show your vulnerable side how to do a vulnerability assessment n.
Skip this Video
Loading SlideShow in 5 Seconds..
Show Your Vulnerable Side: How to do a Vulnerability Assessment PowerPoint Presentation
Download Presentation
Show Your Vulnerable Side: How to do a Vulnerability Assessment

Loading in 2 Seconds...

play fullscreen
1 / 78

Show Your Vulnerable Side: How to do a Vulnerability Assessment - PowerPoint PPT Presentation

  • Uploaded on

Talk for the 50th Annual ASIS Conference, Sept 26-30, 2004 (Dallas, TX). Show Your Vulnerable Side: How to do a Vulnerability Assessment. Roger G. Johnston, Ph.D., CPP Vulnerability Assessment Team Los Alamos National Laboratory 505-667-7414

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Show Your Vulnerable Side: How to do a Vulnerability Assessment' - hanae-william

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
show your vulnerable side how to do a vulnerability assessment

Talk for the 50th Annual ASIS Conference, Sept 26-30, 2004 (Dallas, TX)

Show Your Vulnerable Side:How to do a Vulnerability Assessment

Roger G. Johnston, Ph.D., CPP

Vulnerability Assessment Team

Los Alamos National Laboratory




LANL Vulnerability Assessment Team

Physical Security

  • consulting
  • cargo security
  • tamper detection
  • nuclear safeguards
  • training & curricula
  • vulnerability assessments
  • novel security approaches
  • new tags & seals (patents)
  • unique vuln. assessment lab

The VAT has done detailed

vulnerability assessments on

hundreds of different security

devices, systems, & programs.

The greatest of faults, I should say,

is to be conscious of none.

-- Thomas Carlyle (1795-1881)

physical security
Physical Security

This talk will focus primarily on vulnerability assessments of physicalsecurity, but presumably many of the ideas and principles also apply to other types of security such as:

  • computer security
  • network & Internet security
  • intellectual property security
  • information & records security
  • communications security

Better be despised for too anxious apprehensions,

than ruined by too confident security.

-- Edmund Burke (1729-1797)


physical security: trying to protect valuable, tangible assets from harm.

Examples of assets needing protection:

Security Guard: “Don't make me take off my sunglasses!”

-- From the movie Bringing Out the Dead (1999)

definitions con t
Definitions (con’t)

The “harm” that we wish to avoid might involve:

The ultimate security is your understanding of reality.

-- H. Stanley Judd

definitions con t1
Definitions (con’t)


vulnerability assessment (VA): discovering and demonstrating ways to defeat a security device, system, or program. Should include suggesting counter-measures and security improvements.

He that wrestles with us strengthens our skill. Our antagonist is our helper.

-- Edmund Burke (1729-1797)

physical security is difficult
Physical Security is Difficult!

Before thinking about how to assess physical security, we need to recognize that it is difficult and there are no guarantees of success.

Especially because complacency, over-confidence, wishful thinking, and arrogance are not compatible with good security.

Danger breeds best on too much confidence. -- Pierre Corneille (1606-1684)

why physical security is so difficult
The traditional performance measure for security is pathological: success is often defined as nothing happening.

Cost/Benefit analysis is difficult.

There are few meaningful standards, fundamental principles, models, or theories.

Everything is a compromise & a tradeoff.

Why Physical Security is So Difficult

There is always more spirit in attack than in defense.

-- Titus Livius (59 BC)

why physical security is so difficult con t
Objectives are often remarkably vague.

Security managers & personnel aren’t always creative or proactive, but adversaries may be.

Adversaries and their resources are usually unknown to security managers, yet the adversaries understand the security systems.

Society & employees often do not like security.

Why Physical Security is So Difficult (con’t)

We spend all our time searching for security, and then we hate it when we get it

-- John Steinbeck (1902-1968)

why physical security is so difficult con t1
Effective security management is highly multi-disciplinary: engineering, computer science, psychology, sociology, management, economics, communication, & law.

Adversaries can attack at one point, but security managers may need to protect extended assets.

Adversaries need exploit only one or a small number of vulnerabilities, but security mangers must identify, prioritize, & manage many vulnerabilities, including unknown ones.

Why Physical Security is So Difficult (con’t)

We have to get it right every day and the terrorists only have to get it right once. So we have to be ahead of the game.

