’-Data-in-2014.aspxGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Yahoo Confirms Hackers Stole at Least 500 Million Users' Data in 20140|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Compliance Trends|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465School Security Trends|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Illuminating Going Dark: A Conversation with the FBI|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Resilience Trends|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Book Review: Effective Security Management2016-09-26T04:00:00Z|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Book Review: Workplace Safety2016-09-26T04:00:00Z|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Book Review: Active Shooter2016-09-26T04:00:00Z|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465When Simulation Means Survival2016-04-01T04:00:00Z|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465A Failure to Communicate2016-07-01T04:00:00Z

Security Management

 Morning Security Brief

View RSS feed

 SM Weekly

Retrieving Data

 SM Daily

Retrieving Data
Not a Member? Join Now Security TrendsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>School security often involves response tools, from mass notification to surveillance to reporting. However, experts note that trends are moving away from technology as a single solution to prevention-based programs centered around information sharing, all-hazards training, and public-private partnerships.</p><p>Preventing a tragedy often starts with getting critical information into the right hands. </p><p>Take the case of two teens in Spotsylvania County, Virginia, who were arrested and charged with conspiracy to commit murder in October 2015. The two had plans to phone in a bomb threat to their school, then shoot people as they evacuated, CNN reported. A school resource officer discovered that one of the boys had threatened violence on the Internet, and the resulting investigation uncovered the plot. </p><p>In December 2015, an anonymous tip was sent to a Denver school district’s “Text-a-Tip” threat reporting hotline. Based on that information, two 16-year-old girls were found with plans to commit a mass killing at Mountain Vista High School. They were arrested and charged with conspiracy to commit first-degree murder, reported Reuters. </p><p>These stories, and many like them, have a common thread throughout: critical information was reported and acted upon in a timely manner, stopping any plans to commit harm. While some security experts do not like to classify tragedies as preventable, they say there are key threat indicators that pointed to the mass shootings and other attacks before they occurred. If communities, schools, and law enforcement work together to identify and connect these dots, future threats could be stopped. </p><p><em>Security Management </em>speaks to experts about their experience conducting threat assessments in schools and communities. ​</p><h4>Connecting the Dots</h4><p>After the December 2012 Sandy Hook shooting that killed 20 elementary-age children and six educators, Connecticut Governor Dannel Malloy created a 16-member panel to review policies pertaining to school safety, gun-violence prevention, and mental health. The panel recommended in a 277-page report that all schools create safety committees that include police, first responders, administrators, and custodians. The report also urged each school to take an “all-hazards” approach to safety and security training for faculty, staff, and students. </p><p>Furthermore, the panel recommended that schools form threat assessment teams that “gather information from multiple sources in response to indications that a student, colleague, or other person’s behavior has raised alarms.” The report cites the U.S. Secret Service’s behavioral threat assessment model, which has been adopted for educational institutions, the workplace, and military settings. </p><p>“Once a team has identified someone who appears to be on a pathway to violence, the team ideally becomes a resource connecting the troubled child, adolescent, or adult to the help they need to address their underlying problems,” states the report, which goes on to say that such multidisciplinary teams can conduct risk assessments when questionable behaviors arise. “These would not only identify students at risk for committing violence, but also serve as a resource for children and families facing multiple stressors.” ​</p><h4>Partnerships</h4><p>As outlined in the Sandy Hook report, it is critical for organizations, schools, and communities to take an all-hazards approach to assessing and preparing for threats. If there is a dedicated platform or channel where they know they can report pertinent information, those dots can be connected in a meaningful way to prevent tragedy. </p><p>Two security experts share best practices with Security Management based on their experiences with threat assessments. These programs were bolstered by building partnerships with law enforcement and the community. </p><p>Working with stakeholders. Sometimes a threat assessment reveals an obvious problem that needs fixing, while other issues are uncovered only by working and communicating with stakeholders. Such was the case for school security professional Gary Sigrist, Jr., CEO and president at Safeguard Risk Solutions. </p><p>He tells Security Management that when he first started working at the South-Western City School district in Ohio, there were some obvious changes that needed to be made. “We had building principals who told their staff members they weren’t allowed to call 911 [in an emergency], that they have to call the office first,” he says. “We changed that.” </p><p>There was one building principal who told the cafeteria cooks that if there was a fire in the kitchen, not to pull the fire alarm until they had notified him first. “I brought the fire marshal in, and we had a conversation about that,” he notes. </p><p>Sigrist explains that working with law enforcement isn’t always a seamless process; sometimes schools and police in his district differed on their vision for a safe and secure environment. </p><p>“It’s not that the police were wrong, it’s just that some of their goals and objectives didn’t sync with the goals and objectives of the school,” according to Sigrist. But establishing regular meetings with law enforcement and other first responders was key to successful collaboration. “The police would say, ‘we think you should do this,’ and the school could say, ‘that’s not a bad idea, but let’s look at it from the point of view of the school,’” he notes. “Fire drills became better because we involved the fire department in the planning of our drills, where our command posts would be, and how we were going to check students in.” </p><p>He adds that first responder collaboration should go beyond just police and fire; schools rely on medical professionals when faced with health epidemics, for example. “When the Avian Flu and H1N1 sprang into effect, we worked with our county and state boards of health, and were able to develop a pandemic plan,” he says. “We had those subject matter experts.” </p><p>Over the course of his career at SouthWestern City Schools, Sigrist twice helped secure the Readiness and Emergency Management for Schools (REMS) Grant, in 2008 and 2010, from the U.S. Department of Homeland Security. These funds helped him establish many safety programs around the district. “Those are things people say, ‘wow, you must be a wonderful person to be able to get all of this done’–no, we had grant money,” he says. “It’s amazing what you can do with half a million dollars in grant money, and also the right support from the superintendents.” </p><p>No matter how prepared a school is for an emergency, those plans are truly put to the test when disaster strikes. Such was the case for South-Western City Schools when an explosion occurred at an elementary school. </p><p>“We had a building in a rural area, and the water table shifted, causing methane gas to build up in the basement. When it built up to a certain level with the right oxygen mix, there was an explosion,” Sigrist says. A custodian was injured, but everyone was able to evacuate the building safely as they had in many drills before. </p><p>The staff had been trained on how to function as a crisis team that was three members deep. Because the principal was not present at the time of the explosion, the building secretary assumed the role of incident commander, safely evacuating everyone from the building. “And it’s just evacuation training,” he says. “We never trained her on what to do when a building blew up.” </p><p>There were some key takeaways from the event that the district saw as areas of improvement. “Did we have lessons learned? Yes,” says Sigrist. “This happened almost right at dismissal, and we had school buses parked right in front of the building. Well–they didn’t move.” </p><p>These buses prevented fire trucks and other emergency vehicles from pulling right up to the scene. “And so one of our lessons learned is, if you have an incident, how are the buses going to pull out of the parking lot so the fire equipment can get in?” </p><p>Hometown security. Schools are a major focal point of the community, but they are not the only one. Societies are also made up of private businesses whose security is paramount to the overall environment of safety. Marianna Perry, CPP, a security consultant with Loss Prevention and Safety Management, LLC, explains that because about 85 percent of critical infrastructure in the United States is privately owned, “it makes sense that these businesses and communities partner with law enforcement to address problems.”  </p><p>Perry has more than 20 years of experience in conducting threat assessments for private businesses, as well as communities, including school districts. She recounts examples of how these reviews helped strengthen those localities, businesses, and law enforcement alike. </p><p>While Perry was the director of the National Crime Prevention Institute, there was a particular community with high crime rates, homelessness, and drug problems, as well as health-related issues. “There were abandoned properties, rental properties in disrepair, homes that had been foreclosed,” she says. “We were looking for a solution to help fix this community.” </p><p>Perry helped form a team of key stake­­holders and partners, including law en­forcement, a local university, security consultants, area churches, and the local health department. The public housing authority was also a major partner, as well as some local residents and business representatives. Initially, everyone came together for a week-long training program. The goal was to involve all partners in helping to develop strategies to improve the overall condition of the neighborhood, which in turn would help prevent crime. She says that much of the training was centered on crime prevention through environmental de­sign (CPTED), which predicates that the immediate environment can be designed in such a way that it deters criminal activity.  </p><p>She adds that the training wasn’t just focused only on preventing crime, but on several aspects of the community. “The goal was to improve the overall quality of life for everyone who lived or worked in that neighborhood,” says Perry. </p><p>The training also helped the partners learn to speak a common language. “We had all of these different people from different professional backgrounds and business cultures, and we needed them all on the same page,” she says. “They needed to be able to communicate with each other.” </p><p>A critical outcome of the training program, she says, was facilitating interaction among stakeholders, as well as developing and building trust. “It was a really successful partnership, and a lot of good was done for that community because everyone worked together to achieve common goals.” </p><p>Businesses also benefit from such assessments. Perry recently conducted a security assessment for one organization that was located in an area with one of the highest violent crime rates in the city. “Management was very concerned about the safety of their employees,” she notes. </p><p>During the assessment, Perry recommended that the company install additional cameras on the perimeter of their property for added surveillance and employee safety. The company could also share camera footage with law enforcement by tying their camera system into the citywide surveillance program. Perry worked with a local vendor to install IP cameras to cover a 10-block area. A control center operator would then monitor the cameras, and if he or she saw suspicious activity, either a security officer would be dispatched to respond, or 911 would be called. “I think people are now embracing the concept of public-private partnerships because they’re beginning to realize that they work,” Perry says.</p><p>Training. Preventing and detecting threats, while challenging, is possible when stakeholders share critical information. Having a centralized place for reporting such information is key, as well as training students, employees, and the community on how to use those platforms. </p><p>However, if the threat remains unde­tected or cannot be stopped, organiza­tions should conduct all-hazards training that covers a range of possible scenarios to ensure minimal damage and loss of life, says Kenneth Trump, president of National School Safety and Security Services. </p><p>“Active shooter is one concern, certainly, but it’s just that–one concern,” he says. “There’s a much greater likelihood that school employers are going to deal with a noncustodial parent issue multiple times during a school year than that they will ever deal­­—during their entire career working in the school—with an active shooter incident.” </p><p>Sigrist adds that having a laser-like focus on active shooter training can be a drawback for schools, because they lose sight of issues that have a greater likelihood of occurring. </p><p>“I asked one of my clients at a Head Start school how many times they have had a drunk parent show up to pick up a child, and they said, ‘it happens all the time,’” he says. “We still teach active shooter, but by teaching how to respond in an all-hazards approach, they will know how to take action.” </p> TrendsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">Security managers already know that culture is key, that understanding generational differences can reduce conflict, and that effective leadership can pave the way to the C-suite. The next trend in the management field, behavioral economics, can help security design programs that get buy-in from employees.</span></p><p>What is the underlying theory of your security program? It may be about punishing bad behavior, with employees written up by managers and then referred to counseling. Or, it may be about rewarding good behavior, such as praise and performance awards for security compliance. </p><p>Chances are it’s some combination of the two, using both carrots and sticks. But there’s another, perhaps deeper, question that is often telling—why do people make choices to either comply, or not comply, with your security program?</p><p>All around us, there are small clues guiding those choices. It’s time security leaders started shaping those clues to protect employees, customers, property, and other assets. They can do so by using the applications of one of latest trends in social science—behavioral economics.​</p><h4>Behavioral Economics</h4><p>Behavioral economics is the scientific examination of why people and organizations make the decisions they do, in an economic context. Its scientific pedigree has its origins in the 1970s, when technology was driving major improvements in brain research. At that time, new computing tools designed to assist in modeling, in tandem with Daniel Kahneman’s Nobel Prize–winning research on prospect theory (an economic theory that seeks to explain how people make decisions based on risk), provided a new research framework to explore how economic choices are made. Today, behavioral economics combines the practice of economics, neurobiology, and psychology to gain insight into why human beings act, or fail to act, in predictable ways.</p><p>At some level, most of us realize that <span style="line-height:1.5em;">our decision making is influenced by a variety of factors outside of our control, such as organizational norms, peer pressure, emotions, accepted stereotypes, and mental shortcuts. By closely analyzing these factors, behavioral economists can gain a sophisticated understanding of why people, and organizations, make the decisions they do—which factors take precedence over others, how different factors interact, and so on. They can also develop cues designed to steer a person or organization to a desired outcome. Such cues have been termed nudges; the people that help frame those decisions are called choice architects. </span></p><p>Public awareness of behavioral economics has slowly been gaining ground since the development of “nudge theory,” an offshoot of the science, by two academics, University of Chicago economist Richard Thaler and Harvard legal scholar Cass Sunstein. In their 2008 book Nudge: Improving Decisions about Health, Wealth, and Happiness, the two scholars postulate that there are subtle and blatant clues everywhere to influence behavior. (In the wake of his book’s success, Sunstein went on to serve as administrator of the White House office of information and regulatory affairs from 2009 to 2012.) Those clues may be accidental, but they can greatly impact the decisions we make, and there are scientific reasons for why they work or fail.</p><p>The authors argue that behaviors are guided just as much by on-the-spot decisions based on these clues, and the context these clues are found in, as they are by deeply held ethical or moral codes. Under the authors’ definition, a clue can be considered a nudge if two criteria are satisfied: the individual is free to choose it or not, and there is very little or no cost in choosing to go with the nudge as opposed to other options. In this way, nudges are meant to be subtle, not overtly coercive.  </p><p>The nudge concept isn’t entirely new. We’ve been nudged in many ways since birth. It only takes a trip to the grocery store to notice that the sugary sweet cereals are stocked at exactly the eye level of a seven-year-old, while bran flakes occupy the upper shelves. Consumers’ decisions about what action to take are influenced largely by what is put into their path. At any given time, our brains are processing a mountain of information and sensory input, so easy choices, which require less effort than searching for another option, are often viewed by the mind as the correct ones. This is especially true if the clues and context surrounding those choices don’t make them seem especially important.​</p><h4>Security Nudges</h4><p>Imagine having the ability to use nudges and clues as a designer and enforcer of a security program? The secret is that that you do. As a security manager, you have the ability to help make the correct choice for security the simplest choice for the user. In other words, you are a choice architect.</p><p>However, one concept must be understood before security managers can become effective choice architects. Thaler and Sunstein describe the concept as the difference between econs and humans. Econs are imaginary constructs developed by the writers of economics textbooks. They are people with the brilliance of Einstein, the self-control of Gandhi, and the logical prowess of a Vulcan who can predict reactions in a variety of environments. All econs do the same thing—and almost always, the correct thing—in any given situation.</p><p>In case you hadn’t noticed, we don’t work with econs. We work with humans. Humans are generally smart and well-meaning, but they are far from perfect in on-the-spot decision making. Further, humans are barraged every day with factors that drive them to do exactly the opposite of what their infinitely wise, long-range-thinking econ-selves would do.       </p><p>Unfortunately, the idea that econs and humans are interchangeable continues to stick around in the world of security. The overwhelming majority of security policies today treat employees as econs, not as the humans they truly are. Econs don’t need assistance complying with our complex security policies, humans do. So the idea is to help nudge the humans in the right direction—toward security compliance.      </p><p>Following are several examples of how nudge theory, and choice architecture, can be used in a security context. Gaming Speed   </p><p>An interesting example of a security nudge comes from law enforcement in the form of a speed camera that rewards speed compliance. In 2008, the city of Stockholm, Sweden, introduced a speed camera along a problematic stretch of road in a town center. Initially the camera was placed to record the speed and license plates of violators, but later it was made the focus of an experiment in nudging. The camera would record not only the speed and license tag numbers of speeders, but also the speed and license tags of those who were respecting the 30 kilometer-per-hour (kph) speed limit. </p><p>At the end of the experiment, all drivers who were photographed driving at or below the speed limit were entered into a raffle, with the winner awarded a check for 20,000 kroner (roughly $3,000) partially paid by the fines of speeders. This spurred a dramatic change in average speed. Prior to the experiment, the average speed on that stretch of roadway was 32 kph. After the introduction of the “speed lottery,” the average speed dropped 22 percent, to 25 kph.  </p><p>Besides being a successful nudge, the speed example is also an excellent example of gamification. It encouraged people to comply with speed limits and improve public safety, while also giving them entry into a larger game to win a tangible, but not budget-busting, prize.  ​</p><h4>Out of Pocket</h4><p>Security nudges have also been employed to increase security efficiency and compliance at airports. One of the first took place at the Nepalese airport of Tribhuvan, where officials noticed a marked increase in graft among airport customs inspectors. </p><p>Nepal was hard hit in the economic slowdown of 2008, and many Nepalese sought employment outside of the country to support family members. When these expatriates returned to Nepal, crooked customs inspectors preyed upon them by insisting on bribes in exchange for quick facilitation through customs while they were in possession of foreign currency, which otherwise could have delayed their entry. </p><p>Nepalese anticorruption authorities fought back by redesigning the uniforms of airport customs workers to remove all the pockets. Collecting payola becomes much more complicated without a convenient pocket to quickly stash the loot. The lack of pockets also served as a reminder for the customs workers to adjust their behavior and avoid illegal activity. Every time employees reached for their pockets, they were reminded about corruption and management’s refusal to condone it. Although there has been no formal study performed to assess the effectiveness of bribe-resistant trousers, news reports have found that graft and bribe-taking has been reduced at Tribhuvan airport.  </p><p>Creative nudges also help the flow of lines at U.S. airport security checkpoints. By and large, passengers choose the shortest available line to proceed through security screening. However, each passenger situation is different, so the shortest line may not necessarily turn out to be the fastest—six frequent business travelers familiar with airport security routine might proceed much faster than a vacationing family of four that fly infrequently.  </p><p>So, airports near ski resorts have taken to designing self-selection lines marked according to a ski slope theme: Green Circles for families and those needing special assistance, Blue Squares for frequent travelers somewhat familiar with TSA procedures, and Black Diamonds for the expert travelers.  </p><p>Under this system, there is no enforcement of lanes; passengers are free to choose whichever line they wish. However, by encouraging people to make proper line choices through color coding, security personnel are able to channel passengers toward the type of security screening they would be best served by, and increase the overall efficiency and security of the entire system. In nudge theory terms, this is a good example of placing a “designed decision” in front of a security customer.​</p><h4>Engage to Nudge</h4><p>The National Retail Federation estimated 2014 retail losses due to inventory shrinkage at $44 billion. Facing such challenges, the field of loss prevention is one of the most dynamic in security today, and is also a discipline full of nudges.  </p><p>Most retail stores have some form of CCTV monitoring for the prevention and investigation of theft, and this technology can be used to nudge customer behavior. The most visible nudge is conveyed through the placement of a live CCTV video feed at the store entrance.  This provides an immediate environmental reminder to would-be thieves that they are being watched and the store is on the lookout for shoplifters. </p><p>Another frequent nudge is conveyed through employee engagement with customers. According to the ASIS Retail Loss Prevention Council, a staff that greets customers and maintains active engagement with them can significantly reduce retail theft. </p><p>There are actually two nudges here. The first is the interaction between the employee and shopper; the customer is reminded that the employee is committed to the job, and consequently of the risk of getting caught if the shopper decides to shoplift. The second is the employer nudging the employee to habitually engage customers. This is usually accomplished when the employer sets default rules; it becomes the expected norm of all employees through training, feedback, and evaluations. The added benefit is that it allows security and customer service to be on the same side of an issue, and that’s an increasingly rare opportunity.  </p><p>Other possible nudge cues to deter shoplifting are explored in the paper Nudge, Don’t Judge: Using Nudge Theory to Deter Shoplifters, by Dhruv Sharma and Myles Scott of Lancaster University. They include signs that offer to donate profits not lost to shoplifting to charity; attention-grabbing events such as music or videos when customers interact with certain products; and applying the general premise of crime prevention through environmental design (CTPED) to store layouts to increase visibility and surveillance coverage. ​</p><h4>Nudge Training</h4><p>Security nudges have also been incorporated into awareness training. In 2014, the XL Group, a global insurance provider, sponsored an employee challenge. Each time an employee viewed one of the company’s security videos, XL would donate a dollar to charity. The videos were short (usually about a minute long), and focused on helping the employee secure not only vital company information, but personal information as well. The donations also appealed to an employee’s sense of social responsibility by involving a charity. The campaign managed to amass over 10,000 views of security videos, and a hefty charity donation.</p><p>Some U.S. government agencies are also using nudge theory practices in security training. In an effort to train employees on the proper ways to respond to email phishing attacks, one agency offered the following incentive: everyone who correctly followed procedure in a phishing attack exercise was made eligible for a small “Phishing Derby” prize. The cost of the prize was minimal (less than $50 dollars), but offering it greatly increased participation compared with previous exercises.  </p><p>Another agency took a different approach. When the agency sent out reminder notices to employees to complete mandatory security training, it made sure that the notices included the percentage of other employees who had already completed the training. Thus, this approach used peer pressure to conform in a nudge aimed at achieving the desirable result. The result was a higher completion rate, and in a shorter time, than previous years.  ​</p><h4>Developing Security Nudges</h4><p>Nudges can be used anywhere a user is offered a choice to do the correct thing versus the incorrect thing. The keys are understanding your security policy, understanding your users, and sustaining a willingness to experiment.   </p><p>The best place to start is with your own security metrics, especially those that are the most problematic. What areas, process, or programs have been the most troublesome in terms of compliance? A brainstorming session with a good cross section of security personnel (who in this context are serving as choice architects) often results in useful data and ideas for developing nudges. This cross section should include not only program leaders but program users, who are often the source of the most valuable insights—they provide the “ground truth” on how effective existing security measures really are, and on the parts of the program that are most at risk of noncompliance.  </p><p>It’s also important to recognize what kind of decision we’re trying to influence, in the terms sketched out by Thaler and Sunstein:</p><p> • A complex decision: A decision with many variables</p><p> • An overwhelming decision: A decision with many options</p><p> • An infrequent decision: A decision that comes up very rarely</p><p> • A low feedback decision: No obvious feedback from the decision</p><p> • A delayed consequences decision: Where the feedback comes much later</p><p><br> </p><p>Then, according to Thaler and Sunstein, we need to figure out what flavor of nudge to use:</p><p> • Default rules: Change the rule for everybody to a compliant default</p><p> • Environmental reminders: Posters, checklists</p><p><span style="line-height:1.5em;">- Commitment reminders: Constant reminders to steer behavior, like wearing a fitness band as a  reminder to take the stairs</span></p><p> • Designed decisions: Placing the correct decision in front of the customer at the instant the decision needs to be made</p><p><br> </p><p>When implementing nudges, it’s always important to keep two things in mind: ethics and metrics. Ethical nudges don’t compromise the autonomy or the integrity of employees and customers. They simply nudge them into making the correct decision regarding policies they have already agreed to.