
April 2017 Online (2017-04-01)
<h4>RISK MANAGEMENT</h4><p>For federal agencies, enterprise risk management (ERM) provides ways to better anticipate and manage risk. In a recent report, <em><a href="">Enterprise Risk Management: Selected Agencies’ Experiences Illustrate Good Practices in Managing Risk</a></em>, the U.S. General Accounting Office describes its enterprise risk management framework. It enumerates six essential elements for implementing ERM. The report also identifies what works and provides real-world examples of best practices from federal agencies that are using ERM.</p><h4>RETAIL SHRINK</h4><p>Two retail industry groups supported recent research exploring how retailers view the problem of loss across their business. <a href="" target="_blank">The resulting report</a> explains how a new definition and typology for shrinkage might better capture its impact.</p><h4>ELECTION INFLUENCE</h4><p>In an <a href="" target="_blank">unprecedented unclassified report</a>, the U.S. intelligence community detailed Russia’s recent efforts to influence the 2016 U.S. presidential election.</p><h4>TERRORISM PERCEPTION</h4><p>How does a <a href="">terrorist attack in a person’s own community</a> change their perception of terrorism?</p><h4>HATE CRIMES</h4><p>Of all religious groups, Jews continue to be the most targeted in the United States, according to the findings of a new report. The study, <em><a href="" target="_blank">Terrorist Incidents and Attacks Against Jews and Israelis in the United States, 1969-2016</a></em>, examined the FBI’s annual hate crimes report for the years under study.</p><h4>RANSOM</h4><p>The New America Foundation examines hostage taking and outcomes in a new report, <a href=""><em>To Pay Ransom or Not to Pay Ransom</em></a>.</p><h4>GOVERNMENT CLEARANCES</h4><p>Charles Phalen, Jr., director of the U.S.
National Background Investigations Bureau, talks about government background checks and how he hopes to improve the process <a href="/Pages/A-Conversation-with-the-Director-of-the-U.S.-NBIB.aspx" target="_blank">in an interview</a> with Associate Editor Megan Gates.</p><h4>BIOMETRICS</h4><p>The global biometrics technology market is projected to be worth $41.5 billion by 2020. Find out more about expected market growth by biometric type and technology highlights from a <a href="/ASIS%20SM%20Documents/IFT042E_Report%20Overview.pdf">BCC Research report</a>.</p><h4>SURVEILLANCE</h4><p>European Union (EU) member states may not impose general obligations on electronic communications services to retain data, <a href="" target="_blank">the EU Court of Justice recently ruled</a>. The decision was a blow to the recently enacted U.K. Investigatory Powers Law, which allows the U.K. Home Department to require public telecommunications operators to retain all data related to communications for no more than 12 months.</p><h4>PRIVACY</h4><p>U.S. agencies <a href="" target="_blank">published a final rule</a> that requires contract employees who handle personally identifiable information or work with a system of records to complete privacy training.</p><h4>CORRUPTION</h4><p>Global construction conglomerate Odebrecht S.A. and petrochemical company Braskem <a href="" target="_blank">pleaded guilty</a> and agreed to pay penalties of at least $3.5 billion to resolve U.S., Brazilian, and Swiss charges of bribery.</p>
Loss
<p>The world of retail has relied on the word “shrinkage” for more than 100 years to describe the losses companies experience as they go about their business.
Shrinkage, however, is almost a euphemistic term describing a simple contraction in the size of the stock held by a company, without offering any real sense of what the cause might be.</p><p>In this way, the term is similar to “shoplifting”—a rather benign term often used by the industry to describe people actively engaging in criminal acts of theft in stores. For comparison’s sake, you rarely see burglars or robbers described as houselifters or purselifters.</p><p>Four buckets of loss tend to be included in survey descriptions of what shrinkage is: external theft, internal theft, administrative or process errors, and vendor fraud. The term “administrative error or process failures” is particularly vague; depending upon the type of retailer and the types of products sold, it can potentially cover an enormous array of types of loss, including damage, spoilage, product going out of date, and incorrect price adjustments.</p><p>A retailer selling food and using a shrinkage definition that includes food spoilage will have a different level of loss compared to a retailer selling clothing or auto parts; yet, many shrinkage surveys continue to combine this data together to generate an overall figure for the industry.</p><p>To date, there is no consistent, detailed definition or typology of shrinkage. It is a term that is used throughout the industry, but interpreted in different ways depending on the retail environment and the prevailing organizational culture and practices.</p><p>There is a constant desire to understand what the root causes of shrinkage are: Is it mainly external thieves? Is it the staff employed by retailers helping themselves to the stock? Is it due to organizational inefficiencies?
Or is it caused by retail suppliers wrongly delivering on purpose or through error?</p><p>Surveys will often provide numbers that supposedly apportion the total shrinkage losses to each of these types of losses, with external theft frequently—but not exclusively—seen as causing the largest amount. </p><p>The reality is that what these reported shrinkage numbers are actually measuring is what respondents think the causes of shrinkage might be. They are much more a gauge of how the loss prevention industry is feeling than any true measure of the breakdown of losses within the retail industry.</p><p>This is because the vast majority of current shrinkage data collected by retailers is based on periodic audit data collected in stores and sometimes in parts of the distribution network. This data captures the difference between the value of stock retailers think they have and the amount that can be physically counted. The difference between the two is how most companies measure their shrinkage.</p><p>But all this data does is provide a value of how much stock is not there. What it does not do is offer an explanation as to why it has gone missing: Was the stock delivered to the retailer? Did a customer steal it? Was it damaged or stolen in the supply chain? Did an employee steal it? </p><p>The causes could be many and varied, but what is clear is that audit data is rarely good at explaining why discrepancies exist; it simply captures the value of losses where the cause is unknown. Attempts to apportion causes to this data will always involve a high degree of guesswork and personal prejudice.</p><p>Retailing has gone through some profound changes since shrinkage was first used back in the 19th century, not least the introduction of open displays, the growth of branding, greater consumer choice, introduction of credit cards and debit cards, the rise of online shopping, and the widespread use of various types of self-service checkout systems, to name a few. 
</p><p>Yet, throughout this time of enormous change, the retail industry has continued to use a term that vaguely captures the difference between expected and actual stock values as the core measure of loss in their businesses.</p><p>Given this, it’s time to reconsider how retail companies understand and measure the losses they experience and to develop a more consistent approach to enable future benchmarking activities to offer more meaningful and applicable information.​</p><h4>Total Retail Loss<img src="/ASIS%20SM%20Callout%20Images/0417%20Cover%20Story%20Infographic.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:652px;" /></h4><p>Both the Retail Industry Leaders Association’s Asset Protection Leaders Council, based in the United States, and the ECR Community Shrinkage and On-shelf Availability Group, headquartered in Europe, supported a research project led by the author to explore how retailers currently view the problem of loss across their business and develop a new definition and typology that might better capture their impact. </p><p>The research, detailed in the report Beyond Shrinkage: Introducing Total Retail Loss, used several different methodologies: an extensive literature review; a questionnaire to a group of large European retailers; 100 face-to-face interviews with senior directors of 10 of the largest U.S. retailers; and a series of workshops and focus groups with loss prevention representatives from a range of European retailers and manufacturers.</p><p><strong>Loss versus cost. </strong>One of the difficulties of benchmarking any retail business using shrinkage is understanding what categories of retail loss are included or excluded. 
</p><p>Some companies taking part in this research adopted strict criteria: shrinkage is only the value of their unknown losses based upon the difference between expected and actual values; anything else is regarded as known and, therefore, not included in the calculation.</p><p>Other companies were much more inclusive, incorporating other types of loss ranging from damages, wastage, spoilage, and price markdowns to the costs of burglaries and robberies.</p><p>Part of this definitional variance seemed to be based on how respondents interpreted the difference between what could be considered a “loss” compared with a “cost,” the latter being viewed as an everyday planned and necessary expenditure for the business to achieve its profit goals. Respondents varied considerably in how they interpreted the difference, although many made a key distinction between the value of the outcome and how this differentiated costs from losses.</p><p>“Costs—they bring value to the business; they are incurred because there is a perceived positive purpose in having them. They are part of the revenue generation process and without them, profits would be negatively impacted,” one respondent said. “Losses are things which, if they didn’t happen, there would be no negative impact upon profitability. They do not offer any real value to the business and simply act as a drain on profitability.”</p><p>It was also instructive to hear how some respondents adopted a process of normalizing what some considered to be losses into costs. One respondent explained that “we plan a lot of those costs [possible types of losses], so when we’re looking at it from a planning perspective, we have that built in—anything that we can account for and process and know what it is, we take more so as a cost rather than a loss when we’re defining it.”</p><p>Another respondent talked about how the planning and budgeting process enabled many losses to be redefined as costs.
