their fair share of the work to keep the relationship
going,
x are preoccupied and consumed with a partner’s or coworker’s chemical dependency

problem,
x are afraid to express their feelings about the abuser,
x accept the abuser’s inability to keep promises and commitments, and

x fear disciplining an employee out of concern that the employee will leave and have to
be replaced.
Codependency involves such feelings as anger, isolation, guilt, fear, embarrassment, despair,
and loss of control. For fear of rocking the boat, they may provide the abuser with a support
mechanism to continue substance abuse. Codependents become rescuers, caretakers, com-
plainers, and adjusters. They also sometimes become overachievers in an attempt to be a
role model for the abuser. At other times they may actually join the abuser in his or her
substance abuse.

11.8 Role of Supervisors and Managers
To avoid codependency, supervisors and managers should do the following:
x Focus on performance. Do not allow the manipulative behavior of the abuser to over-
shadow what management knows is right.
x Set limits and boundaries for the abuser. Tolerate only what is acceptable.
x Get help from internal resources, such as the human resources department and the
organization’s employee assistance program (EAP).
x Refer the problem employee to resources that can help.
x Document efforts and results.

To be effective, supervisors and managers must understand the intricacies of addiction and
chemical dependency. They should also understand and be able to recognize the destructive
behaviors of denial, enabling, and codependency. Failure to confront those behaviors is
uncaring and cruel.
11.8 ROLE OF SUPERVISORS AND MANAGERS
11.8.1 DRUG-FREE WORKPLACE POLICY

For the creation of a drug-free workplace, a policy is absolutely necessary. The policy must
be practical, functional, and enforceable. It should also be written, effectively
communicated, acknowledged in writing by every employee, and equitably enforced. An
effective policy should do the following:
x State the organization’s objective—to create a drug-free workplace—and explain why a

drug-free workplace is important to all employees.
x State the unacceptability of drug and alcohol abuse at work and prohibit the use, sale,
or possession of controlled substances (as well as the offer to sell them) in the
workplace or while on the clock.
x Define on-the-job impairment.
x Describe how and when employee drug testing will conducted. The policy should
describe what constitutes a positive drug test and state the consequences of failing to
provide a specimen for testing.
x Define what constitutes an infraction of the policy and describe the consequences.
x Recognize that drug problems and abuse are treatable and spell out the availability of
treatment and rehabilitation options.

x Define the function of the organization’s employee assistance program and explain
how to gain access to it.
x Answer any questions that might be asked about substance abuse, the policy, or policy
enforcement.
The policy should avoid the term “under the influence.” Only for alcohol is there a legal
definition of “under the influence.” No such standard exists for the other drugs of abuse.
Thus, proving that an individual is under the influence of anything other than alcohol is not
possible.
Once the policy has been created, the organization should institute an appropriate waiting
period during which to educate the employees. Once the implementation date arrives, supervi-
sors and managers should state their willingness to enforce it. Such communication is one of
the most significant yet least recognized deterrents against employee substance abuse.
More than ferreting out substance abuse and employee substance abusers, supervisors and
managers must monitor performance. They should not be expected to catch employees
using and selling drugs. Instead, they should be expected to evaluate employee performance
and be able to take remedial action when performance is not adequate.
11.8.2 INVESTIGATION AND DOCUMENTATION

Sometimes employees violate company policy. When they do, management must respond
swiftly and effectively. Part of that response is often an investigation of the circumstances and
individuals involved. A workplace investigation is a fact-finding process, ideally separated
from the decision-making process. If such separation is not feasible, the fact finder must not
let any preexisting bias influence his or her findings and conclusions.
An investigation can be simple and informal (for example, confronting the suspected violator
and asking questions) or complicated and formal. Effective investigations must, at
minimum, be fair and impartial, factual and objective, thorough, and well documented, and
they must protect the rights of suspected violators and witnesses.
In addition, workplace investigations must not violate the law, company policy, labor agree-
ments, or anyone’s right to privacy. They must also be confidential. Evidence, findings,
notes, reports, and conclusions should only be shared with those who need to know. Upper
management and the human resources department should always be involved. Disciplinary
action should only take place after a detailed review of the investigation’s findings by
qualified management. Frequently, the findings of a workplace investigation do not call for
discipline. In such cases, the most appropriate response for supervisors and managers is
intervention.

11.8.3 EMPLOYEE HOT LINES

In the wake of the corporate scandals of the late 1990s and early 2000s, organizations have
scrambled to provide new ways to receive employee reports of misconduct. Still, fear of
retaliation often impedes employees from making a report, even anonymously, though the
implementation of modern anonymous incident reporting systems has curbed some of that
fear. Open-door policies are not enough to ensure that an organization gains the information
necessary to prevent and detect employee substance abuse.
Legal Mandates
In the United States, the Sarbanes-Oxley Act of 2002 requires all publicly traded companies
to establish a confidential means by which questionable accounting or auditing activities can
be reported anonymously by employees, customers, and vendors. Organizations are further
charged with ensuring proper “receipt, retention, and treatment of complaints.” Employers
can use these same tools to obtain information about employee substance abuse.
A challenge to multinational businesses is that hot lines, required in some countries, may be
illegal in others. These conflicting legal mandates likely reflect cultural attitudes toward
whistleblowers. European countries have historically felt uneasy about employees who
anonymously report the behavior of others.
Early Warning Systems

Anonymous employee hot lines allow for all types of employee misconduct to be detected
sooner than they might otherwise be, enabling organizations to address the problems before
significant losses accrue and their reputation is tarnished. Human resources officers and
security managers have quickly realized the benefit of receiving reports of employee miscon-
duct and substance abuse through workplace hot lines. The cost of implementing an anony-
mous employee hot line is minimal compared to the potential losses that can be avoided.
Establishment of an anonymous incident reporting solution shows employees that their

concerns are taken seriously and that the organization is committed to ensuring safety and
security for employees. Such a system encourages employees to act when they discover
coworkers behaving inappropriately.
Selecting a System
Outsourcing hot lines provides many advantages. First, Sarbanes-Oxley limits an organiza-
tion’s ability to provide strictly internal reporting mechanisms. Second, reporting system
vendors tend to have better technology for the task. Third, vendors generally employ better-
trained call takers who can collect the data most pertinent to the issue being reported.

11.8.4 INTERVENTION
Intervention is the calculated interruption of the destructive behaviors of a substance abuser
and those around that person. Intervention is not discipline. It is a caring behavior in which
those involved plan, prepare, and act. Through intervention, an organization can bring the
consequences of the abuser’s actions to his or her attention. Intervention is an attempt to
salvage the troubled employee and eventually return the person to work as a productive
contributor.
For intervention to be effective, employee performance must be documented. Supervisors

and managers must escape the state of denial and abandon the assumption that the employee
will improve if left alone. Moreover, they must not rationalize or accept substandard perfor-
mance or inappropriate behavior. In many cases, management intervention is the substance
abuser’s only hope prior to discipline.
Supervisors and managers should take the following steps in an intervention:
x Observe and document performance. Be objective and fair. Ensure that employees
understand what is expected of them. Observe and document inappropriate behavior.
Obtain the opinion of another supervisor or manager if there is any doubt as to the
appropriateness of an employee’s behavior. Take immediate action if it is necessary to
prevent an accident or serious mistake.
x Confront the problem employee. Remove the problem employee from his or her
immediate work area and confront the employee in private. Do not do or say anything
that may embarrass or shame the employee.
x Interview and discuss. Once in private, interview the employee. Have a witness present
if possible. Include a union representative if appropriate or required. If an investigation
has preceded the interview, share with the employee any information that is
appropriate. State only specifics and never generalize. Provide the employee
documentary proof of substandard performance (such as attendance records or
timecards). Describe in detail what is expected of the employee, referring to written
policy whenever possible. If witnesses assisted in the investigation, do not identify
them unless absolutely necessary. Do not accuse the employee or attempt to diagnose
or rationalize the employee’s behavior.
Next, offer the employee the opportunity to provide an explanation. Be open-minded,

but remember that the employee may be steeped in denial and might easily rationalize
away responsibility. Document the employee’s responses and comments.
Ask the employee what the organization might reasonably do to help him or her meet
the desired expectations. Empathize, but do not make a commitment; just listen and
attempt to understand the request. Suggest that the employee seek professional assis-

tance, such as that offered through the organization’s employee assistance program or
community resources. Be prepared to provide the employee with the appropriate tele-
phone numbers or literature if available.
Again, specify the employee’s shortcomings and the organization’s expectations.

Define boundaries and the specific consequences that will occur if those boundaries
are violated (for example, stating, “Your next absence will result in a final written
warning.”). Indicate that the employee’s performance will continue to be monitored,
and identify when his or her efforts will formally be reviewed and discussed (for
example, stating, “In 30 days, we’ll meet again here in my office to review your
progress.”).
Conclude the discussion on a positive note. Indicate that it is anticipated the employee
will improve his or her performance and meet expectations. Ensure that the employee
knows he or she has the support of the organization. Make clear that his or her success
will be a win-win. Then send the employee back to work.
x Document results. Next, document what took place: what was said by all parties, the
employee’s demeanor, and the employee’s response to the demand for better perfor-
mance. Put the follow-up meeting on the calendar, and ensure, in writing if necessary,
that the employee knows the date.
x Communicate with upper management. Thoroughly brief upper management and the
human resources department. Provide that department with copies of notes and
supporting documents from the meeting. If appropriate, suggest that a human
resources representative participate in the next meeting.
x Follow up. As scheduled, meet again with the employee. The meeting should be short
and direct. Those who attended the first meeting ought to be in attendance. Review the
employee’s progress. If the employee has met prescribed expectations, state
appreciation and congratulate him or her. If the employee has not, invoke the
progressive action or discipline described in the prior meeting. Set goals and establish
a follow-up date.
Intervention is an important management tool design to correct, not punish. Used properly,
it can enable supervisors and managers to salvage a problem employee. In the long run,
intervention can prevent unnecessary discipline, reduce employee turnover, and maybe
even save a life.

11.8.5 WHEN INTERVENTION FAILS

Sometimes intervention is not enough. Substance abusers do not always respond as hoped.
Sometimes addiction and chemical dependency are too much for the abuser to overcome
alone, no matter how accommodating the organization may be. At this stage the abuser may
be resentful, seemingly uncaring, and even angry. If the person has surrendered to the
disease, progressive discipline may be the only answer.
Documented progressive discipline is the incremental escalation of discipline in response to

continued performance shortcomings. It often begins with oral warnings, followed by
written warnings, suspensions, and ultimately termination. The escalation of discipline
clearly sends the message to the abuser that his or her relationship with drugs has a cost.
Progressively the abuser may begin trading things of value for that relationship. As the abuser
slides down this slippery slope, the last thing he or she will surrender is the job. The abuser
may already have given up his or her family, friends (except those also involved in drugs),
home, car, savings, and even health. The only remaining constant may be the job.
In such circumstances, the job represents more than a source of income. It represents the
last bastion of normalcy and order in the life of the abuser. As a result, abusers often cling to
it desperately. They may rationalizes that they are not sick, addicted, or chemically depen-
dent as long as they can keep a job. The abuser at this stage is capable of almost anything—
except giving up drugs. He or she may lie, cheat, and steal to keep the job and may even
resort to violence if the job is threatened.
11.8.6 EMPLOYEE ASSISTANCE PROGRAMS

Another management option is to refer the abuser to an employee assistance program (EAP).
EAPs first came into being in the 1940s. Known then as occupational alcoholism programs,
they were designed to address the problem of alcohol in the workplace. Today, EAPs address
a broader range of issues, including alcohol and substance abuse, family problems, marital
problems, and other personal issues. The services of the employer-provided EAP are free and
are usually available to family members as well as the employee. The relationship that the
employee or family member (both are called clients) has with the EAP is held in strict
confidence. Even the employer is not told the names of clients.
EAP professionals develop a community referral network to serve their clients. Clients are
usually provided with several consultations over the telephone (sometimes in person) to
determine their specific needs. Once an assessment is made, the client is provided the names
of several resources. It is then up to the client to follow through and seek the appropriate
help. For the purpose of support, the EAP may monitor the client’s progress, but actual
treatment is provided by independent, outside professionals. Any counseling or treatment
performed is confidential. Treatment costs may be covered by the employee’s medical insur-

ance. Leaves of absence are granted to accommodate the client-employee. In the United
States, the Americans with Disabilities Act (ADA) requires reasonable accommodation of
employees and job applicants who are recovering drug or alcohol abusers. Current users are
not protected.
In effect, the EAP is a clearinghouse for employee-help services. EAPs do not conduct
investigations or drug tests. They simply connect people with high-quality, professional help.
Employees can voluntarily seek help through an EAP, or they can be referred by manage-
ment. Management referrals typically include the following elements:
x mandatory participation
x professional diagnosis
x professional treatment or therapy
x progress reports and feedback to management
x goal setting
x monitoring
Like intervention and progressive discipline, management referral is an incremental

approach that encourages performance and behavior modification. Participation is
mandatory. Treatment or therapy is professionally administered, and management is
provided progress reports and feedback. Upon completion of treatment, and sometimes
during treatment, performance and behavior goals are negotiated. The recovering employee,
as a condition of employment, agrees to be monitored and is fully informed of the
consequences of not meeting the goals. Monitoring usually includes periodic drug testing.
Continued therapy or counseling may also be part of the negotiations. Eventually,
monitoring may be discontinued and the status of conditional employment removed.
11.8.7 BEHAVIOR MODIFICATION THROUGH ROLE MODELING

Role modeling consists of setting an example through one’s own behavior. Parents do it,
teachers do it, and so can employers. By setting a good example and doing what they expect
others to do, supervisors and managers can encourage employees to change their behavior.
If enough people participate, the entire organization’s culture can be altered.
Substance abusers prefer to work in environments where others like them work, and they
resent the social boundaries that a healthy corporate culture imposes on them. Most of all,
they resent the inability to rationalize their substance abuse. Positive peer pressure can force
substance abusers to confront their behavior. What they find is that they can no longer lie
and deceive.

