Professional Documents
Culture Documents
OF ASSETS
SECURITY MANAGEMENT
PROTECTION
OF ASSETS
SECURITY MANAGEMENT
PROTECTION
OF ASSETS
SECURITY MANAGEMENT
ISBN 978-1-934904-25-1
Protection of Assets is furnished with the understanding that the publisher is not engaged in
rendering legal, accounting, or other professional services. It is designed as a ready reference and
guide to the covered subjects. While every effort has been made to ensure accuracy of contents
herein, it is not an official publication and the publisher can assume no responsibility for errors or
omissions.
All rights reserved. No part of this publication may be reproduced, translated into another
language, stored in a retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise without the prior written consent of the
copyright owner.
10 9 8 7 6 5 4 3 2 1
ACKNOWLEDGMENTS
ASIS International (ASIS), the world’s leading society for security professionals, originally founded
in 1955 as the American Society for Industrial Security, acquired Protection of Assets in December
2003. The acquisition of this work underscores the Society’s leadership role in professional
education. It is the sincere desire of ASIS and its editorial staff to continue to enhance the value of
this important reference.
Protection of Assets, which has been in existence since 1974, is recognized as the premier reference
for security professionals and the publisher wishes to acknowledge the two founding authors and
subsequent editors.
Editorial Associates
As we move forward, confronted with issues that present a challenge to the security industry, our
mission is to ensure that Protection of Assets provides the strategic solutions necessary to help
st
professionals meet the demands of the 21 century and beyond. We also pledge to assemble a
group of subject matter experts who will enhance this reference as necessary to achieve our
mission.
The need for such a comprehensive resource is quite widespread according to the editors, writers,
and many professional colleagues whose advice has been sought in compiling this text. The
growing size and frequency of all forms of asset losses, coupled with the related increasing cost
and complexity of countermeasures selection, demand a systematic and unified presentation of
protection doctrine in all relevant areas, as well as standards and specifications as they are issued.
Of course, it would be presumptuous to assume that any small group of authors could present
such material unaided. It is, therefore, a fundamental objective of Protection of Assets to draw upon
as large a qualified source base as can be developed. The writers, peer reviewers, and editors
attempt to distill from the available data, common or recurrent characteristics, trends, and other
factors, which identify or signal valid protection strategies. The objective is to provide a source
document where information on any protection problem can be obtained.
DIALOGUE
We hope that Protection of Assets becomes an important source of professional insight for those
who read it and that it stimulates serious dialogue between and among security professionals. Any
reader who is grappling with an unusual, novel, or difficult security problem and would appreciate
the opinions of others is encouraged to write a succinct statement describing the problem and
send it to us at ASIS [protectionofassets@asisonline.org]. At the reader’s request his identity will
not be disclosed, but the problem will be published with invitations for comment. Readers are also
encouraged to communicate agreement or disagreement with strategies or applications recom-
mended in POA and to suggest alternatives. We reserve the right to publish or refrain from
publishing submitted material. The editors also solicit statements of reader opinion on matters of
asset protection policy in which a cross-sectional view would be helpful.
SUPPLEMENTAL TRAINING
Readers with supervisory or management responsibility for other security and asset protection
personnel will find POA to be a useful resource from which to assign required readings. Such
readings could be elements of a formal training syllabus and could be assigned as part of related
course sessions.
With all these objectives in mind, we present to you Protection of Assets, in the sincere belief it will
enhance your expertise in the security field.
It is with sincere appreciation that I wish to thank the below-named individuals who contributed
to Protection of Assets.
PREFACE
CONTRIBUTORS
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
1.1 OVERVIEW
Security managers are, as the name suggests, both security specialists and business
managers. Most of Protection of Assets focuses on security-specific issues. However, to serve
their organizations effectively, security managers must also understand business principles.
With that knowledge, they can organize their efforts in a way that best supports the overall
vision and mission of their organization. Without that knowledge, they may focus on security
as an end in itself. Security managers who understand business are best positioned to
collaborate with top management and to turn their departments into valuable corporate
resources that support organizational success. Effective security managers are those that are
recognized within their organization as business partners.
In any business, people work and interact to produce a product, service, or both. This
interaction leverages the labor of individuals to enable the business to realize a net profit that
supports investors, managers, customers, and employees.
At some point a business must determine the type of product or service to sell and how to
develop, deliver, and finance that output. To manage this process successfully, managers
and owners must employ practices that support the goals of their business. They must also
develop metrics that define success and support business decisions. Ultimately these
practices aim to define business success not only in the near term, but also over the life of the
business through quantifiable metrics.
Which of the two restaurants is more successful? The Italian restaurant earns more profit per
plate of food than the fast food restaurant, yet the fast food restaurant can serve significantly
more customers. The success of each restaurant is determined by its management practices
and expectations. The management of the Italian restaurant wants the establishment to be a
premium dining facility serving customers looking for a high-end product. The fast food
restaurant, on the other hand, is focused on people who are busy and need a quick,
inexpensive bite to eat.
Clearly, a business must understand its purpose and create management practices that
support it. To define the business purpose, management typically writes a business strategy.
To implement that strategy, management develops appropriate administrative practices.
The organizational strategy serves as the foundation for developing business processes.
Those processes should support the overall business structure required to meet the
organizational strategy. Key metrics and performance indicators can be studied to determine
whether the processes accurately reflect the organizational strategy. Using this feedback, an
organization can, if necessary, change the implementation of the strategy or even shift the
strategic focus itself.
x What markets does the business want to serve? Are they narrow or broad?
x What products do those markets require? Is there stiff competition? What are the
technological costs to develop and sell the products?
x Will the company make money through low margins with high volume or high margins
with low volume?
x How will the company be financed? What revenues and profit margins are required to
sustain the business?
x What are the Strengths, Weaknesses, Opportunities and Threats involved in the
business venture (SWOT)?
Comparing the current company and the desired future company, leadership is likely to
observe some distance between the two. If the company is already meeting leadership’s vision,
the organizational strategy can be minimal, merely capturing existing practices to maintain
and adjust them over time. If the company’s current state is far different from its desired state,
the organizational strategy will play a greater role in setting the corporate direction.
Vision The vision of an organization is a specific description of where the business will
be in the long-term. The vision statement conveys a general understanding of
the business, its culture, and its future goals.
Mission The mission of the business specifies its types of products or services, level of
quality, and other tangible aspects of the business and its plans. This is a more
concrete statement.
While the vision states objectives and business goals, the mission com-
municates business functionality and operational methods.
Objectives This statement includes the specific organizational objectives so that all
involved parties can understand what needs to be done. The objectives should
highlight specific goals that the organization wants units to achieve in terms of
sales, market share, product differentiation, or other relevant metrics. The
objectives must be SMART (Specific, Measurable, Attainable, Relevant, and
Time-bound).
Management principles make it possible to tailor daily operations to support the organiza-
tional strategy. For example, if the organization wishes to redevelop a business unit and focus
on an emerging technology as opposed to relying on legacy products, then the operational
focus for human resources should be to find people who can support emerging technology.
Business principles define how an organization functions. Among the most important issues
they must address are human resource requirements, knowledge management, and corporate
structure.
While the HR department’s daily focus is staffing, it also promulgates corporate policies and
procedures to employees and provides training and performance measurement. In doing so,
the HR department must align its actions with the overall corporate strategy.
Staffing
The most visible component of the HR department is staffing. Whether a company
outsources staffing searches or handles them internally, it is important for an organization to
understand how to conduct an effective job requirements analysis, thorough candidate
profiles, and effective interviews and evaluations. It is difficult to assess a candidate based
solely on a résumé and a single interview.
Staffing decisions should be measured against a detailed job requirements analysis. The
analysis should be made not only by the manager responsible for hiring but also by other
team members and organizational leaders. The position requirements thus developed must
be narrow enough to be accurate but broad enough to include many good candidates.
How might this work in practice? In a hypothetical example, the head of security for a global
manufacturing firm might need a security manager for corporate headquarters. The security
manager would work with corporate executives, supervise headquarters security personnel,
and in general ensure that the facility is protected.
The job requirements analysis addresses both direct and indirect requirements. The direct
requirements are those that the candidate must meet to understand and function in the position.
The indirect requirements are skills that will increase the candidate’s likelihood of success.
x years of experience
x previous job responsibilities
x leadership ability
x ability to multitask
x organizational skills
x communication skills
The job requirements analysis should weigh which skills are most valuable for the position. If
a company needs a crane operator, the direct requirements may be more significant because
of the safety issues involved and the skills required to operate a crane at an industrial site.
However, if the company is trying to fill an engineering role, some of the indirect
requirements may have more weight because of the need for the engineer’s design work to
interface correctly with that of other engineers.
Returning to the example of the headquarters security manager, analysis of the job require-
ments shows that the candidate must be able to ensure the physical security of the building,
supervise security staff, and interact with corporate executives and high-level managers, who
are the primary occupants of the building. The ability to handle the primary security
functions is still the most valued requirement, but several other skills are also necessary,
such as leadership, management, and interpersonal skills. The head of security will need to
communicate these needs to the HR staff responsible for filling the position.
Internal recommendations are the best way to recruit a good candidate; most employees
would not recommend someone they did not believe could fill the position. Also, hiring
people who have worked with other company employees may help create a more cohesive
team. To encourage internal recommendations, HR should post jobs in a way that effectively
reaches an internal audience.
To reach a larger pool of candidates, it is useful to advertise the position in newspapers and
online. To deal with the many résumés that may be submitted in response to a public listing,
staff must filter the résumés and invite only the most viable candidates for an interview. One
way to reduce this labor is to hire external recruiters.
Once candidates have been selected, it is time to prepare for interviews. To appeal to the best
candidates, a company must impress them just as much as they must impress the company.
HR should ensure that interviewers provide a thorough overview of the company and the
benefits of working for that company.
The interviewer should also examine the candidate’s objective capabilities and subjective fit
with the team the candidate would work with. This latter measure is sometimes the more
important one.
Many types of regulations can affect company policy. In the United States, regulations
related to the following should be researched:
Different countries may have similar laws, and if conducting business abroad, the regulatory
issues of such countries should be considered as well.
Policies should be useful and simple and should not overload employees. When developing
policies, it is useful to work closely with the managers whose teams will be most affected by
the policies. They can provide details of current operations and the probable effects of policy
changes. Collaboration can also create management buy-in that increases the likelihood that
policies will be executed and maintained. Compliance with policies can also be strengthened
through training or certification that teaches employees the details of the policies and the
consequences of violating them.
In addition to corporate policies, which provide broad descriptions of how operations will be
conducted, specific procedures need to be developed so that employees will know how to
react to various issues. Clearly articulating company procedures helps prevent confusion.
These procedures should address a wide variety of topics and should be widely promulgated.
Further, staff understanding of the procedures should be refreshed regularly to ensure that
everyone is up-to-date and understands how to respond when an issue arises.
Procedures should encompass all topics that are important for daily functions. The following
are possible subjects of company procedures:
x security
x inclement weather
x building evacuation
x filing a complaint
x requesting leave
x timekeeping
x purchasing
x corporate property rights
The policies and procedures should reflect the ideal functionality of the organization. They
support proper staff behavior and lead to a hospitable, safe workplace.
Training may be provided within or outside the company. Internal training is typically aimed
at helping employees do their current jobs better. For instance, an electronics assembler can
be trained on more efficient assembly techniques with different tool sets. Other training
might foster employee growth by giving employees the opportunity to learn different disci-
plines within the company.
Training can also be conducted outside the organization. Employees may pay for the training
themselves, or the company may pay for it, and the training may take place on employees’
own time or during working hours. This external training may be taken in university courses,
at seminars or conventions, or in other venues. It often imparts information that is outside
the scope of the current work environment and that may promote innovative approaches to
work tasks.
The metrics for evaluating employees should align closely with the organizational strategy.
For example, if the strategy calls for growth, then the metric for mid-level managers may be
to grow their business units a certain percentage.
Employees should be measured on both how well they do their current jobs and how well
they contribute to the growth of the company as a whole. Some workers focus on their
current jobs and are content in those positions. Others use their current positions to gain
experience or insights that may help them move into other positions or expand the
responsibilities of their current positions. Measuring those two aspects separately allows for
fair evaluation of the employees and clarifies what they must do to excel at their current
positions, prepare for other positions, and contribute more to the company.
Metrics for assessing how well employees are doing their current jobs include the following:
x work quality
x performance on time
x performance within budget
x meeting of other requirements of the position
Metrics for assessing employees’ overall contribution to the company include the following:
Thus, an HR department can support the organizational strategy by establishing and com-
municating appropriate policies and procedures and by ensuring that the best people are
hired, retained, and provided with growth opportunities.
In addition, cross-unit knowledge sharing can enable one department to learn from the
processes, technologies, and ideas of another. For example, a company with two divisions—
computer memory chip manufacturing and hard drive manufacturing—might be able to apply
the efficiency techniques of the first division to improve efficiency in the second division.
Centralized knowledge systems can be used to collect data that measure the productivity and
performance of business units and individual employees. Such measurement enables an
organization to identify problems and spot opportunities to cut costs, increase efficiency, or
expand the business. Relevant metrics may include return on investment, inventory
turnover, and profit margins. If the organizational strategy emphasizes volume over
profitability, an important metric will be growth in revenue. In such a case, the knowledge
management system must be able to capture revenue streams and report them accurately.
Of course, a central knowledge management system may also create a security vulnerability.
Because the information could be accessed and exploited by competitors or other outsiders,
it is essential to keep the information system secure.
The initial step is to identify the essential business units. An engineering firm would likely
consider its engineering group to be the essential business unit. Supporting units might
include sales and marketing staff. If the company’s strategy calls for growth, marketing and
sales may grow in importance.
1.4 CONCLUSION
Management practices serve a company best when they are designed in accordance with its
strategic plan. These practices are largely expressed through human resource management,
knowledge management, and business structure. When the overall corporate strategy is
ingrained in daily administration practices, the organization will have the best chance of
success.
As members of their employers’ management teams, security managers must understand more
than security—they must also know business and finance. Knowledge of financial management is
especially important, as it explains how a business makes some decisions.
As a metaphorical example, a commuter with an unreliable car might weigh many factors when
considering a solution: repair costs; the likelihood of breakdowns; and the purchase, maintenance, and
insurance costs of various replacement cars. The person takes the time to make a justified financial
decision. Businesses use similar but more elaborate processes to help them make sound business
decisions. They may need to decide whether to purchase new equipment or extend credit, or they may
need to estimate the growth potential of prospective investments. Like the commuter, they look at
financial outlays, the expected returns on those outlays, and the potential risks associated with the
investment.
Financial management practices provide the analysis and decision tools that allow businesses to
monitor the financial operations of an organization and make better financial decisions. The basis of
financial management is understanding the accounting principles used in generating financial
reports. Through those reports it is possible to analyze the current state of business finances and
project how financial decisions will affect the business. From the financial analysis it is possible to
develop budgets and set expected goals for revenue or return on investment (ROI). The result is a
financial strategy that is based on thorough analysis and that employs sufficient controls to ensure
success.
Both publicly traded and privately owned companies must follow accounting and financial
reporting standards. Public companies must, by law, observe reporting standards (for investor
protection). Oversight responsibility should be separated from authority. This is the purpose of
having an independent auditor who analyzes the facts, draws conclusions and makes recom-
mendations on the company’s financial status. Private organizations must, in practice, observe
those standards when attempting to gain financing through a bank or when setting a value on a
business. Therefore, it is imperative that individuals charged with managing finances—including
security managers—understand the basics of financial management.
In establishing a financial strategy, the first step is to identify expected margins, or the profit
that businesses generally make. In the software industry, profit margins tend to be high,
perhaps because of the specialized nature of software and the low price of delivering it.
Manufacturing companies, by contrast, typically rely on smaller margins but higher volume.
Realistically a company has two options if it wishes to improve margins. It can reduce costs
or increase the price of its product or service. Reducing costs requires increasing efficiency,
perhaps by finding cheaper suppliers or by cutting overhead costs. Increasing price may or
may not be successful, as it may lead to a decline in sales volume.
Increasing revenue may involve expanding sales of a current product or identifying new
businesses to fund sales. The growth option usually involves additional costs, as it costs
money to produce more products or pursue new business ventures.
The question is how to fund growth. Growth can be funded from internal cash reserves or
through commercial financing and investors. Both approaches impose trade-offs. Using
internal cash reserves could limit the ability of an organization to pay bills if costs exceed
revenues. Use of external financing puts the company at risk if the investment does not
create the expected revenue. The way to make such financial decisions and project returns is
through analysis of financial statements.
Financial statements are created in accordance with generally accepted accounting principles
(GAAP). These principles vary somewhat from country to country. Many countries are
converging on the International Financial Reporting Standards (IFRS), established and
maintained by the International Accounting Standards Board. In the United States, they are
established by the American Institute of Certified Public Accountants, the Financial
Accounting Standards Board, and documented, standardized accounting practices. The pur-
pose of GAAP is to establish and maintain a standard for financial reporting that can be used
across all organizations.
The following sections outline the basics behind the three financial reports.
Revenue is the money a company receives for products or services. If its products sell for
$1,000 each and the company sells 100 products during the reporting period, the revenue for
that period is $100,000 (100 units times $1,000 per unit).
Expenses, of course, are the costs of creating and delivering the products or services. If it
costs the company $900 to produce and deliver each product, and 100 units are made, then
expenses equal $90,000.
Net income equals revenue minus expenses. Thus, in this case the company’s net income is
$10,000 ($100,000 minus $90,000).
Figure 2-1
Income Statement
Expenses are typically grouped into several categories, such as the following:
x Cost of goods sold. This is the cost of creating a product or service, accounting for
materials, labor, and other costs.
The income statement in Figure 2-1 shows how net income is derived from revenue and
expenses in a yearly report. The term EBITA in the left column refers to earnings before
interest, taxes, and amortization. Numbers in parentheses are negative—that is, meant to be
subtracted.
The income statement shows approximately 10 percent annual growth in product sales. It
also shows a near-doubling of service sales from Year 1 to Year 2. That growth coincides with
an increase in payroll, suggesting that the company may have hired more employees to meet
customer demand for services.
The income statement outlines the organization’s profitability but does not provide a picture
of the organization’s overall financial health. The balance sheet aids in that assessment.
An asset is anything that a company owns or has title to that may provide a future economic
benefit. Examples include land, buildings, retail inventory, and intellectual property, such as
trademarks and copyrights.
Liabilities are an organization’s financial commitments. Examples include loans, bills, and
other obligations.
Shareholder equity is the amount of ownership allocated to shareholders. This value is not
an asset or liability but rather the ownership stake for which shareholders are responsible. If
the liabilities of an organization far outweigh the assets, then shareholders are accountable
for the extended liability. In contrast, if an organization’s assets exceed its liabilities, then the
shareholders have positive equity (or ownership) in the company. Shareholder equity is
derived from retained earnings, net income, and dividend payout. Retained earnings equals
the amount of net income that is reinvested in an organization. If dividends are paid out or if
net income is actually a net loss, retained earnings decrease.
The balance sheet thus provides insight into the asset and liability mix and how it relates to
shareholder equity. Through understanding the asset and liability mix, it is possible to deter-
mine what a company owns and what it owes in the short term and long term.
Common terms used to describe assets on the balance sheet include the following:
x Cash. This is the amount of currency a company has in its accounts, including cash
savings, cash checking, and other currency deposits
x Inventory. This is the value of raw materials, works-in-progress, and finished goods
that are stored as inventory to be sold later.
x Accounts receivable. This is the amount due by customers for goods and services
already delivered.
x Property, plant, and equipment. This includes all relevant physical space (including
land and buildings) and equipment that an organization requires to produce goods or
services.
x Prepaid accounts. It is possible to pay ahead for insurance, leases, and even taxes.
These accounts are assets because they were paid before they were actually due.
x Accumulated depreciation. As buildings and equipment age, they begin to lose value.
The loss of value with each year is captured in accumulated depreciation to more
accurately reflect the book value of an asset.
x Accounts payable. These are accounts on which an organization owes money. Typical
accounts payable include utilities or services acquired under informal agreements.
x Leases. This is the amount owed on equipment and facility leases for that reporting
period.
x Current long-term debt. This includes the amount of principal that was paid for the
reporting period.
x Long-term debt. This is the amount that a company still owes on a loan or equity
financing.
Both assets and liabilities can be grouped into current accounts. Current accounts are assets
and liabilities that can be converted quickly. For example, current assets, such as cash or
accounts receivable, are those that can be used to cover costs or other business expenses for
that reporting period. Current assets are considered cash equivalents on the balance sheet.
Current liabilities are those that are paid in the reporting period.
Accounts Payable — — — — —
Current Leases — — — — —
Current Long-Term Debt 69,020 75,922 83,514 91,866 101,052
Current Liabilities 69,020 75,922 83,514 91,866 101,052
Long-Term Debt 868,235 792,313 708,799 616,933 515,881
Total Long-Term Liabilities 868,235 792,313 708,799 616,933 515,881
Total Liabilities 937,255 868,235 792,313 708,799 616,933
Retained Earnings — 200,621 440,770 752,606 1,144,027
Net Income (Loss) 200,621 240,149 311,836 391,421 479,723
Shareholder Equity 200,621 440,770 752,606 1,144,027 1,623,750
Figure 2-2
Balance Sheet
The balance sheet in Figure 2-2 shows assets, liabilities, and shareholder equity. Total assets
must equal total liabilities plus shareholder equity.
The balance sheet in Figure 2-2 shows that the company is generating cash from profits and
is repaying long-term debt. The balance sheet also provides insight into the company’s use of profit
to increase shareholder equity. In other words, the business is using profit to pay down debt.
Together, the balance sheet and income statement provide views of the company’s opera-
tions, financing, and investments, but they do not outline where cash is being allocated. That
insight comes from the cash flow statement.
x Net operating cash flow. This is the amount of cash generated (or consumed) through
company operations. Operations include production and sales of goods or services
during the defined period. Operating cash flow is based on net income generated for a
reporting period, as well as any changes in liabilities.
x Net investing cash flow. This is the amount of cash generated (or consumed) by
investing in other organizations or selling or acquiring buildings or property.
x Financing cash flow. If a company obtains a loan or other financing, the cash
generated is reported as financing cash flow.
By understanding these basic inflows and outflows, it is possible to identify where cash is
being generated to cover business operations. For example, Figure 2-3 shows where the long-
term debt on the balance sheet (Figure 2-2) comes from. In Year 1, the company secured a $1
million loan to support additional payroll to meet customer demand. The company did not
strictly require financing, as it was able to meet cash requirements for the year. However,
management may have felt that the financing would help the company through any cash
shortages in the first year of operation.
The cash flow statement also shows that the company has a simple financial structure—just
one loan outstanding and one source of income. It does not have any additional investing
cash flow and is free from other financing obligations.
Figure 2-3
Cash Flow Sheet
Profit Margins
Profit margins reflect a company’s profitability. The following are different measures of
margins:
x Gross profit margin. By measuring profit based strictly on sales and cost of goods
sold, this figure provides insight into the efficiency of manufacturing a product. The
higher the gross profit margin, the more efficient a company is at producing a
product. If the revenue does not cover the cost of the products, then the product
price may be too low or the manufacturing and materials costs too high. Gross profit
margin is calculated as follows:
Gross Profit Margin = (Revenue – Cost of Goods Sold – General and Administrative
Costs)/Revenue
x Operating margin. This equals earnings before interest, taxes, and amortization
(EBITA) divided by revenue. This margin demonstrates the company’s overall
operating efficiency in producing and selling a product. Operating margin is calculated
as follows:
x Net profit margin. This measures net profit after all expenses are included. It summa-
rizes the net income as a percentage of sales. The higher the net profit margin, the
more profitable the company is in its business. Net profit margin is calculated as
follows:
Figure 2-4 shows the margin values that can be calculated from the income statement in
Figure 2-1. These values show that the company has healthy margins, which dipped slightly
in Year 2 due to growth but then recovered in subsequent years. The growth did not
significantly improve gross margin or operating margin but did boost net margin
considerably. By providing more services and allowing product sales to grow slowly, the
company increased revenue without increasing total expenses.
Figure 2-4
Margins
Returns
Two ratios demonstrate how well a firm has done in making money for a reporting period:
x Return on assets (ROA). This ratio demonstrates the organization’s ability to generate
income based on its assets, independent of any financing. It is calculated as follows:
x Return on equity (ROE). This ratio indicates how well a company uses financed assets
to generate income. ROE is calculated as follows:
The practice of borrowing capital to purchase assets that can increase revenue is called
leveraging. For example, by taking out a loan a construction company can purchase more
equipment and hire more people to address a greater demand for the company’s services.
ROA measures how well a company makes profit on assets it already owns; ROE measures a
company’s effectiveness at using loans to generate a profit.
Figure 2-5 shows returns calculated from the income statement in Figure 2-1 and the balance
sheet in Figure 2-2.
Figure 2-5
Returns
The ROA figures suggest that the company is not focused on using its assets to improve
revenues. In fact, its growth relative to assets remains relatively stagnant.
The ROE numbers reflect the fact that the company had little equity in its business during
Year 1 and Year 2 but much more in subsequent years. The company has been able to
generate a return despite being highly leveraged and exposed to much financial risk.
Earnings
Two earnings-related ratios are commonly examined in financial analysis:
x Earnings per share (EPS). This is a useful metric for a company that has shares that
are publicly or privately owned. EPS represents how much income (or loss) is
generated per share of the organization. It is calculated as follows:
x Price to earnings (P/E). This ratio relates a company’s share price to its EPS. The P/E
ratio is useful in determining whether an organization is fairly valued. It can also be
used to value private shares if an investor is thinking of purchasing an interest in a
private organization. The general benchmark for publicly traded P/E values is around
17. The P/E ratio is derived from the following equation:
The various profitability ratios are useful in evaluating whether an organization is meeting
profit targets. A company’s profitability ratios should be compared to those in other companies
or across an industry and also to the company’s past ratios and projected future ratios.
x Current ratio. This examines the company’s ability to cover short-term obligations. It
is derived from the following equation:
If the current ratio is greater than one, the company has the ability to cover all its
current liabilities with its current assets. In other words, it can meet its short-term
obligations—assuming that the current assets can quickly be converted to cash
equivalents. Some current assets, such as inventory, may be difficult to convert to cash.
x Quick ratio. This measures an organization’s ability to cover current liabilities with
current assets that can quickly be converted to cash. Such assets include cash,
securities, and accounts receivable. The quick ratio (also known as the acid test) is
calculated as follows:
This ratio provides a more accurate picture of an organization’s ability to cover bills
for the current reporting period.
Debt to equity ratios above one demonstrate that a company is highly leveraged and
is financing itself with outside loans and funding. While that approach may result in
faster growth, it may also reduce profit because of interest expenses.
Figure 2-6 shows sample risk ratios based on the balance sheet in Figure 2-2.
Figure 2-6
Risk Ratios
To generate growth in service sales, the fictional company took on a heavy debt load in the
initial years but paid it back quickly to minimize risk should market conditions turn unfavor-
able.
Another limitation is that all organizations operate differently and target different markets,
even if their industry segments overlap. For instance, if one company is involved in manufac-
turing and services and a competitor simply manufactures products, then the analysis of
each company will yield different results.
The final limitation is that financial ratios are derived from numbers presented in financial
reports, and those reports must be accurate for the ratios to have any meaning. Through the
process of auditing, independent accounting firms attempt to determine whether the
financial statements produced by a company’s internal accountants are complete and
accurate. However, independent auditing firms do not always succeed in that mission.
In the United States, financial frauds involving Enron and WorldCom led to the Sarbanes-
Oxley Act (SOX), officially known as the Public Company Accounting Reform and Investor
Protection Act of 2002. SOX established a new regulatory entity, the Public Company
Accounting Oversight Board, which is meant to monitor the independent auditing of
publicly traded companies. In addition, SOX requires executive officers and chief financial
officers to personally certify financial reports that are released to the public.
2.5 BUDGETS
One of the main purposes for understanding financial accounting and financial analysis is to
be able to establish budgets. A budget is a process for planning where money is to be
allocated for the year. It is a financial tool that estimates costs and revenue and provides a
variance warning mechanism and fiscal uniformity for the company.
Zero-based budgeting, for example, is a process wherein funds are placed in a budget only to
the extent that planned expenditures are justified in detail. It also may force a manager to
consider alternative ways of getting the job done. The budget generally includes both
expenses and expected revenue. Thus, to meet budget requirements, businesses often need
to generate a certain amount of revenue as well as limit spending to predetermined amount.
The budget development process is often viewed as either a top-down or bottom-up process.
A variation on these approaches is to make the process an iterative one, either during its
initial developmental stages or through periodic re-forecasts of the original budget. In each
case, executive management’s choice of strategy will have a far-reaching impact. Some
organizations choose to implement their budget in a top-down approach to impose
performance goals on lower management. An example of this would be executive
management allocating a specific amount of money to the security department without input
from the security department. In a bottom-up approach, frontline managers, who are involved
in the day-to-day operations of their departments or divisions, are their organizations’ best
resource for realistic budget information and would set their own budget. Neither is ideal. A
more practical strategy is a combination of both where the lowest level of input will occur at
the divisional or department level so that executive management can determine a realistic
budget that is in line with the overall financial objectives of the company.
Budgets are usually drawn up on a yearly or other periodic basis. It is essential to maintain
consistency in the budget process so periods can be compared to understand budget effects.
For example, a warehouse for an online retailer must estimate its yearly facilities costs
(including utilities, labor, and leasing costs) so the proper amount of sales revenue can be set
aside to cover those costs.
Budget setting tends to be difficult and politically charged because the amount of capital that
can be spread across all departments is limited. However, budgets are effective tools for
allocating funds to business units based on the expected revenues they will generate. Using
the warehouse example, if the utilities are not paid, then the online retailer will not be able to
use the storage facility. Thus, it is essential to pay business expenses that allow a company to
generate revenue. Also, the line items (specific entries) in budgets can be tracked to ensure
that spending is within its predetermined limits. However, it can be costly to follow budgets
too strictly. Sometimes, spending beyond the budget may be necessary to take advantage of
opportunities that arise.
An effective way to set the value of line items is to look at each budget expense as an
investment and then calculate the expected return on that investment. In other words, one
looks at the benefit of the investment divided by the cost—in simpler terms, cost/benefit.
However, not all returns can easily be measured monetarily. For instance, a line item such as
free lunch for employees may not generate a direct monetary return but may instead
increase employee effectiveness or reduce turnover. To determine whether the lunch
investment creates a greater benefit than other possible investments, such as free gym
memberships for employees, it is useful to calculate the return on investment.
ROI is easy to calculate for investments with guaranteed or nearly guaranteed returns, such
as bank deposits. By contrast, ROI is more difficult to calculate for an item like research and
development (R&D), which has a less predictable return. However, a company may be able
to determine its average, historical return on R&D and use that estimate in its ROI calculations.
For example, if company figures show that a $1,500,000 investment in R&D typically returns
$630,000 in revenue within five years, the ROI calculation would be as follows:
The company may also consider paying down its debt instead of investing in R&D. An ROI
calculation is useful for comparing the two options. Paying additional funds toward debt
reduction is like an investment, and the interest avoided through early debt reduction is like
revenue. If a $2,000,000 investment in debt reduction would save the company $772,000 in
interest payments over five years, the ROI calculation would be as follows:
From an ROI perspective, R&D looks like the better choice. However, the ROI analysis does
not consider all factors. For example, it does not take into account the risk that the R&D may
be unproductive. However, despite its limitations, ROI analysis can be useful in determining
which line items of a budget are more important than others.
When it comes to security, measuring return on investment is difficult even though the
department may be adding to the company’s profits by preventing losses such as theft and
damage to company assets. However, the return on the implementation of an effective
security countermeasure can be measured by applying an efficiency versus cost, or cost
versus benefit, ratio to show the long-range cost savings to the company. Also, in some cases
the insurance premiums are lower when risk decreases.
The budget should be organized to resemble the income statement. That approach generates
the equivalent of a pro forma income statement, which projects future costs and revenue for
a defined period. (By contrast, a normal income statement presents past data.) To project
future revenue, a company may turn to its marketing and sales staff. They may be able to
calculate expected sales revenue based on market data, customer input, and the company’s
product or service offerings. It is unrealistic to expect sales projections to be very accurate.
However, having a general idea of expected revenue enables the company’s various subdivi-
sions to budget appropriately so they can support the expected sales.
For example, if a company manufactures products, its manufacturing operations will need to
estimate the costs of materials, labor, and other components required to create the needed
products. The human resources department must estimate the cost of the benefits it will
need to supply to the company’s personnel. The customer support department can
determine how much money it needs to assist buyers of the product. The requirements for
each unit are based on the company’s expected sales.
Next it is necessary to decide which expenditures to fund and to what degree. That determin-
ation depends largely on the company’s financial strategy. If the company is looking to cut
costs, it must analyze the budget to see where costs can be limited without affecting sales. On
the other hand, if the company is trying to grow quickly, it may need to spend more freely.
Budgets, too, must be aligned with the company’s financial strategy. If a defined profit
margin is to be achieved, executive-level management must work with the sales and produc-
tion teams to determine the optimal price at which to sell the product and the cost at which
it can be produced. From that discussion, budgets can be established. If a department is
expected to grow, its budget should be flexible so the department can pursue business
opportunities as they appear. However, spending must be carefully managed so the business
can still cover expenses.
Standards are also used in the security arena. When they are developed in accordance with
the principles of consensus, openness, due process, and transparency, they can help nations,
communities, societies, organizations, and individuals improve their resilience in the face of
security threats, both natural and man-made.
In the past, some parties expressed concern that security standards, even though voluntary,
might in practice force security professionals to conduct their work in a prescribed manner.
Others observed that security standards, when written in general terms, would allow security
professionals sufficient latitude in how they perform their jobs. Regardless of one’s view, the
trend toward international security standards is under way, and security professionals can
best influence the development of those standards by getting involved instead of leaving
standards development to nonsecurity personnel. Moreover, adopting robust security
standards may also reduce calls for intrusive government regulations—which would likely tie
security professionals’ hands more tightly than voluntary standards ever could. Thus,
standards development may not only help security professionals coordinate their efforts
around the globe but also preserve their freedom to employ their professional judgment as
they carry out their responsibilities.
In a nutshell, security standards have arrived, more are under development, and they are
likely to work best when security professionals participate in their development.
Over time, standards have evolved from a technical issue to a business issue of strategic
importance. When a well-developed standard is in place, it brings benefits to many parties.
Businesses can use standards to develop products and services that are widely accepted,
enabling those businesses to compete freely in markets around the world. Customers can
choose from a wide variety of products and services that are compatible with each other.
Customers can also more easily judge product quality if a product is in conformance with
certain standards.
Standards are of nine main types: basic, product, design, process, specification, code,
management systems, conformity assessment, and personnel certification. They require
periodic review to remain relevant and state-of-the-art.
x Codify best practices and processes and share lessons learned. The idea is not to
develop statements that are prescriptive but to share in a generic fashion what works
best, how it works, and how it can be used to help improve the services and activities
that an organization participates in. Unlike, for example, a standard addressing light
bulb dimensions, which must be highly specific to be useful, security management
standards do not dictate particular quantities (of staff or equipment) or techniques that
must be used.
A famous illustration of the cost of nonstandard equipment is the Great Baltimore Fire (Seck
& Evans, 2004, pp. 6-7):
Fire equipment responding from different cities to the Great Baltimore Fire in 1904 were
hampered or rendered useless by the incompatibility of hose and fire hydrant connections …
When fire hoses were first manufactured, the threads used to couple them differed among all
the manufacturers. The same is true with the fire hydrant connections … Differences in hose
connections on the hydrants, both diameters and threads, were part of the design that
protected manufacturers from competition. Cities with different hydrant suppliers had fire
fighting water supply systems with connections that were incompatible with those in other,
sometimes neighboring, communities. History demonstrates that in major urban fires, the
inability of fire fighting apparatus from other areas to utilize the water supply, because of
incompatible hose connections, was a contributing factor to increased fire damage.
The lack of uniform threads is commonly cited as a factor in the massive destruction of the
th
Great Baltimore Fire that started on Sunday afternoon, February 7 , 1904 … Engine
companies from Washington, DC, transported by train, arrived in Baltimore to assist in fire
fighting a few hours after the fire started. Unfortunately, their hoses would not fit Baltimore
hydrants due to the difference in threads. The fire continued to claim block after block of
buildings in the Baltimore business district as more fire companies arrived from surrounding
cities and counties, Altoona, Annapolis, Chester, Harrisburg, New York, Philadelphia,
Wilmington, and York. Some of the responding fire companies’ hoses fit the Baltimore
hydrant connections; others did not.
After the fire, the National Fire Protection Association adopted a national standard for
hydrant connections. Interestingly, 100 years later, only 18 of the 48 most populous U.S.
cities had installed national standard fire hydrants (Seck & Evans, 2004, p. 6).
rd
The issue of standards-based compatibility remains important. At the ASIS International 53
Annual Seminar and Exhibits in 2007, Stefan Tangen, ISO/TC 223 Secretary from the Swedish
Standards Institute, told attendees, “When standards work, you just don’t notice them. You
take them for granted. But when they are not working, then they become a problem.” He
offered the example of a bridge linking Malmo, Sweden, to Copenhagen, Denmark, which was
designed to comply with both countries’ road and rail standards. Unfortunately, planners did
not harmonize emergency standards for equipment such as fire hoses (Plentiful Preseminar
Programs, 2007, p. 44).
Likewise, F. Mark Geraci, CPP, Chairman of the ASIS Commission on Standards and
Guidelines, has observed, “Today’s security issues and challenges transcend borders and
jurisdictions. Natural disasters and intentional disruptions … do not recognize boundaries.
Therefore, ASIS is behind the effort to eliminate confusion by supporting … standards” (ASIS
Supports Global ISO Standards, 2008, p. 93).
Similarly, the National Fire Protection Association (NFPA) has issued several standards regard-
ing security issues, including standards on premises security and installation of electronic
premises security systems.
Other security standards have been developed by various government agencies (including,
in the United States, the Department of Agriculture) and by such organizations as the
American Chemistry Council and the Biometric Consortium. Many countries have their own
standards organizations (such as the American National Standards Institute in the United
States, the Deutsches Institut für Normung in Germany, and the Japanese Industrial
Standards Committee. With 159 member countries, the International Organization for
Standardization, ISO, is the world’s largest standards developer. Based on international
consensus, ISO standards address the global business community.
To influence the direction of security standards worldwide, ASIS launched its Global
Standards Initiative, which is discussed in detail in Section 3.5 below.
ISO does not regulate, legislate, or enforce. However, ISO standards often become recognized
as industry best practices and de facto market requirements. Therefore, what ISO does is
important to the security profession worldwide. Because ASIS has liaison status with various
ISO Technical Committees, ASIS is able to play a leading role in shaping standards that will
affect security practice.
These technical committees include experts from the industrial, technical, academic,
governmental, and business sectors that have asked for the standards and will put them to
use. Other members include representatives of organizations interested in or affected by the
standard’s subject matter. The committees prize balance, openness, and impartiality to
ensure that the content of a standard is relevant, credible, and broadly acceptable (How are
ISO standards developed? 2008).
ISO has a detailed, written process for moving a proposed standard through the various
stages of development and adoption. The slow, deliberative process is designed to build up
the credibility of the standard. By the time the standard is completed and sent into the
marketplace, it has a large constituency (those who participated in its development) that can
increase the standard’s acceptance. In most cases, the countries that participate in standards
development at the ISO level adopt ISO standards as their national standards.
Participation in a mirror committee is a convenient option for people who want to take part
in standards development but are unwilling or unable to travel internationally. A mirror
committee advises its country on what position it should take on the documents being
developed. The committee reviews the documents as they are being prepared and prepares
comments to submit to the ISO technical committee developing the standard. Then some
members attend ISO plenary meetings or technical committee meetings, present the
country’s position, and try to get their country’s views reflected in the standard. In brief, a
mirror committee’s main responsibility is to develop a national consensus to present to ISO.
In ISO, one of the committees working on security activities is ISO/TC 223: Societal Security.
The committee has a broad scope, addressing security, business continuity, crisis manage-
ment, disaster management, and emergency response. The committee examines crisis
management and organizational continuity related to all types of disasters and disruptions,
including intentional attacks, unintentional accidents, and natural disasters. The committee
focuses on what an organization should do before, during, and after an incident. The
committee also addresses interaction and interoperability between organizations.
ANSI is the only accreditor of U.S. voluntary consensus SDOs. Of the approximately 600
SDOs in the United States, some 200 are accredited by ANSI as developers of American
National Standards. Examples of ANSI-accredited standards developers are ASIS Interna-
tional, the National Fire Protection Association, and the Security Industry Association. ANSI
also conducts programs for accrediting third-party product certification.
ANSI is the sole U.S. representative to and dues-paying member of the two major non-treaty
international standards organizations: ISO and the International Electrotechnical Commis-
sion (IEC). The institute is designed to support a broad range of stakeholder engagement,
address emerging priorities and new technologies, and allow stakeholders to find the
solutions that best fit their needs. In addition, the ANSI system is market driven, flexible,
sector based, led by the private sector, and supported by the U.S. government.
The ANSI federation represents more than 125,000 companies and organizations and 3.5
million professionals worldwide. Members include academicians, individuals, government
agencies, manufacturers, companies, trade associations, professional societies, service
organizations, standards developers, consumer and labor interests, and more (About ANSI
Overview, 2008).
ANSI accreditation, mentioned earlier, signifies that the procedures sponsored by an SDO
satisfy ANSI’s requirements for an open, fair, consensus-based process that benefits
stakeholders and the American public. Procedures provide due process and legal safeguards.
Developers retain some flexibility in how they satisfy ANSI’s requirements. ANSI accredi-
tation is a precondition for submitting a standard for approval as an American National
Standard.
The emphasis on proper procedures is crucial for mitigating the risks of standards-developing
activities. The procedures require the following:
ANSI approval of a standard means the standard was developed in accordance with ANSI’s
requirements and is subject to ANSI’s procedural oversight, due process, and audit. The ANSI
designation means the standard was developed through a process that includes the following:
x consensus by a group that is open to all materially affected and interested parties
x broad-based public review and comment on draft standards
x consideration of and response to comments submitted by voting members of the
relevant consensus body, as well as by the public
x incorporation of submitted changes that meet the same consensus requirements into
a draft standard
x availability of an appeal by any participant alleging that these principles were not
respected during the standards process
x lack of requirement for compliance unless the standard is adopted into a regulation
or statute
ANSI also examines any evidence that a proposed national standard is contrary to the public
interest, contains unfair provisions, or is unsuitable for national use.
Management systems standards are widely accepted and used in many fields and disciplines.
The most famous management systems standards are ISO 9001:2008 Quality Management
Systems—Requirements and ISO 14001:2004 Environmental Management Systems—
Requirements with guidance for use.
A management systems standard can help an organization in several ways. For example, a
company in conformity with a management systems standard may thereby give its
customers, suppliers, and other stakeholders greater confidence in its reliability. Likewise, a
company that supplies materials to a large manufacturing corporation (that must meet
certain environmental standards) may better satisfy that company if it can show that it is in
conformity with the ISO 14001 environmental management systems standard. In the same
vein, if a company wishes to supply a critical piece in a supply chain, the customer may be
happy to know that the prospective supplier is in conformity with the ISO 28000:2007
Specification for Security Management for the Supply Chain and/or the ANSI/ASIS
Organizational Resilience Standard. The customer may feel the supplier is less likely to suffer
a disruption that would halt the customer’s production process.
Management systems standards also provide organizations with a forum and mechanism for
complying with regulations, industry requirements, and best practices. Of course, these
standards are not regulations. Instead, they are tools to help an organization meet its goals,
whether in terms of quality, environmental concerns, safety, security, preparedness, or
continuity. Most management systems standards are based on the Plan-Do-Check-Act
(PDCA or Deming Cycle) model of total quality management (TQM), which was developed
decades ago and has been proven in the field of management.
In sum, management systems standards include very generic requirements. They set a
framework for a holistic, strategic approach to management. They address what an org-
anization should do while leaving the details of how to achieve its objectives to the
organization. The organization then has the flexibility to define the scope of the program and
the means of implementing it.
The bottom line is that in working toward conformity with a management systems standard,
the implementer is changing the organization’s culture. In the case of a security management
systems standard, the implementer embeds a culture of security into the organization so all
stakeholders understand that security is an important objective of the organization and that
they are involved, will be held accountable, and should commit themselves to achieving the
goals named in the management system.
The same concept applies to security professionals. Being able to describe security goals in
terms that management uses helps both parties. Management will better understand
security issues, and security professionals will better understand management issues, which
are really the issues of making the organization successful. Security then may be viewed as a
strategic business and operational issue.
x Establishing benchmarks. These enable the organization to measure its progress and
outcomes. The implementer must demonstrate that the management system is
effective, and benchmarks help in doing so.
x Forcing the organization to systematically identify risks and problems as well as
potential solutions. Many organizations skip this step, make false assumptions, and
therefore focus on issues that do not matter and ignore important ones.
x Including more participants. A management systems standard requires the org-
anization to include all levels of employees and stakeholders in planning. This more
inclusive approach encourages normally reserved people to step forward and identify
problems the organization may have overlooked. It also gives more people a sense of
ownership of the process. They will then be more likely to get involved and participate
in reaching the goals of whatever management system is being implemented (e.g.,
quality, environmental, security).
x Providing problem-solving and decision-making tools. The standard also links those
tools to personnel training that will help employees do what the organization needs to
reach its goal.
x Leading the organization to study how standard operating procedures and
operational controls can enhance the organization’s performance. Often organi-
zations find that implementing a management systems standard improves their
production and quality of service in ways completely separate from the standard’s
particular goal.
x Protecting the organization’s reputation or brand. In many cases, implementing and
conforming with a management systems standard gives others greater confidence in
the organization. News reports often show how a minor mistake, such as a breach of
information security or a contamination problem, causes a company to lose market
share or stock value. Better management systems can help prevent mishaps that lead
to reputational damage.
x Providing a model for continual improvement. A management systems standard does
not call for a one-time action and specific output. Rather, the management system it
leads to is an ongoing system. When an organization is audited for conformity, it is
checked not for specific performance but for a mechanism for improving performance.
x Helping an organization coordinate its resources and programs. These may include
structure, responsibility, training, awareness, operational controls, and communica-
tion; policy and management commitment; planning and program development;
review and improvement; checking and corrective action; knowledge of the
organization; and planning, risk assessment, and impact analysis. These are all
important, but in the absence of an effective management system, they may be like
unconnected puzzle pieces and may not be usable in an effective, coordinated way.
Some specific outcomes that a management systems standard is likely to lead to include
better organizational performance through improved capabilities; strategic alignment of
improvement activities at all levels of the organization; the flexibility to react quickly to
opportunities and a changing environment; and optimization of resources.
Plan This most critical stage calls for identifying and analyzing the organization’s
problems—events that could disrupt operations—and assets. One identifies
the root causes of those problems and begins to rank them in terms of
importance.
Do Here one looks at the planning analysis, devises a solution, prioritizes next
steps, and develops a detailed action plan. The key word is action. The goal
is not to write a manual that sits on the shelf, gathering dust. Rather, the goal
is to develop a plan that will be used actively to engage the organization and
address problems and their causes—and then to implement that plan.
Check At this step, one examines the solutions devised to address the problems.
The point is to check whether the solutions are producing outcomes that
are consistent with the plan. It is necessary to have a way of identifying
deviations so one can analyze why some measures might not be working
and how they can be improved.
Act If the solutions are in fact addressing the organization’s problems, it is time
to act to standardize those solutions throughout the organization, review
the current list of problems, and start defining new problems and issues.
This is where the cycle, in effect, begins again.
A good way to start this process is to focus initially on a problem that is relatively easy to
solve. Picking a solvable problem provides practice in using the management system and
demonstrates the system’s effectiveness before the organization moves on to more serious or
difficult problems.
Plan
Define & Analyze a
Problem and Identify the
Root Cause
Act Do
Devise a Solution
Standardize Solution
Develop Detailed Action
Review and Define Next Issues Plan & Implement It
Systematically
Check
Confirm Outcomes Against Plan
Figure 3-1
Plan-Do-Check-Act-Cycle
The ISO 9000 family of standards addresses quality management to help an organization
meet customers’ quality requirements, enhance their overall satisfaction, satisfy regulatory
requirements, and continually improve the organization’s performance in pursuit of these
objectives. The ISO 14000 family of standards addresses environmental management, which
is a way of looking at the organization’s activities, products, and services to gauge their
environmental effect, find ways to minimize any harmful effects, and improve the cost-
effectiveness of the organization’s processes.
All ISO management systems standards are implemented using the same process and have
the same structure and components. Thus, a single, well-designed management system
within an organization can be used to show conformity to several standards.
3.5.1 PROCESS
An early step taken through the GSI was to have ASIS gain approval as a liaison in the major
national and international standards bodies. Not being a country, ASIS cannot participate
directly in ISO as a national member. However, as an international organization, ASIS was
able to seek liaison status, which enables full participation except for voting. Through the
GSI, ASIS is also developing strategic partnerships with other standards-developing bodies
around the world.
ASIS encourages its members to help identify standards of high priority to security
professionals and then to participate in developing drafts for circulation at the national,
regional, or international level. The goal is to get involved in the development of standards
regarding issues where standardization will make security professionals’ jobs easier and
improve the quality of security service delivery. Specifically, ASIS encourages members to
participate in developing standards on mirror committees in their home countries.
ASIS is also an ANSI accredited SDO. The GSI is actively developing ANSI American National
Standards (ANSI-ANS) in the U.S. As an example of ASIS standards-developing activity,
Figure 3-2 illustrates the ANSI-certified process ASIS follows to develop American National
Standards.
This chapter focuses on standards. It is worth noting, however, that before becoming
involved in standards, ASIS promulgated several guidelines. They were meant to be less
formal than standards in the sense that an organization could use some, none, or all of a
guideline’s elements—there was no issue of being in formal conformity. ASIS began issuing
guidelines in 2001 to help the private sector secure its business assets and critical
infrastructure. Where applicable, these guidelines are being modified into different types of
documents: either actual standards or handbooks for implementing actual standards. The
latter type is appropriate when the original guideline is too detailed and prescriptive to be a
standard but contains much useful guidance that practitioners may want to know as they
apply a standard.
ASIS conducts the five-day Security Lead Auditor Course for ISO 28000:2007, which is
accredited by the Registered Accredited Body, USA and Quality Standards Australia
(RAB/QSA). Upon successful completion of the program, participants receive the
internationally recognized Lead Auditor Competency Certification.
ASIS is also providing implementation guidance for ISO standards; leading education and
training on standards and guidelines issues; and developing auditor training and
certification (for auditing conformity with standards).
Start
Yes
Yes
No No
Draft Standard
Approved
End
Figure 3-2
ASIS Commission on Standards/American National Standards Institute
Standards Development Process
ASIS Guidelines
The following are the ASIS guidelines that are published or under development as of March
2011. All published guidelines can be downloaded from http://www.asisonline.org/guidelines/
published.htm.
x Chief Security Officer Guideline (2008). This guideline addresses the key responsibilities,
skills, and qualifications needed in an organization’s senior security executive. Status:
published.
x Private Security Officer Selection and Training Guideline (2010). This guideline sets
forth minimum criteria for the selection and training of private security officers. The
criteria may also be used to provide regulating bodies with consistent minimum
qualifications. Status: published but under revision.
ASIS Standards
The following are the ASIS American National Standards that are finished or under
development as of March 2011. All published standards are available at http://www.
asisonline.org/guidelines/published.htm.
Many of these standards are being worked at the international level as well.
x Chief Security Officer (CSO) Organizational Standard (2008). The standard provides a
model for organizations to use when developing a leadership position responsible for
providing comprehensive, integrated risk strategies to protect an organization from
security threats. The CSO’s role may be viewed as a stand-alone position or one that
has been incorporated within an organization’s existing leadership team. The standard
details the CSO reporting relationship, key responsibilities, core competencies,
experience, education, and compensation. It also provides a model position
description. Status: published as an ANSI-ANS.
x Workplace Violence Prevention and Intervention (2011). Joint standard with the
Society for Human Resource Management (SHRM) that provides an overview of
general security policies, processes, and protocols that organizations can adopt to help
prevent threatening behavior and violence affecting the workplace and better respond
to and resolve security incidents involving threats and episodes of actual violence.
Status: Published as an ANSI-ANS for WVPI.
x Resilience in the Supply Chain. Standard expands the scope of the ANSI ASIS
Organizational Resilience Standard to include resilience in the supply chain. It
provides a framework for evaluating the internal and external context of the
organization with regard to its supply chain, enabling it to develop a comprehensive,
balanced strategy to reducing both the likelihood and consequences of a disruptive
event. It also is consistent with the risk management principles and framework of the
ISO 31000. The standard provides auditable criteria to prevent, prepare for, respond
to and recover from a disruptive event using a comprehensive approach to managing
risks thereby eliminating the siloing of risks and their impacts. Status: Under
development.
x Risk Assessment. This standard provides a means of analyzing the efficacy of risk
management controls designed to protect an organization’s assets. Status: Under
development.
Standards Activity
ASIS has become involved in numerous security-related standards development projects in
concert with other organizations. Note that security in the ISO context is a very inclusive
term, referring to the entire flow of events that can take place surrounding a disruptive
incident, such as prevention, preparedness, mitigation, response, continuity, and recovery.
