’-Data-in-2014.aspxGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Yahoo Confirms Hackers Stole at Least 500 Million Users' Data in 20140|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Compliance Trends|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465School Security Trends|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Illuminating Going Dark: A Conversation with the FBI|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Resilience Trends|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465When Simulation Means Survival2016-04-01T04:00:00Z|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465A Failure to Communicate2016-07-01T04:00:00Z|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465ASIS 2016 Product Showcase2016-09-01T04:00:00Z|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Planning After Paris2016-03-01T05:00:00Z|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465School Security Trends2016-09-01T04:00:00Z

Security Management

 Morning Security Brief

View RSS feed

 SM Weekly

Retrieving Data

 SM Daily

Retrieving Data
Not a Member? Join Now Security TrendsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>School security often involves response tools, from mass notification to surveillance to reporting. However, experts note that trends are moving away from technology as a single solution to prevention-based programs centered around information sharing, all-hazards training, and public-private partnerships.</p><p>Preventing a tragedy often starts with getting critical information into the right hands. </p><p>Take the case of two teens in Spotsylvania County, Virginia, who were arrested and charged with conspiracy to commit murder in October 2015. The two had plans to phone in a bomb threat to their school, then shoot people as they evacuated, CNN reported. A school resource officer discovered that one of the boys had threatened violence on the Internet, and the resulting investigation uncovered the plot. </p><p>In December 2015, an anonymous tip was sent to a Denver school district’s “Text-a-Tip” threat reporting hotline. Based on that information, two 16-year-old girls were found with plans to commit a mass killing at Mountain Vista High School. They were arrested and charged with conspiracy to commit first-degree murder, reported Reuters. </p><p>These stories, and many like them, have a common thread throughout: critical information was reported and acted upon in a timely manner, stopping any plans to commit harm. While some security experts do not like to classify tragedies as preventable, they say there are key threat indicators that pointed to the mass shootings and other attacks before they occurred. If communities, schools, and law enforcement work together to identify and connect these dots, future threats could be stopped. </p><p><em>Security Management </em>speaks to experts about their experience conducting threat assessments in schools and communities. ​</p><h4>Connecting the Dots</h4><p>After the December 2012 Sandy Hook shooting that killed 20 elementary-age children and six educators, Connecticut Governor Dannel Malloy created a 16-member panel to review policies pertaining to school safety, gun-violence prevention, and mental health. The panel recommended in a 277-page report that all schools create safety committees that include police, first responders, administrators, and custodians. The report also urged each school to take an “all-hazards” approach to safety and security training for faculty, staff, and students. </p><p>Furthermore, the panel recommended that schools form threat assessment teams that “gather information from multiple sources in response to indications that a student, colleague, or other person’s behavior has raised alarms.” The report cites the U.S. Secret Service’s behavioral threat assessment model, which has been adopted for educational institutions, the workplace, and military settings. </p><p>“Once a team has identified someone who appears to be on a pathway to violence, the team ideally becomes a resource connecting the troubled child, adolescent, or adult to the help they need to address their underlying problems,” states the report, which goes on to say that such multidisciplinary teams can conduct risk assessments when questionable behaviors arise. “These would not only identify students at risk for committing violence, but also serve as a resource for children and families facing multiple stressors.” ​</p><h4>Partnerships</h4><p>As outlined in the Sandy Hook report, it is critical for organizations, schools, and communities to take an all-hazards approach to assessing and preparing for threats. If there is a dedicated platform or channel where they know they can report pertinent information, those dots can be connected in a meaningful way to prevent tragedy. </p><p>Two security experts share best practices with Security Management based on their experiences with threat assessments. These programs were bolstered by building partnerships with law enforcement and the community. </p><p>Working with stakeholders. Sometimes a threat assessment reveals an obvious problem that needs fixing, while other issues are uncovered only by working and communicating with stakeholders. Such was the case for school security professional Gary Sigrist, Jr., CEO and president at Safeguard Risk Solutions. </p><p>He tells Security Management that when he first started working at the South-Western City School district in Ohio, there were some obvious changes that needed to be made. “We had building principals who told their staff members they weren’t allowed to call 911 [in an emergency], that they have to call the office first,” he says. “We changed that.” </p><p>There was one building principal who told the cafeteria cooks that if there was a fire in the kitchen, not to pull the fire alarm until they had notified him first. “I brought the fire marshal in, and we had a conversation about that,” he notes. </p><p>Sigrist explains that working with law enforcement isn’t always a seamless process; sometimes schools and police in his district differed on their vision for a safe and secure environment. </p><p>“It’s not that the police were wrong, it’s just that some of their goals and objectives didn’t sync with the goals and objectives of the school,” according to Sigrist. But establishing regular meetings with law enforcement and other first responders was key to successful collaboration. “The police would say, ‘we think you should do this,’ and the school could say, ‘that’s not a bad idea, but let’s look at it from the point of view of the school,’” he notes. “Fire drills became better because we involved the fire department in the planning of our drills, where our command posts would be, and how we were going to check students in.” </p><p>He adds that first responder collaboration should go beyond just police and fire; schools rely on medical professionals when faced with health epidemics, for example. “When the Avian Flu and H1N1 sprang into effect, we worked with our county and state boards of health, and were able to develop a pandemic plan,” he says. “We had those subject matter experts.” </p><p>Over the course of his career at SouthWestern City Schools, Sigrist twice helped secure the Readiness and Emergency Management for Schools (REMS) Grant, in 2008 and 2010, from the U.S. Department of Homeland Security. These funds helped him establish many safety programs around the district. “Those are things people say, ‘wow, you must be a wonderful person to be able to get all of this done’–no, we had grant money,” he says. “It’s amazing what you can do with half a million dollars in grant money, and also the right support from the superintendents.” </p><p>No matter how prepared a school is for an emergency, those plans are truly put to the test when disaster strikes. Such was the case for South-Western City Schools when an explosion occurred at an elementary school. </p><p>“We had a building in a rural area, and the water table shifted, causing methane gas to build up in the basement. When it built up to a certain level with the right oxygen mix, there was an explosion,” Sigrist says. A custodian was injured, but everyone was able to evacuate the building safely as they had in many drills before. </p><p>The staff had been trained on how to function as a crisis team that was three members deep. Because the principal was not present at the time of the explosion, the building secretary assumed the role of incident commander, safely evacuating everyone from the building. “And it’s just evacuation training,” he says. “We never trained her on what to do when a building blew up.” </p><p>There were some key takeaways from the event that the district saw as areas of improvement. “Did we have lessons learned? Yes,” says Sigrist. “This happened almost right at dismissal, and we had school buses parked right in front of the building. Well–they didn’t move.” </p><p>These buses prevented fire trucks and other emergency vehicles from pulling right up to the scene. “And so one of our lessons learned is, if you have an incident, how are the buses going to pull out of the parking lot so the fire equipment can get in?” </p><p>Hometown security. Schools are a major focal point of the community, but they are not the only one. Societies are also made up of private businesses whose security is paramount to the overall environment of safety. Marianna Perry, CPP, a security consultant with Loss Prevention and Safety Management, LLC, explains that because about 85 percent of critical infrastructure in the United States is privately owned, “it makes sense that these businesses and communities partner with law enforcement to address problems.”  </p><p>Perry has more than 20 years of experience in conducting threat assessments for private businesses, as well as communities, including school districts. She recounts examples of how these reviews helped strengthen those localities, businesses, and law enforcement alike. </p><p>While Perry was the director of the National Crime Prevention Institute, there was a particular community with high crime rates, homelessness, and drug problems, as well as health-related issues. “There were abandoned properties, rental properties in disrepair, homes that had been foreclosed,” she says. “We were looking for a solution to help fix this community.” </p><p>Perry helped form a team of key stake­­holders and partners, including law en­forcement, a local university, security consultants, area churches, and the local health department. The public housing authority was also a major partner, as well as some local residents and business representatives. Initially, everyone came together for a week-long training program. The goal was to involve all partners in helping to develop strategies to improve the overall condition of the neighborhood, which in turn would help prevent crime. She says that much of the training was centered on crime prevention through environmental de­sign (CPTED), which predicates that the immediate environment can be designed in such a way that it deters criminal activity.  </p><p>She adds that the training wasn’t just focused only on preventing crime, but on several aspects of the community. “The goal was to improve the overall quality of life for everyone who lived or worked in that neighborhood,” says Perry. </p><p>The training also helped the partners learn to speak a common language. “We had all of these different people from different professional backgrounds and business cultures, and we needed them all on the same page,” she says. “They needed to be able to communicate with each other.” </p><p>A critical outcome of the training program, she says, was facilitating interaction among stakeholders, as well as developing and building trust. “It was a really successful partnership, and a lot of good was done for that community because everyone worked together to achieve common goals.” </p><p>Businesses also benefit from such assessments. Perry recently conducted a security assessment for one organization that was located in an area with one of the highest violent crime rates in the city. “Management was very concerned about the safety of their employees,” she notes. </p><p>During the assessment, Perry recommended that the company install additional cameras on the perimeter of their property for added surveillance and employee safety. The company could also share camera footage with law enforcement by tying their camera system into the citywide surveillance program. Perry worked with a local vendor to install IP cameras to cover a 10-block area. A control center operator would then monitor the cameras, and if he or she saw suspicious activity, either a security officer would be dispatched to respond, or 911 would be called. “I think people are now embracing the concept of public-private partnerships because they’re beginning to realize that they work,” Perry says.</p><p>Training. Preventing and detecting threats, while challenging, is possible when stakeholders share critical information. Having a centralized place for reporting such information is key, as well as training students, employees, and the community on how to use those platforms. </p><p>However, if the threat remains unde­tected or cannot be stopped, organiza­tions should conduct all-hazards training that covers a range of possible scenarios to ensure minimal damage and loss of life, says Kenneth Trump, president of National School Safety and Security Services. </p><p>“Active shooter is one concern, certainly, but it’s just that–one concern,” he says. “There’s a much greater likelihood that school employers are going to deal with a noncustodial parent issue multiple times during a school year than that they will ever deal­­—during their entire career working in the school—with an active shooter incident.” </p><p>Sigrist adds that having a laser-like focus on active shooter training can be a drawback for schools, because they lose sight of issues that have a greater likelihood of occurring. </p><p>“I asked one of my clients at a Head Start school how many times they have had a drunk parent show up to pick up a child, and they said, ‘it happens all the time,’” he says. “We still teach active shooter, but by teaching how to respond in an all-hazards approach, they will know how to take action.” </p> Target TrendsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>When most people think of Orlando, Florida, Walt Disney World Resort comes to mind. The world-renowned theme park makes Orlando the second most popular travel destination in the United States. But there is much more to the city than Mickey and Minnie Mouse. </p><p>Beyond the complex infrastructure that supports Orlando’s 2.3 million citizens, the city is filled with parks and wildlife, the largest university in the country, and a vast hospitality industry that includes more than 118,000 hotel rooms. And International Drive, an 11-mile thoroughfare through the city, is home to attractions such as Universal Orlando Resort, SeaWorld Orlando, and the Orange County Convention Center, the site of ASIS International’s 62nd Annual Seminar and Exhibits this month. </p><p>Hospitality goes hand-in-hand with security in Orlando, where local businesses and attractions see a constant flow of tourists from all over the world. And at the Dr. Phillips Center for the Performing Arts, which hosts events ranging from Broadway shows to concerts to community education and events, a new security director is changing the culture of theater to keep performers, staff, and visitors safe.​</p><h4>The Living Room of the City</h4><p>Open since November 2014, the Dr. Phillips Center spans two blocks and is home to a 2,700-seat main stage, a 300-seat theater, and the Dr. Phillips Center Florida Hospital School of the Arts. The building’s striking architecture, which includes a canopy roof, vast overhang, and a façade made almost entirely of glass, stretches across two blocks and is complemented by a front lawn and plaza.</p><p>After the June 11 shooting at Pulse nightclub less than two miles south of the theater, that lawn became the city’s memorial. Days after the shooting, the Dr. Phillips Center plaza, normally used for small concerts or events, hosted Orlando’s first public vigil. A makeshift memorial was established on the lawn, and dozens of mourners visited for weeks after the attack.</p><p>Chris Savard, a retired member of the Orlando Police Department, started as the center’s director of security in December, shortly after terrorists killed dozens and injured hundreds in attacks on soft targets in Paris. Prior to Savard, the center had no security director. Coming from a law enforcement background to the theater industry was a challenging transition, he says. </p><p>“Before I came here, I was with an FBI terrorism task force,” Savard says. “Bringing those ideologies here to the performing arts world, it’s just a different culture. Saying ‘you will do security, this is the way it is’ doesn’t work. You have to ease into it.”</p><p>The Dr. Phillips Center was up and running for a year before Savard started, so he had to focus on strategic changes to improve security: “The building is already built, so we need to figure out what else we can do,” he says. One point of concern was an overhang above the valet line right at the main entrance. Situated above the overhang is a glass-walled private donor lounge, and Savard notes that anyone could have driven up to the main entrance under the overhang and set off a bomb, causing maximum damage. “It was a serious chokepoint,” he explains, “and the building was designed before ISIS took off, so there wasn’t much we could do about the overhang.”</p><p>Instead, he shifted the valet drop-off point, manned by off-duty police officers, further away from the building. “We’ve got some people saying, ‘Hey, I’m a donor and I don’t want to walk half a block to come to the building, I want to park my vehicle here, get out, and be in the air conditioning.’ It’s a tough process, but it’s a work in progress. Most people have not had an issue whatsoever in regards to what we’ve implemented.”</p><p>Savard also switched up the use of off-duty police officers in front of the Dr. Phillips Center. He notes that it can be costly to hire off-duty police officers, who were used for traffic control before he became the security director, so he reduced the number of officers used and stationed them closer to the building. He also uses a K-9 officer, who can quickly assess a stopped or abandoned vehicle on the spot. </p><p>“When you pull into the facility, you see an Orlando Police Department K-9 officer SUV,” Savard explains. “We brought two other valet officers closer to the building, so in any given area you have at least four police cars or motorcycles that are readily available. We wanted to get them closer so it was more of a presence, a deterrent.” The exact drop-off location is constantly changing to keep people on their toes, he adds.</p><p>The Dr. Phillips Center was already using Andy Frain Services, which provides uniformed officers to patrol the center around the clock. Annette DuBose manages the contracted officers. </p><p>When he started in December, Savard says he was surprised that no bag checks were conducted. When he brought up the possibility of doing bag checks, there was some initial pushback—it’s uncommon for theater centers to perform any type of bag check. “In the performing arts world, this was a big deal,” Savard says. “You have some high-dollar clientele coming in, and not a lot of people want to be inconvenienced like that.”</p><p>When Savard worked with DuBose and her officers to implement bag checks, he said everyone was astonished at what the officers were finding. “I was actually shocked at what people want to bring in,” Savard says. “Guns, knives, bullets. I’ve got 25-plus years of being in law enforcement, and seeing what people bring in…it’s a Carole King musical! Why are you bringing your pepper spray?”