11.8.8 REINTEGRATION OF THE RECOVERING EMPLOYEE

Recovery for the abuser is a long, painful process. Following treatment, the recovering abuser
often chooses to return to work—the same environment in which the abuse may have begun.
If it is an environment controlled by abusers, the recovering employee may find it difficult to
remain clean and sober. If other abusers control the culture, they may make it impossible for
the recovering addict to remain drug-free.
On the other hand, if the recovering employee returns to a healthy environment, his or her
chances for recovery and long-term sobriety are good. A healthy and caring culture can
provide various support mechanisms. Non-abusing coworkers can offer encouragement,
positive role models, and an environment free of temptation. Supervisors and managers can
hold the recovering employee accountable, set reasonable expectations, and providing
positive reinforcement when goals are achieved. The net effect is an environment conducive
to recovery and long-term health.
11.8.9 EMPLOYEE EDUCATION AND SUPERVISOR TRAINING

Training for employees at all levels should be provided as part of an overall substance abuse
program. All employees should be given accurate information about the dangers of substance
abuse and about the organization’s policies and expectations.
The human resources staff should be trained to identify applicants who may be substance
abusers in order screen them out. In addition, all human resources representatives should
become familiar with all aspects of the organization’s policies and practices since they will
usually be responsible for implementing corrective action and discipline.
Training for supervisors and managers is also critically important. While only a trained
healthcare professional can definitely diagnose a substance abuse problem, training can
provide supervisors and managers the tools they need to properly enforce work rules and
administer policies.

11.9 Drug Testing
11.9 DRUG TESTING

There is little doubt that workplace substance abuse harms performance and productivity.
As a result, employers have long looked to workplace drug testing as a tool for prevention
and detection. Preemployment drug testing aids in the detection of potential workplace
abusers before they are hired. For those who are already on the job, tests can be conducted
based on reasonable suspicion, after an accident or injury, at random intervals, after a return
to duty following a violation, and as a follow-up to treatment. Workplace drug testing also
serves as a deterrent, creating a fear of being caught.
Employers have both a right and a duty to promote a drug-free workplace. Drug testing is
now widely considered an important component in maintaining a safe and healthy
workplace and is used widely. In the United States, the Drug-Free Workplace Act of 1988
requires all businesses contracting with the federal government and receiving grants over
$25,000 to certify that they have policies for creating and maintaining a drug-free workplace.
Other legislation and regulations require periodic drug testing for some workers in the
transportation and public service industries.
11.9.1 METHODS
Drug testing is a scientific examination of a biological specimen for the presence of a specific
drug or its metabolite (a chemical byproduct left behind after the body metabolizes the
substance). The type of specimen analyzed most often is urine, but blood, hair, and saliva
may also be tested. Urine testing is preferred because collection is not considered intrusive
(that is, the body does not need to be punctured to collect the specimen as it is in the
drawing of blood). Collection techniques follow careful protocols ensuring the privacy of the
provider. Once the specimen is collected, it is sealed, labeled, and sent to a laboratory for
examination.
Usually the sample is split; part is used for testing and the rest is preserved (usually frozen)
for future examination if necessary. The testing sample is then subjected to one or more
preliminary tests, such as immunoassays, radioimmunoassay, and thin-layer chromato-
graphy. Of these, thin-layer chromatography (TLC) is the most common and least expensive.
Radioimmunoassay (RIA) is the most accurate and can detect drug concentrations on the
order of 1 to 5 nanograms per milliliter (1 to 5 parts per billion).
If the preliminary test discovers a drug or its metabolite, a confirmatory test is used.
Confirmatory tests typically use advanced technologies that are more accurate. They identify
both the type of drug or metabolite present and its concentration. The more common types
of confirmatory tests include high-performance liquid chromatography, gas chromato-
graphy, and gas chromatography/mass spectrometry. Of these, gas chromatography/mass

11.9 Drug Testing
spectrometry (GC/MS) is considered the most accurate. However, all methods can yield
accurate results and have withstood rigorous legal challenges.
Once the specimen has been confirmed positive, the results are confidentially commu-
nicated to the employer or its representative (as in the case of an employer’s use of a medical
review officer). Because specimens are labeled by number, not name, even the lab does not
know to whom the specimen belongs. Employer responses to a positive result vary depending
on circumstances and policy.
11.9.2 ACCURACY
Drug testing is extremely accurate. A very small percentage of tests may result in a false
positive, but confirmatory tests are performed in those cases. Laboratories that perform drug
tests are regulated and subject to rigorous performance requirements and quality assurance
procedures. Certification by the National Institute on Substance Abuse (NIDA) is difficult and
expensive. Under NIDA requirements, every specimen, procedure, and test is documented.
Control specimens are frequently tested to ensure accuracy and system integrity. NIDA claims
that of the roughly 16 million drug tests its labs perform annually, fewer than 16 produce
positive results when a drug is not present.
11.9.3 STRATEGY
Many states regulate drug and alcohol testing, and organizations must be mindful of
jurisdictional differences as they establish their drug-testing strategies. The following is an
examination of some of the issues that should be contemplated when developing an
organization’s strategy (Ferraro & Judge, 2003).
For which substances should the organization test?

Federal or state law, collective bargaining agreements, and contractual obligations may limit
this decision Under federal regulations, for example, an employer may test for alcohol and
five controlled substances: marijuana, cocaine, amphetamines, opiates, and PCP. These five
drugs are typically referred to as the DHHS-5 (Department of Health and Human Services 5).
Some states require employers (federally regulated or not) to follow federal rules when
adopting and administering workplace drug and alcohol programs. Employers with
operations in those states would, therefore, be limited to testing for the DHHS-5. Other
states, such as Iowa, permit testing for additional substances. Still other states, such as Ohio,
provide financial incentives if testing includes additional drugs.
Employers who are thinking of testing for substances beyond the DHHS-5 should also
consider the impact of the Americans with Disabilities Act (ADA), which limits medical
inquiries by employers. Strangely, under the ADA, a drug test is not considered a medical

11.9 Drug Testing
examination but an alcohol test is. Thus, it is advisable to test only after an employment offer
is made. Potentially, an ADA claim could be raised by a non-safety employee disciplined
9
because of a test that detected a substance other than one of the DHHS-5.
When should testing be performed?

This is the most difficult and controversial decision in developing a drug testing policy. Tests
may be performed before an employment offer is made, upon reasonable suspicion, after an
accident or injury, on a random basis, after return to duty following a violation, and as a
follow-up to treatment. Federal Highway Administration rules (49 CFR 382) require that
commercial truck drivers submit to a test under each of those circumstances.
Organizations that are exempt from federal rules should check state laws. Eleven states and
two cities have laws related to when employers can or cannot conduct drug testing. For
example, Vermont prohibits random testing, while Oklahoma permits post-accident testing
only if there is a reasonable suspicion of illicit drug use at the time of the accident. After
examining federal and state laws, organizations should determine which type of testing best
fits their circumstances. The two most common types of testing are preemployment and
random.
Employers may also want to consider reasonable-suspicion testing, which researchers

Ferraro and Judge (2003) have found in some cases to be a more effective deterrent to drug
use. For example, one of the researchers interviewed approximately 2,500 workers nation-
wide who tested positive for drugs or alcohol and subsequently lost their jobs. In the
interviews, the workers indicated that they knew their employers tested for drugs on a
random basis, but they did not consequently change their drug use. Statistical analysis
suggests this to be a good bet. Even in organizations that randomly test 8 percent of their
workforce monthly (unusually frequent but necessary to provide the probability that each
employee will be selected at least once a year), a substance abuser who uses twice a week
stands only a 2.45 percent chance of testing positive in any given month. A cocaine or
methamphetamine abuser who uses once a week would have just a .61 percent chance of
testing positive in any given month. The likelihood of being caught is further diminished by
absenteeism, holidays, vacations, and collection site availability.
By contrast, the workers interviewed said they were concerned about reasonable-suspicion
testing. In workplaces where employers actively tested on a reasonable-suspicion or for-
cause basis, the workers reported that they had attempted to stop using drugs on the job. It
appears that for-cause testing programs convinced the workers that the employers were
serious and would enforce their drug-testing policies. Case laws suggests that employers may
not conduct such tests without some evidence of possible drug use, and reasonable suspicion
requires more than a simple hunch.
9 th
See Jane Roe v. Cheyenne Mountain Conference Resort, Inc., No. 96-1086 (10 Cir. 1997).

11.9 Drug Testing
What type of testing should be conducted?

Employers must determine what types of samples to test—urine, saliva, blood, hair, or
breath. In federally regulated workplaces and in states that require employers to follow
federal rules, urine must be used for drug tests and saliva or breath for alcohol tests.
Employers should look to statutes in each state in which they operate and follow that
definition. State laws vary widely. For example, Iowa law prohibits blood tests in workplace
testing programs, while Mississippi prohibits alcohol tests using urine.
How drug and alcohol tests are carried out is also an important consideration. Thirteen
states require split-specimen samples for all substance abuse tests. For example, an Iowa law
requires that every sample must be split into two sub-samples. The first is used for testing
purposes. If the test result is positive, the remaining sample is offered to the providing
employee, who can have it tested at an independent laboratory. The impact of such a rule is
significant. If a sample is not split in a state that requires it, the person being tested must be
reinstated even if the test is positive.
Who should be tested?

This decision may not be entirely at the employer’s discretion. If workers are protected by a
collective bargaining agreement, the decision on whom to test will be determined bilaterally.
Likewise, the Federal Highway Administration requires commercial carriers to institute and
maintain a drug and alcohol testing program for all commercial drivers. Similarly, if an
employer does business with the federal government or is regulated by the Department of
Transportation, Nuclear Regulatory Commission, or Department of Defense, it will have to
follow any applicable federal regulations concerning drug testing.
Employers should check state law first, but the following is a general testing guide:
Whom to Test When to Test

all workers preemployment
all workers reasonable suspicion
all workers post-accident/injury
all workers return to duty
all workers follow up
only safety-sensitive workers randomly
Who should collect the specimens?

Some states, such as Minnesota, require that sample collection be performed only by
licensed medical professionals. Federal regulations that took effect January 31, 2003, require
that the person collecting the specimen be “qualified.” Some states have passed laws that
require even nonregulated employers to use only trained collectors. Under federal regu-
lations only properly trained “breath alcohol technicians” may conduct alcohol tests and
only “screen test technicians” may conduct alcohol screening.

11.9 Drug Testing
Where should the specimens be collected?

The choice is whether to have properly trained technicians collect the specimens at the job
site or to have employees go to a medical facility and provide specimens there. Instant, on-
site test kits are not currently permitted under federal rules, but in New York, for example,
employers can conduct instant, on-site testing if they obtain approval from the state’s health
department. Moreover, only certain labs can analyze a urine sample for drug use under some
applicable laws. For federal employers, only a laboratory certified by the Department of Health
and Human Services or the College of American Pathology (CAP) can analyze workplace
samples for controlled substances. Many states have passed laws imposing that same require-
ment or more restrictive rules. Many collective bargaining agreements and other contractual
relationships also require the use of a DHHS-certified or CAP-approved facility.
Who should receive the test results?

Essentially, federal and state laws require that laboratory test results go through the
confidential process of medical review before being reported to the employer. In a
confidential telephone or in-person interview with the specimen donor, a licensed medical
doctor called a medical review officer (MRO) will attempt to determine whether the
laboratory result is medically justified—that is, whether something other than an illegally
used controlled substance caused the positive result. If not, the MRO reports the positive test
result to the employer. It is prudent for all organizations to treat test results as confidential
medical information in order to protect the employee’s privacy and shield the organization
from potential liability.
11.9.4 EMPLOYER INCENTIVES

Organizations that implement drug-testing policies should take full advantage of available
state incentives. These incentives are typically found under the workers’ compensation laws
in the form of reduced annual premiums or presumed denial of benefits when a worker is
found to have used prohibited substances at the time of an injury.
Twelve states provide premium reductions, ranging from 5 percent to 20 percent. Those
states include Alabama, Alaska, Arizona, Arkansas, Florida, Georgia, Idaho, Mississippi, Ohio,
South Carolina, Tennessee, and Virginia.
Another monetary benefit is found when paying workers’ compensation claims. With few
exceptions, employers and their insurers need not pay workers’ compensation claims in two
conditions: if the worker violated a known safety rule and if the worker’s intoxication is the
cause of the injury. When such cases go to court, often the employer must prove alcohol or
drug use was the cause of the injury, not just a contributing factor.

11.9 Drug Testing
An illustrative case is Garcia v. Naylor Concrete Co. (2002). Juan Mario Garcia was employed
as a welder for Naylor Concrete Company at a shopping mall project. As part of his job,
Garcia was required to weld decking to a metal roof. To access the work site, Garcia had to
climb a 20-foot ladder and then walk about 90 feet across four-inch joists to reach the
decking. On September 30, 1997, Garcia had been welding for about an hour when he slid off
the edge of the roof and was seriously injured. At the hospital, a blood test showed his blood-
alcohol level as .094 percent.
Garcia applied for workers’ compensation benefits. Naylor refused to grant the benefits,
arguing that Garcia’s intoxication was the cause of his injuries. Garcia argued that he had
been drinking the night before the accident but had not consumed alcohol on the day of the
incident. The state Workers’ Compensation Commission denied the benefits on the basis of
Garcia’s elevated blood alcohol level on the day of the accident. The commission reaffirmed
the decision on appeal, and the state district court agreed during a judicial review. Finally,
the state’s Supreme Court upheld the decision, ruling that no matter when Garcia consumed
the alcohol, he was still legally drunk at work.
However, it may sometimes be difficult for companies to prove that drug or alcohol use
caused an employee’s injury. For example, in Kennedy v. Camellia Garden Manor (2003), the
court found in favor of the employee because the employer could not prove that the
employee’s prior use of marijuana had caused his injuries.
Herman Kennedy was employed as an orderly for Camellia Garden Manor, a nursing home.
On June 1, 2001, Kennedy injured his lower back while trying to lift a struggling quadriplegic
resident out of a whirlpool bath. Kennedy was ordered to provide a urine specimen for drug
testing purposes. The test was positive for marijuana. The employer fired Kennedy and
refused to pay his workers’ compensation claim because of the positive drug test.
Kennedy appealed to the state workers’ compensation board, claiming that the injury was
caused by lifting the struggling resident and not by any prior use of marijuana. The board
found in favor of Kennedy, ruling that the company could not prove that intoxication was the
cause of his injuries. On appeal, the district court upheld the board’s decision. The employer
was ordered to pay the claim.
Another financial incentive comes in the form of immunity from prosecution in certain
employment-related lawsuits. For example, in Idaho, employers who fire an employee as a
result of a positive drug test or refusal to provide a specimen for testing are given immunity
from lawsuits. Such immunity is waived in cases where the test results were false and the
employer knew or clearly should have known they were false.