“If it goes above budget, then it becomes a loss; otherwise it is a cost,” the individual explained, while another respondent was blunter: “We try and convert as much of [losses] to costs; it’s then not on my agenda anymore. I deal with shrink.”</p><p><strong>Definition. </strong>From the interviews with senior U.S. retail executives and feedback from the roundtables held in Europe, definitions of costs and losses were eventually developed.</p><p>Costs were defined as “expenditure on activities and investments that are considered to make some form of recognizable contribution to generating current or future retail income.”</p><p>Losses were defined as “events and outcomes that negatively impact retail profitability and make no positive, identifiable and intrinsic contribution to generating income.” Using these definitions, various types of events and activities could then begin to be categorized accordingly. </p><p>For example, incidents of customer theft can be considered a loss—the event and outcome play no intrinsic role in generating retail profits—because it makes no identifiable contribution and were it not to happen, the business would only benefit.</p><p>Alternatively, incidents of customer compensation, such as providing a disgruntled shopper with a discounted price, can be seen as a cost. In this case, the business is incurring the cost because it believes compensating the aggrieved consumer makes the individual more likely to shop with the business in the future. The policy of compensating is an investment in future profit generation and is categorized as a cost—not a loss.</p><p>Another example of a loss is workers’ compensation, where a retailer will cover the legal, medical, and other costs associated with an accident at work, such as falling off a ladder. There is no intrinsic value to the business if an employee is injured at work; if it had not happened, the business would only benefit by not having to pay for the consequences of the event. 
Therefore, workers’ compensation is a loss.</p><p>While some respondents to this research argued that workers’ compensation is a predictable problem that can be—and is—budgeted for, it still remains an event that the retailer would prefer not happen because it negatively impacts overall profitability.</p><p>In contrast, expenditure on loss prevention activities and approaches, such as employing security officers or installing tagging systems, can be seen as a cost. The retailer has committed to this expenditure because it feels there will be some form of payback from the investment: lower levels of loss, which in turn will boost profits. Whether this payback is measured or achieved is open to debate.</p><p>What these examples focus on is not whether an activity or event can be controlled or whether the incurred cost was planned, but its fundamental role in generating current or future retail income. If a clearly identifiable link can be made between an activity and the generation of retail income, then it should be regarded as a cost; all those activities and events where no link can be found should be viewed as a loss.</p><p><strong>Categorizing losses</strong>. In developing the categories of the Total Retail Loss Typology, it was important to draw a distinction between the types of loss that can be measured in a way that is manageable for modern retail business, and those that cannot. </p><p>Additionally, it was important to consider the value of collecting data on a given loss indicator. Is it meaningful for the business to monitor a category of loss? 
Will its analysis offer potentially actionable outcomes that may help the business meet its objectives?</p><p>There is little point in developing a typology made up of a series of categories that are either impossible or implausibly difficult to measure or once measured offer little benefit to the business undertaking the exercise.</p><p>For example, most retailers would be keen to understand how often items are not scanned at a checkout. While it is theoretically possible to measure this, the reality for most retailers is that the ongoing cost would probably be prohibitive. </p><p>Determining whether proposed loss categories met the three M’s test (manageable, measurable, and meaningful) was an important part of creating a typology likely to achieve any form of adoption across a broad range of retail formats.</p><p><strong>Typology.</strong> The research identified 31 types of known loss that are included in the Total Retail Loss Typology covering a wide range of losses across the retail enterprise and incorporating events and outcomes beyond just the loss of merchandise. The typology is broken down into four locations of loss: store, retail supply chain, e-commerce, and corporate. Each location then has a variety of subcategories divided between malicious and nonmalicious. </p><p>For example, a malicious corporate retail loss would be fraud; a nonmalicious corporate retail loss would be workers’ compensation, regulatory fines, or bad debt. </p><p>However, the term does not encompass every form of loss that a retailer could conceivably experience. The word “total” is being used in this context to represent a much broader and more detailed interpretation of what can be regarded as a retail loss, rather than necessarily claiming to reflect the entirety of events and activities that could constitute a loss. 
In the future, the scope and range of the Total Retail Loss Typology will change to accommodate new forms of loss, and this is welcomed.</p><p>The typology is designed to enable the calculation of the value of retail losses, not necessarily the number of events; where an associated value cannot be calculated or there is no loss of value associated with an incident, it should not be included.</p><p>For instance, if shop thieves are apprehended leaving a retail store and the goods they were attempting to steal are successfully recovered and can be sold at full value at a later date, there is no financial loss associated with the incident. The retailer may still want to record that the attempted theft took place and was successfully dealt with, but it would not be recorded in the Total Retail Loss Typology.</p><h4>Potential</h4><p>The proposed Total Retail Loss Typology is a radical departure from how most retail companies have understood and defined the problem of loss within their companies, moving away from a definition focused primarily on unknown stock loss to one that encompasses a broader range of risks across a wider spectrum of locations.</p><p>While there is a simple elegance about the approach adopted in the past, based upon the four traditional buckets of shrinkage, it is increasingly recognized that these broad-brush and ambiguously defined categories are no longer capable of accurately capturing the increasingly complex risk picture now found in modern retailing. Instead, the Total Retail Loss Typology has the potential to benefit retail organizations by managing complexity, encouraging transparency, creating opportunities, and maximizing loss prevention.</p><p><strong>Managing complexity. </strong>The retail landscape in which shrinkage was first described has been transformed by innovation and change.
Simply relying upon the traditional four buckets of estimated losses to fully reflect and properly convey the scale, nature, and impact of retail losses is no longer appropriate, particularly as the retail environment becomes more dynamic and fast changing.</p><p><strong>Encouraging transparency.</strong> The ambiguous nature of most shrinkage calculations and the difficulty of understanding its root causes generate a lack of accountability, particularly within retail stores.</p><p>Store managers question the reliability of the number, especially where there is a pervasive sense that the supply chain may be foisting losses upon stores that are actually caused by inefficiencies. Unknown store losses can conveniently be blamed upon short shipments or roaming bands of organized thieves, rather than being apportioned to actual events taking place in the store.</p><p>Losses can also be moved between different categories, depending upon the performance measures in place—wastage can quickly become shrinkage if the former is identified as a key performance indicator.</p><p>By measuring a broader range of categories of loss, it becomes much more difficult to play this game; most losses will be measured somewhere, improving transparency and accountability throughout the organization.</p><p><strong>Creating opportunities.</strong> A recurring theme from the research was the lack of prioritization and urgency associated with categories of loss that had already been measured or for which a budget had been allocated.</p><p>Many respondents were quick to view these factors as a cost and, therefore, as not requiring any remedial action by the business.
In effect, the process of capturing the loss or planning for it through budget allocation rendered them immune from concern over the actual loss.</p><p>By adopting a systematic approach and agreeing on the definition of a retail loss and bringing these together under a single typology, opportunities may arise to minimize the overall impact of loss upon the business.</p><p><strong>Maximizing loss prevention.</strong> Dealing with an unknown loss, which is what most loss prevention practitioners typically focus on, is probably one of the hardest challenges faced by a management team in retail. This requires the team to develop a high level of analytical and problem solving capacity.</p><p>Trying to solve problems where the cause is typically unknown is also at the hard end of the management spectrum. It requires creative thinking, imaginative use of data, and considerable experience. Imagine if these capabilities were used on the broader range of known problems encapsulated in the Total Retail Loss Typology. The impact could be profound.</p><p><strong>Using resources. </strong>By generating a broader, more detailed understanding of how losses are impacting a retail organization, it may be possible to take a more strategic approach to the allocation and use of existing resources.</p><p>The Total Retail Loss Typology could offer value in how businesses not only respond to existing loss-related challenges, but also use it to review the implication of any future business decisions. 
