Lock Blog

A resource for consumers, locksmiths, and security professionals.

Is Your Home Safe? How To Assess Your Home Security Like A Professional

Posted On by

Things don’t get more personal than where you live. When things get personal people get protective. And protective is great, as long as it is practical. Security consultant and all around cool dude, Matthew J. Harmon (@mjharmon) suggested that we give our readers a crash course on risk assessment and security planning. We have broken up the piece so that it educates as well as assists you in the planning process. You will need to understand what risk is and how to calculate it. As a starting point, you should also know the general protections that are afforded by operational and physical security. What questions do you need to ask? Who are you asking? What’s the difference between a CEA and CBA? With a complete and thorough risk assessment, every person should be able to design an effective home security plan that will help keep your home safe from criminals. Learn what it takes to truly be prepared.

“Most people look at their house as a castle, when in fact it is more like a straw hut.”
-Matthew J. Harmon (2015)

Risk Assessment

Risk is the likelihood of loss. A risk assessment weighs the cost of the strategy against the potential losses without it. It is a business concept, but this assessment goes beyond monetary ramifications. We are not going to necessarily juxtapose financial against financial. Something of value can be property, family, heirlooms, pets (they need to be kept safe too), time, etc. As part of the risk assessment, you need to understand the disasters and the different types of criminal activity. You have to know not only how likely each event is, but what goes into that event. Assessing your risk will assist in creating response procedures for different disasters.

Key Take Aways

  • Risk – Likelihood of loss.
  • Risk assessment – Cost of implementation vs the cost of potential losses without implementation.
  • Cost – Expending something of value (not necessarily money).
  • A risk assessment will inform your home safety plan.

Types of Risks

Fraud – Stolen information used to steal money, records or other valuables. This can destroy credit and potentially ruin your life.
Downtime – If your home is your office, downtime can potentially destroy your business. Downtime is most troubling when your home is where you keep many records, servers, information, etc. If those items are damaged, lost, or stolen you may not be able to work. In this instance, your home security may be compromising your business security.
Property Replacement – When physical objects are stolen or destroyed chances are you will want to replace them. Hopefully, what is lost or stolen can be replaced, but that is not always the case.
Legal – You may be responsible for keeping your property equipped with certain protections. Not acting in accordance with the law may put you in financial risk as well as physical harm.

Risk Evaluation Equation

Now that we understand risk a little better, we can talk about how to determine your own risk. The best way to do this is with a simple equation: Risk equals threat times vulnerability. This is an abstract concept, not an actual numerical equation. That means that numbers should not be plugged in. Threat level being 50 multiplied by a vulnerability of 10 will get you a risk of 500. That 500 is ultimately meaningless. The equation is meant to serve as a call to action, not a method for finding an exact number. Use it in the way that if your vulnerability or threat is zero, then your risk will be zero. No chance of the threat being realized when combined with high vulnerability still means that you are not at risk to that threat, and vice versa. Simply, no threat, or no vulnerability, means that there is no risk. This equation will also help you to understand, abstractly, how concerned you should be about a particular threat or vulnerability.

Key Take Aways

  • Risk = Threat x Vulnerability ( R = T x V )
  • Do not plug in numerical values other than 0.
  • When ‘T’ or ‘V’ is 0 the risk will equal 0.

Threat

When you consider your threat(s), be conservative. The more realistic your approximation is, the more appropriate your protection will be. Find out what Natural disasters affect your area, and which do not. In a valley, you may think that flooding could be a problem, but a dry climate may make geography somewhat irrelevant. In the hills of southern California mudslides and wildfires may be the largest concern, and disasters like tornados and hurricanes may be nonexistent. If your city is on, or close to, a fault line or fracking plant, you may be in danger of an Earthquake. Similar to a natural disaster, the threat may be exposed wires causing a fire, or faulty pipes bursting and flooding the home. Trees and branches may also fall onto the home, or simply fall to block an exit or entrance.

natural-disaster

Your security may also fail. Locks may not work the way that they should. Camera’s might not be recording. Doors could jam. Your equipment quality will be key in determining whether or not these types of failures occur. Even if your equipment is state of the art it is not safe from failure. Operator error is always a clear and ever present danger. If the products are too complex, they may degrade quickly due to misuse. You current security plan may also have issues with operator error separate than daily use. If the plan is not easy to follow or memorize, it may increase certain threats. Analyze how much your safety relies on humans, and how frequent people interact with your security.