11.9 Drug Testing
Four states—Arkansas, Iowa, Minnesota, and North Dakota—provide immunity for disclosure
of records when requested by a prospective employer. For example, an Arkansas law provides
for disclosure of the results of drug or alcohol tests administered within one year prior to the
request. Iowa law, however, stipulates the conditions under which such information may be
released. The law says that immunity is waived if the employer knowingly provides
information to a person who has no legitimate or common interest in receiving the work-
related information. Similarly, immunity is waived if the work-related information is not
relevant to the inquiry being made, is provided with malice, or is provided in bad faith.
11.9.5 LIABILITY
Though drug testing programs can provide monetary rewards, poorly managed programs
can lead to costly outcomes in court. A rule governing all federal employers requires that all
personnel who collect specimens from employees be qualified. The rule also applies to
private employers if state laws require that they follow federal rules. For example, 18 states
require certain employers to follow federal laws. Even if collection personnel work for a third
party, they are considered agents of the employer, leaving the employer liable if that party
breaks the law.
Private employers not covered by the law must still be cautious about the way a drug testing
program is conducted. If an employer has its own employees (not outside professionals)
collect urine samples, the employer must collect the samples in a reasonable manner, in
accordance with appropriate procedures.
An additional complication is the issue of chain of custody. The chain of custody establishes
who handled the specimen from the time it was provided to the time testing results were
rendered. Should the chain of custody be broken, the result is deemed invalid. Poor record
keeping can bring challenges to the chain of custody and easily jeopardize the validity of a
test result. Employers that collect their own specimens are most at risk. Unless the employer
establishes strict handling procedures and tightly manages its record keeping, broken chain
of custody claims cannot be defended. The employer may not only see the test result invali-
dated but also end up in court.
Drug testing offers many potential benefits, including improved safety and reduced injuries.
However, organizations that test for drugs must devise sound written policies and be
prepared to navigate the ever-changing rules and regulations.

Appendix A: Drug Glossary
APPENDIX A
DRUG GLOSSARY
STREET NAME MEANING STREET NAME MEANING

acid LSD heat the police
angel dust phencyclidine high under the influence
bag packet of drugs hip non-threatening
base base cocaine joint marijuana cigarette
bindle packet of drugs killer weed PCP-treated marijuana
blotter acid LSD meth methamphetamine
bread money microdot LSD
bunk low quality substance nickel bag $5 quantity
busted arrested pop inject drugs
chipping occasional use pot marijuana
coke cocaine reefer marijuana cigarette
connection drug dealer roach marijuana butt
cop to obtain drugs rock smokable cocaine
cop out to inform or sell out rush euphoria
crack smokable cocaine sinsemilla seedless marijuana
crash to sober up skin popping injecting under skin
crystal methamphetamine smack heroin
cut additive or impurity smoke marijuana
dealer drug dealer snort inhale through nose
dime bag $10 quantity speed methamphetamine
flake cocaine speedball cocaine with heroin
freebase smoke cocaine stick marijuana cigarette
grass marijuana weed marijuana
h heroin whites amphetamines
hash hashish, marijuana white stuff cocaine or heroin
hash oil hashish oil works paraphernalia

Appendix B: Common Questions About Drug Testing
APPENDIX B
COMMON QUESTIONS ABOUT DRUG TESTING
What do drug tests typically test for?

x alcohol x cocaine
x amphetamines and x opiates

methamphetamines
x phencyclidine
x marijuana (and marijuana derivatives)
Could a person be affected or test positive as a result of secondhand marijuana smoke?
No. Although passive inhalation can occur, typically the amounts ingested in that manner are so
low that impairment is nearly impossible, as is the possibility for testing positive.
Aren’t drug tests discriminatory? Don’t they violate employees’ rights?
No. Drug testing under most circumstances is not considered discriminatory or illegal. Employers
have the right to create and maintain a drug-free workplace. Drug testing is one of the many legal
tools available to the employer to ensure a safe and healthy workplace.
What happens if an employee refuses to be tested?
An employer cannot force an employee to take a drug test. However, refusal to take a drug test may
be a violation of the employer’s drug policy or may be considered insubordinate. Before refusing,
an employee should read the policy or talk to a human resources representative.
Can vitamins or other substances cause false positives?
Not typically. Before providing a specimen, the employee is asked to identify any medication or
other substances that may influence test results. The answers are kept confidential and can aid in
ensuring accurate test results.
How long do most drugs stay in a person’s system?
The length of time a drug remains in one’s system is based on a number of factors, including the
type of drug, amount ingested, body weight, and metabolism. The length of time drugs remain
detectable in the body is called the window of detection.

Appendix B: Common Questions About Drug Testing
Does a positive drug test indicate that the employee was impaired or under the influence?
Not necessarily. Only alcohol has legal blood limits. However, in most instances the mere presence
of a controlled substance in one’s system constitutes a policy violation.
Where can employees get more information?
They should contact the employee assistance program or a human resources representative.

Appendix C: Supervisor’s Checklist
APPENDIX C
SUPERVISOR’S CHECKLIST
This checklist includes behaviors and symptoms that may be indicators of substance abuse.
However, the presence of some of the indicators does not necessarily mean a person has a
substance abuse problem. Users of this checklist are encouraged to look for clusters of behaviors
and symptoms merely as an aid to identifying potential employee substance abuse.
Tardiness and Absenteeism

x taking frequent breaks x absence before and after holidays
x taking long lunches x absence Mondays and Fridays
x repeated tardiness x immediate use of vacation earned
x arriving late and leaving early x absence during period of heavy
x absence from area or office workloads
x abnormal number of visits to restroom x calling in sick after denial for vacation
x unexplained absences x requests for vacation extensions
x absences due to accidents on and off x requests for sick leave extensions
the job x extending sick leave repeatedly
x absence before and after paydays
Performance
x repeated procrastination x general lack of interest in work or
x repeated lateness in completing product
assignments x difficulty in handling difficult
x irresponsibility in completing assignments
assignments x difficulty in recalling previous
x faulty decision-making mistakes
x increased accident rates x alternate periods of high and low

productivity
x increased errors in judgment
x missed deadlines
x unnecessary wasted materials and
scrap x mistakes due to poor judgment
x unnecessary damage to equipment x customer or client complaints
x excessive time taken to perform x inappropriate behavior around others

assigned tasks x general carelessness
x difficulty in recalling instructions x sloppy work habits

Appendix C: Supervisor’s Checklist
Interpersonal Relationships
x inappropriate emotional outbursts x isolation from coworkers and friends
x mood swings, early or late in day x physical volatility
x overreacting to criticism x exaggerated self-importance
x constantly blaming others x unbending and unreasonable manner
x making inappropriate statements or x excessive time on the telephone
comments x failure to keep commitments
x rambling, incoherent speech x failure to keep appointments
Appearance and Mood

x inappropriate clothing x withdrawn demeanor
x personal hygiene ignored x unusually deep sadness
x body odor, unkempt hair x inappropriate laughter
x little interest in general appearance x suspiciousness
x glazed or red eyes x paranoia
x slurred speech x extreme sensitivity
x staggered gait x unusual irritability
x outbreaks of heavy perspiration x preoccupation with death and illness
x use of sunglasses at inappropriate times

Appendix D: Intervention Checklist
APPENDIX D
INTERVENTION CHECKLIST
The purpose of intervention is to correct, not punish. For best results, supervisors and managers
should follow these steps:
x Observe and document.

x Confront the problem employee in private.
x Discuss performance and behavior.
x Affirm expectations.
x Offer reasonable accommodations.
x Set goals.
x Document results.
x Follow up.
They should never:

x Diagnose a personal problem.
x Take responsibility for other people’s personal problems or issues.
x Generalize.
x Moralize.
x Cover up.
x Self-treat.
x Engage in a confidential or protective relationship.
They should always:

x Monitor performance and behavior.
x Document specifics.
x Follow organizational policy and procedures.
x Consult with employee in private.
x Interview with a witness.
x Offer professional assistance.
x Let the employee know they care.
x Let the employee make a choice.

Appendix E: U.S. Federal Legislation
APPENDIX E
U.S. FEDERAL LEGISLATION
Vocational Rehabilitation Act (29 USC 701, et seq.)

Under the Vocational Rehabilitation Act, an individual with a disability does not include “an
individual who is currently engaging in the illegal use of drugs, when a covered entity [employer]
acts on the basis of such use,” or “an individual who is an alcoholic whose current use of alcohol
prevents such individual from performing the duties of the job in question or whose employment,
by reason of such current alcohol abuse, would constitute a direct threat to property or the safety
of others.” The act also states that one will not be excluded as “an individual with a disability” who
has successfully completed a drug rehabilitation program and is no longer engaging in the illegal
use of drugs, or has otherwise been rehabilitated successfully and is no longer engaging in such
use, or is currently participating in a rehabilitation program and no longer using drugs illegally.
The act states that it is not a violation for a covered entity (employer) to adopt reasonable policies
or procedures, including drug testing, to ensure that rehabilitated individuals are no longer using
drugs illegally.
Americans with Disabilities Act (42 USC 12101, et seq.)

The Americans with Disabilities Act (ADA) states in Section 12114(d)(1) that a test to determine
illegal use of drugs shall not be regarded as a medical examination. (A medical examination may
not be required unless an employment offer has been made and may only be required following an
employment offer if all candidates are examined, not merely those with disabilities.) In
12114(d)(2), the ADA states that it “does not encourage, prohibit or authorize” tests for illegal drug
use by applicants or employees. In other words, it is neutral. As long as job discrimination is not
based on former use or abuse that does not currently affect job performance or safety, firms
subject to the ADA will not be prevented from screening.
Drug Free Workplace Act (41 USC 701, et seq.)

The Drug Free Workplace Act imposes duties on individuals and other entities that contract with
or receive grants from the federal government, and on their employees. The act requires that
employers pledge to maintain a drug-free work-place by
x publishing a statement that unlawful manufacture, distribution, possession, or use of a
controlled substance is prohibited in the workplace;
x providing all employees with a copy of the statement;
x making all employees aware that they must abide by the terms of the statement and notify
the employer within five days of any drug statute conviction for a violation occurring in the
workplace;

Appendix E: U.S. Federal Legislation
x imposing a sanction on or requiring satisfactory participation in a drug abuse assistance or

rehabilitation program by any employee so convicted;
x notifying the government within 10 days of receiving notice of an employee drug convic-
tion; and
x maintaining a credible drug-free awareness program.
The Drug Free Workplace Act also requires the employer, within 30 days after receiving notice
from an employee of a drug conviction, to take appropriate action against that employee (up
to and including termination), or to require the employee to participate satisfactorily in a drug
abuse assistance or rehabilitation program that has been approved by a federal, state, or local
health, law enforcement or other appropriate agency. A specific provision in section
12114(c)(3) of the ADA permits employers to require employees to comply with the provisions
of the Drug Free Workplace Act.
Family and Medical Leave Act (29 USC 2601, et seq.)

The Family and Medical Leave Act obliges employers of 50 or more employees within 75 miles of
the facility to grant leave of up to 12 work weeks to employees who have been employed at least 12
months and worked at least 1,250 hours during the previous 12-month period. The leave must be
granted, among other reasons, to an employee who has a serious health condition that makes the
individual unable to perform the functions of the position.
The act defines a serious health condition as an “injury, illness, impairment or physical or mental
condition” that involves inpatient medical care or continuing treatment by a health care provider.
The leave may be unpaid, but an employer who grants less than 12 weeks of personal, sick, or
vacation leave annually may require the employee to exhaust that leave as part of the leave
provided under the act. Any remaining leave needed to make up the full 12 weeks, should they be
required, is unpaid. Upon timely return from leave, the employee is reinstated to the same or
equivalent position and suffers no loss of benefits or seniority. (This last provision does not apply
to salaried employees who are among the highest-paid 10 percent of the workforce.)
Because both the Vocational Rehabilitation Act and the Americans with Disabilities Act protect
employees in rehabilitation programs, and because detoxification or other medical need arising
from such participation could be described and certified as a serious health condition, there will
be situations in which such leave is sought. An employer who seeks to deny or interfere with rights
under the act, or to discriminate against employees who file charges or give testimony in a
proceeding held under provisions of the act, is liable to an aggrieved employee for civil damages of
x any lost wages or actual costs up to 12 weeks’ pay;
x interest on that amount;
x liquidated damages in an amount equal to the actual costs;
x the costs of the action; a reasonable attorney’s fee; and
x equitable relief, including reinstatement, employment, and promotion, as appropriate.

Appendix F: Sample Substance Abuse Policy
APPENDIX F
SAMPLE SUBSTANCE ABUSE POLICY
Scope
XYZ Company is a drug-free workplace and does not permit its employees to be impaired by drugs
or alcohol while on Company time or property. Violation of any of the rules and regulations,
procedures, requirements, or the spirit of this guideline will result in corrective action. Depending
on the circumstances, appropriate corrective action may include termination from employment,
suspension, warning, probation, or any lesser sanction; or other action in the Company’s
discretion deemed to be commensurate with the problem.
Use or Possession at Work

The use or possession of alcoholic beverages or illegal drugs, and the unlawful manufacture,
distribution, dispensation, possession, or offer of, or use of a controlled substance, while on
Company property, on the job, or performing Company business, is prohibited. This includes
possession of drug paraphernalia or empty alcohol containers on company time or company
property.
The only exception to this rule is that, on occasion, alcohol may be served at Company-sponsored
events, such as a holiday party. In those instances, responsible, moderate consumption of alcoholic
beverages is not a violation of this policy.
Impairment
Appearing for work or performing any job duties or Company business while impaired by alcohol
or drugs is prohibited. Employees who are believed to be impaired on the job may, in addition to
any other appropriate action, be suspended, sent home, or reassigned for safety reasons while the
situation is evaluated.
Off-Duty Use
The use of alcohol off-duty and off-premises in any manner that results in impairment on the job,
that adversely affects attendance or job performance, or that otherwise adversely reflects on the
Company is prohibited. The use of illegal drugs by employees, whether on-or off-duty and whether
on-or off-premises, is prohibited under all circumstances.