</p><p>The interplay between sales and losses needs to be viewed in the round and not as a series of cross-functional trade-offs where losses and profits are allocated separately, driving behaviors that are unlikely to benefit the business.</p><p>It’s within this context that the Total Retail Loss Typology has been developed—to enable retail organizations to better understand the nature, scale, and extent of losses across the entire business, and to use this information to make more informed choices about how to grow profits and improve customer satisfaction.</p><p>As the pace of change in retail continues to intensify, it’s time for the loss prevention industry to begin to move away from a notion of loss developed in the 19th century to one that better reflects and recognizes the complexities and challenges found in the 21st century.</p><p><em><strong>Adrian Beck </strong>is a professor of criminology in the Department of Criminology at the University of Leicester in Leicester, United Kingdom. Beck undertook the study Beyond Shrinkage: Introducing Total Retail Loss commissioned by the Retail Industry Leaders Association’s Asset Protection Leaders Council and is an academic advisor to the ECR Community Shrinkage and On-Shelf Availability Group.</em></p>
Evolution of Airport Attacks
<p>The bustling Brussels Airport in Zaventem, Belgium, handles more than 500 flights a day, bringing more than 27,000 passengers into the facility with approximately the same number departing. Mornings are particularly busy at the airport, and amid the flurry of activity, it is little wonder that on March 22, 2016, three men emerging from a taxi outside of the departures hall passed through unnoticed.
</p><p>The trio loaded their heavy suitcases onto baggage carts and entered the flow of people heading through the doors toward the ticket desks. Shortly after they entered the departures hall, the three split up to take their places in separate ticket lines.</p><p>Three minutes later, one of the men detonated his suitcase bomb, which had been packed with nails, as he stood in one of the check-in lanes. Approximately nine seconds after that, the second man detonated his suitcase bomb in another lane. The third suitcase bomb did not detonate immediately; surveillance camera footage showed that after being thrown to the ground by the second blast, the third man, Mohamed Abrini, simply got up and walked away from the airport toward the city center. </p><p>It is unknown whether he left because he got cold feet or because his device failed to detonate, but he was later arrested and charged with participation in the attack. Police bomb technicians destroyed Abrini’s bomb-filled suitcase, which they report may have been the largest of the three, in a controlled explosion. </p><p>The attack at Zaventem resulted in 17 deaths. Another 14 victims were killed when a fourth suicide bomb was detonated an hour later in a subway train at the Maalbeek metro station in Brussels. The coordinated attack was the deadliest in Belgian history. It was also a lethal reminder of the continuing threat to the soft parts of airports outside security checkpoints. ​</p><h4>Evolving Tactics<img src="/ASIS%20SM%20Callout%20Images/0417%20Feeature%204%20Infographic.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:466px;" /></h4><p>The air transit system has been considered a prime target since the beginning of the modern era of terrorism. From a terrorist’s perspective, hundreds of people trapped inside a pressurized metal tube at 30,000 feet are ideal targets not only because the victims are so vulnerable, but because of the heavy media coverage such attacks generate. 
</p><p>For example, the photos of TWA 847 pilot John Testrake in the plane’s cockpit window being held at gunpoint by a Hezbollah hijacker became some of the most iconic images of 1980s terrorism.</p><p>Terrorist threats to aircraft spurred a series of security improvements, which were in turn answered by changes in terrorist weapons and tactics. The evolutionary—and deadly—game of cat-and-mouse between terrorist planners and aviation security officials has been occurring since the 1960s.</p><p>Initially there was very little security provided to the air transportation system, but a sharp increase in commercial airline hijackings in the 1960s and early 1970s led to enhanced airline security in the United States and Europe. High-profile hijackings led to greater and more widespread improvements to aviation security worldwide. </p><p>As hijackings became more difficult to conduct, terrorists began to direct their attention to aircraft bombings. Palestinian bombmakers created plastic explosives to look like everyday items in increasingly elaborate efforts to bring them onto aircraft undetected. The result was a number of airline bombing plots in the 1980s using concealed devices. </p><p>In 1987, North Korean agents destroyed a plane using a device hidden inside a radio to set off liquid explosives hidden in a liquor bottle. In another incident in 1986, explosives and the detonating device were hidden in a suitcase under a false bottom and a pocket calculator. Security detected the device before it could be taken aboard the plane. </p><p>Perhaps the most famous of these bombings was Pan Am Flight 103 in 1988, a bombing that killed 243 passengers, including two of my colleagues, U.S. Diplomatic Security Service Special Agents Dan O’Connor and Ron Lariviere. </p><p>Despite security improvements, terrorists continued to focus on attacking aircraft. 
In 1994, an attacker assembled a bomb in the aircraft lavatory and left it on board when he deplaned at an intermediate stop on the flight’s course. The bombing was a dry run for a more complex strike against multiple airlines.</p><p>When security measures were improved in the 1990s to defend against this style of attack, terrorists adapted once again. While planning the 9/11 attack, hijackers used permissible carry-on items—like box cutters—to hijack planes and turn them into human-guided cruise missiles.</p><p>In response to post-2001 security crackdowns to protect against that type of attack, jihadists again shifted their tactics toward onboard suicide attacks with hidden bombs. The first of these was the failed December 2001 shoe bomb attack. When security officers began screening shoes routinely, aspiring airline bombers then shifted to a plot to fill camouflaged toiletry containers in carry-on baggage with liquid explosives.</p><p>The U.S. Transportation Security Administration subsequently introduced restrictions on the quantity of liquids that passengers could bring aboard an aircraft, and, in turn, a jihadist attempted an attack with a device that was sewn into a suicide operative’s underwear.</p><p>Once security measures were amended to address the threat of underwear bombs, attackers turned to cargo aircraft, hiding improvised explosive devices in printer cartridges bound for the United States.</p><p>And the deadly escalation continues today. In November 2015, a bomb concealed in a soda can was smuggled onto an airliner in Egypt, killing 217. Three months later, another bomb, this one disguised in a laptop, was smuggled aboard a flight in Somalia. Fortunately, that bomb only killed the suicide operative when it detonated and the aircraft was able to return to the airport for an emergency landing.</p><p>However, not all attacks on aviation involve hijacking or smuggling bombs aboard aircraft.
Just as terrorists adjusted for heightened security at embassies by targeting traveling diplomats, attackers have found ways to attack airline passengers even as it has become more difficult to attack aircraft. </p><p>Back in the mid-1980s, terrorists attacked crowds of airline passengers beyond the confines of airport security at ticket counters in Rome and Vienna. In November 2002, al Qaeda operatives attempted to attack an Israeli airliner in Kenya with a surface-to-air missile. A 2011 attack at Moscow’s Domodedovo airport took advantage of the facility’s soft areas, as did the Brussels attack. </p><p>In the wake of the Rome and Vienna attacks, perimeter security at airports in Europe was temporarily increased, but due to the cost and effort involved, soon reverted to business as usual. </p><p>Similar short-term increases in security posture at airports across the globe were seen in the wake of the 9/11 attacks and to a lesser extent following Domodedovo.  </p><p>The targeting of the soft side of airports is especially attractive to grassroots groups and individuals who lack the ability to construct bombs sophisticated enough to be smuggled through security. </p><p>The July 4, 2002, armed assault against a ticket counter at Los Angeles International Airport and the June 2007 attack against the Glasgow Airport using a poorly constructed vehicle bomb are examples of attacks against the soft side of airports by poorly trained grassroots jihadists.​</p><h4>Expanding Danger</h4><p>In response to recent attacks in Brussels and Istanbul against the soft side of airports, security has again been increased. However, in many places this increased security is not much more than a show of force intended to reassure the traveling public and to perhaps deter poorly trained would-be terrorists. Without names or bag checks, it is difficult to keep a professional terrorist—especially one who has a ticket—away from the facility. 
</p><p>In some places, more thorough checkpoints have been established away from the airport to conduct initial screening. This tactic can be quite effective at smaller airports, but cumbersome at larger, busier airports where the heavy volume of travelers causes a backlog at the inspection point, thus effectively pushing the target away from the building to the crowd of people awaiting screening.   </p><p>It is important to remember that the objective of terrorist planners is to create a high body count and a large amount of publicity. This means that an attack against the soft side of an airport can be almost as good as an attack against an aircraft, and a successful attack against an airport is better than a failed or thwarted attack against a harder target. </p><p>As the security at airports is pushed outward in response to attacks against the soft sides of airports, and checkpoints are established away from the building, this merely moves the real target—the vulnerable group of people awaiting screening from inside the building—to an area outside of it.   </p><p>This principle was demonstrated during the June 28, 2016, attack against Istanbul’s Ataturk International Airport. In that attack, three operatives armed with AK-47s and suicide vests launched an attack on the soft side of the airport. Coming in the wake of the Brussels attack, and due to the overall high terrorist threat inside of Turkey, security was increased at Turkish airports, and armed security checkpoints were established at the entrances to the departure hall to prevent terrorists from entering the hall like they did in Brussels. </p><p>Shortly after the three attackers exited their cab outside the departure hall, they were confronted by police and a firefight erupted between the police and the attackers. The first operative was able to approach the security checkpoint and detonate his device amid the crowd. 