--TSA Spokeswoman Lauren Stover

why physical security is so difficult con t2
Security functions are often tedious.

Security personnel have trouble identifying security vulnerabilities because they don’t want them to exist.

(It’s hard to think like the bad guys if you devote your career to being a good guy.)

Why Physical Security is So Difficult (con’t)

No problem can be solved from the same

consciousness that created it.

-- Albert Einstein (1879-1955)

why physical security is so difficult con t3
Physical Security scarcely a “field” at all!

- You can’t (for the most part) get a degree in it.

- Not widely attracting young people, females, the best and the brightest.

- Few peer-review, scholarly journals or R&D conferences.

- Lots of snake oil salesmen.

- Shortage of models, fundamental principles, metrics, rigor, standards,

guidelines, critical thinking, & creativity.

- Overly macho and often dominated by bureaucrats, committees, groupthink, “old boys” networks, linear/concrete/wishful thinkers.

Why Physical Security is So Difficult (con’t)

The only security is the constant practice of critical thinking.

-- William Graham Sumner (1840-1910)

major tools for improving security
Security Survey

Risk Management (“Design Basis Threat”)

Vulnerability Assessment

Major Tools for Improving Security

If we don't succeed, we run the risk of failure.

-- Dan Quayle

security surveys vs risk management vs vas
Not really the same thing because they produce different results.

The task of identifying Threats & Vulnerabilities, done as part of Risk Management (or DBT), is too often not really a Vulnerability Assessment.

Security Surveys and Risk Management/DBT were major breakthroughs & are still useful… But they are not enough!

Security Surveys vs. Risk Management vs. VAs

Men do not like to admit to even momentary imperfection.

My husband forgot the code to turn off the alarm. When the

police came, he wouldn't admit he'd forgotten he code...

he turned himself in. --Rita Rudner

security survey
Basically a management walk around.

Walk the spaces, looking for security problems.

A checklist is often used.

Security Survey

We made too many wrong mistakes.

-- Yogi Berra

limitations of security surveys


Often unimaginative

Not focused on adversaries

Overly focused on the check list

Does not encourage new countermeasures

Expectation that problems will leap out at you

Limitations of Security Surveys

0 1

It's better to be looked over than overlooked.

-- Mae West, Belle of the Nineties, 1934

risk management
Similar to Risk Management Techniques in other fields.

Identify Assets, Threats & Vulnerabilities, Adversaries, Consequences, Safeguards & Countermeasures.

Assign relative priorities and probabilities. (Generate lots of tables.)

Field your resources appropriately.

Risk Management

The first step in the risk management process is to

acknowledge the reality of risk. Denial is a common

tactic that substitutes deliberate ignorance for thoughtful planning. -- Charles Tremper

design basis threat dbt
“Design Basis Threat” is similar to Risk Management.

DBT basically means “design your security to deal with the current real-world threats”.

In practice, DBT tends to focus more on hardware and infrastructure than Risk Management does.

Design Basis Threat (DBT)

A hypothetical paradox: what would happen in a battle between an Enterprise security team, who always get killed soon after appearing, and a squad of Imperial Stormtroopers, who can't hit the broad side of a planet? -- Tom Galloway

limitations of conventional risk management or dbt
There is rarely any guidance on how to determine the Threats & Vulnerabilities other than looking at past security incidents. But that is being reactive, not proactive. Not good enough post-9/11, in a rapidly changing world, or for dealing with rare catastrophic events.

Still binary & close-ended

Limitations of Conventional Risk Management (or DBT)

You can never plan the future by the past.

-- Edmund Burke (1729-1797)

more limitations of conventional risk management or dbt
Often done unimaginatively

The attack probabilities are usually a fantasy

Suffers from overconfidence in tables and the

“fallacy of precision”

Not done from the perspective of the adversaries

More Limitations of ConventionalRisk Management (or DBT)

The time to repair the roof is when

the sun is shining.

-- John F. Kennedy (1917-1963)


more limitations of conventional risk management or dbt1
Tendency to let the good guys and existing security measures define the adversaries & attack modes

Often used to justify the status quo--typically does not encourage new countermeasures

Ignores simple/cheap countermeasures when the attack probabilities are judged (rightly or wrongly) to be low or zero

More Limitations of ConventionalRisk Management (or DBT)

It isn't that they can't see the solution.