ASIS also has relationships with national bodies and is participating in developing standards
with them. The subsequent goal is to take completed standards and submit them to ISO for
consideration as international standards. Doing so accelerates the process and gives a larger
voice to security professionals so standards will truly address their needs and the services
they provide. Members are encouraged to volunteer to participate in technical committees
on standards that affect their areas of practice and expertise. The following are some key
areas of ASIS involvement:
x ISO/TC 223: Societal Security. ASIS Type A liaison status with ISO allows ASIS full
participation. ASIS is a member of the Chairman’s Advisory Group, the Resolutions
Committee, and all work groups and task groups involved. ASIS has been actively
involved in drafting the documents that have been circulated through the technical
committee.
x ISO/TC 247: Fraud and Countermeasures. ASIS Type A liaison status with ISO allows
ASIS full participation. ASIS has been actively involved in drafting the documents that
have been circulated through the technical committee.
x ISO/TC 8: Marine and Maritime. ASIS participates as a liaison, particularly in the ISO
28000 Security in the Supply Chain series.
x ISO/PC 262: Risk Management. ASIS Type A liaison status with ISO allows ASIS full
participation. ASIS has been actively involved in drafting the documents that have
been circulated through the technical committee.
x ISO/IEC JTC 1/SC 27: Information Security. ASIS participates as a liaison, particularly
in the ISO 27000 series.
x JTCG Task Force Auditing for the revision of ISO 19011. ASIS represents ISO/TTC 223
as a liaison to this group on auditing of security and security management systems.
This task force is looking at how to expand auditing (as is done in quality and
environmental management systems standards) to the realms of security, information
technology, occupational health and safety, and other fields where management
systems standards are being developed or have been developed.
x ISO/SAG-S: Strategic Advisory Group on Security. ASIS also participates in this group,
which advises the ISO Board on strategic issues related to security. The group is open
only to national bodies, not to liaisons, but ASIS sits at the table as a member of the
Dutch contingent (that is, as a technical expert with the Nederlands Normalisatie-
Instituut).
x Supply Chain Risk Leadership Council. ASIS participates in the Supply Chain Risk
Leadership Council in strategies to address supply chain standards development both
nationally and internationally.
x CEN/BT/TF 167: Security Services, CEN/BT/WG 161: Protection & Security of the
Citizen, CEN/PC 384: Airport and Aviation Security Services, CEN/TC 391: Societal
and Citizen Security, and CEN/TC 379: Supply Chain Security. ASIS participates in
CEN, the European Committee for Standardization, which is a consortium of European
standards bodies. In the first committee listed, ASIS has observer liaison status; in the
second committee, ASIS maintains close relationships with active members.
x ASIS International partners with National Standards Bodies (NSB) around the globe
to develop national standards, promotes collaboration between the local ASIS
Chapters and the NSB, and provides joint training programs.
x ANSI’s Board of Standards Review (BSR) body. ASIS is a voting member of the ANSI
BSR, which is responsible for the approval and withdrawal of American National
Standards and for hearing appeals of its decisions.
x ANSI’s Executive Standards Council (ExSC) body. ASIS is a voting member of the ANSI
ExSC which is responsible for the procedures and criteria for national and international
standards development activities of the Institute, and accredits national standards
developers and U.S. Technical Advisory Groups (TAGs) to ISO. The ANSI ExSC hears
appeals related to its areas of responsibility.
x ANSI National Policy Committee (NPC) body. ASIS is a member of the ANSI NPC,
which is responsible for broad-based policy and position decisions regarding national
standards issues and government relations and public policy issues.
x ANSI International Policy Committee (IPC) body. ASIS is a member of the ANSI IPC,
which is responsible for development of ANSI strategic directions and policies related
to international and regional standardization.
x ANSI ISO Council (AIC) body. ASIS is a member of the ANSI AIC, which is responsible
for developing ANSI positions and preparation of ANSI representatives to ISO General
Assembly and ISO Council and its subgroups, including ISO policy development
committees.
x ANSI Standards Boost Business (SBB) campaign. ASIS participates in the ANSI SBB
effort to increase executives’ and other private-sector leaders’ (C-level) understanding
of how the U.S. voluntary standards system and its activities can boost business
performance.
x ANSI Organizational Member Forum (OMF) body. ASIS is a member of the ANSI OMF,
which provides a forum for U.S. professional societies, trade associations, standards
developers, and academia to come together to discuss national and international
standards and conformity assessment issues of interest.
x ANSI Homeland Standards Security Panel (HSSP). ASIS is a member of the ANSI
HSSP, which identifies existing consensus standards, or, if none exists, assists the
Department of Homeland Security (DHS) and those sectors requesting assistance to
accelerate development and adoption of consensus standards critical to homeland
security. Additionally, ASIS is a member of the ANSI Homeland Standards Security
Panel Steering Committee, an advisory committee to the HSSP.
x Security Industry Standards Council (SISC). ASIS is a member of the SISC, which votes
on proposed standards that are being considered from other security-related SDOS in
addition to review and coordination of standards activities.
x U.S. Department of Homeland Security Title IX program (Voluntary Private Sector
Accreditation and Certification Preparedness Program). The ANSI ASIS Organi-
zational Resilience Standard has been adopted in the Title IX PS-Prep program.
The position of ASIS is that these areas represent the best thinking of security professionals
around the world and also help to ensure an organized approach to the challenges facing
corporations and the public and private sectors today.
This is a practical management systems standard that deals with organizational resilience. It
focuses on security, preparedness, and continuity management all in one management
systems standard. It looks at how an organization can prevent, prepare for, mitigate, respond
to, and recover from a disruptive incident that could, if not controlled, turn into an
emergency, crisis, or disaster. Like ISO standards, it uses the Plan–Do–Check–Act model.
The standard was designed to be business-friendly (improving its likelihood of adoption in the
marketplace) and is completely aligned and compatible with existing management systems
standards, such as ISO 9001:2000: Quality Management, ISO 14001:2004: Environmental
Management, ISO/IEC 27001:2005: Information Technology Security, and ISO 28000:2007:
Supply Chain Security Management. An advantage of this alignment is that an organization
can meet the requirements of other standards through the process of meeting the require-
ments of this organizational resilience standard. The standard is also meant to be an
auditable complement to the new ISO31000: Risk Management standard, thereby enabling
an organization to seamlessly integrate resilience and security management into its overall
risk management strategy.
The standard’s goal may be illustrated by considering a company that, on a normal day of
operation, is working at 100 percent capacity. Suddenly a disruptive incident occurs. Without
a plan in place, the company could completely lose capacity. Once that happens,
management may have no idea how long it will take to return to full capacity, if indeed the
company ever does. This standard encourages management to preempt the problem by
looking at what could potentially disrupt the operation, how to prevent it, and how, if it takes
place, to respond quickly to mitigate the impact of the incident (reduce the drop in capacity)
and shorten the recovery period. The standard also helps management consider how to
bring the most critical processes back online as quickly and efficiently as possible. The goal,
then, is to help the organization survive and thrive.
The following is a summary of the steps contained in the standard, as directed to security
management:
x Identify critical objectives, operation, functions, products, and services. Prioritize them
according to their importance to the organization’s survival.
x Make a preliminary determination of likely risk scenarios and consequences.
By understanding and prioritizes the issues most important to the organization, it is possible
to focus on problems that are manageable and for which one can effectively develop a
system. It is not advisable to deal with all problems of the organization at once. The process
should be approached from a business point of view with a continual improvement
perspective.
2.Security Policy
The next step is to obtain management commitment, participation, and leadership, which
are critical to the exercise. The standard is, after all, for a management system. Security
policy will be elevated to a critical interest of the organization and hence requires the
participation of the entire organization. The policy will state and constitute a commitment to
the protection of critical assets as well as commitment to continuous improvement.
Obviously, management demonstrates its commitment by providing adequate resources to
implement the management system.
3.Planning
This is the time to conduct a risk assessment and impact analysis. The standard simply states
that the organization must have a defined and documented method for doing so. The
organization may choose from the many existing risk assessment methodologies and means
of analyzing business impact, but it must choose a specific, formal methodology and not
merely rely on its general sense of the problem. It is recommended that the organization
follow the risk assessment process outlined in ISO31000:2009: Risk Management Guidelines.
At this stage it is also necessary to determine the legal and other requirements with which the
organization must comply and then choose a method of addressing them.
With these three analyses, the organization has a basis for developing objectives and
determining its means and resources for attaining them.
Plans for security management programs emphasize incident prevention, while plans for
response management emphasize reducing an incident’s impact and quickly returning to
full operation.
x Training, awareness, and competence. Programs must be developed that will give
employees the confidence and competence to do what they should. They should be
educated on what could happen and how they should respond.
x Incident preparedness and response plans. These contain the specifics of what should
be done to prevent an incident and mitigate its consequences, as well as what should
happen after an incident, covering such issues as alternative work sites, mutual aid
agreements, and meeting points.
x Important business records. This step addresses the need to identify, store, and
protect vital documents, as well as keep them accessible to the people who need them.
Again, the standard does not specify how to perform these tasks but merely insists that
the company have a specific plan for doing so.
x Audits. These make it possible to track the performance and effectiveness of all
required tasks.
6.Management Review
Information from all the preceding steps is then fed back for management review. This is the
stage to ensure that the management system is adequate and effective and to discuss any
need for improvement.
Then, for continuous improvement, one repeats steps 1 to 6 indefinitely. Figure 3-3 shows
the process in graphic form.
The standard’s structure is simple, but each step is rather involved. If the organization
contains a person who wishes to focus on security, preparedness, and continuity management,
that person may be the best candidate to bring this management systems standard to
management. Alternatively, an organization may use an external consultant with expertise in
developing such systems. However, the management system is implemented by the
organization with the advice and guidance of the consultant. Ownership throughout the
organization is the key to success.
Standards are nothing to fear. If the security community sits back and waits for others to
develop security standards—whether people from other disciplines or standards developers
with no security expertise or practical understanding—then the standards developed could
be overly prescriptive and make it more difficult for security professionals to do their jobs.
On the other hand, if the people who will use the standards get involved in developing them,
the standards are more likely to be useful tools.
Policy
Management Review - Management Commitment
- Adequacy and Effec veness - Commitment to Protec cal
- Need for Changes Assets and Con nuous Improvement
- es for Improvement - Commitment of Resources
Connua l
Planning
Checking & Corr ve Ac on Improvement - Risk Assessment and Impact Analysis
- Monitoring and Measurement
- Legal and Other Requirements
- Evalua on of compliance and
system performance - ves and Targets
- Nonconformity, Correc ve - Strategic Preven on, Preparedness
and Preven ve Ac on and Response Programs (Before,
er an Incident)
- Records
- Internal Audits
Figure 3-3
Organizational Resilience (OR) Management System Flow Diagram
REFERENCES
About ANSI Overview. (2008). American National Standards Institute. Available: http://www.ansi.
org/about_ansi/overview/overview.aspx?menuid=1 [2008, December 8].
ASIS supports global ISO standards. (2008, January). Security Management, 93.
How are ISO standards developed? (2008). International Organization for Standardization. Avail-
able: http://www.iso.org/iso/standards_development/processes_and_procedures.htm [2008, Dec-
ember 8].
Seck, M. D., & Evans, D. D. (2004). Major U.S. cities using national standard fire hydrants, one
century after the Great Baltimore Fire. National Institute of Standards and Technology.
Gaithersburg, MD.
Siegel, M., & Carioti, S. (Speakers.) (2008). Standards changing the world of security professionals
(ASIS Virtual Forum CD Recording EDUPRG.VF-06). Alexandria, VA: ASIS International.
Protecting an organization’s assets is a daunting task. The business world, the security arena, and
life itself are changing at lightning speed. Globalization, information technology, instant
communications, complex and asymmetric threats, public opinion, mergers and acquisitions,
conglomerates and partnerships, and regulation all have a major influence on how security
professionals must perform their mission. In addition to needing a broad array of security
expertise, today’s security professional must be an adaptable, strategic thinker, skilled in process
management and fast, accurate program implementation.
Protection of Assets is designed as a support tool for security professionals and others with similar
responsibilities. It provides information on all aspects of security and related functions and helps
readers balance costs and results in planning, developing, and implementing sound risk
management strategies.
Because of the rapid pace of change, POA is a living document. It features periodic updates and
guides readers to other sources for further information.
In considering all of an organization’s assets and all potential hazards, both natural and
man-made, the security function should take the lead on some matters and play a
supporting role in others. This approach helps ensure that the security function is, and is
seen to be, a value-adding element of the organization. The greatest protection of corporate
assets occurs when an appropriate mix of physical, procedural, and electronic security
measures is in place in relation to the assets being protected. This creates an effective
defense-in-depth asset protection program.
Graduate students in a security management program were recently asked to define assets
protection from their perspective. The students were all experienced, mid-career professionals
in security, law enforcement, or the military. Almost all the students mentioned elements like
asset definition, threat assessment, vulnerability and risk analysis, security methods for
reducing risk, and the need to balance security costs with the benefits of protective measures
employed. However, several additional aspects of assets protection emerged as well:
In addition, it is essential to know what needs to be protected. In many cases, asset owners
(such as business owners or managers) lack a thorough understanding of what their real
assets are. Some think purely in financial terms, while others focus on tangible goods, such
as facilities, inventory, vehicles, or equipment. A wider view of assets might include those
listed in Figure 4-1.
Figure 4-1
Examples of Organizational Assets by Type
Assets protection incorporates all security functions as well as many related functions, such
as investigations, risk management, safety, quality/product assurance, compliance, and
emergency management. Therefore, the senior assets protection professional must have
Over the centuries, upon arriving in a new country, immigrants from particular regions have
tended to settle together in communities that became known as ghettos. These ghettos have
had a strong assets protection aspect.
Like tribes, gangs today emphasize assets protection. Their assets may include “turf,” recogni-
tion, members, weapons, or market share of illegal activities.
Families, too, protect their assets, which include family members, the home and its contents,
vehicles, financial assets, pets, occupations, and status in the community. Families use such
methods as security equipment, insurance, education, communications procedures, and
neighborhood watch groups.
Different assets protection methods work in different situations (Webster University, 2006):
The protection of assets is not an exact science. What works in one situation may have
disastrous results in another. Asset owners and security professionals alike must analyze
specific situations or environments; recognize needs, issues and resources; and draw
conclusions regarding the most appropriate protection strategies and applications.
The concepts, techniques, tools, and philosophies of assets protection change as threats
mutate, technologies advance, management approaches develop, and business around the
world becomes transformed.
Another influence was the recognition of the vulnerability of critical infrastructure to both
natural and intentional attacks. In the United States, critical infrastructure was initially defined as
comprising the following industry sectors: transportation, oil and gas, water, emergency services,
government services, banking and finance, electrical power, and telecommunications. More
sectors were added later. Significantly, most U.S. critical infrastructure is owned or operated by
private enterprises. In the United States, attention to the security of critical infrastructure
increased greatly after the 1993 attack on the World Trade Center in New York City and the
bombing of the Alfred P. Murrah Federal Building in Oklahoma City two years later.
To security professionals, the terrorist attacks of September 11, 2001, represented the most
significant turning point in assets protection around the world. That attack
x led to increased security budgets and reduced constraints on security policies and
procedures,
In some cases, knee-jerk reactions to 9/11 wasted valuable resources. For example, one
company with facilities in several countries ordered each site to post a security officer at its
entrance. However, the new security officers had no idea of their roles and responsibilities
and had no way to communicate with other security staff at the sites. At best they were able
to provide a false sense of security. Similarly, after 9/11 many organizations spent much
more than necessary on security technology.
The shock of 9/11 also caused an overemphasis—in terms of security solutions—on terrorist
attacks instead of the broader spectrum of realistic security risks. Even now, resources that
could have been dedicated to information technology (IT) security, information asset protec-
tion, and traditional crime or loss prevention are being diverted to antiterrorism measures,
such as blast-resistant materials, stand-off zones, bollards, chemical/biological hazard
sensors, and similar items. Even in school security, interest in traditional, comprehensive
assets protection has often given way to preparation for terrorist attacks.
Over time, the 9/11 attacks have partly redefined assets protection. The following are some of
the beneficial changes:
x a change in public expectations and an increase in the level of security measures that
the public will tolerate
x more serious study of security and protective services budgets and strategies
x better information sharing within and between the security and law enforcement
communities, leading to improved crime-fighting capabilities
Sim
milarly, the 2001 anthrax scare in the e United Staates led to m
much greater emphasis o on the
security of maillroom operattions. In add
dition, the Saarbanes-Oxleey Act in the United State
es has
req
quired publiccly traded corrporations to
o perform mmore extensivve assessmen nt and reportting.
Pattterns of Chaange
In assets proteection, the period
p betwe een major p paradigm sh hifts (includiing technolo
ogical
devvelopments and
a concepttual shifts) has
h been deccreasing. As Figure 4-2 sshows, durin ng the
19550s and 196 60s several years
y passed d between m major parad digm shifts. In more recent
deccades, the in
nterval betwe
een those sh hifts has decrreased to the point wheere changes ttoday
follow each other rapidly.
Figure 4-2
m Shift Frequeency Model
Paradigm
Theese paradigm m shifts inc clude chang ges in surveeillance tech hnology, inttegrated seccurity
systtems, the scope of securrity professioonals’ dutiess, legal and lliability issue
es, the regullatory
env
vironment, the t use of computers inn the securitty function, public/privvate partnersships,
anttiterrorism, convergence
c e, and globall business reelationships.. Security prrofessionals must
be prepared
p forr rapid chang
ge in the worrkplace.
Anoother chang ge is that asssets protecttion is increeasingly bassed on the principle off risk
management, a term ratherr recently ap pplied to seccurity managgement and assets prote ection
(We ebster Unive ersity, 2006)). The ASIS Internation al 2006 Gen neral Risk Security Guid deline
deffines “risk” as the possibiility of loss re
esulting fromm a threat, seecurity incident, or eventt. The
con
ncept is a perrfect fit for asssets protecttion, the prim
mary objectivve of which iis to manage e risks
by balancing
b th
he costs and benefits
b of prrotection meeasures.
The Five Ds
This security approach complements the “legal” approaches
discussed above. In this concept, the first objective in
protecting assets is to deter any type of attack. The second
objective is to deny the adversary access to the asset, typically
through traditional security measures. The third objective, if
the first two fail, is to detect the attack or situation, often using
surveillance and intrusion detection systems, human
observation, or a management system that identifies short-
ages or inconsistencies. Once an attack or attempt is in
progress, the fourth objective is to delay the perpetrator
through the use of physical security and target hardening
methods, or use
e of force. Finally, in toda
ay’s terrorist environmen nt with more violent crim
minals,
it may
m become necessary
n to destroy the aggressor
a if th
he situation w
warrants it.
In short,
s assets protection should
s invollve a compreehensive straategy, not ju
ust piecemea
al ele-
ments (officers,, closed-circu
uit television
n, access con
ntrol systemss, etc.).
4.2.2 ASS
SETS PROTEC
CTION IN VA
ARIOUS SETTIINGS
Maany security principles
p an
nd procedure es are commmon across sectors, geog
graphic areass, and
variious sizes and
a types off organizatio ustry has its own
ons. Howeveer, each parrticular indu
cultture, environ
nment, and issues that in
nfluence asseets protection
n
Thee most serioous threats inn health carre involve woorkplace and d domestic violence, threats,
harrassment, intternal theft, vandalism, extremist acctivity, fraud, threats to h
high-risk or high-
ofile patients, and violenc
pro ce in emerge
ency departmments.
Heaalth care se
ecurity profe
essionals can
n gain man
nagement su
upport throu
ugh these m
means
(Ste
ewart, 2006)::
demonstra ating a knowlledge of hosp pital managem ment issues and respectin ng the busine
ess
aspects of the
t enterprise e maintaining a dialogue wiith managemeent to ensure tthey understa and
the hospita
al’s risks and vu
ulnerabilities, as well as the assets protecttion program itself
Educational Sector
Educational institutions range from preschools to universities and include both public and
private institutions. Schools at all levels have historically been viewed as somewhat insulated
from the ills of society, but in recent years more attention has been paid to school security.
At the lower academic levels, security responsibility may fall under the school board, county or
city, or local police department. Most colleges and universities maintain their own security
function, which may or may not be connected to the campus police department.
Educational institutions face a wide range of threats, such as assaults against students and
staff, facility damage, vandalism, theft of goods (computers, equipment, supplies, etc.), theft
of private information, attacks against IT, white-collar crime, liability, and natural disasters.
Universities also face the theft of research information.
At most schools, much of a security director’s time is spent on crisis management. Evacuation
planning, preparations for shelter-in-place situations, liaison with first responders, awareness,
training, and exercises are all critical in that environment. In addition, schools may be called
on to serve as community shelters or medical triage centers during disasters. Figure 4-3 lists
some of the common security issues at each educational level.
Universities include more than classrooms—they may also feature dormitories, restaurants,
stores, libraries, entertainment venues (clubs, theaters, bowling alleys, fitness centers, game
rooms, etc.), sporting facilities, worship centers, conference centers, and hospitals. Further
security issues are raised by the fact that some students may be living away from home for
the first time and may not behave as well as they should or show the right level of safety and
security consciousness. Universities also host many students from other countries, who may
violate bans on certain exports or may overstay their visas.
High crime rates, high-profile incidents, and a questionable campus safety record can harm a
university’s image and lead to a loss of students, revenue, grant money, and research projects.
Security directors in the educational environment must take a comprehensive risk manage-
ment approach to their assets protection program. In their security planning, they should
consider many factors, such as the size and demographics of the school, the characteristics
of the surrounding area, the mission and culture of the institution, the types and values of
assets, the school’s image, its management style, and any identifiable threats.
Level Considerations
Figure 4-3
School Security Considerations
The industry emphasizes cost control, margins, and profit and loss management. Thus,
assets protection professionals must focus on theft prevention, anti-fraud programs,
strategic planning, and supply chain/vendor/distribution integrity. The QSR industry employs
a range of security technology, including closed-circuit television (CCTV) tied to point-of-sale
systems (e.g., cash registers). Assets protection teams in the industry also investigate suspected
false claims of employee or customer injuries.
Because of the high employee turnover rate and the geographic dispersion of stores, security
training is both essential and difficult. Modern IT can enhance the company’s ability to
conduct safety and security training—for example, by facilitating distance learning. One
focus of employee training is simply teaching whom to call and how to report suspicious
activity. Most companies maintain toll-free hot lines. In addition, employee awareness can
be bolstered using security posters, changed regularly.
Telecommunications Sector
Assets protection in the telecommunications sector has changed in the wake of industry
deregulation; the boom in wireless, Internet, fiber optic, and other telecommunications
technologies; and, in the United States, the designation of the telecommunications system as
a national critical infrastructure. Assets protection in the telecom sector now encompasses
four major areas:
Aerospace Sector
The aerospace sector, which includes civil aircraft,
military aircraft, missiles, space systems, and aero-
space services, is characterized by fierce, global
competition; large, complex contracts; interna-
tional joint ventures; and a huge network of
vendors, all of which factors significantly complicate
assets protection strategies.
The larger aerospace firms maintain large security departments staffed with various
security specialties. By contrast, small aerospace vendors often have no security resources.
Therefore, it is best to discuss security support at the outset of a new project and agree who
will be responsible for various aspects of assets protection and what resources each player
will contribute.
Assets protection in the aerospace industry is also affected by the climate of risk taking; the
extent of high-value information that must be protected; and the industry’s high profile, which
attracts adversaries in the form of competitors, activist groups, and white-collar criminals.
These industry snapshots illustrate the wide variety of issues, concerns, and environmental
factors that affect assets protection programs. They highlight the meshing of security concerns
with business and management issues in planning for a safe and secure setting in which to
conduct the enterprise’s mission.
x globalization in business
Some of these forces are at least partially within an assets protection manager’s ability to
influence, while others are not. In either case, security professionals should study and
leverage these forces as they formulate tomorrow’s protective strategies.
Security professionals should take the time to ask questions and determine what the actual
problem is and then create a comprehensive assets protection strategy, not a short-sighted
quick fix.
On the other hand, some people see technology as the solution to everything. Most common
functions today consist of several layers of technology. If something does not work, the
tendency is to add another layer of technology (Naisbitt, 2006). Careful examination of the
problem might show that a solution blending technology and other solutions (training, poli-
cies, or personnel) is best.
The perception of violence as normal can also affect the reaction of security officials. If they
become desensitized to crime and violence, they may take incidents less seriously or react
more slowly than they should.
High technology plays an important role in assets protection, but it exacts ongoing costs,
such as training and maintenance. In many situations it makes sense to step back and take a
“back to basics” approach. For example, “Given a specific security challenge, imagine how
you would develop a solution if you had no access to technology at all. You can then think
outside the box and interject some traditional creativity into the problem-solving process”
(Naisbitt, 2006).
When planning for security, the professionals should always consider the culture of the
organization. … Does the corporate culture foster a sense of community? Do employees respect
and care for one another? Does the nature of their work allow them to develop relationships,
or do they work in a vacuum? How much human interaction is there?
In addition to the six preceding symptoms of high-tech intoxication, two other issues are
worth considering:
The bottom line is that human factors must always be considered in the development of
security strategies. For example, the security approach called crime prevention through envi-
ronmental design (CPTED) uses psychology, architecture, and other measures to encourage
desirable behavior and discourage undesirable behavior. Some critics claim that CPTED does
not show a conclusive link between the design concept and a reduction in crime. However,
where CPTED has been used, the recording agencies claim that there are fewer reported
incidents when compared to similar structures or developments within their jurisdiction.
Values and concepts [such as] political and economic openness, democracy and individual
rights, market economics, international trade, scientific rationalism, and the rule of law …
are being carried forward on the tide of globalization—money, people, information, tech-
nology, ideas, goods and services moving around the globe at higher speeds and with fewer
restrictions.
Our adversaries increasingly understand this link. … They are adept at using globalization
against us—exploiting the freer flow of money, people, and technology … attacking the
vulnerabilities presented by political and economic openness … and using globalization’s
“downsides.”
Globalization makes it necessary for assets protection managers to consider a wider variety
of customs, cultures, laws, business practices, economic factors, language issues, workforce
characteristics, and travel requirements. A more radical vision of the impact on organizational
structures is described in William Davidow and Michael Malone’s The Virtual Corporation.
They argue that the centerpiece of the new economy is a new kind of product: the virtual
product where major business functions are outsourced with hardly any internal departmen-
talization. This will give the corporate security manager even more challenges in the protection
of proprietary information, product security, supply chain security, and business continuity. As
in all cases the dissemination of sensitive or proprietary information should be on a need-to-
know basis. Security professionals should not erect barriers to international business but
instead should help their organizations overcome those challenges and comply with the many
regulations and standards that apply around the world (Heffernan, 2006).
Voluntary Standards
Standards from the well-known International Organization for Standardization (ISO) and the
American National Standards Institutes (ANSI) are voluntary but widely adopted. Some have
been integrated into various countries’ regulatory frameworks. ISO standards that are relevant
to assets protection involve such issues as safety and security lighting, identification cards,
radio frequency identification), protection of children, and IT and information security. In the
United States, voluntary standards are also set by the National Fire Protection Association
(NFPA). Many NFPA standards are incorporated into regulations, such as building codes.
Several standards from Underwriters Laboratories (UL) relate to security equipment, such as
locks, alarms, and access control systems. Other standards are set by trade and professional
associations, such as the Illuminating Engineering Society (lighting standards and practices)
and the Electronic Industries Association (electronic components and products).
Mixed Standards
The distinction between statutory and voluntary standards becomes blurred when voluntary
standards are incorporated into laws or regulations. For example, many of the requirements
in Occupational Safety and Health Administration directives are verbatim references to
standards from such organizations as the NFPA.
In other situations, a standard may remain technically voluntary but practically obligatory.
For example, security standards from UL or Factory Mutual may be used as criteria by
insurers. In other words, they may determine the availability and cost of casualty insurance
based on the use of UL-approved materials or UL-standardized practices. Contracts, too,
may incorporate standards as requirements.
INTERNATIONAL
UNITED STATES
Figure 4-4
Selected Standard-Setting Bodies
The International Foundation for Protection Officers offers several certifications for security
officers and supervisors: the Certified Protection Officer, Certified in Security Supervision
and Management, and Certified Protection Officer Instructor designations.
Several IT security certifications are also available, such as the Certified Information Systems
Security Professional (through the International Information Systems Security Certification
Consortium) and the Certified Information Security Manager (though the Information
Systems Audit and Control Association).
Specialized security certifications within particular industries are also becoming common in
such sectors as health care, hospitality and lodging, and finance. Finally, certification in crime
prevention is available through many state agencies and also through the International CPTED
Association.
Some jurisdictions require licensing of various types of security practitioners. Most licenses
require training, background screening, qualification, and registration. In the United States,
licensing is generally the purview of states or localities, but national licensing is under
consideration.
Figure 4-5
Selected Security Certification Web Sites
It is widely accepted that “companies’ assets are now increasingly information-based and
intangible, and even most physical assets rely heavily on information” (ASIS International,
2005). An approach using only physical or IT security measures is insufficient. Assets
protection managers must also employ traditional information security, personnel security,
technical security, and public relations and other external communications to protect
intangible assets. A true convergence approach would also employ security architecture and
design, crime prevention through environmental design, investigations, policies and
procedures, and awareness training.
From an assets protection perspective, reactions to the attack have been a mixed
development. On the positive side, 9/11 raised awareness of security among decision makers
and increased the respect paid to the security profession. It also made resources available for
security enhancements and led to increased interaction among security officials, first
responders, emergency planners, and the communities they serve. On the negative side, 9/11
caused knee-jerk reactions that resulted in wasteful spending, unnecessary security measures,
misdirection of needed funds, and the surfacing of dishonest or unqualified vendors.
Assets protection professionals should study those reactions and apply what they learn to
comprehensive assets protection strategies. That way, they can leverage the awareness and
resources available to improve their organizations’ security posture.
Still, there is a danger of overemphasizing the threat of terrorism and the practice of
homeland security. Assets protection professionals must address the broader security issues
relevant to their particular environment.
4.4 MA
ANAGEM
MENT OF ASSETS
S PROTE CTION
In addition
a to technical
t exp
pertise, assetts protection
n professionaals need a so olid groundiing in
org
ganizational managemen nt. Success in the fielld—which m may mean saving livess and
pro
otecting valuable assets—
—depends on n the proper balance of tthree manag gerial dimenssions:
tech
hnical expertise, manageement abilityy, and the abbility to deal w
with people.
Figure 4-6
Three Managerial
M Dim
mensions
In addition, management should be guided by two principles, called “who is the customer?”
and “quality.” These principles should become part of the organization’s culture.
Most organizations actually serve multiple customers. It is important to identify all of them
and to understand their interrelationships. Then the assets protection manager can sell the
program not just to executives but to all the customers of assets protection services. Figure 4-
7 lists some of those customers.
Figure 4-7
Assets Protection Customers
Taking a more comprehensive view of who the customers are and how best to meet their
needs can result in greater security team effectiveness. The large view also demonstrates the
assets protection manager’s commitment to the business mission as a whole, not just to the
security mission. That commitment often leads to greater respect for the assets protection
function and ultimately greater influence throughout the enterprise.
Quality
Some managers may think that quality is something in a plan on the shelf, something that is
done once, or something that belongs to the quality assurance experts. That view is wrong.
Quality “belongs to everyone, all the time” (Dalton, 2003, p.240).
Although a quality program may begin with tools, measures (metrics), and special processes,
the culture of quality should ideally become a part of the organization and be integrated into
all business practices.
A culture of quality can be developed in any type of security organization. For example, security
service providers are increasingly formalizing and standardizing their quality programs.
x Planning includes developing strategic goals and objectives, aligning assets protection
objectives with the organizational vision, organizing the assets protection function in
the way that best meets objectives, and determining how the mission will be
accomplished.
x Evaluation involves stepping back from day-to-day activities to objectively assess how
well objectives are being met and what factors are contributing to the success or lack
thereof. Reporting, documenting, and using information to make adjustments and
improvements are all important parts of evaluation.
These tools are as applicable in the security services or products arena as they are in the
corporate or organizational setting. In a quality assurance/quality control (QA/QC) program
in a firm that provides security officers, the tools could work as follows:
x Planning may entail developing the company’s QA/QC program, obtaining executive
buy-in, preparing documentation, training supervisors, and establishing procedures.
x Planning may entail setting strategic objectives consistent with the enterprise’s
mission and vision statements, organizing the security function within the enterprise,
determining resource requirements, establishing liaison relationships, developing
policies and procedures, and identifying staffing needs.
None of these functions should be neglected at the expense of the others. They should be
repeated in an ongoing cycle that results in up-to-date and appropriate assets protection
protocols, procedures, and practices.
The “span of control” principle suggests that a single person can supervise only a limited
number of staff members effectively. The specific number depends on such factors as the
nature of the work and type of organization, but as a general rule one manager can
Unity of command dictates that an individual report to only one supervisor. It is based on
the concept that a person cannot effectively serve the interests two or more masters (that is,
managers). It is the supervisor’s responsibility to ensure the best performance from the unit he
or she manages. Some company structures make unity of command less important, but in
most settings employees still need a clear understanding of which policies they need to adhere
to (primarily) and who will provide day-to-day direction, quality control, and conflict
resolution.
Placement of the security department within an organizational structure can greatly affect
the assets protection manager’s ability to exert influence, remain informed, and garner
resources to support his or her programs and strategies. Assets protection managers, by the
nature of their expertise, must have functional authority within the organization and be
identified as part of the corporate management team. The rule of thumb is that the senior
security or assets protection professional should be placed as high as possible in the
structure of an enterprise and report directly to senior or executive management. A common
discussion today is whether security should be placed under the chief information officer), IT
security should be placed under a chief security officer, or some other arrangement should
be made. If the enterprise includes a chief risk officer, assets protection may be placed in his
or her division.
More information on the chief security officer’s role in organizational management can be
found in the Chief Security Officer Guideline, published by ASIS International (2004). It dis-
cusses roles and responsibilities, success factors, key competencies, organizational issues,
and strategy development.
x Many security risks are the result of human threats, and behavioral science can yield
insights into human threat sources.
x Security management requires effective interaction with other people, including
collaboration, education, influence, supervision, and the most important, excellent
communication skills.
x An effective security manager must also have trust in his or her staff members and have
the ability to delegate to them not only the responsibility but also the authority to act
within their functional area.
Self-
actualization
Esteem
Affiliation
Security
Physiological
Figure 4-8
Maslow’s Hierarchy of Needs
Basic or lower-level needs must be met before a person is motivated by the next higher level
of needs.
The first set is job content (motivators), such as achievement, recognition, responsibility,
and satisfaction derived from the work itself.
The second set is job context (hygienes), such as the surroundings, physical work conditions,
salary, coworkers, and other factors that are external to the work itself.
Hygiene factors (such as a fresh coat of paint on the wall) will be able to move an individual
from a state of dissatisfaction to no satisfaction, but only motivation factors can move that
person from no satisfaction to satisfaction.
The lesson is that managers should avoid quick fixes. Manipulating hygiene factors may
alleviate dissatisfaction but will not result in a state of satisfaction. Allowing an individual to
reach a state of satisfaction requires changes in the work content itself, such as increased
autonomy or responsibility (Buhler, 2003).
Incident Management
Motivation theories may be useful in developing emergency plans, business continuity
plans, and incident response plans. A major factor in any incident is how people will react—
those directly involved in the incident, bystanders, indirectly affected persons, security forces,
and first responders.
Some data can be gathered from exercises and drills through documentation and after-
action reports. Interpreted through human motivation theories, that information may aid in
the development of plans and procedures that will help ensure a smooth response to a real
incident.
Motivation theory can contribute to the planning and development of a QA/QC program, a
department organizational structure, an advancement plan, assessment or evaluation criteria,
awards programs, discipline procedures, communications venues, and even dress codes.
Behavioral science plays a role in almost every aspect of personnel management.
Behavioral theories can guide both content and delivery methods for security training and
awareness, which has been recognized as one of the most cost-effective assets protection
tools (Webster University, 2006). In addition, security training and awareness efforts should
take account of adult learning styles and current instructional design methods. When
employees can relate to the information presented and the way it is presented, the training is
more effective. Managers need to set direction and establish a professional setting, but
through training they need to avoid making operating decisions that should be made by their
supervisors and officers. As an example, when a subordinate requests advice about a routine
operational problem, the supervisor should avoid giving a specific solution, opting instead to
guide the subordinate, through an open exchange of information, toward identifying the
solution himself or herself.
Corporate Ethics
One of the first questions that comes to mind after a large-scale corporate scandal is “What
could have possibly motivated those people to do that?” Behavioral science theories may
help answer that question. They can be applied to help prevent, respond to, and recover
from major white-collar crime incidents and can also contribute to programs that address
smaller-scale, everyday ethical lapses.
To become a more effective motivator, then, managers must understand as much as possible
about [motivation theory] and then pick and choose what best fits with which individuals.
The bigger the bag of motivational tools, the more likely the manager will be able to
understand employees’ needs and tailor rewards to better meet them. [This] enables
managers to get more done through others.
APPENDIX A
In many organizations, a current trend is the integration of insurance management into a broader
assets protection program. Therefore, this appendix describes the types and uses of insurance,
primarily in the corporate setting. Further information is available through resources listed at the end.
Most risk management tools are either proactive or reactive, but insurance is a combination of the
two. From a proactive stance, it is the best-known form of risk transfer and is actually considered
an asset of the organization. It is also reactive in that the insurance benefits are not used until after
a loss occurs.
Insurance is a formal undertaking between two parties—the insurer and the insured—under
which the insurer agrees to indemnify or compensate the insured for specified losses from
specified perils. Insurance is “a formal social device for reducing risk by transferring the risks of
several individual entities to an insurer. The insurer agrees, for a consideration, to assume, to a
1
specified extent, the losses suffered by the insured.”
In most cases, it is impossible to be fully compensated for a loss, regardless of how much
insurance coverage an enterprise has. Modern management is now more interested in preventing
losses than in trying to buy insurance to cover every possible risk.
In the insurance world, the portfolio theory involves a comprehensive analysis of business risks and
pure risks. A risk model might analyze movements in exchange rates, changes in raw material prices,
and downtime caused by a catastrophic event. This model would produce an aggregate loss
distribution to estimate the likelihood and effect of several events occurring simultaneously. By
treating the risks as parts of a single portfolio, separate insurance policies for each risk can be
eliminated. The theory is that by managing risks, little or no outside insurance is required.
1
Glossary of Insurance Terms, University of Calgary, Canada, 1998, http://wcmprodlb.ucalgary.ca/haskayneundergrad/rminlinks/glossary.
INSURANCE OVERVIEW
Insurance is often divided into two general categories: property and liability. Property coverage
includes building and equipment damage or loss, as well as items like cash and negotiable
instruments of all kinds. Liability coverage encompasses all employee risks and includes workers’
compensation and non-occupational coverage, as well as coverage for losses affecting the general
public, such as automobile liability, product liability, landlord liability, contractor liability, and
environmental liability.
The basis for coverage is the insurance policy, the written contract between the insurer and the
insured. Many insurance contracts or policies have been standardized; however, they are not all
alike in coverage. For that reason, each policy must be carefully examined to determine the
coverage offered. Contracts of insurance are seldom read in detail by the owners until a loss occurs.
To determine the protection offered by a policy, the following questions must be asked:
A policy may limit coverage by defining which part of the peril is covered or which part is not
covered. For example, a fire policy states the hazards not covered. The standard policy form
excludes fire losses resulting from action taken by military, naval, or air forces in an actual or
immediately impending enemy attack, invasion, insurrection, rebellion, revolution, civil war, or
usurped power. It also excludes fire losses resulting from neglect of the insured to use reasonable
2
Glossary of Insurance Terms.
means to protect his or her property, along with losses caused by order of civil authority (except
destruction of property to prevent the spread of a fire that did not originate from an excluded peril).
It is important to understand the terms burglary and robbery as they are used in insurance
policies. Burglary is generally defined as felonious abstraction of insured property by any
3
individual or individuals gaining entry to the premises by force. There must be visible marks on
the exterior of the premises at the place of entry, such as evidence of the use of tools, explosives,
electricity, or chemicals.
Robbery is usually defined as the felonious and forcible taking of property by violence inflicted
upon a custodian or messenger, either by putting the person in fear of violence or by an overt act
committed against the custodian or messenger who was cognizant of the act. Sneak thievery,
pickpocketing, confidence games, and other forms of swindling are not included in robbery
coverage.
A burglary contract does not cover robbery. Similarly, a robbery policy does not cover burglary.
Neither policy covers losses resulting from the felonious taking of property where there are no
visible marks of entry and where there has been no violence or threat of violence. A theft or larceny
policy is required to obtain coverage for such losses.
x The specific property excluded may be more easily covered under other forms of insurance.
x The moral hazard—a condition of the insured’s personal habits that increases the proba-
bility of loss—may be prohibitive.
x The property might be so uncommon to the average insured that the rate for the standard
policy should not include it.
3
In law, burglary is forced entry or exit with intention to commit a crime. The abstraction of property is actually a larceny. But
insurance policies combine the forceful entry and the taking or abstraction under the single term burglary.
x direct loss, such as the physical loss of or damage to the object concerned
x loss of use, such as the reduction of net income due to loss of use of the damaged or destroyed
object
x extra-expense losses, such as the costs of defending a liability suit and paying judgment or
hospital and medical expenses following a personal accident
Most policies cover direct losses only. Some may, in addition, cover a few forms of indirect losses.
For example, a standard fire insurance policy usually covers only the actual cash value of the
property at the time of the loss. Actual cash value is the cost to replace or restore the property at
4
prices prevailing at the time and place of the loss, less depreciation. It will not offer compensation
for additional expenses of rebuilding required by ordinances regulating construction or repair, and
it will not cover the loss of use while the property is being replaced. In addition, it will not pay for
the loss of income, such as loss of rent, while a building is being rebuilt.
Insurance carriers encountered difficulties matching premiums with losses that could still be
covered years after occurrence. As a result, a new form of contract was developed. This form,
known as the claims-made type, provides coverage only for losses that are reported during the
period the policy is in force.
If an insured with a claims-made policy leaves one carrier in favor of another, the new carrier will
probably not cover losses occurring before its own first contract date, even if the claim is made
during the contract period. This tends to lock insureds in with a single carrier. It also raises issues of
later endorsements to reduce coverage, the need for an insured to solicit claims against itself in order
to pass them to the carrier in a timely way, and the uncertainty of coverage or its cost when seeking
to terminate the contract. The solution to this problem is usually called “tail cover”—retrospective
coverage for events that occurred during a prior policy period but are raised during the tail period.
To change carriers, it is normally necessary to purchase tail cover from the prior carrier.
4
Glossary of Insurance Terms.
The limiting provisions may be either “while” clauses or “if” clauses. That is, coverage is
suspended while certain conditions exist or if defined situations exist. The fraud and concealment
clause found in many contracts is a typical “if” clause. It states that coverage is void if, either before
or after a loss, any material fact or circumstance concerning the insurance has been willfully
concealed or misrepresented. An example of a “while” clause would be a statement that the
insurance company will not be liable for loss while the hazard is increased by any method within
the control or knowledge of the insured. Another common example would be the vacancy clause,
which suspends coverage while a property stands vacant beyond a specified period.
In fidelity coverage, it is customary to exclude from coverage any person the insured knows to have
committed any fraudulent or dishonest act, in the insured’s service or otherwise. The exclusion
usually dates from the time the insured became aware of the fraudulent or dishonest act. The
insurance carrier may grant case-by-case exemptions to the exclusion. For example, should a
person be hired despite a minor dishonest act revealed in a preemployment investigation, an
exemption to the exclusion should be requested.
Endorsements
Insurance policies have been standardized by custom, law, or inter-company agreements.
Standard policies may be modified by endorsements—sometimes called riders—to increase or
decrease the coverage of the standard policy. Standard endorsements are available, but if they are
not adequate for the coverage desired, special endorsements may be written and added to the
standard policy. When in conflict with the standard policy, the endorsement governs unless it is
illegal.
Crime Coverage
Crime insurance is written to protect the insured against loss by burglary, robbery, theft, forgery,
embezzlement, and other dishonest acts. Two types of bonds may be used for protection: fidelity
and surety. Fidelity coverage is written to protect the employer from the dishonesty of employees.
Surety coverage is intended to guarantee the credit or performance of some obligation by an
individual.
Insurance coverage against crime may be obtained by purchasing a standard crime policy, then
adding the necessary endorsements. It is essential to understand the meaning of each criminal
term used by the insurance company in order to ensure that adequate protection is obtained.
Policies may exclude certain items or may not include certain crimes.
The comprehensive 3D policy is a combination fidelity crime insurance policy designed to offer
the widest possible protection. The standard form contains five insuring agreements. The insured
may select as many as needed and specify the amount of coverage on each. The following are the
basic coverages offered:
Assets protection managers should consider an endorsement for IT equipment and data if they are
not adequately covered in the policy. In determining whether coverage is adequate, the following
questions should be asked:
Business Interruption
Business interruption insurance offers a number of coverage choices. For example, coverage can
be written on a named peril or all-risk basis. If a building or machine sustains physical damage,
there will usually be at least an interruption of production or sales, resulting in financial loss. Other
incidents may not damage the physical facilities but may nevertheless cause a shutdown. For
example, a subcontractor might be required to shut down if the plant of the prime contractor is
destroyed, or a factory across from a chemical plant might be forced to lose a day’s production
because of noxious fumes from the chemical plant. These types of risks can be covered with
endorsements known as contingent business interruption loss forms.
A business that might not return to normal for some time after reopening following a shutdown
could consider another type of coverage: the endorsement extending the period of indemnity. An
example of a business requiring such coverage would be a bowling alley. A fire just prior to the
opening of a bowling season might cause league business to go elsewhere for the full season. Even
if the establishment is able to reopen in two months, it might not recover its normal business until
the following year. With standard business interruption insurance, the coverage would stop once
the facility was restored to operating condition. With the endorsement extending the period of
indemnity, the coverage would be extended for the amount of additional time purchased.
Another type of business interruption insurance is the business interruption and extra expense
endorsement. While the basic business interruption forms include coverage for normal extra
expenses, other expenses may be incurred. Such expenses may be incurred to keep a product on
the market regardless of cost or, for a bank, to function regardless of expense. When the situation is
not a clear-cut case of either loss of earnings or incurring extra expense, a combined endorsement
may offer good protection.
Liability Endorsements
Liability coverage in recent years has become increasingly important because of cases in which
organizations have been held liable for property damage and for injury to victims. Under tort law,
injury victims are entitled to collect for losses and mental anguish from anyone they can prove
responsible for intentionally or negligently injuring them or damaging their property.
Liability litigation is widespread, and the number of liability cases continues to rise. Products are
challenged as unsafe or badly designed, and such actions frequently result in large damage awards.
Professional liability suits against engineers, architects, physicians, and lawyers have multiplied,
and the cost of liability insurance for some professionals is enough to cause them to abandon their
practice.
In the security field, too, liability litigation has exploded, resulting in many large damage awards
against security personnel, contract security agencies, and employers or client companies.
A commercial general liability policy—the standard policy offering liability coverage—is less
comprehensive than generally assumed. As a result, to ensure the necessary coverage, several
endorsements should be added, such as those below.
EPLI covers defense costs, judgments, and settlements but may not cover punitive damages, fines,
or penalties. Workers’ compensation, bodily injury, and property damage, and any liability
covered specifically in another policy are generally not covered. EPLI usually covers the corporate
entity, employees, former employees, directors, and officers. Some policies also cover volunteers.
Product Liability
Product liability insurance is sold to manufacturers and dealers of goods. Protection is offered for
damage claims arising from the consumption or use of articles manufactured, sold, handled, or
distributed by the insured, if the damage occurs after possession of the goods or products has been
relinquished to others and if the damage occurs away from the insured’s premises. An exception
exists for organizations that serve food on the premises, for which special coverage is necessary.
Product liability suits may be based on either the tort theory of negligence or the contract theory of
breach of warranty. Since it is easier to prove breach of warranty than negligence, most claims
involving products are based on a breach of an express warranty or an implied warranty that the
product sold is reasonably fit for the particular purpose for which it was bought. Liability coverage
must be examined carefully to ensure that breach of warranty is included. If not, an endorsement
should be added for this protection.
The recall of products, which is excluded in standard liability coverage, can create an expensive
problem. Frequently, manufacturers are required to recall automobiles, television sets, food
products, or pharmaceuticals. The manufacturer is normally required to assume responsibility for
removing the defective item from the possession of all wholesalers and retailers.
Product recall coverage can be obtained by adding an endorsement to the comprehensive liability
policy. This coverage is known as product recall or product withdrawal expense. The coverage may
be written to cover recall of products only if bodily harm is threatened, or it may cover products
that threaten only property damage. The loss of the product itself is not covered.
Insurance Providers
Regardless of the type of insurance provider, customers should be able to expect rapid
compensation for losses incurred. As in any other business relationship, due diligence must be
exercised when selecting an insurance provider. The financial stability and claims settlement
record of the provider is critical to timely reimbursement of a loss. Most organizations select an
insurance provider and settle into a long-term business relationship without subsequent review of
the financial condition of the provider, but ongoing due diligence is necessary.
The size of the enterprise and its insurance needs typically suggest the type of provider that will be
most cost-effective. Small organizations tend to deal directly with the insurance company or use a
broker. Mid-size organizations have the same options but may also join a risk retention group.
Large organizations have all four of the options listed above. The four different sources of
insurance are discussed below.
Insurance Companies
The large number of insurance companies and the wide variety of policies they offer ensures that
coverage can be found for virtually any risk. In essence, uninsurable risk is only heretofore
uninsured risk. Many organizations merely select an insurance carrier with a good name, accept
the coverage that the representative suggests, and pay the policy premiums. Sound management
principles demand more.
A financially weak carrier tends not to pay claims in a timely manner. If the carrier becomes
insolvent, claimants can turn to the state guarantee trust fund for partial recovery. This is a lengthy
process, and claimants are limited to a certain dollar amount. In essence, choosing the wrong
insurance company can, in itself, be a high risk. The financial stability of the insurance carrier
should be reviewed before entering a contractual relationship, and subsequent reviews should be
conducted at least annually.
The financial stability of insurance carriers is rated by a number of rating services. Each service
uses a different formula, and the rating of a specific insurance company may vary among the
rating services. Prudent managers consult more than one rating service. A significant difference in
the ratings of a company should be a red flag denoting the need for further investigation. Rating
services measure the financial condition of the insurance carrier but do not measure the speed of
claims payments.
Government insurance departments are also valuable sources of information. In the United States,
in each state insurance companies are authorized to do business in, they must file annual financial
statements with the state insurance department. Other pertinent information includes the number
of complaints filed against the company and any disciplinary action taken against the company.
Insurance Brokers
Insurance brokers are marketing specialists who represent buyers of property and liability
insurance and who deal with either agents or companies in arranging for the coverage required by
5
the customer. Insurance brokers deal with more than one insurance company and can suggest the
company best suited to provide a specific type of policy. The expertise and responsiveness of a
broker should be verified by contacting other clients. A good broker keeps abreast of the financial
stability of the insurance companies with which insurance is placed. The broker who arranges
insurance coverage with an insurance company that becomes insolvent may become a defendant
in a civil action.
5
Glossary of Insurance Terms.
RRGs typically market their liability policies to purchasing groups (PGs), which consist of
organizations that have similar liability insurance needs because of the nature of their business. In
the security field, PGs have consisted of guard and investigations concerns. The PG can acquire
liability insurance for its members from the RRG. Typically, the attraction of such an approach has
been the availability of liability coverage and lower premiums. Some RRGs have experienced
funding or other difficulties and have either abandoned the field or otherwise caused problems for
the PG insureds. Overall, the RRG is a viable alternative to high premiums and the difficulty of
obtaining special coverage; however, the particular group and its track record should be studied
carefully.
Captive Carriers
One of the problems of liability insurance has been the high premium cost when using carriers
conventionally licensed within each state where they offer the coverage. One solution is the
captive insurer—a separate, wholly or principally owned firm, usually organized offshore, used to
write the insurance for the owning company. Sometimes a captive insurer is owned by an
association of two or more firms with common insuring interests. When appropriate, a captive
insurance carrier can make it easier to insure risks not acceptable to conventional carriers, can
help make a more favorable expense ratio, and can open reinsurance resources not otherwise
available. However, the captive carrier is generally a technique of larger firms.
INSURANCE RESOURCES
Business Insurance magazine and online resources, www.businessinsurance.com
The smart approach to protecting your business: Managing your risk, The Hartford in association
with the U.S. Small Business Administration, www.thehartford.com/corporate/losscontrol/SBA/
TIPS/2009/Product%20Liability%2019295.pdf
REFERENCES
ASIS International. (2004). Chief security officer guideline. Alexandria, VA: ASIS International.
ASIS International. (2005). Scope and emerging trends: Executive summary. Alexandria, VA: ASIS
International.
Buhler, P. M. (2003, December). Managing in the new millennium: Understanding the manager’s
motivational tool bag. Supervision.
Dalton, D. R. (2003). Rethinking corporate security in the post 9/11 era. Burlington, MA:
Butterworth-Heinemann.
Drucker, P. F. (1974). Management tasks, responsibilities, practices. New York, NY: Harper and Row.
Duffy, G. (2006, September 23). Vice President, American Society for Quality, www.asq.org.
Unpublished document.
th
Fennelly, L. J. (2004). Handbook of loss prevention and crime prevention (4 ed.). Burlington, MA:
Elsevier Butterworth-Heinemann.
th
Fischer, R. J., & Green, G. (2004). Introduction to security (7 ed.). Burlington, MA: Butterworth-
Heinemann.
Glassman, C. A. (2006, June 8). Complexity in financial reporting and disclosure regulation.
Presentation at the Security and Exchange Commission and Financial Reporting Institute
Conference, Pasadena, CA.
Heffernan, R. J., CPP. (2006, September 25). 2006 trends in proprietary information loss survey
results: An overview. Presentation at the ASIS International Seminar & Exhibits, San Diego, CA.
Naisbitt, J., Naisbit, N., & Phillips, D. (1999). High tech/high touch. New York, NY: Broadway Books.
Naisbitt, N. (2006, June 22). Founder and executive director, The Pinhead Institute, Telluride, CO.
Personal interview.
National Institute for Standards and Technology, Computer Security Resource Center. (2006).
History of computer security. Available: http://csrc.nist.gov/publications/history [2006, July
28].
Webster University. (2006). Business assets protection. Course materials for Business and
Organizational Security Management Program. Washington, DC: Webster University.