Legal Drugs
The use of legal drugs (over-the-counter or prescription medications) in accordance with a doctor’s
orders or manufacturer’s recommendations is not prohibited. Abuse of legal drugs shall be
considered to be the same as use of illegal drugs under this policy. If use of legal drugs in accordance
with a doctor’s orders or manufacturer’s recommendations may impair the employee’s ability to
safely and effectively perform his or her job, the employee must so notify his or her supervisor in
advance, so that any necessary arrangements can be made to protect safety and productivity.
Drug Convictions
Any employee who is convicted of any criminal drug violation occurring in the workplace must so
notify his or her supervisor within five days after the conviction. XYZ Company may be required to
report such information to governmental agencies with which it contracts.
Job Applicants
XYZ Company will not knowingly hire a job applicant who is currently abusing alcohol or legal
drugs or currently using illegal drugs.
Right of Inspection
XYZ Company reserves the right to inspect with or without notice at any time all vehicles, lunch
containers, purses, boxes, packages, desks, lockers, and other personal property of employees on
XYZ Company premises for the purpose of enforcing this policy or other safety and security
reasons. XYZ Company premises include all employee parking areas and company-designated
parking lots.
Drug and Alcohol Testing Policy

XYZ Company may require any employee or job applicant to submit to a breath and/or urine test
for drugs or alcohol, in the following circumstances:
Preemployment. Preemployment testing shall be required for all job applicants within specified
facilities or job categories as determined by management from time to time. Applicants who fail
to pass a preemployment drug or alcohol test will be ineligible for employment for a minimum
of one year.
Reasonable suspicion. XYZ Company may require any employee to be tested for the presence
of drugs or alcohol based on reasonable suspicion. Reasonable suspicion shall be defined as a
reasonable suspicion, by a supervisor or above, concurred with by the senior manager available
within the affected facility or department, that an employee’s faculties are impaired on the job
or that an employee has used or possessed illegal drugs. This determination of a reasonable
suspicion may be based on a variety of factors, including but not limited to the following:

x direct observation or reports reasonably believed to be reliable from coworkers or others

x possession of drugs or alcohol on the premises, or use of drugs or alcohol at work, prior to
work or on breaks (such that the employee is impaired while on company premises)
x behavior, speech, or other physical signs consistent with impairment
x a pattern of abnormal conduct or erratic behavior, which is not otherwise satisfactorily
explained
x unexplained accidents, on-the-job injuries, or property damage
x a combination of some of the above factors and/or other factors in the judgment of
management
Management’s determination of reasonable cause shall be discretionary and shall be final.
Universal. Universal drug testing may be required of all employees within specified facilitates
or departments designated by XYZ Company management from time to time. Selection of
covered employees to be tested (randomization) shall be conducted by XYZ Company’s testing
service provider according to systems established by the provider, which shall notify XYZ
Company of the employees to be tested. Universal testing may be conducted at unannounced
times spread throughout the year.
Refusal to submit to or cooperate in the administration of requested testing, or testing positive

for illegal drugs or alcohol, will result in termination of employment, except as provided in the
Rehabilitation section of the Substance Abuse guideline.
Testing Process
Scope. Drug and alcohol testing of applicants or employees may include a urinalysis and/or
breath analysis sample testing as determined by XYZ Company and the testing service provider.
Testing may include, but may not be limited to, detecting the presence of marijuana, cocaine,
opiates, amphetamines, and phencyclidine (PCP). XYZ Company may increase or decrease the list
of substances for which testing is conducted at any time, with or without notice. In addition, XYZ
Company may require separate samples if multiple tests are conducted. Test levels and standards
will be established by XYZ Company and the testing service provider.
Confirmation. Initial positive tests shall be confirmed using a second test in accordance with
applicable law.
Specimen for testing. Testing shall be conducted at a facility designated by XYZ Company. Job
applicants and employees selected for universal or reasonable cause testing shall appear at the
facility and provide the necessary sample at the precise time and place specified by XYZ
Company. Employees tested based on a suspicion that the employee may be impaired shall be

transported to the testing site by a supervisor or another person designated by XYZ Company.
The applicant or employee must sign any consent requested and provide any other requested
information; failure or refusal to do so may result in discharge or denial of employment.
Testing an injured employee. An employee who is seriously injured and cannot provide a
specimen at the time of the accident shall provide the necessary authorization to obtain
hospital reports and other documents that may indicate whether there were any controlled
substances or alcohol in his or her system.
Notification of results. Employees and applicants will receive notification of positive test results
and will be given an opportunity to explain such results. Failure to timely respond may result in
an uncontested positive verification
Rehabilitation
Purpose and responsibility. XYZ Company recognizes that drug dependency and alcoholism
are health problems and, in management’s sole discretion, on a case-by-case basis, will attempt
to work with and assist an employee who becomes dependent on drugs or alcohol. The
employee will be assisted in identifying rehabilitation services, referral agencies, or other
resources to help the employee in dealing with his or her problem. It is the employee’s
responsibility, however, to see that such problems do not interfere with proper job performance
or expose others to the risk of harm. All employees are urged to obtain any necessary help
before a personal problem becomes an employment problem.
Evaluation and treatment. An employee may be allowed, as an alternative to discipline or

discharge for violation of this policy, to undergo an evaluation for chemical dependency. This
alternative may be offered on a case-by-case basis, in the sole discretion of XYZ Company
management. If recommended by an evaluation, enrollment in and successful completion of an
approved program of chemical dependency or alcoholism treatment may, in the sole discretion
of XYZ Company management, be offered once as an alternative to disciplinary action of an
employee (not applicable to job applicants) and as a condition of continuing employment.
Eligibility to return to work, and any special conditions on the employee’s work, shall be
determined on a case-by-case basis considering all relevant circumstances, including XYZ
Company’s interest in safety and operational efficiency.
Costs
Mandatory drug/alcohol testing costs shall be paid by XYZ Company; treatment costs shall be the
responsibility of the employee to the extent not covered by the employee’s health insurance.

Definitions
Impairment. This is a condition induced by any drug or alcohol or the combination of any drug
and alcohol that affects the employee in any physically or mentally detectable manner. The
symptoms of impairment are not confined to those consistent with misbehavior or of obvious
impairment of physical or mental ability, such as slurred speech, difficulty in maintaining
balance, or the odor of alcohol. A determination of impairment may be established by any
supervisor or manager, a medical professional, a scientifically conducted test such as urinalysis,
or in some instances by a layperson. Furthermore, in some cases lacking any objective or
subjective indicator, the mere consumption of a drug and/or alcohol may constitute
impairment.
Illegal drugs. An illegal drug is any drug that is (a) not legally obtainable or (b) legally obtainable
but has not been legally obtained or used. The term includes prescribed drugs not legally
obtained and prescribed drugs not being used for prescribed purposes. Included are
prescription drugs shared with a coworker under any circumstances.
Legal drug. A legal drug is any prescribed drug or over-the-counter drug that has been legally
obtained and is being used for the purpose for which it was prescribed or manufactured.
Drug paraphernalia. These are items, tools, and devices commonly used in the preparation,
storage, and administration of illegal drugs. Examples include but are not limited to rolling
papers, roach clips, glass pipes, water pipes and bongs, drug vials, straws and spoons, and in
some cases hypodermic syringes.
Serious injury. This is any work-related injury resulting in the stoppage of work and requiring
medical attention of any kind.

References
REFERENCES
Code of Federal Regulations. (2007). Controlled substances and alcohol use and testing. 49 CFR 382.
Drug Enforcement Administration. (2006). Drug information. Available: http://www.usdoj.gov/

dea/concern/concern.htm [2007, September 9].
Ferraro, E. F. (1994). Employer’s guide to a drug-free workplace. Golden, CO: Business Controls, Inc.
Ferraro, E. F., & Judge, W. J. (2003, May). Put your drug policy to the test. Security Management.
Garcia v. Naylor Concrete Co., 650 N.W.2d 87, 90 (Iowa 2002).
th
Jane Roe v. Cheyenne Mountain Conference Resort, Inc., No. 96-1086 (10 Cir. 1997).
Kennedy v. Camellia Garden Manor, Louisiana Circuit Court, 2003.
Department of Health and Human Services. (2007). Alcohol. Available: https://ncadistore.samhsa.

gov/catalog/facts.aspx?topic=3&h= [2007, September 3].
Department of Health and Human Services. (2007). Results from the 2006 National Survey on Drug
Use and Health: National findings. Available: http://www.oas.samhsa.gov/nsduh/2k6nsduh/
2k6Results.cfm#2.10 [2007, September 14].
United States Code. (2007). Treatment of controlled substance analogues. 21 USC 813.

CHAPTER 12
ADDRESSING WORKPLACE VIOLENCE
THROUGH VIOLENCE RISK ASSESSMENT
AND MANAGEMENT
12.1 INTRODUCTION
People have long been concerned about violence, but the use of behavioral assessment and
th th
intervention to prevent violent behavior is fairly new. During the late 19 and early 20
centuries in the United States, the legal system began to ask “alienists,” who are now called
psychiatrists, to render opinions concerning the propensity (likelihood) of identified
individuals to commit violence in the future. These opinions were used in both criminal and
civil proceedings to determine whether people should be incarcerated and for how long,
where they should be held, and under what circumstances they should be released.
Unfortunately, psychological studies from the 1960s to the 1990s show that psychiatrists and
psychologists who use only their own judgment in such cases are only 40 to 70 percent
accurate in predicting violent behavior, depending on how violence is defined, the duration
of the prediction follow-up, and the population assessed. Clinical judgments alone rarely
10
outperform actuarial approaches alone. These studies spurred an explosion of psycho-
logical research on how to increase the accuracy of predictions and created a specialty called
violence risk assessment and management.
10
See two meta-analyses covering a wide range of studies: (1) William M. Grove and Paul E. Meehl, “Comparative Efficiency of
Informal (Subjective, Impressionistic) and Formal (Mechanical, Algorithmic) Prediction Procedures: The Clinical-Statistical
Controversy,” Psychology, Public Policy, and Law, Vol. 2, No. 2, 1996, pp. 293-323, and (2) Douglas Mossman, “Assessing
Predictions of Violence: Being Accurate about Accuracy,” Journal of Consulting and Clinical Psychology, Vol. 62, No. 4, 1994, pp.
783-792.

WORKPLACE VIOLENCE
12.1 Introduction
At the same time, the public began to hear about more violence in the workplace, particu-
larly single and mass homicides. In addition, the U.S. government began to gather statistics
and develop expectations of what employers should do to provide a safe workplace. A
study by the National Institute for Occupational Safety and Health for the period 1980 to
1995 (National Institute for Occupational Safety and Health, 2001) showed that murder was
the leading cause of death in the workplace for women and the second leading cause of
death in the workplace for all workers in the United States during that period. However, the
number of workplace homicides per capita has decreased in the United States since those
peak years in the early 1990s (see Figure 12-1).
Most workplace homicides result from robberies and similar criminal violence. An
examination of workplace violence incidents not involving robbery reveals that perpetrators
progressively move through stages resulting in violence. However, a more disturbing subset
of violence has become more prominent and is an ongoing concern for employers and
employees—mass murder by individuals who are closely connected with the workplace.
They include employees, spouses or significant others, long-time customers or clients,
shareholders, and suppliers to the business. They commit targeted acts of violence against
company personnel who, in their view, have caused them a loss of some type.
Even when these individuals do not commit homicide, they cause problems that must be
assessed and resolved. A study by Northwestern National Life Insurance Company (1993)
stated that 2 million Americans were attacked in the workplace in 1992, 6 million were
threatened, and 16 million were harassed. Incidents of homicide, assault, threats, and
harassment in the workplace will likely continue to contribute to the turbulence of modern
society and reinforce some individuals’ perception that violence is an acceptable way to
accomplish their goals.

WORKPLACE VIOLENCE
12.1 Introduction
Workplace Homicide, United States

1,200
1,080 1,036
1,100
1,000 927
900 860
800 714
677
700 651 643
609 632 628
559 567 540 526 542
600
500
400
1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
Fatal Occupational Injuries, Average Average Average

2008 2009
by Cause 1994-1997 1998-2002 2003-2007
Assaults and violent acts 1219 910 831 816 837
Homicides 976 659 585 526 542
Shootings 791 519 458 421 434
Stabbings 70 61 54 33 49
Other (including bombings) 115 79 73 72 59
Self-inflicted 214 218 202 263 263
Source: Census of Fatal Occupational Injuries, Bureau of Labor Statistics, U.S. Department of Labor, http://www.bls.gov/
iif/osh_nwrl.htm#cfoi. Note: The homicide figures show a marked decline from the 1994 high of 1,080 workplace homicides.
These figures are for private-sector workplaces only.
Figure 12-1
U.S. Fatal Occupational Injuries by Event or Exposure, 1994–2009

WORKPLACE VIOLENCE
12.2 Conceptual Framework
12.2 CONCEPTUAL FRAMEWORK

The security profession has developed ample means to deal with robberies and other
criminal acts that can lead to violence: lighting, locks, bandit barriers, timed safes, closed-
circuit television, and more. But only in the last 20 years has a new approach evolved—an
interdisciplinary workplace violence risk assessment and management process that allows
for the identification and assessment of individuals so they can be diverted from violence
before they act. Like other forms of risk assessment, violence risk assessment provides
information that aids in appropriate allocation of resources to minimize harm. Violence risk
assessment helps differentiate between individuals who pose a threat and those who solely
make threats.
Security programs aim first to divert someone from committing an unsafe or harmful act and
then, if diversion is unsuccessful, to delay the person’s progress in committing the act until
trained individuals are notified and respond to the problem. All effective security programs
assume that an effective response by properly trained personnel will occur if the perpetrator is
not diverted. In the case of threats of workplace violence, this means that one of the planned
responses should be (at a predetermined threshold of assessed potential for immediate,
physical violence) a response by correctly trained, armed personnel who will handle the
situation. In some workplace violence situations, these responders may be law enforcement
personnel. However, because of law enforcement’s average response time to crimes of violence
11
(more than 11 minutes in 40 percent of cases in the United States ) and a company’s prior
notice of the problem, the only legally defensible option may be to use properly qualified
private security personnel.
Like a typical security program, a violence risk assessment program employs diversion,
delay, and response, but they are the last elements in the program. The most distinctive and
important elements are behavioral recognition, notification, assessment, and intervention by
planned disruption. Those elements are used before physical security elements come into
play. The long-term solution to each situation of potential workplace violence lies in under-
standing the emotional and mental state of the aggressor and diverting him or her from
violence, not solely in strengthening security measures. Early awareness of the problem
allows for a thorough assessment and successful intervention. Consequently, companies
should develop a comprehensive violence risk assessment and management system that
requires reporting of threats to a central position in the company, a thorough assessment of
the threats, and a coordinated response to the assessment, involving legal, human resources,
security, behavioral, and other organizational and community elements.
11
Bureau of Justice Statistics, National Criminal Victimization Survey, 2003 (Washington, DC: U.S. Department of Justice, 2005).
NCJ 207811, available at http://bjs.ojp.usdoj.gov/.