This device shattered a large window that permitted the second attacker to enter the building and begin searching for a crowd of people to target with his suicide bomb. </p><p>Fortunately, the second attacker was shot and immobilized before he could do so. The third attacker was pursued by the authorities and detonated his device in a parking lot, causing minimal damage like the second bomber. Between the gunfire and the first bomb, however, 45 victims were killed—nearly three times more than in Brussels. The bulk of the victims were outside the security checkpoint at the door to the departure hall. ​</p><h4>Staying Ahead of the Game</h4><p>Moving the security checkpoint outward from the airport simply moves the chokepoint outward, and the crowd of people waiting to get through that checkpoint remains vulnerable. This principle applies to many circumstances and locations beyond airports as well, posing a significant challenge to security professionals. While not an easy problem to address, some methods exist to mitigate the threat.</p><p>First, static security checkpoints themselves are not enough. It is necessary to establish outward-looking protective surveillance that extends beyond the property line. This surveillance also needs to focus on preoperational surveillance rather than just attack recognition. Once the attackers start shooting or detonating bombs, it can be helpful to quickly counter them and limit their access to additional victims, but it is far better to catch them at an earlier phase of the terrorist attack cycle. </p><p>Many large international airports are using surveillance technology that identifies suspicious behavior and alerts operators. The information collected by these programs can be shared with nearby airports, allowing them to keep an eye out for similar activity on their premises. 
</p><p>Terrorists often follow an attack planning cycle and are vulnerable to detection as they conduct the surveillance they require to carry out an attack. Terrorist operatives generally possess poor surveillance tradecraft and are not difficult to spot if people are looking for them. </p><p>But cops or soldiers manning a checkpoint at a door are not normally well positioned to spot such activity. This, ideally, needs to be accomplished by specialized units that have been trained in the craft of detecting surveillance and who are not tasked with manning checkpoints. Teams such as these will patrol parking areas and other spaces further away from the airport to identify potential threats.</p><p>This type of technology and information sharing between airports is imperative because attackers may scope out multiple facilities in a region. It is important for security teams at different airports to foster information sharing by alerting their counterparts to anomalous behavior.</p><p>Surveillance must also go beyond the use of cameras and should use a combination of human agents and cameras integrated with analytic software that can be used to help expand and direct the efforts of the humans. Cameras with nobody watching them are little better than no cameras at all. They may be useful for investigating an attack after the fact, but will be of little help in preventing an attack.  </p><p>Even in a case where the preoperational surveillance is missed and an attack is underway, personnel located beyond checkpoints can help to see problems as they are developing rather than allowing attackers to gain tactical surprise by permitting them to have free rein in areas where they can assemble and coordinate their attack.  </p><p>Furthermore, undercover operators can enjoy tactical surprise themselves and are in a great position to turn the tables on the attackers. 
Action is always faster than reaction, and if the attackers are permitted to draw and shoot first, it gives them a significant advantage over security forces. </p><p>A failed attack against a soft target venue in Garland, Texas, in May 2015, showed that security personnel manning the door of a facility can gain a life-or-death advantage in a firefight if they have advanced warning and a description of a potential threat. </p><p>In the Garland case, the FBI alerted local authorities of a potential threat to the event and provided the suspect’s vehicle description. This passing of critical intelligence prepared local officers for an impending attack. It also highlights the importance of intelligence sharing both horizontally and vertically within the law enforcement and security communities as they seek to secure airports and other soft targets.  </p><p><em><strong>Scott Stewart </strong>is vice president of tactical analysis at and lead analyst for Stratfor Threat Lens. </em></p> and Iris Scans<p>Next time you fly the friendly skies and take a bite of your airline-provided meal, you may be eating food prepared by Gate Gourmet, a global provider of airline catering and services, which has approximately 130 locations in 28 countries. </p><p>“There’s a great deal of skill and care that goes into producing the food that we provide to our customers,” says Richard Newman, director of corporate security at Gate Gourmet for the United States and Canada. “It’s important to Gate Gourmet that we deliver the highest quality product that we can, in the safest way we can.”</p><p>With approximately 25 catering facilities nationwide, Gate Gourmet serves airline clients that fly out of major U.S. airports. </p><p>One of Gate Gourmet’s larger facilities is located at the Washington Dulles International Airport near Washington, D.C. 
Employees at the location produce 18,000 to 25,000 meals a day, depending on the season. </p><p>“The busiest fast food restaurant you can think of probably does about 8,000 meals a day,” Newman says. “We’re doing three to four times that just out of the Dulles kitchen.” </p><p>Who gains access to Gate Gourmet facilities is crucial. “As part of a layered approach to security, it’s important that we make sure that the people that are supposed to be on the inside can get inside, and the people that aren’t, don’t,” Newman says. <img src="/ASIS%20SM%20Callout%20Images/0417%20Case%20Study%20Stats.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:505px;" /></p><p>Beyond protecting its product and the customers it serves, Newman adds that the U.S. Transportation Security Administration (TSA) has its own security guidelines Gate Gourmet must adhere to. </p><p>“Because we’re in the aviation industry—and there is a layer of security that the industry puts on everything that goes on an airplane—those rules apply to us as well,” he explains.  </p><p>The operation at a Gate Gourmet kitchen is complex, Newman says. It includes preparing the meals, packing them onto trucks, and delivering them directly to the airplanes and the flight attendants who will ultimately serve the food. </p><p>“When the trucks come back from the airfield, they’ll bring the carts that have the dirty dishes into the kitchen, then we go through the dishwashing process, wash the equipment, and then the whole process starts again,” he says.</p><p>To monitor the employees coming in and out of work, Gate Gourmet had been using hand geometry at its Washington Dulles location. With this biometric technology, a user places his or her hand over a scanner that measures the shape of the palm. </p><p>While the palm method was effective at identifying employees, it wasn’t necessarily efficient for the company. 
“We wanted to move into something that was faster, easier, and touch-free,” Newman notes.</p><p>In 2013, Gate Gourmet was on the lookout for a new biometric access control solution, and came across the iCAM iris reader from Iris ID at that year’s ASIS International Seminar and Exhibits in Chicago. “I saw their booth at the convention; they gave me a demonstration, and I was impressed,” Newman explains. </p><p>The Iris ID iCAM is a black rectangular box that mounts to the wall with a built-in camera that measures the iris. When a user approaches the scanner, it adjusts to their height; once it enrolls a user, the technology will automatically return to that setting when the employee uses it again. The viewfinder can also be manually adjusted.</p><p> “For many people it can take the picture and recognize your eyes through your glasses, through your contact lenses—that’s helpful to us,” Newman adds. </p><p>When the system is ready for enrollment and iris capture, a user walks up to the reader, standing about an arm’s length away, and a yellow light appears. Once the administrator presses the enroll button, and the user has the camera properly centered on the bridge of his or her nose, the light turns green. The technology also has an automated voiceover that guides the user through the process. </p><p>Once the iris is properly captured, the administrator adds the rest of the enrollee’s information and registers them as a user in the system. “There’s actually not a photograph stored; it’s all reduced to a code through an algorithm and stored in a database,” Newman explains.</p><p>The company evaluated four different solutions from vendors to replace the palm scanner. After narrowing it down to two technologies, including Iris ID’s iCAM, Gate Gourmet began pilot testing the products in February 2014 at Washington Dulles. 
During the testing, which lasted for two months, the company deployed one technology at the entrance where employees report to work and another at the exit where they leave the premises. </p><p>Gate Gourmet was impressed with the speed of the iCAM, as well as with the price point, which was similar to the palm technology already in place. Newman found that enrollment takes a matter of minutes, and daily use is even faster. </p><p>“It takes one or two seconds to check an employee in, which is four times as fast as the technology it’s replacing,” Newman notes. </p><p>He adds that iris identification results in fewer false positives—when the system thinks the iris belongs to someone else who is registered—than other biometrics like palm reading technology. This is because there are so many unique points within the eye that can be mapped out and recorded by the system, says Newman. </p><p>The company ultimately chose to go with Iris ID, and Newman says the deployment process has been seamless. “Of all the technology that I’ve deployed since I’ve started with the company, this has probably been the easiest rollout just because of the nature of the technology.” </p><p>Employees are granted access in and out of the facilities at the beginning and end of their shifts by having their irises scanned in nearly the same way in which they enrolled. </p><p>To be granted access, Gate Gourmet requires dual authentication. In addition to using the iris scanner, employees must introduce a credential to a card scanner. Newman adds that the iris enrollment process is only for employees. Visitors have a sign-in and escort protocol, and “visitors are issued specific media to identify them,” according to Newman. </p><p>The iris identification registration system is administrated from the Gate Gourmet headquarters in Dulles, Virginia, but each location with iCAMs has the ability to enroll and remove people from the system. 