</p><p>Savard acknowledges that the fact that Florida allows concealed carry makes bag checks mandatory—and tricky. As a private entity, the Dr. Phillips Center can prohibit guns, but that doesn’t stop people from trying to bring them in, he notes. The Andy Frain officers have done a great job at kindly but firmly asking patrons to take their guns back to their cars, Savard says—and hav­ing a police officer nearby helps when it comes to argumentative visitors.​</p><h4>Culture, Community, and Customer Service</h4><p>There have been more than 300 performances since the Dr. Phillips Center opened, and with two stages, the plaza, classrooms, and event spaces, there can be five or six events going on at once. </p><p>“This is definitely a soft target here in Orlando,” Savard notes. “With our planned expansion, we can have 5,000 people in here at one time. What a target—doing something in downtown Orlando to a performing arts center.”</p><p>The contract officers and off-duty police carry out the core of the security- related responsibilities, but Savard has also brought in volunteers to augment the security presence. As a nonprofit theater, the Dr. Phillips Center has a large number of “very passionate” volunteers—there are around 50 at each show, he says. </p><p>The volunteers primarily provide customer service, but Savard says he wants them to have a security mindset, as well—“the more eyes, the better.” He teaches them basic behavioral assessment techniques and trends they should look for. </p><p>“You know the guy touching his lower back, does he have a back brace on or is he trying to keep the gun in his waistband from showing?” Savard says. “Why is that person out there videotaping where people are being dropped off and parking their cars? Is it a bad guy who wants to do something?”</p><p>All 85 staffers at the Dr. Phillips Center have taken active shooter training classes, and self-defense classes are offered as well. Savard tries to stress situational awareness to all staff, whether they work in security or not. </p><p>“One of the things I really want to do is get that active shooter mindset into this environment, because this is the type of environment where it’s going to happen,” Savard explains. “It’s all over the news.”</p><p>Once a month, Savard and six other theater security directors talk on the phone about the trends and threats they are seeing, as well as the challenges with integrating security into the performing arts world. </p><p>“Nobody wanted the cops inside the building at all, because it looked too militant,” Savard says. “And then we had Paris, and things changed. With my background coming in, I said ‘Listen, people want to see the cops.’” </p><p>Beyond the challenge of changing the culture at the Dr. Phillips Center, Savard says he hopes security can become a higher priority at performing arts centers across the country. The Dr. Phillips Center is one of more than two dozen theaters that host Broadway Across America shows, and Savard invited the organization’s leaders to attend an active shooter training at the facility last month. </p><p>“There’s a culture in the performing arts that everything’s fine, and unfortu­nately we know there are bad people out there that want to do bad things to soft targets right now,” Savard says. “The whole idea is to be a little more vigilant in regards to protecting these soft targets.”</p><p>Savard says he hopes to make wanding another new norm at performing arts centers. There have already been a number of instances where a guest gets past security officers with a gun hidden under a baggy Cuban-style shirt. “I’ll hear that report of a gun in the building, and the hair stands up on the back of my neck,” Savard says. “It’s a never- ending goal to continue to get better and better every time. We’re not going to get it right every time, but hopefully the majority of the time.”</p><p>The Dr. Phillips Center is also moving forward with the construction of a new 1,700-seat acoustic theater, which will be completed within the next few years. The expansion allows the center to host three shows at one time—not including events in private rooms or on the plaza. Savard is already making plans for better video surveillance and increasing security staff once the new theater is built.</p><p>“We really try to make sure that every­body who comes into the building, whether or not they’re employed here, is a guest at the building, and we want to make sure that it’s a great experience, not only from the performance but their safety,” according to Savard. “It’s about keeping the bad guys out, but it’s also that you feel really safe once you’re in here.” </p> TrendsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">Security managers already know that culture is key, that understanding generational differences can reduce conflict, and that effective leadership can pave the way to the C-suite. The next trend in the management field, behavioral economics, can help security design programs that get buy-in from employees.</span></p><p>What is the underlying theory of your security program? It may be about punishing bad behavior, with employees written up by managers and then referred to counseling. Or, it may be about rewarding good behavior, such as praise and performance awards for security compliance. </p><p>Chances are it’s some combination of the two, using both carrots and sticks. But there’s another, perhaps deeper, question that is often telling—why do people make choices to either comply, or not comply, with your security program?</p><p>All around us, there are small clues guiding those choices. It’s time security leaders started shaping those clues to protect employees, customers, property, and other assets. They can do so by using the applications of one of latest trends in social science—behavioral economics.​</p><h4>Behavioral Economics</h4><p>Behavioral economics is the scientific examination of why people and organizations make the decisions they do, in an economic context. Its scientific pedigree has its origins in the 1970s, when technology was driving major improvements in brain research. At that time, new computing tools designed to assist in modeling, in tandem with Daniel Kahneman’s Nobel Prize–winning research on prospect theory (an economic theory that seeks to explain how people make decisions based on risk), provided a new research framework to explore how economic choices are made. Today, behavioral economics combines the practice of economics, neurobiology, and psychology to gain insight into why human beings act, or fail to act, in predictable ways.</p><p>At some level, most of us realize that <span style="line-height:1.5em;">our decision making is influenced by a variety of factors outside of our control, such as organizational norms, peer pressure, emotions, accepted stereotypes, and mental shortcuts. By closely analyzing these factors, behavioral economists can gain a sophisticated understanding of why people, and organizations, make the decisions they do—which factors take precedence over others, how different factors interact, and so on. They can also develop cues designed to steer a person or organization to a desired outcome. Such cues have been termed nudges; the people that help frame those decisions are called choice architects. </span></p><p>Public awareness of behavioral economics has slowly been gaining ground since the development of “nudge theory,” an offshoot of the science, by two academics, University of Chicago economist Richard Thaler and Harvard legal scholar Cass Sunstein. In their 2008 book Nudge: Improving Decisions about Health, Wealth, and Happiness, the two scholars postulate that there are subtle and blatant clues everywhere to influence behavior. (In the wake of his book’s success, Sunstein went on to serve as administrator of the White House office of information and regulatory affairs from 2009 to 2012.) Those clues may be accidental, but they can greatly impact the decisions we make, and there are scientific reasons for why they work or fail.</p><p>The authors argue that behaviors are guided just as much by on-the-spot decisions based on these clues, and the context these clues are found in, as they are by deeply held ethical or moral codes. Under the authors’ definition, a clue can be considered a nudge if two criteria are satisfied: the individual is free to choose it or not, and there is very little or no cost in choosing to go with the nudge as opposed to other options. In this way, nudges are meant to be subtle, not overtly coercive.  </p><p>The nudge concept isn’t entirely new. We’ve been nudged in many ways since birth. It only takes a trip to the grocery store to notice that the sugary sweet cereals are stocked at exactly the eye level of a seven-year-old, while bran flakes occupy the upper shelves. Consumers’ decisions about what action to take are influenced largely by what is put into their path. At any given time, our brains are processing a mountain of information and sensory input, so easy choices, which require less effort than searching for another option, are often viewed by the mind as the correct ones. This is especially true if the clues and context surrounding those choices don’t make them seem especially important.​</p><h4>Security Nudges</h4><p>Imagine having the ability to use nudges and clues as a designer and enforcer of a security program? The secret is that that you do. As a security manager, you have the ability to help make the correct choice for security the simplest choice for the user. In other words, you are a choice architect.</p><p>However, one concept must be understood before security managers can become effective choice architects. Thaler and Sunstein describe the concept as the difference between econs and humans. Econs are imaginary constructs developed by the writers of economics textbooks. They are people with the brilliance of Einstein, the self-control of Gandhi, and the logical prowess of a Vulcan who can predict reactions in a variety of environments. All econs do the same thing—and almost always, the correct thing—in any given situation.