WORKPLACE VIOLENCE
12.3 Focus Areas
12.3 FOCUS AREAS

Every employer in the United States has an obligation to provide a safe workplace. This
obligation could arise from federal laws, state laws, local ordinances, case law precedents, or
all those sources. The obligation extends to employees, contractors, visitors, and guests on
the premises and generally does not distinguish between internal and external sources of
danger. Consequently, if an employer or its representative has reasonable cause to believe
that someone may commit an act of violence on the premises or against one of the
organization’s employees who is acting within the scope of his or her duties at another
location, the employer has an obligation to protect the potential victim. It does not matter
whether the aggressor is an employee, spouse or significant other of an employee,
shareholder, contractor, supplier, vendor, client, guest, or third party. For example, in Tepel
v. Equitable Life Assurance Society (1990) an employee whose husband came to her office and
assaulted her successfully sued her employer. The jury held that the employer had known
about the husband’s prior threats to harm the employee and had not taken adequate steps to
protect her or her coworkers. This level of obligation may be greater than what is understood
by the business community, but it has been enforced consistently in state and federal courts
and regulatory proceedings.
A violence risk assessment program must address a variety of workplace behaviors. Policies
and programs dealing with inappropriate workplace conduct, including harassment,
intimidation, and discrimination, should be seen as related to the violence risk assessment
program because in some cases such behaviors are early warning signs that can lead to
violence. Other behaviors that would fall directly into a violence risk assessment program
include oral or written threats, assaults with or without battery, stalking, sabotage or
vandalism, and homicide.
Business-related concerns that the program should address include liability, productivity,
workplace morale, and associated costs. The primary source of concern may be the cost of
being proven liable for negligence in a tragic incident of workplace violence. There is good
reason for concern, as lawsuits claiming negligent security continue to grow in number and
cost to businesses throughout the United States. Judgments and settlements for wrongful
death cases are averaging more than $2.8 million dollars (Anderson, 2002). However, the
greatest economic cost to organizations for acts of violence may come from the loss of morale
and productivity. Hundreds of thousands of dollars per incident can be lost in work group
productivity due to the absenteeism, sick leave, work slowdowns, management and worker
distraction, and general disruption that may follow workplace violence. The costs for treating
injuries, too, should not be ignored. Treatment for a single crime-related injury can easily cost
tens of thousands of dollars. Further information on productivity and injury costs can be found
in Victim Costs and Consequences: A New Look (National Institute of Justice, 1996).

WORKPLACE VIOLENCE
12.4 Liability and Legal Considerations
A further consideration is the level of outside support that the company can tap into for a
violence risk assessment and management program. The company must be ready to contend
with the following problems: (1) limited law enforcement resources to respond to potential
violence in the workplace; (2) limited but growing legal experience in workplace violence
management; (3) limited number of defensible experts in the psychopathologies and behaviors
associated with violence; and (4) limited number of security firms that understand the limits
of their role and are capable of providing the broad spectrum of responses necessary. Many
unqualified individuals and companies claim expertise in violence risk assessment and
12
management.
12.4 LIABILITY AND LEGAL CONSIDERATIONS

Various laws and regulations require U.S. employers to provide a safe workplace. An example
of relevant federal law is OSHA 29 U.S.C. § 654(a)(1). Many states, such as California, have
enacted similar or additional guidelines (e.g., California Labor Code-6400 and Injury and
Illness Prevention Program (6401.7)). A company with locations in several jurisdictions
should research the laws in each location. Types of statutes to look for include those that
cover threats or threatening behavior, terroristic threats, stalking, threatening or harassing
phone calls, trespassing after issuing a threat, violation of a restraining or protective order,
possession of illegal or dangerous weapons, brandishing or exhibiting a deadly weapon,
assault, battery, assault with a deadly weapon, rape, robbery, armed robbery, maiming,
attempted homicide, kidnapping, and homicide.
In addition, certain legal duties and tort concepts have become associated with claims and
lawsuits arising from workplace violence. Some workplace violence lawsuits have been filed
13
under claims of violations of Title VII discrimination protections, violations of the Americans
with Disabilities Act, violations of the Rehabilitation Act, defamation, slander, invasion of
privacy, harassment, negligent security, negligent hiring, negligent supervision, negligent
retention, employer’s vicarious liability, and other torts. Examples include the following:
x former employee returning to kill coworkers after employee assistance program claims he can
be fired safely (Allman v. Dormer Tools, Inc.)
x supervisor/coworker battery (Clark v. Pangan, 2000)
x domestic violence in the workplace (Civil Action, 2001)
12
For more information on qualifying security consultants and contractors, see Chapter 8, Consultants as a Protection
Resource.
13
Title VII of the U.S. Civil Rights Act of 1964.

WORKPLACE VIOLENCE
12.5 Behavioral Dynamic of Workplace Violence
x security director’s threat of violence against an employee (Herrick v. Quality Inn Hotel, 1993)
x employee shooting of a supervisor (Smith v. National Railroad Passenger Corporation, 1988)
These legal issues are addressed in detail in other sections of Protection of Assets.
It is important that the company research, document, and understand the method by which
it or its employees can obtain restraining or protective orders against individuals who
threaten to harm them. In many jurisdictions such orders can only be obtained by individual
(natural person) victims. However, the law is beginning to recognize that business entities
can also be the victims of threats and harassment and may need court orders for protection
(e.g., 527.8 California Code of Civil Procedure). Some individuals question the value of a
piece of paper as protection from violence. Studies (such as Meloy, 1997) have shown that
the majority of protective or restraining orders aid in the cessation of violence. However, it is
important to obtain them early in the cycle of violence. For example, in 1988, after stalking a
coworker for years, even after being fired, Richard Farley went on a shooting spree at his
former workplace, Electromagnetic Systems Labs in California, killing seven and wounding
three. The object of his stalking, Laura Black, did not obtain a restraining order against him
until two years after he was fired for his stalking behavior, and she now believes that
14
obtaining it earlier might have prevented the tragedy.
12.5 BEHAVIORAL DYNAMIC OF WORKPLACE VIOLENCE

Before committing violence, a workplace aggressor must first determine that violence is an
acceptable means to establish or reestablish control (Corcoran and Cawood, 2003, p. 6).
Next, the aggressor selects targets (against which attacks will give the person a sense of
control) and locations (that will allow the aggressor to succeed). Then the act of violence can
occur (Corcoran and Cawood, 2003, p. 6). In deciding to commit violence, aggressors do not
“snap” but go through a process of emotional escalation or, in the case of psychopaths, non-
emotional decision making.
For security practitioners. the most effective means of preventing workplace violence is early
detection of this behavioral, emotional, and psychological dynamic. The way to detect
individuals who are destabilized and seeking control is to assess their mental and emotional
levels along a continuum of violent behavior and then develop a plan to divert them from
violence through a case-specific use of communication, company resources, community
resources, and the legal system.
14
Television interview of Laura Black on 2/9/93 by KPIX TV (Channel 5), San Francisco, CA, following a presentation of the
Laura Black Story.

WORKPLACE VIOLENCE
12.5 Behavioral Dynamic of Workplace Violence
It is beyond the scope of this document to explain thoroughly the difference between
psychopathic and affective (emotion-based) violence. Suffice it to say that in the early
investigation and assessment of any aggression, the assessor should be attentive to the
clusters of behavior that would signal that the aggressor may be a psychopath. Appropriate
intervention is much more complex when dealing with psychopaths. For more information
on psychopathy, a good starting point is Without Conscience: The Disturbing World of the
Psychopaths Among Us (Hare, 1993). This book discusses behavioral elements and clusters to
watch for, but only trained, experienced violence risk assessors should attempt to intervene
in cases involving a potential psychopath. Because the vast majority of cases involve
emotion-based aggressors, this document focuses on them, not psychopaths.
In general, the continuum of violent behavior starts with general disgruntlement with a
business or a person (Calhoun & Weston, 2003, p. 60). Then, as the situation escalates, one
may observe nonspecific spoken intimidation, nonspecific spoken threats, specific spoken
threats, written threats, physical violence against property, stalking, physical violence against
people without the use of weapons, and finally physical violence against people with the use
of weapons. In any individual case, the aggressor could exhibit one or more of these
behaviors, escalating or de-escalating them over time. In general, in more serious cases, as
cycling occurs, each movement back up the curve involves more serious behavior. The entire
process leading to physical violence can occur within a short period if enough influential
factors are in place. Figure 12-2 provides a graphic depiction of a potential escalation curve.
The curve was the outcome of research by James S. Cawood, CPP, that attempted to identify
a consensus among violence risk assessment professionals concerning their ranking of
aggressor behaviors by perceived emotional intensity.
Behavioral assessment is very information-intensive and requires as much information

about the individual as possible. Particular attention should be paid to the aggressor’s
history of stressful events (death, divorce, job loss, financial pressure, etc.) and his or her
reaction to it. One dictum on which all psychological researchers in this field agree is that
“the best predictor of future behavior is past behavior” (U.S. Merit Systems Protection Board,
2003). Consequently, the more one knows about the aggressor’s emotional history, violence
history, recent behavior, reactions to stress, and current stressors, the better one can assess
the aggressor’s current level of violence risk to the company or its employees.

WORKPLACE VIOLENCE
12.6 Incident Management Team and Resources
Figure 12-2
A Theoretical Behavioral Escalation Curve for Emotion-Based Violence
12.6 INCIDENT MANAGEMENT TEAM AND RESOURCES

A comprehensive approach to workplace violence includes the creation of an incident
management team (IMT). The IMT should include, at a minimum, a senior management
representative, a senior human resources manager, a senior security manager, and a legal
representative who is familiar with labor and employment law and litigation. The role of the
team may be defined differently in different organizations. The simplest role is to
x take reports of workplace aggression, threats, stalking, or potential violence from

managers, supervisors, employees, and other parties,
x assess those reports,
x gather further information as necessary, and
x intervene as appropriate to maintain the safety of the organization.

WORKPLACE VIOLENCE
12.6 Incident Management Team and Resources
This simple structure can be successfully implemented by one team for a multinational
corporation or a single-location organization. Some larger enterprises have established
regional teams along with an enterprise-wide oversight team to facilitate consistency of
practice, communicate lessons learned, and provide support. Since this role of situation
assessment and intervention is similar to the role of crisis management teams, it may be
possible to assign an existing team to handle violence risk assessment or develop a subset of
the established team to take on that role.
Outside members of the team may be added as necessary to provide a higher level of
experience in the central aspects of the process, including the legal, behavioral assessment,
and security aspects. Operational support members might advise the IMT during the
development of certain portions of the incident plan or carry out instructions from the IMT
but do not normally serve on the IMT itself.
It is essential that the IMT be empowered to commit company assets and personnel to
resolve an incident. If the IMT must brief other manager to obtain a decision on employment
actions, deployment of personnel, or payment of costs, the assessment process will slow
down and the risk of an unsuccessful resolution will increase significantly. The following
organizational functions are typically represented on an IMT and among its resources:
x Incident management team (one member of which needs to be a senior management

representative)
— Human resources
— Company security
— Legal counsel
x Outside consulting resources
— Violence risk assessment professional
— Security and investigations professionals
— Additional legal support
x Operational support resources
— Employee assistance program (EAP)
— Public affairs, media relations, or corporate communications
— Records and benefits
— Personnel liaison
— Health services
— Facility services
— On-site contract security

WORKPLACE VIOLENCE
12.7 Violence Risk Assessment Process
12.7 VIOLENCE RISK ASSESSMENT PROCESS
12.7.1 NOTIFICATION
Notification can come from sources inside or outside the company. In either case, the
company needs policy, procedures, and training that direct reporting of inappropriate
precursor behaviors, incidents, or reports to a particular person or group in the company
that is responsible for initial intake of the report and initial assessment for immediate risk.
This means that after notification from any source, by any means (e.g., observation, e-mail,
postal mail, phone call, text message, fax, etc.), company operators, receptionists, managers,
supervisors, customer service representatives, and other employees will know that they should
pass that notification to the appropriate person or group immediately. Company receivers of
the notification may need to be available 24 hours a day, seven days a week, and be trained to
handle these notifications appropriately. Violence may escalate if management does not
respond to early warning signs.
12.7.2 ASSESSMENT
Several levels of assessment may occur after notification, depending on whether the
aggressor is known or unknown and the quantity and quality of the information provided in
the initial notification. If the aggressor’s identity is not known (because, for example, the
threatening communications were anonymous), a valid violence risk assessment cannot be
conducted. Some preliminary behavioral analysis can be done from the material presented,
but the validity of the violence risk assessment will be low. Valid violence risk assessments
require a depth of information available only for known subjects. This is one of the
differences between behavioral investigative analysis (profiling) and violence risk
assessment. Profiling is used to exclude people from an investigative pool of subjects so as to
conserve investigative resources, while violence risk assessment is focused on a particular
individual’s risk of committing a violent act. If the individual is unknown, investigations can
be conducted to determine who the person is, and organizational response to the actions of
the unknown aggressor will be driven by other policies or procedures. If the individual is
known, at least by name, further assessment can be initiated.
Known subject assessment can be broken down into three levels of assessment: initial,
threshold, and comprehensive. Each level of assessment is performed by one or more
members of the IMT and attempts to determine which resources and what level of resources
are appropriate. The first level, initial assessment, attempts to determine whether there is an
immediate risk of harm. If the initial assessment points to a significant possibility of
immediate harm, emergency procedures are activated until the situation is stable enough to
allow further, nonemergency actions.