This allows the company to keep the registration updated when employees leave Gate Gourmet.</p><p>The iris scanners are still being deployed across many of its locations, and Gate Gourmet hopes to eventually install the Iris ID iCAMs at all of its U.S. locations.</p><p>Newman emphasizes that upgrading from the previous biometric solution has not compromised security, but only enhanced it, for Gate Gourmet. </p><p>“We’re replacing biometrics with biometrics,” Newman says. “We haven’t surrendered anything by having the iris scanners—this is just the next generation for us.”  </p><p><em>For more information: Tom DeWinter, Iris ID,,, 609/819-4724 </em></p> and Stereotypes<p>Juveniles make up 40 percent of the shoplifters in the United States. Shoplifters, in total, contribute to billions of dollars of loss each year, according to the National Association for Shoplifting Prevention’s 2014 report <em>Shoplifting Statistics.</em></p><p>To combat adolescent shoplifting, according to the report, retailers depend on private security officers combined with other security measures, including security cameras, observation mirrors, and radio-frequency identification (RFID) tags. </p><p>The key to apprehending juveniles during or after shoplifting, however, is to correctly determine whom to surveil. Security personnel often rely on a combination of common underlying physical characteristics—race, gender, and age—and behavioral indices—glancing at clerks nervously, assessing security measures, and loitering—to distinguish shoppers from potential shoplifters. </p><p>Are these surveillance decisions a result of bias? 
To find out, the authors conducted original academic research funded by the John Jay College of Criminal Justice of the City University of New York on how stereotypes play into who is suspected of shoplifting, how that suspect is dealt with, and what private security can do to limit discriminatory practices.​</p><h4>Existing Data</h4><p>A 2003 Journal of Experimental Psychology article, “The Influence of Schemas, Stimulus Ambiguity, and Interview Schedule on Eyewitness Memory Over Time,” which discussed research findings and lawsuits against retailers, concluded that stereotypes of juvenile shoplifters may unduly influence security officers to target juveniles on the basis of their physical characteristics, rather than their behaviors.</p><p>Over the past 20 years, the media has reported on cases in which the retail industry engaged in discriminatory practices. This is known as consumer racial profiling (CRP), “the use of race and or ethnicity to profile customers.” According to a 2011 study in the Criminal Justice Review, “Public Opinion on the Use of Consumer Racial Profiling to Identify Shoplifters: An Exploratory Study,” officers sometimes use CRP to determine which juvenile shoppers are potential or actual thieves. </p><p>Most people develop negative stereotypes about juvenile thieves through exposure to various types of media, particularly when they reside in areas that contain few minorities. The media has the unique ability to both shape and perpetuate society’s beliefs about which juveniles typically commit offenses through its selective coverage of crimes. </p><p>It is also common for the media to portray adolescents—particularly boys—as criminals. 
Biases are then used, whether consciously or unconsciously, in the private sector by retailers and security officers to target shoppers, and in the public sector by those in the legal system, including law enforcement officers, prosecutors, judges, and even legislators, to arrest and prosecute thieves.</p><p>The consequences of applying discriminatory practices can be seen in the private sector through lawsuits against retailers. Ethnic minority shoppers purport that they were targeted through excessive surveillance—and even through false arrests. </p><p>Researchers have shown that this automated bias occurs even when observers were trained to focus on behavioral cues, and it persists despite findings that shoplifting occurs across racial and ethnic groups, according to the 2004 Justice Quarterly article “Who Actually Steals? A Study of Covertly Observed Shoplifters.”</p><p>Stereotypes also affect retailers’ decisions on how to handle shoplifters, either formally by involving the police, or informally. The results of accumulated discrimination, accrued during each step in the legal process—initial involvement of police, decision to prosecute, conviction, and sentencing—continue in the legal system. This is evidenced by the disproportionate number of African- and Latin-American boys shown in the apprehension and arrest statistics of juvenile thieves, compared to their representation in the population, according to Our Children, Their Children: Confronting Racial and Ethnic Differences in American Juvenile Justice, a book published by the Chicago University Press. ​</p><h4>Current Research</h4><p>To test the premise that there is a widespread stereotype of the typical juvenile thief and shoplifter, our research team obtained information from young adults in two diverse areas:  97 psychology-major college students in a small city in the U.S. state of Kansas, and 156 security and emergency management majors at a college in a large city in New York state. 
</p><p><strong>Shoplifter profile. </strong>The psychology-major students were 83 percent European American. The rest of the students were represented as follows: 5 percent African American, 2 percent Asian American, 1 percent Latin American, and 9 percent of mixed or unknown descent.</p><p>The security and emergency management major students—72 percent of whom were male—came from a variety of backgrounds: 31 percent European American, 37 percent Latin American, 19 percent African American, 9 percent Asian American, and 2 percent Middle Eastern American.</p><p>Participants in both locations were asked to guess the common physical characteristics of a typical juvenile shoplifter—age, gender, ethnicity or race, and socioeconomic status. </p><p>The stereotypical juvenile shoplifters described by both the Kansas and New York respondents were remarkably similar: male, aged 14 to 17, and from lower- to middle-class families of African-American, Latin-American, or European-American descent. The two samples also indicated that the stereotypical thief was likely to have short or medium length brown or black hair and an identifying mark—such as a piercing. </p><p>These findings show commonality in the prevalence of certain physical characteristics, despite the diversity of the two groups of respondents, and demonstrate that American society has a well-developed juvenile shoplifter stereotype.</p><p><strong>Decision processes. </strong>After determining the stereotype, the research team considered whether juvenile shoplifter stereotypes affected respondents’ decisions. 
The goal was to determine the degree to which the respondents believed that physical characteristics influenced the security guards’ decisions regarding whom to surveil, and what consequences to apply when a youth was caught stealing.</p><p>The New York respondents read a brief scenario describing a juvenile shoplifter as either male or female and from one of five backgrounds: European American, African American, Asian American, Latin American, or Middle Eastern American. However, the description of the overt behaviors by the juvenile was the same for every scenario—selecting and returning shirts in a rack, glancing around the store, and stuffing a shirt into a backpack.</p><p>Respondents provided their opinions about the degree to which the security officer in the scenario relied on physical characteristics in surveilling a juvenile, and whether the retail manager and security officer should impose informal or formal sanctions on the shoplifter. Researchers reasoned that respondents should draw identical conclusions for surveillance and sanctions if they were simply evaluating the juvenile shoplifters’ behaviors, but that students would have different recommendations for these choices if their racial or ethnic stereotypes were activated.</p><p>Respondents who indicated a preference for applying informal sanctions did so more frequently for girls of African-American and Middle Eastern-American descent. These respondents also assessed that the officer described in the scenario based his or her surveillance decisions on physical characteristics. No other gender differences for race or ethnicity were notable when considering reliance on physical characteristics.</p><p>Stereotypes also affected decisions on how to sanction the shoplifter. Respondents were given the option of implementing one of four informal sanctions: speak to the juvenile, call parents to pick up the juvenile, get restitution, or ban the youth from the store. 
Their selection of the least severe sanction—talk to the juvenile—was doled out at a higher rate for boys than for girls of each ethnicity except European Americans, which did not differ.</p><p>The moderate level sanction—call the youth’s parents—was selected more for girls than for boys of African and Latin descent. The most severe level sanction—ban the youth from the store—was selected more for boys than for girls of African descent. However, it was selected more for girls than for boys of Asian, European, and Middle Eastern descent.<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%201.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:510px;" /></p><p>Respondents who indicated a preference for applying formal sanctions attributed physical characteristics to the guards’ surveillance decision for girls more than for boys of Latin descent; gender differences were not apparent for the other ethnicities. </p><p>Respondents were also given five formal sanctions for the youths: involve the police, prosecute the theft as larceny, impose a fine, give the youth diversion or community service, or put the incident on the youth’s criminal record. Their selection of the least severe sanction—involve the police—was endorsed more for boys than for girls of Asian, European, and Latin descent, but more for girls than for boys of African descent. No gender difference was apparent for youths of Middle Eastern descent.</p><p>The most severe sanction—diversion or community service—was preferred more for boys than for girls of African descent. 
