Construction

 

 

https://sm.asisonline.org/Pages/Disaster-Recovery.aspx
Disaster Recovery
2014-09-01T04:00:00Z
Sean M. Scott; Reviewed by Mayer Nudell
Heritage Communications Ltd; theredguidetorecovery.com<br>172 pages; $19.95<br><br>
The police, firemen, and other first responders have left, and you are taking stock of the emergency that has befallen you, your organization, or your family. What now? A Step-By-Step Guide to Disaster Recovery can help everyone prepare for and deal with such situations.<br><br>
This compact, easy-to-use guide begins with the departure of the first responders and sets out the key considerations and pitfalls to be faced during recovery and reconstruction. Author Sean Scott brings more than 30 years of experience in construction and restoration to walk readers through the real world of “getting back to normal.” Chapters cover everything from insurance and choosing a contractor to trauma interventions, and an associated Web site provides tools, checklists, and templates for everything from home inventories to contractor questionnaires to lost pet posters. It is a comprehensive package that will help victims find a path to recovery without being victimized.<br><br>
The publisher offers customization for use by agencies, corporations, universities, and other groups—for example, if an organization would like to have a custom cover and specific contact information added.<br><br>
Reviewer: Mayer Nudell, CSC (Certified Security and Safety Consultant), is an independent consultant on crisis management and related issues. He is also an adjunct professor at Webster University and the coauthor of The Handbook for Effective Emergency and Crisis Management and No One a Neutral: Political Hostage-Taking in the Modern World. He is a member of ASIS.

https://sm.asisonline.org/Pages/Disaster-Recovery.aspx 2014-09-01T04:00:00Z Disaster Recovery
https://sm.asisonline.org/Pages/21st-century-security-and-cpted-designing-critical-infrastructure-protection-and-crime-prev-0.aspx 2014-05-01T04:00:00Z 21st Century Security and CPTED: Designing for Critical Infrastructure Protection and Crime Prevention, Second Edition.
https://sm.asisonline.org/Pages/security-design-abu-dhabi-0013246.aspx 2014-04-01T04:00:00Z Security by Design in Abu Dhabi
https://sm.asisonline.org/Pages/hard-lessons-0010123.aspx 2012-08-01T04:00:00Z Hard Lessons
https://sm.asisonline.org/migration/Pages/greening-security.aspx 2008-07-01T04:00:00Z The Greening of Security
https://sm.asisonline.org/Pages/builders-contstruct-better-security.aspx 2005-05-01T04:00:00Z Builders Construct Better Security
https://sm.asisonline.org/Pages/cctv-lowers-stakes.aspx 2005-04-01T05:00:00Z CCTV Lowers the Stakes
https://sm.asisonline.org/Pages/challenge-making-safer-structures.aspx 2005-03-01T05:00:00Z The Challenge of Making Safer Structures
https://sm.asisonline.org/Pages/buzz-over-zigbee.aspx 2004-11-01T05:00:00Z The Buzz Over ZigBee
https://sm.asisonline.org/migration/Pages/security-planning-and-design-guide-architects-and-building-design-professionals.aspx 2004-06-01T04:00:00Z Security Planning and Design: A Guide for Architects and Building Design Professionals

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/hard-lessons-0010123.aspx
Hard Lessons
<p>On April 2, 2012, One Goh, a former student at Oikos University, in Oakland, California, opened fire on the campus, killing seven people and wounding three others. That incident happened nearly five years to the day after the April 16, 2007, mass shooting at Virginia Polytechnic Institute and State University (Virginia Tech), in Blacksburg, Virginia. It was a sad reminder that, though rare, shootings are a threat to universities large and small, and school authorities must be prepared to handle them.</p><p>In the Virginia Tech tragedy, a current student first shot two students in a dormitory; a few hours later, he entered an academic building and opened fire in several classrooms before turning the gun on himself. Thirty-three people were killed in the massacre, including the gunman, Seung-Hui Cho. The Virginia Tech community has been through much since that day. It has also attempted to learn important lessons to limit the chances of a similar tragedy in the future. Other campuses have taken note. Ahead is a look at some of the long-term lessons and evolving best practices for communications, sheltering in place, and threat assessment teams.</p><p><strong>Communications</strong></p><p>A key factor in the Virginia Tech shooting was that the gunman first murdered two students in the dorms in the morning. The university took more than an hour after that first incident to warn students that there had been a shooting on campus. The school was ultimately judged by the U.S. Department of Education (DOE) to have violated a provision in the applicable law, the Clery Act, which calls for “timely warnings” when reportable crimes occur on campus. Some examples of reportable Clery Act crimes are robbery, murder, and assault.</p><p>Virginia Tech officials disagreed with that judgment. 