Wilson, T. R. (2002). Global threats and challenges. Statement to the U.S. Senate Armed Services
Committee by the Director of the Defense Intelligence Agency, March 19, 2002.
x Ensure that the operations are conducted in the least expensive, but cost effective way.
A historic, continuing problem is the inability to demonstrate that asset protection expendi-
tures lead to tangible, more valuable goals—in other words, to justify the cost of an asset
protection program to enterprise management.
One way to view the issue is to consider a business with gross annual sales of $250 million
and an asset protection operation costing $1 million annually. At that level, asset protection
constitutes 0.4 percent of sales. Senior management will want to know why $1 million should
be spent on asset protection rather than on something else. The “something else” could even
be a short-term investment in financial instruments. At a modest 4.5 percent annual return,
$1 million would earn $45,000 in a year. Thus, the $1 million expenditure actually costs the
enterprise $1,045,000 in a year. That cost must be weighed against the consequences of not
having a security program. Cost-effectiveness also applies within the asset protection
operation itself. An expense budget allocates monetary value to a department’s activities.
The security manager must consider whether a given resource is the most effective one
available at the stated cost. For example, if $30 padlocks are used to secure loaded semi-
trailers in the company lot, the security manager should attempt to answer these questions:
Senior management will inevitably view all operations from a financial perspective, because
the department that plays a direct role in the generation of revenue is a profit center. A
security professional lacking this perspective will be unable to justify continued funding of
the security program, especially if the enterprise is emphasizing financial austerity. The three
main expense categories that security professionals must consider when developing a budget
are salaries, operational expenses, and capital expenditures. An essential step in developing a
department budget is to review the organization’s overall strategy and goals to determine
how the security budget fits in. Is it in line or does it exceed what would be realistic and
acceptable to senior management?
Necessary protection programs are often substantially cut because, in the intense
competition for scarce funds, no persuasive argument is made for them. However, the
increased losses that might follow a security cutback could easily and greatly exceed the
presumed saving. The following are various financial concepts that can be used to show
value for money.
ROI can be measured in time saved, improved efficiency, reduced manpower, reduced losses,
lower liability or insurance payments, or greater customer satisfaction. It all translates into an
improved bottom line over time.
The expectation is that security measures should not merely be efficient but should provide a
positive return on investment. For example, security awareness programs may be judged as
effective when benefits are either commensurate with cost or exceed cost estimates. The return
varies in different organizations but may include increased customer satisfaction, happier,
more secure employees, increased productivity, reduced employee turnover, cost savings,
actual revenue, reduced false alarms, saved lives, or anything else that can be quantified.
However, many organizations do not make ROI calculations when judging security spending;
they merely adopt a budget based on historical experience or future estimates. According to
an Ernst & Young study (2003) of the information security field:
AL + R
= ROI
CSP
AL = Avoided loss
R = Recoveries made
CSP = Cost of security program, including personnel expenses, administrative expenses, and capital costs
Figure 5-1
Return on Investment (ROI) Formula
The next step was to determine the causes of the alarms. There were three factors: the age of
some equipment, a lack of training and familiarity with the fire alarm system, and a lack of
communication between staff and contractors working in the building. Once these factors
were identified, replacement parts were installed, a training program was initiated, and a
formal communication program was implemented. All costs were captured and compared.
The annual costs of nuisance alarms in Year 1 were compared to the same costs in Year 2,
after nuisance alarms were reduced. Nuisance fire alarms were found to have cost the
organization $50,000 in Year 1, before the security program reduced nuisance alarms. In Year
2, following the nuisance alarm reduction initiative, alarm costs dropped to $10,000,
resulting in an avoided loss of $40,000. The annual cost of the nuisance alarm reduction
initiative is $10,000. Hence, for an annual investment of $10,000, the organization saves
$40,000. In other words, for every $1 invested, the company saved $4.
Two-Way Radios
A company was using a trunk cellular two-way radio system. Staff complained of multiple
areas within the building where the radios did not work. The result was a waste of staff time
as they moved out of the dead spots to use their radios, an increase in staff risk when they
were out of radio range, and delayed responses to security, safety, and medical incidents.
Additionally, because of the radio system’s trunk cellular nature, the organization was paying
hard costs of $25,000 annually for air time. The soft costs were harder to quantify and were
left out of the equation. Prospective avoided losses (due to upgrading the radio system)
included possible lawsuits and workers’ compensation claims. Avoided losses were
estimated at $25,000 per year.
The length of the solution may alter the ROI calculation. One method of calculation would be
to multiply the savings by the number of years the original radio system would have been in
use before being replaced. For example, if the radio system had another 10 years in it, then
the annual savings can be multiplied by 10 to obtain the final figure.
A replacement system was researched and installed. The capital expenditure purchase and
installation of the system (cost of security program) was $60,000. Based on a single year, the
formula results in return of $0.41 for every dollar invested. Additionally, all other issues were
resolved to the satisfaction of staff and tenants, including delays in responding to incidents
where time was of the essence. If 10 years were factored into the formula, then the ROI would
be $4.10 for every dollar invested.
Mainstream security management has been slow to adopt a metrics-based approach, but the
trend is changing. Through the application of metrics, security managers are better able to
show the cost-effectiveness of asset protection.
A loss prevention program can collect metrics on arrests made, recoveries per year,
recoveries per officer, arrests per shift, arrests per location, and other topics. Metrics in the
commercial high-rise industry can be gathered on the number of thefts occurring, costs per
square foot, number of fire alarms per year, number of incidents, doors found open, number
of undesirable persons, recoveries made, investigations conducted, etc. Shopping mall
security management can collect metrics on arrests made, number of people banned from
the property, interactions with the public, loss prevention seminars conducted with retailers,
patrols conducted, cars stolen from the parking lot, etc. Corporate security can collect
metrics on investigations conducted, recoveries made, risk assessments conducted, travel
briefings provided to staff, etc.
Once baseline data is collected, security managers can experiment with and fine-tune the
asset protection program to increase its effectiveness. Data analysis may also suggest
whether specific security measures are effective at all. It is up to the individual security
manager to determine what should be measured. Those metrics may help the security
manager answer the following questions:
Despite its importance, the security department must compete with other departments for
funding. From an engineering department perspective, if a piece of equipment will fail if not
repaired or replaced, the decision to spend money can be made easily. Other departments,
such as security and marketing, may find it harder to gain funds and should use ROI figures
to convince decision makers.
When expense budgets total more than the available funds, budget reviews are conducted.
Reductions are made by deleting planned expenditures—typically personnel and operating
expenses. After operations have commenced, periodic reports of actual results against bud-
geted results will indicate whether further expense reductions are required.
Management strives to maintain the margin between gross sales and expenses, even in the
face of reduced sales. Accordingly, the only way an operating function can justify continued
funding is to demonstrate that the real costs to the enterprise would be greater if the level of
support for the activity were reduced. If the contribution of the operating function cannot be
quantified or, when quantified, cannot be shown to result in greater net revenue than would
be possible without the function, sound management practices dictate that the function be
reduced or eliminated.
Preventing crime, closing investigations, and maintaining order are all legitimate and neces-
sary objectives of an asset protection program, but only for the purpose of helping the
enterprise achieve its basic goal. For commercial organizations, the goal is to make and
distribute products or render services so as to earn the planned profit. For public service or
not-for-profit organizations, the basic goal is to render services within the limits of the
available funds.
For example, if a company had earlier determined that $30 padlocks were the best solution
for a particular protection need, the company now should evaluate whether $20 padlocks
might provide the required protection. Purchasing 500 padlocks per year at $20 instead of
$30 leads to an annual savings of $5,000.
Security departments can also examine whether it is more cost-effective to use a proprietary
security officer force or a contract force.
Figure 5-2
Problems Discoverable on Security Officer Patrols
The least dramatic of these—the light left burning when it should have been extinguished—
could be resolved by motion sensors that turn off a light if no motion is detected within a
predetermined period. However if the organization does not use this technology, three
questions can be asked that will allow assessment of the value of the patrol action in turning
the light off:
1. If the security patrol had not turned off the light, how long would it probably have
remained on until discovered by someone else?
2. What is the expense to the enterprise for a light of that wattage burning for an hour or
a shift?
3. What cost has been avoided by turning off the light? (Item 1 multiplied by Item 2)
The savings for one light that might otherwise have burned needlessly for an hour will be
insignificant. But, over the course of a year, preventing hundreds of lights from burning
thousands of bulb-hours will result in significant cost savings. The same factors apply to
turning off machinery, where reduction of wear and tear is an additional benefit.
There could be far more serious consequences than energy expense. If a temperature is too
low or too high, a process could fail or a vessel rupture.
Taken individually, these housekeeping losses are not major items. However, a large facility
features many such items, so the cumulative effect of reducing them may be significant and
should be documented.
Other Strategies
Security managers can use several other means of identifying acceptable asset protection
strategies. For example:
x The STEP (Social, Technological, Environmental, and Political) Model points out
potential sources of threats. The security manager can then conduct an analysis to
determine whether such threats are likely and where they could come from.
The use of specially designed incident reporting forms also fosters easy data collection. One
approach to using such forms is as follows:
1. Design a good report form. Much time can be saved if the data fields are properly
designed. The minimum information to be captured should include date, time,
location, relevant names, name of officer, type of incident (light on, machine off, etc.),
and department affected by and responsible for the issue reported.
2. Teach security staff how to use it. All members of the asset protection organization
should be prepared to use and process these forms. Of course, the primary security
task—dealing with the incident, not just reporting it—must also be emphasized.
3. Promptly collect data and conduct initial analysis. Because report forms provide data
necessary for asset protection operations, they should be analyzed immediately by a
responsible supervisor. Software in portable data terminals can generate an immediate
report if any abnormal events or conditions require a prompt response. Routine
analysis should determine whether costs can be quantified and totaled.
Gathering numbers is important, but considerable information can also be gathered from
personal interviews. For example, useful information on robbery and shoplifting has been
gathered from one-on-one interviews between researchers and prisoners. Surveys, too, can be
powerful tools for the security manager—for example, on a specific problem like laptop theft.
Figure 5-3
Main Methods Used in Social Science Research
Display of the aggregate data is just as important as the data itself. A security manager should
show information, such as the number of thefts per year, in a pie, bar, line, cone, scatter, or
other chart. One can also choose to display all thefts, both successful and unsuccessful, side
by side. People interpret information differently, so there is no one correct choice. Some
security managers may decide that information displayed in raw numbers will meet their
needs. However, there is truth in the saying that a picture is worth a thousand words.
Certainly, when presenting information to decision makers with limited time, graphical
display makes it easier to convey a security manager’s key points quickly.
losses caused by outsiders has a much larger deductible than its insurance for insider theft
(fidelity coverage).
A security investigation might uncover evidence to persuade the carrier of two points:
x An outsider could not have gained access to the location of the theft during the period
when the theft occurred because of access controls then in effect.
x The missing materials were not simply purchased components but had been worked
on by the enterprise. The components therefore had a labor cost element in addition to
a purchase cost element at the time of the theft.
If the claim had been made under the external theft coverage, it would have been less than
the deductible. But, thanks to the asset protection investigation, the fidelity claim is allowed.
Therefore, the net amount of the claim can be added to the security database for later
reporting.
Even more important are inculpatory statements by trade secret thieves. Such statements
may lead to actionable claims by the enterprise for financial recovery other than an
insurance claim. The net cash value of such claims should be assessed and the items
identified and added to the database. They, too, are asset increases or expense reductions
that would not exist without the asset protection effort. For litigation and future claims, the
amount may be postponed until collection.
If the matter were referred to security rather than to a collection agency, the funds might be
recovered more cost-effectively. Payment with a nonnegotiable check and failure to make
the check good is a criminal offense in most places. Security will normally be familiar with
the process of filing criminal complaints. Because there is no charge to file a criminal com-
plaint, the expense to the enterprise will be that of maintaining the records and the time of
the representative who files the case and attends the hearing. A copy of the letter requesting
payment, proof of receipt of the letter (postal receipt card), and the check will generally
provide a prima facie case. The court can then issue a restitution order. If the face value of
the check is $1,000, the collection agency fee would be $300 to $500. If the matter requires
three hours of a security representative’s time at a rate of $40 per hour, the cost of recovery
would be only $120.
A formal incident reporting system is essential if the full cost-effectiveness of asset protection
operations is to be achieved. An incident reporting system does two things that could not
otherwise be done:
The company can decide which incidents are important enough to be reported. Shopping
malls, financial organizations, oil companies, commercial high-rise buildings, and
warehouses all have unique incident reporting requirements. Over time, security
departments may find that the types of incidents being reported become standard and
change infrequently. However, changes in legislation on health, safety, or privacy could
change the types of incidents that a company wants to track.
Once the company has established guidelines regarding which types of incidents must be
written up, all such incidents should be reported to a central point. It is also essential that the
right details be captured. It is better to know when and where certain items—such as hand
tools, small meters, fractional horsepower motors, flashlights, etc.—are disappearing from
than merely to know the gross value of the lost items. With the right information, the security
department is in a much better position to act to reduce losses.
For incident reporting to function, a statement of enterprise policy is needed. The policy
should do the following:
x Assign reporting responsibility to the persons accountable for the various types of inci-
dents. For example, building engineering would be responsible for health and safety
incidents.
Appendix A presents a model incident reporting form. The form requests the time and
circumstances of the incident, the assets involved, and their value. Information on circum-
stances will go into incident profile and modus operandi files and will help in the
development of countermeasures or recovery efforts. The asset description and valuation
will go into the security vulnerability and cost-effectiveness files. The total number of reported
incidents may be used to establish, in part, the criticality of company exposure. The frequency
of incidents will help determine probability. These factors, in turn, are incorporated into the
overall estimate of event probability and criticality on which the asset protection program is
based.
It is efficient to create a blank electronic form so that employees can complete the form
electronically and transmit it to the asset protection organization. It may also be convenient
for employees to report incidents by telephone to asset protection clerical personnel for
entry directly into the incident reporting system.
Many asset protection organizations have automated their incident reporting systems by
providing a report form (in the form of a Web page) on the company network. Employees
can conveniently and securely key in the incident information and immediately route the
form to the security department. This process is easier than a manual system that requires
mailing and copying each report. These approaches encourage employees to make reports.
In many organizations, incidents are reported not to a central location but to a variety of
departments, making tracking more difficult. The most common situation is to ignore the
incident or expense the actual or suspected losses within the department that incurred the
loss. That approach may conceal losses and, over time, may encourage the inclusion of
incidents or losses—many of which are preventable—in production or operating standards.
Also, if incidents are not reported to a central database, they may be seen as a series of
unique events when in reality they may be linked in some way and may be leading up to a
major loss event (Toft & Reynolds, 1999).
If manufacturing output amounts to $10 million per year, a 0.3 percent allowance for
shrinkage, variance, or some other write-off account amounts to a loss of $30,000. If the
business has a 15 percent profit margin, $200,000 in new sales would be needed to generate
the amount written off. For larger companies, the losses and necessary new sales are
commensurately greater. For example, 0.3 percent loss from a $100 million manufacturing
output would be $300,000.
Although those losses may not ruin the enterprise, preventing them would certainly improve
performance. An annual write-off of $300,000 would support the following:
x security director with a salary of $75,000 plus 30 percent for benefits (totaling $97,500)
x two investigators at $45,000 per year plus benefits (totaling $117,000)
x two clerical personnel for the security group at an estimated total cost of $50,000 per
year
It is axiomatic in asset protection that a competent corporate security staff pays for itself
many times over. Proper attention to the reduction of shrinkage or variance losses not only
provides integrity to the organization but also permits reallocation of resources to intensified
asset protection efforts.
x All employees must notify their immediate supervisors of any incidents or known or
suspected asset losses. This might be done informally or formally. All employees
should be made aware of their personal responsibility for such notification.
x First-line supervisors should be responsible for completing reports for losses within
their areas of responsibility. Supervisors then provide the reports to security personnel.
x The security manager is responsible for reviewing the report. Corrections or modifica-
tions, if any are required, can then be made.
The database should be designed to sort and retrieve data based on the following data fields:
6
Extra analysis may be required to determine modus operandi or other event characteristics. Examples of significant modus
operandi information would be a particular technique for defeating locks or the presence of unusual materials at the scene of
the incident. The security department should develop that information even if another department manages the files.
This type of report could be widely circulated to all members of senior management. It
would give them a current picture of the extent and type of actual or probable theft losses.
This report would immediately alert units with unacceptable incident records to the need for
corrective management action.
If profit center managers do not recognize the benefit of submitting incident and loss
reports, they may fail to report such incidents. On the other hand, if losses are tracked to a
central reserve account instead of each manager’s account, they may be more likely to report
incidents and losses. It is better to identify and classify losses and to take any curative or
preventive action than to bury losses in a myriad of accounting ledgers.
x types of incidents
x slips, falls, and other incidents that expose the organization to lawsuits
x health and safety violations resulting in lost time, reduced productivity, and increased
workers’ compensation fees
x any incident type that costs the organization time, effort, or money
This information will enable the asset protection organization to allocate protective
resources cost-effectively. By tracking and analyzing incidents, the security manager can
gain insights into countermeasures that may prevent future losses. For example, if incident
reports show consistent losses of small, high-value items from a warehouse but no
significant losses from other warehouse stocks, special precautions limited to the target
items may suffice. The precautions might be as simple as installing a chain-link cage with a
reliable lock and interior space alarms. Other typical warehouse security measures—such as
intrusion alarms on doors and windows, security officer patrols, and closed-circuit television
surveillance—could then be dispensed with on the basis of incident report data.
The selection of countermeasures also depends on the return on investment. Each counter-
measure can be weighed against its likelihood of preventing losses, cost of implementation,
potential recoveries made, and value of avoided losses.
x Form an asset protection committee. A group very familiar with the company’s
products, materials, tools, and resources should be formed. It is important for senior
management to set the organizational climate for security and loss prevention by
requiring this to be a formal process that includes inspections. Typically, members
would be senior managers or other experienced representatives from the following
departments:
— manufacturing
— engineering
— quality control
— security
— others—such as insurance, accounting, or marketing—depending on the nature
of the business
The committee may be managed by the business ethics or internal control department.
The committee evaluates losses from a number of perspectives.
x Determine the criteria for events and incidents. The committee should research the
cost of events and incidents as well as the effect of non-monetary losses, such as
damage to reputation.
x Identify vulnerable items. The asset protection committee should consider all the
items the organization handles and the activities it engages in. The committee should
then determine the potential risks to those items and activities.
x Develop a system for item tracking. Once the target items have been identified, a flow
chart should be prepared depicting the exact movement of each asset through the
organization. In manufacturing companies, for example, items may travel through pur-
chasing, incoming inspection, raw materials inventory, assembly, and distribution.
x Assess vulnerability. When the assets are identified and the flow or process is clear, the
asset protection manager can assess the vulnerability of each asset at each stage of the
process.
x Select countermeasures. Based on the vulnerability assessment, the asset protection
manager can select the appropriate countermeasures for each area of exposure.
Over a controlled test period, actual losses can be tracked in the unprotected areas. For
example, careful inventories or other counts can be taken but no loss prevention efforts
employed even in the face of actual losses. The losses in the unprotected areas can then be
compared to the losses in the protected areas to gauge the effectiveness of the chosen
countermeasures. (Of course, if losses during a pilot test are unacceptably high, the test can
be narrowed or discontinued and countermeasures applied enterprise-wide immediately.)
Based on the pilot data, countermeasures should be adjusted as appropriate.
To be cost-effective, an asset protection program must consider not only the major incidents
and events it is designed to prevent but also the incidental cost avoidances and asset or value
recoveries that occur in the course of operations. The reasonableness of proposed security
expenditures, compared to the losses that might otherwise occur, will move management to
approve the program. Ongoing evidence of losses avoided through security countermeasures
is necessary to sustain management support of the security program.
Cost-effectiveness reporting demands a reliable database that can be created and maintained
through an enterprise-wide loss reporting system. By using return-on-investment and other
formulas, security managers should find it easier to make the case for security expenditures.
APPENDIX A
PA RT I [C OMPANY NA ME]
12. Date and time loss discovered 16. Date and time incident occurred
(best estimate)
13. Incident type
17. Hour loss occurred (best estimate)
14. Persons involved (suspect, witness,
complainant, victim, security 18. Nature of incident (brief description
personnel) of what event occurred)
15. Location of incident 19. History of document
[Here would go instructions on the number and routing of copies, the handling of file or suspense copies,
the filing period, etc.]
Items 12–18. These items are of the greatest significance to security recovery and prevention
efforts. If an incident reporting system is being adopted for the first time, instructions and
examples of completed reports must be provided to employees.
Item 19. Creating a document history helps in tracking changes made to the document. Often,
information is added to reports as more data becomes available and the reports are forwarded to
others for review, comment, and follow-up. Knowing that information has been added, acted on,
or changed may be particularly important with electronic reports.
APPENDIX B
The preservation of company assets, both human and material, is the responsibility of every
employee of the company. This responsibility includes taking appropriate measures to prevent
losses due to willful actions that would result in personal injury, property damage, or theft. Unit
managers have the additional responsibility of facilitating the gathering of reports of losses, which
will be forwarded to the appropriate security office for tabulation or investigation.
This reporting must be timely and accurate. It provides the basis for accurate tracking of security-
related problems. Tracking facilitates analysis, helps identify weaknesses in current business
processes, and provides early notification to minimize future losses and potentially recover assets
already lost.
Reports of all crime-related losses should be made to the appropriate security office by telephone,
if urgent, or by using the Security Loss/Incident Report form.
Further guidance as to the format, scope, and areas of responsibility can be obtained through
corporate security.
GENERAL
The Security Loss/Incident Report shall be submitted for each case in which misdeeds by
individuals cause damage, loss of company property, or injury to company employees. It should
be prepared by an employee who has direct knowledge of the incident; however, in certain
circumstances, it may be completed by administrative personnel who receive spoken information
on the incident.
It is important that data on all malicious acts against the company be entered into the system. This
will permit analysis that may establish patterns and help in solving some cases. Without full and
complete reporting, the security force is at a disadvantage in preventing future offenses against the
company.
Timely reporting is also significant. Telephone reports shall be made to district and area offices as
soon as possible after discovery of every security loss/incident. The telephone report shall be
followed up by submission of the Security Loss/Incident Report form within 48 hours.
REFERENCES
Ernst & Young. (2003). Global information security survey. New York, NY: Ernst & Young.
Kitteringham, G., CPP, & McQuate, C. A., CPP. (2003, September). Many happy returns. Security
Management.
Kovacich, G. L., & Halibozek, E. P. (2006). Security metrics management. Woburn, MA: Butterworth-
Heinemann.
nd
Toft, B., & Reynolds, S. (1999). Learning from disasters: A management approach, 2 edition. Lei-
cester, England: Perpetuity Press.
Theft and fraud are the most frequent and costly forms of dishonesty the security
professional will likely encounter. Today’s security practitioner needs to know the factors
that lead to theft and fraud, as well as the best methods of preventing it. The relevant facts or
elements of most economic crimes are motive, ability, and the opportunity to commit the
crime. Although theft and fraud are closely related and similarly motivated, the techniques
used to prevent them differ significantly. In particular, theft and fraud by employees may be
an organization’s greatest threat, second only to competition. Therefore, this document
7
focuses primarily on workplace theft and fraud.
7
According to Report to the Nation 2004 from the Association of Certified Fraud Examiners, the most cost-effective way to deal
with fraud is to prevent it. An organization that has been defrauded is unlikely to recover its losses. The median recovery
among victim organizations in the study was only 20 percent of the original loss. Almost 40 percent of victims recovered
nothing at all.
The following items offer insights into the extent of theft and fraud:
x The United States Chamber of Commerce estimates that 30 percent of business failures
result from employee theft, with over one half of them failing in the first three years of
their existence (Ferraro, 2006, p. 370).
x In 2004, fraud cost each U.S. resident approximately $2,444 (Association of Certified
8
Fraud Examiners, 2004).
x U.S. organizations lose 6 percent of their annual revenues to fraud. That share of the
U.S. gross domestic product would be $600 billion (KPMG, 2003).
x Small businesses suffer disproportionately larger losses than large businesses. In 2003,
the median loss suffered by small businesses was $98,000. The median loss from those
frauds committed by owners and executives was $900,000 (KPMG, 2003).
x More than 2 million shoplifter apprehensions are made every year. They are only a
fraction of the estimated 200 million annual shoplifting incidents. The estimated rate of
shoplifting translates to approximately 550,000 shoplifting incidents per day, with
losses totaling almost $30 million per day (Shoplifters Alternative, 2002).
x Various studies estimate that employees steal over a billion dollars a week from their
employers.
The following are some general observations about the characteristics of employee theft and
fraud:
x Some employees will generally steal to the extent the organization will allow.
x Clear organizational policies, procedures, and practices will significantly increase the
chances of detecting vulnerabilities and systemic gaps before losses occur.
x A key to preventing theft and fraud, and to increasing the reporting of suspected
incidents, is a continuous, well-developed, and well-delivered fraud awareness pro-
gram for all employees. Employees must feel confident that senior management takes
these issues seriously, will act with professionalism and discretion regarding reports
made by employees, and will steadily demonstrate their resolve to handle offenders
properly at all levels of the organization. An important prevention tool a company can
use to reduce the level of employee theft, fraud, and embezzlement is to maintain a
climate of trust, honesty, and cooperation throughout the workforce.
8
In a sense, fraud is a tax. Employee theft and fraud siphon off resources, making the victim organization less competitive.
Figure 6-1 describes the impact of theft or fraud on a company with $5 billion in revenue and
a pretax profit margin of 15 percent. Assuming the organization loses 1 percent of revenue as
a result of employee theft or fraud (a very conservative estimate for most industries), it would
need to generate an additional $333 million in sales to recover the losses.
Revenue $5,000,000,000
Figure 6-1
Financial Impact of Theft or Fraud
Thus, the loss should not be measured merely in terms of revenue. More accurately, the loss
should be measured by extrapolating the amount of sales and other costs such as downtime
and insurance rate changes necessary to cover the loss. In addition, losses avoided may be
determined by the difference between the losses estimated without a security program and
those with the program. The percentage of probable loss can be estimated for various
industries or based on the loss history of the particular organization. This method of
describing the effect of theft and fraud on profitability is a powerful tool for demonstrating
the need for comprehensive initiatives to identify and limit such losses.
In the retail industry, up to 70 percent of losses are perpetrated by employees, and for every
dollar lost to shoplifting, employees steal another $15. In the food service industry, employee
theft imposes a 4 percent tax on every customer dollar spent (Ferraro, 2006, p. 370). The
annual loss to the U.S. banking industry from employee embezzlement is estimated to
exceed $1 billion (Hart, 2004). A serious form of embezzlement in the workplace is fraudulent
cash disbursements.
Employees steal more than food and cash—they steal time. Efficiency consultants have
known this for years. Businesses have attempted to improve workplace efficiency since the
Industrial Revolution began. From Henry Ford’s first assembly line to the implementation of
modern robotics, companies have striven to improve worker efficiency.
Time theft is every employer’s nemesis. If each employee of a 200-person organization were
to steal 10 minutes a day, the employer would lose 2,000 minutes per day. If the work year
consisted of 260 workdays, the employer would have suffered a loss of 520,000 minutes, or
the equivalent of 4.1 man-years. In effect, the workforce of 200 individuals is doing the work
of 196. If the annual wage of an employee was $30,000, the cost of each employee stealing
just 10 minutes a day translates to about $125,000 a year! Reducing wasted time by just one
minute per day per employee would create a savings of $12,500 a year (Ferraro, 2006).
The crimes of employee theft and fraud share some other general characteristics:
x Time, finished goods, supplies, scrap and waste, and intellectual property are the assets
most often stolen.
x Lack of supervision and lack of effective processes are the primary contributors to
employee theft and fraud.
x Secretive relationships, missing documents, indicators of substance abuse, and
irregular hours of operation or building entry are clues that employee theft or fraud
may be occurring.
Unfortunately, these assumptions are untrue and misleading. They tend to lure employers
into using quick fixes and relying on inadequate safeguards. Organizations that do so will
unnecessarily place their assets at risk and jeopardize their employees, their reputations, and
possibly their very existence.
Historically, the focus of most sociological and criminological research has been on street
crime, especially violent crime. Much study has been devoted to the psychological
composition and personality of murderers, rapists, and bank robbers over the years. More
recently, researchers have studied the minds of white-collar offenders and other dishonest
employees. After the recent corporate scandals involving Enron, Global Crossing, ImClone,
and other companies, the factors leading to executive greed and employee theft have
become even more apparent.
Clark and Hollinger attempted to develop a consensus regarding the causes of employee
theft and the most effective means of deterring it. They examined employee theft in three
private-sector arenas: retailing, manufacturing, and hospitals. In doing so, they studied the
literature in criminology, sociology, psychology, anthropology, and industrial security. Their
review revealed these separate but interrelated sets of hypotheses commonly used to explain
employee theft: external economic pressures, youth and work, opportunity, job
dissatisfaction, and social control. Each is examined below:
x External economic pressures. Before the study, the most frequent justification of
employee theft was that employees steal from their employers because they have
personal problems involving alcohol, gambling, illicit affairs, or similar situations.
Clark and Hollinger observed that the connections between economic needs and the
manner in which the stolen materials satisfy those needs had not been established and
was vague at best.
x Youth and work. Another commonly expressed theory stated that younger employees
are not as honest or hardworking as people from previous generations. Two studies of
retail employees caught stealing merchandise had found that a disproportionate
number of younger, newly hired employees were involved in theft. However, no clear
and convincing evidence existed to support this theory.
x Opportunity. Security practitioners believed that the opportunity to steal items of
value was a primary factor in employee theft. It was generally held that every employee
is tempted to steal from his employer at one time or another, based on the opportunity
to steal. This theory was never empirically studied until Clark and Hollinger’s later
research in 1983.
x Job dissatisfaction. The idea that job dissatisfaction causes employee theft had not
been included in most studies of workplace theft until Clark and Hollinger conducted
their study. The theory suggests that the employer causes theft because management,
directly or indirectly, is responsible for employees’ job dissatisfaction.
x Social control. The social control theory suggests that the broadly shared formal and
informal social structure within an organization greatly influences whether theft will
occur. Although not empirically tested until Clark and Hollinger’s study, the theory
emphasized the role that individual workgroup norms played in deterring workplace
theft. In addition, there was evidence in existing studies that relationships between
supervisors and employees could deter or encourage employee theft. Both theories are
similar to the deterrence doctrine, which assumes that the threat of negative social
sanctions or criminal prosecution could affect the amount of theft in the organization.
In essence, the premise holds that employees are more likely to steal if they perceive
little threat of detection or punishment.
Clark and Hollinger found it difficult to separate theft from other forms of deviance. Their
study also examined production deviance, such as unauthorized or extended coffee and
lunch breaks, inappropriate use of sick time, punching time cards for other employees, and
arrive late or leaving early. Each of those acts, by today’s standards, constitutes theft of time.
sure and financial crimes committed by executives.) Aside from cashier-related embezzle-
ment and a few other types of theft, the vast majority of large-scale thefts are committed by
managers (Association of Certified Fraud Examiners, 2004). These large-scale thefts usually
fall under two classifications: embezzlement or defalcation. Embezzlement involves the
fraudulent appropriation of property by a person to whom it is entrusted, which can involve
material things such as art, property, and product, not just cash. Defalcation more
specifically deals with the misappropriation of trust funds or money held in a fiduciary
capacity (Bologna & Shaw, 1996).
Though not addressed in Clark and Hollinger’s work, it is self-evident that employees with
less tenure also have less invested in their job and the organization. Although that factor may
not translate directly into individual dishonesty, a less-tenured employee will likely be more
tolerant of theft.
x In hospitals, the majority of theft is committed by nursing staff rather than others with
the same access to various areas in the hospitals.
x The most consistent predictor of theft in all industries is the employee’s perceived
chance of being detected. Theft occurs most often when organizational sanctions or
rules against theft are not properly communicated or consistently enforced (see also
Ferraro, 2006, pp. 371-372).
x In addition, employees are greatly influenced by the informal social controls of
coworkers, such as peer group gossip, ridicule, and ostracism. Peer group sanctions
present a significant opportunity for management to reduce employee theft.
x Job dissatisfaction and theft are also correlated. Employees displeased with their
overall employment experience are most often those who seek redress by engaging in
theft and other antisocial behavior at work. Those who sense that their employer and
supervisor are concerned about their well-being do not engage in as much theft.
Security practitioners should focus on identifying the 5 percent of employees responsible for
the great majority (95 percent) of workplace theft. Practices that appear to punish all
employees are generally more expensive and likely to damage morale. By contrast,
anonymous incident reporting systems (sometimes called hot lines) can be used to deter
dishonest employees and empower honest ones. More occupational fraud is revealed by
anonymous tips provided by employees than by all formal internal audits combined
(Association of Certified Fraud Examiners, 2004).
In sum, loss prevention and asset protection efforts in today’s workplace should be crafted
based on the following:
By contrast, Cressy’s theory defines the problem as a violation of a position of financial trust.
He theorizes that trusted persons become trust violators when they visualize themselves as
having non-shareable financial problems and feel they can resolve the problems by violating
their position of trust. His theory is based on extensive interviews of individuals convicted of
various trust violations, particularly fraud. Cressy concludes that three elements must be
present before a fraud or similar crime can take place:
Unlike employee workplace theft, which often occurs spontaneously, fraud is premeditated.
Wells professes that if the three elements come together in almost any work-related
situation, a fraud will likely occur. He names several sources of financial pressures, such as
gambling debts, drug use, living beyond one’s means, and unexpected medical bills. Other
motivations include the desire to be, or appear to be, successful. However, the predominant
factor is greed.
Proving fraud tends to be difficult. The fact-finder must demonstrate the following:
The opportunity for fraud is generally created through the absence or weakness of internal
controls. Knowledge of situational pressures and symptoms of fraud also provides the
security professional with insights for preventing frauds. The following are several categories
of such warning signs:
The requirement to improve internal controls and provide more transparency has not been
without cost. SOX compliance (particularly with Section 404) significantly burdens companies’
officers and boards and imposes both civil and criminal penalties on violators. Whether those
burdens are worthwhile remains to be seen, given the limited effect of internal controls on
detecting fraud and the importance of open communication and setting the tone at the top
(ACFE, 2004).
Once the incident has been resolved, an organization usually slips back into a state of
acceptance, and any control procedures or processes that were implemented lose their
urgency. Should another problem occur, the organization simply follows the same model
and shifts into action to resolve that incident.
Accounting Theft of cash, altering bank deposits, fictitious accounts payable, unauthorized
cancellation or reduction of accounts receivable, use of company checks to pay
personal bills, false expenditures, lapping,1 kiting,2 conversion,3 and continually
restating income and expense items.
Purchasing Dummy suppliers, fictitious purchase orders, overstated prices and kickbacks from
vendors, bid rigging, personal work completed by contractors for inflated invoices,
and payment of duplicate invoices.
Payroll Ghost employees on the payroll, increasing hours paid but not worked, increasing
salaries without proper authorization, and theft of cash.
Warehousing and Theft of damaged goods, alteration or elimination of records of accountability, theft
Distribution of inventory, shipment of product to fictitious customers, falsified customer returns,
short-shipment of product, falsification of damaged goods reports, and falsification
of raw materials receipts.
Computer Operations False vendor/supplier/contractor invoices, false refund or credit claims, altered or
eliminated transactions, misdirected electronic funds transfers, and ghost
employees on the payroll.
Cashier Operations Theft of cash, diverting or eliminating cash receipts, also known as “skimming,”
and unauthorized or forged vouchers for petty cash.
Other Common Losses Inflated expense reports, submission of redeemed travel tickets for reimburse-
ment, use of higher-cost travel tickets to increase personal frequent traveler
awards, and theft of office supplies.
1. Lapping is the pocketing of small amounts from incoming invoice payments and then applying subsequent payment to cover the
missing cash from the previous invoice, and so on.
2. Kiting is any sort of fraud that involves drawing out money from a bank account that does not have sufficient funds to cover the
check.
3. Conversion is a term used for the receiving of money or property and fraudulently withholding or applying it for one’s own use.
Figure 6-2
Common Targets and Methods of Theft and Fraud
A more complete model for dealing with theft and fraud is shown in Figure 6-3. This model is
based on strong collaboration among staff and key stakeholders. Such collaboration requires
a clear delineation of roles and responsibilities between security, human resources, legal,
communications (both internal and external), facilities management, and affected line
managers.
Figure 6-3
Comprehensive Model of Theft and Fraud
Prevention, Investigation, and Program Testing
Element 2: Incident
An indicator of the effectiveness of prevention efforts is the quick and accurate reporting of
suspected thefts and fraud. Regardless of a program’s effectiveness, incidents will still occur.
The key is to ensure that incidents are reported as soon as they are suspected—perhaps with
an anonymous incident reporting system.
Element 4: Investigation
Investigations are more successful when investigative roles and responsibilities are clearly
defined. Whether conducting an internal compliance investigation, to determine if there is a
possible violation of company policy, or an actual internal theft incident, the investigator
needs to have clear guidelines on what he or she is expected to accomplish. An investigator’s
objective is to obtain information and evidence so that it can be presented in a factual final
report so senior management can take appropriate action. The main objective of any
preliminary investigation is to determine what crime or violation exists. Under most
circumstances internal thefts and fraud investigations are conducted by in-house or private
contractors and not by law enforcement. During this investigation the investigators should
interview complainants, witnesses, and any suspects, determine whether any evidence is
available to support the allegation, and prepare a report of the facts to be presented to senior
management or in-house counsel. The investigator may also need the assistance of a
financial specialist, such as a CPA, to conduct a fraud audit so that the financial transaction
process can be reconstructed to determine how the theft occurred.
Element 5: Action
This element refers to taking action based on a fair and impartial review of the facts
determined by a thorough investigation. Taking immediate action against theft and fraud
perpetrators is one of the strongest deterrents to future losses. If employees clearly
understand that their actions may put their jobs at risk and lead to criminal prosecution,
only the most determined risk-takers will break the rules.
Element 6: Resolution
Resolution of the case may include determining the appropriate discipline for guilty employ-
ees, estimating the actual loss, reporting the loss to an insurance carrier, and performing
other steps to close the investigation and obtain a recovery. Although discipline and
prosecution can be effective deterrents, nothing makes a point like the payment of
restitution by the perpetrator. In some instances, perpetrators can be made to pay not only
restitution but also the costs associated with the investigation. Even if the perpetrator must
pay installments over a long period, recovery of the loss and the cost of the investigation is
rewarding.
Element 7: Analysis
The concern here is how and why the loss occurred—in other words, the dynamics involved
from a human and control standpoint. Keeping in mind that the most common motivation
for an individual to commit an internal theft is one of economics or profit, the analysis also
has to consider the cost-effective steps that can be taken to prevent recurrences. How much
money should be spent on prevention versus the potential loss? In major incidents or
recurring patterns of losses, human resources, internal audit, finance, and other staff
functions can play a significant role in determining how to prevent future losses. Security
professionals should also maintain files detailing the theft or fraud method for future
awareness training.
Element 8: Publication
Organizations can use newsletters or bulletins to inform employees of incidents and their
resolution and show how the security organization provides value to the company. However,
naming names and publishing the details of incidents that have not been prosecuted may
constitute defamation and could be civilly actionable. A company that intends to publicize
the results of an investigation should first obtain the advice of an attorney.
In addition, when thefts or frauds go undetected, the victim business cannot recover the loss
through insurance or by treating the loss as a tax deduction. Losses also affect employee
morale, shareholder value, and public confidence in an organization. Few risks have such
far-reaching consequences, yet are so preventable.
Given employees’ perceived pressures and their ability to rationalize theft and fraud, losses
from these crimes will continue to be significant. Organizations that are unprepared or have
not implemented a comprehensive theft and fraud prevention program will incur even
greater losses. Security professionals should thus give priority to the prevention of theft and
fraud in their overall loss prevention strategy.
APPENDIX A
FLOWCHARTS
The following flowcharts suggest controls that can be adopted to discourage dishonesty in a
variety of functional areas. They are taken from How to Reduce Embezzlement Losses (New York,
NY: Royal-Globe Insurance Company) and are used with permission.
GENERAL
A BANK DEPOSITS
INCOMING FUNDS
FROM ALL SOURCES
RECORD OF
CASH
FUNDS
AND
RECEIVED
CHECKS
EMPLOYEE RECONCILING
RECORD
EMPLOYEE MAKING DEPOSIT RECORDS AND
OF
UP BANK DEPOSIT DEPOSIT INCOMING FUNDS
RECORDS
DUPLICATE
DEPOSIT
EMPLOYEE OPENING
BANK
SLIP INCOMING MAIL
GENERAL
B INCOMING MAIL
EMPLOYEE OPENING
INCOMING MAIL
EMPLOYEE RECONCILING
EMPLOYEE ACCOUNTS
EMPLOYEE MAKING DEPOSIT RECORDS AND
RECONCILING RECEIVABLE
UP BANK DEPOSIT INCOMING FUNDS
BANK STATEMENT DEPARTMENT
RECORDS
C SECURITIES
OFFICERS HAVING
ACCESS PROCEEDS EMPLOYEE MAKING
SAFE DEPOSIT BOX ACCESS TO
FROM SALE UP BANK DEPOSIT
SECURITIES
LIST OF
SECURITIES
PURCHASED
CHECK
SIGNERS
LIST OF LIST OF
SECURITIES SECURITIES
PURCHASED WITHDRAWN
EMPLOYEE MAINTAINING
EMPLOYEE RECONCILING
LIST OF
BANK STATEMENT
SECURITIES OWNED
COPY OF
PHYSICAL APPROVAL OF
VERIFICATION SALE
EMPLOYEE RECONCILING
OFFICER COPY OF
DEPOSIT RECORDS AND
CHECKING APPROVAL
OF SALE INCOMING FUNDS
SECURITIES
RECORDS
CREDIT OR
DISCOUNT
APPROVING
CUSTOMER
REQUEST OFFICER
CASH
ORIGINAL
ORDER
SALES FORM
APPROVAL
COPY OF COPY OF
CASH
SALES FORM SALES FORM
EMPLOYEE RECONCILING
COPY OF ACCOUNTS
EMPLOYEE MAKING DEPOSIT RECORDS AND CREDIT RECEIVABLE
UP BANK DEPOSIT INCOMING FUNDS SALES FORM DEPARTMENT
RECORDS
See Incoming Funds Credit for questions leading to completion of credit portion of this diagram
CUSTOMER
COPY OF COPY OF
CASH SALES FORM SALES FORM
EMPLOYEE RECONCILING
COPY OF ACCOUNTS
EMPLOYEE MAKING DEPOSIT RECORDS AND
CREDIT RECEIVABLE
UP BANK DEPOSIT INCOMING FUNDS SALES FORM DEPARTMENT
RECORDS
C MAIL ORDERS
CUSTOMER
ORDER
EMPLOYEE OPENING
INCOMING MAIL
CUSTOMERS
REQUEST
APPROVING
FOR CREDIT
OFFICER
RECORD OF ORDER
SHOWING AS
CASH OR CREDIT
ORDER SHOWING WRITTEN APPROVAL
CASH
AS CASH OR CREDIT OF
CREDIT REQUEST
EMPLOYEE RECONCILING
ACCOUNTS
EMPLOYEE MAKING SHIPPING DEPOSIT RECORDS AND
RECEIVABLE
UP BANK DEPOSIT DEPARTMENT INCOMING FUNDS
DEPARTMENT
RECORDS
See Incoming Funds Credit for questions leading to completion of credit portion of this diagram
D ADMISSIONS
CASH
TICKET TICKET
CUSTOMER TICKET
SELLER COLLECTOR
TICKET
CASH VOIDED
TICKET
EMPLOYEE RECONCILING
EMPLOYEE MAKING DEPOSIT RECORDS AND
UP BANK DEPOSIT INCOMING FUNDS
RECORDS
CASH
SALES
WRITTEN
FORM
APPROVAL
CASHIER
OR
SALES CLERK
COPIES OF
TAPES OR
SALES SLIPS
CASH
EMPLOYEE
“BLEEDING”
REGISTERS
COPIES OF
TAPES OR
SALES SLIPS
EMPLOYEE RECONCILING
COPIES OF ACCOUNTS
EMPLOYEE MAKING DEPOSIT RECORDS AND CREDIT RECEIVABLE
UP BANK DEPOSIT INCOMING FUNDS SALES SLIP DEPARTMENT
RECORDS
CUSTOMER
CASH
SALES
FORM
CASHIER
OR
SALES CLERK
COPIES OF
TAPES OR
SALES SLIPS
CASH
EMPLOYEE
“BLEEDING”
REGISTERS
COPIES OF
TAPES OR
SALES SLIPS
A PAYMENT BY MAIL
CUSTOMER
CREDIT REMITTANCE
REQUEST OR
COMPLAINT
WRITTEN BILLING
APPROVAL RECORD OF
REMITTANCE REMITTANCE
RECONCILIATION
EMPLOYEE RECONCILING
SHIPPING DEPARTMENT RECORD ACCOUNTS
DEPOSIT RECORDS AND EMPLOYEE MAKING
OR OF RECEIVABLE
SALE INCOMING FUNDS UP BANK DEPOSIT
SALES CLERK DEPARTMENT
RECORDS
RECONCILIATION
B PAYMENT IN PERSON
CUSTOMER
PAYMENT RECEIPT
EMPLOYEE EMPLOYEE
ADVICE OF
RECEIVING PAYMENT
COMPLETING
PAYMENT RECEIPT
PAYMENT COPY OF
RECEIPT
EMPLOYEE RECONCILING
ACCOUNTS
EMPLOYEE MAKING DEPOSIT RECORDS AND RECONCILIATION RECEIVABLE
UP BANK DEPOSIT INCOMING FUNDS
DEPARTMENT
RECORDS
COMPLAINT AND CREDIT APPROVAL SHOULD REQUIRE SAME PROCEDURES DIAGRAMMED IN (A) ABOVE.
PURCHASING
DEPARTMENT
EVIDENCE
OF ADVICE
DEBT OF
PAYMENT
COMPLETED CHECK
AND
EVIDENCE OF DEBT
EMPLOYEE
MAILING
CHECKS INITIALED
EVIDENCE
OF DEBT
EVIDENCE
CHECK
OF
DEBT
EMPLOYEE RECONCILING
PAYEE
BANK STATEMENT
CANCELED
CHECK
CHECK
CANCELED
EMPLOYEE OPENING
BANK CHECK
INCOMING MAIL
A CASH
EMPLOYEE
TIME CARDS OR OTHER PREPARING
EMPLOYMENT RECORDS PAYROLL
LIST LIST FOR
APPROVAL
EMPLOYEE CHECK
CHECK
CHECK CASHING BANK
SIGNERS
CHECK CASH
COPY OF CASH
LIST
EMPLOYEE
DISTRIBUTING
CANCELED
PAYROLL CHECK
CASH
ALL
EMPLOYEES
EMPLOYEE RECONCILING
CANCELED EMPLOYEE OPENING
BANK ACCOUNT
CHECK INCOMING MAIL
STATEMENT
B CHECK
EMPLOYEE
TIME CARDS OR OTHER PREPARING
EMPLOYMENT RECORDS PAYROLL LIST FOR
LIST APPROVAL
CHECK
SIGNERS
CHECKS
COPY OF
LIST
EMPLOYEE
DISTRIBUTING
PAYROLL
CHECKS
CANCELED
CHECKS
PERSON TO WHOM
EXPENDITURE
IS MADE
VOUCHERS CASH
OR
RECEIPTS
EMPLOYEE
EMPLOYEE DISBURSING CASH
AUTHORIZING AUTHORIZATION BANK
PETTY CASH CHECK
DISBURSEMENT
COPY OF
AUTHORIZATION
RECONCILIATION CHECK
REQUEST FOR
OF PETTY CASH
REPLENISHMENT
WITH RECORDS
CANCELED
CHECK
COPY OF
AUTHORIZATION
EMPLOYEE RECON-
CILING
BANK STATEMENT
INVENTORY – PURCHASING
EMPLOYEE
MAKING
REQUEST
REQUEST
PURCHASING PURCHASE
ORDER
SUPPLIER
DEPARTMENT
COPY OF
PURCHASE
ORDER
COPY OF (Quantity Omitted)
PURCHASE MERCHANDISE
ORDER
NOTIFICATION
OF RECEIPT OF
MERCHANDISE
ACCOUNTS
RECEIVING
PAYABLE
DEPARTMENT
DEPARTMENT
INVENTORY – RECEIVING
COPY OF
PURCHASE NOTIFICATION OF
ORDER RECEIPT OF
MERCHANDISE
NOTIFICATION OF
RECEIVING RECEIPT OF
ACCOUNTS PAYABLE
DEPARTMENT MERCHANDISE DEPARTMENT
B REFUNDS
CUSTOMER
MERCHANDISE
CHECK
EMPLOYEE
COPY OF CHECK
AUTHORIZING AUTHORIZATION SIGNERS
REFUNDS
COPY OF
AUTHORIZATION MERCHANDISE
(CREDIT ONLY)
ADVICES OF
REFUND
ACCOUNTS
RECEIVING
RECEIVABLE
DEPARTMENT
DEPARTMENT
NOTIFICATION OF RECEIPT
OF MERCHANDISE
RECONCILATION
(CREDIT ONLY)
REQUEST FOR
EMPLOYEE CONTROLLING WAREHOUSE RECEIPT
EMPLOYEE ISSUING WAREHOUSE
UNISSUED RECEIPT CUSTOMER
WAREHOUSE WAREHOUSE RECEIPTS
WAREHOUSE RECEIPTS
RECEIPT
SIGNED COPY OF
REQUEST FOR MERCHANDISE
WAREHOUSE RECEIPT
WAREHOUSE RECEIPT
PERPETUAL
RECEIVING
INVENTORY
DEPARTMENT
PERSONNEL
EMPLOYEE COPY OF
PERPETUAL
TAKING INVENTORY INVENTORY
INVENTORY PERSONNEL
PHYSICAL COPY OF
REQUEST FOR
INVENTORY REQUEST FOR
WITHDRAWAL
PROCEDURE WITHDRAWAL
REQUEST FOR
INVENTORY WITHDRAWAL ALL
STORAGE DEPARTMENTS
MERCHANDISE
WAREHOUSE HOLDER OF
OFFICER RECEIPT WAREHOUSE RECEIPT
CANCELED
WRITTEN
WAREHOUSE MERCHANDISE
AUTHORIZATION
RECEIPT
PERPETUAL ADVICE OF
RELEASE OF
INVENTORY
INVENTORY
MERCHANDISE STORAGE
PERSONNEL
EMPLOYEE
TAKING
INVENTORY
INVENTORY INVENTORY
PROCEDURE INVENTORY PROCEDURE
PROCEDURE
COPIES OF FORMS
SHOWING FORWARDED
MERCHANDISE
EMPLOYEE HAVING
NO ACCESS TO
INVENTORY
RECORDS OF
WITHDRAWALS, SCRAP
MATERIALS AND
INVENTORY FOR
RECONCILIATION
INVENTORY – SHIPPING
A DELIVERIES TO CUSTOMER
CUSTOMER
ORDER
RETURNED
MERCHANDISE
SALES MERCHANDISE
PERSONNEL
ORDER
SHIPPING MERCHANDISE
DELIVERY
DEPARTMENT MEDIUM
RECORD OF
SHIPMENT LIST OF LOADED
AND RETURNED
MERCHANDISE
LIST OF
RETURNED
RECORD OF MERCHANDISE
RECORD OF RETURNED
RETURNED MERCHANDISE
MERCHANDISE
INVENTORY EMPLOYEE
RETURNED
STORAGE CHECKING RETURNED
MERCHANDISE
AREA MERCHANDISE
B RETURNS TO SUPPLIERS
RECORD OF
SHIPMENT
ACCOUNTS PERPETUAL
PAYABLE RECONCILIATION INVENTORY
DEPARTMENT PERSONNEL
OUTSIDE EMPLOYEES
A SALESMAN
OFFICER
CREDIT
CUSTOMER ORDER SALESMAN REQUEST
APPROVING
CREDIT
PAYMENT
RECORD OF
PAYMENT
EMPLOYEE RECONCILING
ACCOUNTS
DEPOSIT RECORDS AND
RECEIVABLE
INCOMING FUNDS
DEPARTMENT
RECORDS
SHIPPING
DEPARTMENT
RECONCILIATION
PAYMENT
EMPLOYEE MAKING
UP BANK DEPOSIT
B COLLECTOR
COLLECTIONS
ACCOUNTS TO BE MADE PAYMENT
EMPLOYEE MAKING
RECEIVABLE COLLECTOR
RECORD OF UP BANK DEPOSIT
DEPARTMENT
COLLECTIONS
COLLECTION
REQUEST PAYMENT
SPOT
CHECK
VERIFICATION
CUSTOMER
RECORD
OF
RECONCILATION COLLECTION
EMPLOYEE RECONCILING
DEPOSIT RECORDS AND
INCOMING FUNDS
RECORDS
OFFICER
APPROVING
CREDIT
ADVICE OF ADVICE OF
CREDIT CREDIT
APPROVAL APPROVAL
LOADED
EMPLOYEE CHECKING MERCHANDISE ACCOUNTS
LOADED AND RETURNED S-C-D RECEIVABLE
MERCHANDISE RETURNED DEPARTMENT
MERCHANDISE
AND SALES FORMS
CASH
LIST OF LIST OF
LOADED & RETURNED LOADED & RETURNED
MERCHANDISE MERCHANDISE
SALES
FORMS PERPETUAL EMPLOYEE ADVICE OF
INVENTORY MAKING UP BANK ITEMS DELIVERED
PERSONNEL DEPOSITS ON CREDIT
EMPLOYEE RECONCILING
DEPOSIT AND INCOMING
FUNDS RECORDS
RETAIL – MISCELLANEOUS
A COUPONS
COUPONS EMPLOYEE
LOCKED
CASHIER COUPONS COLLECTING
BOX
COUPONS COUPONS
RECORD OF RECORD OF
VALUE VALUE COUPONS
OF COUPONS OF COUPONS
EMPLOYEE RECONCILING
ACCOUNTS
RECONCILIATION DEPOSIT RECORDS AND
RECEIVABLE SAFE
INCOMING FUNDS
DEPARTMENT
RECORDS
ADVICE OF EMPLOYEE
PHYSICAL
COUPONS CHECKING COUNT
ON HAND COUPONS
B TRADING STAMPS
EMPLOYEE OPENING
INCOMING MAIL
TRADING
STAMPS
RECEIVING TRADING
STAMPS SAFE
DEPARTMENT
PHYSICAL
COUNT
EMPLOYEE CHECKING
TRADING STAMPS
RECORD OF
PHYSICAL
COUNT
EMPLOYEE RECONCILING
PERPETUAL
DEPOSIT RECORDS AND
INVENTORY RECONCILIATION
INCOMING FUNDS
PERSONNEL
RECORDS
APPENDIX B
2. If you ask an employee to steal for you, don’t be surprised when he steals from you.
3. Theft is the ultimate sign of employee disrespect towards you and your organization.
That disrespect is usually predictable, based upon prior behavior.