A small percentage of respondents endorsed a criminal record for the theft of a shirt, but only for girls of African and European descent and for boys of Middle Eastern descent.</p><p>Finally, a comparison of our data revealed that respondents believed informal—rather than formal—consequences should be imposed for girls rather than for boys of Asian and European descent, and for boys rather than for girls of Latin descent. ​<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%202.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:519px;" /></p><h4>Lessons Learned</h4><p>Our findings clearly demonstrate that people have stereotypes about juvenile shoplifters. They also showed that people unconsciously use the typical physical characteristics of gender and race or ethnicity associated with their criminal stereotypes to make decisions and recommendations, such as whom to surveil and how to handle a shoplifting incident. Otherwise, there would not have been a difference in how the juvenile shoplifter was processed or punished, because the behaviors exhibited by all of the juveniles were identical across scenarios.</p><p>Consumer racial profiling is a defective filtering system that may direct private security officers’ attention to characteristics that are not reflective of actual shoplifting conduct. Our data suggests that CRP not only hurts retail businesses by discouraging minority consumers from shopping in their stores, but also simultaneously prevents security officers from apprehending shoplifters.</p><p>Other research, such as from “Juvenile Shoplifting Delinquency: Findings from an Austrian Study” published in the 2014 Journal for Police Science and Practice, shows that only 10 percent of juveniles are caught shoplifting. Even more disconcerting, the typical shoplifter steals on average 48 to 150 times before being apprehended. 
Clearly, retailers need a better strategy if they are to reduce loss due to shoplifting.</p><p>Another issue that was addressed was the decision to involve the legal system. Many businesses, despite having posted prosecution warnings, reported only about half of the adolescent shoplifters they caught to the police. </p><p>Retailers instead focus on minimizing loss and negative publicity, and may rationalize against reporting the offense to the police because they do not want to stigmatize the adolescent or because they consider it a one-time incident, particularly when the juvenile admits to the theft and then pays for or returns the items, according to the U.S. Department of Justice’s (DOJ) Community Oriented Policing Services.</p><p>These beliefs, however, may be misguided. Though current research is scarce, a 1992 study—The Sociology of Shoplifting: Boosters and Snitches Today—indicated that 40 to 50 percent of apprehended adolescent shoplifters reported that they continued shoplifting. </p><p>There are benefits for retailers who involve the legal system, especially for informal police sanctions. </p><p>First, criminal justice diversion programs and psychological treatment and educational programs may reduce recidivism. For example, shoplifters who attended and completed a diversion program had significantly fewer re-arrests compared to those who failed to complete or did not attend, a DOJ study found.</p><p>Second, the private sector needs the support of the public sector to reduce shoplifting. Shoplifters can be given an opportunity to participate in first offender programs and, upon completion of classes on the effects of shoplifting, have their charges dismissed or even erased. </p><h4>Recommendations</h4><p>Retailers and private security officers need training to make them aware of their own biases and how their stereotypes affect their choices. 
They also need training to learn which behavioral indices are most effective in distinguishing shoppers from shoplifters. </p><p>If retailers do not make significant changes in guiding their employees—particularly security officers—towards objective measures of vigilance to prevent shoplifting, their financial loss will continue to be in the billions of dollars. </p><p>Private security officers must be taught how to treat all potential shoplifters, regardless of their gender, in the same way to prevent making mistakes and subjecting retailers to lawsuits for discriminatory security practices.</p><p>Overcoming unconscious biases is difficult. Prior to specialized training in bias identification and behavioral profiling, it is important to determine the biases of security officers. Self-assessment measures similar to the ones the researchers used in their study can be administered. </p><p>The officers should also keep records that specify each incident of shoplifting, what behaviors drew their attention to warrant surveillance, what act occurred to provoke them to approach the juvenile shoplifter, the items that were taken, the method used, the shoplifter’s demographics, how the situation was handled, who made the decision, and reasons for the decision. The officers should then review these records with their retail managers.</p><p>Retailers should also implement a mandatory training program to provide private security officers with the tools needed to identify shoplifting behaviors to increase detection and reduce shrink. </p><p>The incident records could be introduced and used to help identify the impact biases have on private security professionals’ decisionmaking about juvenile shoplifters. 
It would also help security guards learn the various types of suspicious behaviors that shoplifters exhibit, such as juveniles who make quick glances at staff, examine items in remote aisles, monitor security cameras and mirrors, and purposefully draw employees’ attention away from others.</p><p>Additionally, a practical component would be to show surveillance videos of the behaviors exhibited by juvenile shoplifters of different gender and race or ethnicity. In this way, the findings of past studies showing the insignificance of race, ethnicity, or gender can be learned through real-world examples.  </p><p>--<br></p><p><em><strong>Dr. Lauren R. Shapiro </strong>is an associate professor in the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She has published several journal articles and chapters on the role of stereotypes in perception and memory for crime and criminals. <strong>Dr. Marie-Helen (Maria) Maras</strong> is an associate professor at the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She is the author of several books, including Cybercriminology; Computer Forensics: Cybercriminals, Laws, and Evidence; Counterterrorism; and Transnational Security.   </em></p> War Games<p>In the chaos of World War II, the U.S. Information Agency began a German radio broadcast to counter Nazi propaganda. The Voice of America (VOA) was designed to promote American values abroad, and after the end of the war, the United States enacted the Smith–Mundt Act to continue its broadcasts during peace time.</p><p>During the Cold War, VOA took on a new target—Soviet propaganda—and concentrated its message on communist nations in eastern and central Europe. 
By 1953, VOA was broadcasting 3,200 programs in 40 languages every week.</p><p>And America was not alone. The Soviet Union soon began adopting similar technology, attempting to influence elections through radio broadcasts, campaign funding, and recruitment efforts. In the 1970s, for example, during a U.S. presidential race, the Soviet KGB recruited a U.S. Democratic party activist to report on Democrat Jimmy Carter’s campaign and foreign policy plans.</p><p>Fast-forward to the present, when influence is no longer restricted to radio broadcasts or recruiting covert agents; it’s now being conducted on social media by nation-states. In an unprecedented unclassified report, the U.S. intelligence community detailed Russia’s most recent efforts to influence the 2016 U.S. presidential election in favor of candidate and eventual president Donald Trump. </p><p>The report, crafted by the U.S. National Security Agency (NSA), the CIA, and the FBI, and released by the U.S. Office of the Director of National Intelligence, found that Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the U.S. presidential election. </p><p>Putin’s goals, according to the report, were to undermine public faith in the U.S. democratic process, denigrate Democratic candidate former U.S. Secretary of State Hillary Clinton, and harm her electability and potential presidency.</p><p>“In trying to influence the U.S. election, we assess the Kremlin sought to advance its longstanding desire to undermine the U.S.-led liberal democratic order, the promotion of which Putin and other senior Russian leaders view as a threat to Russia and Putin’s regime,” the report explained.</p><p>To carry out this influence campaign, Russia used a messaging strategy that blended covert intelligence operations with overt efforts by Russian government agencies, state-funded media, third-party intermediaries, and paid social media users—known as trolls.</p><p>“The Kremlin’s campaign aimed at the U.S. 
election featured disclosures of data obtained through Russian cyber operations; intrusions into U.S. state and local electoral boards; and overt propaganda,” the report added. “Russian intelligence collection both informed and enabled the influence campaign.”</p><p>For instance, in July 2015 Russian intelligence organizations gained access to the U.S. Democratic National Committee’s (DNC’s) networks and maintained access to them until June 2016. Using this access, Russia’s General Staff Main Intelligence Directorate (GRU) compromised the personal email accounts of Democratic Party officials and political figures, including Clinton’s campaign chair, John Podesta. </p><p>Then, under the alias Guccifer 2.0, the GRU leaked those emails to and WikiLeaks, which shared information with RT—the Kremlin’s principal international propaganda outlet, which has more than 4 million Likes on Facebook and 2 million followers on Twitter. </p><p>“Russia’s state-run propaganda machine…contributed to the influence campaign by serving as a platform for Kremlin messaging to Russian and international audiences,” according to the report. “State-owned Russian media made increasingly favorable comments about President-elect Trump as the 2016 U.S. general and primary election campaigns progressed, while consistently offering negative coverage of Secretary Clinton.”</p><p>For instance, Russian media began to call Trump’s impending victory a “vindication of Putin’s advocacy of global populist movements” and the “latest example of Western liberalism’s collapse.”</p><p>Millions of people viewed these articles and shared them on social media, spreading them among U.S. voters. The U.S. intelligence community did not conduct opinion polls to see how Russian propaganda influenced voting behavior, said former Director of National Intelligence James Clapper in a Senate hearing. 