According to Mark Owczarski, Virginia Tech’s director of news and information, while there was no clear definition of what constituted a “timely” warning at the time, precedent and DOE guidelines had those warnings coming out within 48 hours of the incident. An hour seemed reasonable in that context. Moreover, the Virginia Tech warnings were not more immediate because universities were expected to first determine the facts and then put as much information into the warning as possible, asserted Virginia Tech in its defense.</p><p>The reason for the delay was not accepted initially, and the school was fined $55,000. But in March 2012, the school got some vindication when the DOE’s chief administrative judge overturned the DOE fine. However, also in March, a civil trial jury awarded $4 million to two families of Virginia Tech victims who accused the school of negligence.</p><p>The fuzziness around the definition of what would be considered “timely” with regard to a warning prompted a legislative change in 2008, when the Clery Act was amended to include an additional responsibility for a more instantaneous emergency notification whenever a school has reason to believe that there is any imminent threat to the health and safety of students on campus. Situations meriting a notification might include chemical spills or even concerns about an infectious disease, in addition to crimes and active shooters.</p><p>Emergency notifications must be issued immediately even if all of the facts of the case are not yet gathered. The objective is to let people in and around the campus know that they may be in danger. “Immediate” is defined as meaning “as soon as law enforcement officers can confirm the threat,” says Owczarski.</p><p>The notification should be made by the police department as soon as possible after it responds to a call and confirms that there is a potentially threatening situation. 
When both an emergency notification and a timely warning would apply (Clery-reportable crimes, for example), the DOE has stated that a redundant timely warning is not necessary in addition to the emergency notification.</p><p>Conversely, when emergency notifications are not needed, the subsequent “timely warning” is still required under the law and should be issued after the school or police gather basic information. Schools have up to 48 hours to do that, but Owczarski says few, if any, institutions would wait that long today. </p><p>“The landscape has changed,” says Owczarski. “[I]n light of what happened five years ago, colleges and universities are far more likely to communicate first, think and respond second.”</p><p>Virginia Tech’s VT Alert system has about 10 mechanisms for disseminating information (more on these ahead). Each has its application. For example, outdoor sirens might be used for tornado warnings, but they would not likely be used in a timely-warning situation.</p><p>Communication is the most important aspect of security, says Paul Timm, PSP, president of RETA Security. Virginia Tech did have mass notification capabilities when the 2007 tragedy occurred, and it did use such mechanisms as e-mail to send out information about the shootings, but technology has made instant mass communications far easier since then.</p><p>For example, many notification systems in effect before the shooting did not use text messages. That was because it was complicated. 
“[Y]ou had to buy Sprint’s [service] or Verizon, or what have you, and you then had to carry their particular device,” explains Bob Lang, CPP, assistant vice president of safety and security at Kennesaw State University in Georgia.</p><p>A 2008 report called <em>The Ripple Effect of Virginia Tech</em> from the Midwestern Higher Education Compact found that nearly three-quarters of respondents whose schools did not previously possess the ability to send notification via text had since implemented a system capable of doing that or planned on implementing such a system.</p><p>Helping to facilitate this change is the fact that today’s notification systems can generally be used with all carriers, and most every student has a smartphone. Thus, it’s not just that mass notification systems are more widespread, says Timm, it’s that they are easier to implement and, therefore, end up being more useful.</p><p>Schools are also getting more students to sign up for notifications. That’s because “schools are speaking to other schools, and we’re learning from each other,” says Timm. “So we’re not just going to leave it up to the student to walk in and sign up. We’re saying ‘here, if you’re going to register for classes, the screen that you get before you’re allowed to register is the sign-up for mass notification.’”</p><p>It is best practice to have numerous ways to reach members of the campus with pertinent information. In the International Association of Campus Law Enforcement Administrators (IACLEA) blueprint for safer campuses, “one of the things that we focused on was to have redundant systems so that if cell phones didn’t work because they were jammed, you had other ways of getting the word out to the campus if there was an imminent danger,” says Christopher G. 