4. Employees involved in theft have usually been involved in other prior misconduct at the
company.
5. Employee theft is far more costly to the organization than just the value of the goods
stolen.
6. The employee who steals is more insidious than the outsider because that employee
violated your trust.
7. No employee who steals is a “good employee”—no matter how hard he or she otherwise
works.
12. Virtually every employee who steals has rationalized his or her dishonesty.
14. Employees who steal believe that everyone steals and that most steal more than they do,
no matter how much they have actually stolen.
15. Employees who steal from you do not consider themselves dishonest. They prefer to
think you are somehow responsible.
TOLERANCE OF THEFT
17. No theft, no matter how minor, should be tolerated or ignored.
18. Theft is like a cancer—if left untreated it will continue to grow and spread.
19. Employees who know of unreported theft are as bad as the thief.
21. Most employees appreciate a second chance—to steal from you again.
23. The employee who is closest to the loss (that is the one with the most access) is usually
the one who did it.
26. Your so-called sixth sense is usually pretty accurate (it’s actually a consolidation of all
your senses), so trust it.
27. Employees who deny guilt, but are willing to make restitution, are guilty.
28. When a number of employees suspect one person, there’s usually a pretty good reason.
30. Nothing you own is immune from theft, and no business is theft- or fraud-proof.
31. Most businesses are loath to install controls to prevent theft and fraud; the failure to do
so is itself a result of rationalization and denial.
32. For some reason, companies are more eager to detect theft after the fact than to prevent
it from happening, even though it is much cheaper to prevent it in the first place.
33. The best way to avoid employee theft is not to hire a thief.
34. The best way not to hire a thief is to investigate a potential employee’s background.
35. If a person has stolen from a previous employer, is it reasonable thinking he won’t steal
from you?
36. Constant and eclectic vigilance is required to prevent theft; there is no silver bullet.
38. Never let an employee be his or her own check and balance.
40. Effective security measures are not oppressive or burdensome. They go with the flow of
operation.
41. Asset protection is an insurance. The cost should be weighed against the risk.
43. You cannot rely on the criminal justice system to protect your assets, investigate theft, or
bring the culprit to justice.
44. The deterrent effect of any punishment is far shorter than you can imagine.
45. If you want to understand the physics of a black hole, bring your employee theft or fraud
case to the typical big city court.
46. The employee who says he is sorry usually is—sorry to have been caught.
48. If the only punishment the employee receives is termination, the proceeds of his theft are
his golden parachute.
49. If the dishonest employee offers to resign, accept it and avoid the urge to be vindictive.
50. Of the three “shuns” (termination, prosecution, and restitution), restitution, while the
most difficult, does the victim the most good.
REFERENCES
Albrecht. W. S., McDermott, E. A., & Williams, T. L. (1994, February). How companies can reduce
the cost of fraud. The Internal Auditor, pp. 28–34.
Association of Certified Fraud Examiners. (2004). Report to the Nation 2004. Available: http://
www.acfe.com/documents/2004RttN.pdf [2006, October 17].
Bologna, J., & Shaw, P. (1996). Corporate crime investigation. Boston: Butterworth-Heinemann.
Hollinger, R. C., & Clark, J. P. (1982). Formal and social controls of employee deviance. Sociological
Quarterly, 23, 333–343.
Ferraro, E. F. (2006). Investigations in the workplace. New York, NY: Auerbach Publications.
KPMG International. (2003). KPMG forensic fraud survey 2003. Available: http://www.kpmg.com/
aci/surveys.asp#fraud03 (2006, January 12].
Hart, K. M. (2004). Employee theft. Posted on New Jersey Law Blog. Available: http://www.
njlawblog.com/corporate-investigations-white-collar-employee-theft.html [2006, September 12].
Shoplifters Alternative. (2002). 2002 shoplifters survey. Jericho, NY: National Association for
Shoplifting Prevention.
Wells, J. T. (1997). Occupational fraud and abuse. Austin, TX: Obsidian Publishing.
ADDITIONAL READING
Albrecht, W. S., Romney, M. B., Cherrington, D. J., et al. (1982). How to detect and prevent business
fraud. Englewood Cliffs, NJ: Prentice-Hall.
Albrecht, W. S., Wernz, G., & Williams, T. L. (1995). Fraud: Bringing light to the dark side of
business. Burr Ridge, IL: Irwin Professional Publishing Co.
Bettencourt, K. C. (1990). Theft and drugs in the workplace. Saratoga, CA: R&E Publishers.
rd
Fennelly, L. J. (1996). Handbook of loss prevention and crime prevention (3 ed.). Woburn, MA:
Butterworth-Heinemann.
th
Fischer, R. J., & Green, G. (1998). Introduction to security (6 ed.). Woburn, MA: Butterworth-
Heinemann.
Healy, R., & Walsh, T. J. (1981). Principles of security management. New Rochelle, NY: Professional
Publications.
nd
Rusting, R. R. (1987). Theft in hospitals and nursing homes (2 ed.). Port Washington, NY: Rusting
Publications.
Snyder, N. H., Broome, O. W., Kehoe, W. J., Mcintyre, J. T., Jr., & Blair, K. E. (1991). Reducing
employee theft. New York, NY: Quorum Books.
7.1 INTRODUCTION
This chapter examines private security operations in the public realm. Specifically, that
realm includes streets, municipal parks, business districts, residential communities, and
other areas frequented by the public without any meaningful access restrictions. The public
realm also includes critical infrastructures. The areas discussed are also routinely patrolled
by municipal police departments. Private policing in public environments raises a number of
important considerations, including political, operational, legal, ethical, and societal
implications.
x First, this work in no way advocates the elimination, or even the diminishment, of
public policing agencies. Indeed, it illustrates that the expansion of security personnel
into the public realm is due to forces outside the control of policing agencies. The
growth of private police is not a reflection of poor public policing.
x Second, the use of private police is designed to supplement already overworked, and
often understaffed, law enforcement agencies. The work of public and private police
should be viewed as a division of labor.
As security professionals know, the provision of security and public safety services is not the
exclusive domain of government. Indeed, the majority of persons charged with security and
public safety services are employed by private firms. Of course, this does not minimize the
substantial role that public police officers contribute to public safety. The point is that
security and public safety are not exclusive to government.
Though commonly accepted within the security profession, the introduction of private
police into the public domain may cause some people concern or even alarm. This is
understandable, particularly in Western countries. Most contemporary observers view police
agencies as “normal,” as if their use was the natural state of law enforcement. It is not. Public
policing is a rather new phenomenon. When the first police department was organized by Sir
Robert Peel in London in 1829, many people viewed that change with concern or alarm. The
introduction of private policing can be viewed as going back to the future, in which private
citizens contribute more time and effort to the safety and security of their communities.
For centuries, people in the community acted as “security” within the community. The job
of security was not even a job. There was no police department to call. Instead, it was the
duty of all able-bodied men to protect their homes and their community (Pastor, 2003).
Thus, the people acted in self-defense or in defense of their community. Viewed in this
manner, security has historically been the province of the people. This assertion was even
reflected in one of Peel’s guiding principles: the people are the police, the police are the
people (Oliver, 2004; Pastor, 2006).
Before the formation of public policing agencies, self-help and self-protection were
considered the foundations of law enforcement and public order (Pastor, 2003; Nemeth,
1989; Shearing & Stenning, 1983). Kings were primarily concerned with conducting warfare,
not enforcing domestic tranquility. That arrangement changed when the enforcement of the
law—or, in broader terms, the justice process—was seen as a cash cow (Pastor, 2003;
Reynolds, 1994; Benson, 1990). This realization facilitated the expansion of government’s
role into the internal justice process through the expansion of the king’s peace. The king’s
peace, in essence, equated to law and order (Pastor, 2006).
As the power of the king evolved, many offenses previously regarded as intentional torts
(wrongs subject to civil tort law) became crimes against the king’s peace (Pastor, 2003;
Johnston, 1992). The change from a tort-centered to a crime-centered system inevitably
affected people who were to be compensated for the injury caused by the act (i.e., tort or
crime). Often victims desired crimes to be viewed as civil torts so they could collect financial
compensation (Pastor, 2003). Conversely, the king had an incentive to declare an act a crime
in order to derive a financial benefit. If the act was declared a crime, the king could
confiscate the criminal’s property and inflict corporal or capital punishment (Johnston,
1992). With these incentives, over time arson, robbery, murder, and other felonious and
violent actions were declared to be crimes (Reynolds, 1994).
The ever-increasing expansion of the criminal law was not without justification. Some
believed it would reduce retribution by private citizens, as well as provide legitimate
sanctions by the government (Pastor, 2003; Nemeth, 1989; Benson, 1990). State sanctioning
of criminals removed the need for the victim (or his or her family) to retaliate against the
offender. Instead, the state (or king) would avenge the harm done to the victim on behalf of
all the people. In return, crime prevention and control was also transferred to the king.
Many citizens were happy to transfer this duty because the costs, resources, and efforts
previously devoted to crime prevention and control would also transfer to the king (Pastor,
2003; Reynolds, 1994).
Notwithstanding this gradual transfer of retributive authority to the throne, the burden of
law and order rested on the citizenry for a large part of recorded history. To accomplish
crime control, towns were protected by citizens through the use of the “hue and cry”
(Pastor, 2003; Nemeth, 1989). Hue and cry was a call to order. When a hue and cry went
out, able-bodied men would lend assistance against criminals or criminal acts. This
ancient system of crime protection is remarkably similar to the “observe and report”
function of private security, absent the pursuit and capture of the criminal (Pastor, 2003).
The underlying purpose of observing and reporting is that the security officer should act as
a deterrent to crime. If a crime is observed, the security officer should gather information
about the criminal and the crime and then immediately report such to the public police.
This is deemed as being the eyes and ears of the police (Pastor, 2003).
Over time, a more defined crime control system was established. This system, known as
“watch and ward,” was administered by “shire reeves,” who were appointed by the king
(Pastor, 2003; Nemeth, 1989). The shire reeves appointed constables to deal with various
legal matters. Both the shire reeve (later shortened to sheriff) and the constable became the
forerunners of modern sworn law enforcement officers (Pastor, 2003; Nemeth, 1989). This
system furthered the legitimacy of public officers in crime prevention and control with the
appointment of individuals directly accountable to the king (Pastor, 2006).
The emergence of public police was not without problems and detractors. Some argued that
a full-time police force was too expensive. Obviously, the traditional sheriff-watch method
was much cheaper since much of this protection involved unpaid private citizens (Warner,
1968; Pastor, 2006). Other concerns came from a deeper level, relating to philosophical or
political arguments against government having a monopoly on policing (Pastor, 2003; John-
ston, 1992; Miller, 1977). The typical criticism centered on fears of excessive police power
(Miller, 1977). To those with this mindset, the cop on the beat represented an “ominous
intrusion upon civil liberty” (Miller, 1977). To others, the desire for security overrode esoteric
constitutional provisions. The tension was between the need for security and the desire to
maintain constitutional protections. This same concern is often echoed today relative to
public policing and by some who oppose private policing (Pastor, 2003).
Finally, the notion of sovereignty was a powerful argument in favor of municipal policing
agencies. Since the medieval period, there has been a gradual tendency to limit the use of
power or coercion. It was widely believed that the “eye for an eye” retribution standards
caused much violence, if only in response to the initial violent act. Notwithstanding the
potential for deterrence, or even the justification of retribution, the notion that government
should be the exclusive arbitrator of violence had compelling logic. With this viewpoint,
government was in charge of retribution and attempted to limit the use of violence by private
individuals. In turn, government was increasingly saddled with the burden of controlling
crime and capturing and punishing criminals (Pastor, 2006).
P R O V I S I O N
Substitute Supplement
x Corporate security x Corporate campuses
L O C A T I O N
Figure 7-1
Provision
In the Private/Substitute cell, the typical provision is that security personnel, either contract
or proprietary, provide the majority (if not all) of the security services. This does not mean
that public police officers do not or cannot enter into these private facilities and properties. It
simply means that public police do not routinely enter or patrol there. For example, public
police typically do not stand guard at the entrance to a manufacturing plant. Of course, if a
crime occurs, law enforcement personnel are often called to the private property. The cell is
not a complete substitute; however, it is largely a substitute, and for some firms it may be an
almost exclusive substitute. Consequently, this cell represents the norm in the security
industry.
In the Public/Substitute cell, the examples are the towns of Reminderville, Ohio, and Sussex,
New Jersey, which fired their police officers and hired security personnel in their place. The
security officers patrolled the town, answered calls for service, took reports, and made
arrests. The private security personnel acted as a substitute for the public police. These
services were provided within the public domain as if the security officers were the police.
These highly unusual and controversial substitute arraignments were terminated after a
short period. Too many problematic issues are tied to such arrangements.
The last two cells, Private/Supplement and Public/Supplement, are the growth environments
for the security industry. In these cells, the focus is on supplementing or enhancing the public
safety already provided by policing agencies. For example, college campuses often feature
undefined or loosely defined boundaries between themselves and the larger community.
Since university or campus police are often vested with police powers, they can conduct
themselves and make arrests as do municipal police officers. Although the police powers
may be derived from government, if these university or campus police officers are employed
by a security firm, then this is an illustration of private policing. An even more common and
clear example occurs within gated residential communities and on corporate campuses. In
these environments, the typical provision of security services is from private firms.
As in the Private/Substitute cell, there is overlap between the service provision of public and
private entities. The overlap is much more pronounced in the Private/Supplement cell.
There the public police may regularly or semi-regularly patrol the gated community or a
college or corporate campus. The involvement of public police in these areas is usually more
than in the Private/Substitute areas but substantially less than in public streets, parks, and
the like (i.e., in the public realm). The provision of security services by private firms in this
cell (Private/Supplement) is already extensive.
The Public/Supplement cell, then, is the focus of this chapter. It is there that the greatest
opportunities for the security industry exist. This is also where most of the problems and
pitfalls reside.
The prospect for private policing is likely to grow substantially. Factors driving this growth
include the following:
Each factor increases the need for private policing in public environments. Many countries
in Europe, such as England and Sweden, are well into this transformation. For example,
Project Griffin, a program of London’s Metropolitan Police Service and the City of London
Police, has three components: training, communications, and the deployment of security
officers in the event of a major incident. The training is provided to security officers by the
police. The communication methods include a “bridge call” every week, where the police
intelligence bureau updates security managers on current threats, recent crime trends, and
upcoming events. Deployment of security officers alongside police will occur in the event of
a major incident. To date, about 500 security officers have been trained for this deployment.
(More information is available at http://www.met.police.uk/projectgriffin and http://www.
cityoflondon.police.uk/CityPolice/Departments/CT/ProjectGriffin.)
Another European example was pioneered by the Sweden-based security firm Securitas,
which has provided a “time share” service to residential and commercial clients. This
concept provides patrol and other security services to numerous clients, who each pay a
proportionate share of the costs. In essence, the time share concept is similar to buying a
fractional share of a condo unit and gaining the right to use the unit for a proportionate
period per calendar year. This service is provided in public places in various European
locations, including Trondheim, Norway, where Securitas security officers patrol a business
district.
The use of private security personnel to provide services within public areas is illustrative of a
new policing model, which may be called public safety policing. This model is a blend of
public and private entities with a defined delegation of duties or functions. These duties or
functions can be considered a division of labor (Bayley & Shearing, 2001). This division of
labor should include a structural component that enables the entities to blend the delivery of
public safety services through operational and administrative processes.
Still, many people from both entities sensed that more formalized relations were necessary
to cope with growing crime and public safety concerns. The Law Enforcement Liaison
Council (LELC) and Private Security Services Council of ASIS International, along with the
Private Sector Liaison Committee of the International Association of Chiefs of Police (IACP)
and other significant associations, have set the stage for this transformation.
Innovations like Operation Cooperation have been instrumental in this development. Opera-
tion Cooperation is, in essence, a goal and a program. Its goal is to communicate certain
partnership models, where security and police work together to combat crime and deliver
public safety services. From a programmatic perspective, a group of law enforcement and
The cause of law enforcement–private security partnerships gained additional support more
recently when the Office of Community Oriented Policing Services, U.S. Department of
Justice, funded production of three valuable resources: a video detailing successful
partnerships, Law Enforcement & Private Security: On the Job Together (2008); a major guide
called Operation Partnership: Trends and Practices in Law Enforcement and Private Security
Collaborations (2009); and a free, one-hour e-learning course on forming such partnerships,
Team Up: Action Planner for Police-Security Partnerships (2010). All three resources are
available online.
The time has come to institutionalize coordination and cooperation between security and
police personnel through structural and contractual relationships. The value of partnerships
is limited unless more concrete ties are developed between private security and public
police. Personal relationships can be fickle, and existing partnerships have not completely
broken down the barriers between the two groups of professionals. Attitudes and histories
often die hard, but the insidious motivations of terrorists necessitate the acceleration of
structural cooperation between security and policing (Simeone, 2006). The details of future
relationships have yet to be articulated, but enhanced structural coordination would not be
possible without the tireless efforts of the professionals who developed and built
foundational partnerships.
The transition from a partnership model to a structural model can be illustrated by various
statistical trends. For example, as a consequence of the September 11, 2001, terrorist attacks,
certain security firms predicted revenue growth in the range of 10 to 12 percent per year
(Perez, 2002). In September 2001, there were 104,000 security officers in New York City. By
October 2003, the number of security officers had risen to 127,006 (National Policy Summit,
2004). This level of growth is not atypical in the security industry. For example, in England
there are now about 333,600 security personnel, compared to only 150,000 in 1996 (Sarre,
2005). In South Africa, private security personnel outnumber public police by a ratio of 5 to 1
(Sarre, 2005). In addition, statistics in continental Europe reveal a substantial presence of
security personnel. Recent estimates reveal that there are approximately 530,000 security
personnel, Germany having the most (Prenzler, 2005). Similarly, Australia witnessed an
increase in security personnel from 22,975 in 1986 to 34,854 in 2001, a 52 percent increase,
while police experienced only a 19 percent increase during the same period (Prenzler, 2005).
The growth of private security can be illustrated by two huge international firms that
dominate the security industry. Securitas had revenues of $5.8 billion with a net income of
$115.2 million in 2001 (Perez, 2002). Its revenues increased to $6.6 billion in 2005. The firm
employs 220,000 people worldwide, with 124,000 in the United States. Since 9/11, it has hired
about 10,000 more guards to serve U.S. accounts (Perez, 2002). Similarly, Group 4 Securicor,
a Danish firm, had 2001 revenues of $2.81 billion, with a net income of $3.7 million (Perez,
2002). This firm employs 58,000 guards worldwide, with 38,000 in the United States, of which
about 3-5 percent are directly attributable to 9/11 (Perez, 2002). In 2005, Securicor had
revenues of $4.13 billion dollars, employed 50,500 employees in the United States, and had
about 400,000 full- and part-time employees worldwide.
Those in the security industry are well acquainted with the Hallcrest reports (see
Cunningham et al., 1991). These reports sought to compare the U.S. security industry to
public law enforcement quantitatively. The data revealed that security personnel greatly
outnumber police officers (Pastor, 2003). More recent census data show that the number of
full-time sworn police personnel is estimated at 796,518. In comparison, security industry
estimates suggest that more than 2 million people were employed by security firms in 2000
(Zielinski, 1999). Whatever the exact numbers, the difference between the fields is so great
that some argue private security is now the primary protective resource in the United States
(Bailin, 2000; Cunningham et al., 1991).
The ratio of public police officers to reported crimes has seen an even greater change. In the
1960s, there were about 3.3 public police officers for every violent crime reported. By 1993,
the numbers had reversed, and there were 3.47 violent crimes reported for every public
police officer (Walinsky, 1993). Thus, each public police officer in the 1990s had to deal with
more than 10 times as many violent crimes as a police officer in the 1960s (Walinsky, 1993;
Pastor, 2003). Walinsky notes that to return to the 1960s ratio of police to violent crimes,
about 5 million new public police officers would have to be hired by local governments
(1993). That will not occur. Indeed, what did occur during this time frame was an explosive
growth of the security industry (Cunningham et al., 1991).
Data from the U.S. Department of Justice suggest that the cost of public policing increased
from $441 million in 1968 to about $10 billion in 1994. This represents a 2,100 percent
increase in the cost of public policing, while the number of violent crimes rose 560 percent
from 1960 to 1992 (Walinsky, 1993). As crime rates increased, the monies used to combat
crime also dramatically increased. The Justice Department reported approximately 1,383,000
violent crimes in 2003 (475.8 per 100,000 population) and 1,367,000 in 2004 (465.5 per
100,000 residents). These data reflect a generalized decrease in crime rates within the U.S. in
the past decade.
Some authors attribute this reduction of crime rates, at least in part, to the growth of private
security (Davis & Dadush, 2000), though the proposition is debatable. A related question is
whether any additional spending on public policing would result in a further reduction.
Based on this short historical and statistical overview, the answer appears to be negative.
The impact of security may even be more substantial than the data suggest. Indeed, the
growth of the security industry can be viewed by its involvement in businesses, homes, and
communities throughout the country (Pastor, 2003; Zielinski, 1999; Carlson, 1995; Goldberg,
1994). This involvement includes such diverse services as alarm systems, security guard
services, and investigative and consulting services. The growth of such services caused one
observer to note, “We are witnessing a fundamental shift in the area of public safety. It’s not
a loss of confidence in the police, but a desire to have more police” (Tolchin, 1985). Indeed,
th
today’s security industry is being compared to public policing in the mid-19 century. One
security firm owner stated, “This is a significant time for the private security industry. People
are just beginning to realize its potential. I see private security much like what public law
enforcement was in the 1850s” (Spencer, 1997). This assertion seems even more relevant in
the face of terrorism. Consequently, some see private policing as the “wave of the future”
(Goldberg, 1994; Benson, 1990). Numerous authors argue that there is a need for more
police, or at least more protective services (Dilulio, 1995; Walinsky, 1993; Cunningham et al.,
1990; Spitzer & Scull, 1977; Benson, 1990; Clotfelter, 1977; West, 1993; Seamon, 1995). Other
authors are more critical of the ability of the public police to provide an appropriate level of
protection (Benson, 1990; McLeod, 2002). Either way, another author observed, “People want
protection, and what they cannot get from the police, they will get from private security
companies” (Kolpacki, 1994). Consider the implications of these statements in the light of
terrorism. Police are finding that, in addition to their crime-fighting duties, they now have
significant homeland security responsibilities (National Policy Summit, 2004). This assertion
was echoed by Judith Lewis, former captain with the Los Angeles County Sheriff’s
Department, who observed (Stephens, 2005):
The expectations of law enforcement as first responders for homeland security have put an
almost unachievable burden on local law enforcement. Local law enforcement is not
designed organizationally to support the cooperation needed, and its officers don’t have the
training and technology to do the job. … Currently, traditional law enforcement is being left
behind.
The cost of public policing seems to increase steadily. For example, during the period 1967-
1973, the average salary for state and local police increased 56 percent, while the average
salary for employees of private security firms increased only 34 percent (Clotfelter, 1977).
Further, personnel expenditures are often the largest municipal budgetary line item. Just two
groups—police and fire—represent about 55 percent of the total expenditures for the City of
Chicago (Miranda, 1993). A study of New York City revealed that over a 25-year period, the
number of public police officers rose from 16,000 to 24,000. However, the total annual hours
worked by the entire force declined (Savas, 2000; Pastor, 2003).
Municipalities spend a large proportion of their budgets on the salaries and benefits of
public police officers. It is doubtful whether that pay structure can be sustained.
Several authors have argued that certain operational functions drive up the costs of public
safety services. For example, in the United States, citizens have been urged to call 911 for
decades. This computerized call-taking system has resulted in huge increases in workloads in
police departments. Calls for such conditions as barking dogs, street light repairs, noisy
neighbors, unruly children, alarm response, and the like have created a difficult unintended
consequence for police agencies (Pastor, 2005). The problem has been lessened with the use of
311 (nonemergency police response) and call stacking (prioritizing calls for dispatch based on
the level of seriousness). However, these approaches have not resolved the basic dilemma—
serving the community with the resources allocated to the department (Pastor, 2005).
The budgetary and operational dilemma for law enforcement officials may be best illustrated
by alarm response. Alarm response refers to police being dispatched to burglar, fire, or panic
alarms from commercial, industrial, and residential facilities. Often the problem with alarm
response is attributed to the high rate of false alarms, which is as high as 95 percent or more
(Benson, 1990; Olick, 1994; Cunningham et al., 1990). That is only part of the problem. In the
1980s, only 2 percent to 5 percent of residences had alarm systems. This figure was estimated
at 10 percent in the 1990s and about 20 percent from the year 2000 (Litsikas, 1994;
Cunningham et al., 1991). As the market for security alarms increased, the burden of alarm
response for police agencies also increased.
The impact of this one service hinders the ability of the police to perform their overall mission:
to serve and protect society. For example, according to the Seattle Police Department, alarm
response accounts for its second largest resource allocation. In just one year (2003), Seattle
police officers responded to over 22,000 alarm calls, averaging about 62 alarms a day at a total
estimated cost of $1.3 million.
Many police agencies are looking for ways to deal with this problem. Private policing may
provide the best way to resolve this financial and operational dilemma. For example, in
Johannesburg, South Africa, there is a growing market for alarm response conducted by
private firms. More than 450 registered companies provide alarm response services, serving
about 500,000 clients and employing about 30,000 private officers (Davis & Dadush, 2000).
These officers are equipped with 9mm weapons and bulletproof vests but have only normal
citizens’ arrest powers. The average response time to the protected facility is five minutes. At
least in part, this service provision evolved from the public’s lack of confidence in the
responsiveness of the police. Administration of these services seems professional when mea-
sured in terms of citizen complaints, use-of-force incidents, and the average response time
for alarm calls (Davis & Dadush, 2000).
Approximately 80 percent of police resources are used in “social worker, caretaker, baby-
sitter, and errand boy” activities (Benson, 1990; Pastor, 2003; Reynolds, 1994). Stated another
way, only 20 percent of police officer work is devoted to crime-related matters (Youngs,
2004). A Police Foundation study also found that instead of watching to prevent crime,
motorized police patrols are often merely waiting to respond to calls for assistance (Benson,
1990). The study asserted that about 50 percent of police duty time is spent simply waiting
for something to happen (Benson, 1990). While police officials claim this time is devoted to
preventive patrols, Benson argues that systematic observations suggest otherwise. Such
observations reveal that much of the time is occupied with conversations with other officers,
personal errands, and sitting in parked cars on side streets. While some of these activities
may be necessary, the compelling conclusion of these studies is that municipalities will not
be able to afford the status quo (Pastor, 2003). Partly as a result of this situation, the Toronto
Police Department reported that more than 60 percent of all calls to the police are handled
by alternative response units, which include private police acting as a supplement to public
police departments (Palango, 1998; Pastor, 2003).
Partly because of the widespread use of community policing, municipal police agencies have
reoriented their approach to crime control. This policing model has attempted to change
public policing away from its traditionally reactive approach toward proactive crime fighting.
That approach, however, presents its own operational difficulties and incentives. Typically,
security firms are more oriented toward pleasing their clients—typically by preventing prob-
lems, including crime. In contrast, public police have less incentive to prevent crime since
they are expected to produce arrest statistics and other quantifiable measures (Benson,
1990). The result is an operational incentive geared toward waiting for crimes to be
committed in order to make the arrest.
In recent years, the focus on crime prevention and community policing has changed this
incentive. However, a proactive crime control strategy is costly to administer and is very
labor-intensive (Pastor, 2003). Community policing has created additional tasks that were
largely ignored by traditional enforcement-oriented police departments (Moore & Trojanow-
icz, 1988; Trojanowicz & Carter, 1990). These tasks include beat meetings, crime prevention
missions, accountability sessions, and other service and communication tasks. While
community policing appears to have had some success in reorienting the police to a more
proactive, client-friendly approach, the monies used to support this strategy are now largely
exhausted (Pastor, 2006).
Notwithstanding the exhaustion of federal community policing monies, a basic problem with
fully implementing community policing involves the resources and personnel levels
associated with these tasks (Oliver, 2004). That challenge may lead public police to transfer
tasks to or supplement their strength with private security personnel. Crime prevention and
order maintenance have long been the forte of private security. With these functions in
mind, private policing is predicted to play an increasing role in public safety (Pastor, 2006).
The form of this new policing model may mirror the community policing approach, which is
premised on client service designed to prevent and control crime. In this sense, private
police will be used to supplement public police in service and order maintenance functions.
This allows public police officers more time for addressing serious crimes, including terrorist
violence. Carlson asserts that communities are certain to follow this approach because “they
may have to” (1995). For comparison, he observes that hospitals were forced to give more
responsibility to nurses due to rising medical costs. He adds:
Cities may find that sworn police officers—whom they must train, pay relatively well and
sustain pensions—are too expensive for fighting and deterring certain types of low-level
crimes. To maintain basic civic order, rent-a-cops may be a better deal.
Private police officers are not “rent-a-cops” but alternative service providers. Many needed
and valuable services can be performed at a lower cost compared to public police officers.
Contracting certain service tasks can be equated to the common business practice of
outsourcing (Youngs, 2004). These tasks include the following:
In sum, public police are overburdened with many service-oriented functions (Pastor, 2003).
Private police can help resolve both functional and economic constraints. Indeed, the threat
of terrorism will only exacerbate these constraints—thereby accelerating the need for
alternative service providers. For example, about 85 percent of all critical infrastructures in
the United States are already protected by private security personnel (Simeone, 2006).
Private police services are financed by business or property owners, either through special
taxing initiatives or more directly through contracts with property or community associations.
With these funding sources, private policing services could be sustained with little or no
municipal expenditure. Consequently, the economic benefits derived from privatized service
providers can help relieve already strained municipal budgets (Pastor, 2003).
Obtaining private security services through a taxing initiative usually involves the creation of
a special taxing district. The district may be given broad powers to promote economic
development or stability through health, safety, and environmental improvements. The spe-
cific source of the monies can be a tax on real property or a sales tax levy. Since the tax is
confined to a certain geographic area, the local property or business owners usually maintain
control over the authority vested in the district. Participation in this authority usually
requires a certain connection to the geographic area, such as being a property owner,
working in or owning a business within the district, or owning stock in a corporation within
the district (Pastor, 2003).
The theory underlying order maintenance contends that crime problems originate in
relatively harmless activities. Public drinking, graffiti on buildings, and youths loitering on
street corners are common activities in certain areas. If these activities go unchecked, the
level of fear and incivility begins to rise. Over time, more serious crimes, such as gang fights
or even drive-by shootings, may take place. Disorder tends to reduce the social controls
previously present in the area. This results, at least in theory, in increased crime, which
contributes to the further deterioration of the physical environment and the economic well-
being of the community (Pastor, 2003).
The development of order maintenance theories can be traced to a line of thinking that
initially focused on conditions in cities, particularly in slums. In these areas, conditions such as
“physical deterioration, high density, economic insecurity, poor housing, family disintegration,
transience, conflicting social norms, and an absence of constructive positive agencies” were
deemed contributors to criminal behavior (McLennan, 1970). Over time, researchers started to
shift their focus from socioeconomic factors toward the physical characteristics of the
community. For example, Cohen and Felson (1979) argued that the completion of a crime
requires the convergence in time and space of an offender, a suitable target, and the “absence
of guardians capable of preventing the violation.”
This focus on environmental factors was found in a number of other studies. Gibbs and
Erickson (1976) argued that the daily population flow in large cities “reduces the effectiveness
of surveillance activities by increasing the number of strangers that are routinely present in the
city, thereby decreasing the extent to which their activities would be regarded with suspicion.”
Similarly, Reppetto (1974) concluded that social cohesion and informal surveillance decline
when a large number of people live in a given area (Jackson, 1984). Lewis and Maxfield (1980)
took this logic to the next level. They focused on specific physical conditions within the
environment, seeking to assess the impact on those conditions on crime and the fear of crime.
Their research assessed such factors as abandoned buildings, teen loitering, vandalism, and
drug use. They believed those factors draw little attention from police partially because
police have limited resources to deal with them. The researchers noted that such problems,
nonetheless, are important indicators of criminality within any community.
The implications of these studies are clear. When faced with disorderly conditions, individuals
tend to feel a greater exposure to risk and a loss of control over their environment, and they are
more aware of the consequences of a criminal attack (Fisher & Nasar, 1995). This thinking
further advances the concept of situational crime prevention by assessing the circumstances
surrounding the crime. This assessment takes into account the intersection of potential
offenders with the opportunity to commit crime. Researchers argue that a particular crime
could be prevented through measures designed to reduce the offender’s ability (or even
propensity) to commit crimes at specific locations (Pastor, 2003).
These conclusions have been echoed by a number of other authors, including Kelling (1995).
He asserts that citizens regularly report their biggest safety concerns to be things like
“panhandling, obstreperous youths taking over parks and street corners, public drinking,
prostitution, and other disorderly behavior.” Each of these factors was identified as a
precursor to more serious crime. Moreover, the failure to correct disorderly behavior may be
perceived as a sign of indifference. This indifference communicates the message that no one
cares—which may, in turn, lead to more serious crime and urban decay (Kelling, 1995).
Consequently, the key to crime control is to address both the physical and social conditions
that foster crime.
Implicit in these findings is the desire to prevent crime or reduce the conditions or factors
that foster crime. These conclusions have been embraced by both public police and private
security. A key component of these preventive methods is order maintenance, which can be
accomplished in a number of ways, including the rehabilitation of physical structures, the
removal or demolition of seriously decayed buildings, and the improvement of land or
existing buildings by cleaning and painting. Other relatively simple environmental
improvements are recommended, such as planting flowers, trees, or shrubs to enhance the
“look and feel” of an area (Pastor, 2003). These physical improvements, coupled with efforts
to reduce or eliminate certain antisocial behaviors, such as loitering, drinking and drug use,
fighting, and other disorderly behaviors, are at the core of an order maintenance approach to
crime prevention. The goal is to correct these conditions and behaviors before more serious
crimes occur.
Viewed in this broad manner, security can encompass such diverse factors as trash collection,
planting flowers, and private police patrols. Each service is designed to improve conditions
within an area. The advent of terrorism will only magnify this environmental focus. For
example, an unattended package or an unidentified vehicle may actually contain a bomb.
While these threats are difficult to remedy, this focus on the environment has been echoed by
st
Kaplan, who views the environment as the security issue of the early 21 century (1994).
In public policing, these order maintenance techniques are encompassed in the concept of
community policing (Moore & Trojanowicz, 1988; Kelling, 1995; Palango, 1998; M. Robinson,
1997; Seamon, 1995; Kolpacki, 1994; Spencer, 1997; Cox, 1990; Johnston, 1992). In essence, a
core goal of community policing is to focus on fear reduction through order maintenance
techniques (Moore & Trojanowicz, 1988). In this sense, crime and fear reduction through
order maintenance are in accordance with the environmental theories articulated above.
Community policing also strives to reduce calls for service by addressing the underlying
reasons for the calls.
In the private sector, the focus has long been on prevention (Chaiken & Chaiken, 1987;
Shearing & Stenning, 1983; Cunningham et al., 1990). The similarity of private security and
community policing techniques can be narrowed to one core goal: both are intended to use
proactive crime prevention that is accountable to the client or the citizen, respectively
(Kolpacki, 1994; Pastor, 2003). Private security is particularly well suited to perform order
maintenance. At least partly because of that sector’s crime prevention focus, private security
personnel have replaced public police in the protection of business facilities, assets,
employees, and customers (Pastor, 2003). Private security personnel provided what the
public police could not. Specifically, security firms provided services for specific clients,
focusing on the protection of certain assets, both physical and human, as their primary or
even exclusive purpose.
Security personnel attempt to predict reasonably foreseeable crime and develop precautions
against it (Gordon & Brill, 1996). A substantial body of law has grown around the
environmental aspects of crime. Tort claims on grounds of premises liability or negligent
security have provided explosive business for personal injury attorneys (Pastor, 2003). These
lawsuits stem from a negligence-based legal theory that questions whether the business or
property owner knew or should have known that a criminal would commit a crime within the
property (Pastor, 2006).
This legal exposure helped create a significant consequence. Property and business owners
were motivated to institute security measures within and around their property or business
location. The exposure serves as both carrot and stick. The carrot is a safe and secure place to
do business and to live or work in. Of course, a safe and secure environment will not hurt the
reputation of the business or the viability of the property. The stick is potential liability with
substantial jury awards. In addition, media exposure stemming from crime, coupled with the
reputational and public relations damage associated with an incident, provides substantial
motivation to secure the premises from criminals. Consequently, security began to be seen
as an asset and crime control as a duty.
The result was a growing use of security personnel and methodologies. Business and
property owners started to think and worry about security, becoming more proactive in their
approach to a safe and secure environment. For security firms, the legal exposure created
opportunities. It brought security closer and closer into the realm of the average citizen.
Security personnel began to be used routinely at businesses and large corporations, which
began to focus on the protection of employees and clients instead of simply focusing on asset
protection. In this sense, security became more mainstream. It became part of people’s
workplaces, apartment buildings, and hospitals. Private security became “the people.” This
relationship of the security industry to mainstream society also increased the scope of
services provided by private police (Pastor, 2006).
As premises liability and negligent security lawsuits developed, the liability of business and
property owners expanded farther and farther from the protected facility. Indeed, it is now
common for security patrols for properties and businesses to extend into the streets and
other public areas to prevent crime and provide a safe and secure environment. Private
police have become another security layer in the public domain.
Public police had and still have a much more difficult task incorporating crime prevention
into their organizational structure. The challenge arises from their mission to enforce laws
uniformly throughout society, as well as the need to preserve democratic and constitutional
ideals. Considering the many burdens of public police, it is reasonable to conclude that the
role of private security will continue to increase. Many have advocated that private police
play a larger role in the prevention of crime in areas traditionally and exclusively patrolled by
public police (Chaiken & Chaiken, 1987; Palango, 1998; McLeod, 2002; Benson, 1990). The
use of order maintenance techniques will prove to be an important function used by private
policing (Pastor, 2003).
The levels of fear are greatest where there is a concern about both crime and incivility. If
incivility (or disorder) is not perceived to be a problem, then residents may be able to cope
with higher rates of crime (Lewis & Maxfield, 1980). This conclusion has important implica-
tions. Communities must deal with both the crime rate and the physical and social indicators
that lead to the perception of incivility and disorder (Lewis & Maxfield, 1980).
Another implication of these theories is that private police will increasingly be used to
combat or respond to crime (Benson, 1997; Tolchin, 1985; Cunningham et al., 1990; Spencer,
1997; Meadows, 1991; Walinsky, 1993; McLeod, 2002; Bailin, 2000). These authors and many
others have predicted or shown that private security personnel are being hired in response to
the incidence of crime. This assertion is echoed by Stephanie Mann, author of Safe Homes,
Safe Neighborhoods, who asserted that “people need to take responsibility for their safety. …
Citizens are the law and order in a community, not the police” (Litsikas, 1994). This view is
based on the impact of normal crime. With the threat of terrorism, it seems particularly
appropriate to assert that government cannot implement the necessary remedies to deal
with crime and terrorism (including the attendant fears) without the contribution of the
private sector (Pastor, 2003).
Still, there is ample evidence that private firms can deliver more efficient services at a lower
cost. Savings are typically based on the following (Donahue, 1989):
Proponents of privatization argue that market competition results in more efficient service
delivery, especially when many similarly situated firms are ready, willing, and able to provide
such services (Morgan, 1992; Donahue, 1989; Benson, 1990). The absence of competition in
the public sector allows for complacency, with little incentive to provide better service at the
lowest cost possible.
Opponents of privatization argue that reduced labor costs are illusory because they are
achieved through hiring less qualified and less trained personnel, providing inadequate
benefits to employees, using hiring practices that focus on part-time employees, and even
using creative accounting methods (Bilik, 1992). The cost of contract bidding and
administration must be assessed, as it adds to the bottom line and may even invite
corruption (Hebdon, 1995; Donahue, 1989; Chaiken and Chaiken, 1987). Other authors
contend that without adequate competition, the ill effects of monopolies will result (Shenk,
1995; Clemow, 1992; Schine et al., 1994; Bilik, 1992; Donahue, 1989; Hebdon, 1995).
The use of private service providers does not necessarily result in lower costs or better service
quality. However, the benefits of limited privatization far outweigh the negatives. This is
especially true in the case of public safety services, where the failure of law enforcement to
protect society is potentially measured in thousands or even hundreds of thousands of lives.
Given the threat posed by terrorists with weapons of mass destruction, the concerns voiced
by privatization opponents seem pale. Still, it is critical to maintain competition among
private sector vendors; enforce accountability; and develop and maintain standards for the
selection, training, and hiring practices of private security firms. As Donahue states, the
“evidence is overwhelming that where…negligence or the nature of the service itself
undercuts competition, the benefits of privatization shrink or vanish” (1989).
Carlson identifies five specific categories of distinction between public and private policing
(1995):
x Philosophical. Private police may lack the moral authority that government can give to
law enforcement.
x Legal. Private police are hobbled by the law, with only limited powers of arrest, usually
restricted to the commission of crimes within their presence. However, those with special
police status have nearly all powers of public police, including authority to make
arrests and carry guns.
x Security/Political. Private police give citizens more control over their own safety by
augmenting police efforts, helping to maintain order when police are spread thin. Also,
private policing encourages citizens to follow community standards in a way that police
officers cannot or do not.
These categories raise many questions. For example, the perception that security personnel
do not possess the same legal and moral authority as public police officers may affect how
private officers perform their jobs. When a private police officer directs someone to refrain
from loitering, the person’s willingness to comply may depend on whether the officer has the
authority, either legal or moral, to force compliance (Pastor, 2006).
Another issue involves the level of control over the functions of the private police and how
responsive the private police are to the needs of the client. It may not even be clear who the
client is. Is it the property owners who contribute their monies through real estate taxes? Is it
the larger community, or even anyone who happens to drive through the neighborhood? In a
community policing model, the public police are urged to be more accountable to the
citizens they serve. In this sense, the citizens are the clients.
Another way to distinguish public and private police is by the roles they take or functions
they perform. The distinctive aspects of these policing functions are outlined by Chaiken and
Chaiken (1987), as shown in Figure 7-2.
Figure 7-2 distinguishes the functions of private and public police dramatically. One of the
most profound distinctions regards the input—that is, the person for whom the service is
designed or intended. In private policing, the bill payer is usually deemed the client. In
public policing, the citizen or society is the client (Shearing & Stenning, 1983).
Figure 7-2
Functions of Private and Public Police
A corporation performs both a private and public function by hiring security personnel and
equipping them with uniforms, badges, and weapons. The generally accepted responsibility
or function of security in this context is to enforce certain rules or laws on the company’s
property (McKenzie, 1994). Consequently, this seemingly private function provides an
external benefit to the larger society, or at least to the citizens who happen to be within the
protected facility or area (Pastor, 2003).
This input distinction explains much about the service orientation of the two entities.
Particularly in the private sector, the need to please the client cannot be underestimated.
Private security personnel tend to view behavior in terms of whether it threatens the interests
of the client (Shearing & Stenning, 1983). However, what constitutes the interests of the
client is not always clear or consistent (Dalton, 1993). That presents a challenge because
knowledge of a client’s interests may affect how a security firm performs its duties.
Another important distinction regards the output of the service. Private security today tends to
focus on loss reduction or asset protection. However, the role of private security may be
shifting back to its historical roots. If so, private policing could renew some of its enforcement
orientation, which has become the almost exclusive realm of public policing agencies (Benson,
1997; Tolchin, 1985; Cunningham et al., 1990; Spencer, 1997; Meadows, 1991; Walinsky, 1993;
Bailin, 2000).
Perhaps the most important distinction involves the delivery system. For private police, the
delivery system is profit-oriented firms or corporations. With public police, it is government.
The competition in which companies engage drives better service and value. Conversely,
monopolies, such as police departments, tend to be less efficient, even complacent. If a
security firm is not performing well or is not providing good value, it can be fired. In public
policing, however, citizens cannot directly fire their police department. While they may
petition political leaders for redress, doing so is not nearly as effective as exercising a 30-day
termination clause, as is common in the security industry.
As Moore and Trojanowicz assert, police are responsible for managing crime and its effects.
No other government agency regards itself as specifically responsible for crime (1988).
However, if the police cannot prevent crime, one logical response is to hire private security
firms to do so. In this way, private police can be viewed as an additional layer of security for
the community. As Carlson explains, private security firms can help restore community life,
allowing people to worry less about crime and spend more time building families and
neighborhoods (1995). Few people would argue against targeting crime and reducing its
impact on society.
The scope and details of these arrangements vary widely. In rare cases, private security has
replaced public police in a jurisdiction. In most private policing initiatives, some level of
partnership forms the basis for the arrangement. Such partnerships make sense. The two
entities have many similar goals, such as reducing crime and fear through an environmental
or order maintenance approach. The commonality of goals may foster cooperation in the
spirit of public safety. For example, public police may rely on private police to carry out tasks
they prefer not to undertake. In return, public police provide some needed services, such as
expeditious response to calls for assistance (Chaiken & Chaiken, 1987). Most public police
officials welcome fuller partnership with private security if it frees up their officers for crime
fighting (Pastor, 2003).
The models presented below describe past or present privatized policing arrangements. Two
key factors in these models are the location of services and the provision of services. Locations
may be public or private, but sometimes the distinction is unclear. For example, a gated
neighborhood with a fenced perimeter has characteristics of both public and private locations.
(However, for present purposes such a space is deemed private because of its physical
separation from the larger community.)
As for provision of services, security personnel may be used to supplement public police,
replace public police, or provide a service that lies between those extremes. For example, in
some cases a private firm has only ancillary involvement in community safety. In other cases,
private security personnel may engage in proactive and tactical enforcement techniques,
designed to search out and arrest criminals. However, in most cases, the security firm acts
as a supplement to public police.
Accurate statistics on the scope of private policing are difficult to obtain. Thus, it is unknown
how common the following arrangements are.
The Frenchman’s Creek development in Florida hired a miniature tactical team called STOP
(Special Tactical and Operations Personnel). The team “roams the grounds every night
dressed in camouflage face paint to stay as unobtrusive as possible and give them the edge
on any intruder” (Cruickshank, 1994). This tactical team stays sharp by conducting exercises
with sophisticated equipment, including night vision gear and infrared detectors that
distinguish a human body from the surrounding vegetation. It also includes a marine patrol
and tickets speeders (Cruickshank, 1994).
Obviously, the scope of the project goes beyond what is traditionally viewed as security and
works to change both people’s perceptions and the physical environment. The New York Times
had described the area as “chaotic and forbidding, often filthy and sometimes dangerous”
(Carlson, 1995), but after two years of operation, the Grand Central Partnership saw crime drop
20 percent. After the fifth year, reported crime was down 53 percent (Carlson, 1995).
Explanations for the crime drop are varied. Some maintain that the private police perform
tasks in a cost-effective manner and are more flexible than public police (Carlson, 1995;
Patterson, 1995). GCP staffers offer other reasons. A retired New York City detective in charge
of GCP operations asserted, “Police are involved with other matters[;] they cannot concentrate
on the quality of life crime when they have major crimes. We are the eyes and ears of the police
department. …[T]hey appreciate our work because we try to solve some problems ourselves,
without police intervention” (Carlson, 1995). Another GCP staffer stated, “We don’t do
homicides, we don’t do rapes, but we do other quality of life things. … We do the work the
police have trouble getting [to] because they are so busy” (Carlson, 1995; Pastor, 2003).
These statements reflect an order maintenance approach, which is also demonstrated by the
workload handled by the security personnel. In 1994, the security personnel responded to
6,916 incidents. Only 624 of them required police assistance, and only 122 resulted in arrest
(Carlson, 1995). The result of this cooperative effort is that police are able to focus on more
serious crimes, and security personnel address the bulk of the service and order
maintenance duties (Pastor, 2003).
Selection criteria for these guards are similar to those for public police (Carlson, 1995). A
guard in the GCP must:
By contrast, their seven-day training is substantially less rigorous than training for public
police. Weekly follow-up training addresses use-of-force issues and security procedures.
Discipline within the ranks is strictly enforced. According to Carlson, absenteeism or
lateness, sloppy dress, smoking in public, and even minor rule violations are not tolerated
(1995). This level of discipline is particularly important because the security personnel wear
uniforms that resemble New York City police uniforms. They—like the police—also wear
radios and bulletproof vests.
Despite the favorable statistics, some people—including police officers—are not convinced
of the merits of this arrangement. The following statement sums up their reservations: “In
the eyes of the police, guards seem to occupy a confusing gray area between public official
and private citizen that many cops find disconcerting” (Carlson, 1995). However, other
private citizens and property owners care less about such legal niceties and more about their
own security. Some even claim that regardless of the cost paid for these services, the
protection received is well worth it (Carlson, 1995). One property owner stated, “Before the
security guards, there were no cops. Muggers would snatch a purse right in front of the store,
and they would be laughing, not even running away. … They can’t do that now. Without
guards, it’s like a jungle out there” (Carlson, 1995).
The GCP arrangement is built on the logic of order maintenance. The president of the GCP
stated, “When a citizen sees prostitutes, graffiti, rough talking panhandlers, and poorly
maintained buildings, he concludes that things are out of control and he forgoes use of that
street” (Blyskal, 1996).
The BID employs 28 private police officers. Candidate selection is highly competitive,
accepting only one of 25 applicants (Davis & Dadush, 2000). Each candidate must be 21 years
old, pass drug tests and psychological exams, submit to random drug tests, have a clean
felony record, and have no history of drug activity (Davis & Dadush, 2000). The starting salary
is $20,500, with an increase after one year, plus merit and promotional opportunities. Each
officer receives 96 hours of training at the NYPD academy on such topics as conflict
resolution, communication skills, legal topics, court procedures and testimony, investigative
techniques, and report writing (Davis & Dadush, 2000). These officers also receive in-service
training at roll calls and annual training in cardiopulmonary resuscitation (CPR) and baton
use. The officers do not carry firearms but do possess arrest powers. Approximately six
arrests are made per year, but only when the officers witness the crime. Incidents handled by
these officers usually relate to order maintenance and assistance to citizens (Davis &
Dadush, 2000).
Internal accountability is structured into this arrangement. Every private officer must pass
written exams each year. These exams focus on the code of conduct, post orders, and rules.
Merit increases are based on professional performance. In addition, the officers are under
CCTV surveillance and are subject to internal investigation complaints. Only six abuse
allegations have been made in nine years. These complaints are overseen by the BID’s public
safety committee and board. Finally, external accountability is accomplished by the court
system, the Department of Business Services, the NYPD, and, of course, the BID’s clients
(Davis & Dadush, 2000).
The district covers 80 square blocks, and 2,087 property owners pay a property tax surcharge
equal to 5 percent of the current city real estate levy (Seamon, 1995). In 1994, the budget was
$6.6 million. The budget is allocated to the following privately contracted services:
These allocations reflect a broad conception of security and an order maintenance approach.
The partnership also reflects a diverse combination of people and disciplines. A successful
privatization program requires city officials, police authorities, and security managers to
work together in a way that promotes trust and creates bonds between the public and private
sectors. The parties must also clearly understand their respective roles (Seamon, 1995). To
reach its goals, the partnership set up its daily operations to foster collaboration. City police
officers and the BID’s security officers (called community service representatives) share
headquarters and locker facilities, conduct joint roll calls, and are regularly addressed by
police detectives on current crime conditions (Seamon, 1995).
Philadelphia Police Department statistics reveal that from 1993 to 1994, crime decreased by 6
percent in the CCD area. By way of comparison, during the same period crime rose 1 percent
in the Central Police Division.
The security force consists of 45-50 officers. Their training curriculum ranges from problem-
solving techniques, customer service, and hospitality to police procedures, use of force, radio
communications, first aid, CPR, and victim assistance (Seamon, 1995). The minimum
standards include two years of college, an age of 21 years, and the completion of a background
investigation (Seamon, 1995). These are higher standards than those for typical security
guards (Pastor, 2003).
x market attractions
x special events
x private security
The tax revenues guarantee business owners their own security protection (Mokwa &
Stoehner, 1995). The security force consists of 6-30 patrol officers, depending on the shift or
the particular event. The St. Louis Police Department allocates 10 patrol vehicles and 30 foot
patrol officers to the downtown area. In addition, some off-duty police officers serve on the
security force. Partly because of the interrelationship between the security force and the
police, the security personnel have the same powers of arrest as police. Just like the police,
security officers wear uniforms and walk their beats—using reasonable force when necessary
to stop a crime (Mokwa & Stoehner, 1995; Pastor, 2003).
The selection criteria are sophisticated. A security officer must have an outgoing personality,
knowledge of the St. Louis metro area, and two years of prior experience in the security
industry. In addition, an officer must pass a psychological test and several personal
interviews. The training consists of a 16-hour course designed and administered by the St.
Louis Police Department. The training stresses police policies and procedures. The security
firm also conducts a 16-hour public relations course. When the training is completed, the
security officers are licensed by the St. Louis Police Department and are given arrest
authority by the city’s police board (Mokwa & Stoehner, 1995). With this regulation and
proclamation, the private police officers are vested with “special police” powers.
