Why Security Fails
Introduction
Security is a necessary irritation, something that we must undertake to protect ourselves, like health and safety or insurance. Security threats are often invisible and have a very low event occurrence. Occasional key events such as 11 September focus the mind but with passing time the immediate perception of threat fades and combines with a growing sense of invulnerability, the 'it wouldn't happen to us' mindset.
The task of maintaining a secure environment is costly and consists primarily of mundane and routine tasks that do not have a tangible outcome. A success is only declared when an attempt to breach security is successfully defeated. This combination of intangible threat and labour intensive activity results in security personnel demonstrating a wide range of behaviour.
Organization Failure
The potential pitfalls and reasons for the failure of security measures are numerous and may be found at every level of operation and decision-making. At the organization level the philosophy of the corporation or responsible individual will dictate the commercial and strategic decisions of the security policy adopted. Organizations with a risk averse culture that may appear the obvious choice for proactive security decision making, may perceive the short term associated risk of perceived scaremongering, increased costs, loss of trade and customer dissatisfaction, as being of more concern than the risk of a long term security threat. False alarms are detrimental financially as well as resulting in poor individual customer relations and PR - delayed or missed flights, lost trade through evacuating a shopping mall.
Security measures must be proportionate to the perceived threat and the benefits of implementing them must be apparent to those financing them. It is feasible to widen the scope of security so that it offers 'value added' features to an organization, making the cost-benefits more attractive in the short term. Security decision-making is poor if the threat is seen as vague and improbable, and policy implementation will fail if stakeholders are unable to see beyond short-term disadvantages.
The culture of the organization will reflect the status and tasks of the security personnel within it. Complacency and over confidence in what ultimately turn out to be inappropriate and incomplete measures are commonplace, and this may have a negative effect on training and equipment procurement policy. The organization's attitude to security has a huge impact on the attitudes of the individuals within it.
Individual Failure
Organizations are made up of individuals and policy will reflect the culture and beliefs of the individuals within it. The conflict of short term personal goals such as career enhancement, job retention, immediate turnover and spending will be primary considerations for a security decision maker and will be instrumental in the measures adopted.
The cost of false alarms and the resultant disruption to the organization can be considerable. The resultant displeasure of a CEO with incurred profit loss may be perceived as more of a threat to the Security Manager than the consequences of coping with a threat if and when it occurs. This is the first point of failure within an organization at the individual level.
When considering lower level causal factors of individual security failure it should be remembered that security tasks are as much about attitude and 'internal' soft issues as about physical skills. The ability of the individual to carry out threat assessments is much more than the ability to 'notice things'. It is the ability to recognize signals in context, to retain vigilance at all times, to interpret events and to form associations from what may appear to be trivial or unconnected events. The capacity to delegate and communicate is essential as is the need to maintain control, which may conflict with the need to have a wide and accurate overview of an unfolding crisis. The person in charge often does not wish to relinquish control or pass information on to guard it from those that may seem to have a poor perception of security. The effect of this may far outweigh the risks of the information getting into the wrong hands. The 'I can handle it by myself ' view invariably leads to a degree of failure.
Individual performances are also affected by external factors such as the work environment (noise, temperature, etc), fatigue and dehydration, stress and conflict, work overload and 'underload' (boredom), peer pressure, time pressure, distractions and interruptions and the quality of training. Any of these factors are capable of altering the performance of a normally competent individual. The results may be forgetfulness, physical error, loss of vigilance and alertness, slow or non-existent responses and irrational or inappropriate behaviour.
The role of the experienced operator may also on occasions hinder crisis resolution. Personal experience may get in the way of common sense and prevent recognition of what is actually unfolding. The effects of anticipation resulting in a failure to seek further clues because recognized familiar symptoms may lead to misjudgement and crisis escalation. Experts may often not consult because they are of the opinion that having managed worse situations they are fully capable of managing perceived minor events. This is not to suggest that experience is negative but that its potential pitfalls must be managed and controlled.