Blake, IACLEA’s associate director and campus preparedness project director.</p><p>Virginia Tech’s current alert system includes text messaging, e-mail, message boards, sirens, and desktop alerts, among other mechanisms. “The bottom line to a lot of this is coming up with a layered approach to notifications,” says Lang.</p><p>Virginia Tech added digital message boards in classrooms and laboratories to its system after the 2007 tragedy. “Those are immediate; they literally will send a message within a second of deployment. Text messaging can take up to 20 minutes depending on cell phone service, the number of people, the number of subscribers,” says Owczarski.</p><p>Owczarski says the university prioritized which classrooms would have the signs first, and the installation process is ongoing as opportunity and funding become available. For example, large lecture halls and the most widely used spaces received the signs initially. There are about 700 signs currently. University policy states that the boards must be included in new construction projects and renovations.</p><p>The notification process is ever-developing based upon technology improvements. For example, Virginia Tech has also added Twitter and Facebook to its cadre of notification media.</p><p><strong>Content and context.</strong></p><p>Another issue universities have to wrangle with is exactly what the content of the message will be for any given situation.</p><p>Owczarski says that in these situations it is important to keep information updated, “because of the world in which we live in; people tweet, people Facebook, rumors go rampant.” He says that if 30 minutes goes by with no news, he will repeat what has been said or confirm that police are continuing to investigate.</p><p>For example, in December 2011, a campus police officer was shot on the Virginia Tech campus following a routine traffic stop. 
The police sent out the initial emergency notification when the shooting was confirmed and then quickly updated it when they knew the shooter had been spotted in a parking lot, says Owczarski. He says he then took over the communications to flesh out the warnings and information being delivered to the community. The emergency response plan was implemented, and the school was in a state of emergency response until police could confirm that the gunman was no longer a threat to the community.</p><p>Every situation will require different directives. In a potential or actual active-shooter situation, for example, the message might be to shelter in place, which simply means not to leave the building you are in. That was the case after the December shooting, though some media called it a “lockdown.”</p><p>Owczarski says that “lockdown” is a word that his school does not use, because it’s probably impossible to accomplish on a campus the size of a small municipality.</p><p>By contrast, it is feasible to advise anyone on campus to shelter in place, though that has its limitations as well. “It is not enforceable, and it might even be counterproductive if the people are in the same building as the shooter when they receive the warning,” says Owczarski.</p><p>Communicating is challenging when you have maybe a minute or two to make a decision about what to say, he says. And part of the challenge is that things are reported over Twitter and rumors and facts are often confused in the heat of a moment. “Yet what litigation and lawsuits will often say is you’re better off saying something, anything, and then reacting second. And that’s one of the great challenges that all of higher education in all municipalities face,” he says.</p><p>Virginia Tech has developed a Web portal with emergency messages for authorized individuals to send. The portal walks the user through a series of steps. 
The person would first put in information such as which campus the message is for and the delivery mechanisms to use (in an emergency, the default is to use them all).</p><p>There are about 30 templates of scenarios to provide a starting point for the notification. The template provides language appropriate to each type of incident and delivery mechanism; for example, e-mails might be longer and more conversational than text messages. The messages go out simultaneously. The language for the templates has been refined, and new templates have been created as drills and real-life emergencies have yielded lessons.</p><p><strong>Threat Assessment Teams</strong></p><p>Virginia Tech shooter Cho had behavioral issues that professors and mental health professionals knew about. After the fact, there were discussions about whether he should have been monitored more closely or removed from campus before the tragedy. It is impossible to know whether anything might have prevented that situation, but schools are trying to do what they can to focus on potentially risky situations—or people in need of assistance on or outside of their campuses—and to spot red flags that might signal trouble ahead.</p><p>The Virginia Tech incident led to a state law that requires colleges to have threat assessment teams for just that purpose. When that law came about, Virginia Tech was already putting together its behavioral threat assessment program.</p><p>Dewey Cornell, clinical psychologist and professor of education at the Curry School of Education, University of Virginia, thinks colleges traditionally have spent more resources on dealing with a tragedy than preventing it, so he sees the rise of threat assessment teams as a positive change. “I really think more emphasis should be given to prevention than just to crisis response,” he says.</p><p>Virginia Tech has spent a lot of time on refining its behavioral threat assessment team. 