WORKPLACE VIOLENCE
If the initial assessment suggests there is not a significant possibility of immediate harm,
then further assessment is conducted leading to a threshold assessment. This assessment
determines whether assessment should continue (based on the risk assessment thresholds
determined by the company) or whether the situation only requires monitoring.
If a predetermined threshold has been reached, additional information is gathered and a

comprehensive assessment is completed. This assessment uses additional information
sources, both inside and outside the company, and provides the basis for the design and
implementation of a non-immediate emergency resolution plan. Each of these three
assessments is discussed in more detail below.
Initial Assessment
When notification is made, the receiver of that information decides, based on company
criteria, whether the situation calls for an immediate emergency response. Certainly,
managers and supervisors should be taught to respond to immediate risks by notifying
community emergency resources. However, they do not always do so. Therefore, the initial
assessment must examine what has happened and what has been done, if anything, in
deciding whether to contact community emergency resources for help.
If the initial assessment leads to a decision to call for immediate community emergency
resources, then the person who received the notification must be able to make that call or
direct someone to do so. A company with multiple locations in various countries, regions,
states, or cities needs advance information on the quantity and quality of community emer-
gency resources, as well as contact information.
The next decision, based on the availability of the community emergency resources, may be
whether to evacuate the facility or in the case of a bomb threat, employees are best suited to
search the premises. A lot can happen in the time it takes for law enforcement officers to
15
respond. The company must consider whether locking down, sheltering in place, or
evacuating the facility would best protect employees and other occupants. For example,
when an aggressor has a firearm on the premises, a preferred strategy is a 360-degree
evacuation in which evacuees move away from the building and find shelter in other
buildings or out of sight of the building, preferably behind other objects (such as buildings or
trees). This approach minimizes pooling of potential victims the aggressor can shoot. If the
shooter is outside the building, then a lockdown might be appropriate. If the perimeter is
breached, then evacuation might be necessary. The use of a single, unchanging process, such
15
In this context, locking down means going into classrooms or other securable spaces and locking the door until help arrives.
Sheltering in place means finding any place that is immediately available to provide concealment and hiding there, hoping
that the person does not discover those who are hiding. Locking down occurs in securable space, while sheltering in place
does not.

WORKPLACE VIOLENCE
as locking students in classrooms regardless of the location of the shooter, does not work.
This is illustrated by both the 1999 Columbine High School shooting and the 2005 Red Lake
High School shooting in the United States. In those incidents, students were shot as they
huddled in the library (Columbine) or were locked in a classroom (Red Lake). As was learned
in the 101 California Street office shooting in San Francisco in 1993, “those that run live and
those that hide die” (Cawood, 2005).
Once a situation is stabilized, further assessment will most likely need to be done. If the
aggressor is not dead, further violence risk assessment needs to be conducted to determine
whether the individual or related individuals (e.g., spouse, family members, community
members, ideologically aligned individuals, etc.) pose a continued risk of harm to the
company and its personnel and guests. Some considerations in this regard might be whether
the aggressor is still in the community, could get bail, or has stated a desire to continue
attacking the target. This comprehensive violence risk assessment would be in done in
conjunction with efforts to manage trauma, conduct incident debriefings, and return
operations to normal. If the aggressor is dead, the company might still initiate trauma
management, incident debriefing, and post-incident assessment (what was known, when it
was known, and what was done about it) to help return the company to full operation and
manage such issues as publicity, lawsuits, and community questions.
Threshold Assessment
If the initial assessment suggests there is no significant possibility of immediate harm, then a
threshold assessment is conducted to determine whether, based on the violence risk assess-
ment thresholds determined by the company, the situation warrants further action or only
monitoring. This assessment can be conducted by the same person or persons who
conducted the initial assessment or could involve other trained IMT members. Including at
least two trained individuals at this level of assessment has some distinct advantages: the
workload is shared, multiple points of view are involved, and every case will be guaranteed to
have at least two people who know its details (in case one individual becomes unavailable).
The threshold assessment is driven by
x information obtained by interviewing key witnesses of behavior,

x review of easily obtainable, pertinent company records, and
x matches between the behavioral information learned from these sources and an
objective violence risk assessment tool adopted by the company.
If a predetermined threshold is reached, a comprehensive assessment is triggered. If that

threshold is not reached, appropriate individuals are notified to report any further behavior
of concern, and no further action might be taken at that time.

WORKPLACE VIOLENCE
Comprehensive Assessment
The comprehensive assessment uses the most detailed information and resources available
to thoroughly assess the potential violence risk. All legally obtainable information is gathered
and reviewed to determine the aggressor’s behavioral history and current stressors. Such
information usually includes the following:
x contacts with law enforcement

x civil and criminal court records
x other community records
x financial status
x medical information
x personal relationships, including family relationships and support structures
x use of alcohol or other substances that affect behavior
x ownership of, access to, and training in the use of weapons or explosives
x employment history
x foreseeable events that could increase stress
When determining what records to access and what individuals to interview, care must be
taken to determine how the aggressor might react if he or she learned of the assessment. It is
usually prudent to conceal the investigation if possible. If the potential reaction of the
aggressor supersedes the value of the information that might be obtained from a given
record or source (if the contact was prematurely disclosed), it might be better to postpone or
forgo the use of that source.
Placing this detailed information in chronological order makes it possible to analyze patterns
of past behavior from a cause-and-effect perspective. Seeing the behavioral choices the
aggressor made in response to certain events can provide an understanding of the range of
behavior the aggressor might choose in the future. In conjunction with the time line, the use
of a valid assessment tool can provide a more objective way to determine the current
violence potential of this aggressor compared to other aggressors that the tool has been
designed around. Some tools or assessment instruments have been developed for special
populations, and others have been used against a wider range of aggressors. For example, if
the aggressor was potentially attacking a spouse, the appropriate tool might be the Spousal
Assault Risk Assessment Guide (SARA, 1995). If the aggressor was going to attack a coworker
or community member, the appropriate tool might be the HCR-20 version 2, the Risk
Assessment Guideline Elements for Violence (RAGE-V), or the Assessment/Response Grids.
In most cases, after gathering detailed information, developing a behavioral chronology, and
using an assessment tool, a violence risk assessment is completed by assigning a value to the

WORKPLACE VIOLENCE
risk, such as low, moderate, or high. Based on the assigned level of violence risk and the
behavioral data gathered, an intervention and situational resolution plan is designed and
implemented.
12.7.3 INTERVENTION AND NONEMERGENCY SITUATIONAL RESOLUTION

The primary goal of intervention and resolution is the short-term and ideally long-term
safety of the identified target or targets. Intervention and situational resolution are meant to
divert or deflect the aggressor from acts of aggression or violence to more socially acceptable
behaviors in order to resolve his or her perceived need for control. In any intervention and
resolution strategy, the overriding consideration is, first, to do no harm to either the target or
the aggressor. That goal is accomplished when the aggressor willingly chooses to end the
behaviors of concern. Anything less than a willing choice is a less valuable solution, because,
with the exception of the death of the aggressor, a unwilling resolution is likely only
temporary. Therefore, interventions that involve restraining or protective orders, arrest, or
criminal or mental health incarcerations are only short-term, stabilizing interventions. If the
aggressor’s attitude toward the target is unchanged, these measures will eventually fail.
Intervention options can generally be classified as follows (Cawood, 2005):
x
16
interviews, including “knock and talks”
x administrative or disciplinary actions, including fitness for duty evaluations
x cease-and-desist requests (oral or written)
x no-trespass orders
x restraining or protective orders
x voluntary or involuntary mental health evaluations
x criminal case filing and prosecution
x probation and parole with close monitoring
The choice of an intervention type depends on the assessment of the aggressor’s probable
reaction to the intervention and whether the intervention has a probability of correcting the
aggressor’s perception of the target.
Any form of communication or interaction, whether direct or indirect (through other

parties), should be considered an intervention. For example, interviewing the aggressor not
only provides information about his or her perception, emotional and cognitive levels,
16
The term “knock and talk” refers to interviews that are conducted on the aggressor’s property or at places frequented by the
aggressor, rather than on property controlled by the target or persons related to the target.

WORKPLACE VIOLENCE
impulsivity, and boundaries but may also allow the interviewer and aggressor to reframe the
aggressor’s goals, pose and discuss alternative methods of behavior, discuss cause and effect,
discuss consequences, and find other means to solve the problem. Restraining and
protective orders create a boundary but only have real value if the target reports violations
and the orders are quickly enforced.
In many cases, the intervention starts with one technique but readies other techniques that
might be needed. For example, before the aggressor interview begins, the language and
affidavits for a restraining order might be drafted, a disciplinary warning or termination
package might be prepared, and law enforcement might be contacted (to determine what
crimes the behavior might constitute, how to make a criminal report, and what responses
law enforcement could provide).
12.7.4 MONITORING
Monitoring for new behavior is a critical and underappreciated part of the violence risk
assessment process. Monitoring creates the behavioral feedback loop that allows the
violence risk assessment to be updated, the value of the interventions to be tested, and final
resolution of the incident or situation to be determined. In any given case, the IMT can
establish passive monitoring or active monitoring. Passive monitoring relies on the target
and others who might witness new behavior to report that behavior to the IMT on a timely
basis. This is effective only in very low risk cases, in which a lapse in immediate reporting
would not lead to a significant risk of harm. An example would be a victim who has received
a single anonymous e-mail or voice mail saying, “I hate you and you’re going to pay.” If
further investigation finds no other cause for concern, a viable strategy would be to take a
“wait and see” approach and passively monitor the situation by asking the victim to report
any further contacts or disturbing events to the IMT.
Active monitoring means the assessor actively pursues new behavioral information rather
than passively waiting for a report. The more elevated the risk, the more often the contacts
are made. Active monitoring is the best option for a moderate-to high-risk situation or one in
which the target or witnesses cannot be relied on to report new behavior. This lack of
reporting reliability could be due to shock, denial, rationalization, minimization, or other
psychological defense mechanisms; fear of retaliation or retribution; or a misperception of
the target’s ability to handle the situation without help. Regardless of the reason, the
information is actively pursued. An example of this might be a domestic violence risk where
the target, at work, receives threatening calls in which the aggressor says he or she will make
the target pay and threatens to come to the workplace to confront the target. In an interview,
the target says the aggressor is not a threat and expects that nothing will happen, but
investigation reveals that the aggressor has a history of perpetrating domestic violence

WORKPLACE VIOLENCE
against the target and prior partners, including confrontations in a prior partner’s workplace.
In this case, the target may conceal or play down any contact from the aggressor (because of
embarrassment, concern about keeping his or her job, or a belief that he or she is safe) and
might not be a reliable source of information on new interactions. In this case, the IMT might
locate workers who could witness new contacts from the aggressor and could be relied on to
report the contacts. The IMT might also check with them several times a day to see if new
contacts occurred. If new contacts are reported, the IMT could contact the target and ask for
an update. If the target denies an interaction, the IMT could attempt to lower the target’s
resistance to providing the information. The frequency of the active monitoring could be
increased or decreased depending on the level of current assessed risk of imminent violence.
12.7.5 REVIEW AND DEBRIEFING

Incident review occurs on an ongoing basis as new behavioral information is learned from all
sources. This ongoing cycle of reassessment, review of intervention options, implementation
of intervention options, and monitoring for new behavioral cues continues until the
situation is considered resolved by IMT standards. Review can be used continuously to fine-
tune operational and tactical processes to provide the greatest safety.
Debriefing incidents and gleaning lessons learned is a critical part of incident management
and process improvement. It allows for a strategy-level look at how a particular incident
might affect process improvement on a larger scale. Some companies conduct short incident
debriefings after the initial round of assessment and intervention and then conduct monthly,
quarterly, semiannual, or annual debriefings to provide updates on specific cases and
discuss possible process improvements.
Incident reviews, debriefings, or a blend of both can allow for continuous improvement in
the management of a particular case and the overall process.

WORKPLACE VIOLENCE
12.8 Future of Workplace Violence
12.8 FUTURE OF WORKPLACE VIOLENCE

Improvements in assessment, intervention, and monitoring are leading to a greater under-
standing of the behavioral cues that signal impending violent behavior. In addition, the
psychological research literature available on workplace violence has mushroomed in the
last decade. Alliant University in the United States is attempting to develop an accredited
forensic psychology program with a specialization in workplace violence. Such a program
will most likely be followed by others that reflect the same type of specialization seen in
business degree programs with a security focus. New tools, including more accurate
computerized behavioral assessment programs, also seem likely in the future.
Regarding intervention, new methodologies and laws may provide more tools to divert
aggressors in specific cases. Austria and Germany have recently passed new stalking laws and
are looking to use them to protect their citizens from behaviors that have not been managed
legally before.
Regarding monitoring, global positioning system (GPS) technology is being used in the
criminal justice system to manage offenders (via, for example, ankle bracelets). Functional
magnetic resonance imaging (fMRI) is currently being explored for use in mapping brain
17
function to detect deception in individuals. In the future, this technology, coupled with
research on aggression and violent behavior, might lead to the ability to monitor aggressors’
neuron changes that would signal their immediate intent to cause physical harm. This and
other technological improvements, along with new methodologies to encourage and support
victim and witness participation in the process of behavioral monitoring, may lead to
significant improvements in the safety of individuals, communities, and nations.
17
See www.cephoscorp.com for information on the work of Cephos Corporation with the Medical University of South Carolina.