</p><p>In case you hadn’t noticed, we don’t work with econs. We work with humans. Humans are generally smart and well-meaning, but they are far from perfect in on-the-spot decision making. Further, humans are barraged every day with factors that drive them to do exactly the opposite of what their infinitely wise, long-range-thinking econ-selves would do.       </p><p>Unfortunately, the idea that econs and humans are interchangeable continues to stick around in the world of security. The overwhelming majority of security policies today treat employees as econs, not as the humans they truly are. Econs don’t need assistance complying with our complex security policies, humans do. So the idea is to help nudge the humans in the right direction—toward security compliance.      </p><p>Following are several examples of how nudge theory, and choice architecture, can be used in a security context. Gaming Speed   </p><p>An interesting example of a security nudge comes from law enforcement in the form of a speed camera that rewards speed compliance. In 2008, the city of Stockholm, Sweden, introduced a speed camera along a problematic stretch of road in a town center. Initially the camera was placed to record the speed and license plates of violators, but later it was made the focus of an experiment in nudging. The camera would record not only the speed and license tag numbers of speeders, but also the speed and license tags of those who were respecting the 30 kilometer-per-hour (kph) speed limit. </p><p>At the end of the experiment, all drivers who were photographed driving at or below the speed limit were entered into a raffle, with the winner awarded a check for 20,000 kroner (roughly $3,000) partially paid by the fines of speeders. This spurred a dramatic change in average speed. Prior to the experiment, the average speed on that stretch of roadway was 32 kph. After the introduction of the “speed lottery,” the average speed dropped 22 percent, to 25 kph.  </p><p>Besides being a successful nudge, the speed example is also an excellent example of gamification. It encouraged people to comply with speed limits and improve public safety, while also giving them entry into a larger game to win a tangible, but not budget-busting, prize.  ​</p><h4>Out of Pocket</h4><p>Security nudges have also been employed to increase security efficiency and compliance at airports. One of the first took place at the Nepalese airport of Tribhuvan, where officials noticed a marked increase in graft among airport customs inspectors. </p><p>Nepal was hard hit in the economic slowdown of 2008, and many Nepalese sought employment outside of the country to support family members. When these expatriates returned to Nepal, crooked customs inspectors preyed upon them by insisting on bribes in exchange for quick facilitation through customs while they were in possession of foreign currency, which otherwise could have delayed their entry. </p><p>Nepalese anticorruption authorities fought back by redesigning the uniforms of airport customs workers to remove all the pockets. Collecting payola becomes much more complicated without a convenient pocket to quickly stash the loot. The lack of pockets also served as a reminder for the customs workers to adjust their behavior and avoid illegal activity. Every time employees reached for their pockets, they were reminded about corruption and management’s refusal to condone it. Although there has been no formal study performed to assess the effectiveness of bribe-resistant trousers, news reports have found that graft and bribe-taking has been reduced at Tribhuvan airport.  </p><p>Creative nudges also help the flow of lines at U.S. airport security checkpoints. By and large, passengers choose the shortest available line to proceed through security screening. However, each passenger situation is different, so the shortest line may not necessarily turn out to be the fastest—six frequent business travelers familiar with airport security routine might proceed much faster than a vacationing family of four that fly infrequently.  </p><p>So, airports near ski resorts have taken to designing self-selection lines marked according to a ski slope theme: Green Circles for families and those needing special assistance, Blue Squares for frequent travelers somewhat familiar with TSA procedures, and Black Diamonds for the expert travelers.  </p><p>Under this system, there is no enforcement of lanes; passengers are free to choose whichever line they wish. However, by encouraging people to make proper line choices through color coding, security personnel are able to channel passengers toward the type of security screening they would be best served by, and increase the overall efficiency and security of the entire system. In nudge theory terms, this is a good example of placing a “designed decision” in front of a security customer.​</p><h4>Engage to Nudge</h4><p>The National Retail Federation estimated 2014 retail losses due to inventory shrinkage at $44 billion. Facing such challenges, the field of loss prevention is one of the most dynamic in security today, and is also a discipline full of nudges.  </p><p>Most retail stores have some form of CCTV monitoring for the prevention and investigation of theft, and this technology can be used to nudge customer behavior. The most visible nudge is conveyed through the placement of a live CCTV video feed at the store entrance.  This provides an immediate environmental reminder to would-be thieves that they are being watched and the store is on the lookout for shoplifters. </p><p>Another frequent nudge is conveyed through employee engagement with customers. According to the ASIS Retail Loss Prevention Council, a staff that greets customers and maintains active engagement with them can significantly reduce retail theft. </p><p>There are actually two nudges here. The first is the interaction between the employee and shopper; the customer is reminded that the employee is committed to the job, and consequently of the risk of getting caught if the shopper decides to shoplift. The second is the employer nudging the employee to habitually engage customers. This is usually accomplished when the employer sets default rules; it becomes the expected norm of all employees through training, feedback, and evaluations. The added benefit is that it allows security and customer service to be on the same side of an issue, and that’s an increasingly rare opportunity.  </p><p>Other possible nudge cues to deter shoplifting are explored in the paper Nudge, Don’t Judge: Using Nudge Theory to Deter Shoplifters, by Dhruv Sharma and Myles Scott of Lancaster University. They include signs that offer to donate profits not lost to shoplifting to charity; attention-grabbing events such as music or videos when customers interact with certain products; and applying the general premise of crime prevention through environmental design (CTPED) to store layouts to increase visibility and surveillance coverage. ​</p><h4>Nudge Training</h4><p>Security nudges have also been incorporated into awareness training. In 2014, the XL Group, a global insurance provider, sponsored an employee challenge. Each time an employee viewed one of the company’s security videos, XL would donate a dollar to charity. The videos were short (usually about a minute long), and focused on helping the employee secure not only vital company information, but personal information as well. The donations also appealed to an employee’s sense of social responsibility by involving a charity. The campaign managed to amass over 10,000 views of security videos, and a hefty charity donation.</p><p>Some U.S. government agencies are also using nudge theory practices in security training. In an effort to train employees on the proper ways to respond to email phishing attacks, one agency offered the following incentive: everyone who correctly followed procedure in a phishing attack exercise was made eligible for a small “Phishing Derby” prize. The cost of the prize was minimal (less than $50 dollars), but offering it greatly increased participation compared with previous exercises.  </p><p>Another agency took a different approach. When the agency sent out reminder notices to employees to complete mandatory security training, it made sure that the notices included the percentage of other employees who had already completed the training. Thus, this approach used peer pressure to conform in a nudge aimed at achieving the desirable result. The result was a higher completion rate, and in a shorter time, than previous years.  ​</p><h4>Developing Security Nudges</h4><p>Nudges can be used anywhere a user is offered a choice to do the correct thing versus the incorrect thing. The keys are understanding your security policy, understanding your users, and sustaining a willingness to experiment.   </p><p>The best place to start is with your own security metrics, especially those that are the most problematic. What areas, process, or programs have been the most troublesome in terms of compliance? A brainstorming session with a good cross section of security personnel (who in this context are serving as choice architects) often results in useful data and ideas for developing nudges. This cross section should include not only program leaders but program users, who are often the source of the most valuable insights—they provide the “ground truth” on how effective existing security measures really are, and on the parts of the program that are most at risk of noncompliance.  </p><p>It’s also important to recognize what kind of decision we’re trying to influence, in the terms sketched out by Thaler and Sunstein:</p><p> • A complex decision: A decision with many variables</p><p> • An overwhelming decision: A decision with many options</p><p> • An infrequent decision: A decision that comes up very rarely</p><p> • A low feedback decision: No obvious feedback from the decision</p><p> • A delayed consequences decision: Where the feedback comes much later</p><p><br> </p><p>Then, according to Thaler and Sunstein, we need to figure out what flavor of nudge to use:</p><p> • Default rules: Change the rule for everybody to a compliant default</p><p> • Environmental reminders: Posters, checklists</p><p><span style="line-height:1.5em;">- Commitment reminders: Constant reminders to steer behavior, like wearing a fitness band as a  reminder to take the stairs</span></p><p> • Designed decisions: Placing the correct decision in front of the customer at the instant the decision needs to be made</p><p><br> </p><p>When implementing nudges, it’s always important to keep two things in mind: ethics and metrics. Ethical nudges don’t compromise the autonomy or the integrity of employees and customers. They simply nudge them into making the correct decision regarding policies they have already agreed to.