The team consists of various individuals from different departments and disciplines.</p><p>Gene Deisinger joined Virginia Tech as threat management director in 2009. He says the school threat management team evaluates a few hundred cases a year, most of which are closed if no threat is perceived.</p><p>There are numerous ways a case can be opened, including reports from an individual on campus. When a case is reported, the team must examine the risks and the behavior in the context of whatever the individual is going through. The team will talk to the individual directly to assess and address any problems. The team also gathers information from various resources. One of the first orders of business is to determine whether the person is already being helped by other counseling or campus services. If that help is deemed to be adequate or the team determines that the person poses no threat, the case is closed.</p><p>Cornell points out that revisions to Virginia law and clarifications by the DOE have been made to facilitate information sharing with law enforcement and other groups, such as those in the medical professions. For example, a DOE clarification of the Family Educational Rights and Privacy Act (FERPA) states that school officials are not prohibited from sharing information obtained through school officials’ observation and personal knowledge, such as threatening remarks.</p><p>That is not considered part of student educational records, which makes it easier for the information to be shared.</p><p>The threat assessment team is separate from the CARE Team, which is a student aid team that was in existence prior to the 2007 shootings. The CARE Team will focus on student assistance issues, but some cases may go back and forth between CARE and threat assessment. For example, a financial-aid issue might start with CARE and then go to threat assessment if the student’s behavior becomes inflammatory. 
But both teams will not be working on the same case at once.</p><p>The threat assessment team is charged with identifying dangerous behaviors not just from students or faculty members but anyone who might pose a danger.</p><p>The threat assessment team mostly acts after concerns are reported, but Virginia Tech also introduced a proactive threat assessment element to the admissions process. During admissions, various background questions are asked in the application, and behavior is assessed during interaction with admissions officers.</p><p>If it is determined that an applicant has a history of violent offenses or other potentially disruptive behavior, for example, he or she would be referred to the threat assessment team. The team will then assess whether it’s possible to have a support plan to help that person be successful at the school. If the team doesn’t believe that’s possible, the applicant will not be permitted to attend the school. But, says Deisinger, “We recommend denial of very few applications.”</p><p><strong>Red flags.</strong></p><p>The school also tries to provide some guidance to the campus community with regard to what red flags they should look for. These are listed on Virginia Tech’s Web site, but Deisinger emphasizes that there is no absolutely reliable list of behaviors, and all behavior must be taken in context. Just because a person was violent in the past doesn’t mean they will be in the future. Similarly, a person with no violent past might still pose a risk.</p><p>Deisinger says that simplistic ways of predicting who is going to be violent have not worked, and he doesn’t anticipate that changing. He adds that though most of the referrals to his team do not end up requiring long-term monitoring, they’re still helpful.</p><p>“One side of the equation is, is the subject of concern dangerous or significantly disruptive? 
Even if the answer is no, if they’re perceived that way, there’s still an issue, because others will continue to respond to them based on the perception. And so, for many of the cases, we’re not actively working the subject of concern so much as we are the persons who shared the concern,” Deisinger says. The objective is “to share to the extent it’s lawful and appropriate to do so, the information that would help mitigate their concerns.”</p><p>Deisinger adds that it’s the nature of the beast of dealing with potentially violent and disruptive behavior that it’s unlikely that any individual in the community would be in a position to know the whole story, “so we set up a process that we know will [yield] false positives, because that enables us to look at potential linkages across the institution.”</p><p><strong>Awareness training.</strong></p><p>Schools also are seeking ways to make students comfortable with reporting any issues or concerns. At the University of Virginia, Cornell says, they hold a series of meetings with students to discuss such issues. The school also developed a Web site with videos that depict different kinds of situations where people might want to seek help.</p><p>Additionally, many universities have special Web sites or systems set up to receive information or concerns. Deisinger stresses how important it is to do community outreach, because the campus population is always changing. “The things we did for outreach or awareness last year do not mean that this year the community knows what resources are available to assist with concerns,” he says, adding “So that has to be a continual process.”</p><p><strong>Response Coordination</strong></p><p>Another key issue is how various authorities will work together in the event of a major incident where they all respond to the scene. 
Many schools had good relationships with local law enforcement prior to the Virginia Tech tragedy, but even with good relations, coordinating activity on the scene can be challenging.</p><p>The National Incident Management System (NIMS) and the Incident Command System (ICS) lay out protocols for such situations. In recent years, more schools are adopting the NIMS and ICS approaches even when they are not required to follow them.</p><p>The basic ICS course is actually tailored for administrators in higher education, says Timm. “Now, not enough of them are taking advantage of that, but…we’re on a crusade to help them at least be aware and then get on board,” he says. He adds that it helps them become more familiar with first responders and gets everyone speaking the “same language.”</p><p>IACLEA’s Blake stresses the importance of mutual-aid agreements and working with local law enforcement. “You don’t want to be introducing yourself to these folks at the scene [of an incident]; you want to have working relationships with them in advance.”</p><p>Five years after the 2007 shooting, Virginia Tech received high marks for its reaction to the police officer shooting, says Blake. “They were really applauded by the media and others about what a fantastic job they did of getting the word out, almost immediately, to the community, and they had regular updates and so forth.”</p><p>That proficiency was the result of lessons learned the hard way after the 2007 tragedy. But at least they have been learned. “Virginia Tech sadly has a degree of experience that hopefully will serve us in the future for when those instances will happen again,” says Owczarski, adding, “And if we can help others prepare better for the instances that have yet to occur, [we are] glad to do that.”</p>
https://sm.asisonline.org/Pages/21st-century-security-and-cpted-designing-critical-infrastructure-protection-and-crime-prev-0.aspx
21st Century Security and CPTED: Designing for Critical Infrastructure Protection and Crime Prevention, Second Edition.