WORKPLACE VIOLENCE
Appendix A: Model Policy for Workplace Violence
APPENDIX A
MODEL POLICY FOR WORKPLACE VIOLENCE
Nothing is more important to [YOUR COMPANY NAME] than the safety and security of its
personnel; therefore violence against employees, visitors, guests, or other individuals by anyone
on [YOUR COMPANY NAME] property will not be tolerated.
Any person who makes threats, exhibits threatening behavior, or engages in intimidating,
threatening, or violent acts on [YOUR COMPANY NAME] property should be removed from the
premises as quickly as safety permits, and should remain off [YOUR COMPANY NAME] premises
pending the outcome of an investigation into the incident(s). Should the investigation substantiate
that violations of this policy have occurred, [YOUR COMPANY NAME] will follow through with the
implementation of a decisive and appropriate response. This response may include, but is not
limited to, suspension and/or termination of any business relationship, reassignment of job duties,
suspension or termination of employment, and/or seeking arrest and prosecution of the person or
persons involved.
In carrying out all [YOUR COMPANY NAME] policies, it is essential that all personnel understand
that no existing [YOUR COMPANY NAME] policy, practice, or procedure should prohibit decisions
designed to prevent a threat from being carried out, a violent act from occurring, or a life-
threatening situation from developing.
An essential element in this policy is that all personnel are responsible for notifying the below-
designated management representative (DMR) of any threats or perceived threats which they have
witnessed, received, or have been told that another person has witnessed or received. They should
also alert this representative to any behavior they have witnessed which they regard as
intimidating, threatening, or violent when that behavior is job-related or the employee has a belief
that the behavior of concern might be, or could be, carried out on a company-controlled site or is
connected to company business. Employees are responsible for making this report regardless of
the nature of the relationship between the individual who initiated the threat(s) or behavior(s) of
concern and the person or persons who were threatened or were the focus of the threatening or
violent behavior(s).
This policy also requires all individuals who apply for or obtain a protective or restraining order,
which lists company locations as being protected areas, to provide a copy of the petition and
declarations used to seek the protective or restraining order, a copy of any temporary protective or
restraining order which is granted, and a copy of any protective or restraining order which is made
permanent to the same below-listed designated management representative. [YOUR COMPANY
NAME] has an obligation to provide a safe workplace and protect employees from threats to their

WORKPLACE VIOLENCE
Appendix A: Model Policy for Workplace Violence
safety and that cannot be effectively accomplished unless [YOUR COMPANY NAME] is provided
information concerning individuals who have been told by the courts, or other legally constituted
entities, to maintain a distance from [YOUR COMPANY NAME] company locations.
[YOUR COMPANY NAME] understands the sensitivity of this information and has developed
procedures for it to be received, maintained, and acted on, which recognize the privacy of the
reporting employee(s).
The designated management representative is:
Name:
Position:
Telephone:
E-Mail:
Office Mail:

WORKPLACE VIOLENCE
REFERENCES
Allman v. Dormer Tools, Inc. (1999). N.C. Super. Ct., No. 97CVS1161.
Anderson, T. (2002, October). Laying down the law: A review of trends in liability lawsuits. Security
Management.
Anderson, T. (2002, October). Laying down the law: A review of trends in liability lawsuits. Security
Management [Online]. Available: http://www.securitymanagement.com [2006, April 17].
Bureau of Labor Statistics. (1997–2002). Census of fatal occupational injuries. Washington, DC: U.S.
Department of Labor.
Calhoun, F.S. & Weston, S.W. (2003). Contemporary threat management: A practical guide for
identifying, assessing and managing individuals of violent intent. San Diego, CA: Specialized
Training Services.
Cawood, J., CPP, PCI, PSP. (2005, May 17). Speech at ASIS International Advanced Protection
Course II on violence risk assessment and management.
Civil Action 01-CV-4277 (2001, August 22). U.S.D.C., E.D. Pa.
Clark v. Pangan. (2000). 2000 UT 37, 998 P.2d 268, case number 981694, decided 4/7/2000, Utah
Supreme Court.
Corcoran, M., & Cawood, J. (2003). Violence assessment and intervention: The assessor’s handbook.
Boca Raton, FL: CRC Press.
Grossman, D. (1996). On killing: The psychological cost of learning to kill in war and society.
Boston: Back Bay Books.
Grove, W. M., & Meehl, P. E. (1996). Comparative efficiency of informal (subjective, impression-
istic) and formal (mechanical, algorithmic) prediction procedures: The clinical-statistical
controversy. Psychology, Public Policy, and Law, 2, No. 2, 293–323.
Hare, R. D. (1993). Without conscience: The disturbing world of the psychopaths among us. New York:
Pocket Books.
Herrick v. Quality Inn Hotel, 24 Cal. Rptr. 2d 203 (Cal. App. 2 Dist. 1993).
Meloy, J. R., et al. (1997). Domestic protection orders and the prediction of subsequent criminality
and violence toward protectees. Journal of Psychotherapy, 34, No. 447.

WORKPLACE VIOLENCE
Mossman, D. (1994). Assessing predictions of violence: Being accurate about accuracy. Journal of
Consulting and Clinical Psychology, 62, No. 4, 783–792.
National Institute of Justice. (1996). Victim costs and consequences: A new look. NCJ 155282.
Washington, DC: Author.
Northwestern National Life Insurance Company. (1993). Fear and violence in the workplace.
Minneapolis, Minnesota: Author.
nd
Smith v. National Railroad Passenger Corporation (Amtrak), 856 F. 2d 467, 2 Cir. 1988.
Tepel v. Equitable Life Assurance Society. (1990). San Francisco, California, Superior Court Case
No. 801363.
U.S. Merit Systems Protection Board. (2003). The federal selection interview: Unrealized potential.
Washington, DC: Author.
ADDITIONAL READING
Barish, R. (2001). Legislation and regulations addressing workplace violence in the United States
and British Columbia. American Journal of Preventive Medicine, 20, 149–154.
Barling, J. (1996). The predication, experiences, and consequences of workplace violence. In G. R.

VandenBos & E. Q. Bulatao (Eds.), Violence on the job: Identifying risks and developing solutions
(pp. 29–49). Washington, DC: American Psychological Association.
Baron, R. A., & Neuman, J. H. (1996). Workplace violence and workplace aggression: Evidence on
their relative frequency and potential causes. Aggressive Behavior, 22, 161–173.
Bennett, J. B., & Lehman, W. E. K. (1996). Alcohol, antagonism, and witnessing violence in the
workplace: Drinking climates and social alienation-integration. In G. R. VandenBos & E. Q.
Bulatao (Eds.), Violence on the job: Identifying risks and developing solutions (pp. 105–152).
Washington, DC: American Psychological Association.
Bies, R. J., Tripp, T. M., & Kramer, R. M. (1997). At the breaking point: Cognitive and social dynamics
of revenge in organizations. In R. A. Giacalone & J. Greenberg (Eds.), Antisocial behavior in
organizations (pp. 18–36). London: Sage Publications.
Björkqvist, K., Österman, K., & Hjelt-Ba¨ck, M. (1994). Aggression among university employees.
Aggressive Behavior, 20, 173–184.

WORKPLACE VIOLENCE
Bolton, R. (1979). Differential aggressiveness and litigiousness: Social support and social status
hypotheses. Aggressive Behavior, 5, 233–255.
Borum, R., Fein, R., Vossekuil, B., and Berglund, J. (1999). Threat assessment: Defining an
approach for evaluating risk of targeted violence. Behavioral Sciences and the Law, 17, 323–337.
Boye, M. W., & Jones, J. W. (1997). Organizational culture and employee counterproductivity. In R.
A. Giacalone & J. Greenberg (Eds.), Antisocial behavior in organizations (pp. 172–184). London:
Sage Publications.
Calhoun, F. S. (1996). Hunters and howlers. Washington, DC: United States Marshals Service.
Calhoun, F. S., & Weston, S. W. (2000). Defusing the risk to judicial officials. Alexandria, VA: Nation-
al Sheriff’s Association.
Carll, E. K. (1999). Workplace and community violence. In E. K. Carll (Ed.), Violence in our lives (pp.
3–4). Boston: Allyn and Bacon.
Cole, L., Grubb, P. L., Sauter, S. L., Swanson, N. G., & Lawless, P. (1997). Psychosocial correlates of
harassment, threats and fear of violence in the workplace. Scandinavian Journal of Work,
Environment & Health, 23, 450–457.
Cornell, D. G., Warren, J., Hawk, G., & Stafford, E. (1996). Psychopathy in instrumental and reactive
violent offenders. Journal of Consulting and Clinical Psychology, 64(4), pp. 783–790.
Davis, R. C., & Smith, B. (1995). Domestic violence reforms: Empty promises or fulfilled expectations?
Crime and Delinquency, 41, 541–552.
Davis, R. C., Smith, B. E., & Nickles, L. B. (1998). The deterrent effect of prosecuting domestic
violence misdemeanors. Crime & Delinquency, 44, 434–442.
Dolan, M., & Doyle, M. (2000). Violence risk prediction: Clinical and actuarial measures and the role
of psychopathy checklist. British Journal of Psychiatry, 177, 303–311.
Douglas, S. C., & Martinko, M. J. (2001). Exploring the role of individual differences in the predict-
ion of workplace aggression. Journal of Applied Psychology, 86, 547–559.
Ekman, P. (2003). Emotions revealed: Recognizing faces and feelings to improve communication
and, emotional life. New York: Henry Holt.
Farrington, D. P. (1994). The causes and prevention of offending, with special reference to
violence. In J. Shepherd (Ed.), Violence in health care: A practical guide to coping with violence
and caring for victims (pp. 149–180). New York: Oxford University Press.

WORKPLACE VIOLENCE
Folger, R., & Baron, R. A. (1996). Violence and hostility at work: A model of reactions to perceived
injustice. In G. R. VandenBos, & E. Q. Bulatao (Eds.), Violence on the job: Identifying risks and
developing solutions (pp. 51–85). Washington, DC: American Psychological Association.
Gall, T. L., Lucas, D. M., Kratcoski, P. C., & Kratcoski, L. D. (Eds.). (1996). Statistics on weapons and
violence. New York: Gale Research.
Goleman, D. (1995). Emotional Intelligence. New York: Bantam Books.
Greenberg, L., & Barling, J. (1999). Predicting employee aggression against coworkers, subordinates
and supervisors: The roles of person behaviors and perceived workplace factors. Journal of
Organizational Behavior, 20, 897–913.
Harris, G. T., Rice, M. E., & Cormier, C. A. (1991). Psychopathy and violent recidivism. Law and
Human Behavior, 15, 625–637.
HCR-20, version 2. Burnaby, Canada: Mental Health, Law, and Policy Institute, Simon Fraser
University.
Hurrell, J. J., Worthington, K. A., & Driscoll, R. J. (1996). Job stress, danger and workplace violence:
Analysis of assault experiences of state employees. In G. R. VandenBos & E. Q. Bulatao (Eds.),
Violence on the job: Identifying risks and developing solutions (pp. 163–170). Washington, DC:
American Psychological Association.
Kaplan, S. G., & Wheeler, E. G. (1983). Survival skills for working with potentially violent clients.
Social Casework, 64, 339–346.
Kroner, D. G., & Mills, J. F. (2001). The accuracy of five risk appraisal instruments in predicting
institutional misconduct and new convictions. Criminal Justice and Behavior, 28, 471–489.
Labig, C. E. (1995). Preventing violence in the workplace. New York: American Management Assoc-
iation.
Lewis, G. W., & Zare, N. C. (1999). Workplace hostility: Myth and reality. Philadelphia: Accelerated
Development.
Maggio, M. J. (1996). Keeping the workplace safe: A challenge for managers. Federal Probation, 60,
67–71.
Maiuro, R. D., Vitaliano, P. P., & Cahn, T. S. (1987). A brief measure for assessment of anger and
aggression. Journal of Interpersonal Violence, 2, 166–178.

WORKPLACE VIOLENCE
McClure, L. F. (1996). Risky business: Managing employee violence in the workplace. New York:
The Haworth Press.
Mehrabian, A., & Epstein, N. (1972). A measure of emotional empathy. Journal of Personality, 40,
525–543.
Meloy, J. R. (Ed.). (1998). The psychology of stalking: Clinical and forensic perspectives. Burlington,
MA: Academic Press.
Meloy, J. R. (2000). Violence risk and threat assessment: A practical guide for mental health and
criminal justice professionals. San Diego, CA: Specialized Training Services.
Meloy, J. R., Cowett, P. Y., Parker, S. B., Hofland, B., & Friedland, A. (1997). Domestic protection
orders and the prediction of subsequent criminality and violence toward protectees. Psycho-
therapy: Theory, Research, Practice, Training, 34, 447–458.
Miller, M. J. (2001). The prediction and assessment of violence in the workplace: A critical review
(Doctoral dissertation, United States International University, 2001). Dissertation Abstracts
International, 62, 2070.
Mohandie, K. (2000). School violence threat management. San Diego, CA: Specialized Training
Services.
Monahan, J., Steadman, H., Robbins, P., Appelbaum, P., Banks, S., et al. (2005). An actuarial model
of violence risk assessment for persons with mental disorders. Psychiatric Services, 56, 810–815.
Monahan, J. (1981). Predicting violent behavior: An assessment of clinical techniques. London: Sage
Publications.
Monahan, J., & Steadman, H. (2001). Rethinking risk assessment: The MacArthur study of mental
disorder and violence. New York: Oxford University Press.
Moos, R. H. (1988). Psychosocial factors in the workplace. In S. Fisher & J. Reason (Eds.), Handbook
of life stress, cognition and health (pp. 193–209). New York: John Wiley and Sons.
National Institute for Occupational Safety and Health. (2001). Fatal injuries to civilian workers in
the United States, 1980–1995: National profile (p. 16, Table US-7). Washington, DC: Department
of Health and Human Services.
Neuman, J. H., & Baron, R. A. (1997). Aggression in the workplace. In R. A. Giacalone & J. Greenberg
(Eds.), Antisocial behavior in organizations (pp. 37–67). London: Sage Publications.

