Security professionals operating in today’s increasingly competitive environments face the unique challenge of providing security that reduces crime and loss, is cost effective, and does not expose their organizations to undue liability. Success can only be achieved through a carefully orchestrated balancing act of three factors:
– Selecting and deploying effective security measures
– Working within budget limits
– Reducing liability exposure
In order to be successful at this balancing act, security professionals must not only be knowledgeable about security, but they must also be good business decision makers and risk managers. They must use security measures that are effective at reducing loss and preventing crimes to their property, their employees, and most importantly, their customers. These security measures must not exceed the security department’s budget and preferably, provide a measurable return on investment. The security program should also effectively manage risks to the organization and its assets, including liability exposure for negligent or inadequate security.
Data-driven security can ensure that security professionals are successful in all three of the factors outlined. How can security professionals justify a sizable and increasing security budget to senior management? By now, most security professionals are keenly aware that a security program’s success depends on the commitment and support, or buy-in, of senior executives. Using anecdotal evidence to justify spending on physical security measures and costly protection personnel no longer suffices. A data-driven security program helps management understand that security is more than a cost center; it justifies expenses to senior management by showing the proof of success that can garner that necessary buy-in and demonstrate a convincing return on investment.
As discussed in Strategic Security Management by Karim H. Vellani, President of Threat Analysis Group, LLC, data-driven security refers to using measurable factors to drive a security program. While not all elements of a security program lend themselves to measurement, many components can be measured effectively. A commonly accepted business paradigm states that what cannot be measured cannot be managed. Some would argue that security is more of an art than a science. While they are correct, the business of security is not an art. The security department is a business unit, not unlike other business units within a company that must justify their existence.
So, the question is: How do security professionals provide security that reduces crime and loss, is cost effective, and does not expose their organizations to liability? The next section discusses and analyzes these issues.
DISCUSSION & ANALYSIS
There are several doctrines that guide data-driven security decision making, including legal precedents, security guidelines promulgated by trade associations, and industry best practices, including the practices of the security professional’s company. Each is addressed below.
Before discussing legal standards, it might be appropriate to throw in a disclaimer: Threat Analysis Group, LLC is not legal counsel and legal counsel should be consulted on these issues. With that out of the way, let’s consider: Expert Testimony and Foreseeability of Crime
Expert testimony is relevant when a company is sued for negligent or inadequate security. Both the defense and the plaintiff’s attorney typically hire a security expert to tell the judge and jury what level of security is required at the property, if any, based on the threat to the organization and its assets (people, property, information). The rule is rather simple: Experts cannot rely on junk science. This rule was articulated in the US Supreme Court case, Daubert v. Merrell Dow Pharmaceuticals. Experts are routinely subjected to Daubert Challenges, wherein their opinions are challenged and they may be excluded from testifying on the case at hand. Commonly referred to as the Daubert Factors, the questions asked by the court include:
- Can the relied-upon theory/technique be tested, and has it been tested?
- Has it been subjected to peer-review and publication?
- What are the known or potential error rates?
- What is the degree of the theory/technique’s acceptance within the relevant field?
For the security professional, Daubert raises two questions: Are the metrics that the security professional used to make decisions reliable? Are the metrics that the expert witness uses to demonstrate adequate security, or lack thereof, reliable? Reliability, according to the US Supreme Court, is determined by a tested theory which has been subjected to peer-review and publication, has a known error rate, and is accepted within the security industry.
Question: Is your method reliable?
Foreseeability of Crime
A negligent security lawsuit is a civil action brought on behalf of a person seeking damages for negligent security against the owners of the property where the injury or loss occurred and their agents. Generally, three elements must be met in order for a Plaintiff to prevail in a premises security lawsuit. These elements are: duty, breach of duty, and proximate cause. Duty is the element we’ll focus on in this section as it directly relates to the metrics used by security professionals. Duty is determined by the foreseeability of crime. While some states take a conservative approach to foreseeability by considering only prior, similar crimes, other states are more liberal and look at the totality of the circumstances. Regardless of the state, all consider crimes on the property when determining whether or not the crime was foreseeable.
Question: Is your method considering crime on the property?
In recent years, trade associations have promulgated standards and guidelines which advise security professionals on what metrics to use to reduce crime and loss in a cost-effective manner, and reduce liability exposure:
– ASIS-International’s General Security Risk Assessment guideline states that among the information sources for determining loss risk events are local police crime statistics.
– The National Fire Protection Association’s Guide for Premises Security (NFPA 730) states that when conducting a security vulnerability assessment, crime statistics should be considered.
– The Illuminating Engineering Society of North America’s Guideline for Security Lighting for People, Property, and Public Spaces (IESNA G-1-03) states that the most reliable means of determining future security needs and criminal vulnerabilities is to conduct a crime analysis.
– The International Association of Professional Security Consultants’ Forensic Methodology (Best Practice #2) states that when conducting a risk assessment, reports of relevant crimes on the premises should be reviewed.
Question: Are you considering crime statistics when making security decisions?
Industry Best Practices
Industry best practices are a little tougher to nail down than the legal and security standards because they are usually not written, but rather practiced informally. Nevertheless, industry journals, anecdotal information, and our own experience indicate that actual crime statistics for the property are the most heavily weighted factor in deploying security resources.
Question: Do your competitors consider crime statistics when making security decisions?
The trend is clear: Crime statistics should be considered when making security deployment decisions.