<div class="body">
<p><em>CRC Press. Available from ASIS, item #2078; 954 pages; $120 (ASIS member), $132 (nonmember). Also available as e-book.</em></p>
<p>As good as the first edition of 21st Century Security and CPTED was, this second edition surpasses it. Atlas, known in security circles as a consummate professional, has done an outstanding job in creating this second edition, which has twice as much material as the original edition. It also includes voluminous references and hundreds of outstanding clarifying photos in both color and black-and-white. Using humor and candid insight he incorporates all the concepts of CPTED, including design, construction, security countermeasures, and risk management strategies, and merges them into a highly informative reference manual for security practitioners at every level.</p>
<p>There is a logical flow to the book. It lays a solid foundation by discussing architecture and its intent, as well as environmental crime control theories and premises liability. There is something here for everyone as it also discusses terrorism and critical infrastructure from differing perspectives. Several chapters on problem solving provide guidance on conducting threat, risk, and vulnerability assessments.</p>
<p>Throughout, Atlas provides a roadmap for merging security and CPTED into management principles and practices in a wide variety of facility settings, including healthcare facilities, critical infrastructure, ATMs, office buildings, parking lots and structures, and parks and green spaces. The latter portion of the book is reserved for concepts including lighting, LEED and GREEN certification, workplace violence, signage, data capture and analysis, and conducting CPTED surveys.</p>
<p>Atlas has created the definitive book on CPTED and security. Despite the magnitude and complexity of the science and art of security management, he has done an outstanding job of merging these and other disciplines and concepts together into a cogent display of information that the reader should be able to apply in a wide variety of locations and situations. If you are only going to buy one book this year, it is strongly suggested you purchase this one.</p>
<hr />
<p><strong>Reviewer:</strong> Glen Kitteringham, CPP, has worked in the security industry since 1990. He holds a master’s degree in security and crime risk management. He is president of Kitteringham Security Group Inc., which consults with companies around the globe.</p>
</div>
https://sm.asisonline.org/Pages/Management-Trends.aspx
Management Trends
<p>Security managers already know that culture is key, that understanding generational differences can reduce conflict, and that effective leadership can pave the way to the C-suite. The next trend in the management field, behavioral economics, can help security design programs that get buy-in from employees.</p><p>What is the underlying theory of your security program? It may be about punishing bad behavior, with employees written up by managers and then referred to counseling. Or, it may be about rewarding good behavior, such as praise and performance awards for security compliance.</p><p>Chances are it’s some combination of the two, using both carrots and sticks. But there’s another, perhaps deeper, question that is often telling—why do people make choices to either comply, or not comply, with your security program?</p><p>All around us, there are small clues guiding those choices. It’s time security leaders started shaping those clues to protect employees, customers, property, and other assets. They can do so by using the applications of one of the latest trends in social science—behavioral economics.</p><h4>Behavioral Economics</h4><p>Behavioral economics is the scientific examination of why people and organizations make the decisions they do, in an economic context. Its scientific pedigree has its origins in the 1970s, when technology was driving major improvements in brain research. At that time, new computing tools designed to assist in modeling, in tandem with Daniel Kahneman’s Nobel Prize–winning research on prospect theory (an economic theory that seeks to explain how people make decisions based on risk), provided a new research framework to explore how economic choices are made. 
