Executive Protection

The Aggressor's MO and other things we tend to overlook when planning security

As we already know, a good cost-effective security system is the kind that addresses the most feasible vulnerabilities and threats to critical assets within the security budget constraints.
In order to get there, we map our assets and conduct threat assessments on them as part of our security survey methodology.

So far so good, but more often than not it becomes clear at that stage that the cost of an adequate security blanket for the highlighted vulnerabilities exceeds budget limits. When confronted with this all too common problem, there are a few ways one can go about it. The first: campaign for the missing bucks, "since any reduction of our plan will leave our company exposed and subsequently bleeding…" The second: go over the threat assessment once again and lower the initial paranoia level or, in other words, run our security plan through a diet program.
In most cases it will be a combination of both approaches that will get the CSO through a security plan approval without getting kicked out the door and down the stairs.

In order to concentrate on the absolute essentials and trim the plan where it will hurt least, we have to go back to the basic, known to all, yet never fully exploited principle of "Knowing our enemy". If you can't mend all the holes in your system, you should at least concentrate on the ones that are crime magnets and enablers, and to do so effectively one should learn the rationale and methodology that characterize most premeditated criminal activities.

A good way of describing the rationale behind a criminal act (seasoned criminals and first-timers alike) is the following equation:

Temptation + Opportunity + Rationalization = Crime Potential
Temptation – Expected benefits
Opportunity – "The hole in the fence"
Rationalization – The state of mind & reasoning that leads a potential perpetrator to think that "he/she can get away with it"
Crime Potential – The threat

Focus on the security-system elements that eliminate / minimize the effect of one or more factors on the left side of the equation, and you minimize Crime Potential.
Knowing the methodology of a potential adversary and putting that knowledge to use for better preventive practices is a bit more complex, but it pays to get acquainted with it.

 

The 9 steps from Marking to Harvesting are characteristic of most premeditated crimes

Marking – choosing a target ("Mark" in criminal lingo)
Intelligence gathering – mainly open sources, but also HUMINT (source running)
Surveillance – confirming the intelligence and routine by physical surveillance, eavesdropping, "hacking"
Planning – choosing the method and putting the bits and pieces together into an operational plan
Tooling up / Infrastructure – Needed Equipment & logistical support
Rehearsing, training – dry runs and practice
Executing – the actual act / attack
Disengaging / Getaway – leaving the scene
Harvesting – Capitalizing on a successful act / loot / payment

 

Let us analyze these steps through reverse engineering and see if we can improve our defense system and prevention tactics, while reducing costs.
It should be clear that not all steps lend themselves to preventing / intercepting criminal actions, since not every phase exposes the aggressor in such a manner that we can flush him out. Yet a heightened awareness of the crime methodology can supply us with the needed hints, so that we might be able to apply countermeasures when something bad is "cooking".

 

Prevention / interception ideas in the various stages, from end to start:

Harvesting – adopting an ongoing strict policy of going after a perpetrator or the loot (not just cutting the losses) and publicizing successes (if & when they occur) can deter certain perpetrators from taking on an organization that treats its wrongdoers with vengeance.
Getaway – in some businesses (primarily the ones that depend on public access) it is hard to deny potential perpetrators access to guarded assets. Installing systems that automatically shut exits and eliminate escape routes (certain banks & museums have systems of this kind) can create the necessary deterrence. Another example is set by certain E.P. (Executive Protection) outfits that, in order to take away the edge from motorbike attackers in dense traffic, deploy their own motorbike-mounted agents, who have the same advantages and can foil such attacks and cut off the aggressor's getaway routes.
Executing – when an attack is in progress, it means that our prevention practices and alarm systems have failed. Well prepared and rehearsed counterattacks and proactive practices can mitigate the impact and reduce the damage. In those cases where we've managed to anticipate the type of attack that eventually occurred, some surprise responses / countermeasures, prepared in advance, could be activated in order to distract the aggressor and foil his original plan. Since no security system can fully protect any given organization, certain threats can only be covered by a well designed ERP (Emergency Recovery Plan) / DRP (Disaster Recovery Plan). It is the policy of some companies to reduce expenditure on security (because of its coverage limits) and instead invest the money in a good DRP / ERP to ensure BC (Business Continuity) regardless of the kind of attack.
Rehearsing – as some perpetrators train for their act by rehearsing (at the actual scene or on a mockup), alertness to unusual occurrences in our surroundings and paying attention to warning signs (such as foreign students in flight schools who behave strangely and are not interested in landing practice… as in the case of the 9/11 perpetrators) could give us timely warnings to heighten our state of readiness.
Tooling-up – preparing the supporting infrastructure and gathering the tools needed for an attack can also expose an aggressor and raise warning flags with law-enforcement and intelligence entities and with the well-connected, savvy CSO.
Regulating and monitoring the purchase and stockpiling of exotic hardware / materials can provide the necessary hints of actions in preparation. For instance, the import ban on "urea nitrate" in its granular form (as was used in the Oklahoma bombing) instated in some countries, which allows this popular fertilizer to be imported only in its liquid form (which is harder to process into explosive charges), is an example of prevention by regulatory acts.
Planning – this phase, involving no exposure, presents us with very few intervention / interception opportunities. Yet, as it is based and dependent on good, accurate and updated intelligence, good "Opsec" (operational security) practices regarding sensitive information (such as itineraries and system weaknesses that can serve an aggressor in planning an attack) keep that information from ending up in the wrong hands. Another way to foil a plan is by spreading misleading information, but that requires a link leading to our adversaries.
Surveillance – the phase in which the aggressor verifies and updates the intelligence he has collected, initially from a safe distance, and fills in the bits and pieces needed to execute his attack. This is also, in many cases, the first step that requires the aggressor's presence at the scene, and hence provides us with good opportunities to flush him out. There are many surveillance methods and forms and as many counter-surveillance and surveillance-detection methods. It is important to understand that it's not only about prevention / detection, but how we respond to it: when do we shake off physical surveillance, and when should we try hard not to lose our "tails" in order to be able to "whack the dog" later? Isolating a detected listening device from critical information and using it to feed our opponents with misleading info is yet another option. Physical surveillance, for instance, is often detected by non-security people who happen to be in the area, such as gardeners or a bored Granny who is watching her street from the balcony. Connecting with such sources can give security an inexpensive, extra edge against people casing their installations. Patrolling our perimeters and overtly taking pictures of those we suspect or find out of place is a good counter-surveillance practice as well.
Intelligence gathering – in the old days, it was said that 80% of all intelligence reports (top secret included) are derived from open sources. I guess that in the era of the World Wide Web it is pretty safe to say that the number has risen to over 90%. When searching the web for information published about ourselves / our organization, we will often be surprised by the amount of data that can be found there. It is also clear that a major bulk of this compiled information (data that might make an aggressor or competitor extremely happy) was supplied by none other than ourselves or people acting on our behalf.
Most of this information is probably important for the marketing of our products and services, and therefore published for a good reason, but it often contains excessive information that might help our opponents, competition etc., because no one on our side looked at it, prior to publishing, through the eyes of an aggressor. In other words, lack of "censorship".
Other common intelligence methods are: live source running, "moles", information extraction through manipulation and "Social Engineering", or IT invasions such as "Trojan Horse" programs. Once again, awareness, proper procedures and employee sensitizing are relatively low-cost yet fairly effective countermeasures.
Marking – choosing the target is the first step an aggressor takes that concerns us. The question is: is there anything we can do at that early phase to avoid becoming a "Mark"? There is a lot we can do, starting with solid and visible security that creates deterrence. The image an organization / individual projects can either attract or divert aggressors of different agendas. If that's the kind of threat one faces, a "face lift" to one's image should be considered.
When undertaking certain commercial endeavors we often do preliminary studies and risk assessments, but mainly regarding the financial aspect. Only on rare occasions do we look at the processes we might set in motion with potential foes in order to defuse the situation before it becomes an imminent threat. Taking precautionary actions "before stepping on someone's toe" can mean the difference between becoming or not becoming someone's "mark".

 