</p><p>Metrics are necessary both to ensure that the nudges are effective and to justify resources needed to implement them. Few things in business are free; even things that seem small normally have some kind of cost attached to them. The best way to address management on these issues is the cost-benefit approach: have a story to tell, explain the financial and reputational costs of noncompliance, and come prepared with a full cost accounting of the nudge and a plan to for implementation. Make approving your plan the “easy” thing to do. If you haven’t caught on by now, you’re nudging your management. ​</p><h4>Sample Security Nudge</h4><p>Here’s an example case of how security nudges can be developed. Nudgella, the security manager at Company X, has noticed an increase in security incidents involving sensitive company information left unattended in the copy room. So Nudgella sets a meeting with the head of the guard force, along with representatives of human resources and IT, to determine the causes and seek solutions. </p><p>In the meeting, it is determined that the issue with the copy room is that employees are printing sensitive documents to the community printer and then failing to retrieve them. Thaler and Sunstein would call this a “delayed consequences decision.” The person actually printing the document doesn’t suffer any consequences for failing to retrieve it for a period of some time, if at all.  </p><p>Those attending the meeting brainstorm solutions, and three rise to the top for possible implementation: an environmental reminder in the form of signs placed around the office reminding employees of their responsibility to safeguard sensitive information; a default rule that would switch all employees to a “secure print” mode where they would be required to input a code at the printer to retrieve their document; and a commitment reminder in the form of a pop-up window reminding employees to retrieve their printouts every time the print button is clicked on.  </p><p>Now, the managers need to convince the C-suite. They arrange a meeting, and the security manager brings in a well-developed plan that can be implemented at minimal cost. Since the IT folks were brought in at the beginning, the technical solutions of secure printing and pop-up banners are well thought out. Since HR was part of the process, any concerns about ethics and privacy were addressed early on. The guard force has already agreed to make periodic rounds of the copy room to assess compliance and provide metrics reporting.  </p><p>The CEO and CIO couldn’t be happier with the effort. Nudge accomplished.  </p><h4>Embrace Choice, Embrace Change<br></h4><p>Here’s the big picture question for security managers: Is it easier for an employee to comply with specific security policies and procedures, or not comply? If the answer is not comply, some nudges may be in order.</p><p>Given its importance, security compliance can be seen as a high-value, all-encompassing moral imperative. But managers should also view it as a series of choices made every minute of every day by every individual. Thus, it is the job of the security professional to enable every individual to make the correct choice by making those choices the easiest and least painful ones. Security managers are not just compliance enforcers. They should also embrace their role as choice architects, which will lead them to become change architects as well. </p><p>--<br></p><p><em><strong>Sean Benson, CPP</strong>, is a program security specialist at ISS Action, Inc. He is currently leading technology protection efforts on NASA’s Space Launch System. He is the chairman of the ASIS North Alabama Chapter.</em></p> Target TrendsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>When most people think of Orlando, Florida, Walt Disney World Resort comes to mind. The world-renowned theme park makes Orlando the second most popular travel destination in the United States. But there is much more to the city than Mickey and Minnie Mouse. </p><p>Beyond the complex infrastructure that supports Orlando’s 2.3 million citizens, the city is filled with parks and wildlife, the largest university in the country, and a vast hospitality industry that includes more than 118,000 hotel rooms. And International Drive, an 11-mile thoroughfare through the city, is home to attractions such as Universal Orlando Resort, SeaWorld Orlando, and the Orange County Convention Center, the site of ASIS International’s 62nd Annual Seminar and Exhibits this month. </p><p>Hospitality goes hand-in-hand with security in Orlando, where local businesses and attractions see a constant flow of tourists from all over the world. And at the Dr. Phillips Center for the Performing Arts, which hosts events ranging from Broadway shows to concerts to community education and events, a new security director is changing the culture of theater to keep performers, staff, and visitors safe.​</p><h4>The Living Room of the City</h4><p>Open since November 2014, the Dr. Phillips Center spans two blocks and is home to a 2,700-seat main stage, a 300-seat theater, and the Dr. Phillips Center Florida Hospital School of the Arts. The building’s striking architecture, which includes a canopy roof, vast overhang, and a façade made almost entirely of glass, stretches across two blocks and is complemented by a front lawn and plaza.</p><p>After the June 11 shooting at Pulse nightclub less than two miles south of the theater, that lawn became the city’s memorial. Days after the shooting, the Dr. Phillips Center plaza, normally used for small concerts or events, hosted Orlando’s first public vigil. A makeshift memorial was established on the lawn, and dozens of mourners visited for weeks after the attack.</p><p>Chris Savard, a retired member of the Orlando Police Department, started as the center’s director of security in December, shortly after terrorists killed dozens and injured hundreds in attacks on soft targets in Paris. Prior to Savard, the center had no security director. Coming from a law enforcement background to the theater industry was a challenging transition, he says. </p><p>“Before I came here, I was with an FBI terrorism task force,” Savard says. “Bringing those ideologies here to the performing arts world, it’s just a different culture. Saying ‘you will do security, this is the way it is’ doesn’t work. You have to ease into it.”</p><p>The Dr. Phillips Center was up and running for a year before Savard started, so he had to focus on strategic changes to improve security: “The building is already built, so we need to figure out what else we can do,” he says. One point of concern was an overhang above the valet line right at the main entrance. Situated above the overhang is a glass-walled private donor lounge, and Savard notes that anyone could have driven up to the main entrance under the overhang and set off a bomb, causing maximum damage. “It was a serious chokepoint,” he explains, “and the building was designed before ISIS took off, so there wasn’t much we could do about the overhang.”</p><p>Instead, he shifted the valet drop-off point, manned by off-duty police officers, further away from the building. “We’ve got some people saying, ‘Hey, I’m a donor and I don’t want to walk half a block to come to the building, I want to park my vehicle here, get out, and be in the air conditioning.’ It’s a tough process, but it’s a work in progress. Most people have not had an issue whatsoever in regards to what we’ve implemented.”</p><p>Savard also switched up the use of off-duty police officers in front of the Dr. Phillips Center. He notes that it can be costly to hire off-duty police officers, who were used for traffic control before he became the security director, so he reduced the number of officers used and stationed them closer to the building. He also uses a K-9 officer, who can quickly assess a stopped or abandoned vehicle on the spot. </p><p>“When you pull into the facility, you see an Orlando Police Department K-9 officer SUV,” Savard explains. “We brought two other valet officers closer to the building, so in any given area you have at least four police cars or motorcycles that are readily available. We wanted to get them closer so it was more of a presence, a deterrent.” The exact drop-off location is constantly changing to keep people on their toes, he adds.</p><p>The Dr. Phillips Center was already using Andy Frain Services, which provides uniformed officers to patrol the center around the clock. Annette DuBose manages the contracted officers. </p><p>When he started in December, Savard says he was surprised that no bag checks were conducted. When he brought up the possibility of doing bag checks, there was some initial pushback—it’s uncommon for theater centers to perform any type of bag check. “In the performing arts world, this was a big deal,” Savard says. “You have some high-dollar clientele coming in, and not a lot of people want to be inconvenienced like that.”</p><p>When Savard worked with DuBose and her officers to implement bag checks, he said everyone was astonished at what the officers were finding. “I was actually shocked at what people want to bring in,” Savard says. “Guns, knives, bullets. I’ve got 25-plus years of being in law enforcement, and seeing what people bring in…it’s a Carole King musical! Why are you bringing your pepper spray?”</p><p>Savard acknowledges that the fact that Florida allows concealed carry makes bag checks mandatory—and tricky. As a private entity, the Dr. Phillips Center can prohibit guns, but that doesn’t stop people from trying to bring them in, he notes. The Andy Frain officers have done a great job at kindly but firmly asking patrons to take their guns back to their cars, Savard says—and hav­ing a police officer nearby helps when it comes to argumentative visitors.