This supplemental private/public partnership has been credited with a reduction in crime.
The total number of crimes in downtown St. Louis declined almost 10 percent in one year
(from 306 in 1993 to 276 in 1994), and auto theft rates dropped 31 percent (Mokwa &
Stoehner, 1995).
Local property owners petitioned the state legislature to create the GGPMD. The legislature
approved the district in 1991, and a tax levy of 10 cents per $100 of assessed property value
was established (Robinson, 1996). The district is administered by a 22-member board of
directors appointed by the governor. The board is headed by an executive director, who is in
charge of operations. It also includes a security manager, who is in charge of security and
public safety.
The crime rate dropped 25 percent in the year following the implementation of the
initiatives. In addition, the occupancy rate of business units in the district rose to become
one of the highest in Houston (Robinson, 1996). In short, the arrangement was deemed to
have contributed to the betterment of the city’s overall environment.
vested with the same arrest powers as public police officers. They are well-trained, armed,
and wear uniforms that are similar but not identical to those of the local public police. After
the introduction of private patrols, crime decreased, bus ridership increased, and people’s
satisfaction with the bus system improved (Bureau of Justice Assistance, 2005).
The private police officers wear blue police-like uniforms, carry pepper spray, use radios, and
exhibit a friendly, courteous manner (Brown, 2004). The patrols take place on foot and on
bicycles. Training of these officers lasts three weeks or about 120 hours. A deputy chief of the
Dallas Police Department noted that this force will work as extra eyes and ears of the police
(Brown, 2004). It is interesting to note that Brown, writing in a police magazine, discussed
these private patrols in a negative manner. She stated that “inexplicably” the Dallas police
brass seem to be in favor of “losing department jobs to the private sector.” She characterized
this arrangement as “the front” in the “privatization war.” While it is unfortunate to describe
this public safety initiative with such critical language, the merits of these public/ private
arrangements are sure to survive the arrows of critics.
Starrett City
The Starrett City housing development in Brooklyn is a classic model of the benefits of
th
privatization. The development is located in the 75 police precinct, which consistently has
one of the highest murder rates in New York City (Carlson, 1995; Walsh et al., 1992). Some 90
percent of its residents receive government rent subsidies (Carlson, 1995).
The management company that administers the development hired private police officers.
By the late 1980s, 60 private police officers were employed, of whom approximately 40 were
armed. Each private police officer carries the “special police” designation and has full arrest
powers. These private police personnel handle about 10,000 service calls annually (Carlson,
1995). The average salary is $31,000, which represents about 70 percent of the average salary
of a police officer (Pastor, 2003).
Carlson observes that 20 years after hiring these security officers, Starrett City is as safe as
any affluent neighborhood. In 1994, this community of 20,000 people reported only 24 car
thefts, 12 burglaries, 6 aggravated assaults, and no rapes (Walsh, et al., 1992). In the same
year, Carlson notes, the complex reported only 67 robberies. This compares favorably to the
2,548 robberies reported in the neighborhood just outside its boundaries in 1995. Further,
overall crime rates in New York City were substantially higher than those in Starrett City.
New York averaged 84 felonies reported per 1,000 residents, while Starrett City reported just
th
7 felonies per 1,000. Similarly, in the 75 precinct, a residence outside Starrett City was 38
times more likely to be burglarized than one within Starrett City (Walsh et al., 1992). Signifi-
cantly, no physical boundaries or barriers separate Starrett City from other residents in the
precinct. The only real physical distinction is the private security personnel. The difference
between the neighborhoods is so stark that a Starrett City security supervisor described the
complex as “an oasis in a vast wilderness” (Carlson, 1995; Pastor, 2003).
The Patrol Special Police is a separately chartered law enforcement group that works under
the supervision of the San Francisco Police Department (SFPD). Patrol Special Officers are
governed by rules and procedures set by the San Francisco Police Commission. The commis-
sion is empowered to appoint patrol special police officers and may suspend or dismiss them
after a fair and impartial hearing on charges duly filed with the commission.
Each patrol special police officer must be at least 21 years of age at the time of appointment,
pass an extensive police background investigation, complete training at the San Francisco
Police Academy, and meet physical qualifications. These requirements are consistent with
those of the California Commission on Peace Officer Standards and Training. In addition,
these officers receive annual training from the SFPD and qualify with firearms at the police
department’s range. They wear uniforms approved by the police commission, carry firearms,
and use two-way SFPD radios. Each of these factors provides an excellent example of
structural interaction with the SFPD, including accountability measures designed to ensure
proper, consistent service.
Patrol special police officers are considered the owners of certain beats or territories that
may be established or rescinded by the commission. These beats are considered property
that may be bought, sold, leased, bequeathed by will, or otherwise conveyed to a person of
good moral character, approved by the police commission.
These private police officers are committed to community policing with an emphasis on
problem solving and community outreach. These goals are achieved through various tasks,
including walking the beat and getting to know people on an individual basis, attending
community meetings, and working closely with the police department and other city
agencies. This emphasis on community policing clearly reflects the need to serve clients and
perform an order maintenance function.
United Kingdom
Clapham, England, hired Guardforce Security Services to patrol the town with vehicles
equipped with video surveillance cameras (BBC News, 2004). In addition, the Kent County
Council allocated more than £1.4 million to the creation of its own private police force
(Short, 2001). The county will hire 12 neighborhood wardens, who will wear distinctive dark
red jackets with sheriff-style badges. The wardens are intended to be the eyes and ears of the
police. They will be trained by officers from the Kent Police Department (Short, 2001).
Toronto, Canada
The use of private police in the Toronto metropolitan area is best illustrated by the services
of Intelligarde. This security firm bills itself as “the law enforcement company.” According to
its Web site, the company is driven by the “belief that society and the individual have a
fundamental need for social order—a need unsatisfied by contemporary public policing.” In
response to this need, the firm’s personnel and programs are designed to “re-establish social
order where it is breaking down and then support social order on an ongoing basis”
(www.intelligarde.org). This assertion reflects an underlying order maintenance approach.
Intelligarde provides a wide variety of security services, including private police patrols in
numerous public environments. Its marketing materials boast “the largest mobile fleet of
marked and unmarked patrol vehicles in the Greater Toronto Area and also in Ottawa.”
Clients are provided verification of the time and location of patrols through the use of global
positioning system monitoring. Also provided are canine and mounted patrols, vehicle
patrols for alarm response, spot checks of specific locations, and sweeps of disorderly areas.
The officers also perform arrests to enforce various laws relating to incivility. This
enforcement orientation resulted in about 40,000 arrests over 25 years of work (Walmington,
2005). The willingness to make arrests is considered critical to the role of these private police
officers. The firm’s owner observes that enforcement and “social work” are both required. He
adds that the patrols must “be able to do the enforcement piece—but enforcement and
community development work together. One doesn’t work without the other.” The officers’
work requires “the denial of opportunity to the people who are intent on committing
criminal acts—the shooters, drug dealers and gang bangers. … In other words, you take away
the playing field.” This requires officers on-site who know the legitimate residents and check
out all the others coming onto the property. The firm’s owner uses the term “blended
policing” to describe “public safety officers” (that is, private police) working “hand in glove”
with the police (Walmington, 2005).
Marquette Park
In what may be the most comprehensive study of private policing to date, Pastor (2003)
conducted a multifaceted research study of the Marquette Park Special Service District on
th
the southwest side of Chicago. The boundaries of the special service area are from 67 Street
th
to 74 Street and Kedzie Avenue to Bell Street. Included within the area is approximately half
of Marquette Park, which is part of Chicago’s vast park district system. The name of the
special service district—and the neighborhood—reflects the name of the park.
The neighborhood consists of single-family residences, two- and three-story apartment build-
ings, and strips of businesses. The largest concentration of apartment buildings is on the east
side of the neighborhood. These apartment buildings are often poorly maintained or neglected.
Most of the single-family houses are better kept, yet some show signs of disrepair. The majority
of the deteriorated homes are found on the east side of the community (Pastor, 2003).
The streets are similar to those of a typical Chicago neighborhood, with trees on the
parkways between the street and the sidewalk. Businesses are located on the main arteries
that intersect the community. Many serve as hangouts for young people in the area. Citizens
expressed concerned that some youths appeared to be gang members, and many business
owners were fearful of their presence. Others seemed to cater to them, either for business or
possibly for protection. Indeed, the presence of loiterers, particularly gang members, was a
key concern of the community—and of the private patrol program (Pastor, 2003).
th
The special service district is part of the 8 Police District, which is segmented into 16 beats
and is one of the largest districts—in area and population—in Chicago. The special service
district is a separate taxing entity established in 1995. The decision to hire private security
patrols was done, at least partly, to stabilize the community. Long-term residents were moving
from the area. This flight from a community with generational ties dating back to the early
1900s created the desire to stop, or at least slow, the demographic changes. Before the
formation of the special service area, community groups petitioned for a ballot referendum. At
issue was whether property owners would vote to increase their real estate taxes for the
purpose of hiring private security patrols. These private patrols would supplement the police
department, seeking to reduce crime and minimize conditions that foster crime (Pastor, 2003).
There are certain requirements for the creation of special services districts. First, voters
within the area must pass a referendum to create the district as a legal entity. After the
referendum passes, it is referred to the city council. The formal establishment of the district
must be enacted pursuant to a resolution. This council resolution provides the legal
authority for the Cook County Collector to levy and collect real estate taxes from property
owners within the district. In this district, the service tax may not exceed .41 percent of the
assessed value of taxable property (Pastor, 2003).
Once a special service district is established, the alderman in the affected ward selects
individuals for the governing commission. They must be residents or business owners in the
community. Once appointed, each commission member serves a two-year term. There are
seven voting members within the governing commission. Each politically appointed
commission member is deemed a voting member. The commission also contains three non-
voting members, including the commander of the police district and two officials who
represent the Chicago Department of Planning and Development. These nonvoting
members are supposed to provide guidance to the voting members of the commission. The
commission is charged with overseeing the special service district, including preparing a
budget, conducting periodic community meetings, and arranging administrative matters to
operate the private police patrols.
The day-to-day affairs of the district are handled by the “sole service provider.” This commu-
nity-based organization acts as the intermediary between the community and the governing
commission and deals directly with the security firm. It addresses crime patterns and
incidents and performs other operational and administrative tasks, such as obtaining legal
counsel and insurance carriers. The sole service provider is also charged with hiring and
contracting with the security firm. This occurs after the governing commission makes the
selection based on a vote of board members. The hiring of a particular security firm is
accomplished through two separate contracts. One contract is between the City of Chicago
and the sole service provider, and the second contract is between the sole service provider
and the security firm.
Contract documents are drafted by the Chicago Department of Law. Oversight of the entire
process is accomplished by the city’s Department of Planning and Development (Pastor, 2003).
The budget to operate and administer the security patrols is approximately $200,000. These
monies come from the tax levy on real property within the special services district. The cost
for the average property owner is about $50 to $60 per year. Approximately $140,000 to
$150,000 goes to the security provider, another $5,000 is spent on insurance, and about $20,000
is used to pay for legal and other professional services. The remainder goes to office expenses
and administrative costs (Pastor, 2003).
The private police officers carry handguns and other police equipment. They use handcuffs,
flashlights, radios, and bulletproof vests. Each officer wears “civilian dress” clothing, which
looks almost identical to the attire worn by Chicago Police Department tactical officers. The
vehicles are also similar to those of the public police (Pastor, 2003). However, the officers are
not granted the “special police” designation. A couple of the officers are off-duty police, but
most have only private citizen arrest powers.
The study assessed three questions related to the privatized police services. The first
question was, “How do the private police officers perform their job?” Through ride-alongs,
interviews, and document analysis, the study found that the majority of their functional work
product was order maintenance (51.5 percent). Thirty-two percent of their work involved
observation and reporting, and 16.5 percent involved law enforcement (Pastor, 2003).
The second research question was, “Are these private police public actors?” The answer
affects whether constitutional provisions would apply to the actions of private police. The
study concluded that the private police were indeed public actors, so constitutional
provisions were applicable to their actions.
The third research question was related to whether the private police officers violated the
constitution in the performance of their duties. The study concluded that some private
police officers indeed violated the Fourth Amendment protection against unreasonable
searches and seizures. However, with inadequate training, a lack of policy guidelines, and
little accountability, the officers were doing the best job they could under demanding and
dangerous circumstances.
The examples in this section illustrate the effectiveness of privatization and the need for
cooperative efforts between private and public police. They demonstrate that such cooperative
efforts have been successful in combating crime and enhancing the environment within the
patrol arrangement. The mission of crime prevention within the security industry, coupled
with the ability of the police to arrest offenders, provides a dynamic combination of skills and
resources. The present focus on community policing may prefigure a widespread establish-
ment of privatized public safety services. Nonetheless, a difficult and uncertain transition lies
ahead. Functional, constitutional, and public policy considerations remain problematic
(Pastor, 2003).
x Can municipal police departments perform as first responders for homeland security
and at the same time operate with a community service orientation?
x What future role will alternative service providers have in the delivery of public safety
services?
The answer to the first question would appear to be no. First, it seems that terrorism will be a
fact of life for years to come. If so, police agencies will not only have to deal with the carnage
associated with terroristic violence but may also be targets of the violence. Indeed,
contemporary times reveal horrendous violence against Iraqi police and civil defense forces.
Being both a first responder and a target will create an environment that is extraordinarily
complex, in both operational and human terms.
The second part of this question is that community policing, which has been the widely
accepted policing model, is about to end. While this statement may be subject to criticism
from police, academics, and politicians, federal funding of community policing programs is
largely exhausted. Without additional monies, this policing model will slowly be
deemphasized into extinction. If the money for community policing is now directed to
homeland security, then police agencies will redirect their missions accordingly. However,
private police may prove to be excellent providers of community policing services because of
their responsiveness to their clients.
The answer to the second question is that, with the future police focus on terrorism and
violent crime (including street gangs, which are likely to graduate to terrorism), the need for
alternative service providers becomes paramount. Alternative service providers will be the
paraprofessionals of police departments. These alternative service providers include private
police, civilian employees of police agencies, and auxiliary (volunteer) officers. While it is
likely that all three types of alternative service providers will coexist, the most likely and
beneficial option is private police officers.
Figure 7-3
Public Safety Policing Model
While this figure excludes certain police functions (such as investigative and administrative
units), it captures the essence of the three key aspects of street policing. Tactical operations
would include heavy weapons/SWAT teams, gang and drug tactical teams, and saturation
units. This aspect of policing is likely to be much more militarized than at present. It will
focus on tactical techniques accomplished by highly trained public police officers.
The technological functions will also be greatly expanded. Many technologies commonly
used in security will be emphasized in police agencies, including networked cameras and
access control systems, predictive crime mapping software, and integrated identification
systems. These technologies will improve the “eyes and the ears” of policing agencies to
better respond to and even predict criminal or terrorist behavior. The key to this approach is
surveillance for crime prevention, apprehension, and enforcement.
Order maintenance operations will be the key component for alternative service providers.
The key will be to control the environment, focusing on both physical aspects and social
incivilities. The primary tasks of these service providers will be to provide routine service
functions, such as report writing, alarm response, traffic control, and “street corner security.”
Each of these tasks relates to either order maintenance or “observe and report” functions.
In these ways, alternative service providers will also enhance the “eyes and ears” of policing
agencies. The majority, if not the vast majority, of order maintenance functions will be
conducted by private police employed by security firms. This work product, however, must
be based on contractual provisions or be directly tied to the structure of the policing agency
within the jurisdiction. An excellent example of contracted arrangements is Wackenhut’s
agreement with the Durham Transit Authority to provide security on transit buses. A more
comprehensive structural arrangement is illustrated by the San Francisco Patrol Special
Police. This arrangement provides excellent accountability methods and is directly
connected through various structural components to the San Francisco Police Department.
These examples provide useful models for consideration by those who seek to implement
public safety services within public environments.
X X X
Private Citizen Special Police Peace Officer
Figure 7-4
Continuum of Governmental Authority
The figure depicts a continuum. On one extreme are private citizen arrest powers. On the
other extreme are peace (police) officer arrest powers. In the middle are special police
powers, which combine the private citizen role with the arrest powers of a peace officer
(public police officer). Peace officer arrest powers are only available to the special police
officer when he or she is on duty. This limitation should not be considered problematic as it
does not affect the work such officers are paid to perform (Pastor, 2006).
Certain benefits follow from being “blessed” by government, such as a moral and legal
authority that most citizens respect. The pronouncements and actions of an officer with
governmental authority are much more likely to be complied with. The common response
that “I don’t have to listen to you; you are not the police” would be largely negated with this
connection to governmental authority. Without this designation, a private police officer is
simply one private citizen telling another private citizen what to do.
This approach would give municipal police departments a larger force without the financial
and operational challenges of employing more police officers. In addition, this special police
designation may carry with it the protection of qualified immunity. Qualified immunity acts
as a liability shield to protect the officer (and his or her employer) from civil lawsuits.
Although this shield is not available for reckless or malicious conduct, it protects the
reasonable and prudent officer who makes a mistake in judgment or behavior. Further, it
reduces the legal exposure of the security firm and the insurance costs associated with the
service provision (Pastor, 2006).
Licensing standards directly relate to the issue of legal authority. To perform the work of the
public police, private police officers should be trained and selected in a manner
commensurate with their functional work product. In furtherance of this goal, ASIS
International has promulgated the Private Security Officer Selection and Training Guideline,
which states that “security officers … must also be able to work closely and effectively with
public safety personnel” (ASIS International, 2004). The guideline is by far the most
comprehensive approach to addressing the training and selection of security officers. It
recommends state regulation regarding background investigations, training, continuing
education, insurance, licensing, and oversight bodies. In addition, it suggests selection criteria
for new hires, including criminal history, education, citizenship, fingerprinting, photographs,
drug screening, and other personal information related to the applicant. Each of these factors
will go a long way toward establishing more professionalism in the security industry generally
and in those private police officers who operate within the public realm. Since the actions of
private police officers are likely to be much more visible in the public realm, the need to meet
or exceed these criteria is of critical importance (Pastor, 2006).
Still, the training and selection standards need not be equivalent to those for public police
officers, who typically receive 600 to 800 hours of training. Instead, the best practice would
be to develop a training curriculum that focuses on the particular role or function to be
performed. The different levels and types of training would then be regulated through
governmental licensure.
License: A B C D E
Figure 7-5
Functionality/Criticality Continuum
In this model, the key is to assess both the function and criticality of the job. As the
complexity of the work increases, or as the critical nature of the task increases, the level of
training and licensing should also increase. A comparison can be found in vehicle licensing
standards. For passenger vehicles, the typical training and licensing requirements are basic.
As the type of vehicle becomes more difficult to operate (e.g., a tractor-trailer), or as the nature
of the cargo becomes more important to protect (e.g., passengers in a bus or dangerous
chemicals in a tank car), the need for better trained and more highly skilled drivers also
increases (Pastor, 2006). The key is to train and license security officers in a manner that
adequately prepares them for the expected work product. For example, the tasks of a desk
greeter differ substantially from the tasks of a security officer at a nuclear power plant. Each
should be trained and licensed at a different level. The licensing should range from class A to
D or E, depending on the particular legislative approach. Similarly, training hours should
range from 20 or 40 at minimum to 200 to 600 for street patrols and critical infrastructure
security (Pastor, 2006).
Finally, the issue of accountability of private police should be addressed. Private police must
be—and must be perceived as—accountable to the community, the law, and the larger
society. Real and specific mechanisms must be in place. One of the most telling conclusions
from Pastor’s research is that privatized policing arrangements must develop formal
accountability standards and methods (Pastor, 2003).
There are several avenues for enhancing accountability. First, specific operating procedures
must be developed to address the realities of the job. Without such guidance, there is simply
too much discretionary decision making in the fluid environment of the street. Indeed,
discretion without judgment formed through proper guidance and experience is a recipe for
disaster.
The last critical element of accountability is to have some well-defined process for addressing
citizen complaints. This should be done by a separate board vested with subpoena powers, the
ability to conduct hearings, and the legal authority to levy warnings, fines, and other employ-
ment and contractual remedies (Pastor, 2006). Such authority could be granted to various
existing government agencies, such as a department of professional regulation or a civilian
oversight board that monitors police misconduct. However the board is constituted, it must be
able to deal with the types of complaints common to police departments (Pastor, 2006).
In conclusion, the coming years are likely to bring many challenges. All nations will be faced
with varying levels of political unrest, financial constraints, and the threat of violence and
terrorism. These factors cannot be completely avoided.
The challenges ahead present a massive potential market for security firms. Just as the new
asymmetric form of warfare is changing the way the military confronts and combats
terrorism, so too police agencies must reinvent their way of policing. This transformation will
leave a gap in how public safety services are delivered. Security firms are uniquely prepared
to bridge this gap and deliver order maintenance and related services. The former president
of the Illinois Association of Chiefs of Police notes that in the current climate what was once
considered a professional relationship between the public and private sectors has now
become a professional necessity (Braglia, 2004). This professional necessity presents the
largest increase in business opportunities for security firms since the 1850s, when security
personnel policed the American Wild West. This opportunity, however, is a double-edged
sword, replete with pitfalls for the unwary (Pastor, 2006).
The desire for professionalism in private policing must center on an even more basic
purpose: the safety of individuals and communities and the stability of their way of life. The
threat of terrorism is designed not only to kill people and damage property, but also to
destroy the social fabric. Those in the security industry, especially those protecting public
environments, trophy or symbolic buildings, and critical infrastructure, will be in the front
lines of this asymmetric conflict. Advancing standards and principles of professionalism is
the best defense (Pastor, 2006).
REFERENCES
ASIS International. (2010). Private security officer selection and training guideline. Available: http://
www.asisonline.org [2011, December 8].
Bayley, D. H., & Shearing, C. D. (2001). The new structure of policing. Washington, DC: National
Institute of Justice.
Benson, B. L. (1990). The enterprise of law: Justice without state. San Francisco, CA: Pacific
Research Institute for Public Policy.
Bilik, A. (1992). Privatization: Defacing the community. Labor Law Journal, pp. 338-343.
Brown, C. (2004, December). Outsourcing police jobs: Cops replaced by civilians to cut costs.
American Police Beat.
Bureau of Justice Assistance. (2005). Engaging the private sector to promote homeland security:
Law enforcement–private security partnerships.
Carlson, T. (1995). Safety Inc.: Private cops are there when you need them. Policy Review, 73, Summer.
Chaiken, M., & Chaiken, J. (1987, June). Public policing—privately provided. Washington: National
Institute of Justice.
Clemow, B. (1992). Privatization and the public good. Labor Law Journal, Vol. 43, pp. 344–349.
Clotfelter, C. T. (1977). Public services, private substitutes and the demand for protection against
crime. The American Economic Review, 67(5).
Cohen, L. E., & Felson, M. (1979). Social change and crime rate trends. American Sociological
Review, 44, 588–607.
Covington, J., & Taylor, R. B. (1991). Fear of crime in urban residential neighborhoods. The Socio-
logical Quarterly, 32(2), 231–249.
st
Cox, S. M. (1990). Policing into the 21 century. Police Studies, 13(4), 168-177.
Cunningham, W. C., Strauchs, J. J., & Van Meter, C. W. (1990). Private Security Trends 1970- 2000:
The Hallcrest Report II. Boston: Butterworth-Heinemann.
Dalton, D. R. (1993, January). Contract labor: The true story. Security Management.
Davis, R. C., & Dadush, S. (2000). The public accountability of private police: Lessons from New
York, Johannesburg, and Mexico City. Vera Institute of Justice. Available: http://www.vera.
org/download?file=225/privatepolice.pdf [2006, December 8].
DiIulio, J. J. (1995). Ten facts about crime. Washington, DC: National Institute of Justice.
Farnham, A. (1992, December 28). U.S. suburbs are under siege. Fortune.
Fisher, B., & Nasar, J. L. (1995). Fear spots in relation to microlevel physical cues: Exploring the
overlooked. Journal of Research in Crime & Delinquency, 32(2), 214–239.
Geyelin, M. (1993, June 1). Hired guards assume more police duties as privatization of public safety
spreads. The Wall Street Journal.
Gibbs, J. P., & Erickson, M. L. (1976). Crime rates of American cities in an ecological context.
American Journal of Sociology, 82, 605–620.
Goldberg, C. (1994, December). New roles for private patrols. Security Management.
Gordon, C., & Brill, W. (1996, April). The expanding role of crime prevention through environ-
mental design in premises liability. Washington, DC: National Institute of Justice.
Hebdon, R. (1995). Contracting out in New York State: The story the Lauder Report chose not to
tell. Labor Studies Journal, 20(1), 3–24.
Jackson, P. I. (1984). Opportunity and crime: A function of city size. Sociology & Social Research,
68(2), 173–193.
Kaplan, Robert (1994, February). The coming anarchy. The Atlantic Monthly.
Kelling, G. (1995, May/June). Reduce serious crime by restoring order. The American Enterprise.
Lewis, D. A., & Maxfield, M. G. (1980, July). Fear in the neighborhoods: An investigation of the
impact of crime. Journal of Research in Crime & Delinquency, pp. 160–189.
Liska, A. E., Lawrence, J. J., & Sanchirico, A. (1982). Fear of crime as a social fact. Social Forces,
60(3), 760–770.
Litsikas, M. (1994, September). Security system installations up in 1994. Security Distributing &
Marketing.
Meadows, R. J. (1991). Premises liability and negligent security: Issues and implications. Journal of
Contemporary Criminal Justice, 7(3), 112–125.
McKenzie, E. (1994). Privatopia: Homeowner associations and the rise of residential private
government. New Haven, CT: Yale University Press.
McLennan, B. N., ed. (1970). Crime in urban society. London: Cambridge University Press.
McLeod, R. (2002). Para-police. Toronto: Boheme Press.
Miller, W. R. (1977). Cops and bobbies: Police authority in New York and London, 1830–1870.
Chicago, IL: University of Chicago Press.
Miranda, R. A. (1993). Better city government at half the price. In Chicago’s Future in a Time of
Change, Richard Simpson, ed. Champaign, IL: Stipes.
Mokwa, J., & Stoehner T. W. (1995, September). Private security arches over St. Louis. Security
Management.
Moore, M. H., & Trojanowicz, R. C. (1988, November). Corporate strategies for policing. National
Institute of Justice Perspectives on Policing, No. 6.
National policy summit: Building private security/public policing partnerships to prevent and
respond to terrorism and public disorder. (2004). Washington, DC: U.S. Department of Justice.
Nemeth, C. P. (1989) Private security and the law. Cincinnati, OH: Anderson.
Olick, M. (1994, December). Private response: The no response solution. Security News.
Operation Cooperation: Guidelines for partnerships between law enforcement and private security
organizations. (2000). Washington: Bureau of Justice Assistance.
Palango, P. (1998, January 12). On the mean streets: As the police cut back, private cops are moving
in. MacLeans.
Pastor, J. F. (2003). The privatization of police in America: An analysis & case study. Jefferson, NC:
McFarland.
Pastor, J. F. (2005, November). Public safety policing. Law Enforcement Executive Forum, Vol. 5,
No. 6, pp. 13–27.
Perez, E. (2002, April 9). Demand for security still promises profit. The Wall Street Journal.
Prenzler, T. (2005). Mapping the Australian security industry. Security Journal, 18(4), 51–64.
Reynolds, M. O. (1994). Using the private sector to deter crime. National Center for Policy Analysis
Policy Report No. 181. Available: http://www.ncpa.org/pub/st181 [2006, December 8].
Robbins, S. P. (2003). Organizational behavior. Upper Saddle River, NJ: Prentice Hall.
Robinson, M. (1997, April 30). Why the good news on crime. Investor’s Business Daily.
Sarre, R. (2005). Researching private policing: Challenges and agendas for researchers. Security
Journal, 18(3), 57–70.
Schine, E., Dunham, R. S., & Farrell, C. (1994, December 12). America’s new watchword: If it
moves, privatize it. Business Week.
Seamon, T. M. (1995, September). Private forces for public good. Security Management.
Shearing, C. D., & Stenning, P. C. (1983). Private security: Implications for control. Social Problems,
30(5), 493–506.
Short, V. (2001). Kent County Council creates its own private police force. Available: http://
www.wsws.org [2006, May 23].
Simeone, M. J. (2006, May). The power of public-private partnerships: P3 networks in policing. The
Police Chief.
Smith, L., & Hill, G. D. (1991). Victimization and fear of crime. Criminal Justice and Behavior, 18(2),
217–240.
Spitzer, S., & Scull, A. T. (1977). Privatization and capitalist development: The case of the private
police. Social Problems, 25(1): 18–28.
Stephens, G. (2005, March/April). Policing the future: Law enforcement’s new challenges. The
Futurist, Vol. 39.
Tolchin, M. (1985, November 29). Private guards get new role in public law enforcement. The New
York Times.
Walinsky, A. (1993, July). The crisis of public order. The Atlantic Monthly.
Walmington, J. (2005). Good guys must seize and control turf. The Toronto Sun, December 31,
2005. Available: http://www.torontosun.com [2006, June 25].
Walsh, W. F., Donovan, E. J., & McNicholas, J. F. (1992). The Starrett Protective Service: Private
policing in an urban community. In Gary W. Bowman et al. (eds.), Privatizing the United States
Justice System. Jefferson, NC: McFarland.
Warner, S. B., Jr. (1968). The private city. Philadelphia, PA: University of Pennsylvania Press.
West, M. L. (1993, March). Get a piece of the privatization pie. Security Management.
Youngs, A. (2004, January). The future of public/private partnerships. FBI Law Enforcement
Bulletin.
Zielinski, M. (1999). Armed and dangerous: Private police on the march. CovertAction Quarterly.
Available http://mediafilter.org/caq/caq54p.police.html [2006, December 8].
ADDITIONAL READING
Benson, B. L. (1996). Are there tradeoffs between costs and quality in the privatization of criminal
justice? Journal of Security Administration, 19(2), 19–50.
Clutterbuck, R. (1975). The police and urban terrorism. The Police Journal.
Crenshaw, M., ed. (1983). Terrorism, legitimacy and power: The consequence of political violence.
Middleton, CT: Wesleyan University Press.
Cunningham, W. C., & Taylor, T. H. (1994). The growing role of private security. National Institute
of Justice.
Davis, J. R. (1982). Street gangs: Youth, biker and prison groups. Dubuque, IA: Kendall-Hunt.
DuCanto, J. N. (1999). Establishment of police and private security liaison. Manuscript presented
th
at 45 Annual Seminar of the American Society for Industrial Security International, Las Vegas,
Nevada.
Ezeldin, A. G. (1987). Terrorism and political violence. Chicago, IL: University of Illinois at Chicago
Press.
Feliton, J. R., & Owen, D. B. (1994, September). Guarding against liability. Security Management.
Graham, T., & Gurr, T., eds. (1971). History of violence in America. Princeton, NJ: Princeton Univer-
sity Press.
Greisman, H .C. (1979). Terrorism and the closure of society: A social impact projection.
Technological Forecasting and Social Change, Vol. 14.
th
Law Enforcement and Industrial Security Cooperation Act of 1996. (1996). H.R. 2996, 104
Congress.
Kolderie, T. (1986). The two different concepts of privatization. Public Administrative Review,
10(2), 285–290.
Landman, K. (2003). National survey of gated communities in South Africa. Available: http://
www.gatedcomsa.com [2006, June 20].
Nalla, M. & Newman, G. R. (1991). Public versus private control: A reassessment. Journal of
Criminal Justice, 19, 414–436.
Pastor, J. F. (2005). Terrorism & public safety policing. Crime &Justice International, 21(85), 4–8.
Robbins, S. P. (2003). Organizational behavior. Upper Saddle River, NJ: Prentice Hall.
Trojanowicz, R. C., & Carter, D. L. (1990, January). The changing face of America. FBI Law
Enforcement Bulletin.
U.S. Department of Justice (2004). Crime in the United States. Available: http://www.fbi.gov/
about-us/cjis/ucr/crime-in-the-u.s./2004 [2006, June 23].
Wolf, J. B. (1981). Fear of fear: Survey of terrorist operations and controls in open societies. New
York, NY: Plenum.
Young, R. (1977). Revolutionary terrorism, crime and morality. Social Theory and Practice, Vol. 4.
WEB SITES
http://www.cityoflondon.police.uk/CityPolice/Departments/CT/ProjectGriffin/
http://www.met.police.uk/projectgriffin/
http://www.intelligarde.org
http://www.sfpatrolspecpolice.com
Security consultants, niche professionals within the greater security industry, are the
principal resource for such assistance. On occasion, knowledgeable individuals within a
company may be called in to help, but typically, professional security consultants are the
resource security or corporate executives turn to for guidance. Independent security
consultants are often viewed as an invaluable resource since they do not promote or sell a
product but rather assess actual needs and recommend a mix of security solutions to reduce
threats.
For companies faced with liability concerns, an objective, third-party study of critical issues
is often preferred over an in-house analysis. Security consultants provide the company with
that objectivity, which is a distinct advantage when dealing with common security issues
such as liability and due diligence. Some companies also stagnate from a lack of ideas and
turn to consultants who can provide much-needed out-of-the-box thinking. Others look to
outside resources because they are not as susceptible to corporate politics or bureaucratic
red tape. Finally, contracting with outside resources is often less expensive than hiring addi-
tional staff as no capital outlay or payroll overhead is necessary, especially if the work is
periodic and therefore does not warrant the creation of a full-time position.
Though consultants are commonly accepted within today’s organizations, executives may
encounter some resistance from middle management and line employees, who may perceive
that their jobs are in jeopardy. Though this perception is mostly unfounded, it is an issue that
the consultant and management must address. Resistance to the use of a security consultant
usually reflects one or more of the following concerns:
x Asking for outside help suggests that the security staff is incompetent.
x A negative report from an outsider reflects unfavorably on the security program and
the organization.
x The organization and its policies and procedures could be compromised by an outsider
who would become intimately familiar with the enterprise.
The targeted focus of these two examples underscores a very important aspect of security
consulting called the scope of work. That topic is addressed later in this chapter.
Security consultants with specialties other than retail or amusement parks might also be
effective in addressing the needs posed in the previous examples. Experts in warehouse
operations, over-the-road trucking operations, delivery services, or shipping and receiving all
might qualify for the retail assignment, and a retail security or loss prevention consultant
might be fully capable of dealing with the theme park’s needs.
In fact, many security management consultants are generalists within the security discipline.
For example, a consultant who has a strong background in banking and finance will almost
certainly have a general knowledge of related specialties such as investigations, physical and
electronic security, and preemployment screening. While some of these may appear to be
technical specialties, management consultants will not cross into technical specifics. They
may be able to provide the functional concepts of a security system, but they will not be
specialists in the detailed design of the system.
x IT security
x personnel security
x convergence
Technical security consultants specialize in translating the concepts and functionality pro-
vided by the security management consultant into detailed blueprints and equipment
specifications. This capability requires years of technical training and experience. Some
technical security consultants also provide management services, such as writing security
procedures and policies, but they might also subcontract those services to a security
management consultant.
Security executives often call upon technical security consultants to assist with new
construction or renovation projects. These consultants can work with the architects and
design engineers to ensure that the needed security systems, such as access control, video
surveillance, and alarm monitoring, are integrated into the initial designs. Drawing on his or
her technical understanding of blueprints and design documents, the technical consultant
can uncover security concerns in the plans before they are finalized. Finally, this consultant
can recommend security hardware and software that is compatible with other building
systems and takes advantage of the overall planning concepts. Addressing these issues in the
design stages keeps security in the forefront of planning, which ensures that the security
agenda receives adequate attention. Using a technical consultant in this way saves money
because it eliminates having to retrofit security into a structure once it’s built.
Both security management consultants and technical security consultants may undertake
forensic assignments in civil lawsuits that involve a security-related matter. An example
might be defending a claim of excessive use of force by the security employee of a nightclub
when an intoxicated patron was physically ejected and, in the process, sustained serious
injuries. Alternatively, a consultant might be called on to testify in a false arrest lawsuit where
a shopper was detained for shoplifting, but the evidence proved no crime or theft had
occurred. The judicial system relies on experts who, in these examples, would be allowed to
testify as to whether the use of force by the security employee was reasonable or excessive
and whether there was probable cause for the shoplifting detention.
Some corporate risk managers have relied on security consultants with forensic experience
to evaluate incidents to determine if the claim of negligence is warranted or if insurance
demands hold merit. Some major security departments, working with their insurance carrier,
insist that certain forensic security consultants be retained in their defense based on prior
cases in which the consultant aided in successful litigation. (These topics and related
subjects are discussed at length in the Protection of Assets volume on legal issues.)
The purpose of the security advisory committee is to critically examine the security program
to ensure that all company assets are being protected, to maintain general oversight over the
program, and to assist the corporation in meeting corporate and government requirements.
The committee, chaired by a project coordinator, reviews the corporate security program at
least quarterly to determine if any additional protective measures are needed and advises on
any changes to policies or procedures. The group can review new program suggestions in
light of their effect on the company as a whole, on specific organizational units, and on
employees. Criticism or suggestions from supervisors or employees can be fielded by
committee members, and recommendations for corrective action can be considered.
Committee members should represent key corporate functions. Also, they should have
attained stature and creditability within the organization and have sufficient information
about the company’s operation to enable them to offer useful opinions about actions that
should be taken by internal security staff or by outside consultants.
In reality, however, the consultant will typically conduct a more thorough crime analysis,
which can be defined as follows (Vellani & Nahoun, 2001, p. 2):
Crime analysis is the logical examination of crimes which have penetrated preventive
measures, including the frequency of specific crimes, each incident’s temporal details (time
and day), and the risk posed to a property’s inhabitants, as well as the application of revised
security standards and preventive measures that, if adhered to and monitored, can be the
panacea for a given crime dilemma.
Through the analysis, the consultant will first determine what crimes have occurred in the
store and its parking lot. The consultant then evaluates the specific security measures in
place where the crimes occurred and makes note of any additional measures that should be
in place to block future opportunities for crime.
Nearly every security executive has had a program, request, or recommendation rejected by his
or her management. For example, a recommended series of barriers in a protection plan,
known as security-in-depth, may be proposed. Competition for resources is a fact of
organizational life, and there may be alternate claims on the resources required to implement
the barriers. An independent consultant can review the proposal and provide objective advice
as to whether the proposed barriers are an efficient and cost-effective method of reducing a
security exposure. Also, a consultant should be able to identify whether the barriers will create
additional hazards or issues and, if so, how these can be addressed In the previous example,
the outsider can see what those who worked at the store every day could not see, another
example of the effective use of a consultant who can look at an issue with a fresh set of eyes.
One of the best sources for finding a consultant is a referral from a colleague, preferably in a
similar business. Companies without security connections should look into industry
associations that have consultants as members. In the security industry, many independent
consultants belong to the International Association of Professional Security Consultants and
ASIS International. Consulting associations with members in a variety of fields are another
alternative. The Institute of Management Consultants is one such organization.
Other sources to consider are industry-specific associations such as the Building Owners and
Managers Association, the Institute for Real Estate Management, and the International
Association of Chiefs of Police or any of their local equivalent organizations. A search of the
Internet will reveal many more security associations worldwide, including the International
Professional Security Association, Professional Information Security Association, and
Information Systems Security Association.
To identify candidates, the first step, company representatives should talk to peers and
colleagues to elicit suggests of consultants they know. Additional names may be gleaned
from industry associations. Placing an advertisement in related publications may also bring
in candidates.
In the second step, the company should develop a custom application that asks for basic
information from each candidate that can be used for comparison. A sample application is
shown in Appendix B. As an alternative, the company can ask the candidates to submit
letters outlining their services, and the sample in Appendix B can be used as a checklist.
Candidates should be asked to attach a copy of their curriculum vitae (CV) to the application
or letter. In jurisdictions where security consultants are required to be licensed or registered,
appropriate proof must be provided.
A sample CV is shown in Appendix C. The application and the CV provide a uniform way to
compare the credentials of each candidate. Also, having to provide both an application and a
CV may discourage someone with weak qualifications from applying. Thus, the documents
themselves may disqualify poor candidates.
During step three, the quality of the documents and the candidates’ credentials are
compared. Another source of useful information can come from prior clients, and several
should be contacted from a list provided by the applicants. As top candidates emerge, a
background investigation should be performed by contacting references and using a
structured interview process to evaluate responses.
The two top candidates should be interviewed personally by at least two representatives of
the company, the fourth step in the hiring process. To help the discussion, the candidate
should be asked to bring redacted work samples to the interview for review. The same or very
similar questions should be put to each candidate so the interviews are comparable.
Questions should probe the candidate’s security philosophy to ensure that it is a close fit
with the company’s policies. If possible and when the scope of work includes physical
security measures, the candidate should be given a brief tour of the facility prior to the
interview to become familiar with the facility.
If the candidate does not live locally, the company should negotiate the cost of bringing the
candidate to the company, or an employee should travel to the consultant’s location for a
personal interview. Teleconferencing is an interview option, but a poor one. In the final step,
negotiations begin with the top candidate. Subjects to be negotiated are the scope of work,
the product to be delivered, the methodology, the timing, and related expenses. If
negotiations with the first candidate prove unsatisfactory, the company should move quickly
to the next choice. Once negotiations are successfully concluded, the company should be
prepared to present the consultant with a contract.
As with other professional disciplines, time and quality must be considered when analyzing a
range of consulting fees. A low fee might actually prove to be more costly in the long run
because a less skillful consultant might take longer to complete the assignment satisfactorily.
Also, the security industry has a long and rocky history of keen competition based on the
awarding of contracts to the lowest bidder. To increase their competitive advantage, some
security product and service companies will offer consulting services at a very low rate.
Clearly, the objectivity of the resulting recommendations must be questioned if the
consultant believes the solution might lead to the purchase of that company’s services or
equipment. If the fee proposed by a potential consultant seems to be a bargain, the client
should remember the Latin phrase caveat emptor: let the buyer beware!
The basis for higher billing by some medium-sized or large consulting firms, as opposed to
the independent sole proprietor or small consulting firm, often reflects a higher overhead.
The costs billed by individual consultants as well as by larger firms include direct charges,
such as time and travel, and overhead costs, such as office rental, clerical help, proposal
expense, publications, and professional taxes and licenses. As a result, a consultant’s daily
rate does not equate to an annual income since consultants may not work every day of the
year but their expenses continue.
Consultants, like other professional service providers, typically use software to track the time
and expenses related to each client’s project. In some cases, consultants keep a project
journal while others monitor activity through simple spreadsheets. Consultants may also use
specific billing software such as QuickBooks.
No matter how the consultant tracks and bills his or her time, the client should review
payment options and choose the one that fits the company’s accounting scheme as well as
the type of consulting assignment. Five options should be considered: hourly fees, daily fees,
fixed fees, not-to-exceed fees, and retainers. The company should also set parameters on
how miscellaneous and regular expenses should be billed and approved.
Hourly Fees
Paying a consultant an hourly fee is unusual in security management consulting, but it does
happen. This arrangement is most applicable when the assignment is expected to last less than
a day, but the exact amount of time needed is unclear. In this scenario, the client and
consultant could agree to “let the meter run” for the actual time spent. An example might be a
case where management is considering moving an employee to a new assignment, and the
consultant is retained to meet and interview the employee at a convenient time. If the
company expects the interview will only take 2.5 hours, the consultant could agree to be paid
for just that amount of time.
Forensic consulting is often billed by the hour, however. If a corporate legal or risk management
office brings in a security consultant for advice on how to avoid litigation, evaluate a case, or
arrange a settlement, the time is calculated by the hour and any fraction thereof.
Daily Fees
The daily fee is calculated by multiplying the consultant’s hourly rate by eight. In reality, this
arrangement often benefits the client because an eight-hour day can easily be extended for
any number of legitimate reasons, unless the contract clearly defines the number of hours in
the consultant’s day. Security consultants know that the time needed to meet the agreed goal
and submit a final report might exceed the typical day. Depending on the number of days in
the agreement, the consultant might propose a certain number at a fixed daily rate and a
slightly reduced rate for every day thereafter. Clearly, the daily fee can be flexible based on
the nature of the task and the services required.
Fixed Fees
A flat or fixed fee is the total amount to be paid by the client to the consultant for the
completion of a consulting assignment. More often than not the fixed fee includes all expenses,
so only one amount is negotiated. The consultant’s office time and expense calculations,
which could be based on his or her hourly rate plus an hourly rate for the office staff, is
translated into an estimate of what is needed to deliver the end product.
This arrangement is generally agreed to when the number of days required to accomplish the
work can be estimated accurately and controlled by the consultant. Usually a fixed fee will
only be acceptable to a consultant if the work to be done is limited to a study that is not
complex. The advantage to the client is that the company can easily compare competitive
bids and budget the exact amount that will be needed to complete the required work. Fixed
fee arrangements are usually not appropriate if the work involves implementing a
recommended program because the consultant often has to rely on other employees from
the client’s company to perform or arrange for the actual work. The danger in this case is that
the consultant could lose control of the time that could be spent but must absorb any
overtime. The scope of work in these situations must be very carefully defined to protect
both the client and the consultant.
Not-To-Exceed Fees
A not-to-exceed pay arrangement, similar to the fixed fee, is the consultant’s guarantee that
the total cost or time will be limited to the parameters agreed to in the contract. In this
instance, the consultant agrees that any costs connected with unforeseen events or delays
will not be passed on to the client, unless the client agrees to pay them. The difference
between not-to-exceed and fixed fees is this arrangement allows for a lesser fee than
originally estimated. For example, the consultant might state that he or she expects to
complete a task in five days but that the time spent is not to exceed seven days. If the task is
completed in five or six days, then the client just pays for that amount of time. If the task
should take eight days, the client still only pays for seven.
Retainers
A company that wishes to use a consultant on a regular basis might prefer to pay a retainer.
In this arrangement, the consultant agrees to work a specified number of days each year for
that client, and the client is guaranteed access to the consultant when needed. In a retainer
agreement, consultants typically provide their services at a substantially discounted rate. For
example, the agreement might state that the consultant will provide or be available to the
client for two days each month at a fixed rate per day, or 24 days a year at a set annual price.
In this case, the client is assured of receiving services for the minimum number of days
covered by the retainer. The consultant, on the other hand, is guaranteed an income.
Retainers can be quite negotiable. The client might use all of the agreed-upon days in the
first half of the year or only use the consultant less than half the days in the contract. The
consultant keeps the retainer even if the minimum days provided are not used by the client.
However, some consultants dislike committing to a retainer because it can cause scheduling
problems. For example, the consultant might be in the middle of a project for one client
when an urgent problem surfaces at another company that has already paid a retainer to that
consultant. To avoid this difficulty, it is recommended that retainer agreements identify
specific days to be applied to the client in specific months. If a schedule cannot be arranged,
then the consultant can agree to commence working for the client on the first available day
after notice is received.
Other options in a retainer agreement could cover the days used by the client in excess of
those in the contract. In one example, the client would continue to pay the discounted rate
for any extra days. In another case, those excess days would revert back to the consultant’s
normal fee.
Miscellaneous Arrangements
Other fee arrangements can be beneficial to both the client and the consultant. For example,
the consultant could agree to accept some equity in the client’s business for part or all of the
consulting fee. Alternatively, the fee could be set as a percentage of the savings realized as a
consequence of the consultant’s work, although this option is not common in security
management consulting.
If such innovative fee concepts are proposed, both parties should seek adequate legal counsel
while drafting an agreement to ensure that the interests of both are adequately defined. A
clear, binding agreement is the cornerstone for avoiding costly litigation or work disruption.
Expenses
The cost of outside consultants must allow for reasonable expenses to cover project-related
activities such as transportation, living costs, telephone, secretarial services, and
reproduction. Consulting expenses can sometimes be reduced if the consultant is allowed to
use amenities and services available at a client’s facility. Such items as clerical assistance,
office space, and reproduction services might be provided on-site. Consultant support is
discussed in more detail later in this chapter.
Expenses are usually reimbursed at actual costs, which should be substantiated by expense
reports submitted by the consultant. A reimbursement arrangement might also be based on
a per diem for living expenses plus actual costs for transportation and other expenses. Both
the consultant and the client must clearly understand how expenses will be paid and what
expenses are reimbursable. Any limitations on amounts to be spent should be defined. For
example, if the daily allowance for hotel accommodations and meals is a set amount, the
consultant should be informed of that limit during the selection process.
A common rule of thumb is that the consultant should receive the same travel allowances as
those given to members of the client’s senior management. Although commonly accepted
business practice limits air travel costs to coach accommodations unless first class or
business class accommodations are specifically approved, the client should not assume that
everyone understands or agrees with this policy. International travel almost always involves
at least two days of travel time (to and from the destination) and sometimes more. Special
arrangements should be made for compensation in these situations.
The bottom line in expense negotiations is that the details must be discussed and agreed
upon at the outset of the relationship. Most professional security consultants will have their
own forms and methods of providing clients with necessary and appropriate records of time
and expenses. To ensure that potential clients are aware of the requirements, the forms and
policies in Appendices G through J show expense reports and guidelines that apply to
consulting situations.
A consulting project coordinator, often a member of the security advisory committee, should
be assigned to work with the consultant and monitor progress. That person can provide
adequate information about the organization and provide assistance. Clear specifications for
the project should be outlined in a scope of work, which should include a work plan,
progress reports, and a final report.
The project manager should strive to include someone from within the organization who can
act as the project sponsor. A good candidate for this role is the individual who may have
originally suggested the concept that led to the consulting project. Both the consultant and
the project manager will find this person a valuable resource and ally throughout the course
of the project.
The mission of the project coordinator and the committee is to be a liaison between the
consultant and the company, and that task is critical. Committee members should represent
the sectors of the company involved in the work. They should be completely familiar with the
organization and the project and have sufficient credibility and clout in the company to
effectively meet the needs of the consultant, such as collecting data or scheduling interviews.
The more information the consultant has, the better he or she will be at meeting the client’s
expectations. To that end, the results of previous projects of a similar nature undertaken by
the company should be discussed with the consultant. Also, any unique or unusual
situations that might be encountered within the organization should be brought to light. All
companies have their own cultural idiosyncrasies. If the consultant is not made aware of
potential problems, some action, seemingly minor to the consultant, could trigger an
incident and negatively affect the project and everyone associated with it. On the other hand,
consultants are expected to be objective and independent observers with the freedom—in
fact the obligation—to state the facts, even if they point out idiosyncrasies that could affect
the outcome or success of the consultant’s work.
When a client seeks a consultant for work in a different country, the consultant is expected to
have a knowledge of the culture and customs of the country, working conditions, local
legislative requirements, visa requirements and conditions, etc.
A method for the proper handling of sensitive information developed or collected during the
progress of the work should also be devised. Such data could even be embarrassing to the
organization or its employees if it became known either inside or outside the organization.
Sensitive information could also include the conclusions or recommendations of the consul-
tant. Such information should be safeguarded by a limited number of individuals and only
be handled by personnel known to be trustworthy. Most importantly, written consulting
reports are subject to discovery by an adverse party in a lawsuit. Consideration should be
given to identifying the proper custodian and location for reports that might be sought
through subpoena.
Visits to other companies, other clients of the consultant, or other corporate locations may
be required. Such visits can often be expedited if the project coordinator assumes the
responsibility for making arrangements, such as procuring security clearances, airline or
company airplane schedules and tickets, rental cars, and hotel reservations.
The consultant’s methodology is critical to the success of the project. The methodology
should be sound and widely accepted within the industry. It would be impossible to outline
every method that could be used to complete the myriad projects taken on by security
consultants. Nonetheless, potential clients can review industry guidelines for various types of
projects. Commonly accepted and widely used methodologies in the security industry are
ASIS International’s General Security Risk Assessment Guideline, the International
Association of Professional Security Consultants’ Forensic Methodology Best Practice and ISO
Standard 31000, Risk Management.
Before the actual consulting assessment begins, the client and consultant should review the
project’s objectives, goals, scope of work, and deliverables. The project coordinator should
participate in the review along with project committee members and any others who may be
affected by the work to be done.
The “scope of work” refers to the central objective of the consulting task, or the clear focus of
the effort. Suppose the scope of work is to “reassess the company’s distribution system to
identify procedural deficiencies that could or do contribute to cargo losses.” In the perfor-
mance of the work, every physical inspection, interview, and document examined should be
guided by and limited to that objective. The initial project review, then, should address the
strategies that will achieve the objective.
This review also updates those who did not participate in the selection process and gives
everyone an opportunity to ask questions and clarify points. The consultant is now a
member of the team and should ask and answer questions that might not have been
appropriate in the earlier discussions.
Especially in lengthy projects, the project coordinator and the consultant should hold
frequent progress meetings to ensure that the project is on schedule. Ultimately, the
consultant is responsible for ensuring that the project stays on the right course while
traversing any unanticipated hurdles posed by corporate politics or culture. Measurement of
the project’s progress, sometimes referred to as an earned value analysis, should be
conducted by the consultant and project coordinator during these meetings to ensure that
the project objectives described in the scope of work are being met.
Those responsible for gathering information or performing support tasks should understand
that deadlines are important. If they are not met, the efforts of the consultant may be
hampered or work on the project may come to a halt. The project coordinator should assume
responsibility for ensuring that deadlines are met and that the project is on schedule at all
times.
Progress meetings should be attended by all personnel working on the project as well as by
interested management representatives. The coordinator, as the key company repre-
sentative, might personally record, publish, and distribute the results of the meeting or might
assign another team member to take minutes. The minutes should outline decisions made
during the meeting, detail the progress of the work, and specify any work assignments and
deadlines.
The frequency of project review meetings and written reports will, of course, depend to a
great extent on the size and complexity of the project. Scheduling review meetings too often
will interfere with work to be done, but if they are not scheduled often enough, control of the
project could be jeopardized. If the exchange during the meetings is adequate, the group
may choose to forego interim reports. They may also be skipped if the project is short, about
10 to 15 days, and if the review meeting reports are satisfactory.
A final report should begin with an executive summary, then address the results achieved,
and conclude with the recommendations. A simple approach to the report content is to
make the sequence consistent with the scope of work. The results section should identify
whether all the established goals were met, whether any items included in the work plan
were not accomplished, and the reasons why an item was not completed. The recom-
mendations should define any additional work that needs to be done together with
suggestions on how to accomplish it.