</p><p>Metrics are necessary both to ensure that the nudges are effective and to justify resources needed to implement them. Few things in business are free; even things that seem small normally have some kind of cost attached to them. The best way to address management on these issues is the cost-benefit approach: have a story to tell, explain the financial and reputational costs of noncompliance, and come prepared with a full cost accounting of the nudge and a plan to for implementation. Make approving your plan the “easy” thing to do. If you haven’t caught on by now, you’re nudging your management. ​</p><h4>Sample Security Nudge</h4><p>Here’s an example case of how security nudges can be developed. Nudgella, the security manager at Company X, has noticed an increase in security incidents involving sensitive company information left unattended in the copy room. So Nudgella sets a meeting with the head of the guard force, along with representatives of human resources and IT, to determine the causes and seek solutions. </p><p>In the meeting, it is determined that the issue with the copy room is that employees are printing sensitive documents to the community printer and then failing to retrieve them. Thaler and Sunstein would call this a “delayed consequences decision.” The person actually printing the document doesn’t suffer any consequences for failing to retrieve it for a period of some time, if at all.  </p><p>Those attending the meeting brainstorm solutions, and three rise to the top for possible implementation: an environmental reminder in the form of signs placed around the office reminding employees of their responsibility to safeguard sensitive information; a default rule that would switch all employees to a “secure print” mode where they would be required to input a code at the printer to retrieve their document; and a commitment reminder in the form of a pop-up window reminding employees to retrieve their printouts every time the print button is clicked on.  </p><p>Now, the managers need to convince the C-suite. They arrange a meeting, and the security manager brings in a well-developed plan that can be implemented at minimal cost. Since the IT folks were brought in at the beginning, the technical solutions of secure printing and pop-up banners are well thought out. Since HR was part of the process, any concerns about ethics and privacy were addressed early on. The guard force has already agreed to make periodic rounds of the copy room to assess compliance and provide metrics reporting.  </p><p>The CEO and CIO couldn’t be happier with the effort. Nudge accomplished.  </p><h4>Embrace Choice, Embrace Change<br></h4><p>Here’s the big picture question for security managers: Is it easier for an employee to comply with specific security policies and procedures, or not comply? If the answer is not comply, some nudges may be in order.</p><p>Given its importance, security compliance can be seen as a high-value, all-encompassing moral imperative. But managers should also view it as a series of choices made every minute of every day by every individual. Thus, it is the job of the security professional to enable every individual to make the correct choice by making those choices the easiest and least painful ones. Security managers are not just compliance enforcers. They should also embrace their role as choice architects, which will lead them to become change architects as well. </p><p>--<br></p><p><em><strong>Sean Benson, CPP</strong>, is a program security specialist at ISS Action, Inc. He is currently leading technology protection efforts on NASA’s Space Launch System. He is the chairman of the ASIS North Alabama Chapter.</em></p> TrendsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">In r</span><span style="line-height:1.5em;">ecent years, security professionals have been bombarded with rules and regulations on corruption as well as court rulings on discrimination and harassment. The upcoming compliance trend centers around safety and health. A new rule on reporting workplace fatalities, injuries, and illnesses will bring workplace safety practices under scrutiny. Almost 5,000 U.S. employees were killed at work in 2014, a 5 percent increase from the number of reported fatal work injuries in 2013. And nearly 3 million people experienced a workplace injury or illness in 2014, according to the U.S. Department of Labor’s (DOL) Bureau of Labor Statistics (BLS). </span></p><p>To make data about these incidents more accessible to the public, the DOL’s Occupational Safety and Health Administration (OSHA) issued a final rule, Improve Tracking of Workplace Injuries and Illnesses, in May 2016, that requires many employers to electronically submit information about workplace injuries and illnesses to the government. The government, in turn, will then make this information available online in a public database.</p><p>“Since high injury rates are a sign of poor management, no employer wants to be seen publicly as operating a dangerous workplace,” Assistant Secretary of Labor for Occupational Safety and Health Dr. David Michaels said in a statement. “Our new reporting requirements will ‘nudge’ employers to prevent worker injuries and illnesses to demonstrate to investors, job seekers, customers, and the public that they operate safe and well-managed facilities.”</p><p>Additionally, Michaels said that greater access to injury data will also help OSHA better target compliance assistance and enforcement resources to “establishments where workers are at greatest risk, and enable ‘big data’ researchers to apply their skills to making workplaces safer.”​</p><h4>What’s in the new rule?</h4><p>Under the Occupational Safety and Health Act of 1970, employers are responsible for providing a safe workplace for employees. As part of this act, OSHA already required many employers to keep a record of injuries and illnesses, identify hazards, fix problems, and prevent additional injuries and illnesses. </p><p>Under the new rule, all employers with 250 or more employees at a single facility covered by the recordkeeping regulation must electronically submit injury and illness information to OSHA in three forms: 300 (log of work-related illnesses and injuries), 300A (summary of work-related illnesses and injuries), and 301 (injury and illness incident report).</p><p>OSHA argues that, together, these forms will paint a picture of the number of injuries, number of fatalities, lost time, total lost days, total restricted work days, and the total number of employees at each location of a company.</p><p>And OSHA will be able to use it to answer certain questions. For example, within a given industry, what are the characteristics of establishments with the highest injury and illness rates? What are the characteristics of establishments with the lowest rates of injuries and illnesses? What is the relationship between an establishment’s injury and illness data and data from other agencies?</p><p>Facilities with 20 to 249 employees in certain high-risk industries will also be required to submit information from form 300A electronically. These are 67 industries identified by OSHA that have historically high rates of occupational injury and illness, including manufacturing, construction, urban transit systems, utilities, and more.</p><p>The requirement for facilities to submit the 300A summaries electronically goes into effect on July 1, 2017. If required, facilities must submit forms 300 and 301 electronically by July 1, 2018, and will be required to submit all three forms electronically by March 2, 2019.</p><p>OSHA will upload this data, after ensuring that no personally identifiable information is included, to a publicly accessible database. The details of the database, however, have not yet been released because OSHA is still creating it.</p><p>OSHA’s mission is to protect the safety and health of workers. This new rule, OSHA’s Office of Communications tells Security Management, will support that mission.</p><p>First, as previously noted, access to injury data will help OSHA better target compliance assistance and enforcement resources to establishments where workers are at greatest risk.</p><p>“The final rule’s provisions requiring regular electronic submission of injury and illness data will allow OSHA to obtain a much larger data set of more timely, establishment-specific information about injuries and illnesses in the workplace,” the rule says. “This information will help OSHA use its enforcement and compliance assistance resources more effectively by enabling OSHA to identify the workplaces where workers are at greatest risk.”</p><p>One example OSHA gives in the rule itself is that the data will help it identify small and medium-sized employers who report high overall injury and illness rates for referral to its consultation program. </p><p>“OSHA could also send hazard-specific educational materials to employers who report high rates of injuries or illnesses related to those hazards, or letters notifying employers that their reported injury and illness rates were higher than the industry-wide rates,” the rule explains.</p><p>The practice of sending high-rate notification letters, for instance, has been associated with a 5 percent decrease in lost workday injuries and illnesses in the following three years, OSHA says.</p><p>OSHA also maintains that publicly disclosing work injury data will encourage employers to prevent work-related injuries and illnesses.