Today, behavioral economics combines the practice of economics, neurobiology, and psychology to gain insight into why human beings act, or fail to act, in predictable ways.</p><p>At some level, most of us realize that <span style="line-height:1.5em;">our decision making is influenced by a variety of factors outside of our control, such as organizational norms, peer pressure, emotions, accepted stereotypes, and mental shortcuts. By closely analyzing these factors, behavioral economists can gain a sophisticated understanding of why people, and organizations, make the decisions they do—which factors take precedence over others, how different factors interact, and so on. They can also develop cues designed to steer a person or organization to a desired outcome. Such cues have been termed nudges; the people that help frame those decisions are called choice architects. </span></p><p>Public awareness of behavioral economics has slowly been gaining ground since the development of “nudge theory,” an offshoot of the science, by two academics, University of Chicago economist Richard Thaler and Harvard legal scholar Cass Sunstein. In their 2008 book Nudge: Improving Decisions about Health, Wealth, and Happiness, the two scholars postulate that there are subtle and blatant clues everywhere to influence behavior. (In the wake of his book’s success, Sunstein went on to serve as administrator of the White House office of information and regulatory affairs from 2009 to 2012.) Those clues may be accidental, but they can greatly impact the decisions we make, and there are scientific reasons for why they work or fail.</p><p>The authors argue that behaviors are guided just as much by on-the-spot decisions based on these clues, and the context these clues are found in, as they are by deeply held ethical or moral codes. 
Under the authors’ definition, a clue can be considered a nudge if two criteria are satisfied: the individual is free to choose it or not, and there is very little or no cost in choosing to go with the nudge as opposed to other options. In this way, nudges are meant to be subtle, not overtly coercive.</p><p>The nudge concept isn’t entirely new. We’ve been nudged in many ways since birth. It only takes a trip to the grocery store to notice that the sugary sweet cereals are stocked at exactly the eye level of a seven-year-old, while bran flakes occupy the upper shelves. Consumers’ decisions about what action to take are influenced largely by what is put into their path. At any given time, our brains are processing a mountain of information and sensory input, so easy choices, which require less effort than searching for another option, are often viewed by the mind as the correct ones. This is especially true if the clues and context surrounding those choices don’t make them seem especially important.</p><h4>Security Nudges</h4><p>Imagine having the ability to use nudges and clues as a designer and enforcer of a security program? The secret is that you do. As a security manager, you have the ability to help make the correct choice for security the simplest choice for the user. In other words, you are a choice architect.</p><p>However, one concept must be understood before security managers can become effective choice architects. Thaler and Sunstein describe the concept as the difference between econs and humans. Econs are imaginary constructs developed by the writers of economics textbooks. They are people with the brilliance of Einstein, the self-control of Gandhi, and the logical prowess of a Vulcan who can predict reactions in a variety of environments. All econs do the same thing—and almost always, the correct thing—in any given situation.</p><p>In case you hadn’t noticed, we don’t work with econs. We work with humans. 
Humans are generally smart and well-meaning, but they are far from perfect in on-the-spot decision making. Further, humans are barraged every day with factors that drive them to do exactly the opposite of what their infinitely wise, long-range-thinking econ-selves would do.</p><p>Unfortunately, the idea that econs and humans are interchangeable continues to stick around in the world of security. The overwhelming majority of security policies today treat employees as econs, not as the humans they truly are. Econs don’t need assistance complying with our complex security policies; humans do. So the idea is to help nudge the humans in the right direction—toward security compliance.</p><p>Following are several examples of how nudge theory, and choice architecture, can be used in a security context.</p><h4>Gaming Speed</h4><p>An interesting example of a security nudge comes from law enforcement in the form of a speed camera that rewards speed compliance. In 2008, the city of Stockholm, Sweden, introduced a speed camera along a problematic stretch of road in a town center. Initially the camera was placed to record the speed and license plates of violators, but later it was made the focus of an experiment in nudging. The camera would record not only the speed and license tag numbers of speeders, but also the speed and license tags of those who were respecting the 30 kilometer-per-hour (kph) speed limit.</p><p>At the end of the experiment, all drivers who were photographed driving at or below the speed limit were entered into a raffle, with the winner awarded a check for 20,000 kroner (roughly $3,000) partially paid by the fines of speeders. This spurred a dramatic change in average speed. Prior to the experiment, the average speed on that stretch of roadway was 32 kph. After the introduction of the “speed lottery,” the average speed dropped 22 percent, to 25 kph.