​</p><h4>Culture, Community, and Customer Service</h4><p>There have been more than 300 performances since the Dr. Phillips Center opened, and with two stages, the plaza, classrooms, and event spaces, there can be five or six events going on at once. </p><p>“This is definitely a soft target here in Orlando,” Savard notes. “With our planned expansion, we can have 5,000 people in here at one time. What a target—doing something in downtown Orlando to a performing arts center.”</p><p>The contract officers and off-duty police carry out the core of the security- related responsibilities, but Savard has also brought in volunteers to augment the security presence. As a nonprofit theater, the Dr. Phillips Center has a large number of “very passionate” volunteers—there are around 50 at each show, he says. </p><p>The volunteers primarily provide customer service, but Savard says he wants them to have a security mindset, as well—“the more eyes, the better.” He teaches them basic behavioral assessment techniques and trends they should look for. </p><p>“You know the guy touching his lower back, does he have a back brace on or is he trying to keep the gun in his waistband from showing?” Savard says. “Why is that person out there videotaping where people are being dropped off and parking their cars? Is it a bad guy who wants to do something?”</p><p>All 85 staffers at the Dr. Phillips Center have taken active shooter training classes, and self-defense classes are offered as well. Savard tries to stress situational awareness to all staff, whether they work in security or not. </p><p>“One of the things I really want to do is get that active shooter mindset into this environment, because this is the type of environment where it’s going to happen,” Savard explains. “It’s all over the news.”</p><p>Once a month, Savard and six other theater security directors talk on the phone about the trends and threats they are seeing, as well as the challenges with integrating security into the performing arts world. </p><p>“Nobody wanted the cops inside the building at all, because it looked too militant,” Savard says. “And then we had Paris, and things changed. With my background coming in, I said ‘Listen, people want to see the cops.’” </p><p>Beyond the challenge of changing the culture at the Dr. Phillips Center, Savard says he hopes security can become a higher priority at performing arts centers across the country. The Dr. Phillips Center is one of more than two dozen theaters that host Broadway Across America shows, and Savard invited the organization’s leaders to attend an active shooter training at the facility last month. </p><p>“There’s a culture in the performing arts that everything’s fine, and unfortu­nately we know there are bad people out there that want to do bad things to soft targets right now,” Savard says. “The whole idea is to be a little more vigilant in regards to protecting these soft targets.”</p><p>Savard says he hopes to make wanding another new norm at performing arts centers. There have already been a number of instances where a guest gets past security officers with a gun hidden under a baggy Cuban-style shirt. “I’ll hear that report of a gun in the building, and the hair stands up on the back of my neck,” Savard says. “It’s a never- ending goal to continue to get better and better every time. We’re not going to get it right every time, but hopefully the majority of the time.”</p><p>The Dr. Phillips Center is also moving forward with the construction of a new 1,700-seat acoustic theater, which will be completed within the next few years. The expansion allows the center to host three shows at one time—not including events in private rooms or on the plaza. Savard is already making plans for better video surveillance and increasing security staff once the new theater is built.</p><p>“We really try to make sure that every­body who comes into the building, whether or not they’re employed here, is a guest at the building, and we want to make sure that it’s a great experience, not only from the performance but their safety,” according to Savard. “It’s about keeping the bad guys out, but it’s also that you feel really safe once you’re in here.” </p> TrendsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">“Thousands have lived without love, not one without water,” poet W.H. Auden famously said. In many countries, enjoying a safe and secure water supply is something most take for granted. The United States, for example, has had an “unrivalled tradition” of low-cost, universal access to drinking water, says Robert Glennon, a water policy expert at the University of Arizona and author of Unquenchable: America’s Water Crisis and What to Do About It. In actuality, a safe and secure water supply is never a given, and there are signs that the recent water crisis in Flint, Michigan (covered in Security Management’s May issue), may be a canary in the coal mine for the future of America’s water. The U.S. water and wastewater system is in urgent need of repair and replacement; some of the piping dates back to the Civil War era, experts say. But federal and state funding appropriations have been insufficient for keeping water supply infrastructure in good repair.</span></p><p>“For years, there’s been a general inadequacy in funding,” Glennon says.  As recent proof, Glennon cites the American Recovery and Reinvestment Act of 2009, commonly known as President Barack Obama’s $787 billion stimulus package. “A small fraction of that, less than 1 percent, was devoted to water and wastewater,” he explains.</p><p>The American Water Works Association has estimated that repairing the million-plus miles of water mains across the country, and expanding that infrastructure so that it can adequately serve the country’s growing population, could cost up to $1 trillion over the next 25 years. The U.S. Environmental Protection Agency (EPA) has a lower estimate: roughly $330 billion over 20 years.</p><p>Both of these estimates dwarf the existing $1.38 billion that state and local governments are spending annually on drinking water and wastewater infrastructure, according to statistics from the American Society of Civil Engineers (ASCE). (Using a comparable 20-year time frame, the ASCE estimate comes to roughly $28 billion, or only about 8 percent of the EPA’s estimate of needed funding.) </p><p> Besides inadequate funding for repair, demand is growing, not only from an increasing population but from high-tech industries. Large corporations with cloud computing operations occupy enormous industrial facilities that are air conditioned. “This requires a heck of a lot of water,” Glennon says. </p><p>In addition, environmental factors pose challenges to a secure U.S. water supply. In states like Florida, rising sea levels are pushing into coastal aquifers and causing saltwater intrusion, making the aquifers more saline and problematic for human consumption. </p><p>Worldwide, a possible future water crisis is a problem alarming many, in part because of its potentially disastrous cascading effects on the global economy. A survey released by the 2016 Global Economic Forum found that a water crisis is the top concern for business leaders over the next 10 years. Further in the future, the global water situation continues to look grim, by several measures. By 2030, a stable supply of good quality fresh water can no longer be guaranteed in many regions, and a 40 percent global shortfall in supply is expected, according to the Carbon Disclosure Program’s (CDP) Water Program.</p><p>By 2050, an inadequate supply of water could reduce economic growth in some countries by as much as 6 percent of GDP, “sending them into sustained negative growth,” says a recent World Bank report, High and Dry: Climate Change, Water, and the Economy. Regions facing this risk include India, China, the Middle East, and much of Africa. Water insecurity could also ramp up the risk of conflict and instability—droughts can spur a spike in food prices, which can in turn cause civil unrest and increase migration. While 2050 might seem quite far in the future, water-related challenges are happening right now. The World Bank report also found that 1.6 billion people currently live in nations that are subject to water scarcity, and that number could double over the next two decades.</p><p>Moreover, a water crisis can have a devastating effect on the global economy. The CDP’s Water Program estimates that, if current status quo water management policies are sustained worldwide, $63 trillion in assets will be put at risk. Such economic challenges are highlighting the importance of improved water governance, which includes an emphasis on positioning the water supply so that it is more resilient in the face of challenges due to demand, the environment, and other factors, says Hart Brown, who leads the organizational resilience practice at HUB International and is a member of the ASIS International Crisis Management and Business Continuity Council.</p><p>“In light of the case in Flint, as well as droughts, floods, and the potential competition for water resources, improved water governance is being brought to the forefront of many conversations,” Brown says. When resilience enters the conversation, the challenge becomes creating an “adaptive capacity,” or “diversification of the water and sanitation systems.” </p><p>However, there is no one resilience model that can be successfully replicated for all water supply and treatment plants, because each system is a unique combination of human, technological, and environmental factors, Brown explains. In the United States, a wide range of water systems could potentially benefit from resiliency upgrades, he says. Those include conventional utility piped water supply systems; dug wells and tube wells (wells in which a long pipe is bored into an underground aquifer); rainwater harvesting operations; unprotected water sources such as rivers and streams; and cooperative developments in areas that share transboundary water resources.