</p><p>The new reporting requirements are also designed to save government time and money. The agency believes that the new rule will convince “employers to abate hazards and thereby prevent workplace injuries and illnesses, without OSHA having to conduct onsite inspections.” ​</p><h4>What else does the rule do?</h4><p>Along with the electronic reporting requirements, the rule also reemphasizes whistleblower provisions for employees to report injury and illness without fear of retaliation. </p><p>“The rule clarifies the existing implicit requirement that an employer’s procedure for reporting work-related injuries and illnesses must be reasonable and not deter or discourage employees from reporting,” the office explains. “It also incorporates the existing statute that prohibits retaliation against employees for reporting work-related injuries or illnesses.” </p><p>Including the term “reasonable” is new for OSHA, says Edwin Foulke, Jr., partner at Fisher Phillips who cochairs the firm’s Workplace Safety and Catastrophe Management Practice Group and who was the head of OSHA from 2006 to 2008. </p><p>“Before, you were required to make sure that your employees knew that there was a system to report,” he adds. Now, however, OSHA requires that that system be a reasonable one.</p><p>While it is unclear how exactly OSHA is defining “reasonable,” it does explain in the rule that “for a reporting procedure to be reasonable and not unduly burdensome, it must allow for reporting of work-related injuries and illnesses within a reasonable timeframe after the employee has realized that he or she has suffered a work-related injury or illness.”</p><p>If employers are caught discouraging employees from reporting illness or injury, they can be cited by OSHA for retaliation. “Before, the employee had to file a complaint. Now, for an employer to get cited and to be penalized, OSHA can do that in an inspection under this new standard,” Foulke says. “So this is a whole new area, and they’re going to be looking.” </p><p>Actions that could be considered retaliation include termination, reduction in pay, reassignment to a less desirable position, or any other adverse action that “could well dissuade” a reasonable employee from making a report, the rule explains.</p><p>OSHA also has taken the stance in the rule that “blanket post-injury drug testing policies deter proper reporting” of workplace injuries and illnesses. Because of this, the rule prohibits employers from using drug testing—or the threat of drug testing—as a form of adverse action against employees who report injuries or illnesses.</p><p>“To strike the appropriate balance here, drug testing policies should limit post-incident testing to situations in which employee drug use is likely to have contributed to the incident, and for which the drug test can accurately identify impairment caused by drug use,” the rule says. </p><p>For instance, OSHA says it would not be reasonable to drug-test an employee who reports a bee sting or a repetitive strain injury. </p><p>“Such a policy is likely only to deter reporting without contributing to the employer’s understanding of why the injury occurred, or in any other way contributing to workplace safety,” OSHA explains.</p><p>However, if workers’ compensation laws require an employer to conduct drug testing, then this type of drug testing would not be considered retaliatory, OSHA adds.​</p><h4>What should employers do? </h4><p>Because of potential liability and opportunities for citations, Foulke recommends that companies take several actions in response to the new rule. </p><p>For instance, employers should look at how they advise their employees to report injuries and illnesses under the record keeping standard. OSHA has said that companies can meet this requirement by posting the “Job Safety and Health—It’s the Law” workers’ rights poster from April 2015.</p><p>Employers should make sure that their reporting process is “reasonable and doesn’t somehow discourage people, because, if it is, they are going to get cited for it and maybe open themselves up to a whistleblower retaliation claim,” according to Foulke.</p><p>A whistleblower retaliation claim could be likely because this is an issue that OSHA has been increasingly focused on during the Obama administration’s second term, he says. </p><p>Employers also need to know their rights during an OSHA inspection, a process that many are unfamiliar with. For example, Foulke says that when OSHA comes in to do an inspection based on a complaint it has received, it will frequently attempt to expand the visit into a “wall-to-wall” inspection.</p><p>“If the employer doesn’t assert their rights and allows a wall-to-wall, then potentially they could have many more citations,” Foulke explains.</p><p>Additionally, the business community has expressed concerns that the new rule will force them to publicly reveal secret business details that were previously considered privileged and confidential.</p><p>“When you fill out the 300 logs and also the 300A summaries, they are going to talk about departments and processes—especially in the 301, you may have some information that may be somewhat proprietary,” Foulke says. “Employers are going to have to be very careful about what they put when they’re submitting their data, that they basically look and provide only the minimum that they are required to provide.”</p><p>And employers should also recognize how the data they submit to OSHA may be used once it is publicly available. This is because using the information from the 300 and 301 forms, analysts will be able to determine the death, injury, and illness rate of a particular company to compare it to the industry average. </p><p>“Now that data could be used by union organizers who want to try to organize a company to show how bad at safety they are,” Foulke explains. “They can take that data and say, ‘Look how many injuries and illnesses this company has.’”</p><p> “Plaintiffs’ lawyers could look at it and say, ‘Look at this company. They have all these injuries there. Obviously something is going on there, so I need to go out to that plant, find one of those employees who got injured, and throw a class action against the company for all these injuries,’” Foulke says.   ​</p> TrendsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">“Thousands have lived without love, not one without water,” poet W.H. Auden famously said. In many countries, enjoying a safe and secure water supply is something most take for granted. The United States, for example, has had an “unrivalled tradition” of low-cost, universal access to drinking water, says Robert Glennon, a water policy expert at the University of Arizona and author of Unquenchable: America’s Water Crisis and What to Do About It. In actuality, a safe and secure water supply is never a given, and there are signs that the recent water crisis in Flint, Michigan (covered in Security Management’s May issue), may be a canary in the coal mine for the future of America’s water. The U.S. water and wastewater system is in urgent need of repair and replacement; some of the piping dates back to the Civil War era, experts say. But federal and state funding appropriations have been insufficient for keeping water supply infrastructure in good repair.</span></p><p>“For years, there’s been a general inadequacy in funding,” Glennon says.  As recent proof, Glennon cites the American Recovery and Reinvestment Act of 2009, commonly known as President Barack Obama’s $787 billion stimulus package. “A small fraction of that, less than 1 percent, was devoted to water and wastewater,” he explains.</p><p>The American Water Works Association has estimated that repairing the million-plus miles of water mains across the country, and expanding that infrastructure so that it can adequately serve the country’s growing population, could cost up to $1 trillion over the next 25 years. The U.S. Environmental Protection Agency (EPA) has a lower estimate: roughly $330 billion over 20 years.</p><p>Both of these estimates dwarf the existing $1.38 billion that state and local governments are spending annually on drinking water and wastewater infrastructure, according to statistics from the American Society of Civil Engineers (ASCE). (Using a comparable 20-year time frame, the ASCE estimate comes to roughly $28 billion, or only about 8 percent of the EPA’s estimate of needed funding.) </p><p> Besides inadequate funding for repair, demand is growing, not only from an increasing population but from high-tech industries. Large corporations with cloud computing operations occupy enormous industrial facilities that are air conditioned. “This requires a heck of a lot of water,” Glennon says. </p><p>In addition, environmental factors pose challenges to a secure U.S. water supply. In states like Florida, rising sea levels are pushing into coastal aquifers and causing saltwater intrusion, making the aquifers more saline and problematic for human consumption. </p><p>Worldwide, a possible future water crisis is a problem alarming many, in part because of its potentially disastrous cascading effects on the global economy. A survey released by the 2016 Global Economic Forum found that a water crisis is the top concern for business leaders over the next 10 years. Further in the future, the global water situation continues to look grim, by several measures. By 2030, a stable supply of good quality fresh water can no longer be guaranteed in many regions, and a 40 percent global shortfall in supply is expected, according to the Carbon Disclosure Program’s (CDP) Water Program.</p><p>By 2050, an inadequate supply of water could reduce economic growth in some countries by as much as 6 percent of GDP, “sending them into sustained negative growth,” says a recent World Bank report, High and Dry: Climate Change, Water, and the Economy. Regions facing this risk include India, China, the Middle East, and much of Africa. Water insecurity could also ramp up the risk of conflict and instability—droughts can spur a spike in food prices, which can in turn cause civil unrest and increase migration. While 2050 might seem quite far in the future, water-related challenges are happening right now. The World Bank report also found that 1.6 billion people currently live in nations that are subject to water scarcity, and that number could double over the next two decades.