When humans are not causing threats by accident, they are causing them maliciously. This is often the part of a security plan that most people will focus on. Focusing on this type of threat to the point of neglecting other potential threats is a recipe for failure. Honestly, look at crime statistics in your area. Also, consider the type of criminal that might wish to break into your property. Are they going to steal, or are they just going to damage the property? This type of threat is known as interference. Drug addicts and animals may just harm the property. This may be due to an inability to access your valuables or a disregard for them. Regardless, your belongings are being harmed but not stolen.

There may also be a threat of interception. This is when your keys or access codes are stolen. To assess the threat of interception, you will need to review your plans for key and code control (access controls). The presence of pickpockets would be the largest indication of this threat type. The threat of interception can potentially go hand in hand with the threat of impersonation. Impersonation is when the criminal pretends to be you or someone that should be given access to the property. All manner of individuals can be impersonated, but it takes a very particular type of thief to go to this length.

Key Take Aways

  • Natural Disaster – Disasters outside of human control or prevention.
  • System Failure – When your protections do not work.
  • Operator Error – When the humans being protected cause your security to fail.
  • Malicious Intent – Thieves targeting your property.
  • Interference – Damaging the property with no real theft.
  • Interception – Stealing codes and/or keys to the property.
  • Impersonation – A thief pretending to be you, or someone that would be given access to the property.

Vulnerability

To determine your vulnerability, you will need to ask yourself, “If a threat is realized what are the chances that it will bypass my security?” Things like location can make you vulnerable to natural disasters. Your location can also make you vulnerable to burglary and vandalism. Having cheap equipment is going to increase the chance that your systems will fail. Even if the product is expensive, if it is low quality it may fail. Think about the type of quality the products have. What skill level would a thief need to have in order to attack your property effectively? The more skill it would take, the less vulnerable you are.

Installation will play a big role in your vulnerability. For instance, if a lock is not properly installed then it won’t matter if it is one of the most unpickable locks in the world. Placement of protections, such as a deadbolt latch on the opposite side of a glass door, may make you vulnerable to forced entry attacks. If people are forcing their way in, what would their motivation be? Can they see items of value from the street? Do people like you? Unfortunately, your reputation is also a vulnerability. Is it likely that you will be the target of an attack by your neighbors, coworkers, or even housemates? If you have a feud with anyone, this increases the chance that your property will be disrupted, and your security will be tested.

If many people need access to the property this may also increase certain vulnerabilities. Human error is dependent on the amount of people with access. The more balls you are juggling, the more likely it is that you will drop one. As we have seen with the considerations for gate security, even if you try to protect people, they may damage their own security for an increase in convenience. You have to know your cohabitants and be able to trust them, in order to decrease your human error vulnerability.

Key Take Aways

  • Location can make you vulnerable to natural disasters, burglary, and vandalism.
  • Cheap/low quality products make you vulnerable system failure.
  • The more people with access to the property the more vulnerable it is.
  • How you get along with your community may put you at a higher level of vulnerability.
  • The more skill it takes to bypass your security, the less vulnerable you are.