WORKPLACE VIOLENCE
Neuman, J. H., & Baron, R. A. (1998). Workplace violence and workplace aggression: Evidence
concerning specific forms, potential causes, and preferred targets. Journal of Management, 24,
391–419.
Peek-Asa, C., Runyan, C. W., & Zwerling, C. (2001). The role of surveillance and evaluation research
in the reduction of violence against workers. American Journal of Preventive Medicine, 20, 141–
148.
Roehl, J., O’Sullivan, C., Webster, D., & Campbell, J. (2005, May). Intimate partner violence risk
assessment validation study: Final report (NCJRS 209731). Washington, DC: U.S. Department of
Justice.
Roehl, J., O’Sullivan, C., Webster, D., & Campbell, J. (2005, May). Intimate partner violence risk
assessment validation study: The RAVE study assessor summary and recommendations:
Validation of tools for assessing risk from violent intimate partners (NCJRS 209732). Wash-
ington, DC: U.S. Department of Justice.
Slora, K. B., Joy, D. S., Jones, J. W., & Terris, W. (1991). The prediction of on-the-job violence. In J.
W. Jones (Ed.), Preemployment honesty testing: Current research and future directions. Westport,
CT: Quorum Books.
Slora, K. B., Joy, D. S., & Terris, W. (1991). Personnel selection to control employee violence.
Journal of Business and Psychology, 3, 417–426.
Spector, P. E. (1997). The role of frustration in antisocial behavior at work. In R. A. Giacalone & J.
Greenberg (Eds.), Antisocial behavior in organizations (pp. 1–17). London: Sage Publications.
nd
SARA: Spousal assault risk assessment guide, 2 edition. (1995). Vancouver, Canada: British
Columbia Institute on Family Violence.
Thistlethwaite, A., Wooldredge, J., & Gibbs, D. (1998). Severity of dispositions and domestic
violence recidivism. Crime and Delinquency, 44, 388–398.
Tobin, T. J. (2001). Organizational determinants of violence in the workplace. Aggression & Violent
Behavior, 6, 91–102.
Trafford, C., Gallichio, E., & Jones, P. (1995). Managing violence in the workplace. In P. Cotton
(Ed.), Psychological health in the workplace: Understanding and managing occupational stress
(pp. 147–158). Brisbane, Australia: Australian Psychological Society.
Turner, J. T., & Gelles, M.G. (2003). Threat assessment: A risk management approach. Binghamton,
NY: The Haworth Press.

WORKPLACE VIOLENCE
Waters, J. A., Lynn, R. I., & Morgan, K. J. (2002). Workplace violence: Prevention and intervention,
theory and practice. In L. A. Rapp-Paglicci, A. R. Roberts, & J. S. Wodarski (Eds.), Handbook of
violence (pp. 378–413). New York: John Wiley and Sons.
Weber, R. (1995). Suicide prevention at the workplace. In P. Cotton (Ed.), Psychological health in
the workplace: Understanding and managing occupational stress (pp. 171–182). Brisbane,
Australia: Australian Psychological Society.
White, S., and Cawood, J. Assessment/response grids.
White, T. W. (1996). Research, practice, and legal issues regarding workplace violence: A note of
caution. In G. R. VandenBos & E. Q. Bulatao (Eds.), Violence on the job: Identifying risks and
developing solutions (pp. 87–100). Washington, DC: American Psychological Association.
Wilkinson, C. W. (2001). Violence prevention at work: A business perspective. American Journal of

Preventive Medicine, 20, 155–160.
Williams, K. R., & Hawkins, R. (1989). Controlling male aggression in intimate relationships. Law
and Society Review, 23, 591–612.
Wodarski, J. S., & Dulmus, C. N. (2002). Preventing workplace violence. In L. A. Rapp-Paglicci, A. R.

Roberts, & J. S. Wodarski (Eds.), Handbook of violence (pp. 349–377). New York: John Wiley and
Sons.

INDEX
9/11, security reaction to, 68, 83, 185, 187 consultants, 85, 227
controls, financial, 30, 172
convergence (of traditional and IT security), 66, 83
A
corporate structure, 5, 11
addiction. See substance abuse cost avoidance, 114, 117, 119, 130
aerospace sector, 75 cost reduction, 113
alcohol. See substance abuse cost-effectiveness, 47, 93, 107, 112, 202, 294
American National Standards Institute, 37, 40, 48, crime analysis, 232, 246
81 crime prevention, 82, 86, 91, 179, 189, 192, 198,
Americans with Disabilities Act, 333, 336, 348, 362 205
armoring, vehicle, 273, 279, 286 crime prevention through environmental design
assassination, 268, 273, 274, 284 (CPTED), 78, 83, 232
assets protection, forces shaping, 76 crime, fear of, 182, 191, 193, 194
assets protection, management of, 84 culture, of organization, 5, 44, 71, 78, 85, 298, 333
assets, types of, 65 customers (of security professionals), 85
ASTM International, 36, 81
awareness, security, 58, 72, 74, 83, 92, 109, 138,
152, 291, 300, 348
D
data analysis, 112, 119
Deutsches Institut für Normung, 37
B
Drug Enforcement Administration, 295, 313
background investigation, 114, 128 Drug Free Workplace Act, 348
balance sheet, 15, 17, 19, 23, 26 drug testing, 327, 333, 335, 343, 352
behavioral science, 89, 91 drugs. See substance abuse
benchmark, 24, 35, 44, 52 due diligence, 102, 227, 230
briefings. See security awareness
budgets, 10, 13, 27, 30, 68, 109, 113, 237
business improvement district/special taxing district,
E
190, 201, 210 earnings, 17, 24
business processes, 2, 133 educational sector, 72
employee assistance program (EAP), 323, 327, 331,
332, 344, 362
C
employee performance measurement and review, 6,
cash flow statement, 20 9, 297, 326, 328, 330
certifications, 6, 40, 49, 56, 65, 82 employees' role in security. See security awareness
community policing, 189, 192, 209, 212, 217 executive protection, 267
conflict of interest, 255 expert witness, 230

F International Organization for Standardization, 37,
38, 79, 81
false/nuisance alarms, 109, 110, 188 investigation, 30, 66, 82, 112, 119, 148, 152, 328,
Family and Medical Leave Act, 8, 349 370
fast food sector, 2, 74 ISO 9000, 40, 47
financial analysis, 13, 21
financial statements, 15, 26, 148
J
financial strategy, 14, 30
firearms, 203, 208, 286, 368 Japanese Industrial Standards Committee, 37
fraud, 26, 54, 97, 119, 137, 315. See also theft
fraud prevention, 74, 137
K
fraud, elements of, 146
kidnapping, 268, 269, 274, 276, 295
knowledge management, 10
G
Global Standards Initiative, ASIS, 48, 56
L
globalization, 63, 78
guidelines, ASIS, 48, 50, 242. See also Global Law Enforcement Liaison Council (ASIS), 183
Standards Initiative law enforcement/private security partnerships, 68,
guns. See firearms 91, 177
legislation, 69, 148, 347
liability, 69, 94, 96, 193, 296, 341
H
licensing, 79, 82, 197, 205, 215, 234
health care sector, 71, 82
hiring. See staffing
M
homeland security, 36, 50, 55, 83, 186, 213
homicide. See workplace violence management, administrative, 1
hot lines, employee, 74, 144, 328 management, financial, 13
human resources, 5, 6, 52, 326, 344 management, organizational, 3, 56, 85, 129
management, personnel, 91, 300
metrics, 1, 3, 9, 59, 111, 299
I
mission, 5, 85, 300
incident management, 91, 365
incident reporting/data capture, 11, 110, 116, 122,
131, 328 N
income statement, 15, 29 National Fire Protection Association, 36, 40, 79, 81
inspection (search), 144, 201, 212, 280, 282, 350,
368
insurance, 29, 80, 93, 119, 231 O
internal theft. See theft by employees
objectives, 5, 43, 58, 86, 116, 242, 294

order maintenance, 182, 191, 202, 212, 218 S
organization (of security within enterprise), 85, 87,
91 Sarbanes-Oxley Act, 26, 69, 148, 329
Organizational Resilience Standard, 43, 51, 56 search. See inspection (search)
organizational strategy, 3, 9 security advisory committee, 231, 240
security awareness. See awareness, security
staffing, 6, 87, 91
P standards development, 34, 36, 39, 41, 49, 55
performance indicators. See metrics standards, ASIS. See Global Standards Initiative,
ASIS
plan-do-check-act cycle, 43, 46, 51
standards, management systems, 42, 47
policies and procedures, 6, 8, 68, 87, 145, 229, 295,
301, 334, 361 standards, security, 44, 48, 53, 205, 215
policing, private. See public environments, private strategic plan. See organizational strategy
security in substance abuse, 140, 305
policing, public, 178, 185, 194, 198
predictive modeling, 128, 214
T
principles (of business administration), 1, 5, 13, 85,
87 technology, 76, 271
Private Sector Liaison Committee (IACP), 183 telecommunications sector, 74
Private Security Services Council (ASIS), 183 theft, 119, 123, 137, 206, 311. See also fraud
privatization. See public environments, private theft by employees, 138, 141, 142, 171
security in
threats, uttered by potential attackers, 52, 269, 360,
profit margins, 14, 22, 139 361, 364, 375
profitability ratios, 22, 24, 109 training, 9, 51, 58, 82, 92, 110, 202, 216, 268, 334
public environments, private security in, 190, 196, travel and transportation, 112, 261, 270, 279, 285
204
public/private partnerships. See law
enforcement/private security partnerships UV
vision, 5, 86, 87
Q Vocational Rehabilitation Act, 347
quality management, 10, 33, 40, 43, 47, 52, 86
W
R workplace violence, 50, 52, 358
return on investment, 28, 109, 110
risk assessment, 35, 51, 53, 58, 242, 270, 274, XYZ
358, 360, 367
risk management, 53, 57, 69, 93, 270 zero-based budgeting, 27, See also budgets
risk ratios, 25

CPP Security Management

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CPP Security Management

Uploaded by

Copyright:

Available Formats

PROTECTION

ASIS International | 1625 Prince Street | Alexandria, VA 22314 USA | www.asisonline.org

Printed in the United States of America.

Timothy J. Walsh, CPP Richard J. Healy, CPP

Timothy L. Williams, CPP

David G. Aggleton, CPP

Michael E. Knoke, CPP

Eva Giercuszkiewicz, MLS, Project Manager

OBJECTIVES OF PROTECTION OF ASSETS

Protection of Assets Copyright © 2012 by ASIS International v

Michael E. Knoke, CPP

vi Protection of Assets Copyright © 2012 by ASIS International

Teresa M. Abrahamsohn, CPP Lucien G. Canton, CPP Donald J. Fergus

Protection of Assets Copyright © 2012 by ASIS International vii

viii Protection of Assets Copyright © 2012 by ASIS International

Chapter 1. ADMINISTRATIVE MANAGEMENT PRINCIPLES . . . . . . . . . . . . . . . . . . . . . . . . 1

Chapter 2. FINANCIAL MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Chapter 3. STANDARDS IN SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Protection of Assets Copyright © 2012 by ASIS International ix

Chapter 4. INTRODUCTION TO ASSETS PROTECTION . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Chapter 5. COST-EFFECTIVENESS AND LOSS REPORTING . . . . . . . . . . . . . . . . . . . . . . 107

x Protection of Assets Copyright © 2012 by ASIS International

Chapter 6. THEFT AND FRAUD PREVENTION IN THE WORKPLACE . . . . . . . . . . . . . . . . . 137

Protection of Assets Copyright © 2012 by ASIS International xi

Chapter 8. CONSULTANTS AS A PROTECTION RESOURCE . . . . . . . . . . . . . . . . . . . . . . 227

xii Protection of Assets Copyright © 2012 by ASIS International

Chapter 9. EXECUTIVE PROTECTION IN THE CORPORATE ENVIRONMENT . . . . . . . . . . . . . 267

Chapter 10. SECURITY AWARENESS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Protection of Assets Copyright © 2012 by ASIS International xiii

xiv Protection of Assets Copyright © 2012 by ASIS International

Chapter 12. ADDRESSING WORKPLACE VIOLENCE THROUGH

Protection of Assets Copyright © 2012 by ASIS International xv

2-1 Income Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

3-1 Plan-Do-Check-Act Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

4-1 Examples of Organizational Assets by Type . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

5-1 Return on Investment (ROI) Formula . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

6-1 Financial Impact of Theft or Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

7-1 Provision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

12-1 U.S. Fatal Occupational Injuries by Event or Exposure, 1994-2009. . . . . . . . . . . . . 359

xvi Protection of Assets Copyright © 2012 by ASIS International

Protection of Assets Copyright © 2012 by ASIS International 1

Two hypothetical food service businesses illustrate these themes:

Expensive Italian restaurant. A famous chef opened a high-end restaurant to serve

Inexpensive quick-service restaurant. Several blocks closer to the downtown offices,

Both businesses can be considered successful because their management-defined business

2 Protection of Assets Copyright © 2012 by ASIS International

The following example teaches the same lesson differently:

Paper products company. The executive committee at a paper products company

1.2 ORGANIZATIONAL STRATEGY

Defining an organization’s overall strategic purpose is essential for developing company-

Protection of Assets Copyright © 2012 by ASIS International 3

In developing an organizational strategy, it is helpful to ask such questions as the following:

x Who will sell the products: the company, wholesalers, retailers?

x What quality of product or service will be provided?

1.2.1 DEVELOPING THE STRATEGY

4 Protection of Assets Copyright © 2012 by ASIS International

1.2.2 COMMUNICATING THE STRATEGY

1.3 PRINCIPLES OF BUSINESS ADMINISTRATION

Protection of Assets Copyright © 2012 by ASIS International 5

1.3.1 HUMAN RESOURCE MANAGEMENT

The following are examples of direct requirements:

x certifications, such as technical or driving certifications

x knowledge of computer applications, such as Microsoft Word or Excel

6 Protection of Assets Copyright © 2012 by ASIS International