It is that they can't see the problem.

-- G.K. Chesterton, The Scandal

of Father Brown (1935)

vulnerability assessment
Perform a mental coordinate transformation and pretend to be the bad guys. (This is a lot harder to do than one might think.)

Gleefully look for trouble, rather than seeking to reassure yourself that everything is fine.

Unlike Security Surveys or Risk Management, don’t let the good guys define the problem or its parameters.

Vulnerability Assessment

It is sometimes expedient to forget who we are.

-- Publilius Syrus (~42 BC)


Example: Open Window

security survey:issue orders to close & lock window!

risk management:ignore if not envisioned as part of a specific threat or attack from a likely adversary; otherwise, design procedure to close & lock window.

VA:Oh boy, an open window! What mischief can this lead to?

You can observe a lot by just watching.

-- Yogi Berra

vulnerability assessment steps
Fully understand the device, system, or program and how it is REALLY used. Talk to the low-level users.

Play with it.

Brainstorm--anything goes!

Play with it some more.

Vulnerability Assessment Steps

Scientists are the easiest to fool. They think in straight, predictable, directable, and therefore misdirectable, lines. The only world they know is the one where everything has a logical explanation and things are what they appear to be. Children and conjurors--they terrify me. Scientists are no problem; against them I feel quite confident.

-- Spoken by Zambendorf in Code of the Lifemaker, (James Hogan, 1987)

vulnerability assessment steps1
Edit & prioritize potential attacks.

Partially develop some attacks.

Determine feasibility of the attacks.

Devise countermeasures.

Vulnerability Assessment Steps

It's awful hard to get people interested in

corruption unless they can get some of it.

-- Will Rogers (1879-1935)

vulnerability assessment steps2
Perfect attacks.

Demonstrate attacks.

Rigorously test attacks.

Rigorously test countermeasures.

Vulnerability Assessment Steps

A thing may look specious in theory, and yet

be ruinous in practice; a thing may look evil

in theory, and yet be in practice excellent.

-- Edmund Burke (1729-1797)

brain storming
Brain Storming

Nothing can inhibit and stifle the creative process more--and on this there is unanimous agreement among all creative individuals and investigators of creativity--than critical judgment applied to the emerging idea at the beginning stages of the creative process. ... More ideas have been prematurely rejected by a stringent evaluative attitude than would be warranted by any inherent weakness or absurdity in them. The longer one can linger with the idea with judgment held in abeyance, the better the chances all its details and ramifications [can emerge].

-- Eugene Raudsepp, Managing Creative Scientists and Engineers (1963).

In theory there is no difference between

theory and practice. In practice there is.

-- Yogi Berra

what if you can t have or afford outside vulnerability assessors
What if you can’t have or afford outside vulnerability assessors?

Use smart, hands-on, creative people inside your

organization who are not associated with security.

Seek: wise guys, trouble makers, smart alecks, schemers, organizational critics, loophole finders, questioners of tradition and authority, outside-the-box thinkers, artists, hackers, tinkerers, problem solvers, & techno-nerds.

Could Hamlet have been written by committee, or the Mona Lisa painted by a club? Could the New Testament have been composed as a conference report? Creative ideas don't spring from groups. They spring from individuals.

-- Alfred Whitney Griswold (1885-1959)

vulnerabilities are often obvious to outsiders
Vulnerabilities are often obvious to outsiders…

To see what is in front of one's nose needs

a constant struggle.

-- George Orwell (1903-1950)

other reasons for doing a vulnerability assessment
Other Reasons for Doing a Vulnerability Assessment
  • mental rehearsal
  • fresh perspectives
  • fun/relieves tedium
  • increased alertness
  • bluffing (don’t underestimate)
  • enhanced sense of professionalism
  • educational/professional development for security staff
  • can involve other members of the organization, thus

increasing employees’ security awareness

  • can help justify additional resources for security

Without deviation from the norm,

progress is not possible.

-- Frank Zappa (1940-1993)

tricky aspects of vulnerability assessments vas
No meaningful standards or underlying theory

Defeats are a matter of degree & probability

No clear endpoint

Wishful thinking is hard to avoid.

Tricky Aspects of Vulnerability Assessments (VAs)

Nothing is easier than self-deceit. For what each man wishes, that he also believes to be true.