Protections

Protections exist to lessen vulnerability. You now know about risk and how you can determine particular risk by analyzing your potential threats and vulnerabilities. Now it is important to discuss the protections.

layered-home

Physical Security

  • Gates – The access may be based on a keyed padlock system, a system which has been refined throughout its long history. Electronic locks may be used on gates for remote access. The lock may be secured with a code that is either shared or individual. The gate may have an attendee.
  • Locks – All locks should be in working order, and installed properly. Make sure you weigh the benefits of having a professional install your locks. A lock that is functioning should also be used. Having a lock that is never locked will be the same as not having a lock when your security is tested. Always invest in the best door locks.
  • Motion sensors – Any motion sensor should be set up to communicate to another device. The secondary device will need to gather attention. It can be as simple as triggering a light, or as involved as sending you a text message.
  • Visibility – When there is no place to hide there is no place to work in secret. Lights, trimming plants, and even the shape of the building can increase perimeter visibility.
  • Window protection – Windows are often pointed to as the biggest flaw to a building’s security. A criminal will not waste time with a vault door if there is a window into the same room. The first step would be to lock your windows. Further protection would be to bar them, or even invest in window security film.
  • Security cameras – It is true that inactive security cameras will discourage some criminals, but it more secure to utilize real protections. Make sure you have high-quality security cameras.
  • Alarms – An effective alarm is one that cannot be ignored. If it is not getting your attention then it is not effective. If you are away from your home, your alarm will need to attract the attention of your neighbors.
  • Security system – A security system is not simply an alarm. What a system offers is remote alerts. This system should be set up to notify law enforcement, as well as you, when your security has been tampered with. Cell phone networks are going to be more tamper resistant than landline systems. In some cases homeowners can utilize monitored security systems to enhance safety.
  • Layers – Use different styles of protection. For example, actively using cameras, motion sensor lights, alarms, and locks all at the same time.
  • Redundancy – This is when you have more than one of a particular protection. In the event that an alarm is compromised, do you have a second alarm? If you have redundant security measures, always use them simultaneously. A lock that is unlocked is not providing any safety. The same goes for anything else not in use. If it is not being used it is not doing its job.

Operational Security

  • Access – Controlling who has access to the property is a great first step in protection. Firstly, the people that have keys and codes need to be trained on procedures. More importantly, they have to abide by them. Trust is a large part of access protection. If you do not trust the person(s) with access you are opening yourself up to vulnerability. It is also important to know how access works when a person is leaving the home. Once someone is in, how easy is it to walk out with your valuables? This also applies to renters. It is important to trust your landlord or anyone who might have access to a master key (if a master key system is in place).
  • Information control – Similar to access control, be mindful of who you give security information to. How informed is the rest of the building on your procedures? How well do they know you/your security? Does having people with this information, or lack thereof, protect your or increase your risk? It will protect you if the people that know your security are trustworthy. It will increase your risk if they are not. Untrustworthy, in this case, does not mean that they will be the ones that rob you. They must also be trusted not to share the information with others. Educate your trusted individuals on the information that people would need to know. Someone that claims to work for the city or a business does not need to know about your security. When allowing workers into your home keep them on a prescribed path. Do not label doors and rooms. If a thief does not have inside information they should not know where to go. Only important people should know where the important stuff is. Control who knows what and you will have a better idea of where leaks are coming from.
  • Information consistency – Information on your security should be consistent. For the sake of everyone involved in your security, please document your procedures. Make sure that those that are involved in carrying out any part of these operational tasks are aware of what they need to do. This is also true for key control for when someone is house sitting, taking care of a pet, taking care of a human, taking in your mail, etc. Documenting their responsibilities will help clear up any confusion.

Questions:

Each category should be addressed in order: introspection, then infrastructure, then residents. These will tell you about your threats and vulnerabilities. These questions are by no means the only you should ask. They should serve as a springboard for more questions.

questions-couple

Introspection – Looking at yourself.

  1. What is valuable? (Define what your assets are.)
  2. What are you worried about losing? (Don’t let this influence your perception of a threat’s likelihood.)
  3. How comfortable are you with assessing your own security? (Consider the benefits and pitfalls of hiring a private contractor to assess your security.)
  4. What is your skill level when it comes to installing hardware or fabrication? (You may need to have your security made or installed by professionals.)
  5. What are your current problems?
  6. What are you concerned with? (You may not be sure if it is a problem, or it may not be a problem yet)
  7. What are the laws in your area?
  8. How is the security you have now being used? (Are you using your current security fully? How often?)
  9. Do you own your home? (Can you make structural changes?)
  10. Who are the people visiting the house? (Friends, gardeners, dog walkers, etc.)
  11. What are the known threats?
  12. What is your risk tolerance? (May vary depending on the threat.)
  13. What is your budget? (Can you afford to take action right way?)