But he did reinforce the report’s assessment that Russia will apply lessons it learned from the campaign to future efforts to influence the United States and its allies.</p><p>And, because Americans elected Trump in the 2016 election, Russia is likely to view its influence campaign as a success and continue using similar methods to influence future elections.</p><p>“Putin’s public views of the disclosures suggest the Kremlin and the intelligence services will continue to consider using cyber-enabled disclosure operations because of their belief that these can accomplish Russian goals relatively easily without significant damage to Russian interests,” the report said.</p><p>Putin may hold this view because the United States responded to the influence campaign through targeted sanctions. One week before the U.S. intelligence community’s report was released, former U.S. President Barack Obama sanctioned two Russian intelligence services, four individual intelligence service officers, and three companies that provided material support to the Russian intelligence service’s cyber operations.</p><p>The U.S. Department of the Treasury also sanctioned two Russian individuals for using cyber-enabled means to misappropriate funds and steal personal identifying information. The U.S. Department of State also shut down two Russian compounds in Maryland and New York that were used by Russia for intelligence purposes, and declared 35 Russian intelligence operatives “persona non-grata.”</p><p>“These actions are not the sum total of our response to Russia’s aggressive activities,” Obama said in a statement. “We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized.”</p><p>While some experts are not surprised by Russia’s actions, one expert has said he was surprised at Russia’s willingness to engage in a disruptive cyberattack against U.S. institutions. </p><p>Adam Segal, Ira A. 
Lipman chair in emerging technologies and national security and director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, published The Hacked World Order at the beginning of 2016, saying that he thought states on the periphery—Estonia, Georgia, and Ukraine—would conduct disruptive attacks on each other, but that major nation-states would not.</p><p>“Clearly, I underestimated the willingness of Russia to use disruptive attacks on the United States,” Segal said at an event hosted by the American Bar Association in January. “I never considered disruptive attacks on the United States focused on institutions, even though I thought those might be the most vulnerable to attacks in the future.”</p><p>Disruptive attacks, like the Russian influence campaign, will be a difficult area for the Trump administration moving forward, especially based on the U.S. response to the activity. </p><p>Segal, who had just returned from China before speaking at the event, said that the Chinese “seem to see no deterrent value” in the U.S. response to Russia and that the response needed to be stronger to send a clear message not just to Russia, but to other adversaries who might try something similar.</p><p>That message was further muddled when just weeks into Trump’s presidency, the U.S. Department of the Treasury eased sanctions to end a ban on selling information technology products to Russia. The ban was originally put in place by Obama in 2015 in response to alleged “malicious cyber-enabled activities” by Russia’s security service in the U.S. electoral process.</p><p>Despite the deficient response to the disruptive attack, however, Segal said he still thinks that Russia and China are unlikely to use destructive cyberattacks against the United States—such as targeting critical infrastructure and causing damage—unless their national interests are threatened.</p><p>“The Chinese definition of core interests is unfortunately expanding,” Segal said. 
“But the Chinese know that the United States is going to attribute an attack to them, so they have to be ready for escalation.”</p><p> An escalation of destructive cyberattacks is something Leo Taddeo, former special agent in charge of the FBI’s New York Cybercrime Office and current CSO of Cryptzone, a network security and compliance software provider, says he sees happening in 2017. In an interview with <em>Security Management</em>, Taddeo says he sees nation-states—including the United States—taking a more aggressive position on international cybersecurity, leading to a cyber escalation between nation-states.</p><p>The U.S. public has an “appetite for more aggressive cyberactivity” and for “striking back” against those who conduct cyberattacks against American interests, according to Taddeo.</p><p>However, Taddeo says he is concerned that the U.S. private sector will be caught in the crossfire of this escalation involving the United States, Russia, China, and possibly Iran, when banks, power companies, and other critical infrastructure—largely controlled by the private sector in the United States—are targeted. </p><p>“The Russians don’t have that problem as much as the United States does because Russia is more autocratic,” Taddeo adds. “The private sector there doesn’t complain without permission from the regime and can tolerate more in a crisis.”</p><p>Those attack methods are also likely to trickle down to regional conflicts between nation-states with less cyber prowess, such as India and Pakistan. For instance, Taddeo says to look at the attack on the Bank of Bangladesh in 2016 when hackers stole $81 million. </p><p>“That type of attack may have been committed by a nation-state to obtain much needed cash resources or to embarrass a smaller state,” Taddeo says. 
“I think we’ll see more types of cyber conflict…some adopted by nation-states, some by super powers, but with all of these different tools becoming part of the arsenal.”</p><p>Taddeo adds that, with today’s technological advances and hacking services for hire, it doesn’t take a great deal of expertise to steal information and share it with organizations like WikiLeaks.</p><p>Either way, Taddeo says the “genie is out of the bottle” and actors and nation-states are now using cyber methods to conduct influence campaigns for strategic goals. </p><p>For the Kremlin, this includes gathering information and attempting to influence public—and government—opinion via social media in favor of Russia.</p><p>“Immediately after Election Day, we assess Russian intelligence began a spearphishing campaign targeting U.S. government employees and individuals associated with U.S. think tanks and NGOs in national security, defense, and foreign policy fields,” the U.S. intelligence report said. “This campaign could provide material for future influence efforts, as well as foreign intelligence collection on the incoming administration’s goals and plans.”</p><p>Each day, pollsters at the Gallup company monitor the upticks and downticks of America’s pulse. They track large-scale indicators like the country’s unemployment rate, the citizenry’s economic confidence, and the president’s approval rating. But among these tracked statistics at Daily lies a less publicized marker: what percentage of U.S. workers say they are engaged at their jobs? </p><p>For managers, the answer may be discouraging: only about one-third of American workers are engaged on the job, Gallup now finds. 
The employee engagement rate has stayed in that low range for the last 15 years—from 26 percent (on a yearly average basis) in 2000 to 33 percent in 2016, according to Jim Harter, chief scientist of Gallup’s international workplace management and well-being practices.</p><p>Actively disengaged employees cost the United States $450 billion to $550 billion per year, according to Gallup’s research. Employee disengagement can increase turnover, pollute office culture, and lead to more mistakes in the workplace—the last of which can be dangerous in the security industry, where oversights and errors can result in damaging breaches.</p><p>Conversely, Gallup researchers found that organizations that successfully sustain high employee engagement reap serious benefits. On average, profitability is 22 percent higher; productivity, 21 percent higher; absenteeism, 37 percent lower; and there are 48 percent fewer staff safety incidents.</p><p>Moreover, experts say there are many best practices that organizations and managers can follow to maximize employee engagement. From strength building to safe-space dialogue to stronger mission connection, a security manager’s approach and an organization’s leadership can make all the difference.</p><h4>Energy and Flow</h4><p>Employee engagement is not a new workplace concept; it has been discussed and studied for more than 25 years. But with more and more recent research illustrating its benefits, and the hazards of disengagement, the concept of employee engagement is now “much more integrated into how we look at work,” says management expert David Zinger, a Canada-based consultant who runs The Employee Engagement Network, an online resource. </p><p>Zinger and other experts argue that Gallup’s methodology (a 12-question survey that poses core value questions such as “at work, do I have the opportunity to do what I do best every day”) leads to exceedingly low engagement scores. Other methodologies put the U.S. 
employee engagement rate at about 50 percent, these experts say. Still, almost all agree that whatever metric is used, the rate is still too low.</p><p>By definition, employees who are engaged are usually involved in and enthusiastic about their work, and are making valuable contributions to their organization. Bob Kelleher, an expert who runs The Employee Engagement Group consultancy, says he thinks of engagement as a successful partnership between an employer and employee.</p><p>“The employer is helping the employee reach his or her potential, while the employee is helping the employer reach its potential,” he explains. “It’s the ultimate win–win. The byproduct of this partnership is a discretionary effort.”</p><p>And that discretionary effort from the employee often comes naturally, because of the positive energy generated by simply being engaged. </p><p>“When an employee is engaged, they experience a state of flow. They are energized. They are learning. They have fun,” says Pi Wen Looi, a workplace expert who heads the Novacrea consulting firm. “As a result, they are more likely to recommend their company as a great place to work, stay longer with the company, and go above and beyond their role.”</p><h4>Natural Selection</h4><p>Managers play a crucial role in maximizing employee engagement in the workplace—and that management effort should start with the hiring process, experts say. </p><p>Looi mentions recent research she was involved in that was aimed at identifying employees’ sense of purpose to help them find jobs that were in tune with their personal values. The research showed how an employee-employer values alignment at the start led to greater engagement. </p><p>“If you want to have engaged employees, you’ll need to make sure you are recruiting the right talent—a passion and value match, a culture fit, and with the right skills,” she says.</p><p>In part, that’s because high salaries are ultimately not enough to ensure high engagement, she adds. 