</p><p>Moreover, a water crisis can have a devastating effect on the global economy. The CDP’s Water Program estimates that, if current status quo water management policies are sustained worldwide, $63 trillion in assets will be put at risk. Such economic challenges are highlighting the importance of improved water governance, which includes an emphasis on positioning the water supply so that it is more resilient in the face of challenges due to demand, the environment, and other factors, says Hart Brown, who leads the organizational resilience practice at HUB International and is a member of the ASIS International Crisis Management and Business Continuity Council.</p><p>“In light of the case in Flint, as well as droughts, floods, and the potential competition for water resources, improved water governance is being brought to the forefront of many conversations,” Brown says. When resilience enters the conversation, the challenge becomes creating an “adaptive capacity,” or “diversification of the water and sanitation systems.” </p><p>However, there is no one resilience model that can be successfully replicated for all water supply and treatment plants, because each system is a unique combination of human, technological, and environmental factors, Brown explains. In the United States, a wide range of water systems could potentially benefit from resiliency upgrades, he says. Those include conventional utility piped water supply systems; dug wells and tube wells (wells in which a long pipe is bored into an underground aquifer); rainwater harvesting operations; unprotected water sources such as rivers and streams; and cooperative developments in areas that share transboundary water resources.</p><p> Improving the resiliency of any water system takes investment, but just as important, it takes sound science, Brown says. </p><p>“Water managers need access to the best available scientific information and water risk assessments to support these long-term water-related decisions, including the ability to forecast and plan for important capital expenditures,” he explains.  Businesses also have a role to play, especially those that rely on water for production, manufacturing, agriculture, and power generation purposes, he adds. Some businesses are already being strategic in this area; they consider shared responsibility and sustainability of water systems a core function. </p><p>“Partnerships with local communities are important in the ability to overcome shared water risks,” Brown says. </p><p>Globally, improved resiliency and water management practices, if given sufficient investment, have the potential to pay tremendous dividends, the World Bank report argues. It calls for a three-point approach: improving resiliency to extreme weather events by improving storage capacities, reusing facilities, and other tools; optimizing the use of water through better planning and incentives; and expansion of the water supply, where appropriate, through recycling, desalination, and damns.</p><p>“While adopting policy reforms and investments will be demanding, the costs of inaction are far higher. The future will be thirsty and uncertain,” the report says.</p> TrendsGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">Dashboards and cross-platform software systems are tech trends that can help security professionals organize data into actionable intelligence. A software manufacturer uses cloud technology to manage incidents, an airport uses data to track parking lot use, and a health insurance provider uses a real-time dashboard to provide improvements in everything from visitor management to officer dispatch times.</span></p><p><strong>High velocity and high volume. </strong>This basic definition of Big Data is logical to most security professionals. However, the industry has been grappling with the practical applications of all that information. Some practitioners see Big Data as a solution looking for a problem while others are waiting to see where the technology will lead.</p><p>Most industry professionals are just overwhelmed, according to Brian McIlravey, CPP, executive vice president of command center applications at Resolver in Toronto, Ontario, Canada. “In the old days we didn’t have quite as much information to deal with,” he says. “We had access control and cameras. It was easy to take data out and track small trends. The difference now is the sheer amount of data available.”</p><p>However, this difference is one of scale—not efficacy, according to McIlravey. “Companies shouldn’t need to search for answers in Big Data. It should be a perfect fit,” he says. “It should shout ‘we have found a problem in the data!’”</p><p>Following are the stories of three security professionals who listened to the data and heard it shout. Their experiences, they contend, are portents of Big Data successes to come. </p><h4>Connections </h4><p>“We want to be more efficient for our benefit and for our customers’ benefit. We are looking for real-time situational awareness across our organization,” explains Brian Weaver, telecommunication analyst for the Minneapolis-St. Paul International Airport, Metropolitan Airports Commission (MAC) in St. Paul, Minnesota. “MAC wants to capitalize on existing information we already have and use that data creatively while still keeping it secure and safe.”</p><p>Two years ago, MAC purchased a software platform to pull data from various sources and share it among MAC stakeholders. MAC, which operates the Minneapolis-St. Paul Airport as well as six other regional airports, generates data on everything from flight arrivals to parking statistics to access control data.</p><p>Approximately 300 end users operate the platform. This diverse group includes baggage handling system operators, tarmac operations, police, airlines, and Transportation Security Administration (TSA) representatives. “All these different groups are collaborating using the same information for their business needs. That’s why that data is so important,” says Weaver. “The goal is to control that data, use it, and audit it. The platform provides us a great deal of command and control.”</p><p>Weaver and his team use the platform to link video and data. For example, MAC will be using a point of sale (POS) system connected to the parking ramps. Customers will be able to pull into the lot and park their vehicles for 30 to 60 days. In some cases, drivers will claim to have lost their tickets forcing MAC to charge a standard, maximum fine.</p><p>Once implemented, the platform can tie the POS system to security’s license plate reader (LPR) software. By combining these two systems, the specific vehicle is linked to its transaction data, providing the accurate parking duration. “We can then say ‘no, your vehicle has been here for 60 days,’” explains Weaver. (He notes that the use of LPR data is restricted by both state and federal statute and MAC works within those guidelines to ensure that it does not collect or view the personal data of drivers.)</p><p>Weaver is currently in the process of expanding the program to newly constructed parking ramps. He will be running algorithms against the LPR data to determine how many drivers from different states are parking in certain areas of the ramps. This information helps elevate security within the organization by contributing to MAC’s strategic efforts. “This data will help the marketing department, parking operations, and police,” according to Weaver. “Say 500 cars are from Wisconsin or from Iowa. We can then target marketing to those particular states. Parking and police can track lost or stolen cars to a smaller physical section of the parking area and generate vehicle counts for ramp occupancy.”</p><p>Similarly, the data will eventually guide the parking group that manages the parking structures. The data can provide statistics on how long people park and where they park. “The data is not being fully used,” says Weaver. “It hasn’t been linked or tied into the various systems. It’s smart data but there is no intelligent means to search it or reorganize it.”</p><p>MAC currently has 25,000 parking spaces and the construction will add 5,000 new spaces. New data-gathering technology is being planned to integrate these systems into the project. For example, MAC is including an enterprise-level intercom system and associated mapping of those intercoms to tie back to the system, along with video camera feeds using geographic information system (GIS) locations.</p><p>Another big data project includes airline flight display data. Airlines use an overlay of that data—arrivals and departures—on the security camera feeds. This allows security and airline personnel to look at the video from a gate and instantly see that flight information data. </p><p>Using a grant from the TSA, Weaver obtained approval to significantly upgrade the system last year and has started connecting even more systems via the platform. “This summer, we are rebuilding our lab environment for testing the data interactions, then we will push solutions out to the production environment by the fall,” says Weaver.</p><p>An example of a project already in the works is integration of video, alarms, and the baggage handling system. If a bag jams or the belt is inoperable, the stoppage will trigger an alarm. Simultaneously, a video feed will automatically show the baggage jam to determine what is causing the problem and dispatch maintenance staff accordingly. Weaver hopes to tie various other airport systems together along with security camera feeds in a similar manner.