-- Demosthenes (382-322 BC)

tricky aspects of vas con t
Recursion (chasing a moving target)

Most security failures are due to human error, which is hard to model and predict.

Testing/Demonstration realism can be difficult to achieve.

Tricky Aspects of VAs (con’t)

We are never deceived; we deceive ourselves.

-- Johann Wolfgang von Goethe (1749-1832)

general attributes of effective vas
No conflicts of interest or wishful thinking.

No “Shoot the Messenger” Syndrome. No retaliation or punishment against security personnel or managers when vulnerabilities are found.

Use of independent, imaginative assessors who are psychologically predisposed to finding problems and suggesting solutions, and who (ideally) have a history of doing so.

General Attributes of Effective VAs

When people are engaged in something they are not proud of, they do not welcome witnesses. In fact, they come to believe the witness causes the trouble.

-- John Steinbeck (1902-1968)

attributes of effective vas
No binary view of security.

Rejection of a finding of zero vulnerabilities.

Rejection of the idea of “passing” the VA, or of VAs as “certification”.

Discovering vulnerabilities is viewed as good (not bad) news.

Attributes of Effective VAs

When we were children, we used to think that when

we were grown-up we would no longer be vulnerable.

But to grow up is to accept vulnerability...

To be alive is to be vulnerable.

-- Madeleine L'Engle

attributes of effective vas1
Done early, iteratively, and periodically .

Done holistically, not by component, sub-system, function, or layer. (Attacks often occur at interfaces.)

No unrealistic time or budget constraints on the VA, or on what attacks or adversaries can be considered.

Done in context.

Attributes of Effective VAs

He that will not apply new remedies must expect new evils;

for time is the greatest innovator.

-- Francis Bacon (1561-1626)

attributes of effective vas2
No underestimation of the cleverness, knowledge, skills, dedication, or resources of adversaries.

The good guys don’t get to define the problem, the bad guys do.

Simple, low-tech attacks are examined first.

Attributes of Effective VAs

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.

-- Douglas Adams (1952-2001)

attributes of effective vas3
Findings are reported to the highest appropriate level without editing, interpretation, or censorship by middle managers.

No confusion about the difference between VAs and other kinds of hardware testing (materials, environ-mental, ergonomic, field readiness) or personnel testing.

Attributes of Effective VAs

The first principle is that you must not fool yourself--

and you are the easiest person to fool.

-- Richard Feynman (1918-1988)

attributes of effective vas4
The following attacks are all considered:

• fault analysis

• false alarming

• poke the system

• wait & pounce

• backdoor attacks

• impersonation

• social engineering

• tampering with security training

• insiders, outsiders, insiders + outsiders

Attributes of Effective VAs

Evil is easy, and has infinite forms.

-- Blaise Pascal (1623-1662)

attributes of effective vas5
Rohrbach’s Maxim must be considered: No security system will ever be used properly (the way it was designed) all the time.

Shannon’s Maxim must be considered: The adversaries know and understand the security systems, strategies, and hardware being used.

Attributes of Effective VAs

Inanimate objects can be classified scientifically into three major categories;

those that don't work, those that break down and those that get lost.

-- Russell Baker

Everything secret degenerates … nothing is safe that does not show how it can bear discussion and publicity.

-- attributed to Lord Action (1834-1902)

attributes of effective vas6
The vulnerability assessors need to praise the good things because:

+ We want the good things to be recognized and to continue.

+ Security managers need to be willing to arrange for future VAs.

+ Discussing the good things will make security managers more willing to hear about potential problems.

It should be clear up front that the vulnerability assessment will produce more suggestions and countermeasures than are likely to be implemented. Security mangers (not the assessors) should ultimately decide which (if any) make sense to employ.

Attributes of Effective VAs

Our only security is our ability to change.

-- John Lilly

don t overlook the insider threat
Don’t Overlook the Insider Threat!
  • The insider threat is often overlooked or underestimated, and can be very difficult to deal with.
  • Disgruntled employees are a particular insider threat.

We have met the enemy and he is us.

-- Walt Kelly, the words of Pogo in Earth Day 1971 cartoon strip

disgruntled workers
Disgruntled Workers
  • Research shows that employee disgruntlement

is associated with perceptions of unfairness &

inequity, not necessarily objective conditions.

  • Disgruntled employees are known to be a risk for

workplace violence, espionage, theft, & sabotage.