</p><p> Improving the resiliency of any water system takes investment, but just as important, it takes sound science, Brown says. </p><p>“Water managers need access to the best available scientific information and water risk assessments to support these long-term water-related decisions, including the ability to forecast and plan for important capital expenditures,” he explains.  Businesses also have a role to play, especially those that rely on water for production, manufacturing, agriculture, and power generation purposes, he adds. Some businesses are already being strategic in this area; they consider shared responsibility and sustainability of water systems a core function. </p><p>“Partnerships with local communities are important in the ability to overcome shared water risks,” Brown says. </p><p>Globally, improved resiliency and water management practices, if given sufficient investment, have the potential to pay tremendous dividends, the World Bank report argues. It calls for a three-point approach: improving resiliency to extreme weather events by improving storage capacities, reusing facilities, and other tools; optimizing the use of water through better planning and incentives; and expansion of the water supply, where appropriate, through recycling, desalination, and damns.</p><p>“While adopting policy reforms and investments will be demanding, the costs of inaction are far higher. The future will be thirsty and uncertain,” the report says.</p> Going Dark: A Conversation with the FBIGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">The Going Dark debate. It's been ongoing and reached its boiling point earlier this year when the FBI filed suit against Apple in an attempt to force the company to create a tool to break its default encryption on an iPhone 5c used by one of the San Bernardino shooters.</span></p><p>While the FBI found an alternative method to crack that particular iPhone and the court case stalled, encryption and access to digital evidence is still posing a problem for the bureau when it comes to investigations. </p><p><em>Security Management</em> Assistant Editor Megan Gates sat down with Sasha Cohen O'Connell, the FBI's chief policy advisor for science and technology, to learn more about these issues and the FBI's view of Going Dark. Their conversation has been lightly edited for clarity.</p><p><strong>Gates: From the FBI's perspective, what is the Going Dark problem?</strong></p><p>O'Connell: The issue for us is the inability to get access to digital evidence. This is not a situation where the U.S. Department of Justice is looking for new authorities; it is about exercising the authority we already have…and our inability to access content data, even with due process.</p><p><strong>Gates: When did the FBI begin noticing that it was having a problem obtaining content? Was it before Apple decided to move to default end-to-end encryption on its iPhone operating system?</strong></p><p>O'Connell: It was definitely before that point. There are folks in [the FBI headquarters building] who've been working this for over a decade. </p><p>It's something we've seen coming, and have been trying to raise warning bells about. The big difference was, as you noted, when things started to go to default end-to-end encryption. With Apple's announcement a year ago, it's just an exponential growth. It's not just the bad guys seeking out end-to-end encryption; it's about the bad guys' associates, and the bad guys' victims, and trying to exonerate people falsely accused of crimes.</p><p>When you reach a world of default, you're touching all of those people as well as just the small sub-set that might seek out that kind of end-to-end encryption.</p><p><strong>Gates: Beyond encryption, what are some of the other issues that you're seeing when it comes to Going Dark?</strong></p><p>O'Connell: Things like anonymization. There are situations where it's increasingly difficult for us to get to attribution—the ability to operate anonymously creates a whole set of issues for us when it comes to investigations. That's one kind of classic example.</p><p>There's a more basic example around simple data retention, too. We serve a warrant on a company, and they just frankly don't keep the data. So again, the outcome is the same. We don't have access with legal process to that content that we need.</p><p>And then the encryption piece, of course, is just the end-to-end encryption. We don't have a problem with encryption. We love strong encryption; we use strong encryption. We encourage others to do so. We have no issue with encryption. The issue comes when it's only that end user that has access.</p><p>We work all the time with companies that use, what we term, provider access. That works wonderfully, in terms of matching up with legal process. The easiest way to explain it is to look at the phone I carry. Nothing on it is classified, but there's a lot of sensitive information on it and it is encrypted.</p><p>But you better believe if I get hit by a bus tomorrow, the bureau can get into this. That's because there's an enterprise access point, that obviously we carefully manage. But it exists. And most companies use the same model.</p><p>Major e-mail providers, for business reasons, that want to push ads or scan for malware and scan for spam do this. You can't do that if you can't take content, so that's provider and controlled access.</p><p><strong>Gates: Why do you think that encryption use has increased dramatically over the past few years? Is it because of the increase in data breaches or a rise in privacy concerns after the Edward Snowden leaks?</strong></p><p>O'Connell: We're certainly not the experts. We don't know why the market does what it does. But I think, we encourage the use of encryption. So the FBI is out there saying, 'Use strong encryption.' And that is again, because of the increased focus on data security. As our lives move online, and our personal information moves online, there's no doubt that there's an increased concern around data security. We're leading that charge; there is no doubt about it.</p><p>What we want to point out is not throwing the baby out with the bathwater—not having data security at any cost. There are multiple values, so it is a balance between data security and other kinds of public safety issues.</p><p>There's never going to be absolute data security, so the question is, where in that range can we be? We see products today that exist in that safe range that also allow us to exercise our lawful authorities. We just don't want to slip to a place where we're in a situation where it's data security at all costs, at the expense of any other values.</p><p>If we're heading that way, we just want to make sure that we're doing that in an informed way—that we understand what it means when we go all the way to the end for data security.</p><p><strong>Gates: What's your ideal solution to the current problem? If the FBI could have anything it wanted, what would it want to see done?</strong></p><p>O'Connell: Director Comey's addressed this recently. He said his job is two things. One, right now we need to keep investigations moving forward. We have no option—that's our obligation. So we will do what we need to do within legal parameters to do that. That's where you've seen some litigation in the past couple months. </p><p>Then the other thing is he feels a real obligation to help inform the country to make informed decisions. Because at the end of the day, it is not our decision to make. But what we want to ensure is that people understand the trade-offs and the implications.</p><p><strong>Gates: Right now, there's no immediate solution. Beyond what Congress may or may not do, do you think the FBI needs more resources and needs to increase its technical knowledge and skill to keep pace with technology?</strong></p><p>O'Connell: We can't resource our way out of this problem. This is a global problem; this is a problem for our state and local partners who will never have the resources. If we continue on the trajectory we're on, there's no way to resource out of that.</p><p><strong>Gates: Many counter-arguments have been raised about Going Dark. One report from Harvard University and Hewlett said we're not Going Dark, that we're living in a golden age of surveillance. What do you think of that criticism?</strong></p><p>O'Connell: There's more data available today, so there's two issues. One, what's the denominator? Everything's online now, so there's more accessible. But you also have to remember, there's nothing left in the pocket.</p><p>In the past, we'd get a subject and there'd be pocket litter or there might be a written diary, or notes by the phone. None of that exists anymore.</p><p>Then we get to the nature of the data that's available, and this gets to the metadata conversation. 'Well, can't you just use metadata? Doesn't that solve all your problems?' Metadata is wonderful, we use it all the time. But there are some things that it will never do for us. Metadata will tell me that I'm talking to you…but can never tell us definitively what the content of that conversation is.</p><p>That has a number of problems. Maybe we know, based on other things, that we're planning an attack and the timing is being discussed, and the FBI doesn't know. So content is king when it comes to investigation and also prosecution, when you think about showing intent.</p><p>As we move up and request authority from the courts or inside our building for additional authorities, we often have to show that the metadata is not enough. If you're going to go up on a wiretap, part of the thing you have to demonstrate is that metadata is not enough.</p><p><strong>Gates: Other experts, like those quoted in the MIT report </strong><strong><em>Keys Under Doormats </em></strong><strong>and in the Cryptographer's Panel at the RSA Conference keep saying that the type of encryption the FBI wants people to use, provider access, is introducing vulnerabilities that someone else could potentially exploit and is not a good idea. What's your response to that criticism?