Recruiting and Training Policy
The training and education of individuals and teams will always play a significant role in the success of threat detection and incident management. The validity of the scenarios rehearsed is a critical contributor to recognition of events when they occur in the real world, but so too are the individual differences of personnel.
The skills of the individual must be maintained and as the scope of the threat widens from maintaining secure IT to dealing with weapons of mass destruction and becomes increasingly complex, there is a parallel growth in the range of counter-measure techniques. The personality types and skills for routine search, for example, may not be the same as are necessary for the full range of 'higher risk' tasks and personnel selection may benefit from addressing the issues that frequently contribute to security failure.
Motivation encompasses the reasons for joining, the reaction to a lack of tangible outcomes (in the case of a search, successful target location), the effects of numerous false alarms and at management level, identifying and delivering the feedback requirements for recognition of a job well done. An individual's knowledge and attitude to technology including overconfidence in equipment, operator competence and an understanding of functions and role within the suite of equipments available is a key aspect. So too is resilience to social pressures from an angry public and peer teasing in response to the initiation of false alarms.
Other key factors are an individual's level of tolerance to external pressures and the ability to problem solve by bounding, the recognition of causal and contributory events and their consequences, the ability to provide the correct trade off between conflicting requirements such as Human Rights Laws and the need to maintain a high state of awareness and vigilance. The sheer number of ways that security can be breached may be overwhelming and selection and training must embrace the need for flexibility and an ability to react swiftly to the unfolding situation. Crisis management, leadership and negotiating skill training will mitigate the many situations created from a lack of understanding at higher levels of management through a failure to recognize or request the relevant information, or to understand the relationship of information coming from the security operators.
Teams and Collective Groups
Another element that threatens the overall performance levels of threat and incident management is the concept of collective training. Failure to address collective training is becoming a primary cause for error when multiple organization responses attend infrequently occurring events. The training of a disparate but collective group is not an extension of team training. When a group of individuals from different organizations must form an ad hoc team, the differences in culture, training and expectations often cause conflict and misunderstandings. Under such circumstances incorrect assumptions are often made about who has done what and who has responsibility for tasks. Individual 'tribal' differences may appear, resulting in point scoring or knowledge protection being the focus of effort.
Equipment
The complexity and variety of evolving threats is spawning the development of a huge range of
complex equipments. These equipments are often duplicated with minor differences and no means of controlling performance quality or standardizing the interface design. Some items of equipment are complementary elements of a suite and others are only necessary in particular scenarios. Most are needed infrequently and many are designed for other industries and have a far greater capability and degree of complexity than is appropriate for security personnel. No individual equipment is capable of defeating all the threats and an increased training burden is a consequence of investing in technology. Equipment procurement should be kept in perspective; a preoccupation with advanced techniques and complex scenarios may lead to the oversight of basic threats.
'Risk Homeostasis'
The promotion of the virtues of specific equipment may result in an organization perceiving it as the solution to all problems. Overconfidence in the selected item may result in complacency and a feeling of unjustified safety if the equipment has not detected a target. This often results in 'risk homeostasis', where the operator feels protected, and therefore fails to carry out normal safety precautions. A typical example is a driver braking later and harder than might otherwise be expected because ABS is fitted.
Conclusions
The causes and contributory factors to security failures are diverse and far-reaching. It is not possible to list all of them, to do justice to the role that they play or to place an accurate emphasis on any particular aspect. Human creativity in producing novel and interesting behaviour makes it impossible to predict them all. What is apparent is that the introduction of technology to prevent one set of errors will result in an accompanying new set. Security industry bespoke training is essential to ensure personnel possess the appropriate physical and mental skills to maximize the mitigation of individual and group life-threatening situations. By raising causal awareness it is possible to facilitate the recognition of indicators and initiate the timely implementation of preventative procedures.
Nikki Heath is Senior Performance Consultant with Symbiotics Ltd.