What has posterity ever done for me?

-- Groucho Marx (1890-1977)

Honesty may be the best policy, but it's important to

remember that apparently, by elimination, dishonesty

is the second-best policy.

-- George Carlin

workplace violence usa
Workplace Violence (USA)
  • ~ 1 million victims of workplace violence

each year

  • >1000 workers killed each year due to

workplace homicide

  • Homicide is the number one cause of

on-the-job deaths for female employees

Source: NIOSH

Always go to other people’s funerals. Otherwise

they might not come to yours. --Yogi Berra

causes of increasing worldwide employee disgruntlement
Causes of Increasing Worldwide Employee Disgruntlement
  • global downsizing & outsourcing
  • weakening of labor unions & collective bargaining
  • increased use of temp & limited-term employees
  • the disappearance of lifetime employment
  • increased workforce diversity

We have to distrust each other.

It's our only defense against betrayal.

-- Tennessee Williams (1911-1983)

causes of increasing world wide employee disgruntlement con t
Causes of Increasing World-Wide Employee Disgruntlement(con’t)
  • technical obsolescence
  • the rapid pace of organizational change
  • increased whistle-blowing
  • depersonalization caused by increased

urbanization, expanding bureaucracy, the

growth of multinational corporations, and

the increased use of email & virtual meetings

No one can build his security upon

the nobleness of another person.

-- Willa Cather (1873-1947)

disgruntled americans
Disgruntled Americans
  • American employees are particularly at risk
  • for disgruntlement due to characteristic traits:
  • identity is based on work
  • work long hours
  • strong individualism
  • traditional belief in fairness
  • traditional belief in “American Dream”

Americans do not abide very quietly the evils of life.

-- Richard Hofstadter

In every American there is an air of incorrigible innocence,

which seems to conceal a diabolical cunning.

-- A. E. Housman (1859-1936)

disgruntlement countermeasures
Disgruntlement Countermeasures
  • Listen, acknowledge, validate, & empathize with employees.
  • Allow employees to freely offer suggestions & concerns.
  • Have legitimate complaint resolution processes. Too often these are non-existent, ineffective, adversarial, or fraudulent, especially in large or bureaucratic organizations. This is very dangerous (and bad for productivity).
  • Be aware that employee perceptions about fairness

are the only reality.

  • Treat departing employees & retirees well.

Sincerity is everything. If you can fake that,

you've got it made.

-- Comedian George Burns (1896-1996)

also don t forget about
Also, Don’t Forget About…

Computer & Computer Media physical security!

Relations with public, neighbors, & local authorities

Effective security awareness training for all employees

Even if you're on the right track,

you'll get run over if you just sit there.

-- Will Rogers (1879-1935)

or about having plans to deal with
Or about having plans to deal with…




Natural Disasters

War & Civil Unrest

Product Tampering

Illness & Epidemics

Industrial Accidents

Strikes & Labor Unrest

When choosing between two evils, I

always pick the one I never tried before.

-- Mae West (1893-1980)

product tampering
Product Tampering

Tamper-Evident Packaging

Model of how to effectively deal with product tampering: J&J

On a bag of Fritos: You could be a winner!

No purchase necessary. Details inside.


high tech ≠ high security

inventory function ≠ security function

If you think technology can solve your security problems,

then you don't understand the problems and you don't

understand the technology. -- Bruce Schneier

why high tech devices systems are usually vulnerable to simple attacks
Still must be physically coupled to the real world

Still depend on the loyalty & effectiveness of user’s personnel

The increased standoff distance decreases the user’s attention to detail

Many more legs to attack

Why High-Tech Devices & Systems Are Usually Vulnerable To Simple Attacks
why high tech devices systems are usually vulnerable to simple attacks con t
The high-tech features often fail to address the critical vulnerability issues

Users don’t understand the device

Developers & users have the wrong expertise

and focus on the wrong issues

The “Titanic Effect”: high-tech arrogance

Why High-Tech Devices & Systems Are Usually Vulnerable To Simple Attacks (con’t)
  • Counting and locating our stuff.
  • No nefarious adversary.
  • Will detect innocent errors by insiders, but not surreptitious attacks by insiders or outsiders.
  • Meant to counter nefarious adversaries, typically both insiders & outsiders.
  • Watch out for mission creep: inventory systems that come to be viewed as security systems!
example tags
Example: Tags

tag: an applied or intrinsic feature that uniquely identifies an object or container.

types of tags

inventory tag (no malicious adversary)

anti-counterfeiting tag (counterfeiting is an issue)

security tag (counterfeiting & lifting are issues)

buddy tag or token (counterfeiting is an issue)

lifting: removing a tag from one object or container and placing it on another, without being detected.