</p><p>Weaver notes that while some of the projects in the pipeline are hypothetical at this point, they are all feasible if integrated properly. Even something as simple as a sensor for a burst pipe, for example, can be tied in with cell phones, GPS systems, and maintenance dispatch. “The video system has traditionally been only a security tool, but now we are looking at the organization-wide applications for real time situational awareness,” says Weaver. “It’s a better return on investment and we are providing a business use case for this data.”​</p><h4>Virtualization </h4><p>As senior director for global security technology, investigations, and services for Microsoft Corporation, Brian Tuskan knows that he had a head start in the race to use Big Data. “I see a lot of security directors get in trouble with the latest hardware that doesn’t integrate,” he says. “The benefit of working for Microsoft is the integration. Whatever tech we build within our infrastructure has to be on the Microsoft platform.”</p><p>The advantage is critical for Tuskan, whose overall responsibility for enter­prisewide security means he must un­derstand and manage the physical security needs of the global organization with the help of 18 full-time employees and 350 contract security officers.</p><p>Leveraging the advanced state of integration at Microsoft, Tuskan and his team built software to monitor the data gathered from physical security devices to assess the health of the overall program. “We already had a tool that many data centers use to manage the health of their servers,” Tuskan explains. “It measures run time and failure rates, for example, to help you plan for life cycle and repair maintenance.”</p><p>Two years ago, one of Microsoft’s third-party contractors approached Tuskan with the idea for using the same type of system to assess every IP device on the network. Microsoft approved the project, and now more than 15 types of devices, including duress alarms, cameras, and access control points, are monitored. </p><p>More than 27,000 security devices are constantly pinging the operations center, providing real-time information on their operational health. A dashboard organizes and displays the data. The systems center operations manager then uses an algorithm to analyze that information. </p><p>Mapping software allows for easy visualization of the equipment. Not only does the software help avoid the problem of finding out that a camera has failed after an incident, it also shows security all the hot spots—what needs to be repaired immediately and what sensors are near failure. “Now, we can build in a budget for repair and maintenance,” says Tuskan. “The data informs a priority matrix detailing what needs to be worked on first and allows for an accurate rollout of maintenance and replacement.”</p><p>With two complete years of data gathered, Tuskan’s team plans to do an assessment to quantify the cost savings. </p><p>One unexpected benefit of the program is its value to the device manufacturers. Security will be able to provide accurate failure rates for all types of equipment. “The software allows us to see when devices are failing in real time,” says Tuskan. “In the future, we hope to be able to predict when devices will need servicing or replacing.”</p><p>Based on the success of this project, Tuskan and his team have turned Big Data loose on Microsoft’s security operations centers. Several years ago, the company merged all 15 of its local security operations centers around the world into three global operations centers.</p><p>A year ago, security was able to reduce those three centers into one global operations center, located outside of Seattle, and a call service center in India. “We saw the power of the cloud. We took data that we used to house in our own servers and pushed it to the cloud,” Tuskan says. “We had availability, redundancy, and a robust IT environment.”</p><p>Using data on operations center calls, Tuskan found that close to 90 percent of activities in the operations center were noncritical. “These were routine events,” Tuskan explains. “These calls were: ‘I’m locked out of my office’ or ‘there’s a door forced open alarm in the cafeteria.’ All this noise for only a few truly significant events.”</p><p>Tuskan’s team is currently using data to hand off the routine inquiries to a third party, leaving the fusion center free to focus on incidents that require decision making. To do this, Microsoft is turning the existing security operations center into a virtual security operations center or VSOC. Instead of having operators managing multiple calls on mundane issues, they will only focus on high-level, life safety, mission-critical calls.</p><p>Security recently held a four-day summit with all key stakeholders to determine what technology would exist in a perfect version of a VSOC. A process mapping expert attended the meeting to focus the group and organize the results. “Dream states get very expensive,” says Tuskan. “But you have to have that discussion. There’s a balance where you need to determine how to change operationally and evolve over time into this new way of leveraging technology.” </p><p>Security is evaluating more than 116 technologies to determine whether they can contribute products to the VSOC. Tuskan and his team must now assess them to see whether they fit into the overall vision of the project. </p><p>Tuskan says they are looking to build a tool for operations that will pull out the information needed and put it on a white wall—a single-view platform. Key decision makers could carry a device that displays the command center virtually anywhere, even in a hotel room halfway around the world. </p><p>No matter how high-tech the solutions get, Tuskan notes that the goal is to get appropriate solutions to meet quantified needs. “We can accurately assess what sort of funds we will need. Many security departments are forced to budget through fear. We use data.”​</p><h4>Operations</h4><p>In charge of building security for an insurance company, Jonathon Carrell manages 24 facilities in four states and protects the 4,000 employees who use them. Almost two years ago, Carrell wanted to use data to help guide his team of around 20 in-house employees and 50 contract staff members. </p><p>“All of our data was largely trapped in silos with few viable options to correlate data between systems. For the most part, we were left with the lackluster reporting tools built in to each individual system,” says Carrell. “These tools have often proven to be pretty limiting and not very conducive to meaningful data analysis.”</p><p>When Carrell started assessing the company’s data collection and analysis system, he found that some functions had reporting features built in. However, most of these were inflexible and provided information only from predesigned fields. Much of the existing data could not be retrieved or filtered. The few systems that did have custom reporting allowed the user to choose a specific field, but did not allow more complex analysis, such as through nested queries, for example. </p><p>However, had the reporting function been flexible, it would still have been insufficient, according to Carrell. “Even with the best reporting, we still couldn’t blend information from multiple databases,” he says.</p><p>Carrell purchased a product manufactured by Tableau in Seattle, Washington, that allows him to pull data from multiple sources, blend it, and place it into a real-time dashboard.</p><p>After Tableau was installed, Carrell began integrating the company’s various reporting systems to automate different processes. The result is live data connections companywide. “If someone is terminated, that is noted in the HR system and then goes to security’s watch list. Then the visitor management system deactivates the former employee’s badge,” explains Carrell. </p><p>Efficiency was the driving factor from senior management, according to Carrell. “I wanted to know what we were spending our time doing and how we could better allocate staff,” he explains.</p><p>An early discovery was that the operational specialists in the security department were running audit reports for access control and video management systems. However, the staff members responsible for those systems were already trained to do those reports and were far more familiar with the systems in question. Switching audit reporting duties resulted in greater efficiency and accuracy.</p><p>Carrell has used the system to assess the security department’s performance. “After tracking our alarm response time over the last two years, we noticed a big difference between the dispatch times of our in-house staff and our contract staff,” he says.</p><p>To combat the problem, Carrell established a mentorship program for in-house staff to tutor the contract staff. Though there’s still a gap in performance, that gap has closed significantly and now meets corporate targets. “Our plan is that the mentoring program will slowly and steadily improve contract performance until it matches our in-house team,” he says.</p><p>With the project’s success, Carrell says that the rest of the company has become more open to sharing and analyzing data. “We’ve witnessed a huge push to begin integrating our systems largely for operational benefits, but this also had an interesting side effect,” he says. “Once we began talking about how the different systems could interact and communicate with one another, we began considering a broader spectrum of questions that could be asked when blending data between various data sets.”</p><p>For example, after replacing an aging access control system, Carrell and his team began to explore the possibilities to determine whether they can integrate video management or tie into HR or internal audits. “At first, we had some pushback from employees,” he says. “But over the last year, we’ve seen a lot more openness.”</p><p>Carrell says that the system sells itself as security successfully integrates more systems. Employees become more confident and they can easily see how they could benefit from the technology.</p><p>“The ability to easily correlate data among corporate systems gives us a much broader lens to evaluate not just what’s happening now, but in some cases, to identify corporate risks before an event takes place and take action,” says Carrell.  ​</p>