“What motivates employees comes from their own heart. You may have market competitive pay and benefits, but these extrinsic motivators are not sufficient to propel employees forward,” she explains. “It’s the intrinsic motivators such as pursuing their values and passion, continual learning, and building good relationships with peers that will keep a person going and thriving.”  </p><p>Kelleher illustrates this by using the acronym BEST. Employers tend to hire for the middle two letters, education (E) and skills (S), in hopes that they will be the most reflective of performance. But it is the first and last letters, behaviors (B) and traits (T), that best reflect employees’ values. </p><p>Since a values alignment is key to engagement, employers should also focus on behaviors and traits in the hiring process. Sometimes, disengagement is the result of the fact that the values of the company and the employee were never a match. “I often tell clients, ‘You don’t have an engagement issue, you have a selection issue,’” Kelleher says. </p><p>The importance of the hiring and selection process also applies to managers, Gallup’s Harter says. Many who become managers don’t yet have the skills and training to be effective. </p><p>“A lot of people are put into the role because they are successful in a previous position, but that position was not a managerial one,” he says. “Or, they are selected because they have been around a long time in the organization, so it becomes a rite of passage.”</p><p>Indeed, based on his decades-long study of engagement and the U.S. workplace, Harter says that sound manager selection is one of the three most effective ways an organization can increase engagement. The other two ways are managerial practices—a focus on building employee strengths, and a sustained two-way coaching dialogue between managers and employees.  </p><p>These last two ways are effective in part because they are being driven from below, Harter explains. 
Newer workers, the 20- and early 30-somethings who are members of the millennial generation, “want a coach type of manager who focuses on strength-based development, as opposed to a manager who is an expert in their weaknesses,” he says. </p><p>In a strengths-based workplace culture, employees often learn their roles more quickly, produce better work, and are more engaged, he adds.</p><p>In its own recent research, Gallup found that 67 percent of employees who say that their manager focuses on their strengths are engaged, compared with only 31 percent of the employees who say that their manager focuses on their weaknesses.​</p><h4>Continual Conversation</h4><p>Besides a strength-based approach, younger workers are also asking for a managerial approach that does not focus on a once-a-year performance review, but features a continuous two-way conversation in a coaching manner, Harter says. </p><p>Other experts agree. Zinger, who consults on employee engagement around the world, says that one commonality he has noticed is that employees in virtually every country want their managers to care about them. Kelleher also stresses this. </p><p>“Empathy is a significant leadership competency—especially in 2017,” Kelleher says. “Employees who think their employers care about them as people are more likely to give above and beyond.”  </p><p>A 2016 Gallup report, What Great Managers Do to Engage Employees, drew the same conclusion. </p><p>“A productive workplace is one in which people feel safe…enough to experiment, to challenge, to share information, and to support one another,” the study finds. “In this type of workplace, team members are prepared to give the manager and their organization the benefit of the doubt. But none of this can happen if employees do not feel cared about.”</p><p>This feeling of being cared about is built through regular conversation, during which the manager learns about the values, goals, and passions of the employee. 
</p><p>“Conversations are in many ways the lifeblood of the organization,” Zinger says. But they do not have to take up hours and hours every week. Some days, brief check-ins are fine, and help maintain engagement.  </p><p>“Some managers may think, ‘Oh my gosh, I have so much on my plate. Now you want me to have these conversations?’ But it can be as quick as 45 seconds,” Zinger explains. Even a short text or email can be productive, he adds. </p><p>Gallup’s Great Managers study confirmed this link. It found that consistent communication—whether it occurs in person, over the phone, or electronically—is linked to higher engagement. Employees who have regular meetings with their managers are almost three times as likely to be engaged, compared with workers who don’t, the report found. </p><p>Moreover, these conversations are a good opportunity for managers to draw attention to employees’ accomplishments. Here, Kelleher’s advice to managers is simple: “Recognize, recognize, and recognize.”</p><p>“Recognition is a significant engagement driver. It is almost always free, has lasting impact, and managers tend to see a replication of the positive results that they are looking to recognize,” he says. “There is simply no downside.”  </p><p>In addition to conversation, a manager’s behavior is also important because it can have a mirroring effect, Zinger says. Based on that behavior, it’s easy for employees to see how connected a manager is to his or her own work, and the organization at large. A manager who encourages engagement, but is cynical or uncaring in his or her own work relationship will be quickly seen as inauthentic. </p><p>And the mirroring effect can work both ways, he adds. Let’s say a security manager has a staff of 10, and two of the 10 workers seem disengaged. Out of frustration, the manager may start avoiding and minimizing his or her conversations and interactions with them. 
In effect, the manager is following the employee’s lead; from the employee’s point of view, the manager is becoming disengaged.  </p><p>Finally, Kelleher advises managers to establish what he calls “a line of sight” between an employee’s work and the mission of the organization. To do this, managers need to explain where the company is going and its vision for the future; the strategy for how the company intends to get there; and how the employee’s work is a part of that. </p><p>“Line of sight is critically important to engagement. Employees should not be working in a vacuum,” he explains. ​</p><h4>What Organizations Can Do</h4><p>Managers are not the only ones who influence employee engagement. Organizations as a whole, through both their policies and executive leadership, can also have a significant effect, experts say. </p><p>For example, a company may want to consider reworking its performance review process so that engagement is discussed during reviews. These should be two-way, safe-space conversations, in which employees are comfortable talking about when they feel disengaged, for what reasons, and what could be done differently. </p><p>“Frame performance conversations as a way to look forward and help employees grow, not as a backward-looking, punitive means,” Looi says.</p><p>Some organizations may even want to consider replacing annual performance reviews with robust monthly check-in conversations that focus on the development of the employee. </p><p>“Get rid of the intimidating phrase ‘performance appraisals’ and replace it with a new forward-looking phrase—‘the employee development planning process,’” Kelleher says. </p><p>The organization’s executive leadership, not just middle managers and human resources staff, should also be focused on engagement. 
Successful companies, experts say, are often proactive on engagement; their leaders are focused on making their firm more attractive in the eyes of the employees, so that more workers will be committed to their jobs. </p><p>Some of these successful companies conduct informal stay interviews with staff. Instead of an exit interview, in which managers try to find out why employees are leaving, managers conducting stay interviews try to find out what it would take for an employee to stay.</p><h4>The Future Is Now</h4><p>While Gallup’s U.S. engagement rate has been at or below 33 percent for most of the last 15 years, some experts do see signs that employee engagement may improve in upcoming years. </p><p>Looi points to research advances in behavioral economics and nudge theory, which can be used to improve workplace cultures so that greater engagement is inherently encouraged. </p><p>“When applied appropriately and ethically, you can use nudges to increase employee learning, performance, and engagement,” she says. (For more details on nudge theory see “Management Trends,” by Sean Benson, CPP, in the September 2016 issue of Security Management.)</p><p>Zinger explains that Fitbit-like devices that measure engagement, by way of physical indicators that signal when employees are holding their phones or sitting in a chair, may become more commonplace.  </p><p>And Harter, who describes himself as “hopeful,” sees new workers continuing to transform the U.S. workplace. The millennial generation, which has been driving an increased focus on engagement, will make up three-quarters of the nation’s workforce in just over a decade, according to demographic projections. This generation is keen on being engaged with work that has a purpose, and that is a positive reflection on their values. 
Studies show, for example, that recent MBAs with high earning power will work for a significantly lower salary if they truly believe in their jobs.</p><p>“There’s not as much separation between work and life. People want their work to be representations of who they are,” Harter says.</p>