Never answer an anonymous letter.

-- Yogi Berra


Tags: Classic examples of confusing Inventory & Security, High-Tech & High-Security

  • bar codes
  • rf transponders (RFIDs)
  • contact memory buttons

Usually easy to:

* lift * counterfeit * spoof the reader

Between the idea and the reality,

Between the motion

And the act

Falls the Shadow.

-- T.S. Eliot, The Hollow Men, 1925


GPS: Another classic example of confusing Inventory & Security, High-Tech & High-Security

  • The private sector, foreigners, and 90+% of the federal

government must use the civilian GPS satellite signals.

  • These are unencrypted and unauthenticated.
  • They were never meant for critical or security applications,

yet GPS is being used that way!

If you put tomfoolery into a computer, nothing comes out of it but

tomfoolery. But this tomfoolery, having passed through a very expensive

machine, is somehow ennobled and no-one dares criticize it.

-- Pierre Gallois

attacking gps receivers
Blocking: just break off the antenna, or shield it with metal; not surreptitious.

Jamming: easy to build a noisy rf transmitter from plans on the Internet; not surreptitious.

Spoofing: surreptitious & (as we’ve demonstrated) surprisingly easy for even unsophisticated adversaries using widely available GPS satellite simulators.

Physical attacks: appear to be easy, too.

Attacking GPS Receivers
gps cargo tracking
GPS Cargo Tracking

GPS Satellite

Tracking Information

Sent to HQ

(perhaps encrypted/authenticated)



(vulnerable here)

GPS is great for navigation, but it does not provide high security.

warnings con t
Warnings (con’t)

Don’t place undue confidence in data encryption or authentication!

Don’t place undue confidence in biometrics!

Don’t assume counterfeiting is difficult!

Only fools are positive.

-- Moe Howard (1897-1975)

data encryption authentication
Data Encryption/Authentication

Intended for public communication

between two secure points.

Provides reliable security if and only if

the sender and the receiver are physically secure.

The security of a cipher lies less with the cleverness of the

inventor than with the stupidity of the men who are using it.

-- Waldemar Werther

  • Usually easier than developers, vendors & manufacturers claim.
  • Often overlooked: The bad guys usually only needed to counterfeit the apparent performance of the security device, not the device itself or its real performance.

The handwriting on the wall may be a forgery.

-- Ralph Hodgson (1871-1962)

warnings con t1
Warnings (con’t)

Watch out for the multi-layer fallacy: Believing that multiple layers of bad security equals good security.

Security managers will usually over-estimate the difficulty of defeating their security, and under-estimate the cleverness, determination, & resourcefulness of adversaries.

Adversaries can usually bluff their way into a facility or organization more easily than might be imagined.

The simple act of paying attention

can take you a long way.

-- Keanu Reeves


Warnings (con’t)

  • 9. Watch out for fuzzy thinking:
    • scapegoating
    • wishful thinking
    • “one-size fits all”
    • sloppy terminology
    • conflicts of interest
    • design by committee
    • ambiguous functions & goals
    • failure to understand the end user’s world
    • ignoring changing circumstances & adversaries
    • lack of periodic, effective vulnerability assessments
    • forgetting that security is a probabilistic compromise
    • over-confidence in standards, testing, & precedence

You’ve got to be very careful if you don’t know where you are going, because you might not get there. -- Yogi Berra

optimizing safety
Optimizing Safety
  • security survey ≈safety “walkaround”
  • security risk management or “design

basis threat” ≈ safety “what if?” exercises

  • security vulnerability assessment ≈

“adversarial” safety analysis???

In case of contact [with this chemical],

immediately wash skin with soap and

copious amounts of water. If swallowed,

wash out mouth with water provided the

person is conscious, and call a physician.

-- Material Safety Data Sheet

for sucrose (table sugar)

32 attributes of flawed security programs
32 Attributes of Flawed Security Programs

Widespread arrogance & overconfidence.

