Wednesday, October 2, 2013

Improving Security in Public Places

Despite having been mostly engrossed in my recent close protection course, I couldn't help but hear about the Westgate mall attack in Kenya. As Kenyan and international authorities attempt to ascertain what went wrong, and how members of al Shabab were able to take over the mall, the RAND Corporation has two items which are worth your attention: an article that they first published in July of this year about the possibility of a Mumbai-style attack in the United States, and a 2006 technical report about the risk of terrorism at America's shopping centers. Both are worth your attention.

The challenge with security at malls and other public places with respect to terrorism is one of managing risks and balancing costs and benefits. In the case of the Westgate mall in Nairobi, or the 2012 Aurora theater shooting, or the Newtown school shooting, or the Washington Navy Yard shooting, the question isn't so much "Can we provide adequate security to ensure that this won't happen?" Rather, the issue raises several questions:
1) What would adequate security cost?
2) Is that cost commensurate with the likelihood of the threat?
3) If not, how much risk are we willing to assume?
4) Based upon that level of risk, what measures are we willing to put in place?
People like to look at the financial costs of these measures, because that's easy to quantify. What's more difficult to quantify, and often overlooked, are some of what I'll call the "opportunity costs", or perhaps "operational costs". As with a number of other factors, security requirements must always be balanced with an organization's ability to perform its purpose. Here are a couple of examples.

I worked for a now-defunct organizations that was, for all intents and purposes, a think tank. As such, information security was a big concern for that organization's risk management folks. At the same time, the staff needed to be able to share information with one another, and with partner organizations, so the type of aggressive security measures that might eliminate those risks weren't really an option - even if they were implemented, the risk management folks might run the risk of the staff finding ways to circumvent security measures that were preventing them from accomplishing organizational requirements. That became a constant balancing act for the folks involved in managing the risks of unauthorized disclosure of one sort of information or another.

Later, I worked for a now-defunct organization that performed vehicle maintenance. This organization didn't suffer from such overwhelming information security risks, but there was a much higher danger from terrorist attacks. Had the facility been completely locked down, it would have prevented the workforce from doing their jobs; as such, the risk management folks had to balance security needs with operational needs. Security measures that undermine operational performance are likely to lose risk management professionals the support of both the organizational leadership, and the workforce. As such, risk management is similar to counterinsurgency, in that it requires the tacit approval and cooperation of the "populace" in order to succeed.

In the case of public areas like malls, or parks, or shopping centers, one must question whether the areas in question are resourced to provide overwhelming security; but they must also ask whether that overwhelming security is commensurate with the actual threats in question, and the risks of those threats taking place. Despite occasional horrific events in public places in America and elsewhere, these events are so rare that potential dramatic upgrades in security often fail that cost/benefit analysis I mentioned earlier, both with respect to expenditure and opportunity/operational costs.

Of course, there are plenty of ways to improve security at individual facilities or venues, and many of these will be common across multiple locations. Experienced security practitioners can help organizational leaders to evaluate their threats, evaluate their risks, and put appropriate measures in place to mitigate those risks within appropriate costing boundaries.

No comments:

Post a Comment