</p><p>Besides being a successful nudge, the speed example is also an excellent example of gamification. It encouraged people to comply with speed limits and improve public safety, while also giving them entry into a larger game to win a tangible, but not budget-busting, prize.</p><h4>Out of Pocket</h4><p>Security nudges have also been employed to increase security efficiency and compliance at airports. One of the first took place at the Nepalese airport of Tribhuvan, where officials noticed a marked increase in graft among airport customs inspectors.</p><p>Nepal was hard hit in the economic slowdown of 2008, and many Nepalese sought employment outside of the country to support family members. When these expatriates returned to Nepal, crooked customs inspectors preyed upon them by insisting on bribes in exchange for quick facilitation through customs while they were in possession of foreign currency, which otherwise could have delayed their entry.</p><p>Nepalese anticorruption authorities fought back by redesigning the uniforms of airport customs workers to remove all the pockets. Collecting payola becomes much more complicated without a convenient pocket to quickly stash the loot. The lack of pockets also served as a reminder for the customs workers to adjust their behavior and avoid illegal activity. Every time employees reached for their pockets, they were reminded about corruption and management’s refusal to condone it. Although there has been no formal study performed to assess the effectiveness of bribe-resistant trousers, news reports have found that graft and bribe-taking have been reduced at Tribhuvan airport.</p><p>Creative nudges also help the flow of lines at U.S. airport security checkpoints. By and large, passengers choose the shortest available line to proceed through security screening.
However, each passenger’s situation is different, so the shortest line may not necessarily turn out to be the fastest—six frequent business travelers familiar with airport security routine might proceed much faster than a vacationing family of four that flies infrequently.</p><p>So, airports near ski resorts have taken to designing self-selection lines marked according to a ski slope theme: Green Circles for families and those needing special assistance, Blue Squares for frequent travelers somewhat familiar with TSA procedures, and Black Diamonds for the expert travelers.</p><p>Under this system, there is no enforcement of lanes; passengers are free to choose whichever line they wish. However, by encouraging people to make proper line choices through color coding, security personnel are able to channel passengers toward the type of security screening they would be best served by, and increase the overall efficiency and security of the entire system. In nudge theory terms, this is a good example of placing a “designed decision” in front of a security customer.</p><h4>Engage to Nudge</h4><p>The National Retail Federation estimated 2014 retail losses due to inventory shrinkage at $44 billion. Facing such challenges, the field of loss prevention is one of the most dynamic in security today, and is also a discipline full of nudges.</p><p>Most retail stores have some form of CCTV monitoring for the prevention and investigation of theft, and this technology can be used to nudge customer behavior. The most visible nudge is conveyed through the placement of a live CCTV video feed at the store entrance. This provides an immediate environmental reminder to would-be thieves that they are being watched and the store is on the lookout for shoplifters.</p><p>Another frequent nudge is conveyed through employee engagement with customers.
According to the ASIS Retail Loss Prevention Council, a staff that greets customers and maintains active engagement with them can significantly reduce retail theft.</p><p>There are actually two nudges here. The first is the interaction between the employee and shopper; the customer is reminded that the employee is committed to the job, and consequently of the risk of getting caught if the shopper decides to shoplift. The second is the employer nudging the employee to habitually engage customers. This is usually accomplished when the employer sets default rules; it becomes the expected norm of all employees through training, feedback, and evaluations. The added benefit is that it allows security and customer service to be on the same side of an issue, and that’s an increasingly rare opportunity.</p><p>Other possible nudge cues to deter shoplifting are explored in the paper Nudge, Don’t Judge: Using Nudge Theory to Deter Shoplifters, by Dhruv Sharma and Myles Scott of Lancaster University. They include signs that offer to donate profits not lost to shoplifting to charity; attention-grabbing events such as music or videos when customers interact with certain products; and applying the general premise of crime prevention through environmental design (CPTED) to store layouts to increase visibility and surveillance coverage.</p><h4>Nudge Training</h4><p>Security nudges have also been incorporated into awareness training. In 2014, the XL Group, a global insurance provider, sponsored an employee challenge. Each time an employee viewed one of the company’s security videos, XL would donate a dollar to charity. The videos were short (usually about a minute long), and focused on helping the employee secure not only vital company information, but personal information as well. The donations also appealed to an employee’s sense of social responsibility by involving a charity.
The campaign managed to amass over 10,000 views of security videos, and a hefty charity donation.</p><p>Some U.S. government agencies are also using nudge theory practices in security training. In an effort to train employees on the proper ways to respond to email phishing attacks, one agency offered the following incentive: everyone who correctly followed procedure in a phishing attack exercise was made eligible for a small “Phishing Derby” prize. The cost of the prize was minimal (less than $50), but offering it greatly increased participation compared with previous exercises.</p><p>Another agency took a different approach. When the agency sent out reminder notices to employees to complete mandatory security training, it made sure that the notices included the percentage of other employees who had already completed the training. Thus, this approach used peer pressure to conform in a nudge aimed at achieving the desirable result. The result was a higher completion rate, and in a shorter time, than in previous years.</p><h4>Developing Security Nudges</h4><p>Nudges can be used anywhere a user is offered a choice to do the correct thing versus the incorrect thing. The keys are understanding your security policy, understanding your users, and sustaining a willingness to experiment.</p><p>The best place to start is with your own security metrics, especially those that are the most problematic. What areas, processes, or programs have been the most troublesome in terms of compliance? A brainstorming session with a good cross section of security personnel (who in this context are serving as choice architects) often results in useful data and ideas for developing nudges. This cross section should include not only program leaders but program users, who are often the source of the most valuable insights—they provide the “ground truth” on how effective existing security measures really are, and on the parts of the program that are most at risk of noncompliance.