Sometimes a final briefing for top management is specified in the statement of work or
requested at the project’s conclusion. The salient features of the written report can be
incorporated into such a briefing, which should be done by the consultant. The project
coordinator and others from the company should be on hand to give advice and assist in the
briefing since they will be most familiar with the requirements of top management.
If the report itemizes recommendations, each should be numbered for future reference, as
follows:
Recommendation #23: Use of part-time police officers to protect cash offices should be
discontinued. Security for cash offices should be in the form of operating procedures and
state-of-the-art physical barriers, including a two-door “man trap” with remote electronic
access control.
If additional work is to be implemented as a result of the consultant’s efforts, the final written
report should include enough detail so that personnel in the client organization can
complete the tasks by following the guidelines included in the report. After reviewing the
report, however, the client may decide that additional assistance from the consultant will be
required to implement the recommendations. In that case, an additional contract or a
contract amendment should be prepared for the consultant’s signature, and a new scope of
work to implement the recommendation should be defined.
For example, suppose a security consultant has completed a vulnerability study for an
organization and recommends a comprehensive protection program. Once the final report is
presented, the organization’s management realizes that they will need to hire one or more
experienced security professionals to implement and manage the recommended program.
The consultant might then enter into a contract with the company to search for and pre-
qualify a security executive to implement and manage the recommended program. The
usual fee for this kind of service is 25 percent to 30 percent of the new security executive’s
salary for the first year, plus expenses incurred during the search.
An example might be crime analysis. In the past, companies may have had security
employees who focused on this task. Today, however, those employees have been promoted
or have moved on to perform more generalized security functions. When companies
encounter a case where crime analysis is needed, they turn to consultants who specialize in
this niche.
Another trend can be seen in the way consulting fees are established. Rather than bill at
hourly rates, many consultants are moving toward project-based pricing. Based on the scope
of work, experienced consultants can accurately assess the time needed to complete a
project. This arrangement is of great benefit to companies that use consultants since they
have a closed-end cost that can be used for accurate budgeting.
Both of the trends mentioned have led to a third: consulting alliances. Consultants with
specialties have seen the need to provide a range of services to a client when completing a
project, and they have teamed with other consultants to broaden their professional offerings.
For example, a security management consultant who recommends upgrading a company’s
access control system may form an alliance with a technical security consultant who can
actually specify, bid, and oversee the installation of the recommended system. Similarly, a
forensic security consultant may testify in a case brought against a client because of a
security deficiency, and then bring in an allied security management consultant to
recommend how to rectify the deficiency.
In all cases, understanding how to work effectively with a security consultant is the key to a
successful outcome, for both the consultant and the client.
APPENDIX A
Identify problems.
APPENDIX B
________________________________________________________________________________________
APPENDIX C
CURRICULUM VITAE
EMPLOYMENT HISTORY
x Director of Security, The Broadway Department Stores (52 major stores in 4 states), 18 years
TEACHING HISTORY
EDUCATION
x B.S. Degree, Police Science & Administration, California State University at Los Angeles
LITERARY CONTRIBUTIONS
x
nd rd
Effective Security Management, Security World Publishing, 1978; 2 Ed., 1985; 3 Ed., 1998;
th
4 Ed., 2003
x
nd
The Process of Investigation, Butterworth Publishing, 1981; 2 Ed., 2001
x
nd rd
Security Consulting, Butterworth Publishing, 1989 2 Ed., 1995; 3 Ed., 2004
x
nd
Shoplifting, (co-author) Butterworth-Heinemann Publishing, 1992; 2 Ed., 2003
x Shoplifters vs. Retailers, The Rights of Both, New Century Press, 2000
x Past president and member, International Foundation for Protection Officers (Canada)
x U.S. Security Industry Representative to Stockholm and Copenhagen in 1981 and to Hong
Kong, Taipei, and Tokyo in 1983, by appointment of the U.S. Department of Commerce
Charles A. Smith, CPP • 450 Riverlake Run • Eastward, CA 92000 • (760) 757-7575
APPENDIX D
WITNESSETH:
WHEREAS Company and Consultant desire to enter into an agreement for the performance by
Consultant of professional services in connection with activities of Company.
NOW, THEREFORE, in consideration of the premises and of the mutual promises herein, the
parties hereto agree as follows:
2. STATEMENT OF WORK. The work described in the attachment hereto entitled “Scope of
Work” and incorporated herein shall be performed by Consultant as requested from time to time
by Company, at such place or places as shall be mutually agreeable.
3. PAYMENT. (a) Company shall pay Consultant at the rate of ____________ for each
______________________________ spent on the work hereunder during the terms of this agreement.
Unless and until revised by a written amendment to this Agreement, Company shall not be
obligated to Consultant and Consultant shall not be entitled to payment from Company for more
than ____________ days/hours. Time spent in travel hereunder during normal working hours or
otherwise, if requested by Company, shall be paid for at the above rate. (b) Company shall pay or
reimburse Consultant for travel and other appropriate expenses incurred in the performance of
work hereunder in accordance with the attachment hereto entitled: “Consultant Expense.”
4. PATENT RIGHTS. Consultant will disclose promptly to Company all ideas, inventions,
discoveries and improvements, hereafter referred to as “Subject Inventions,” whether or not
patentable, relating to the work hereunder which are conceived or first reduced to practice by
Consultant in the performance of the work under this agreement and based upon nonpublic
information of the Company disclosed to or acquired by Consultant during this consulting
assignment. Consultant agrees to keep a written record of his technical activities and that all such
records and such Subject Inventions shall become the sole property of Company. During or
subsequent to the period of this agreement, Consultant will execute and deliver to Company all
such documents and take such other action as may be reasonably required by Company to assist it
in obtaining patents and vesting in the Company or its designee title to said Subject Inventions.
5. COPYRIGHTS. Consultant agrees that all writings produced by Consultant under this
agreement shall be the sole property of Company and Company shall have exclusive right to an
assignment of copyright in such writings in any country or countries; however, Company will
make its best efforts to grant a non-exclusive right to Consultant to publish such writings when
circumstances, including security regulations, will permit.
6. PROFESSIONAL STANDARDS. Consultant agrees that the work performed hereunder will
represent best efforts and will be of the highest professional standards and quality.
8. RISK OF LOSS. Consultant assumes all risk of personal injury, and all risk of damage to or
loss of personal property furnished by him. If Consultant employs others to perform work under
this Agreement on premises of the Company, Consultant agrees to furnish proof acceptable to the
Company of Commercial General Liability insurance in an amount not less than $ [______].
10. TERMINATION. Either party may terminate this agreement in whole or in part at any time
by giving written notice to the other.
IN WITNESS WHEREOF, the parties hereto have executed this agreement as of the day and year
first above written.
By Company By Consultant
Date Date
APPENDIX E
(1) Classified information shall not be removed physically from the premises of the
Company.
(2) Performance of the contract shall be accomplished on the premises of the Company.
(3) The Consultant and certifying employees shall not disclose classified information to
unauthorized persons.
CONSULTANT
Date
By: ____________________________________
Date: __________________________________
APPENDIX F
The undersigned warrants that, to the best of the undersigned consultant’s knowledge and belief,
and except otherwise disclosed, there are no relevant facts which could give rise to an organizational
conflict of interest and that the undersigned consultant has disclosed all relevant information.
Consultant
Date
APPENDIX G
Consultant
Contract Number
Contract Period
Instructions:
APPENDIX H
Address
City/State/Zip Code
Instructions: To facilitate prompt payment for consultant services and expenses, it is requested
that the following procedure be adopted.
1. Completely fill out the form below. (A separate form should be submitted for each trip,
except for consultants who live in the local area.)
2. Attach all vouchers, receipts, tickets, etc.
3. This statement must be signed by the consultant.
4. Retain a copy for your files and send the original to your Corporation monitor.
SERVICES:
Project
ENTER DATES
Designation
JOB CONTRACTS MON. TUE. WED. THUR. FRI. SAT. SUN. TOTALS
Total Hours/Days $
TRANSPORTATION EXPENSES:
(Attach all receipts)
Transportation Cost $
OTHER EXPENSES:
Meal $ _____
Lodging $ _____
Amount Due $
Approved by Date
Audited by Date
APPENDIX I
All Consultants traveling on Company business must substantiate expenses incurred while in
travel status. To fulfill the Company’s travel policy reporting requirements, the Consultant must
submit a properly documented and approved travel expense report within 30 days after completion
of each trip. The original receipts, paid bills, or similar documentary evidence are required for all
expenditures except meals. However, receipts need not be submitted for expenses for which they
would not ordinarily be given; such as taxi or bus fares under $10.00 (one way). The Consultant
must keep an expense diary to substantiate the claim for reimbursement, and should retain it
permanently as a personal record unless requested to submit it with the travel expense report.
The requirements imposed by the Company with respect to substantiation of the above expenses
conform to the documentation requirements of IRS regulations. Substantiation in accordance with
Company policy is therefore considered to fulfill IRS requirements.
Travel Expenses
Consultant shall be reimbursed for actual and necessary personal expenses incurred during travel
authorized by the Company for lodging, subsistence, incidental expenses, and tourist-class
transportation costs or mileage at the current rate per mile when use of Consultant’s automobile is
authorized in lieu of air travel. Transportation costs, other than in the local area, shall not exceed
the cost of tourist accommodations unless schedules and availability of space do not permit this
class of service, or unless otherwise agreed.
Consultants who live within commuting distance of the organizational entity contracting for
services are not reimbursed for meals, or mileage. Company authorized travel between work
locations is reimbursable. (Commuting distance is interpreted as being in the immediate vicinity
or within 50-mile radius of the assigned work location.)
When Consultant is retained from outside the local area and a rental car is authorized upon arrival
at the work location area, the Company will be responsible for rental car charges necessary and
incidental to the work; mileage charges attributable to personal use are to be borne by the
Consultant.
Other Expenses
The Company shall reimburse Consultant for all other reasonable and necessary expenses
incurred by Consultant in the performance of work hereunder, provided that written approval of
the Company is obtained and Consultant certifies that such expenses were necessary and
incidental to the work. Without limiting the foregoing, such expenses by way of example shall
include costs of using computers and rental of test equipment.
Substantiation of Expenses
IRS Regulations require substantiation by, both adequate records and sufficient documentary
evidence of the expenses to which they apply. They require that the following elements be
substantiated:
(a) Amount
(b) Time
(c) Place
APPENDIX J
Following are excerpts from referenced Travel Policy and Practice, which relate and offer guidance
to consultants traveling on behalf of the Company.
Mode of Travel
Individuals traveling on Company business are scheduled by the most direct transportation
available. Air travel by jet will normally be limited to less-than-first class accommodations. Travel
arrangements are made by the consultant and reported after completion of the travel on the
Statement of Professional Services. No cash advances or tickets may be provided by the Company.
a. All taxi fares in excess of $10.00 (one way) must be supported with a receipt attached to the
Statement of Professional Services.
b. Use of premium or luxury accommodations for Company travel, such as first class jet,
requires specific documentation, and will be limited to the following:
(1) Situations where schedules and availability of space do not permit less-than-first class
service.
(2) Where overnight departures are scheduled between 9:00 p.m. and 6:00 a.m. (local
[area] time) and flight time is four hours or longer.
(3) Where the traveler has a physical disability requiring first class accommodations; such
travel may be approved on the basis of a doctor’s certificate or the specific approval of
the appropriate management.
(4) First class accommodations may be authorized when in the judgment of line
supervision, useful and necessary work can be accomplished while en route only in
first class accommodations. Such travel requires the approval of the appropriate
management.
Use of personal motor vehicles on Company business may be authorized for domestic travel, and
is reimbursed at the current rate per mile but will not exceed the total cost of available less-than-
first class air fare. Travel time allowed is limited to normal air travel flight time. Any personal
vehicle travel time in excess of that limit is not chargeable to nor reimbursed by the Company.
Use of such conveyances is authorized only when the consultant complies with the following
requirements regarding minimum primary liability insurance coverage:
a. Motor Vehicles—The consultant must certify that the vehicles to be used on Company
business are covered with bodily injury liability insurance of $250,000 per person and
$500,000 per accident, and property damage liability insurance of $50,000 per accident.
The Company does not reimburse a consultant for the deductible portion of the insur-
ance if a collision or damage occurs while driving on Company business.
Automobile Rental
Automobiles may be rented by consultants on travel status as necessary to accomplish business
objectives. Generally, an automobile may be rented if its prospective use will be at least twenty
miles per day. Normally, automobile rental is not authorized for local travel.
Automobile rentals must be approved and authorized in advance whenever possible. Automobile
rentals, when authorized, provide for standard or compact model cars only. The excess cost over
standard models for sports cars or luxury model rentals will not be reimbursed by the Company.
Mileage charges attributable to personal use are not to be borne by the Company.
The cost of automobile full collision insurance coverage purchased by the traveler from the rental
agency will be reimbursed.
a. Reporting accidents involving property damage or bodily injury promptly to the lessor,
local law enforcement agencies, the consultant’s monitor, and the Company’s Security
Control Center.
Reporting
Travel expenditures should be reported to the Company within thirty days of the completion of the
trip.
The original receipts, paid bills, or similar documentary evidence are required for all expenditures
except meals. However, receipts need not be submitted for expenses for which they would not
ordinarily be given: such as taxi or bus fares.
a. Expenses which are unusual in nature, such as reasonable and necessary costs of secre-
tarial service, office equipment rental, and related expenditures shall be explained and
justified in each instance.
b. Valet and laundry service, if required, are reimbursed for trips in excess of four days or
under unusual circumstances which must be explained on the Professional Services
Statement.
c. Consultants are reimbursed all reasonable and necessary actual expenditures for meals
and lodging.
d. Telephone calls to the various Company facilities should be placed collect, and tie-lines
should be used wherever available.
Lodging
The maximum amount for lodging in the Company headquarters area considered “reasonable” by
the auditors is _______________________ per night, including tax.
Meals
The maximum amount considered “reasonable” for three meals per day in the Company head-
quarters area is _______________________.
Personal Losses
Responsibility for loss of cash or loss of or damage to personal property is not assumed by the
Company while the consultant is in travel status.
Deviations
Deviations from the Company’s Travel Policy or Practice may be approved in specific instances,
when unusual circumstances justify such action. Such deviations must be fully documented and
approved by the appropriate management.
REFERENCES
nd
Cohen, W. A. (1985). How to make it big as a consultant, 2 ed. New York, NY: AMA COM.
General security risk assessment guideline. (2003). Alexandria, VA: ASIS International.
Poynter, D. (1997). Expert witness handbook: Tips and techniques for the litigation consultant.
Santa Barbara, CA: Para Publishing.
rd
Sennewald, C. A. (2004). Security consulting, 3 ed. Woburn, MA: Butterworth-Heinemann.
Vellani, K. H., & Nahoun, J. D. (2001). Applied crime analysis. Woburn, MA: Butterworth-
Heinemann.
Weiss, A. (2001). The ultimate consultant: Powerful techniques for the successful practitioner.
Somerset, NJ: Pfeiffer.
Executive protection—the field of safeguarding a key person from harm—is practiced in the
private world (for wealthy persons), in civilian government (for a few persons in top-level positions
or in jobs that place them in high-threat regions), in the military (for the highest-ranking officers),
and in the corporate world (for senior executives, employees, visitors and family members of ex-
pats who work in or travel to dangerous locales). This chapter focuses on executive protection (EP)
as practiced in the corporate sector for executives at high risk.
The sections that follow describe the key elements of EP. The discussion covers such topics as the
importance of EP, some philosophical underpinnings of the field, and specific methods of
protection in various settings
The Yeomen of the Guard was established by King Henry VII in 1485 to serve as the personal
protection organization for the ruler of England. In the beginning, the yeomen provided
travel security, attending to the king’s safety on journeys in Britain or overseas and in battle.
They also guarded palace entrances and tasted the king’s food. The Yeoman of the Guard
exists to this day but serves a mainly ceremonial function (Yeomen of the Guard, 2004).
Other personal protection groups in history include the samurai of Japan, the medieval
knights of many European states, the housecarls of Scandinavia, and the Vatican’s Swiss
Guard. These precursors of today’s executive protection organizations were essentially
military divisions that were assigned to protect a sovereign.
The modern history of executive protection begins with the formation of the United States
Secret Service in 1865. Originally established to investigate currency counterfeiting, the
Secret Service did not undertake EP work until 1894, when it began informal, part-time
protection of President Grover Cleveland. In 1901, Congress requested Secret Service
presidential protection, again informally, following the assassination of President William
McKinley. Finally, in 1902 the Secret Service assumed full-time responsibility for protecting
the U.S. President. Two operatives were assigned full-time to the White House detail (Secret
Service History—Timeline, 2004).
Executive protection (EP) in its current, corporate sense—that is, practiced without the vast
th
resources and law enforcement powers of the federal government—appears to be a mid-20
century innovation. As corporations established security departments, those departments
naturally looked to the protection of their top executives. At first, EP specialists—the actual
protective personnel—were drawn from the ranks of former Secret Service agents, police
department dignitary protection officers, and military personnel. Over time, another path to EP
work developed: staff would rise through the ranks of corporate security and develop EP skills at
private sector EP training programs. Such programs began to be seen in the early 1980s.
Interest in corporate executive protection began to grow in earnest in the early 1990s as a
result of a rise in all types of crime and the advent of workplace violence. The trend was
fueled by mainstream media reports of high-profile executive kidnappings, which led to
huge ransom payments and even deaths. Corporations began to see the value of providing
their top executives with personal protection, and executives welcomed the comfort zone
provided by having an EP specialist on staff. Organization such as ASIS International began
offering courses on executive protection to train security professionals in this specialty.
Demand for EP services grew further after the terrorist attacks of September 11, 2001. During
the subsequent war on terror, interest remained high, as terrorist attention expanded to
include “soft targets,” or persons who do not receive high-level government protection but
play a role in international affairs and the world economy. Many corporations turned to EP
for the first time at the urging of a corporate board that saw the potential for stock volatility
should their high-ranking executives be targeted.
Research has been conducted on the specific EP subtopic of assassination, however. The
Exceptional Case Study Project performed by the U.S. Secret Service examined the thinking
and behavior of 83 persons known to have attacked or come close to attacking prominent
public officials and figures in the United States in the past 50 years.
x Mental illness only rarely plays a key role in assassination behaviors. Attacks on
prominent persons are the actions of persons who see assassination as a way to
achieve their goals or solve problems, which requires fairly rational thinking. Those
who made near-lethal approaches and the great majority of assassins were not
mentally ill. While none were models of emotional well-being, relatively few suffered
from serious mental illnesses that caused their attack behaviors.
x Persons who pose an actual threat often do not make threats, especially avoiding
direct threats. Although some who threaten others may pose a real threat, usually they
do not. The research found that none of the 43 assassins and attackers communicated
a direct threat to their targets before their attacks. This finding does not mean that
individuals should ignore threatening communications. However, careful attention
should also be paid to identifying, investigating, and assessing anyone whose behavior
suggests that he or she might pose a threat of violence, even if the individual does not
communicate direct threats to a target or to the authorities.
x Attackers and those who made near-lethal approaches described having a combi-
nation of motives. Eight specific motives were identified: to achieve notoriety or fame;
bring attention to a personal or public problem; avenge a perceived wrong; end
personal pain, be removed from society, or be killed; save the country or the world;
develop a special relationship with the target; make money; or bring about political
change.
x Inappropriate or unusual interest, coupled with action, increased the likelihood that
the person may pose a threat. Inappropriate or unusual interest alone is not cause for
great alarm. But if that interest also includes visits to the target’s home or office or
attempts to approach the target in a public place, the case is more serious.
In addition, numerous articles and books have studied EP by examining and describing the
way it is practiced in different settings. The references at the end of this chapter provide
direction for additional reading.
In times when the general risk level is elevated, EP strives to (Oatman, 2003)
create an environment in which business can flourish. Executives face special dangers at
present, but these threats are not all equally relevant to every company decision-maker. EP
can help executives decide which dangers are serious and which are less so for their own
unique situations. EP can also reduce those dangers, enabling executives to concentrate on
business and giving them the necessary confidence to travel in search of opportunities.
A good EP program costs less than the benefits it produces or the damage it prevents. The
financial argument in favor of EP is, in fact, overwhelming. For example, assume that a
corporation has a modest EP program, consisting of four EP specialists and an EP manager,
which costs $300,000 per year. Then suppose the chief executive is kidnapped, murdered, or
otherwise made incapable of running the company. The organization can expect three types
of financial losses: its stock price may slide following release of the bad news, which can
easily cost a company millions of dollars; the executive’s services will be lost either temporarily
or permanently, which can be calculated conservatively as the compensation he or she would
have been paid, again possibly millions of dollars; and employees may well be distracted
from their work, which is difficult to quantify but surely significant. Thus, while the cost of
the EP program was $300,000, the losses avoided could be millions of dollars.
In addition, the cost of the EP program should be offset by the positive benefits it provides,
not just the avoidance of injury. If the EP program enables the executive to effectively work
an extra hour each day because his or her transportation is facilitated to and from the office,
for example, the corporation will have gained further productivity from its executive.
A specific example of an extreme case of corporate losses after an attack against company
principals occurred on July 1,1993, when Gian Luigi Ferri walked into the offices of the San
Francisco law firm Pettit & Martin, hauling a black canvas bag stuffed with guns and
ammunition. He entered a conference room and began shooting, then walked through two
floors of the firm’s offices, continuing to shoot. Ferri, a disgruntled client, killed eight people,
wounded six, and then shot himself. Less than two years later, the firm’s partners voted to
dissolve the firm, which at its height in the 1980s had employed 240 lawyers (Chicago
Tribune, 1993-1995).
The EP specialist (EPS) should develop a particular mindset that focuses on preventing and
avoiding trouble rather than combating it. The following six principles can guide one’s
thinking about EP (Oatman, 1997):
To accomplish this goal, the EPS and the executive do not need to passively sit back and
receive what comes their way. Instead, they should reach out mentally to anticipate threats.
To counter potential problems, the strengths of the protection program and the resources
available to the EPS should be cataloged so they can be used when needed. Likewise, the
protection program’s vulnerabilities should also be identified (undoubtedly, the adversary
will find them). By predicting the adversary’s probable approach, he or she can be outwitted.
Finally, the EP specialist should quietly control the principal’s risks. For example, hotel
inspectors do not die if a poorly inspected hotel burns; the guests do. Therefore, the EPS can
and should prevent and avoid danger by selecting hotels with proven safety records and even
plotting fire escape routes and packing smoke masks.
Assaults and assassination attempts start and end with astonishing rapidity. Being mentally
prepared to respond far outweighs the value of any other precaution.
An example of getting the client out of trouble would occur if, upon spotting a nearby,
potentially violent disturbance, the EPS pushes the principal into a car and speeds away to
safety. An example of keeping an executive out of trouble occurs when the EP specialist and
the subject communicate subtly, with a nondescript phrase or visual cue, that it is time to
leave a certain group or place before an embarrassing or dangerous situation arises.
This principle helps keep security measures in perspective. Clearly, neither extreme—total
convenience or total security—is practical. The principal and the agent must decide where
on the continuum the executive should be and what tradeoffs to make. Each time an EP
specialist develops a new strategy to protect the executive, this principle can serve as a
reminder that increasing security beyond a certain point may needlessly hobble the
executive, making him less effective and, essentially, a victim of protection instead of a
victim of attack.
First, overreliance on security technology tends to place subjects in a vault. To fulfill their
corporate obligations, executives must move around. If sequestered, they are no longer
executives but prisoners. Second, adversaries are often intelligent enough to defeat security
equipment. A determined adversary can defeat or circumvent alarms, disable armored cars,
or eavesdrop on two-way radios.
An EPS can hope to buy defensive time with equipment, but when the adversary strikes,
salvation lies in the EPS’s conditioned responses for removing the principal from harm’s
way. Among gun battles that have taken place in the executive protection field, almost none
have lasted more than a few seconds. Likewise, in every U.S. presidential assassination
attempt to date, the Secret Service has chosen to follow its model of “cover and evacuate”
and has not opted to return fire. In other words, in crises, historically it has been shown to be
more important for EP specialists to use their heads, not their weapons or other security
equipment.
While no official list records business-related kidnappings, news accounts describe many
victims: Charles Geschke, president and chief executive officer of Adobe Systems Inc.; Kevyn
Wynn, daughter of casino tycoon Steve Wynn; and Harvey Weinstein, chief executive of Lord
West Formalwear. A typical incident occurred in January 2003, when three men abducted 40-
year-old hedge fund executive Edward Lampert and held him at a hotel for two days.
Lampert, worth an estimated $800 million, was grabbed in the parking garage of his
Greenwich, Connecticut, investment company headquarters. He was eventually freed
unharmed, even though a $5 million ransom demand was not met. When the police
cornered the perpetrators in their hotel room, they also found a mask, a shotgun, and seven
rounds of ammunition. Two of the three kidnappers were fresh from prison after serving
stretches for drug dealing (Scarponi, 2004).
Financial gain is only one of the many motives of corporate adversaries, however. Many large
corporations and many corporate executives are at risk of attack from many types of
dangerous individuals and groups. They may have personal grievances against the
corporation or its executives, may be animated by greed, or may object to such issues as
environmental or labor practices, political affiliation, or animal testing. The company’s role
in the global marketplace or its involvement in controversial biomedical issues may cause
some malcontents to plot harmful tactics against a corporate executive who, in their minds,
embodies the perceived corporate misdeeds.
To counter potential attacks, every company has a finite amount of protective resources.
Those resources, which include money, staff, influence, knowledge, and contacts, must be
spent wisely. It would be foolish and inefficient to divide the resources evenly across the
universe of conceivable threats. It makes more sense to allocate those resources toward
preventing the threats that present the greatest possibility of harm. The appropriate
allocation of resources to a specific situation is determined through a risk assessment.
In conducting an EP risk assessment, the specialist must consider two factors. First, the
threats that the executive faces must be analyzed based on multiple considerations such as
the executive’s position with the employer, access to and level of exposure among potential
adversaries, access to wealth or other lifestyle attributes, publicity, and travel practices. An
EP risk analysis answers questions such as the following:
Second, the specialist must assess the likelihood that threats could be carried out
successfully. The range of threats to a person’s safety and well-being is vast. Perhaps the
most troubling are events that have been known to occur, but are unexpected. The following
list is only a sample of the real threats faced by many executives:
x assassination
x kidnapping
x extortion
x street violence
x attacks by insane persons or zealots
x workplace violence
x embarrassment (deliberate or accidental)
x injury (unintentional)
x illness or medical emergency
The results of these two reviews will provide a relative risk ranking: negligible, low, moderate,
high, or critical.
At a given company, not all executives face the same risk level. Some executives represent
controversial aspects of the company and have a high public profile, while others operate
behind the scenes and are relatively unknown.
To arrive at an appropriate threat level for a particular executive, the EP risk assessment
should identify all potential threat elements, from protesters, criminals, extremists, and
terrorists to workplace violence and hazards due to the executive’s travel or other activities.
The specialist should then analyze whether each element poses a threat to the executive. The
assessment should ascertain how an event might unfold. It should also identify individuals
who have the capability and intent to harm, have a history of threatening the executive or
others, or have actually targeted the executive. Based on the results, the principal can be given
one of the risk rankings and provided with the appropriate protection.
A key feature of risk assessments is that they do not last. In other words, the level of risk shifts
often, so risk assessments must be performed on a recurring basis. An example of reassessing
risk in light of changing events and altering EP measures accordingly is illustrated in the
following report (Oatman, 2002):
[S]hortly after the September 11 terrorist attacks, one company … developed reliable
intelligence that its aircraft and passengers faced an elevated risk. To deal with this increased
threat, the company decided to send an executive protection specialist on every corporate
flight. The specialist not only provided security during flights but also was responsible for
ensuring physical and procedural security of aircraft on the ground.
One of the key determinants of threat level is how well the executive is known to potential
adversaries. Access to information about an executive by those intent on doing harm
increases and facilitates several kinds of threats, such as identity theft, extortion, kidnapping
of family members or relatives, and efforts to do the executive personal injury. Also,
obtaining one piece of information makes it easier to obtain others. Dedicated adversaries
can generally build a thorough profile of an individual by learning the names of schools
attended by the executive or family members and by obtaining school yearbook
photographs, which can be parlayed into other information.
The Internet makes it almost effortless for researchers, both benevolent and malevolent, to
read current and past articles about any topic or person they choose. Even a cursory Web
search on many executives discloses the names of their spouses and children and their city of
residence. It is important to remember that the Web truly is worldwide, so adversaries in
other parts of the globe can research an executive just as easily as the executive’s next door
neighbor.
In addition, information seekers can learn more detailed information about their targets by
paying a small fee for vehicle title records, property records, voter registration records, birth
and death records, genealogical information, and other data. Such information can be
gathered either online or through visits to local record repositories, such as city halls.
Another common practice is simply to ask a target’s friends and neighbors for information,
using various pretexts.
In assessing risk, it is useful to know what information is available that could arouse envy,
hatred, or revenge or help an adversary locate and harm the executive or his family
(Shackley, 2003, p. 86):
If the executive can be thought of as having “deep pockets,” the possibility of kidnapping
ought to occur to him. Note, we are not talking here in terms of absolutes, but of how a
person appears to others within his environment. It is not his net worth that counts so
much as how he is perceived by a prospective kidnapper. And, we might add, whether he is
perceived. Any media publicity about a person’s wealth is harmful, and, unfortunately, the
press seems to take an excessive interest in the private financial affairs of the well-to-do.
One of our metropolitan newspapers recently published a list of the twenty best-paid
regional CEOs, together with the amount of their compensation and their photographs,
thereby handing potential kidnappers invaluable target intelligence.
surveillance on adversaries who may be watching the site), and intrusion alarm systems (to
announce penetrations).
Executives who are at risk of attack tend to be more aware of security at work than at home. An
adversary, however, may actually find it easier to attack an executive at his or her residence.
Historically, the home is a softer target simply because an executive, at the end of a busy day,
wants to relax in an atmosphere that does not resemble a corporate security setting with lights,
cameras, and other equipment. An infamous example of the risk in and around an executive’s
home concerns Sidney Reso, a New Jersey Exxon executive who was kidnapped as he left his
home April 29, 1992. He was shot in the arm when he was seized and died five days later, found
bound and gagged in a sweltering storage locker (Chicago Tribune, 1992).
When two EP specialists are available, both need not be assigned to accompany the traveling
executive. A preferred method is to have one conduct the advance while the other
accompanies the executive. Advance work is that important.
A good advance reduces the executive’s exposure by smoothing logistics. If hotel check-in,
billing, baggage handling, parking, and other matters are worked out by the EP specialist
handling the advance, then the executive can exit his car at a hotel’s front door, walk straight
through the lobby to the elevators, and arrive quickly at his or her room. Similarly, if an
advance agent has scouted out the route to an executive’s speaking engagement and has
properly studied the meeting location, then the agent accompanying the executive can lead
him or her into the building through a side door if necessary or can take an alternate route to
avoid unfavorable conditions and circumstances (Oatman, 1997). Obviously, these tactics
can keep the executive out of many potentially undesirable encounters and locations.
Local Travel
If a protected executive must travel locally, the ideal arrangement will place the executive in
a suitable car driven by a trained security driver and accompanied by the EP specialist. The
route selected should be carefully previewed, and the rest of the company’s security function
should be aware of the plan.
While executives are vulnerable when they drive themselves, they do not need to be driven at
all times and to all places. The decision to use a car and driver should be based on a risk
assessment. If driven by someone else, however, the executive can work, rest, or, if an attack
occurs, lie down out of the line of fire.
The vehicle in which the executive is transported should provide generous interior space (for
the executive, the EP specialist, and any necessary equipment), substantial protective bulk
(for ramming), and a powerful engine (to escape attackers). The risk assessment should
determine whether an armored vehicle is needed. Most cars can be armored after manu-
facture, and some major automotive companies provide factory-armored vehicles. An
advantage of factory-armored vehicles is that they blend in with other vehicles and, thus, do
not attract attention to the principal.
Features of armored vehicles include bullet-resistant metal panels and glass; run-flat tires; an
anti-exploding fuel tank; a steel-reinforced front bumper designed for ramming; electric
dead bolt locks; a dual battery system; an inside/outside intercom; and a remote starter.
Many new cars, armored or not, now come with a device for opening the trunk from its
interior, which is useful if needed for escape. A car used for EP should also have a global
positioning system (GPS) to reduce the likelihood of getting lost; a locking gas cap; a mobile
phone; a protected exhaust pipe; an electronic aid system such as On-Star; and an alarm
system.
Regarding the driver, it is best to employ a trained security driver, not simply a chauffeur.
The security driver will know the protocol of a chauffeur plus have the ability to take evasive
action if needed (Scotti, 1995). If the security department’s staffing can accommodate it, the
security driver should be someone other than the EP specialist. If an EPS must also drive, he
or she will be unable to scan the travel route for potential threats and may have to drop the
principal at the destination and then park, leaving the executive alone during crucial arrival
and departure periods.
A key practice is for the EPS to call the main security office as soon as the executive’s trip gets
under way. By noting travel details, such as “We are leaving the plant and returning to the
office. It’s now 3:15 p.m., and we’re taking I-67 to U.S. 20,” the EPS makes it possible for other
security personnel or law enforcement authorities to retrace the executive’s steps if the car
should be missing. To prevent the communication from being heard by an adversary who
Finally, regarding the route, the driver should rely on advance work to ensure that the route
selected is fast, does not pass through dangerous areas, and requires a minimum of stopping.
The driver also needs to know several alternate routes, identify safe havens for stops along the
way, and find the location of hospitals, police stations, and other potentially vital resources
along the route. The driver should also investigate such factors as the time it takes to reach
various stages along the route, the likely level of traffic, road conditions, construction work or
detours, drawbridge openings, and other temporary conditions that could affect the trip. The
advance should be performed at the same time of the day the executive will be traveling so the
EP specialist can ascertain the traffic flow. An additional precaution would be to drive the
advance route in a different vehicle than the one in which the principal will be transported.
Long-Distance Travel
Out-of-town travel can present many risks to an executive. Some of those risks have to do
with the unfamiliarity of the place visited, while others have to do with making scheduled,
public appearances before potentially hostile audiences. Trips within the executive’s home
country present one level of risk; trips to other countries can be even more risky if the
destination is unfamiliar or especially dangerous.
In general, before taking the executive on a trip to another country, the EPS should complete
both research from home and advance travel. In the pre-travel research, the EP specialist
should first determine whether the trip is truly necessary. If the answer is “yes,” the EPS
should pursue the following “know before you go” steps:
x Become familiar with the country’s climate, health conditions, time zone or zones, and
currency rates.
Also, before the executive actually embarks on the trip, the EPS should take the following
steps:
x Touch base with local security or law enforcement contacts and the local embassy or
consulate of the executive’s home country.
x Rehearse, mentally if not physically, security measures for travel by all modes that
could be used, including commercial and private planes, autos, boats, ships, and
trains.
When the trip actually takes place, the EPS should remember a three-part key security
concept: keep a low profile, stay away from problem areas and situations, and know what to
do if trouble arises. As was recommended for local travel, the EP specialist should also
communicate frequently with the security home base.
Avoid western gathering places. If you are traveling to a region designated as high risk by the
U.S. Department of State, there are additional measures that should be considered. Often,
terrorists will seek to identify and attack a location that will be certain to have a high
concentration of Americans or other westerners present at a specific time. For example, a
horrific practice, which has long been used by terror groups, is to target religious services at
houses of worship frequented by westerners. The reason is obvious. A Christian church
serving the international community will provide them a target, which is certain to be filled
every Sunday morning at 9:00 a.m. This presents a tough choice for an individual to whom
church service is an important part of life. The same is true for nightclubs and other locations
catering to Americans and western Europeans. If the State Department suggests avoiding
such places in a country to which the principal is traveling to, it is best to heed the warning.
Wherever the principal travels, it is always a good practice to immediately identify all
emergency exits and make sure they are functional. Many foreign countries do not have fire
codes that mandate identifiable emergency exits in all public establishments. It is vital for the
EP specialist to know how to get out of any place he might take the principal into.
For some executives, the risk level warrants the use of private aircraft whenever possible.
Commercial air travel presents risks both on the ground and in the air. On the ground, at
large, busy airports, inconvenient delays can occur during pickup and drop-off; the executive
may be recognized and bothered by other travelers; airport lobbies (on the unsecured side)
are notorious terrorist targets; and busy security checkpoints can create opportunities for
losing personal property, missing flights, and enduring embarrassing searches.
By traveling in a private aircraft, the executive can avoid bothersome people and receive
individualized customer service. Further, the small lobbies used by general aviation fixed-
base operators (FBOs) are not prime targets for terrorists who wish to draw attention to their
cause. EP specialists can exert much more control over the security conditions of a general
aviation FBO and private aircraft than they can over large, bustling airports serving major
airlines.
A popular option for private travel is fractional aircraft ownership through an aircraft
management company. The principal’s corporation might, for example, purchase a one-
quarter share of a certain type and size of aircraft.
Flying via general aviation using private aircraft at terminals or airports that are separate
from those used by major air carriers reduces the likelihood of being in the wrong place at
the wrong time—that is, of happening to be at a major public airport during a significant
attack. Also, general aviation airports in the United States must abide by the detailed security
guidelines established by the Transportation Security Administration of the U.S. Department
of Homeland Security (Security Guidelines for General Aviation Airports, 2004).
Once a commercial aircraft takes off, the executive cannot know whether a dangerous person
is on board. By contrast, in private aviation, every passenger will probably be known to the
executive or someone else on the aircraft.
may be unwilling to be accompanied by an EP specialist and may only tolerate using the EPS
as a driver. A lower risk level might suggest that the specialist only needs to be with the
executive when he or she is outside the home or leaves the office. There are many points on
that continuum of protection, and the issue can only be worked out through discussions
between the security staff and the principal.
If the CSO, EP manager, or EP specialist believes the risk level warrants close-in, personal
protection, the executive should understand that a trained EP specialist can blend into
professional settings and not look like a “bodyguard.” Some EP specialists now use the title
“assistant to the CEO” to blend in, standing off to the side of a meeting or social gathering
while performing their countersurveillance tactics.
The relationship between the EP specialist and the executive is an extremely important
component of executive protection. In some ways, the relationship calls for an odd
juxtaposition of roles. The executive is clearly the boss, yet the EP specialist must be able to
give orders in times of danger and advice at regular intervals. In executive protection, a
professional but not too personal relationship enables both the protector and the principal
to perform their jobs freely.
An interesting rule of thumb, from the perspective of the executive, comes from a former
high-ranking U.S. government official who is now receiving private protection. He tells his
protective detail, “Stand close enough to protect me, but not so close that I have to introduce
you.”
When working a principal, an EPS will find that conditions change. The EPS may safely bring
the executive to a destination, such as a conference at which he or she is speaking, but the
job does not end there. Once inside the meeting hall, for example, the EPS should start
scanning and calculating—that is, scanning the surroundings for items, people, or
arrangements that appear potentially threatening or seem somehow out of place, and
calculating possible reactions should trouble arise. This is the time for the EPS to take
notice—especially of people’s hands, of objects they may be carrying, or of visible signs of
nervousness—and to constantly ask, “What if?”
If the EPS conducted an advance visit to the site, he or she should try to discern what may
have changed since that visit. Is the layout different? Are entrances and exits temporarily
blocked? Are different people at key locations? What about that fidgety, inappropriately
dressed man in the front row? Who are those people in the back with signs, pushing their way
through the crowd?
Should an attack occur, all of the EP specialist’s instincts, training, and conditioning come
together. When an attacker pulls a knife, fires a shot, rams the executive’s car with his own,
lunges at the executive, or makes some other clearly dangerous, aggressive move, the
specialist cannot stop and ponder how to react. The whole sequence, from the EPS’s first
sighting of the threat to the evacuation of the executive, might take as little as four seconds.
A good example of how fast an attack can happen and how fast the correct response must
take place is the March 30, 1981, assassination attempt against U.S. President Ronald Reagan
outside the Washington Hilton. The perpetrator, John Hinckley, fired six rounds into the
gathered crowd in less than three seconds. On hearing the shots, Secret Service Agent Jerry
Parr reacted instinctively and pushed the President into a waiting limousine, which rushed to
The George Washington University Hospital.
Many responses happened at once, which makes this case an interesting example of profes-
sional executive protection. In a matter of seconds, some members of the protective detail
shielded the President with their own bodies, others pushed him into the car, and the driver
knew where to take the wounded President. Still others surrounded and piled on top of the
assailant, who was arrested by police on the spot.
The Hinckley episode also illustrates a widely accepted chain of action that must occur
during an incident. The following list defines the four steps in the chain:
x Arm’s reach. If the attacker is within an arm’s reach of the EPS, the EPS should move to
immobilize him. If the attacker is beyond an arm’s reach, the EPS should move to cover
the executive.
x Sound off. The specialist shouts the type of weapon displayed and the direction, in
relation to the principal, from which it is coming. By shouting “Gun!” or “Gun to the
right!” the specialist alerts other EP specialists who may be present to spring into action
and attempts to involve other people in the resolving the situation.
x Cover. This term means far more than simply finding cover or a safe place to which the
agent and principal can flee. Its primary meaning is to call on the EPS to cover the
executive’s body with his or her own.
x Evacuate. The overriding need to get the executive out of danger underscores the
difference between the missions of executive protection specialists and of the police or
the military. The EPS mission—avoiding opponents rather than pursuing them—
cannot be overemphasized. Stopping to fight an adversary when it would be quicker to
dash out a side door raises, not lowers, the odds that the executive will be injured. The
protective detail should concentrate on shielding and removing the principal, leaving
apprehension of the attacker to the police.
x Law enforcement contacts. Law enforcement contacts can provide intelligence and
specialized assistance such as off-duty staffing, if permitted. These contacts work best
when they are developed over time or at least during the advance visit.
x News and briefings. The EP specialist should periodically conduct Internet or other
research to discover and track information on the principal as well as on individuals,
organizations, and conditions that might pose a threat to the principal.
x Technological miniaturization and combination. Now that mobile phones can take
digital photographs and video, EP specialists can capture images while conducting
advance visits and send the photos or video back to a security headquarters. Similarly,
as GPS devices are miniaturized to the point where they can be concealed in
wristwatches and belts, they can be used to track a principal if he or she is missing.
x Information Sharing and Analysis Centers (ISACs). ISACs in several industrial sectors
(such as chemical or financial services) share threat information and solutions with
each other and with the U.S. government. They are a potentially powerful source of
information for EP specialists.
x Improved training equipment. The newest firearms training simulators enable EP spe-
cialists to engage in realistic practice and problem solving.
x Protected vehicles. Protected cars, now being built by auto manufacturers, look
identical to ordinary cars and, therefore, do not draw attention to themselves or their
occupants.
x Body armor. The newest body armor is lightweight and can be worn comfortably and
unobtrusively if the need arises. However, it is not generally available to individuals in
the private sector.
If the risk level justifies protection, corporations choose from a continuum of service levels,
ranging from upgraded physical security measures at home and at work to full-time, in-
person protection by EP specialists. The corporation, the executive, and the EP specialist
cooperate to strike the right balance between convenience and security. Fortunately, when
EP is delivered skillfully, many executives find such protection to be both convenient and
comforting. The service adds valuable time to the executive’s day and relieves the executive
from having to focus on personal security concerns.
REFERENCES
Fein, Robert A., & Vossekuil, Bryan. (2000). Protective intelligence & threat assessment investigation:
A guide for state and local law enforcement officials. (Presents findings of the U.S. Secret Service
Exceptional Case Study Project.) Washington, DC: National Institute of Justice, U.S. Department
of Justice.
Fox News [Online]. 2004. $5M kidnap thwarted by a pizza. Available: http://www.foxnews.com
[2003, January 14].
nd
Glazebrook, Jerry, & Nicholson, Nick. (2003). Executive Protection Specialist Handbook (2 ed.).
Shawnee Mission, KS: Varro Press.
Law firm dissolving after mass murder. (1995, March 7). Chicago Tribune.
Oatman, CPP, Robert L. (1997). The art of executive protection. Baltimore, MD: Noble House.
Oatman, CPP, Robert L. (2002, June). Airing on the side of safety. Security Management [Online].
Available: http://www.securitymanagement.com [2004, June 4].
Oatman, CPP, Robert L. (2003, June). Protecting Spirited Leaders. Security Management [Online].
Available: http://www.securitymanagement.com [2004, June 4].
Revenge motive seen in Exxon kidnapping. (1992, July 12). Chicago Tribune.
San Francisco carnage: Gunman kills 8, self. (1993, July 2). Chicago Tribune.
San Francisco gunman’s rage is revealed in four-page letter. (1993, July 4). Chicago Tribune.
Scarponi, Diane. (2004). Man gets jail for snatching executive [Online]. Associated Press. Available:
http://www.detnews.com [2004, September 2].
Scotti, Anthony (1995). Driving techniques. Ridgefield, NJ: Photo Graphics Publishing.
Security guidelines for general aviation airports. (2004). Transportation Security Administration,
Information Publication A-001, May 2004, Version 1.0.
Shackley, Theodore G. (2003). Still the target: Coping with terror and crime. Baltimore, MD: Noble
House.
United States Secret Service [Online]. (2004.) Secret Service history—Timeline. Available: http://
www.ustreas.gov/usss/history.shtml [2004, September 2].
Security awareness means consciousness of an existing security program, its relevance, and the
effect of one’s behavior on reducing security risks. Security awareness is a continuing attitude that
can move individuals to take specific actions in support of enterprise security. While education
imparts general knowledge and training develops specific skills, security awareness efforts solicit
conscious attention. Employees and nonemployees who have been informed by security
awareness programs can act as a force multiplier for the security program. Security awareness is
vital because “the security of an organization rests squarely on the practices of employees” (Fay,
2006, p. 377).
If the program is in fact valuable, security awareness efforts should focus on conveying the
following points:
For executive management, security awareness means awareness of the security program’s
financial contribution to the bottom line.
For example, if the manager of a sensitive research laboratory believes the security require-
ments are unnecessary, he or she may disregard them and permit a general exchange of
information. In time, the widespread internal disclosure of sensitive data may result in an
unauthorized disclosure and the loss of a competitive advantage. The mere prospect of this
loss should encourage the lab manager to support security, as long as its requirements do
not impair research efforts.
If supervisors and managers are interested in and supportive of security, employees may gain
a favorable view of the program and support it by observing its rules. By contrast, if
supervisors and managers disapprove of the security program or show no interest in it,
employees may feel little motivation to support it.
10.1.5 NONEMPLOYEES
People who are not employees of the organization may also be affected by the security
program. They include vendors and suppliers, customers, service personnel, representatives
of government, and members of the public. Most of them have less opportunity than
employees to learn the applicable security requirements, but nevertheless it may be
important that they learn those requirements. For example, if a supplier will be given access
to sensitive proprietary information, he or she should be made aware of security procedures
that protect and account for such information.
Nonemployees may be more willing to comply with security procedures if they are given at
least a brief explanation of the reasons for the procedures. For example, a visitor may not
automatically perceive the wearing of a guest badge as useful or necessary. However, the
visitor may view the matter differently after a brief explanation that the badge permits
immediate recognition by and assistance from employees. In some cases, security awareness
must be supported formally with a confidentiality agreement.
x Protect company assets. First and foremost, the purpose of the security awareness
program is to educate employees on how to help protect company assets and reduce
losses. Everything else flows from this prime responsibility.
x Understand the relationship between security and successful operations. This purpose
is the prime one for awareness efforts directed toward executive management. Assets
protection professionals should devote the necessary time and talent to demonstrate
the program’s value and cost-effectiveness.
x Recognize the connection between security program objectives and selected security
measures. This purpose is important to middle management. Unit and department
heads must recognize (and, preferably, agree) that security measures are appropriate
and necessary.
x Be familiar with sources of help for carrying out security responsibilities. Security
awareness materials should address the specifics of implementing security
requirements. For example, if a security rule states that particular spaces or containers
must be locked, affected employees need to know how to obtain a lock and key. If
persons with legitimate questions or problems do not know where to go for assistance,
they might either (1) not consult anyone and simply improvise an answer or (2) consult
the wrong person and be needlessly delayed.
x Comply with statutory or common-law requirements for notice. This purpose applies
to both employees and nonemployees. Civil trespass to land is generally defined as
unauthorized entry into or presence on real property. To recover civil damages for
trespass, the landowner or other person in control must prove that the trespasser
intended to trespass. Physical, verbal, and symbolic indicators must make clear that
there is a boundary past which movement is not authorized.
Likewise, the owner of a trade secret must take positive actions to prevent its
unauthorized disclosure. One of those actions is to convey to employees entrusted with
the secret that the information is indeed secret and valuable. Developing programs for
conveying such notices, and documenting such notification, are phases of the security
awareness effort.
x Comply with contract obligations. Security awareness efforts may need to take account
of various contracts that apply to the enterprise. For example, in the United States the
National Industrial Security Program Operating Manual (which sets forth the security
obligations of contractors handling classified defense information) imposes numerous
requirements for briefings and for security education and training, including awareness
efforts.
Similarly, collective bargaining agreements typically require that discharges be for just
cause and that employees receive due notice of the rules they must follow—including
security rules.
Some insurance contracts, such as those covering kidnapping, require that specific
procedures be adopted and communicated to designated officials in regard to coverage
under the policy.
A contract on the use of another company’s proprietary information may require the
organization using that information to provide security awareness training to its
employees.
x Comply with company policies and procedures. Security awareness efforts should
facilitate the ability of employees and others to comply with established company
policies and procedures. These policies may address compliance with company
standards and procedures for such matters as access control requirements or with
program initiatives such as a “clean desk” initiative to protect proprietary company
information.
x Prepare the organization for emergencies. Organizations with security awareness pro-
grams are better prepared to respond to emergencies and nonroutine issues (Piazza,
2004). In particular, organizations that educate management and employees through
security awareness programs are better able to respond to cyber attacks and keep their
information secure (BSA-ISSA, 2003, p. 2).
x Communicate the value of the security department. A final goal of security awareness is
to convey the value of the department. Security personnel should not attempt to
frighten management and employees but instead should, though their security
awareness program, demonstrate they are providing a valuable service to the
organization (Gerloff, 2004, p. 26).
Unlike detailed security training, security awareness material may not contain specific
security task information. It may instead direct recipients to security content available
elsewhere and focus on generating support for the security program. Finally, it should be
enjoyable and interesting, as “the best training tools engage staff and let them have fun”
(Gips, 2006, p. 20).
x Audiovisual material. Formats include audio and video tapes, interactive CD-ROMs,
films, 35 mm slides, software-based presentations, e-mail, and company and non-
company Web sites. However, it is important not to post sensitive information where it
is publicly accessible (Roper, Grau, & Fischer, 2006, p. 241).
x Formal security briefings. These can be done pre-and post-hiring, at new assignment
orientation, and at times of promotion or transfer. Briefings can be delivered to
individuals or groups.
x Integration into line operations. Security staff can use several means to integrate
security awareness into regular enterprise operations. Individual employees’ security
awareness can be examined in their performance reviews, can be considered in setting
bonuses, and can be reinforced in supervisory and management staff meetings.
Another technique is to include security tasks in job descriptions or employee
handbooks and standards, perhaps collaborating with other departments.
x Inside experts. In developing a security awareness program, security staff can get help
from company training staff and communications staff.
Typically, a security awareness program must rely on a variety of delivery methods. Some
staff learn well by using computer-based instruction on their own, while others learn best
when they attend classes.
x Low credibility of security department. This may stem from previous performance of
departmental staff, a new department’s lack of a track record, biases that employees
bring from other organizations, a lack of professionalism within the security
department, or security staff’s lack of understanding of company functions.
x Organizational culture. A security awareness program can be hindered by a culture
that holds such views as “we’ve never done it that way before” or “we always do it this
way” (Dalton, 1998, p. 53). If a company believes security is not directly related to the
organization’s success, the security department will find it difficult to implement a
security awareness program.
x Naiveté. Organizations sometimes develop a mentality that bad things will not happen
to them, especially if they have not been victimized in the past. Likewise, they may
believe that employees will always do their utmost to protect company assets and
would never knowingly harm the organization. As a result, they may decide that an
awareness program is unnecessary.
x Perception of a minimal threat. Employees may feel less interested in increasing their
security awareness if they feel the relevant threat is insignificant or unlikely to occur.
For example (Roper, Grau, & Fischer, 2006, pp. 91–92):
Security educators in the 1990’s and later whose programs were geared to the
prevention of espionage have had to contend with the fact that perceptions of the
foreign intelligence threat have radically changed. Without the monolithic Soviet
adversary, security educators were hard-pressed to argue that critical information was
still at risk. However, the continuing frequency of espionage case associated with a
variety of foreign entities in recent years —Cuba, China, Saudi Arabia, South Korea—has
redefined the foreign intelligence threat and made it credible.
x company losses before and after the security awareness program was implemented
x number of persons briefed and number of briefings conducted in specific periods
x topics covered, projected or actual briefing completion date, and method of delivery
(Roper, Grau, & Fischer, 2006, pp. 134–135)
x cost of briefings per employee (Kovacich & Halibozek, 2006, p. 119–121)
If a program is new and lacks data on its effectiveness, one approach is to start with a limited
budget and build momentum over time. It is possible to create awareness literature cheaply
via desktop publishing. Further, by partnering with other departments, such as the human
resources department, security personnel can brief employees during regular training exer-
cises. Data can be collected and assessed until there is an opportune time to implement the
awareness program on a larger scale.
Most enterprises devote at least some time to fostering security awareness among their
employees. However, knowing that a security program exists is not the same as playing an
active role in loss prevention. Every department and employee has a role in identifying,
preventing, and reducing losses.