</strong></p><p>O'Connell: When you talk about what is technically feasible it's important to distinguish between normative, academic conversation and a practical conversation. When you're in the world of normative and you're with folks who are academics—who I love and we want them involved in this process—the conversation is around perfect data security.</p><p>When you're in the world of real world limitations, we know there's no such thing as perfect security. People make tradeoffs every day. Perfect security outside of an academic context doesn't really exist. </p><p>Academically, they're correct. Any entry point, no matter how managed, does introduce vulnerability. Of course it does. But move over in the real world, where we use real products every day that for convenience, for advertising, for spam tracking, for a thousand reasons that also make sense to us, we're still within a reasonable risk or what the market has accepted as a risk. </p><p><strong>Gates: If the Going Dark issue isn't addressed, what's the worst case scenario from the FBI's perspective?</strong></p><p>O'Connell: We think about it in four buckets. One is we see a delay in cases. You see this, for example, in San Bernardino. There's a delay. If we can't get access to evidence, there's going to start to be a delay. </p><p>The second piece is, we see a diversion of resources. So when we have a situation, we ask people, 'Can you break in?' Sometimes we can. As our head of science and technology says, 'When the moon's aligned just right and I have a coat hanger, sometimes we can.'</p><p>But it takes a lot of resources, so we're taking those from other things we're doing. That has some impact on other work if we're just focused on one case and have a situation where we're successful, but it took three units of people two weeks. Again, you've got the delay problem, and now you also have the diversion of resources problem.</p><p>After that, you have the two scenarios we worry the most about. One, our inability to prevent something. In that time delay, something happens that we were unable to prevent because we couldn't see that content. Or, on the other side, we can't solve something. </p><p>Imagine a world where this is not solved. You're going to have the FBI slower, and state and local as well. You're going to see this across the country.</p><p><strong>Gates: The head of EUROPOL also recently came out and said that it's facing the same challenge. Do you see law enforcement beyond the United States having these same issues, and wanting similar access to data?</strong></p><p>O'Connell: Absolutely. All of our partners are in the same situation. Everyone we work with; everybody has the same challenges we do. </p><p>We're in a unique position because most of the companies that make the best products are here in the United States, so it amps up the issue for us. But there's no doubt that this is an international problem that will, probably, likely be solved with international norms. There's got to be some sort of consensus globally—to the extent that it can happen.</p><p><strong>Gates: Is it realistic to think that people are going to come together—internationally—to solve this Going Dark issue?</strong></p><p>O'Connell: I think that's what the companies want; frankly, it would be easier for them. What they don't want is a patch work of solutions…we've heard from companies that it would be nice if it was uniform globally because their worst case scenario is a patch work of different rules. And we're starting to head down that path. </p> TrendsGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">Dashboards and cross-platform software systems are tech trends that can help security professionals organize data into actionable intelligence. A software manufacturer uses cloud technology to manage incidents, an airport uses data to track parking lot use, and a health insurance provider uses a real-time dashboard to provide improvements in everything from visitor management to officer dispatch times.</span></p><p><strong>High velocity and high volume. </strong>This basic definition of Big Data is logical to most security professionals. However, the industry has been grappling with the practical applications of all that information. Some practitioners see Big Data as a solution looking for a problem while others are waiting to see where the technology will lead.</p><p>Most industry professionals are just overwhelmed, according to Brian McIlravey, CPP, executive vice president of command center applications at Resolver in Toronto, Ontario, Canada. “In the old days we didn’t have quite as much information to deal with,” he says. “We had access control and cameras. It was easy to take data out and track small trends. The difference now is the sheer amount of data available.”</p><p>However, this difference is one of scale—not efficacy, according to McIlravey. “Companies shouldn’t need to search for answers in Big Data. It should be a perfect fit,” he says. “It should shout ‘we have found a problem in the data!’”</p><p>Following are the stories of three security professionals who listened to the data and heard it shout. Their experiences, they contend, are portents of Big Data successes to come. </p><h4>Connections </h4><p>“We want to be more efficient for our benefit and for our customers’ benefit. We are looking for real-time situational awareness across our organization,” explains Brian Weaver, telecommunication analyst for the Minneapolis-St. Paul International Airport, Metropolitan Airports Commission (MAC) in St. Paul, Minnesota. “MAC wants to capitalize on existing information we already have and use that data creatively while still keeping it secure and safe.”</p><p>Two years ago, MAC purchased a software platform to pull data from various sources and share it among MAC stakeholders. MAC, which operates the Minneapolis-St. Paul Airport as well as six other regional airports, generates data on everything from flight arrivals to parking statistics to access control data.</p><p>Approximately 300 end users operate the platform. This diverse group includes baggage handling system operators, tarmac operations, police, airlines, and Transportation Security Administration (TSA) representatives. “All these different groups are collaborating using the same information for their business needs. That’s why that data is so important,” says Weaver. “The goal is to control that data, use it, and audit it. The platform provides us a great deal of command and control.”</p><p>Weaver and his team use the platform to link video and data. For example, MAC will be using a point of sale (POS) system connected to the parking ramps. Customers will be able to pull into the lot and park their vehicles for 30 to 60 days. In some cases, drivers will claim to have lost their tickets forcing MAC to charge a standard, maximum fine.</p><p>Once implemented, the platform can tie the POS system to security’s license plate reader (LPR) software. By combining these two systems, the specific vehicle is linked to its transaction data, providing the accurate parking duration. “We can then say ‘no, your vehicle has been here for 60 days,’” explains Weaver. (He notes that the use of LPR data is restricted by both state and federal statute and MAC works within those guidelines to ensure that it does not collect or view the personal data of drivers.)</p><p>Weaver is currently in the process of expanding the program to newly constructed parking ramps. He will be running algorithms against the LPR data to determine how many drivers from different states are parking in certain areas of the ramps. This information helps elevate security within the organization by contributing to MAC’s strategic efforts. “This data will help the marketing department, parking operations, and police,” according to Weaver. “Say 500 cars are from Wisconsin or from Iowa. We can then target marketing to those particular states. Parking and police can track lost or stolen cars to a smaller physical section of the parking area and generate vehicle counts for ramp occupancy.”</p><p>Similarly, the data will eventually guide the parking group that manages the parking structures. The data can provide statistics on how long people park and where they park. “The data is not being fully used,” says Weaver. “It hasn’t been linked or tied into the various systems. It’s smart data but there is no intelligent means to search it or reorganize it.”</p><p>MAC currently has 25,000 parking spaces and the construction will add 5,000 new spaces. New data-gathering technology is being planned to integrate these systems into the project. For example, MAC is including an enterprise-level intercom system and associated mapping of those intercoms to tie back to the system, along with video camera feeds using geographic information system (GIS) locations.</p><p>Another big data project includes airline flight display data. Airlines use an overlay of that data—arrivals and departures—on the security camera feeds. This allows security and airline personnel to look at the video from a gate and instantly see that flight information data. </p><p>Using a grant from the TSA, Weaver obtained approval to significantly upgrade the system last year and has started connecting even more systems via the platform. “This summer, we are rebuilding our lab environment for testing the data interactions, then we will push solutions out to the production environment by the fall,” says Weaver.</p><p>An example of a project already in the works is integration of video, alarms, and the baggage handling system. If a bag jams or the belt is inoperable, the stoppage will trigger an alarm. Simultaneously, a video feed will automatically show the baggage jam to determine what is causing the problem and dispatch maintenance staff accordingly. Weaver hopes to tie various other airport systems together along with security camera feeds in a similar manner.