</p><p>It’s also important to recognize what kind of decision we’re trying to influence, in the terms sketched out by Thaler and Sunstein:</p><p> • A complex decision: A decision with many variables</p><p> • An overwhelming decision: A decision with many options</p><p> • An infrequent decision: A decision that comes up very rarely</p><p> • A low feedback decision: No obvious feedback from the decision</p><p> • A delayed consequences decision: Where the feedback comes much later</p><p><br> </p><p>Then, according to Thaler and Sunstein, we need to figure out what flavor of nudge to use:</p><p> • Default rules: Change the rule for everybody to a compliant default</p><p> • Environmental reminders: Posters, checklists</p><p> • Commitment reminders: Constant reminders to steer behavior, like wearing a fitness band as a reminder to take the stairs</p><p> • Designed decisions: Placing the correct decision in front of the customer at the instant the decision needs to be made</p><p><br> </p><p>When implementing nudges, it’s always important to keep two things in mind: ethics and metrics. Ethical nudges don’t compromise the autonomy or the integrity of employees and customers. They simply nudge them into making the correct decision regarding policies they have already agreed to.</p><p>Metrics are necessary both to ensure that the nudges are effective and to justify resources needed to implement them. Few things in business are free; even things that seem small normally have some kind of cost attached to them. The best way to address management on these issues is the cost-benefit approach: have a story to tell, explain the financial and reputational costs of noncompliance, and come prepared with a full cost accounting of the nudge and a plan for implementation. Make approving your plan the “easy” thing to do. If you haven’t caught on by now, you’re nudging your management.
​</p><h4>Sample Security Nudge</h4><p>Here’s an example case of how security nudges can be developed. Nudgella, the security manager at Company X, has noticed an increase in security incidents involving sensitive company information left unattended in the copy room. So Nudgella sets a meeting with the head of the guard force, along with representatives of human resources and IT, to determine the causes and seek solutions. </p><p>In the meeting, it is determined that the issue with the copy room is that employees are printing sensitive documents to the community printer and then failing to retrieve them. Thaler and Sunstein would call this a “delayed consequences decision.” The person actually printing the document doesn’t suffer any consequences for failing to retrieve it for a period of some time, if at all.  </p><p>Those attending the meeting brainstorm solutions, and three rise to the top for possible implementation: an environmental reminder in the form of signs placed around the office reminding employees of their responsibility to safeguard sensitive information; a default rule that would switch all employees to a “secure print” mode where they would be required to input a code at the printer to retrieve their document; and a commitment reminder in the form of a pop-up window reminding employees to retrieve their printouts every time the print button is clicked on.  </p><p>Now, the managers need to convince the C-suite. They arrange a meeting, and the security manager brings in a well-developed plan that can be implemented at minimal cost. Since the IT folks were brought in at the beginning, the technical solutions of secure printing and pop-up banners are well thought out. Since HR was part of the process, any concerns about ethics and privacy were addressed early on. The guard force has already agreed to make periodic rounds of the copy room to assess compliance and provide metrics reporting.  </p><p>The CEO and CIO couldn’t be happier with the effort. 
Nudge accomplished.</p><h4>Embrace Choice, Embrace Change</h4><p>Here’s the big picture question for security managers: Is it easier for an employee to comply with specific security policies and procedures, or not comply? If the answer is not comply, some nudges may be in order.</p><p>Given its importance, security compliance can be seen as a high-value, all-encompassing moral imperative. But managers should also view it as a series of choices made every minute of every day by every individual. Thus, it is the job of the security professional to enable every individual to make the correct choice by making those choices the easiest and least painful ones. Security managers are not just compliance enforcers. They should also embrace their role as choice architects, which will lead them to become change architects as well. </p><p>--<br></p><p><em><strong>Sean Benson, CPP</strong>, is a program security specialist at ISS Action, Inc. He is currently leading technology protection efforts on NASA’s Space Launch System. He is the chairman of the ASIS North Alabama Chapter.</em></p>