Before developing a security awareness program that will teach employees what they need to
know, the security manager must become familiar with all elements of the organization’s
business—in order to know what assets must be protected from what risks. Losses that
employees may be able to help reduce include traditional physical concerns, such as theft of
money or goods or misuse of equipment or facilities. Through awareness training, employees
may also be able to help reduce other losses, including those related to contractual, statutory,
regulatory, insurance, or other concerns. Seemingly small losses can have expensive
ramifications. For example a laptop theft resulting in the loss of a client’s personal information
can be very costly, especially given emerging privacy legislation. One study (Ponemon
Institute, 2006) found that the average loss per corporate data breach was $4.8 million.
Employees themselves may be able to suggest other programs they would like the security
department to provide.
Serious and costly outcomes can result when employees do not know or do not follow
company policies. For example, in 1999 a suspected shoplifter was apprehended in a grocery
store in Canada by two store clerks and a uniformed security officer. He died from accidental
restraint asphyxia during the arrest. A news report states that “the company employing the
store clerks insisted that it expressly forbids staff from using force on people suspected of
shoplifting. The inquest had heard that the employees who chased [the suspected shoplifter]
were unaware of the store’s policy to avoid using force with shoplifters” (CBC News, 2004). As
one writer on security policies observes (Roberts, 2002, p. 94):
Good polices are not enough to ensure that the staff will react properly to an incident.
Continuous training of a store’s retail staff is essential to ensure that they understand, and act
in accordance with, the stores policies for dealing with suspected shoplifters. Further, store
managers, loss prevention professionals, and human resource staff need to be monitoring
incidents that arise so that they can retrain or discipline employees who do not act in
accordance with store policies.
Some employees fail to follow company policies and procedures because they do not under-
stand what they are supposed to do, while others simply choose not to cooperate. An
examination of compliance with information technology (IT) policies (Mallery, 2007, pp. 40–
42) found two categories of users who fail to follow policies: (1) “uneducated users,” who
have a limited understanding of computers and the consequences of ignoring policies, and
(2) “arrogant users,” who feel they do not have to follow the rules that apply to others—“they
feel they are more powerful, intelligent and sophisticated than everyone else, so they can do
what they want on corporate systems.”
Ultimately, employees who refuse to follow policies and procedures, even after security
awareness efforts have brought those issues to their attention, must be disciplined.
Otherwise, the company may be needlessly exposed to a variety of losses and liabilities.
REFERENCES
Ahrens, S. A., & Oglesby, M. B. (2006, February). Levers against liability. Security Management. Vol.
50, No. 2.
Business Software Alliance and Information Systems Security Association. (2003). BSA-ISSA
information security study: Online survey of ISSA members. Washington, DC: Business Software
Alliance.
CBC News. (2004, April 23). Man died from accidental suffocation during arrest: inquest [Online].
Available: http://www.cbc.ca/canada/story/2004/04/23/Shandverdict_040423.html [2007, August 6].
Dalton, D. (1998). The art of successful security management. Burlington, MA: Butterworth-Heine-
mann.
nd
Fay, J. J. (2006). Contemporary security management, 2 ed. Burlington, MA: Elsevier Butterworth-
Heinemann.
Gerloff, J. (2004, December). Communicating security’s value. Security Management, Vol. 48, No. 12.
Gips, M. A. (2006, April). Identity theft can be fun. Security Management, Vol. 50, No. 4.
Kellogg, D., & McGloon, K. (2006, October). Distilled protection. Security Management, Vol. 50, No. 10.
Kitteringham, G. W. (2006). Security and life safety for the commercial high-rise. Alexandria, VA:
ASIS International.
Kovacich, G. L., & Halibozek, E. P. (2003). The manager’s handbook for corporate security.
Burlington, MA: Elsevier Butterworth-Heinemann.
Kovacich, G. L., & Halibozek, E. P. (2006). Security metrics management. Burlington, MA: Elsevier
Butterworth-Heinemann.
Morris, R., Carter, P., & Krueger, C. (2002, October). Nurses learn vital signs of safety. Security
Management, Vol. 46, No. 10.
Piazza, P. (2004, March). Companies better prepared for trouble. Security Management, Vol. 48, No. 3.
Ponemon Institute. (2006). 2006 annual study: Cost of a data breach. Elk Rapids, MI: Ponemon
Institute.
Roberts, J. R. (2002, September). The policy was perfect. Security Management, Vol. 46, No. 9.
Roper, C. A., Grau, J. A., & Fischer, L. F. (2006). Security education, awareness and training.
Burlington, MA: Elsevier Butterworth-Heinemann.
Whitman, M. E., & Mattford, H. J. (2004, November). Making users mindful of IT security. Security
Management, Vol. 48, No. 11.
A drug is a chemical substance that alters the physical, behavioral, psychological, or emotional
state of the user. Drugs of abuse—psychoactive (mind-altering) substances—target the central
nervous system and impair the user’s ability to think and to process sensory stimuli, thereby
distorting the user’s perception of reality. Drugs of abuse include legal and illegal substances and
are often consumed socially. In this analysis, alcohol is considered a drug.
Substance abuse may harm a person physically, mentally, or emotionally. Abuse can often easily
lead to increased tolerance and eventual addiction or chemical dependency. Abuse can also create
personal, family, and financial problems beyond the abuser’s control.
National prosperity requires a healthy workforce. More than technology, industrial capability, or
natural resources, a nation’s workforce makes possible all the social and economic abundance a
country enjoys.
Substance abuse plagues nearly every nation. In the United States, illegal drugs are everywhere: in
schools, communities, factories, and offices. Substance abuse harms productivity and competi-
tiveness and destroys individuals, families, and jobs. It causes birth defects, industrial accidents,
business failures, and highway fatalities. The worldwide illicit drug trade is a multibillion-dollar
industry that spans national borders, deals almost exclusively in cash, and enforces its policies
with violence.
Drug abuse is more common among unemployed than employed persons. In 2006, among adults
aged 18 or older, the rate of drug use was higher for unemployed persons (18.5 percent) than for
those who were employed full-time (8.8 percent) or part-time (9.4 percent). Although the rate of
illicit drug use is highest among unemployed persons, most drug users are employed. Of the 17.9
million current illicit drug users aged 18 or older in 2006, 13.4 million (74.9 percent) were employed
either full-or part-time (U.S. Department of Health and Human Services, National Survey, 2007).
Employers pay a high price. It is generally accepted that employee substance abuse does the
following:
Substance abuse can rob an organization of its talent, vitality, and enthusiasm. It can destroy
teamwork and cooperation and make organizations less competitive and less successful.
The addictive properties of opium were not appreciated, and the problem of addiction grew
in the early 1800s with the discovery of two opium alkaloids: morphine and codeine.
Morphine became popular because of its potency—one grain of morphine is about as
effective as 10 grains of opium.
The newly invented hypodermic needle was used during the Civil War to administer
morphine to the wounded, and many soldiers returned to civilian life addicted to the drug.
As the hypodermic needle grew in popularity as a way to administer the drug, morphine
abuse began to spread in the United States.
Opium was commonly taken orally, smoked, or pulverized and used in suppository form.
Opium and its derivatives could be purchased legally and inexpensively in pharmacies and
many rural general stores. They were used alone or as components in pharmaceutical
preparations or patent medicines.
Heroin, a morphine derivative, was first synthesized in 1898. At first, it was considered non-
addictive and was used for treatment of morphine addiction. It was also available in many
pharmaceutical preparations. Easy access to the drug led thousands into addiction.
Public attitudes began to change by the 1890s. Many physicians recognized the destructive
nature of addiction and publicized their findings. Some regarded addiction as an illness,
while others felt it was a vice. An addict could still purchase drugs legally and secure assist-
ance from doctors in the early 1900s; at that time, addiction did not appear to be linked with
criminal behavior.
The first major attempt to control opium use in the United States came in 1909 with a federal
act that limited the use of opium and derivatives except for medical purposes. Later, the 1914
Harrison Act attempted to control the production, manufacture, and distribution of
narcotics. The law required registration and payment of a tax by those dealing in narcotic
drugs. It specified that only physicians could dispense narcotics and that pharmacists could
sell drugs only on written prescription.
The rapid increase in the number of drug arrests by the mid-1950s prompted the passage of
the Narcotic Drug Control Act of 1956, which provided a mandatory minimum penalty of five
years’ imprisonment with no possibility of probation or parole for a first illegal sale.
Eventually, methadone was used as a substitute for heroin in the treatment of addicts.
In 1988, the Reagan administration created the Office of National Drug Control Policy
(ONDCP). Its mission was to coordinate the government’s efforts to manage substance abuse
in the realms of legislation, security, diplomacy, research, and health. The director of ONDCP
is commonly known as the drug czar.
Today, the war on drugs is fought on many fronts by many people and organizations.
Although the most obvious battles are fought by law enforcement, important battles are
fought in the workplace as well.
Substance abuse affects abusers’ family members, too. For example, nonalcoholic members
of an alcoholic’s family use 10 times more sick leave than others. They are also more prone to
long-term illness, accidents, and divorce. Children of alcoholics are five times more likely to
become alcoholics than children of non-alcoholics (Ferraro, 1994).
Substance abuse also breeds dysfunctional relationships. Abusers have difficulty in getting
along with others. They tend to withdraw from friends and be more secretive. They spend
less time at home and work. They contribute less to meaningful relationships and avoid
opportunities to socialize with nonabusers.
For the employer, they grow less productive and creative and frequently become disciplinary
problems. They engage in denial and quickly blame others for their shortcomings and disap-
pointments. They become the 20 percent who consume 80 percent of management’s time.
x Make a commitment.
x Assign responsibility.
x Formulate a comprehensive policy.
11.4.1 RATIONALIZATION
Rationalization is the use of superficial, apparently plausible explanations or excuses for
one’s behavior. Substance abusers rationalize constantly. They may rationalize that the use
of drugs is a constitutional right, that addiction and chemical dependency happen only to
others, and that drug use enhances their ability to perform, produce, and create. They may
rationalize that they can quit using anytime, that drug use at work is acceptable because it is
common, and that selling drugs to coworkers is a gesture of camaraderie. Often, they blur the
line between personal consumption off the job (what they do on their own time) and their
rationalization that such personal habits don’t affect their work performance.
These rationalizations help substance abusers abandon their values, shirk their responsibilit-
ies, and lose respect for other people and their property. They may lie to their families, steal
from their friends and employers, and continue to use drugs without guilt, despite the
potential harm caused by their behavior.
11.4.2 OPPORTUNITY
For the substance abuser, the workplace abounds with opportunity. Here are the key reasons:
x They know one another. Workplace deals enable sellers and buyers to have regular
contact with one another that is not suspicious. Also, the workplace venue is generally
private property and therefore not under the direct scrutiny of law enforcement,
thereby creating somewhat of a safe haven for illicit activities to transpire.
x Better quality. Workplace dealers want repeat customers, and they recognize that
high-quality products keep them coming back.
x Fairer quantity. Illegal drugs are expensive. Because drugs are often sold in quantities
as small as 1/4 gram, accuracy in weight is important to the buyer. Again, because
workplace dealers recognize the importance of repeat business, they tend to sell
accurate quantities.
x Low risk. Abusers perceive supervisors and managers as uninformed or untrained and
often unwilling to confront them or their problems. Moreover, security measures—
such as barriers, fences, or locked doors—that protect company assets may also
protect abusers and dealers from monitoring or detection.
x Ability to buy and sell on credit. When “fronted,” drugs are sold to the employee-user
with the agreement that they will be paid for later. This agreement usually establishes
terms and consequences for the failure to pay. Fronting allows users to obtain drugs
even when they do not have money to buy them. For this service, employee-dealers
generally charge a small premium—typically the retention of a small amount of the
drug for personal use. This quantity is known as a pinch, and the practice is called
pinching.
Abusers’ attitudes toward the drug also change. They may defend the drug’s benefits, its
value to society, and their right to use it. They may frequently think about it, study it, and
talk about it.
Eventually, they begin to use drugs on the job. At first their use is discreet, but often it
becomes flagrant. In fact, they may enjoy testing the boundaries of acceptable behavior in
the workplace. They may drink in the parking lot during lunch and on breaks. They may
smoke marijuana in restrooms and locker rooms. They may consume cocaine or
methamphetamine at their desks or workstations. They may use drugs in company-owned
vehicles or while out of town on business. Given the opportunity, they may even use drugs
with customers and vendors. They may keep drugs in their desks, lockers, or toolboxes. In
addition, abusers may use the company mailroom or shipping department to distribute and
receive drugs and money. They may hide drugs in workplace safes, furniture, trash
containers, hazardous material containers, beverage containers, lunch boxes, briefcases,
purses, shoes, coats, raw materials, and finished goods. Employee substance abusers are
resourceful, cunning, and deceitful.
When given the opportunity, dealers may also secretly sell right in front of nonabusers,
supervisors, and managers. In some instances, it is hard to understand how any real work
gets done. Dealers tend to socialize more than others. They are constantly networking while
feverishly trying to avoid detection. Often they are absent or not where they belong. They
avoid interaction with management whenever possible. Though they tend not to make
trouble, if accused of misconduct they become belligerent. They often support employee
causes and enjoy creating strife between management and labor. Employee drug dealers
tend to resist team building, pursue secret agendas, and despise authority.
If substance abusers exhaust their discretionary income, they generally resort to purchasing
their drugs on credit. Once their credit is exhausted, they may begin to sell drugs or engage in
theft. If they become dealers, they generally sell to colleagues at work. If they choose to steal,
the principal victim will be the employer.
Substance abuse-related employee theft often begins with stealing food from coworkers. It
eventually leads to the theft of petty cash, cash receipts, office equipment, and coworkers’
personal valuables. Left unchecked, the substance abuser will eventually steal to the extent the
organization allows. The stolen goods may range from scrap, raw materials, and finished goods
to intellectual property, such as client lists, confidential information, and trade secrets.
Employee substance abusers may also steal from customers and vendors. They may short a
shipment to an important customer, keeping and selling the difference. They may accept
kickbacks for miscounting, allowing overages, double shipping, approving improper or
unauthorized credits, or diverting a vendor’s delivery. The impact on the employer can be
devastating. Business relationships may be destroyed, and valuable vendors may withhold
service or materials. Customers may cancel contracts, refuse payment, or take legal action.
In addition, substance abusers are more likely to have accidents and get injured. They file
more health claims and consume more than their share of benefits. More illnesses and
injuries yield higher insurance costs. Abusers’ absences may be disruptive and costly and
require the recruiting, hiring, and training of replacements. Also, substance abusers are more
prone to file false claims and feign on-the-job injuries.
As abusers’ performance begins to slip, discipline begins. Abusers may foresee termination
but view it as unacceptable, as their jobs may be the only element of stability and normalcy
in their lives. For years they may have rationalized that continued employment is evidence
that they live a normal life. In extreme cases, they may give up their family, children, home,
and car but struggle to keep their job. Once the job is in jeopardy, they may choose to give up
drugs. However, a more common way of escaping workplace discipline is to feign an on-the-
job injury.
In abusers’ eyes, an extended absence can provide several benefits: relief from job
responsibilities, a break from the environment where they are most exposed to drugs and the
temptation to use them, and an opportunity to give up drugs and start anew. Usually,
however, these benefits go unrealized. Without the structure of a job, their life often begins
to unravel completely. Drug consumption may rise and financial burdens increase. Months
later, when abusers finally return to work, they are more chemically dependent, less
productive, and more likely to file another claim.
This cycle of destruction may repeat several times before the employee is terminated. At that
point, everyone is a loser: the employer, spouse, family, friends, and the abuser.
x Schedule I. The drug or substance has a high potential for abuse and currently has no
accepted use in medical treatment in the United States. Examples of Schedule I drugs
are hashish, marijuana, heroin, and lysergic acid diethylamide (LSD).
x Schedule II. The drug or substance has a high potential for abuse but currently has an
accepted medical use in the United States with severe restrictions. Abuse may lead to
severe psychological or physical dependency. Examples of Schedule II drugs are
cocaine, morphine, amphetamine, and phencyclidine (PCP).
x Schedule III. The drug or substance has a potential for abuse less than the drugs or
substances of schedules I and II and currently has an accepted medical use in the
United States. Abuse may lead to moderate or low physical dependency or high
psychological dependency. Examples of Schedule III drugs are codeine, Tylenol with
codeine, and Vicodin.
x Schedule IV. The drug or substance has a low potential for abuse relative to Schedule
III substances and currently has an accepted medical use in the United States. Abuse
may lead to limited physical or psychological dependency. Examples of Schedule IV
drugs are Darvon, Darvocet, phenobarbital, and Valium.
x Schedule V. The drug or substance has a low potential for abuse relative to Schedule IV
substances and currently has an accepted medical use in the United States. Abuse may
lead to a lower physical or psychological dependency than caused by Schedule IV
substances. Examples of Schedule V drugs are the low-strength prescription cold and
pain medicines found in most homes.
11.6.2 DEPRESSANTS
Depressants include such drugs as Quaalude (methaqualone), Valium (diazepam), Librium
(chlordiazepoxide), Nembutal (pentobarbital), Seconal (secobarbital), and alcohol.
In small doses, depressants produce a calm feeling and can be used for various medical
purposes. In larger doses, they can cause impaired reflexes, slurred speech, and uncontrollable
drowsiness. Abusers often combine depressants with other depressants or with stimulants. The
abuse of depressants can lead to birth defects, overdose, and even death.
Alcohol
Alcohol is a fast-acting central nervous system depressant that functions as an analgesic with
sedative affects. In small quantities, it produces a sense of well-being and slightly impaired
reflexes. In larger quantities, the sense of well-being is replaced by disorientation, reduced
inhibition, loss of coordination, and irrationality. Alcohol is addictive, and prolonged abuse
can cause brain, liver, and heart damage, as well as sexual dysfunction, gastritis, ulcers,
malnutrition, high blood pressure, cirrhosis of the liver, pancreatitis, cancer, and death.
According to the U.S. Department of Health and Human Services (Alcohol, 2007), alcohol
dependence, also known as alcoholism, includes four symptoms:
x tolerance: the need to drink greater amounts of alcohol to get the desired feeling
Alcoholics are in the grip of a powerful craving that overrides their ability to stop drinking.
This need can be as strong as the need for food or water. The essential difference between a
social drinker and an alcoholic is a loss of control over the time, place, and amount of
drinking. Although some people are able to recover from alcoholism without help, the
majority of alcoholics need assistance. Alcoholism appears to be caused by both genetic and
environmental components.
11.6.3 NARCOTICS
In the medical sense, narcotics are opiates: opium, its derivatives, and synthetic substitutes.
Opiates (also called opiods) are indispensable in pain relief, but they are also highly addictive
and frequently abused.
Opiates include such drugs as morphine, heroin, and codeine. Usually taken orally or intrave-
nously, they can also be smoked. Opiates are relatively uncommon in the workplace, as they
are expensive and their physiological effects on the user are usually obvious.
In small doses, narcotics create effects like those of depressants. In larger doses, they induce
sleep, unconsciousness, and vomiting. Intravenous use increases the chance of contracting
such diseases as hepatitis and AIDS. Users describe the euphoric effect of these drugs as being
“high” or “on the nod.”
With repeated use of narcotics, tolerance and dependence develop. Tolerance is characterized
by a shortened duration and a decreased intensity of analgesia, euphoria, and sedation,
leading to the need to consume larger doses to attain the desired effect. Dependence is an
alteration of normal body functions such that the continued presence of a drug is needed to
prevent withdrawal symptoms. In general, shorter-acting narcotics tend to produce shorter,
more intense withdrawal symptoms, while longer-acting narcotics produce protracted but less
severe symptoms. Although unpleasant, withdrawal from narcotics is rarely life threatening.
Without intervention, the withdrawal syndrome disappears in seven to ten days. Psychological
dependence, however, may continue. Unless the physical environment and the behavioral
motivators that contributed to the abuse are altered, the user’s probability of relapse is high.
In the United States, some abusers of narcotics begin their drug use in the context of medical
treatment and escalate it by obtaining the drug through fraudulent prescriptions and “doctor
shopping” or by branching out to illicit drugs. Other abusers begin with experimental or
recreational uses of narcotics. The majority of individuals in this category may abuse narcotics
sporadically for months or even years. Although they may not become addicts, the social,
medical, and legal consequences of their behavior are very serious. Some experimental users
eventually become dependent. The younger an individual is when drug use is initiated, the
more likely the drug use will progress to dependence and addiction (DEA, 2006).
Over the past 30 years, the prescription painkiller oxycodone has been widely abused in the
workplace. It is a Schedule II narcotic analgesic, supplied as OxyContin (controlled release),
OxyIR and OxyFast (immediate release), Percodan (with aspirin), and Percocet (with acetamin-
ophen). The 1996 introduction of OxyContin, also known as OC, OX, Oxy, Oxycotton, hillbilly
heroin, and kicker, led to a marked escalation of its abuse.
Chronic use of opioids can result in tolerance for the drugs. Long-term use can lead to
physical dependence and addiction. Properly managed medical use of pain relievers is safe
and rarely causes clinical addiction. However, a large dose of an opioid can cause severe
respiratory depression that may lead to death.
11.6.4 STIMULANTS
Stimulants may make employees appear more alert, eager, and productive. However, what
appears to be productivity may actually be wasted efforts that lead to mistakes. Stimulant
abusers may believe the drugs enhance their creativity and endurance, but they are actually
being robbed of their energy and rationality. Abusers experience frequent, severe mood
swings, and they become difficult to manage and have trouble getting along with others.
Abusers often try to control their mood swings by using another drug, most often alcohol.
Prolonged abuse typically results in weight loss, drug-induced psychosis, and addiction to
multiple drugs.
Among the stimulants used in the workplace are cocaine, amphetamines, methamphetamine,
methcathinone, methylphenidate (Ritalin), and anorectic drugs (appetite suppressants).
Cocaine
Cocaine (cocaine hydrochloride) is a white, crystalline substance extracted from the coca
plant. Though it has some medicinal value as a topical anesthetic, it is a common drug of
abuse and is considered highly addictive. Most often ingested through the nose (snorted), it
can also be injected and smoked. Cocaine stimulates the central nervous system, and its
immediate effects include dilated pupils, elevated blood pressure, increased heart rate, and
euphoria. Crack or rock cocaine (usually smoked) is prepared from powdered cocaine,
baking soda, and water. The high lasts only a few minutes, leaving the user eager for more.
Being under the influence of cocaine is often referred to as being “wired” or “buzzed.”
Cocaine’s effects appear almost immediately after a dose and disappear within a few minutes
or hours. In small amounts (up to 100 mg), cocaine usually makes the user feel euphoric,
energetic, talkative, and alert. It can also temporarily decrease the need for food and sleep.
Some users find that the drug helps them perform simple physical and intellectual tasks
more quickly, while others experience the opposite effect.
The duration of cocaine’s euphoric effect depends on the route of administration. The faster
the absorption, the more intense but shorter the high. The high from snorting is relatively
slow in onset and may last 15–30 minutes, while that from smoking comes quickly and may
last 5–10 minutes.
Large doses (several hundred milligrams or more) intensify the user’s high but may also lead to
bizarre, erratic, or violent behavior, along with tremors, vertigo, muscle twitches, paranoia, or a
toxic reaction. Some users report restlessness, irritability, and anxiety. In rare instances,
sudden death can occur on the first use of cocaine or unexpectedly thereafter. Cocaine-related
deaths are often a result of cardiac arrest or seizures followed by respiratory arrest.
Cocaine is powerfully addictive. Some users develop a tolerance and must increase their
doses to attain the desired effects. Other users actually become more sensitive to the drug
over time and may die after low doses. Bingeing—that is, taking the drug repeatedly and in
increasing doses—may lead to irritability, restlessness, and paranoia. Eventually, the user
may develop paranoid psychosis, losing touch with reality and experiencing auditory
hallucinations (DEA, 2006).
Methamphetamine
Methamphetamine is a synthetic drug easily manufactured using common materials and
simple laboratory equipment. Also known as crank, meth, crystal meth, or speed, it has, in
many workplaces, replaced cocaine as a drug of choice among stimulant abusers. Metham-
phetamine can be smoked, snorted, swallowed, or injected.
The drug alters moods in different ways, depending on how it is taken. Immediately after
smoking the drug or injecting it intravenously, the user experiences an intense rush or
“flash” that lasts only a few minutes and is described as extremely pleasurable. Snorting or
swallowing produces euphoria—a high but not an intense rush. Snorting produces effects
within three to five minutes, and swallowing produces effects within 15 to 20 minutes.
Methamphetamine is usually used in a “binge and crash” pattern. Because tolerance for
methamphetamine occurs within minutes—meaning that the pleasurable effects disappear
even before the drug concentration in the blood falls significantly—users try to maintain the
high by bingeing on the drug.
Ice, a smokable form of methamphetamine, came into use in the 1980s. Ice is a large, usually
clear crystal of high purity that is smoked in a glass pipe (like that used for crack cocaine).
The smoke is odorless, leaves a residue that can be re-smoked, and produces effects that may
continue for 12 hours or more.
Methamphetamine has toxic effects as well. The large release of dopamine produced by
methamphetamine is thought to contribute to the drug’s toxic effects on nerve terminals in
the brain. High doses can elevate body temperature to dangerous, sometimes lethal levels, as
well as cause convulsions.
With chronic use, tolerance for methamphetamine can develop. To intensify the desired
effects, users may take higher doses of the drug, take it more often, or change their method of
drug intake. In some cases, abusers forgo food and sleep while indulging in a form of
bingeing known as a run, injecting as much as a gram of the drug every two to three hours
over several days until the user runs out of the drug or is too disorganized to continue.
11.6.5 HALLUCINOGENS
Hallucinogens are mind-altering drugs that drastically alter users’ mood, sensory perception,
and ability to reason. For centuries, hallucinogens found in plants and fungi have been used
in shamanistic practices. More recently, even more powerful synthetic hallucinogens have
been produced.
The most commonly abused hallucinogens are LSD (lysergic acid diethylamide), also called
acid; MDA (methylenedioxyamphetamine); MDMA (methylenedioxymethamphetamine), also
called ecstasy; PCP (phencyclidine), often called angel dust; mescaline, which comes from
the peyote cactus; and certain mushrooms.
The biochemical, pharmacological, and physiological basis for hallucinogenic activity is not
well understood. Even the name for this class of drugs is not ideal, since hallucinogens do
not always produce hallucinations.
In nontoxic dosages, these substances produce changes in perception, thought, and mood.
Physiological effects include elevated heart rate, increased blood pressure, and dilated pupils.
Sensory effects include perceptual distortions. Psychic effects include disorders of thought
associated with time and space. Time may appear to stand still, and forms and colors seem to
change and take on new significance. This experience may be either pleasurable or frightening.
Users often experience vivid hallucinations, panic attacks, and even synaesthesia or sensory
crossover. In this state, users’ senses become confused, and they may actually believe they can
see sound or smell colors.
The effects of hallucinogens are unpredictable each time the drugs are used. In some
instances, weeks or even months after taking hallucinogens, a user may experience
flashbacks—fragmentary recurrences of certain aspects of the drug experience—without
actually taking the drug.
Some hallucinogens are neurotoxic. However, the most common danger is impaired
judgment, which may lead to rash decisions, accidents, injuries, and even death.
LSD
Lysergic acid diethylamide or LSD, a colorless, odorless, and tasteless drug, is one of the
most powerful hallucinogens. It was developed in a Swiss pharmaceutical laboratory in 1938.
LSD is sold as tablets, capsules, and sometimes a liquid. Ingested orally, it is called acid,
blotter acid, window pane, microdots, and mellow yellow. It is often added to absorbent
paper and divided into small decorated squares, each representing one dose. Users under
the influence of LSD are said to be tripping. The effects of LSD are described above in the
section on hallucinogens.
The use of LSD on the job is rare. However, in very small doses LSD may be substituted for
methamphetamine or another stimulant.
PCP
Phencyclidine or PCP was originally compounded as an anesthetic for large animals.
Because of its unpredictability and sometimes frightening side effects, its veterinary use
was discontinued.
PCP, often called angel dust, comes in both a liquid and powder form. Most often a liquid, it
has a strong ether-like odor and is kept in small, dark bottles. PCP is typically applied to a
tobacco or marijuana cigarette and smoked. Its effects often last for hours. Users refer to
being under the influence of the drug as being dusted.
PCP sometimes causes the eyes to twitch uncontrollably, one vertically and the other
horizontally. Overdose may result in convulsions, coma, and death.
11.6.6 MARIJUANA
After alcohol, marijuana is the second most common drug of abuse in the workplace. In
small quantities, marijuana produces effects similar to those of alcohol, and it is often
substituted for alcohol by recovering alcoholics. In larger doses, marijuana can cause
hallucinations, memory loss, and lethargy.
When two people share a single marijuana cigarette (which takes about seven minutes), the
effect is much that same as if they had each consumed six to eight mixed alcoholic
beverages. The effect may last two to six hours.
Marijuana, hashish, and hash oil are all derived from the hemp plant, cannabis sativa. The
principle psychoactive component, tetrahydrocannabinol or THC, is retained in the fatty
tissue of the body. Because THC is not easily eliminated, it can accumulate. As a result, the
user becomes less and less tolerant of the drug and steadily requires less of it to achieve the
desired effect. This condition is known as reverse tolerance. Abusers may smoke less, but
they tend to smoke more frequently.
Marijuana found in the workplace may be combined with other drugs to enhance its potency
and salability. Users can never be assured of consistent doses when smoking marijuana, and
the drug is sometimes treated with an opiate or PCP. Abusers can find themselves addicted
physically and psychologically not only to marijuana but also to other drugs that have been
mixed with it. Users describe their state while under the influence of marijuana as being
stoned or buzzed.
Hashish
Hashish consists of the THC-rich resinous material of the cannabis plant, which is collected,
dried, and then compressed into a variety of forms, such as balls, cakes, or cookie-like sheets.
Pieces are then broken off, placed in pipes, and smoked. The Middle East, North Africa,
Pakistan, and Afghanistan are the main sources of hashish. The THC content of hashish
available in the United States has increased significantly over the last decade.
The most common prescription drugs sold at work belong to the family of drugs known as
benzodiazepines, which are depressants designed to relieve anxiety, tension, and muscle
spasms. Librium, Xanax, and Valium are some of the more common benzodiazepines found in
the workplace.
Given the millions of prescriptions written for benzodiazepines, relatively few individuals
increase their dose on their own initiative or engage in drug-seeking behavior. Those who do
often maintain their supply by getting prescriptions from several doctors, forging prescrip-
tions, or buying diverted pharmaceutical products on the illicit market.
Abuse is associated with adolescents and young adults who take benzodiazepines to obtain a
high. This intoxicated state results in reduced inhibition and impaired judgment. Employee
abusers also frequently mix prescription drugs with alcohol, thus compounding the effect of
the drug. Mixing benzodiazepines with alcohol or another depressant can be life-threatening.
Abuse of benzodiazepines is particularly high among heroin and cocaine abusers. A large
percentage of people entering treatment for narcotic or cocaine addiction also report abusing
benzodiazepines.
11.7.1 ADDICTION
Addiction is the disease of compulsion. One may be addicted to or by anything. Most often,
however, one thinks of addiction as the uncontrollable, repeated use of a substance or
performance of a behavior. In the case of substance abuse, the addict often becomes
addicted not only to the effects of the drug but also to the social behaviors surrounding it
(including the rituals for obtaining, preparing, and using it).
x Stage One. The first stage is characterized by an increased tolerance to the drug, occa-
sional memory lapse, and lying about how much and how often it is used. Supervisors,
friends, and family members begin to become concerned. They notice behavior
changes and a reduced interest in friends, family, and job.
x Stage Two. The second stage is characterized by increases in rationalization, more fre-
quent lies, unreasonable resentment (particularly of supervision and management),
suspiciousness, increased irritability, and remorse. Abusers often plead for forgiveness
and promise managers and family members that they will change. The change,
however, is increased isolation, greater irritability, and more rationalization.
x Stage Three. In this final stage, use becomes an obsession. Use is no longer a
behavior— it is a destructive way of life. Frequent memory loss, unusual on-and off-
the-job accidents, unexplained absences, and on-the-job impairment are common.
Paranoia, depression, and anger also begin to set in. Problems may escalate with the
law, at home, and at work, which in turn may affect the abusers’ productivity,
performance, and continued employment. Left unmanaged, this stage is frequently
terminal.
As the addiction progresses, it takes more and more away from the addict. In many ways the
addict becomes a dues payer. The drug addict or alcoholic pays the following prices:
Addictions are treatable. In some instances, addiction can be broken without help. However,
in most cases professional help is required. That help may be available through the
organization’s employee assistance program or any number of public programs. The
following are some U.S. examples:
Repeated use of a drug can also lead to tolerance. As the body becomes accustomed to the
effects of the drug, progressively larger doses are required to achieve the desired effect.
These abusers usually use drugs every day. On the job they appear to contribute and be
productive. However, when they are deprived of their drug, they are entirely different people.
11.7.4 DENIAL
Denial is the condition or state of mind in which people refuse to believe or consciously
acknowledge that their behavior is harming them and those around them. Abusers in denial
rationalize that their behavior is acceptable and minimize the adverse impact of their
conduct.
They deny that their involvement with drugs is affecting their health, job, and family. They
deny the existence of a relationship with their drug of choice and the ever-escalating cost of
that relationship. Abusers in denial say (and often believe) such statements as the following:
Friends and coworkers may also be in denial. They usually deny the abuser has a problem. If
they do admit it, they rationalize that the problem is temporary or even justified. Denial by
friends and coworkers may encourage the abuser to continue by suggesting that the behavior
is normal, acceptable, or even expected. An abuser who is supported by friends in denial will
not accept the advice of his or her spouse. The spouse, then, is viewed as abnormal, and
continued involvement in drugs is seen as a natural response to the problem at home. Naive
friends may even discourage therapy, treatment, or abstinence.
Supervisors, managers, and even organizations also engage in denial. Supervisors and
managers sometimes deny that an employee has a problem even in the face of obvious
proof. Organizations in denial fail to create sound substance abuse policies, fail to enforce
the policies they have, and fail to respond to workplace incidents involving substance abuse.
Managers in denial make statements like these:
x We know a few employees smoke pot on lunch break, but what is the harm in that?
x If we enforced our policies, we couldn’t get anybody to work here.
Out of fear and unwillingness to confront the truth, organizations in denial deny the abuser
the help he or she needs. In doing so, they participate in the progression of the abuser’s
disease and the ruin of some of their most important employees.
11.7.5 ENABLING
Enabling consists of consciously or unconsciously allowing or encouraging the destructive
behavior of others. Enabling often extends from denial. The enabler’s actions shield the
abuser from experiencing the full impact and consequences of substance abuse. The enabler
helps maintain everyone’s delusion that the abuser is fine and does not have a problem.
Family members enable when they call in sick for the abuser, make excuses to their bosses
for them, and lie to protect them from discipline. Such behavior may seem kind and
protective, but it feeds the abuser’s rationalizations and allows him or her to continue in
denial and abuse.
Family members also enable when they forgive. Promises and commitments by the abuser
are continuously broken and become a pattern. Enablers come back for more.
Supervisors and managers enable also. They cover up for the abuser at work. They accept the
abuser’s excuses for attendance problems and weak performance. They enable when they
believe an abuser’s rationalizations, such as the following:
Most people find it easier to enable abusers than to confront reality. Dealing with difficult
employees and the problems they bring to work is unpleasant and even frightening.
Managers and supervisors may doubt their own judgment and worry about how their actions
might affect their careers. Abusers may use those worries to their advantage.
x Know and understand their organization’s substance abuse policy and how it is to be
enforced.
x Know the symptoms of substance abuse and when to get help.
11.7.6 CODEPENDENCY
Codependency is another destructive behavior common in the workplace. People are
codependent when they allow the behavior of another to overshadow their own values and
judgment. Codependency consists of not standing up for what one knows is right. The
resultant dynamic virtually assures the destruction of the relationship.
x feel they have to do more than their fair share of the work to keep the relationship
going,
Codependency involves such feelings as anger, isolation, guilt, fear, embarrassment, despair,
and loss of control. For fear of rocking the boat, they may provide the abuser with a support
mechanism to continue substance abuse. Codependents become rescuers, caretakers, com-
plainers, and adjusters. They also sometimes become overachievers in an attempt to be a
role model for the abuser. At other times they may actually join the abuser in his or her
substance abuse.
x Focus on performance. Do not allow the manipulative behavior of the abuser to over-
shadow what management knows is right.
x Set limits and boundaries for the abuser. Tolerate only what is acceptable.
x Get help from internal resources, such as the human resources department and the
organization’s employee assistance program (EAP).
To be effective, supervisors and managers must understand the intricacies of addiction and
chemical dependency. They should also understand and be able to recognize the destructive
behaviors of denial, enabling, and codependency. Failure to confront those behaviors is
uncaring and cruel.
x State the unacceptability of drug and alcohol abuse at work and prohibit the use, sale,
or possession of controlled substances (as well as the offer to sell them) in the
workplace or while on the clock.
x Describe how and when employee drug testing will conducted. The policy should
describe what constitutes a positive drug test and state the consequences of failing to
provide a specimen for testing.
x Define what constitutes an infraction of the policy and describe the consequences.
x Recognize that drug problems and abuse are treatable and spell out the availability of
treatment and rehabilitation options.
x Define the function of the organization’s employee assistance program and explain
how to gain access to it.
x Answer any questions that might be asked about substance abuse, the policy, or policy
enforcement.
The policy should avoid the term “under the influence.” Only for alcohol is there a legal
definition of “under the influence.” No such standard exists for the other drugs of abuse.
Thus, proving that an individual is under the influence of anything other than alcohol is not
possible.
Once the policy has been created, the organization should institute an appropriate waiting
period during which to educate the employees. Once the implementation date arrives, supervi-
sors and managers should state their willingness to enforce it. Such communication is one of
the most significant yet least recognized deterrents against employee substance abuse.
More than ferreting out substance abuse and employee substance abusers, supervisors and
managers must monitor performance. They should not be expected to catch employees
using and selling drugs. Instead, they should be expected to evaluate employee performance
and be able to take remedial action when performance is not adequate.
An investigation can be simple and informal (for example, confronting the suspected violator
and asking questions) or complicated and formal. Effective investigations must, at
minimum, be fair and impartial, factual and objective, thorough, and well documented, and
they must protect the rights of suspected violators and witnesses.
In addition, workplace investigations must not violate the law, company policy, labor agree-
ments, or anyone’s right to privacy. They must also be confidential. Evidence, findings,
notes, reports, and conclusions should only be shared with those who need to know. Upper
management and the human resources department should always be involved. Disciplinary
action should only take place after a detailed review of the investigation’s findings by
qualified management. Frequently, the findings of a workplace investigation do not call for
discipline. In such cases, the most appropriate response for supervisors and managers is
intervention.
Legal Mandates
In the United States, the Sarbanes-Oxley Act of 2002 requires all publicly traded companies
to establish a confidential means by which questionable accounting or auditing activities can
be reported anonymously by employees, customers, and vendors. Organizations are further
charged with ensuring proper “receipt, retention, and treatment of complaints.” Employers
can use these same tools to obtain information about employee substance abuse.
A challenge to multinational businesses is that hot lines, required in some countries, may be
illegal in others. These conflicting legal mandates likely reflect cultural attitudes toward
whistleblowers. European countries have historically felt uneasy about employees who
anonymously report the behavior of others.
Selecting a System
Outsourcing hot lines provides many advantages. First, Sarbanes-Oxley limits an organiza-
tion’s ability to provide strictly internal reporting mechanisms. Second, reporting system
vendors tend to have better technology for the task. Third, vendors generally employ better-
trained call takers who can collect the data most pertinent to the issue being reported.
11.8.4 INTERVENTION
Intervention is the calculated interruption of the destructive behaviors of a substance abuser
and those around that person. Intervention is not discipline. It is a caring behavior in which
those involved plan, prepare, and act. Through intervention, an organization can bring the
consequences of the abuser’s actions to his or her attention. Intervention is an attempt to
salvage the troubled employee and eventually return the person to work as a productive
contributor.
x Observe and document performance. Be objective and fair. Ensure that employees
understand what is expected of them. Observe and document inappropriate behavior.
Obtain the opinion of another supervisor or manager if there is any doubt as to the
appropriateness of an employee’s behavior. Take immediate action if it is necessary to
prevent an accident or serious mistake.
x Confront the problem employee. Remove the problem employee from his or her
immediate work area and confront the employee in private. Do not do or say anything
that may embarrass or shame the employee.
x Interview and discuss. Once in private, interview the employee. Have a witness present
if possible. Include a union representative if appropriate or required. If an investigation
has preceded the interview, share with the employee any information that is
appropriate. State only specifics and never generalize. Provide the employee
documentary proof of substandard performance (such as attendance records or
timecards). Describe in detail what is expected of the employee, referring to written
policy whenever possible. If witnesses assisted in the investigation, do not identify
them unless absolutely necessary. Do not accuse the employee or attempt to diagnose
or rationalize the employee’s behavior.
Ask the employee what the organization might reasonably do to help him or her meet
the desired expectations. Empathize, but do not make a commitment; just listen and
attempt to understand the request. Suggest that the employee seek professional assis-
tance, such as that offered through the organization’s employee assistance program or
community resources. Be prepared to provide the employee with the appropriate tele-
phone numbers or literature if available.
Conclude the discussion on a positive note. Indicate that it is anticipated the employee
will improve his or her performance and meet expectations. Ensure that the employee
knows he or she has the support of the organization. Make clear that his or her success
will be a win-win. Then send the employee back to work.
x Document results. Next, document what took place: what was said by all parties, the
employee’s demeanor, and the employee’s response to the demand for better perfor-
mance. Put the follow-up meeting on the calendar, and ensure, in writing if necessary,
that the employee knows the date.
x Communicate with upper management. Thoroughly brief upper management and the
human resources department. Provide that department with copies of notes and
supporting documents from the meeting. If appropriate, suggest that a human
resources representative participate in the next meeting.
x Follow up. As scheduled, meet again with the employee. The meeting should be short
and direct. Those who attended the first meeting ought to be in attendance. Review the
employee’s progress. If the employee has met prescribed expectations, state
appreciation and congratulate him or her. If the employee has not, invoke the
progressive action or discipline described in the prior meeting. Set goals and establish
a follow-up date.
Intervention is an important management tool design to correct, not punish. Used properly,
it can enable supervisors and managers to salvage a problem employee. In the long run,
intervention can prevent unnecessary discipline, reduce employee turnover, and maybe
even save a life.
In such circumstances, the job represents more than a source of income. It represents the
last bastion of normalcy and order in the life of the abuser. As a result, abusers often cling to
it desperately. They may rationalizes that they are not sick, addicted, or chemically depen-
dent as long as they can keep a job. The abuser at this stage is capable of almost anything—
except giving up drugs. He or she may lie, cheat, and steal to keep the job and may even
resort to violence if the job is threatened.
EAP professionals develop a community referral network to serve their clients. Clients are
usually provided with several consultations over the telephone (sometimes in person) to
determine their specific needs. Once an assessment is made, the client is provided the names
of several resources. It is then up to the client to follow through and seek the appropriate
help. For the purpose of support, the EAP may monitor the client’s progress, but actual
treatment is provided by independent, outside professionals. Any counseling or treatment
performed is confidential. Treatment costs may be covered by the employee’s medical insur-
ance. Leaves of absence are granted to accommodate the client-employee. In the United
States, the Americans with Disabilities Act (ADA) requires reasonable accommodation of
employees and job applicants who are recovering drug or alcohol abusers. Current users are
not protected.
In effect, the EAP is a clearinghouse for employee-help services. EAPs do not conduct
investigations or drug tests. They simply connect people with high-quality, professional help.
Employees can voluntarily seek help through an EAP, or they can be referred by manage-
ment. Management referrals typically include the following elements:
x mandatory participation
x professional diagnosis
x professional treatment or therapy
x progress reports and feedback to management
x goal setting
x monitoring
Substance abusers prefer to work in environments where others like them work, and they
resent the social boundaries that a healthy corporate culture imposes on them. Most of all,
they resent the inability to rationalize their substance abuse. Positive peer pressure can force
substance abusers to confront their behavior. What they find is that they can no longer lie
and deceive.
On the other hand, if the recovering employee returns to a healthy environment, his or her
chances for recovery and long-term sobriety are good. A healthy and caring culture can
provide various support mechanisms. Non-abusing coworkers can offer encouragement,
positive role models, and an environment free of temptation. Supervisors and managers can
hold the recovering employee accountable, set reasonable expectations, and providing
positive reinforcement when goals are achieved. The net effect is an environment conducive
to recovery and long-term health.
The human resources staff should be trained to identify applicants who may be substance
abusers in order screen them out. In addition, all human resources representatives should
become familiar with all aspects of the organization’s policies and practices since they will
usually be responsible for implementing corrective action and discipline.
Training for supervisors and managers is also critically important. While only a trained
healthcare professional can definitely diagnose a substance abuse problem, training can
provide supervisors and managers the tools they need to properly enforce work rules and
administer policies.
Employers have both a right and a duty to promote a drug-free workplace. Drug testing is
now widely considered an important component in maintaining a safe and healthy
workplace and is used widely. In the United States, the Drug-Free Workplace Act of 1988
requires all businesses contracting with the federal government and receiving grants over
$25,000 to certify that they have policies for creating and maintaining a drug-free workplace.
Other legislation and regulations require periodic drug testing for some workers in the
transportation and public service industries.
11.9.1 METHODS
Drug testing is a scientific examination of a biological specimen for the presence of a specific
drug or its metabolite (a chemical byproduct left behind after the body metabolizes the
substance). The type of specimen analyzed most often is urine, but blood, hair, and saliva
may also be tested. Urine testing is preferred because collection is not considered intrusive
(that is, the body does not need to be punctured to collect the specimen as it is in the
drawing of blood). Collection techniques follow careful protocols ensuring the privacy of the
provider. Once the specimen is collected, it is sealed, labeled, and sent to a laboratory for
examination.
Usually the sample is split; part is used for testing and the rest is preserved (usually frozen)
for future examination if necessary. The testing sample is then subjected to one or more
preliminary tests, such as immunoassays, radioimmunoassay, and thin-layer chromato-
graphy. Of these, thin-layer chromatography (TLC) is the most common and least expensive.
Radioimmunoassay (RIA) is the most accurate and can detect drug concentrations on the
order of 1 to 5 nanograms per milliliter (1 to 5 parts per billion).
If the preliminary test discovers a drug or its metabolite, a confirmatory test is used.
Confirmatory tests typically use advanced technologies that are more accurate. They identify
both the type of drug or metabolite present and its concentration. The more common types
of confirmatory tests include high-performance liquid chromatography, gas chromato-
graphy, and gas chromatography/mass spectrometry. Of these, gas chromatography/mass
spectrometry (GC/MS) is considered the most accurate. However, all methods can yield
accurate results and have withstood rigorous legal challenges.
Once the specimen has been confirmed positive, the results are confidentially commu-
nicated to the employer or its representative (as in the case of an employer’s use of a medical
review officer). Because specimens are labeled by number, not name, even the lab does not
know to whom the specimen belongs. Employer responses to a positive result vary depending
on circumstances and policy.
11.9.2 ACCURACY
Drug testing is extremely accurate. A very small percentage of tests may result in a false
positive, but confirmatory tests are performed in those cases. Laboratories that perform drug
tests are regulated and subject to rigorous performance requirements and quality assurance
procedures. Certification by the National Institute on Substance Abuse (NIDA) is difficult and
expensive. Under NIDA requirements, every specimen, procedure, and test is documented.
Control specimens are frequently tested to ensure accuracy and system integrity. NIDA claims
that of the roughly 16 million drug tests its labs perform annually, fewer than 16 produce
positive results when a drug is not present.
11.9.3 STRATEGY
Many states regulate drug and alcohol testing, and organizations must be mindful of
jurisdictional differences as they establish their drug-testing strategies. The following is an
examination of some of the issues that should be contemplated when developing an
organization’s strategy (Ferraro & Judge, 2003).
Employers who are thinking of testing for substances beyond the DHHS-5 should also
consider the impact of the Americans with Disabilities Act (ADA), which limits medical
inquiries by employers. Strangely, under the ADA, a drug test is not considered a medical
examination but an alcohol test is. Thus, it is advisable to test only after an employment offer
is made. Potentially, an ADA claim could be raised by a non-safety employee disciplined
9
because of a test that detected a substance other than one of the DHHS-5.
Organizations that are exempt from federal rules should check state laws. Eleven states and
two cities have laws related to when employers can or cannot conduct drug testing. For
example, Vermont prohibits random testing, while Oklahoma permits post-accident testing
only if there is a reasonable suspicion of illicit drug use at the time of the accident. After
examining federal and state laws, organizations should determine which type of testing best
fits their circumstances. The two most common types of testing are preemployment and
random.
By contrast, the workers interviewed said they were concerned about reasonable-suspicion
testing. In workplaces where employers actively tested on a reasonable-suspicion or for-
cause basis, the workers reported that they had attempted to stop using drugs on the job. It
appears that for-cause testing programs convinced the workers that the employers were
serious and would enforce their drug-testing policies. Case laws suggests that employers may
not conduct such tests without some evidence of possible drug use, and reasonable suspicion
requires more than a simple hunch.
9 th
See Jane Roe v. Cheyenne Mountain Conference Resort, Inc., No. 96-1086 (10 Cir. 1997).
How drug and alcohol tests are carried out is also an important consideration. Thirteen
states require split-specimen samples for all substance abuse tests. For example, an Iowa law
requires that every sample must be split into two sub-samples. The first is used for testing
purposes. If the test result is positive, the remaining sample is offered to the providing
employee, who can have it tested at an independent laboratory. The impact of such a rule is
significant. If a sample is not split in a state that requires it, the person being tested must be
reinstated even if the test is positive.
Employers should check state law first, but the following is a general testing guide:
Twelve states provide premium reductions, ranging from 5 percent to 20 percent. Those
states include Alabama, Alaska, Arizona, Arkansas, Florida, Georgia, Idaho, Mississippi, Ohio,
South Carolina, Tennessee, and Virginia.
Another monetary benefit is found when paying workers’ compensation claims. With few
exceptions, employers and their insurers need not pay workers’ compensation claims in two
conditions: if the worker violated a known safety rule and if the worker’s intoxication is the
cause of the injury. When such cases go to court, often the employer must prove alcohol or
drug use was the cause of the injury, not just a contributing factor.
An illustrative case is Garcia v. Naylor Concrete Co. (2002). Juan Mario Garcia was employed
as a welder for Naylor Concrete Company at a shopping mall project. As part of his job,
Garcia was required to weld decking to a metal roof. To access the work site, Garcia had to
climb a 20-foot ladder and then walk about 90 feet across four-inch joists to reach the
decking. On September 30, 1997, Garcia had been welding for about an hour when he slid off
the edge of the roof and was seriously injured. At the hospital, a blood test showed his blood-
alcohol level as .094 percent.
Garcia applied for workers’ compensation benefits. Naylor refused to grant the benefits,
arguing that Garcia’s intoxication was the cause of his injuries. Garcia argued that he had
been drinking the night before the accident but had not consumed alcohol on the day of the
incident. The state Workers’ Compensation Commission denied the benefits on the basis of
Garcia’s elevated blood alcohol level on the day of the accident. The commission reaffirmed
the decision on appeal, and the state district court agreed during a judicial review. Finally,
the state’s Supreme Court upheld the decision, ruling that no matter when Garcia consumed
the alcohol, he was still legally drunk at work.
However, it may sometimes be difficult for companies to prove that drug or alcohol use
caused an employee’s injury. For example, in Kennedy v. Camellia Garden Manor (2003), the
court found in favor of the employee because the employer could not prove that the
employee’s prior use of marijuana had caused his injuries.
Herman Kennedy was employed as an orderly for Camellia Garden Manor, a nursing home.
On June 1, 2001, Kennedy injured his lower back while trying to lift a struggling quadriplegic
resident out of a whirlpool bath. Kennedy was ordered to provide a urine specimen for drug
testing purposes. The test was positive for marijuana. The employer fired Kennedy and
refused to pay his workers’ compensation claim because of the positive drug test.
Kennedy appealed to the state workers’ compensation board, claiming that the injury was
caused by lifting the struggling resident and not by any prior use of marijuana. The board
found in favor of Kennedy, ruling that the company could not prove that intoxication was the
cause of his injuries. On appeal, the district court upheld the board’s decision. The employer
was ordered to pay the claim.
Another financial incentive comes in the form of immunity from prosecution in certain
employment-related lawsuits. For example, in Idaho, employers who fire an employee as a
result of a positive drug test or refusal to provide a specimen for testing are given immunity
from lawsuits. Such immunity is waived in cases where the test results were false and the
employer knew or clearly should have known they were false.
Four states—Arkansas, Iowa, Minnesota, and North Dakota—provide immunity for disclosure
of records when requested by a prospective employer. For example, an Arkansas law provides
for disclosure of the results of drug or alcohol tests administered within one year prior to the
request. Iowa law, however, stipulates the conditions under which such information may be
released. The law says that immunity is waived if the employer knowingly provides
information to a person who has no legitimate or common interest in receiving the work-
related information. Similarly, immunity is waived if the work-related information is not
relevant to the inquiry being made, is provided with malice, or is provided in bad faith.
11.9.5 LIABILITY
Though drug testing programs can provide monetary rewards, poorly managed programs
can lead to costly outcomes in court. A rule governing all federal employers requires that all
personnel who collect specimens from employees be qualified. The rule also applies to
private employers if state laws require that they follow federal rules. For example, 18 states
require certain employers to follow federal laws. Even if collection personnel work for a third
party, they are considered agents of the employer, leaving the employer liable if that party
breaks the law.
Private employers not covered by the law must still be cautious about the way a drug testing
program is conducted. If an employer has its own employees (not outside professionals)
collect urine samples, the employer must collect the samples in a reasonable manner, in
accordance with appropriate procedures.
An additional complication is the issue of chain of custody. The chain of custody establishes
who handled the specimen from the time it was provided to the time testing results were
rendered. Should the chain of custody be broken, the result is deemed invalid. Poor record
keeping can bring challenges to the chain of custody and easily jeopardize the validity of a
test result. Employers that collect their own specimens are most at risk. Unless the employer
establishes strict handling procedures and tightly manages its record keeping, broken chain
of custody claims cannot be defended. The employer may not only see the test result invali-
dated but also end up in court.