</p><p>Weaver notes that while some of the projects in the pipeline are hypothetical at this point, they are all feasible if integrated properly. Even something as simple as a sensor for a burst pipe, for example, can be tied in with cell phones, GPS systems, and maintenance dispatch. “The video system has traditionally been only a security tool, but now we are looking at the organization-wide applications for real time situational awareness,” says Weaver. “It’s a better return on investment and we are providing a business use case for this data.”​</p><h4>Virtualization </h4><p>As senior director for global security technology, investigations, and services for Microsoft Corporation, Brian Tuskan knows that he had a head start in the race to use Big Data. “I see a lot of security directors get in trouble with the latest hardware that doesn’t integrate,” he says. “The benefit of working for Microsoft is the integration. Whatever tech we build within our infrastructure has to be on the Microsoft platform.”</p><p>The advantage is critical for Tuskan, whose overall responsibility for enter­prisewide security means he must un­derstand and manage the physical security needs of the global organization with the help of 18 full-time employees and 350 contract security officers.</p><p>Leveraging the advanced state of integration at Microsoft, Tuskan and his team built software to monitor the data gathered from physical security devices to assess the health of the overall program. “We already had a tool that many data centers use to manage the health of their servers,” Tuskan explains. “It measures run time and failure rates, for example, to help you plan for life cycle and repair maintenance.”</p><p>Two years ago, one of Microsoft’s third-party contractors approached Tuskan with the idea for using the same type of system to assess every IP device on the network. Microsoft approved the project, and now more than 15 types of devices, including duress alarms, cameras, and access control points, are monitored. </p><p>More than 27,000 security devices are constantly pinging the operations center, providing real-time information on their operational health. A dashboard organizes and displays the data. The systems center operations manager then uses an algorithm to analyze that information. </p><p>Mapping software allows for easy visualization of the equipment. Not only does the software help avoid the problem of finding out that a camera has failed after an incident, it also shows security all the hot spots—what needs to be repaired immediately and what sensors are near failure. “Now, we can build in a budget for repair and maintenance,” says Tuskan. “The data informs a priority matrix detailing what needs to be worked on first and allows for an accurate rollout of maintenance and replacement.”</p><p>With two complete years of data gathered, Tuskan’s team plans to do an assessment to quantify the cost savings. </p><p>One unexpected benefit of the program is its value to the device manufacturers. Security will be able to provide accurate failure rates for all types of equipment. “The software allows us to see when devices are failing in real time,” says Tuskan. “In the future, we hope to be able to predict when devices will need servicing or replacing.”</p><p>Based on the success of this project, Tuskan and his team have turned Big Data loose on Microsoft’s security operations centers. Several years ago, the company merged all 15 of its local security operations centers around the world into three global operations centers.</p><p>A year ago, security was able to reduce those three centers into one global operations center, located outside of Seattle, and a call service center in India. “We saw the power of the cloud. We took data that we used to house in our own servers and pushed it to the cloud,” Tuskan says. “We had availability, redundancy, and a robust IT environment.”</p><p>Using data on operations center calls, Tuskan found that close to 90 percent of activities in the operations center were noncritical. “These were routine events,” Tuskan explains. “These calls were: ‘I’m locked out of my office’ or ‘there’s a door forced open alarm in the cafeteria.’ All this noise for only a few truly significant events.”</p><p>Tuskan’s team is currently using data to hand off the routine inquiries to a third party, leaving the fusion center free to focus on incidents that require decision making. To do this, Microsoft is turning the existing security operations center into a virtual security operations center or VSOC. Instead of having operators managing multiple calls on mundane issues, they will only focus on high-level, life safety, mission-critical calls.</p><p>Security recently held a four-day summit with all key stakeholders to determine what technology would exist in a perfect version of a VSOC. A process mapping expert attended the meeting to focus the group and organize the results. “Dream states get very expensive,” says Tuskan. “But you have to have that discussion. There’s a balance where you need to determine how to change operationally and evolve over time into this new way of leveraging technology.” </p><p>Security is evaluating more than 116 technologies to determine whether they can contribute products to the VSOC. Tuskan and his team must now assess them to see whether they fit into the overall vision of the project. </p><p>Tuskan says they are looking to build a tool for operations that will pull out the information needed and put it on a white wall—a single-view platform. Key decision makers could carry a device that displays the command center virtually anywhere, even in a hotel room halfway around the world. </p><p>No matter how high-tech the solutions get, Tuskan notes that the goal is to get appropriate solutions to meet quantified needs. “We can accurately assess what sort of funds we will need. Many security departments are forced to budget through fear. We use data.”​</p><h4>Operations</h4><p>In charge of building security for an insurance company, Jonathon Carrell manages 24 facilities in four states and protects the 4,000 employees who use them. Almost two years ago, Carrell wanted to use data to help guide his team of around 20 in-house employees and 50 contract staff members. </p><p>“All of our data was largely trapped in silos with few viable options to correlate data between systems. For the most part, we were left with the lackluster reporting tools built in to each individual system,” says Carrell. “These tools have often proven to be pretty limiting and not very conducive to meaningful data analysis.”</p><p>When Carrell started assessing the company’s data collection and analysis system, he found that some functions had reporting features built in. However, most of these were inflexible and provided information only from predesigned fields. Much of the existing data could not be retrieved or filtered. The few systems that did have custom reporting allowed the user to choose a specific field, but did not allow more complex analysis, such as through nested queries, for example. </p><p>However, had the reporting function been flexible, it would still have been insufficient, according to Carrell. “Even with the best reporting, we still couldn’t blend information from multiple databases,” he says.</p><p>Carrell purchased a product manufactured by Tableau in Seattle, Washington, that allows him to pull data from multiple sources, blend it, and place it into a real-time dashboard.</p><p>After Tableau was installed, Carrell began integrating the company’s various reporting systems to automate different processes. The result is live data connections companywide. “If someone is terminated, that is noted in the HR system and then goes to security’s watch list. Then the visitor management system deactivates the former employee’s badge,” explains Carrell. </p><p>Efficiency was the driving factor from senior management, according to Carrell. “I wanted to know what we were spending our time doing and how we could better allocate staff,” he explains.</p><p>An early discovery was that the operational specialists in the security department were running audit reports for access control and video management systems. However, the staff members responsible for those systems were already trained to do those reports and were far more familiar with the systems in question. Switching audit reporting duties resulted in greater efficiency and accuracy.</p><p>Carrell has used the system to assess the security department’s performance. “After tracking our alarm response time over the last two years, we noticed a big difference between the dispatch times of our in-house staff and our contract staff,” he says.</p><p>To combat the problem, Carrell established a mentorship program for in-house staff to tutor the contract staff. Though there’s still a gap in performance, that gap has closed significantly and now meets corporate targets. “Our plan is that the mentoring program will slowly and steadily improve contract performance until it matches our in-house team,” he says.</p><p>With the project’s success, Carrell says that the rest of the company has become more open to sharing and analyzing data. “We’ve witnessed a huge push to begin integrating our systems largely for operational benefits, but this also had an interesting side effect,” he says. “Once we began talking about how the different systems could interact and communicate with one another, we began considering a broader spectrum of questions that could be asked when blending data between various data sets.”</p><p>For example, after replacing an aging access control system, Carrell and his team began to explore the possibilities to determine whether they can integrate video management or tie into HR or internal audits. “At first, we had some pushback from employees,” he says. “But over the last year, we’ve seen a lot more openness.”</p><p>Carrell says that the system sells itself as security successfully integrates more systems. Employees become more confident and they can easily see how they could benefit from the technology.</p><p>“The ability to easily correlate data among corporate systems gives us a much broader lens to evaluate not just what’s happening now, but in some cases, to identify corporate risks before an event takes place and take action,” says Carrell.  ​</p>