The Science and Technology of Counterterrorism: Measuring Physical and Electronic Security Risk
Ebook, 1,006 pages, 8 hours

About this ebook

Scientists with little or no background in security and security professionals with little or no background in science and technology often have difficulty communicating in order to implement the best counterterrorism strategies. The Science and Technology of Counterterrorism offers the necessary theoretical foundation to address real-world terrorism scenarios, effectively bridging the gap. It provides a powerful security assessment methodology, coupled with counterterrorism strategies that are applicable to all terrorism attack vectors. These include biological, chemical, radiological, electromagnetic, explosive, and electronic or cyber attacks. In addition to rigorous estimates of threat vulnerabilities and the effectiveness of risk mitigation, it provides meaningful terrorism risk metrics.

The Science and Technology of Counterterrorism teaches the reader how to think about terrorism risk, and evaluates terrorism scenarios and counterterrorism technologies with sophistication punctuated by humor. Both students and security professionals will significantly benefit from the risk assessment methodologies and guidance on appropriate counterterrorism measures contained within this book.

  • Offers a simple but effective analytic framework to assess counterterrorism risk and realistic measures to address threats
  • Provides the essential scientific principles and tools required for this analysis
  • Explores the increasingly important relationship between physical and electronic risk in meaningful technical detail
  • Evaluates technical security systems to illustrate specific risks using concrete examples

Language: English

Release date: Feb 26, 2014

ISBN: 9780124200616

Author

Carl Young

Carl S. Young is a recognized subject matter expert in information and physical security risk management. He is currently a Managing Director and the Chief Security Officer at Stroz Friedberg, an international security risk consulting firm. He is the former Global Head of Physical Security Technology at Goldman Sachs as well as a former Senior Executive and Supervisory Special Agent at the FBI. He was also a consultant to the JASON Defense Advisory Group. Mr. Young is the author of Metrics and Methods for Security Risk Management (Syngress, 2010), and The Science and Technology of Counterterrorism (Butterworth-Heinemann, 2014) as well as numerous journal publications. In 1997 he was awarded the President’s Foreign Intelligence Advisory Board (PFIAB) James R. Killian Award by the White House for significant individual contributions to U.S. national security. Mr. Young received undergraduate and graduate degrees in mathematics and physics from the Massachusetts Institute of Technology.

    Book preview

    Preface

    Pierre-Simon Laplace

    This is my second book on security risk management. In Metrics and Methods for Security Risk Management, I examined the individual components of risk for a variety of physical security threats. I also discussed the importance of identifying the risk factors that affect those components of risk. This book expands on those themes, and there is admittedly some duplication in specific areas.

    However, I had different objectives in writing this book, and therefore this is a very different work. In both books I provide a framework for security risk assessments. This is fundamental to addressing counterterrorism issues from first principles and to developing truly strategic solutions.

    But in this book I hope to create a comprehensive reference that is useful to practicing security professionals. To that end, I specify the theory that underpins fundamental security controls, and importantly, how theory affects implementation. The focus is clearly on technology controls related to counterterrorism, but I include other methods that apply to more general problems in security.

    The main objective of this book is to teach the reader how to think strategically about security risk management by understanding fundamental security principles and methods. I also provide supporting technical details to enable the application of those principles to realistic terrorism scenarios. Anyone can memorize a list of widgets and technical specifications. When security technologies are viewed as controls that affect the overall security risk profile, the development of a risk-based strategy is possible.

    To that end, the risk assessment framework specified in Chapter 1 is a recurring theme throughout this book. This is because it provides the rationale for every counterterrorism control discussed thereafter and is essential to developing a risk-based mitigation strategy. Although it is a relatively simple framework, examples are always helpful. I therefore provide numerous examples gleaned from actual security scenarios. Such examples also illustrate the practical limits on controls that are often imposed by Mother Nature.

    In some cases these examples may seem a bit esoteric. I might indeed agree, but sometimes it is valuable to stretch the limits of the imagination in thinking about security. Our field can be constrained by templated thinking and the reflexive use of checklists. There is a benefit to thinking about security in nontraditional ways.

    Chapters 2 and 3 discuss tools that could be used to "measure" security and counterterrorism risk. The word "measure" is in quotation marks because the results are typically estimates; exact measurements of security risk are frequently elusive. The importance of uncertainty in terrorism is also explained, and this includes a discussion on random variables. Ironically, the assumption that a risk factor is a normally distributed random variable introduces a degree of certainty to the inherently uncertain world of counterterrorism.

    It is important to know how security technologies work mainly because it is relevant to evaluating their effectiveness in addressing risk. Understanding threats on a scientific level is also important, in part because it is the science that often dictates the magnitude of the vulnerability component of risk. Moreover, scientific and risk-based explanations of security threats and mitigation technologies are typically absent from traditional security references or are presented in nonsecurity-related contexts. When such concepts are not coupled to security issues they can seem too abstract to be useful.

    In that vein, simple physical models are presented in Chapter 4 along with their application to broad classes of security problems. These models include point sources of radiation, exponentially increasing and decreasing processes, harmonic motion, and Gaussian plumes. In my experience these are most useful in performing back-of-the-envelope calculations to yield order-of-magnitude estimates of security risk. Such estimates also provide a valuable reality check on intuition.

    Chapter 5 provides a unique method of examining risk. Specifically, the risk factors of various threats are assumed to be normally distributed random variables. What evolves from this assumption is a means of determining the likelihood of the effectiveness of security controls. This is fundamentally different than calculating the likelihood of a future terrorist incident, a typically fruitless endeavor.

    Chapter 6 is devoted exclusively to analyzing the risk associated with conventional explosive threats. Understanding how such threats scale, i.e., change, with distance and payload is central to estimating vulnerability. As always, specifying the risk factors for a given threat or attack vector is essential to developing an effective risk mitigation strategy.

    Chapter 7 discusses nontraditional terrorism threats. These include radiological, chemical, biological, and electromagnetic pulse weapons. The models discussed in Chapter 4 are used to develop a realistic if coarse estimate of the vulnerability to these threats and the effectiveness of controls.

    Another key objective of this book is to provide a deeper understanding of electronic terrorism risk. The distinction between electronic terrorists and other cyber criminals may be mostly semantic. However, in Chapter 8 the focus is on electronic threats that might have particular appeal to a terrorist, based on the potential damage inflicted and/or headlines achieved through such an attack. Detailed analyses of relevant controls and how they address common modes of attack follow discussions of the threats themselves. With respect to controls, emphasis is placed on monitoring inter-zone network traffic in the spirit of measuring risk in this context.

    Importantly, in Chapter 9 there is a detailed discussion on the increasing convergence of physical and electronic security risk. In that discussion, specific physical security system components with potential electronic vulnerabilities are identified in addition to showing how physical vulnerabilities facilitate electronic attacks. This convergence is often mentioned in security literature but the details are sometimes missing. Absent information showing where and how this convergence occurs, such treatments do not convey a full appreciation of the risks.

    Providing the proper balance between theory and practice is important in a book that strives to be useful for both practitioners and academics. Chapters 10, 11, and 12 cover the fundamental controls of physical security. The treatment is risk-based with explanations grounded in science and augmented by quantitative analyses. Physical access control systems, sensors, and CCTV are discussed in detail as well as their application to various counterterrorism scenarios. A statistical treatment of security device/sensor performance is also presented, an analysis that is in keeping with a more quantitative treatment of risk.

    The theoretical foundations of threats and technologies are central to understanding risk, but as noted above, a key objective is to provide a useful reference for security practitioners. Therefore, I attempt to identify rules of thumb and simple performance metrics associated with security technologies. These are approximations that are useful in quickly assessing risk and/or in performing back-of-the-envelope calculations of system performance. The pixel density for CCTV systems immediately comes to mind. Numerous tables with security technology specifications are included that are useful in examining risk, and which are particularly handy when compiled in a single reference.

    Although some readers might be put off by the occasional mathematical excursions, I believe the game is worth the chase. These may also save the day the next time you are asked for a more rigorous justification of a security-related expenditure. Hopefully you will agree, and thereafter view security risk management in a more analytic light.

    Problems are provided at the conclusion of each chapter. These are intended to test the student’s grasp of the fundamental concepts. Many of these problems derive from real-life scenarios and I often attempt to put the reader in the shoes of security decision-makers. Despite my occasional attempt at humor, it is important to keep in mind that decisions made by security professionals can have significant consequences. All problems are tightly coupled to the concepts imparted in the text. In my view this is essential in order to satisfy the book’s objectives.

    Finally, I must comment on terrorism itself. Terrorism has become useful to politicians, and is sometimes invoked to further nonsecurity-related agendas. Those in power get to determine who is a terrorist and who is a legitimate defender of the realm. Dictators are fond of labeling opponents who favor democracy as terrorists.

    Security professionals are obliged to demonstrate more integrity and intellectual rigor than politicians, which fortunately is not difficult. There is a science to measuring security risk, and that is what this book is all about.

    The most important questions of life are indeed, for the most part, really only problems of probability.

    (Théorie Analytique des Probabilités: 1812)

    Part I

    Modeling Terrorism Risk

    Chapter 1

    Terrorism Threats, Risk, and Risk Assessments

    1.1 Introduction: Decisions and Risk

    Risk management has an image problem. There seems to be a never-ending stream of headlines about some corporate misstep resulting in billions of dollars in losses that is blamed on poor risk management. We typically only hear about the significant transgressions since big losses and major tragedies make news. The fact is that every financial transaction with a buyer and a seller has a winner and a loser. Therefore, gains and losses are happening all the time. Risk management is presumably at work with little notice until an issue becomes public.

    Significant losses often point to a disregard for existing risk management processes rather than flaws in the process itself. So it would seem that risk management is not fundamentally flawed. Rather, it is often selectively applied or intentionally disregarded.

    It is also important to appreciate that the tolerance for risk is not constant across professions, and this contributes to an imbalance in expectations on performance. In some fields of endeavor, the tolerance for risk is thankfully quite low. Few people would willingly fly on an airline whose risk management efforts resulted in a 70 percent success rate. Similar statistical expectations exist for other professionals such as surgeons, electricians, riggers, and plumbers. Most people would not be very happy if they had a 70 percent chance of a functional toilet following a visit by the plumber.

    On the other hand, the manager of a major league baseball team would be handsomely rewarded for a 70 percent winning percentage. The services of a major league hitter with a mere 30 percent success rate would be even more valued, and no doubt rewarded in kind. Maybe the real lesson here is to carefully choose your profession...and your plumber.

    There is a tacit assumption that winning at the professional level in baseball is inherently more difficult than plumbing. Note this says nothing about the relative importance of a plumber versus a baseball manager. This likely depends on the status of one’s bathroom at the time the question is posed.

    Society’s tolerance or intolerance for varying levels of risk management is based on expectations informed by statistical norms. These expectations will change as these statistics evolve and a new mean and standard deviation for performance emerge over time. Usually this is a slow process.

    A precipitous change in performance statistics for a large population is a strong indicator that some external influence is at work. For example, during the baseball steroid era (approximately from 1998 to 2005), the home run production from hitters increased dramatically across the major leagues. As if by magic, hitting 40 home runs in a season became a regular occurrence. Just as suddenly, hitters’ home run statistics and fan expectations reverted to the previous mean, probably as a consequence of stringent testing for performance-enhancing drugs.

    Statistical outliers in sports do occur, and they take their rightful place at the extreme tails of a normal distribution. For example, Bob Beamon shattered the world long jump record at the 1968 Olympics in Mexico City. In a single attempt he beat the existing record by 21.75 inches. Prior to this effort, the average improvement of the world record was 2.5 inches/jump. So Beamon’s singular effort in Mexico City was nearly nine times the average incremental improvement. However, this type of rare event is not the same as a wholesale shift in the performance of a large population over a short time period.

    Risk management is also more easily measured in some professions than others. Fortunately or not, this ease of measurement enhances the intensity of the public spotlight. For example, if planes crash, large numbers of people die in surgery at a hospital, or the Yankees lose to the Red Sox and vice versa (the latter is a more likely outcome), a number of people will be upset. Performance statistics in certain industries are intensely reviewed, and outcomes are constantly compared among peer organizations.

    Decisions based on risk management are central to our personal and professional lives. In fact, each and every decision we make is a form of risk management. This is because every decision, no matter how trivial, boils down to a choice between outcomes with varying effects on our lives. Therefore, each outcome carries risk in the broadest sense of the word. This process applies to any issue, whether it is deciding between green beans and carrots for dinner, swinging at a pitch or not, selecting Harvard or Yale for college, or choosing between Betty and Barbara as a spouse.

    The pros and cons of Betty versus Barbara notwithstanding, most decisions that require our attention are not very difficult. This probably has more to do with the types of decisions we face than our native decision-making ability. It is a good bet that nearly all readers of this book live in a stable environment and do not lack the necessities of life. Therefore, we are spared the burden of making choices with life-and-death consequences.

    It was not so long ago that life-and-death decisions were an everyday event for most humans on the planet. In some parts of the world this is likely still the case. One crude performance metric for the success of a nation might be the average rate of life-and-death decisions faced by its citizens.

    This facility for decision-making may be an evolutionary artifact of Homo sapiens and therefore indicative of our evolved thought process. Whatever the explanation, the fact is that risk is built into all our decisions. Whether decision-making is an innate human characteristic is a topic best suited for scientists who study such things.

    But it does not require a Ph.D. in zoology to appreciate that animals do not make decisions in the same way that humans do, if at all. Animals rely on instinct whereas humans leverage experience and are clearly influenced by factors like emotion and peer pressure. That said, the reader is referred to a fascinating article describing vervet monkeys who gave up their dislike of colored corn when they changed locations and observed other monkeys eating it.[1]

    Consider the daily struggles of your average jungle carnivore. Such animals are focused on survival, which in the near- and long-term translates to eating and procreating, respectively. They do not have the luxury of succumbing to trivial distractions from the Darwinian competition for survival that occurs up and down the food chain every day.

    The long-term prospects for a lioness would be dire if she was racked with indecision before each day’s hunt on the savanna. Such indulgences would adversely affect her as well as the entire pride. The lioness is programmed for survival, and food obtained through killing or scavenging is essential to her and her pride’s survival.

    The challenge for the lioness is particularly daunting, especially since she does not have a credit card at her disposal. Her pre-dining efforts entail searching, locating, stalking, chasing, catching, and killing her prey. Contrast this with the trivial effort required to order my quotidian dose of Asian takeout. Fortunately, evolution has served the lioness well, although the statistics show that success at hunting is not at all guaranteed.[2]

    The daily quest for food by humans is likely not too difficult for those individuals reading this book. This is clearly the case because if you have paid for this book then acquiring food was a lesser priority. If you received this book as a gift then I assume your kindly benefactor would have chosen to buy you a meal rather than a book notwithstanding this particular book’s intrinsic value. In fact, in New York City one merely has to pick up the phone, mumble a 10-digit number plus an expiration date, and food will magically appear at your doorstep. Death through overindulgence is a more likely outcome for the more fortunate members of our species.

    In contrast to most of our mammalian counterparts, humans have the simultaneous luxury and curse of distractions resulting from an avalanche of trivial exercises in risk management known as decisions. Most of these are resolved with relative ease despite the consequences of a bad choice.

    Consider the decisions required during a routine trip to the grocery store. Do I hop in the car or take public transportation? If I do take the car, should I exceed the speed limit or obey the law? Should I run the yellow light or sit through another frustrating cycle of signal changes? How about knocking down a cold beer (or two) versus drinking Diet Coke before departing? Should I snag a few uninspiring Brussels sprouts or indulge in a bag of artery-hardening potato chips? It is no wonder that ordering takeout seems so liberating.

    In any decision, choosing one option over another has consequences. Absent risk, all choices would essentially be equivalent, and you would end up staring at the grocery shelf in perpetuity. This actually happens to me when I am in the vegetable section since all possible outcomes seem equally bad. I attribute this to a personal failure in risk management rather than a penchant for unhealthy food.

    Humans often make the wrong decision on relatively significant issues. The silver lining is that these decisions appear to be having a limited impact on the survival of our species, although the final chapter has not been written on the effects of our current cycle of climate change.

    More impactful decisions such as which person to marry might make the point more convincingly. Although humans may be innate decision makers, we clearly have not perfected the process. As noted above, it is possible that modern decisions have limited biological consequences, hence there is no evolutionary pressure to improve. Nature may therefore be agnostic to our decision-making efforts, flawed or otherwise, which means we have the potential to continue this way in perpetuity.

    1.2 Threats and the Components of Risk

    Questions regarding the risk of marriage and successful lion hunting are no doubt fascinating, but exploring the risk associated with the threat of terrorism should be our main focus.

    Understanding the threats posed by terrorists is fundamental to developing an effective security risk-mitigation strategy. In fact, identifying the spectrum of what I choose to call the set of distinct and impactful threats should be the starting point for a rigorous assessment of security risk. Let’s explore what we mean by distinct and impactful threats.

    Later in this section we will spell out and examine the three components of risk in more detail. However, one of those components requires mention up front: impact. The impact component of risk specifies how important or meaningful that threat is to the affected entities. After all, not all threats will be of consequence, so identifying what is and is not impactful represents an essential filter in determining risk relevance. In addition, the impact component of risk is important in determining if it is worth expending resources on addressing the risk associated with that threat.

    It should not be too difficult to understand whether a specific threat is impactful. For example, a boat owner in Miami should probably not be too concerned about blizzards in Canada.

    The notion of distinctness can be trickier to understand, but it is key to identifying risk mitigation. Threats that are commonly lumped together as terrorism can actually be quite dissimilar, and different mitigation measures might be required to reflect those differences. There needs to be a test for distinctness, and fortunately there is one, which will also be discussed later in this chapter.

    Specific attack vectors must also be identified as part of the exercise in identifying threats. An attack vector is a fancy name for a specific mode of implementing a threat. Vehicle-borne explosives, the use of firearms with the purpose of terrorizing the population, and the dispersal of biological agents are examples of attack vectors that are subsumed under the more general heading of terrorism.

    A security strategy is not very strategic if the threats of concern are not appreciated and/or their relative impact is not understood. A brief digression regarding the distinction between threats and risk is warranted at this point.

    A threat can be defined as anything that causes harm or loss, intentional or not. We will accept it as a fact that the outcome of a threat is to make one worse off than before the threat occurred. Of course, the notion of worse is subjective. The same threat will not affect all individuals in the same way. In fact, some things in everyday life are viewed as a scourge by some and embraced by others.

    Religion and television immediately come to mind. Religion is too controversial, so I will sidestep that issue. Although some might argue that television expands our collective consciousness, it might not be so beneficial for the more impressionable members of society, as Figure 1.1 suggests. It appears from this data that the number of hours spent watching television and grade point average are moderately anticorrelated.

    Figure 1.1 Television risk. (Information from: The ‘Evils’ of Television: The Amount of Television Viewing and School Performance Levels. Indiana University South Bend. https://www.iusb.edu/ugr-journal/static/2002/hershberger.php.)

    Yet aspiring to a rigorous approach in assessing security risk imposes certain demands. At a minimum, one should be precise about terminology. People often conflate the terms threat and risk, which can cause confusion regarding the precise focus of a strategy. Even experts get this wrong.

    In addition, the verb threaten is sometimes confused with the noun, threat. To threaten actually implies the existence of an underlying threat (e.g., physical assault, firing from a job, withholding support such as food or money, etc.), so the act of threatening is merely an explicit announcement of an impending threat. But this begs the important question, What is risk? Simply put, if a threat causes harm and generally makes one worse off, the risk associated with a threat defines the essential properties of that threat. These are admittedly abstract concepts that need more concrete descriptions in order to be fully appreciated.

    A threat is analogous to a force in physics. A force requires certain features in order to have an effect. For example, the force of gravity requires at least two objects with mass in order for the familiar pull to occur. In the same way, a threat requires risk in order to have an effect. In other words, a threat is not threatening without risk, just as gravity is not gravitational (i.e., an attracting influence) without objects that have mass.

    In Section 1.1 it was noted how each decision was an exercise in risk management since all decisions carried risk. It turns out that security-related decisions are no different than any other types of decision in terms of the underlying assessment process. The problem with decisions on security is that security solutions sometimes become decoupled from the drivers of those solutions, i.e., threats. In fact, decisions on security risk mitigation can sometimes seem whimsical as a result of a reflexive deployment of a standard set of equipment. This can happen when the risk associated with a threat is not carefully evaluated and understood.

    Moreover, in the absence of security incident statistics or a proper laboratory to conduct controlled experiments, the effectiveness of counterterrorism controls cannot be rigorously tested. Inevitably, solutions are implemented without really understanding their effect on the security risk profile.

    What is missing? At the highest level, a process is required to assess security risk and then determine the appropriate controls required to manage that risk. What are the benefits of such a process? Most importantly, it provides an explicit connection between security threats and risk mitigation. Of course this presumes one has a genuine understanding of the relevant threats and associated risk. This can be a nontrivial exercise, and learning how to do this is a key objective of this book.

    Before we can examine the risk assessment process in detail, we must describe risk with precision. It has been previously stated without accompanying detail that risk has three components. Understanding these components is critical to developing an effective security strategy. These components are as follows:

    ■ Threat impact (i.e., importance)

    ■ Threat likelihood (i.e., potential for occurrence)

    ■ Threat vulnerability (i.e., the consequences or the exposure to loss if the threat does occur)

    Each of these three components of risk must exist for a threat to be threatening. If the magnitude of a single component is zero then the threat is merely an abstraction. We can express the relationship between threats and risk in compact form in what I dramatically call the Fundamental Expression of Risk.

    The proper way to read this expression is as follows: The risk associated with a given threat is equal to the product of that threat’s impact times the threat likelihood times the vulnerability to that threat.

    One should not be too literal in the mathematical interpretation of this expression. Each component of risk is not necessarily equally weighted, contrary to how it is written. In fact, assessing the relative magnitude of each component of risk for a given threat is the first step in conducting a proper security risk assessment.

    1.3 Risk Assessments

    There are typically many issues to address when defending an organization against the spectrum of distinct and impactful threats. If unlimited resources are available, one can avoid the mental effort inherent in a risk-based approach. One can also ignore this book. Fortunately I am relatively safe in assuming that infinite budgets are not generally available. So, how should one apportion resources in accordance with a finite security budget and thereby address the set of distinct and impactful threats?

    Those constrained by budgets need to be judicious in applying risk mitigation. Specifically, they require a strategy that prioritizes the set of distinct and impactful threats and suggests risk-mitigation measures that are proportionate to those threats. A security strategy is actually a prioritized set of risk-mitigation measures. Identifying such a strategy is often easier said than done, and it can be a daunting task for complex organizations with numerous business units, a global footprint, etc.

    Developing a bona fide security strategy requires a proper risk assessment using a rigorous methodology. However, one warning from the outset is that it is easy to get hung up on details in the process. The breadth and scope of assessing a large organization can seem overwhelming, so latching on to the most visible, low-hanging fruit is tempting. Although details are important, an initial focus on minutiae can obfuscate systemic issues. In general, when tackling a complex problem it is advantageous to identify general areas first and then drill down on the details rather than vice versa.

    We actually specified the first step in a proper security risk assessment process in the previous section. Namely, identify all the distinct and impactful threats and threat attack vectors. In other words, an evaluation of the impact component of risk for each distinct threat or threat attack vector represents the initial phase of a security risk assessment.

    This seems straightforward, but it can actually be a nontrivial exercise. Identifying the precise threats and attack vectors of concern requires insight into the various modes of attack as well as an understanding of how an organization conducts business to determine which threats are indeed impactful.

    The next step is to assess the relative magnitude of the remaining components of risk associated with each of the identified threats and attack vectors. Importantly, it is essential to specify which component of risk is driving the mitigation strategy. For example, consider a counterterrorism strategy designed to protect the lobby of a building. The security director has wisely decided to install turnstiles to minimize the risk of terrorism and the possibility of other threats by reducing the vulnerability to unauthorized physical access via piggybacking. However, the individual who passes through a turnstile may be using someone else’s ID to gain unauthorized physical access. If the likelihood of this is deemed to be low, should some form of authentication be employed as an added control such as a biometric or a security officer checking ID photographs? The answers to this and similar security questions are not always clear since such moves involve a cost.

    I once asked my class at John Jay College to estimate the rate at which individuals were bypassing the turnstiles in the lobby of our classroom building. I asked the question to see whether they would recommend adding authentication as a security control, and if so, how would they justify their decision. Their estimates of risk varied wildly since they were relying on impressions based on informal observations and anecdote. My point was less about arriving at the correct answer (note: there is often no correct or incorrect answer to risk-type problems; there are only substantiated or unsubstantiated explanations about risk) than to illustrate the importance of making decisions based on a rigorous assessment of risk.

    It is possible that the cost of implementing authentication does not make sense in view of limited vulnerability and/or a smallish likelihood component of risk. However, such a decision should be based on an actual evaluation of the components of risk. In my experience such an evaluation is often lacking.
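One way to turn the turnstile question into a substantiated estimate rather than an impression is to tally entries and observed bypasses, then report the rate with a confidence interval. The sketch below is an added example, not material from the book: the session tallies are constructed, and the Wilson score interval is a standard statistical choice made here, not a method the text prescribes.

```python
import math

def wilson_interval(events, trials, z=1.96):
    """Wilson score interval for a proportion (z=1.96 gives roughly 95%)."""
    if trials <= 0 or not 0 <= events <= trials:
        raise ValueError("need trials > 0 and 0 <= events <= trials")
    p = events / trials
    denom = 1 + z * z / trials
    centre = (p + z * z / (2 * trials)) / denom
    half = z * math.sqrt(p * (1 - p) / trials
                         + z * z / (4 * trials * trials)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)

# Constructed sample data: (session label, entries observed, bypasses seen).
SESSIONS = [
    ("Mon 08:30", 212, 3),
    ("Wed 12:15", 148, 1),
    ("Fri 17:45", 190, 4),
]

def pooled_estimate(sessions):
    """Pool all sessions into one bypass rate with its interval."""
    entries = sum(n for _, n, _ in sessions)
    bypasses = sum(k for _, _, k in sessions)
    low, high = wilson_interval(bypasses, entries)
    return bypasses / entries, low, high

def entries_needed(assumed_rate, half_width, z=1.96):
    """Observations needed for a given interval half-width (normal approx.)."""
    return math.ceil(z * z * assumed_rate * (1 - assumed_rate) / half_width ** 2)

if __name__ == "__main__":
    rate, low, high = pooled_estimate(SESSIONS)
    print(f"pooled bypass rate {rate:.2%}, 95% interval {low:.2%} to {high:.2%}")
    # A short, casual watch that sees no bypass at all proves very little:
    low0, high0 = wilson_interval(0, 50)
    print(f"0 bypasses in 50 entries still allows up to {high0:.1%}")
    print("entries to pin a ~1.5% rate to +/-0.5%:", entries_needed(0.015, 0.005))
```

The zero-bypass case is the informative one: fifty entries watched without incident is still consistent with a bypass rate of several percent, which is why estimates based on informal observation vary so widely.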

    Returning to the assessment process, it is imperative that each distinct and impactful attack vector be identified when assessing terrorism risk, otherwise the risk-mitigation strategy might address irrelevant vulnerabilities or miss them altogether. Fortunately there is a way to test for distinctness, and this conveniently leads to the next step in the security risk assessment process as discussed in Section 1.6. Figure 1.2 illustrates the balance required in assessing the likelihood and vulnerability components of risk.

    Figure 1.2 Assessing the components of risk.

    1.4 Security Risk Trade-Offs

    Operational decisions with security implications often require trade-offs that are driven by an organization’s business model. A good example of this occurs at museums. I sometimes visit the Metropolitan Museum of Art in New York City, which is just across the park from my home. The Met is an iconic institution that possesses countless art treasures. I am personally fond of the baseball card collection, much to the frustration of my more cultured friends.

    One day I found myself hanging around the museum lobby deciding which collection to visit. After watching the security staff in action, it dawned on me that the museum does not authenticate the identity of visitors prior to allowing physical access to the exhibits. How is that possible in light of the priceless collections of art and the close proximity of millions of visitors to those items?

    The Met does inspect bags upon entry, but I believe this is primarily intended as a counterterrorism measure. In all candor, inspection of bags alone does not make a lot of sense unless art-loving terrorists are preternaturally averse to hand-carrying their weapons. Absent evidence to the contrary, this likely qualifies as security theatre, a concept explored in Section 2.5. However, a brief digression on this point is warranted.

    Goldman Sachs implemented X-ray inspections of bags carried into their New York City buildings immediately after 9/11. In a scenario reminiscent of the Met, individuals were not personally inspected for weapons. Therefore, any terrorist who hand-carried a firearm or a bomb was relatively immune to detection.

    Setting aside the potential for someone attacking Goldman Sachs in this way, it was clear to even the casual observer that inspecting bags alone was ineffective. This was certainly apparent to my nonsecurity-trained friends, who reminded me of the flawed logic at every opportunity. Adding insult to injury, the X-ray inspectors themselves were often observed to be inattentive.

    The X-ray procedure was not just a waste of time and money. It actually had a more damaging effect: it caused employees to lose faith in the physical security program. This experience provided a valuable lesson about the collateral effects of security theatre. Goldman Sachs employees are generally quite intelligent, so when subjected to a nonrisk-based and inconvenient procedure the result was collective cynicism and distrust.

    Returning to the Metropolitan Museum of Art’s security strategy, it too focuses on confirming that one is authorized to enter the facility. However, this translates to ensuring the entrance fee is paid. So 25 bucks allows any person to get within inches of many extremely expensive assets. Is this a prudent security strategy?

    A museum’s security professionals probably recognize that this strategy is not ideal, but they also realize it is driven by necessity. The museum assumes that the risk associated with theft, sabotage, etc., is roughly the same from person to person. Absent evidence to the contrary, the assumption is that the security risks posed by Carl Young are the same as those posed by anyone else relative to the threats just noted. This is a necessary assumption since accommodating visitors is the whole point of a museum. If you overly inhibit visitors, the entire museum could come to a grinding halt. This highlights the importance of understanding an organization’s business model before prescribing security measures.

    What other controls might help manage the risk in this context? Adding a control such as background checks on each of the nearly 6 million annual visitors might reduce risk, but this is not a realistic option. Other standard physical security controls such as authentication of identity and confirmation of authorized physical access are also not compatible with the museum’s business model. As noted above, it does not matter if Carl Young is a mass murderer in this context. All visitors are assumed to pose an equivalent risk to the museum with respect to the physical threats of concern.

    What controls does the museum use to address the risk factor of close physical proximity to high-value items? The answer is they saturate the environment with security officers and antitheft technology. This is an expensive