Drug testing offers many potential benefits, including improved safety and reduced injuries.
However, organizations that test for drugs must devise sound written policies and be
prepared to navigate the ever-changing rules and regulations.
APPENDIX A
DRUG GLOSSARY
APPENDIX B
No. Although passive inhalation can occur, typically the amounts ingested in that manner are so
low that impairment is nearly impossible, as is the possibility for testing positive.
No. Drug testing under most circumstances is not considered discriminatory or illegal. Employers
have the right to create and maintain a drug-free workplace. Drug testing is one of the many legal
tools available to the employer to ensure a safe and healthy workplace.
An employer cannot force an employee to take a drug test. However, refusal to take a drug test may
be a violation of the employer’s drug policy or may be considered insubordinate. Before refusing,
an employee should read the policy or talk to a human resources representative.
Not typically. Before providing a specimen, the employee is asked to identify any medication or
other substances that may influence test results. The answers are kept confidential and can aid in
ensuring accurate test results.
The length of time a drug remains in one’s system is based on a number of factors, including the
type of drug, amount ingested, body weight, and metabolism. The length of time drugs remain
detectable in the body is called the window of detection.
Does a positive drug test indicate that the employee was impaired or under the influence?
Not necessarily. Only alcohol has legal blood limits. However, in most instances the mere presence
of a controlled substance in one’s system constitutes a policy violation.
They should contact the employee assistance program or a human resources representative.
APPENDIX C
SUPERVISOR’S CHECKLIST
This checklist includes behaviors and symptoms that may be indicators of substance abuse.
However, the presence of some of the indicators does not necessarily mean a person has a
substance abuse problem. Users of this checklist are encouraged to look for clusters of behaviors
and symptoms merely as an aid to identifying potential employee substance abuse.
x abnormal number of visits to restroom x calling in sick after denial for vacation
x absences due to accidents on and off x requests for sick leave extensions
the job x extending sick leave repeatedly
x absence before and after paydays
Performance
x repeated procrastination x general lack of interest in work or
x repeated lateness in completing product
assignments x difficulty in handling difficult
x irresponsibility in completing assignments
assignments x difficulty in recalling previous
x faulty decision-making mistakes
Interpersonal Relationships
x inappropriate emotional outbursts x isolation from coworkers and friends
x mood swings, early or late in day x physical volatility
x overreacting to criticism x exaggerated self-importance
x constantly blaming others x unbending and unreasonable manner
x making inappropriate statements or x excessive time on the telephone
comments x failure to keep commitments
x rambling, incoherent speech x failure to keep appointments
APPENDIX D
INTERVENTION CHECKLIST
The purpose of intervention is to correct, not punish. For best results, supervisors and managers
should follow these steps:
APPENDIX E
The act states that it is not a violation for a covered entity (employer) to adopt reasonable policies
or procedures, including drug testing, to ensure that rehabilitated individuals are no longer using
drugs illegally.
The Drug Free Workplace Act also requires the employer, within 30 days after receiving notice
from an employee of a drug conviction, to take appropriate action against that employee (up
to and including termination), or to require the employee to participate satisfactorily in a drug
abuse assistance or rehabilitation program that has been approved by a federal, state, or local
health, law enforcement or other appropriate agency. A specific provision in section
12114(c)(3) of the ADA permits employers to require employees to comply with the provisions
of the Drug Free Workplace Act.
The act defines a serious health condition as an “injury, illness, impairment or physical or mental
condition” that involves inpatient medical care or continuing treatment by a health care provider.
The leave may be unpaid, but an employer who grants less than 12 weeks of personal, sick, or
vacation leave annually may require the employee to exhaust that leave as part of the leave
provided under the act. Any remaining leave needed to make up the full 12 weeks, should they be
required, is unpaid. Upon timely return from leave, the employee is reinstated to the same or
equivalent position and suffers no loss of benefits or seniority. (This last provision does not apply
to salaried employees who are among the highest-paid 10 percent of the workforce.)
Because both the Vocational Rehabilitation Act and the Americans with Disabilities Act protect
employees in rehabilitation programs, and because detoxification or other medical need arising
from such participation could be described and certified as a serious health condition, there will
be situations in which such leave is sought. An employer who seeks to deny or interfere with rights
under the act, or to discriminate against employees who file charges or give testimony in a
proceeding held under provisions of the act, is liable to an aggrieved employee for civil damages of
x any lost wages or actual costs up to 12 weeks’ pay;
x interest on that amount;
x liquidated damages in an amount equal to the actual costs;
x the costs of the action; a reasonable attorney’s fee; and
x equitable relief, including reinstatement, employment, and promotion, as appropriate.
APPENDIX F
Scope
XYZ Company is a drug-free workplace and does not permit its employees to be impaired by drugs
or alcohol while on Company time or property. Violation of any of the rules and regulations,
procedures, requirements, or the spirit of this guideline will result in corrective action. Depending
on the circumstances, appropriate corrective action may include termination from employment,
suspension, warning, probation, or any lesser sanction; or other action in the Company’s
discretion deemed to be commensurate with the problem.
The only exception to this rule is that, on occasion, alcohol may be served at Company-sponsored
events, such as a holiday party. In those instances, responsible, moderate consumption of alcoholic
beverages is not a violation of this policy.
Impairment
Appearing for work or performing any job duties or Company business while impaired by alcohol
or drugs is prohibited. Employees who are believed to be impaired on the job may, in addition to
any other appropriate action, be suspended, sent home, or reassigned for safety reasons while the
situation is evaluated.
Off-Duty Use
The use of alcohol off-duty and off-premises in any manner that results in impairment on the job,
that adversely affects attendance or job performance, or that otherwise adversely reflects on the
Company is prohibited. The use of illegal drugs by employees, whether on-or off-duty and whether
on-or off-premises, is prohibited under all circumstances.
Legal Drugs
The use of legal drugs (over-the-counter or prescription medications) in accordance with a doctor’s
orders or manufacturer’s recommendations is not prohibited. Abuse of legal drugs shall be
considered to be the same as use of illegal drugs under this policy. If use of legal drugs in accordance
with a doctor’s orders or manufacturer’s recommendations may impair the employee’s ability to
safely and effectively perform his or her job, the employee must so notify his or her supervisor in
advance, so that any necessary arrangements can be made to protect safety and productivity.
Drug Convictions
Any employee who is convicted of any criminal drug violation occurring in the workplace must so
notify his or her supervisor within five days after the conviction. XYZ Company may be required to
report such information to governmental agencies with which it contracts.
Job Applicants
XYZ Company will not knowingly hire a job applicant who is currently abusing alcohol or legal
drugs or currently using illegal drugs.
Right of Inspection
XYZ Company reserves the right to inspect with or without notice at any time all vehicles, lunch
containers, purses, boxes, packages, desks, lockers, and other personal property of employees on
XYZ Company premises for the purpose of enforcing this policy or other safety and security
reasons. XYZ Company premises include all employee parking areas and company-designated
parking lots.
Preemployment. Preemployment testing shall be required for all job applicants within specified
facilities or job categories as determined by management from time to time. Applicants who fail
to pass a preemployment drug or alcohol test will be ineligible for employment for a minimum
of one year.
Reasonable suspicion. XYZ Company may require any employee to be tested for the presence
of drugs or alcohol based on reasonable suspicion. Reasonable suspicion shall be defined as a
reasonable suspicion, by a supervisor or above, concurred with by the senior manager available
within the affected facility or department, that an employee’s faculties are impaired on the job
or that an employee has used or possessed illegal drugs. This determination of a reasonable
suspicion may be based on a variety of factors, including but not limited to the following:
Universal. Universal drug testing may be required of all employees within specified facilitates
or departments designated by XYZ Company management from time to time. Selection of
covered employees to be tested (randomization) shall be conducted by XYZ Company’s testing
service provider according to systems established by the provider, which shall notify XYZ
Company of the employees to be tested. Universal testing may be conducted at unannounced
times spread throughout the year.
Testing Process
Scope. Drug and alcohol testing of applicants or employees may include a urinalysis and/or
breath analysis sample testing as determined by XYZ Company and the testing service provider.
Testing may include, but may not be limited to, detecting the presence of marijuana, cocaine,
opiates, amphetamines, and phencyclidine (PCP). XYZ Company may increase or decrease the list
of substances for which testing is conducted at any time, with or without notice. In addition, XYZ
Company may require separate samples if multiple tests are conducted. Test levels and standards
will be established by XYZ Company and the testing service provider.
Confirmation. Initial positive tests shall be confirmed using a second test in accordance with
applicable law.
Specimen for testing. Testing shall be conducted at a facility designated by XYZ Company. Job
applicants and employees selected for universal or reasonable cause testing shall appear at the
facility and provide the necessary sample at the precise time and place specified by XYZ
Company. Employees tested based on a suspicion that the employee may be impaired shall be
transported to the testing site by a supervisor or another person designated by XYZ Company.
The applicant or employee must sign any consent requested and provide any other requested
information; failure or refusal to do so may result in discharge or denial of employment.
Testing an injured employee. An employee who is seriously injured and cannot provide a
specimen at the time of the accident shall provide the necessary authorization to obtain
hospital reports and other documents that may indicate whether there were any controlled
substances or alcohol in his or her system.
Notification of results. Employees and applicants will receive notification of positive test results
and will be given an opportunity to explain such results. Failure to timely respond may result in
an uncontested positive verification
Rehabilitation
Purpose and responsibility. XYZ Company recognizes that drug dependency and alcoholism
are health problems and, in management’s sole discretion, on a case-by-case basis, will attempt
to work with and assist an employee who becomes dependent on drugs or alcohol. The
employee will be assisted in identifying rehabilitation services, referral agencies, or other
resources to help the employee in dealing with his or her problem. It is the employee’s
responsibility, however, to see that such problems do not interfere with proper job performance
or expose others to the risk of harm. All employees are urged to obtain any necessary help
before a personal problem becomes an employment problem.
Costs
Mandatory drug/alcohol testing costs shall be paid by XYZ Company; treatment costs shall be the
responsibility of the employee to the extent not covered by the employee’s health insurance.
Definitions
Impairment. This is a condition induced by any drug or alcohol or the combination of any drug
and alcohol that affects the employee in any physically or mentally detectable manner. The
symptoms of impairment are not confined to those consistent with misbehavior or of obvious
impairment of physical or mental ability, such as slurred speech, difficulty in maintaining
balance, or the odor of alcohol. A determination of impairment may be established by any
supervisor or manager, a medical professional, a scientifically conducted test such as urinalysis,
or in some instances by a layperson. Furthermore, in some cases lacking any objective or
subjective indicator, the mere consumption of a drug and/or alcohol may constitute
impairment.
Illegal drugs. An illegal drug is any drug that is (a) not legally obtainable or (b) legally obtainable
but has not been legally obtained or used. The term includes prescribed drugs not legally
obtained and prescribed drugs not being used for prescribed purposes. Included are
prescription drugs shared with a coworker under any circumstances.
Legal drug. A legal drug is any prescribed drug or over-the-counter drug that has been legally
obtained and is being used for the purpose for which it was prescribed or manufactured.
Drug paraphernalia. These are items, tools, and devices commonly used in the preparation,
storage, and administration of illegal drugs. Examples include but are not limited to rolling
papers, roach clips, glass pipes, water pipes and bongs, drug vials, straws and spoons, and in
some cases hypodermic syringes.
Serious injury. This is any work-related injury resulting in the stoppage of work and requiring
medical attention of any kind.
REFERENCES
Code of Federal Regulations. (2007). Controlled substances and alcohol use and testing. 49 CFR 382.
Ferraro, E. F. (1994). Employer’s guide to a drug-free workplace. Golden, CO: Business Controls, Inc.
Ferraro, E. F., & Judge, W. J. (2003, May). Put your drug policy to the test. Security Management.
th
Jane Roe v. Cheyenne Mountain Conference Resort, Inc., No. 96-1086 (10 Cir. 1997).
Department of Health and Human Services. (2007). Results from the 2006 National Survey on Drug
Use and Health: National findings. Available: http://www.oas.samhsa.gov/nsduh/2k6nsduh/
2k6Results.cfm#2.10 [2007, September 14].
United States Code. (2007). Treatment of controlled substance analogues. 21 USC 813.
12.1 INTRODUCTION
People have long been concerned about violence, but the use of behavioral assessment and
th th
intervention to prevent violent behavior is fairly new. During the late 19 and early 20
centuries in the United States, the legal system began to ask “alienists,” who are now called
psychiatrists, to render opinions concerning the propensity (likelihood) of identified
individuals to commit violence in the future. These opinions were used in both criminal and
civil proceedings to determine whether people should be incarcerated and for how long,
where they should be held, and under what circumstances they should be released.
Unfortunately, psychological studies from the 1960s to the 1990s show that psychiatrists and
psychologists who use only their own judgment in such cases are only 40 to 70 percent
accurate in predicting violent behavior, depending on how violence is defined, the duration
of the prediction follow-up, and the population assessed. Clinical judgments alone rarely
10
outperform actuarial approaches alone. These studies spurred an explosion of psycho-
logical research on how to increase the accuracy of predictions and created a specialty called
violence risk assessment and management.
10
See two meta-analyses covering a wide range of studies: (1) William M. Grove and Paul E. Meehl, “Comparative Efficiency of
Informal (Subjective, Impressionistic) and Formal (Mechanical, Algorithmic) Prediction Procedures: The Clinical-Statistical
Controversy,” Psychology, Public Policy, and Law, Vol. 2, No. 2, 1996, pp. 293-323, and (2) Douglas Mossman, “Assessing
Predictions of Violence: Being Accurate about Accuracy,” Journal of Consulting and Clinical Psychology, Vol. 62, No. 4, 1994, pp.
783-792.
At the same time, the public began to hear about more violence in the workplace, particu-
larly single and mass homicides. In addition, the U.S. government began to gather statistics
and develop expectations of what employers should do to provide a safe workplace. A
study by the National Institute for Occupational Safety and Health for the period 1980 to
1995 (National Institute for Occupational Safety and Health, 2001) showed that murder was
the leading cause of death in the workplace for women and the second leading cause of
death in the workplace for all workers in the United States during that period. However, the
number of workplace homicides per capita has decreased in the United States since those
peak years in the early 1990s (see Figure 12-1).
Most workplace homicides result from robberies and similar criminal violence. An
examination of workplace violence incidents not involving robbery reveals that perpetrators
progressively move through stages resulting in violence. However, a more disturbing subset
of violence has become more prominent and is an ongoing concern for employers and
employees—mass murder by individuals who are closely connected with the workplace.
They include employees, spouses or significant others, long-time customers or clients,
shareholders, and suppliers to the business. They commit targeted acts of violence against
company personnel who, in their view, have caused them a loss of some type.
Even when these individuals do not commit homicide, they cause problems that must be
assessed and resolved. A study by Northwestern National Life Insurance Company (1993)
stated that 2 million Americans were attacked in the workplace in 1992, 6 million were
threatened, and 16 million were harassed. Incidents of homicide, assault, threats, and
harassment in the workplace will likely continue to contribute to the turbulence of modern
society and reinforce some individuals’ perception that violence is an acceptable way to
accomplish their goals.
1,000 927
900 860
800 714
677
700 651 643
609 632 628
559 567 540 526 542
600
500
400
1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
Figure 12-1
U.S. Fatal Occupational Injuries by Event or Exposure, 1994–2009
Security programs aim first to divert someone from committing an unsafe or harmful act and
then, if diversion is unsuccessful, to delay the person’s progress in committing the act until
trained individuals are notified and respond to the problem. All effective security programs
assume that an effective response by properly trained personnel will occur if the perpetrator is
not diverted. In the case of threats of workplace violence, this means that one of the planned
responses should be (at a predetermined threshold of assessed potential for immediate,
physical violence) a response by correctly trained, armed personnel who will handle the
situation. In some workplace violence situations, these responders may be law enforcement
personnel. However, because of law enforcement’s average response time to crimes of violence
11
(more than 11 minutes in 40 percent of cases in the United States ) and a company’s prior
notice of the problem, the only legally defensible option may be to use properly qualified
private security personnel.
Like a typical security program, a violence risk assessment program employs diversion,
delay, and response, but they are the last elements in the program. The most distinctive and
important elements are behavioral recognition, notification, assessment, and intervention by
planned disruption. Those elements are used before physical security elements come into
play. The long-term solution to each situation of potential workplace violence lies in under-
standing the emotional and mental state of the aggressor and diverting him or her from
violence, not solely in strengthening security measures. Early awareness of the problem
allows for a thorough assessment and successful intervention. Consequently, companies
should develop a comprehensive violence risk assessment and management system that
requires reporting of threats to a central position in the company, a thorough assessment of
the threats, and a coordinated response to the assessment, involving legal, human resources,
security, behavioral, and other organizational and community elements.
11
Bureau of Justice Statistics, National Criminal Victimization Survey, 2003 (Washington, DC: U.S. Department of Justice, 2005).
NCJ 207811, available at http://bjs.ojp.usdoj.gov/.
A violence risk assessment program must address a variety of workplace behaviors. Policies
and programs dealing with inappropriate workplace conduct, including harassment,
intimidation, and discrimination, should be seen as related to the violence risk assessment
program because in some cases such behaviors are early warning signs that can lead to
violence. Other behaviors that would fall directly into a violence risk assessment program
include oral or written threats, assaults with or without battery, stalking, sabotage or
vandalism, and homicide.
Business-related concerns that the program should address include liability, productivity,
workplace morale, and associated costs. The primary source of concern may be the cost of
being proven liable for negligence in a tragic incident of workplace violence. There is good
reason for concern, as lawsuits claiming negligent security continue to grow in number and
cost to businesses throughout the United States. Judgments and settlements for wrongful
death cases are averaging more than $2.8 million dollars (Anderson, 2002). However, the
greatest economic cost to organizations for acts of violence may come from the loss of morale
and productivity. Hundreds of thousands of dollars per incident can be lost in work group
productivity due to the absenteeism, sick leave, work slowdowns, management and worker
distraction, and general disruption that may follow workplace violence. The costs for treating
injuries, too, should not be ignored. Treatment for a single crime-related injury can easily cost
tens of thousands of dollars. Further information on productivity and injury costs can be found
in Victim Costs and Consequences: A New Look (National Institute of Justice, 1996).
A further consideration is the level of outside support that the company can tap into for a
violence risk assessment and management program. The company must be ready to contend
with the following problems: (1) limited law enforcement resources to respond to potential
violence in the workplace; (2) limited but growing legal experience in workplace violence
management; (3) limited number of defensible experts in the psychopathologies and behaviors
associated with violence; and (4) limited number of security firms that understand the limits
of their role and are capable of providing the broad spectrum of responses necessary. Many
unqualified individuals and companies claim expertise in violence risk assessment and
12
management.
In addition, certain legal duties and tort concepts have become associated with claims and
lawsuits arising from workplace violence. Some workplace violence lawsuits have been filed
13
under claims of violations of Title VII discrimination protections, violations of the Americans
with Disabilities Act, violations of the Rehabilitation Act, defamation, slander, invasion of
privacy, harassment, negligent security, negligent hiring, negligent supervision, negligent
retention, employer’s vicarious liability, and other torts. Examples include the following:
x former employee returning to kill coworkers after employee assistance program claims he can
be fired safely (Allman v. Dormer Tools, Inc.)
x supervisor/coworker battery (Clark v. Pangan, 2000)
12
For more information on qualifying security consultants and contractors, see Chapter 8, Consultants as a Protection
Resource.
13
Title VII of the U.S. Civil Rights Act of 1964.
x security director’s threat of violence against an employee (Herrick v. Quality Inn Hotel, 1993)
x employee shooting of a supervisor (Smith v. National Railroad Passenger Corporation, 1988)
These legal issues are addressed in detail in other sections of Protection of Assets.
It is important that the company research, document, and understand the method by which
it or its employees can obtain restraining or protective orders against individuals who
threaten to harm them. In many jurisdictions such orders can only be obtained by individual
(natural person) victims. However, the law is beginning to recognize that business entities
can also be the victims of threats and harassment and may need court orders for protection
(e.g., 527.8 California Code of Civil Procedure). Some individuals question the value of a
piece of paper as protection from violence. Studies (such as Meloy, 1997) have shown that
the majority of protective or restraining orders aid in the cessation of violence. However, it is
important to obtain them early in the cycle of violence. For example, in 1988, after stalking a
coworker for years, even after being fired, Richard Farley went on a shooting spree at his
former workplace, Electromagnetic Systems Labs in California, killing seven and wounding
three. The object of his stalking, Laura Black, did not obtain a restraining order against him
until two years after he was fired for his stalking behavior, and she now believes that
14
obtaining it earlier might have prevented the tragedy.
For security practitioners. the most effective means of preventing workplace violence is early
detection of this behavioral, emotional, and psychological dynamic. The way to detect
individuals who are destabilized and seeking control is to assess their mental and emotional
levels along a continuum of violent behavior and then develop a plan to divert them from
violence through a case-specific use of communication, company resources, community
resources, and the legal system.
14
Television interview of Laura Black on 2/9/93 by KPIX TV (Channel 5), San Francisco, CA, following a presentation of the
Laura Black Story.
It is beyond the scope of this document to explain thoroughly the difference between
psychopathic and affective (emotion-based) violence. Suffice it to say that in the early
investigation and assessment of any aggression, the assessor should be attentive to the
clusters of behavior that would signal that the aggressor may be a psychopath. Appropriate
intervention is much more complex when dealing with psychopaths. For more information
on psychopathy, a good starting point is Without Conscience: The Disturbing World of the
Psychopaths Among Us (Hare, 1993). This book discusses behavioral elements and clusters to
watch for, but only trained, experienced violence risk assessors should attempt to intervene
in cases involving a potential psychopath. Because the vast majority of cases involve
emotion-based aggressors, this document focuses on them, not psychopaths.
In general, the continuum of violent behavior starts with general disgruntlement with a
business or a person (Calhoun & Weston, 2003, p. 60). Then, as the situation escalates, one
may observe nonspecific spoken intimidation, nonspecific spoken threats, specific spoken
threats, written threats, physical violence against property, stalking, physical violence against
people without the use of weapons, and finally physical violence against people with the use
of weapons. In any individual case, the aggressor could exhibit one or more of these
behaviors, escalating or de-escalating them over time. In general, in more serious cases, as
cycling occurs, each movement back up the curve involves more serious behavior. The entire
process leading to physical violence can occur within a short period if enough influential
factors are in place. Figure 12-2 provides a graphic depiction of a potential escalation curve.
The curve was the outcome of research by James S. Cawood, CPP, that attempted to identify
a consensus among violence risk assessment professionals concerning their ranking of
aggressor behaviors by perceived emotional intensity.
Figure 12-2
A Theoretical Behavioral Escalation Curve for Emotion-Based Violence
This simple structure can be successfully implemented by one team for a multinational
corporation or a single-location organization. Some larger enterprises have established
regional teams along with an enterprise-wide oversight team to facilitate consistency of
practice, communicate lessons learned, and provide support. Since this role of situation
assessment and intervention is similar to the role of crisis management teams, it may be
possible to assign an existing team to handle violence risk assessment or develop a subset of
the established team to take on that role.
Outside members of the team may be added as necessary to provide a higher level of
experience in the central aspects of the process, including the legal, behavioral assessment,
and security aspects. Operational support members might advise the IMT during the
development of certain portions of the incident plan or carry out instructions from the IMT
but do not normally serve on the IMT itself.
It is essential that the IMT be empowered to commit company assets and personnel to
resolve an incident. If the IMT must brief other manager to obtain a decision on employment
actions, deployment of personnel, or payment of costs, the assessment process will slow
down and the risk of an unsuccessful resolution will increase significantly. The following
organizational functions are typically represented on an IMT and among its resources:
12.7.1 NOTIFICATION
Notification can come from sources inside or outside the company. In either case, the
company needs policy, procedures, and training that direct reporting of inappropriate
precursor behaviors, incidents, or reports to a particular person or group in the company
that is responsible for initial intake of the report and initial assessment for immediate risk.
This means that after notification from any source, by any means (e.g., observation, e-mail,
postal mail, phone call, text message, fax, etc.), company operators, receptionists, managers,
supervisors, customer service representatives, and other employees will know that they should
pass that notification to the appropriate person or group immediately. Company receivers of
the notification may need to be available 24 hours a day, seven days a week, and be trained to
handle these notifications appropriately. Violence may escalate if management does not
respond to early warning signs.
12.7.2 ASSESSMENT
Several levels of assessment may occur after notification, depending on whether the
aggressor is known or unknown and the quantity and quality of the information provided in
the initial notification. If the aggressor’s identity is not known (because, for example, the
threatening communications were anonymous), a valid violence risk assessment cannot be
conducted. Some preliminary behavioral analysis can be done from the material presented,
but the validity of the violence risk assessment will be low. Valid violence risk assessments
require a depth of information available only for known subjects. This is one of the
differences between behavioral investigative analysis (profiling) and violence risk
assessment. Profiling is used to exclude people from an investigative pool of subjects so as to
conserve investigative resources, while violence risk assessment is focused on a particular
individual’s risk of committing a violent act. If the individual is unknown, investigations can
be conducted to determine who the person is, and organizational response to the actions of
the unknown aggressor will be driven by other policies or procedures. If the individual is
known, at least by name, further assessment can be initiated.
Known subject assessment can be broken down into three levels of assessment: initial,
threshold, and comprehensive. Each level of assessment is performed by one or more
members of the IMT and attempts to determine which resources and what level of resources
are appropriate. The first level, initial assessment, attempts to determine whether there is an
immediate risk of harm. If the initial assessment points to a significant possibility of
immediate harm, emergency procedures are activated until the situation is stable enough to
allow further, nonemergency actions.
If the initial assessment suggests there is not a significant possibility of immediate harm,
then further assessment is conducted leading to a threshold assessment. This assessment
determines whether assessment should continue (based on the risk assessment thresholds
determined by the company) or whether the situation only requires monitoring.
Initial Assessment
When notification is made, the receiver of that information decides, based on company
criteria, whether the situation calls for an immediate emergency response. Certainly,
managers and supervisors should be taught to respond to immediate risks by notifying
community emergency resources. However, they do not always do so. Therefore, the initial
assessment must examine what has happened and what has been done, if anything, in
deciding whether to contact community emergency resources for help.
If the initial assessment leads to a decision to call for immediate community emergency
resources, then the person who received the notification must be able to make that call or
direct someone to do so. A company with multiple locations in various countries, regions,
states, or cities needs advance information on the quantity and quality of community emer-
gency resources, as well as contact information.
The next decision, based on the availability of the community emergency resources, may be
whether to evacuate the facility or in the case of a bomb threat, employees are best suited to
search the premises. A lot can happen in the time it takes for law enforcement officers to
15
respond. The company must consider whether locking down, sheltering in place, or
evacuating the facility would best protect employees and other occupants. For example,
when an aggressor has a firearm on the premises, a preferred strategy is a 360-degree
evacuation in which evacuees move away from the building and find shelter in other
buildings or out of sight of the building, preferably behind other objects (such as buildings or
trees). This approach minimizes pooling of potential victims the aggressor can shoot. If the
shooter is outside the building, then a lockdown might be appropriate. If the perimeter is
breached, then evacuation might be necessary. The use of a single, unchanging process, such
15
In this context, locking down means going into classrooms or other securable spaces and locking the door until help arrives.
Sheltering in place means finding any place that is immediately available to provide concealment and hiding there, hoping
that the person does not discover those who are hiding. Locking down occurs in securable space, while sheltering in place
does not.
as locking students in classrooms regardless of the location of the shooter, does not work.
This is illustrated by both the 1999 Columbine High School shooting and the 2005 Red Lake
High School shooting in the United States. In those incidents, students were shot as they
huddled in the library (Columbine) or were locked in a classroom (Red Lake). As was learned
in the 101 California Street office shooting in San Francisco in 1993, “those that run live and
those that hide die” (Cawood, 2005).
Once a situation is stabilized, further assessment will most likely need to be done. If the
aggressor is not dead, further violence risk assessment needs to be conducted to determine
whether the individual or related individuals (e.g., spouse, family members, community
members, ideologically aligned individuals, etc.) pose a continued risk of harm to the
company and its personnel and guests. Some considerations in this regard might be whether
the aggressor is still in the community, could get bail, or has stated a desire to continue
attacking the target. This comprehensive violence risk assessment would be in done in
conjunction with efforts to manage trauma, conduct incident debriefings, and return
operations to normal. If the aggressor is dead, the company might still initiate trauma
management, incident debriefing, and post-incident assessment (what was known, when it
was known, and what was done about it) to help return the company to full operation and
manage such issues as publicity, lawsuits, and community questions.
Threshold Assessment
If the initial assessment suggests there is no significant possibility of immediate harm, then a
threshold assessment is conducted to determine whether, based on the violence risk assess-
ment thresholds determined by the company, the situation warrants further action or only
monitoring. This assessment can be conducted by the same person or persons who
conducted the initial assessment or could involve other trained IMT members. Including at
least two trained individuals at this level of assessment has some distinct advantages: the
workload is shared, multiple points of view are involved, and every case will be guaranteed to
have at least two people who know its details (in case one individual becomes unavailable).
x matches between the behavioral information learned from these sources and an
objective violence risk assessment tool adopted by the company.
Comprehensive Assessment
The comprehensive assessment uses the most detailed information and resources available
to thoroughly assess the potential violence risk. All legally obtainable information is gathered
and reviewed to determine the aggressor’s behavioral history and current stressors. Such
information usually includes the following:
When determining what records to access and what individuals to interview, care must be
taken to determine how the aggressor might react if he or she learned of the assessment. It is
usually prudent to conceal the investigation if possible. If the potential reaction of the
aggressor supersedes the value of the information that might be obtained from a given
record or source (if the contact was prematurely disclosed), it might be better to postpone or
forgo the use of that source.
Placing this detailed information in chronological order makes it possible to analyze patterns
of past behavior from a cause-and-effect perspective. Seeing the behavioral choices the
aggressor made in response to certain events can provide an understanding of the range of
behavior the aggressor might choose in the future. In conjunction with the time line, the use
of a valid assessment tool can provide a more objective way to determine the current
violence potential of this aggressor compared to other aggressors that the tool has been
designed around. Some tools or assessment instruments have been developed for special
populations, and others have been used against a wider range of aggressors. For example, if
the aggressor was potentially attacking a spouse, the appropriate tool might be the Spousal
Assault Risk Assessment Guide (SARA, 1995). If the aggressor was going to attack a coworker
or community member, the appropriate tool might be the HCR-20 version 2, the Risk
Assessment Guideline Elements for Violence (RAGE-V), or the Assessment/Response Grids.
In most cases, after gathering detailed information, developing a behavioral chronology, and
using an assessment tool, a violence risk assessment is completed by assigning a value to the
risk, such as low, moderate, or high. Based on the assigned level of violence risk and the
behavioral data gathered, an intervention and situational resolution plan is designed and
implemented.
x
16
interviews, including “knock and talks”
x administrative or disciplinary actions, including fitness for duty evaluations
x cease-and-desist requests (oral or written)
x no-trespass orders
x restraining or protective orders
x voluntary or involuntary mental health evaluations
x criminal case filing and prosecution
x probation and parole with close monitoring
The choice of an intervention type depends on the assessment of the aggressor’s probable
reaction to the intervention and whether the intervention has a probability of correcting the
aggressor’s perception of the target.
16
The term “knock and talk” refers to interviews that are conducted on the aggressor’s property or at places frequented by the
aggressor, rather than on property controlled by the target or persons related to the target.
impulsivity, and boundaries but may also allow the interviewer and aggressor to reframe the
aggressor’s goals, pose and discuss alternative methods of behavior, discuss cause and effect,
discuss consequences, and find other means to solve the problem. Restraining and
protective orders create a boundary but only have real value if the target reports violations
and the orders are quickly enforced.
In many cases, the intervention starts with one technique but readies other techniques that
might be needed. For example, before the aggressor interview begins, the language and
affidavits for a restraining order might be drafted, a disciplinary warning or termination
package might be prepared, and law enforcement might be contacted (to determine what
crimes the behavior might constitute, how to make a criminal report, and what responses
law enforcement could provide).
12.7.4 MONITORING
Monitoring for new behavior is a critical and underappreciated part of the violence risk
assessment process. Monitoring creates the behavioral feedback loop that allows the
violence risk assessment to be updated, the value of the interventions to be tested, and final
resolution of the incident or situation to be determined. In any given case, the IMT can
establish passive monitoring or active monitoring. Passive monitoring relies on the target
and others who might witness new behavior to report that behavior to the IMT on a timely
basis. This is effective only in very low risk cases, in which a lapse in immediate reporting
would not lead to a significant risk of harm. An example would be a victim who has received
a single anonymous e-mail or voice mail saying, “I hate you and you’re going to pay.” If
further investigation finds no other cause for concern, a viable strategy would be to take a
“wait and see” approach and passively monitor the situation by asking the victim to report
any further contacts or disturbing events to the IMT.
Active monitoring means the assessor actively pursues new behavioral information rather
than passively waiting for a report. The more elevated the risk, the more often the contacts
are made. Active monitoring is the best option for a moderate-to high-risk situation or one in
which the target or witnesses cannot be relied on to report new behavior. This lack of
reporting reliability could be due to shock, denial, rationalization, minimization, or other
psychological defense mechanisms; fear of retaliation or retribution; or a misperception of
the target’s ability to handle the situation without help. Regardless of the reason, the
information is actively pursued. An example of this might be a domestic violence risk where
the target, at work, receives threatening calls in which the aggressor says he or she will make
the target pay and threatens to come to the workplace to confront the target. In an interview,
the target says the aggressor is not a threat and expects that nothing will happen, but
investigation reveals that the aggressor has a history of perpetrating domestic violence
against the target and prior partners, including confrontations in a prior partner’s workplace.
In this case, the target may conceal or play down any contact from the aggressor (because of
embarrassment, concern about keeping his or her job, or a belief that he or she is safe) and
might not be a reliable source of information on new interactions. In this case, the IMT might
locate workers who could witness new contacts from the aggressor and could be relied on to
report the contacts. The IMT might also check with them several times a day to see if new
contacts occurred. If new contacts are reported, the IMT could contact the target and ask for
an update. If the target denies an interaction, the IMT could attempt to lower the target’s
resistance to providing the information. The frequency of the active monitoring could be
increased or decreased depending on the level of current assessed risk of imminent violence.
Debriefing incidents and gleaning lessons learned is a critical part of incident management
and process improvement. It allows for a strategy-level look at how a particular incident
might affect process improvement on a larger scale. Some companies conduct short incident
debriefings after the initial round of assessment and intervention and then conduct monthly,
quarterly, semiannual, or annual debriefings to provide updates on specific cases and
discuss possible process improvements.
Incident reviews, debriefings, or a blend of both can allow for continuous improvement in
the management of a particular case and the overall process.
Regarding intervention, new methodologies and laws may provide more tools to divert
aggressors in specific cases. Austria and Germany have recently passed new stalking laws and
are looking to use them to protect their citizens from behaviors that have not been managed
legally before.
Regarding monitoring, global positioning system (GPS) technology is being used in the
criminal justice system to manage offenders (via, for example, ankle bracelets). Functional
magnetic resonance imaging (fMRI) is currently being explored for use in mapping brain
17
function to detect deception in individuals. In the future, this technology, coupled with
research on aggression and violent behavior, might lead to the ability to monitor aggressors’
neuron changes that would signal their immediate intent to cause physical harm. This and
other technological improvements, along with new methodologies to encourage and support
victim and witness participation in the process of behavioral monitoring, may lead to
significant improvements in the safety of individuals, communities, and nations.
17
See www.cephoscorp.com for information on the work of Cephos Corporation with the Medical University of South Carolina.
APPENDIX A
Nothing is more important to [YOUR COMPANY NAME] than the safety and security of its
personnel; therefore violence against employees, visitors, guests, or other individuals by anyone
on [YOUR COMPANY NAME] property will not be tolerated.
Any person who makes threats, exhibits threatening behavior, or engages in intimidating,
threatening, or violent acts on [YOUR COMPANY NAME] property should be removed from the
premises as quickly as safety permits, and should remain off [YOUR COMPANY NAME] premises
pending the outcome of an investigation into the incident(s). Should the investigation substantiate
that violations of this policy have occurred, [YOUR COMPANY NAME] will follow through with the
implementation of a decisive and appropriate response. This response may include, but is not
limited to, suspension and/or termination of any business relationship, reassignment of job duties,
suspension or termination of employment, and/or seeking arrest and prosecution of the person or
persons involved.
In carrying out all [YOUR COMPANY NAME] policies, it is essential that all personnel understand
that no existing [YOUR COMPANY NAME] policy, practice, or procedure should prohibit decisions
designed to prevent a threat from being carried out, a violent act from occurring, or a life-
threatening situation from developing.
An essential element in this policy is that all personnel are responsible for notifying the below-
designated management representative (DMR) of any threats or perceived threats which they have
witnessed, received, or have been told that another person has witnessed or received. They should
also alert this representative to any behavior they have witnessed which they regard as
intimidating, threatening, or violent when that behavior is job-related or the employee has a belief
that the behavior of concern might be, or could be, carried out on a company-controlled site or is
connected to company business. Employees are responsible for making this report regardless of
the nature of the relationship between the individual who initiated the threat(s) or behavior(s) of
concern and the person or persons who were threatened or were the focus of the threatening or
violent behavior(s).
This policy also requires all individuals who apply for or obtain a protective or restraining order,
which lists company locations as being protected areas, to provide a copy of the petition and
declarations used to seek the protective or restraining order, a copy of any temporary protective or
restraining order which is granted, and a copy of any protective or restraining order which is made
permanent to the same below-listed designated management representative. [YOUR COMPANY
NAME] has an obligation to provide a safe workplace and protect employees from threats to their
safety and that cannot be effectively accomplished unless [YOUR COMPANY NAME] is provided
information concerning individuals who have been told by the courts, or other legally constituted
entities, to maintain a distance from [YOUR COMPANY NAME] company locations.
[YOUR COMPANY NAME] understands the sensitivity of this information and has developed
procedures for it to be received, maintained, and acted on, which recognize the privacy of the
reporting employee(s).
Name:
Position:
Telephone:
E-Mail:
Office Mail:
REFERENCES
Allman v. Dormer Tools, Inc. (1999). N.C. Super. Ct., No. 97CVS1161.
Anderson, T. (2002, October). Laying down the law: A review of trends in liability lawsuits. Security
Management.
Anderson, T. (2002, October). Laying down the law: A review of trends in liability lawsuits. Security
Management [Online]. Available: http://www.securitymanagement.com [2006, April 17].
Bureau of Labor Statistics. (1997–2002). Census of fatal occupational injuries. Washington, DC: U.S.
Department of Labor.
Calhoun, F.S. & Weston, S.W. (2003). Contemporary threat management: A practical guide for
identifying, assessing and managing individuals of violent intent. San Diego, CA: Specialized
Training Services.
Cawood, J., CPP, PCI, PSP. (2005, May 17). Speech at ASIS International Advanced Protection
Course II on violence risk assessment and management.
Clark v. Pangan. (2000). 2000 UT 37, 998 P.2d 268, case number 981694, decided 4/7/2000, Utah
Supreme Court.
Corcoran, M., & Cawood, J. (2003). Violence assessment and intervention: The assessor’s handbook.
Boca Raton, FL: CRC Press.
Grossman, D. (1996). On killing: The psychological cost of learning to kill in war and society.
Boston: Back Bay Books.
Grove, W. M., & Meehl, P. E. (1996). Comparative efficiency of informal (subjective, impression-
istic) and formal (mechanical, algorithmic) prediction procedures: The clinical-statistical
controversy. Psychology, Public Policy, and Law, 2, No. 2, 293–323.
Hare, R. D. (1993). Without conscience: The disturbing world of the psychopaths among us. New York:
Pocket Books.
Herrick v. Quality Inn Hotel, 24 Cal. Rptr. 2d 203 (Cal. App. 2 Dist. 1993).
Meloy, J. R., et al. (1997). Domestic protection orders and the prediction of subsequent criminality
and violence toward protectees. Journal of Psychotherapy, 34, No. 447.
Mossman, D. (1994). Assessing predictions of violence: Being accurate about accuracy. Journal of
Consulting and Clinical Psychology, 62, No. 4, 783–792.
National Institute of Justice. (1996). Victim costs and consequences: A new look. NCJ 155282.
Washington, DC: Author.
Northwestern National Life Insurance Company. (1993). Fear and violence in the workplace.
Minneapolis, Minnesota: Author.
nd
Smith v. National Railroad Passenger Corporation (Amtrak), 856 F. 2d 467, 2 Cir. 1988.
Tepel v. Equitable Life Assurance Society. (1990). San Francisco, California, Superior Court Case
No. 801363.
U.S. Merit Systems Protection Board. (2003). The federal selection interview: Unrealized potential.
Washington, DC: Author.
ADDITIONAL READING
Barish, R. (2001). Legislation and regulations addressing workplace violence in the United States
and British Columbia. American Journal of Preventive Medicine, 20, 149–154.
Baron, R. A., & Neuman, J. H. (1996). Workplace violence and workplace aggression: Evidence on
their relative frequency and potential causes. Aggressive Behavior, 22, 161–173.
Bennett, J. B., & Lehman, W. E. K. (1996). Alcohol, antagonism, and witnessing violence in the
workplace: Drinking climates and social alienation-integration. In G. R. VandenBos & E. Q.
Bulatao (Eds.), Violence on the job: Identifying risks and developing solutions (pp. 105–152).
Washington, DC: American Psychological Association.
Bies, R. J., Tripp, T. M., & Kramer, R. M. (1997). At the breaking point: Cognitive and social dynamics
of revenge in organizations. In R. A. Giacalone & J. Greenberg (Eds.), Antisocial behavior in
organizations (pp. 18–36). London: Sage Publications.
Björkqvist, K., Österman, K., & Hjelt-Ba¨ck, M. (1994). Aggression among university employees.
Aggressive Behavior, 20, 173–184.
Bolton, R. (1979). Differential aggressiveness and litigiousness: Social support and social status
hypotheses. Aggressive Behavior, 5, 233–255.
Borum, R., Fein, R., Vossekuil, B., and Berglund, J. (1999). Threat assessment: Defining an
approach for evaluating risk of targeted violence. Behavioral Sciences and the Law, 17, 323–337.
Boye, M. W., & Jones, J. W. (1997). Organizational culture and employee counterproductivity. In R.
A. Giacalone & J. Greenberg (Eds.), Antisocial behavior in organizations (pp. 172–184). London:
Sage Publications.
Calhoun, F. S. (1996). Hunters and howlers. Washington, DC: United States Marshals Service.
Calhoun, F. S., & Weston, S. W. (2000). Defusing the risk to judicial officials. Alexandria, VA: Nation-
al Sheriff’s Association.
Carll, E. K. (1999). Workplace and community violence. In E. K. Carll (Ed.), Violence in our lives (pp.
3–4). Boston: Allyn and Bacon.
Cole, L., Grubb, P. L., Sauter, S. L., Swanson, N. G., & Lawless, P. (1997). Psychosocial correlates of
harassment, threats and fear of violence in the workplace. Scandinavian Journal of Work,
Environment & Health, 23, 450–457.
Cornell, D. G., Warren, J., Hawk, G., & Stafford, E. (1996). Psychopathy in instrumental and reactive
violent offenders. Journal of Consulting and Clinical Psychology, 64(4), pp. 783–790.
Davis, R. C., & Smith, B. (1995). Domestic violence reforms: Empty promises or fulfilled expectations?
Crime and Delinquency, 41, 541–552.
Davis, R. C., Smith, B. E., & Nickles, L. B. (1998). The deterrent effect of prosecuting domestic
violence misdemeanors. Crime & Delinquency, 44, 434–442.
Dolan, M., & Doyle, M. (2000). Violence risk prediction: Clinical and actuarial measures and the role
of psychopathy checklist. British Journal of Psychiatry, 177, 303–311.
Douglas, S. C., & Martinko, M. J. (2001). Exploring the role of individual differences in the predict-
ion of workplace aggression. Journal of Applied Psychology, 86, 547–559.
Ekman, P. (2003). Emotions revealed: Recognizing faces and feelings to improve communication
and, emotional life. New York: Henry Holt.
Farrington, D. P. (1994). The causes and prevention of offending, with special reference to
violence. In J. Shepherd (Ed.), Violence in health care: A practical guide to coping with violence
and caring for victims (pp. 149–180). New York: Oxford University Press.
Folger, R., & Baron, R. A. (1996). Violence and hostility at work: A model of reactions to perceived
injustice. In G. R. VandenBos, & E. Q. Bulatao (Eds.), Violence on the job: Identifying risks and
developing solutions (pp. 51–85). Washington, DC: American Psychological Association.
Gall, T. L., Lucas, D. M., Kratcoski, P. C., & Kratcoski, L. D. (Eds.). (1996). Statistics on weapons and
violence. New York: Gale Research.
Greenberg, L., & Barling, J. (1999). Predicting employee aggression against coworkers, subordinates
and supervisors: The roles of person behaviors and perceived workplace factors. Journal of
Organizational Behavior, 20, 897–913.
Harris, G. T., Rice, M. E., & Cormier, C. A. (1991). Psychopathy and violent recidivism. Law and
Human Behavior, 15, 625–637.
HCR-20, version 2. Burnaby, Canada: Mental Health, Law, and Policy Institute, Simon Fraser
University.
Hurrell, J. J., Worthington, K. A., & Driscoll, R. J. (1996). Job stress, danger and workplace violence:
Analysis of assault experiences of state employees. In G. R. VandenBos & E. Q. Bulatao (Eds.),
Violence on the job: Identifying risks and developing solutions (pp. 163–170). Washington, DC:
American Psychological Association.
Kaplan, S. G., & Wheeler, E. G. (1983). Survival skills for working with potentially violent clients.
Social Casework, 64, 339–346.
Kroner, D. G., & Mills, J. F. (2001). The accuracy of five risk appraisal instruments in predicting
institutional misconduct and new convictions. Criminal Justice and Behavior, 28, 471–489.
Labig, C. E. (1995). Preventing violence in the workplace. New York: American Management Assoc-
iation.
Lewis, G. W., & Zare, N. C. (1999). Workplace hostility: Myth and reality. Philadelphia: Accelerated
Development.
Maggio, M. J. (1996). Keeping the workplace safe: A challenge for managers. Federal Probation, 60,
67–71.
Maiuro, R. D., Vitaliano, P. P., & Cahn, T. S. (1987). A brief measure for assessment of anger and
aggression. Journal of Interpersonal Violence, 2, 166–178.
McClure, L. F. (1996). Risky business: Managing employee violence in the workplace. New York:
The Haworth Press.
Mehrabian, A., & Epstein, N. (1972). A measure of emotional empathy. Journal of Personality, 40,
525–543.
Meloy, J. R. (Ed.). (1998). The psychology of stalking: Clinical and forensic perspectives. Burlington,
MA: Academic Press.
Meloy, J. R. (2000). Violence risk and threat assessment: A practical guide for mental health and
criminal justice professionals. San Diego, CA: Specialized Training Services.
Meloy, J. R., Cowett, P. Y., Parker, S. B., Hofland, B., & Friedland, A. (1997). Domestic protection
orders and the prediction of subsequent criminality and violence toward protectees. Psycho-
therapy: Theory, Research, Practice, Training, 34, 447–458.
Miller, M. J. (2001). The prediction and assessment of violence in the workplace: A critical review
(Doctoral dissertation, United States International University, 2001). Dissertation Abstracts
International, 62, 2070.
Mohandie, K. (2000). School violence threat management. San Diego, CA: Specialized Training
Services.
Monahan, J., Steadman, H., Robbins, P., Appelbaum, P., Banks, S., et al. (2005). An actuarial model
of violence risk assessment for persons with mental disorders. Psychiatric Services, 56, 810–815.
Monahan, J. (1981). Predicting violent behavior: An assessment of clinical techniques. London: Sage
Publications.
Monahan, J., & Steadman, H. (2001). Rethinking risk assessment: The MacArthur study of mental
disorder and violence. New York: Oxford University Press.
Moos, R. H. (1988). Psychosocial factors in the workplace. In S. Fisher & J. Reason (Eds.), Handbook
of life stress, cognition and health (pp. 193–209). New York: John Wiley and Sons.
National Institute for Occupational Safety and Health. (2001). Fatal injuries to civilian workers in
the United States, 1980–1995: National profile (p. 16, Table US-7). Washington, DC: Department
of Health and Human Services.
Neuman, J. H., & Baron, R. A. (1997). Aggression in the workplace. In R. A. Giacalone & J. Greenberg
(Eds.), Antisocial behavior in organizations (pp. 37–67). London: Sage Publications.
Neuman, J. H., & Baron, R. A. (1998). Workplace violence and workplace aggression: Evidence
concerning specific forms, potential causes, and preferred targets. Journal of Management, 24,
391–419.
Peek-Asa, C., Runyan, C. W., & Zwerling, C. (2001). The role of surveillance and evaluation research
in the reduction of violence against workers. American Journal of Preventive Medicine, 20, 141–
148.
Roehl, J., O’Sullivan, C., Webster, D., & Campbell, J. (2005, May). Intimate partner violence risk
assessment validation study: Final report (NCJRS 209731). Washington, DC: U.S. Department of
Justice.
Roehl, J., O’Sullivan, C., Webster, D., & Campbell, J. (2005, May). Intimate partner violence risk
assessment validation study: The RAVE study assessor summary and recommendations:
Validation of tools for assessing risk from violent intimate partners (NCJRS 209732). Wash-
ington, DC: U.S. Department of Justice.
Slora, K. B., Joy, D. S., Jones, J. W., & Terris, W. (1991). The prediction of on-the-job violence. In J.
W. Jones (Ed.), Preemployment honesty testing: Current research and future directions. Westport,
CT: Quorum Books.
Slora, K. B., Joy, D. S., & Terris, W. (1991). Personnel selection to control employee violence.
Journal of Business and Psychology, 3, 417–426.
Spector, P. E. (1997). The role of frustration in antisocial behavior at work. In R. A. Giacalone & J.
Greenberg (Eds.), Antisocial behavior in organizations (pp. 1–17). London: Sage Publications.
nd
SARA: Spousal assault risk assessment guide, 2 edition. (1995). Vancouver, Canada: British
Columbia Institute on Family Violence.
Thistlethwaite, A., Wooldredge, J., & Gibbs, D. (1998). Severity of dispositions and domestic
violence recidivism. Crime and Delinquency, 44, 388–398.
Tobin, T. J. (2001). Organizational determinants of violence in the workplace. Aggression & Violent
Behavior, 6, 91–102.
Trafford, C., Gallichio, E., & Jones, P. (1995). Managing violence in the workplace. In P. Cotton
(Ed.), Psychological health in the workplace: Understanding and managing occupational stress
(pp. 147–158). Brisbane, Australia: Australian Psychological Society.
Turner, J. T., & Gelles, M.G. (2003). Threat assessment: A risk management approach. Binghamton,
NY: The Haworth Press.
Waters, J. A., Lynn, R. I., & Morgan, K. J. (2002). Workplace violence: Prevention and intervention,
theory and practice. In L. A. Rapp-Paglicci, A. R. Roberts, & J. S. Wodarski (Eds.), Handbook of
violence (pp. 378–413). New York: John Wiley and Sons.
Weber, R. (1995). Suicide prevention at the workplace. In P. Cotton (Ed.), Psychological health in
the workplace: Understanding and managing occupational stress (pp. 171–182). Brisbane,
Australia: Australian Psychological Society.
White, T. W. (1996). Research, practice, and legal issues regarding workplace violence: A note of
caution. In G. R. VandenBos & E. Q. Bulatao (Eds.), Violence on the job: Identifying risks and
developing solutions (pp. 87–100). Washington, DC: American Psychological Association.
Williams, K. R., & Hawkins, R. (1989). Controlling male aggression in intimate relationships. Law
and Society Review, 23, 591–612.
9/11, security reaction to, 68, 83, 185, 187 consultants, 85, 227
controls, financial, 30, 172
convergence (of traditional and IT security), 66, 83
A
corporate structure, 5, 11
addiction. See substance abuse cost avoidance, 114, 117, 119, 130
aerospace sector, 75 cost reduction, 113
alcohol. See substance abuse cost-effectiveness, 47, 93, 107, 112, 202, 294
American National Standards Institute, 37, 40, 48, crime analysis, 232, 246
81 crime prevention, 82, 86, 91, 179, 189, 192, 198,
Americans with Disabilities Act, 333, 336, 348, 362 205
armoring, vehicle, 273, 279, 286 crime prevention through environmental design
assassination, 268, 273, 274, 284 (CPTED), 78, 83, 232
assets protection, forces shaping, 76 crime, fear of, 182, 191, 193, 194
assets protection, management of, 84 culture, of organization, 5, 44, 71, 78, 85, 298, 333
assets, types of, 65 customers (of security professionals), 85
ASTM International, 36, 81
awareness, security, 58, 72, 74, 83, 92, 109, 138,
152, 291, 300, 348
D
data analysis, 112, 119
Deutsches Institut für Normung, 37
B
Drug Enforcement Administration, 295, 313
background investigation, 114, 128 Drug Free Workplace Act, 348
balance sheet, 15, 17, 19, 23, 26 drug testing, 327, 333, 335, 343, 352
behavioral science, 89, 91 drugs. See substance abuse
benchmark, 24, 35, 44, 52 due diligence, 102, 227, 230
briefings. See security awareness
budgets, 10, 13, 27, 30, 68, 109, 113, 237
business improvement district/special taxing district,
E
190, 201, 210 earnings, 17, 24
business processes, 2, 133 educational sector, 72
employee assistance program (EAP), 323, 327, 331,
332, 344, 362
C
employee performance measurement and review, 6,
cash flow statement, 20 9, 297, 326, 328, 330
certifications, 6, 40, 49, 56, 65, 82 employees' role in security. See security awareness
community policing, 189, 192, 209, 212, 217 executive protection, 267
conflict of interest, 255 expert witness, 230