Security is viewed as binary. (This inhibits improvement.)

Insiders are not viewed as a threat.

Overly focused on paperwork, auditors, regulations, & formality.

Security & security managers are micro- managed by unqualified business executives.

attributes of flawed security programs con t
Attributes of Flawed Security Programs (con’t)

Security personnel are reluctant to report problems or security incidents, or ask questions.

Security problems, vulnerabilities, & incidents are covered-up.

Vulnerability assessment are rare; security is rarely tested.

“What if?” mental or walk-through exercises are rare, instead of being done daily or weekly.

attributes of flawed security programs con t1
Attributes of Flawed Security Programs (con’t)
  • 10. Security personnel receive little training or
  • practice, and are given few opportunities for
  • professional advancement.
  • 11. Security supervisors & managers are not well
  • respected by subordinates.
  • 12. Security managers rarely chat informally with
  • regular (non-security) employees.

13. Security personnel are not well respected by

non-security personnel.

attributes of flawed security programs con t2
Attributes of Flawed Security Programs (con’t)
  • 14. The morale and self-esteem of security personnel
  • is low. Appearance is poor.
  • 15. Low-level security personnel are treated poorly.
  • 16. Low-level security personnel are rarely recognized for good work.
  • 17. Security training exercises are unrealistic & tedious.
  • 18. Security personnel have few opportunities to
  • demonstrate their prowess in contests/exercises.
attributes of flawed security programs con t3
Attributes of Flawed Security Programs (con’t)

19. Security personnel feel no loyalty or connection

  • to their employer, or to the employees and the
  • organization they are protecting.
  • 20. The organization lacks a fair and effective
  • grievance or complaint resolution process
  • for disgruntled employees (whether security or
  • non-security personnel).
attributes of flawed security programs con t4
Attributes of Flawed Security Programs (con’t)
  • 21. Security personnel are not briefed at the start
  • of a shift, nor checked for fitness of duty.
  • 22. Security personnel are not debriefed after their
  • shift.
  • 23. No pre-employment screening of employees;
  • no periodic, thorough background and reliability
  • checks performed on security and other critical
  • personnel.
attributes of flawed security programs con t5
Attributes of Flawed Security Programs (con’t)
      • 24. Unexplained or unexpected absences of
      • security personnel are not investigated, nor are
      • sudden outbreaks of widespread illness.
      • Critical security personnel accept food and

drink from colleagues & co-workers.

  • 26. Rosters, duty assignments, & schedules of
  • authorized work are not well protected from
  • tampering. Paper documents and verbal orders
  • for security personnel are taken at face value.
attributes of flawed security programs con t6
Attributes of Flawed Security Programs (con’t)
  • 27. Security personnel do not know exactly how and
  • when to summon help or sound an alarm.
  • 28. There are no clear policies on the use of physical force (including lethal force and force against coworkers), or else those policies are largely unknown to security personnel and rarely
  • discussed in a “what if?” format.
  • 29. Security personnel are vague on exactly what is
  • expected of them.
attributes of flawed security programs con t7
Attributes of Flawed Security Programs (con’t)
  • 30. The health and safety of security personnel is
  • a low priority. Insurance and medical coverage
  • is absent or poor.
  • 31. VIPs are allowed to bypass standard security
  • procedures.
  • 32. Security managers are automatically fired when
  • there is a major security incident. Low-level
  • security personnel are automatically disciplined
  • or fired when there is a minor security incident.


Vulnerability Assessment Team

We have a CD containing related papers & reports.

Available today or request a copy at

Ring the bells that still can ring.

Forget your perfect offering.

There is a crack in everything.

That's how the light gets in.

-- Anonymous

Roger Johnston, Ph.D., CPP, Ron Martinez, Leon Lopez, Sonia Trujillo, Adam Pacheco, Anthony Garcia,

Jon Warner, Ph.D., Alicia Herrera, Eddie Bitzer, M.A.


A new scholarly, non-profit

peer review journal:

The Journal of Physical Security

Security can only be achieved through constant change, through discarding old ideas that have outlived their usefulness and adapting others to current facts.

-- William O. Douglas (1898-1980)



The End

Security is like liberty in that many are the

crimes that are committed in its name.

-- Robert H. Jackson, dissenting opinionin U.S. vs Shaughnessy, 1950