Infrastructure – Looking at the building

  1. Look around for potential problems.
  2. Get an idea of the physical layout of the home and quality of current protections.
  3. What is the age of the equipment?
  4. Do gates latch properly? How high are they?
  5. If you don’t have something, do you need it?
  6. What are these protections doing? (If they are broken, or forgotten, they are a vulnerability)
  7. Is ingress or egress blocked at any point?

Residents – Neighbors and housemates (Maybe landlord or super)

  1. What problems are they having? (You might not know about the problems plaguing the rest of the neighborhood)
  2. What are their concerns? (Find the difference between a complaint and a problem. Something that is bothering them might not necessarily be a relevant problem.)

The Security Plan

A security plan has several aspects to it. The basis is to decide on an actionable list of protections. This plan should be practical and effective. Safety and security are not tangible things. Security is achieved with a network of tangible and intangible things. It is how the network works together that creates good or bad security. The idea is the same as a chain. Like a chain, security is only as strong as its weakest link. You can see your locks and cameras, but their value is in the crime they deter. The best security is security that is never tested. Ideally, your security should keep all criminals away and you should never have to deal with a natural or human disaster. Unfortunately, we do not live in an ideal world.

Based on your understanding of your threats and vulnerabilities you should now know the types of risks you would like to prevent. This list may be quite long and diverse, but that is not a bad thing. Some people may argue that being prepared for everything will leave you generally unprepared. Unfortunately, this statement does have some truth to it. The danger of trying to account for everything is that your protections can end up canceling each other out.

That is why this process must constantly be assessed and the importance of certain protections should create some sort of security hierarchy. This is a process that never ends. It is always being tested. New technologies (like smart locks for instance) are always creating new threats and vulnerabilities. And there is always going to be something you are not prepared for. It is by doing this planning, and constantly thinking, that you can limit your unpreparedness level to something resembling zero.

Key Take Aways

  • Planning should be actionable.
  • Plans should also be practical.
  • One weakness is all it takes for a security plan to fail.
  • Ideal security deters the disaster from ever happening.
  • Create a hierarchy for your security.
  • Keep up to date on new technologies.

Organization

Know your real costs and real benefits. Do not keep your plan abstract. Start to crunch your numbers so that you can budget and take action. Write it down. Keep a record of the threats and vulnerabilities, concerns, and problems. Make sure you are choosing the best options for protecting your property. Invest in the best locks, cameras, security systems, whatever it is. The process of getting started might take a while between plan and purchase. Be sure that when you go to buy the product that your information is up to date. The process is never ending. All aspects of security must constantly be assessed. After you are done, things should be better, and security should be increased.

An easy way to assess your information, and plan, is to create a spreadsheet. This can be made on Excel (Windows), Numbers (Apple), Google Sheets (Google), etc…

  1. Create 7 columns
  2. Title the first: Potential Threats
  3. Title the second: Individuals at Risk
  4. Title the third: Cause of Risk
  5. Title the fourth: Actions Already in Place
  6. Title the fifth: Status of Research
  7. Title the sixth: Further Actions Needed
  8. Title the seventh: Done

Once you are done with the skeleton of the document, fill in the information. What is left empty will give you a good indication of the information that you need. Once you have completed the necessary actions for an entire row, mark it as done. You should schedule a reassessment of your security, ideally, every 6 months. If you cannot re-assess that often, once a year is the maximum time that should lapse before reassessment. In the event that the home’s security is tested by a break-in or natural phenomenon, your security should immediately be reviewed.

The Disaster Plan

This is the plan for when all the plans fail. All of your preparation cannot protect against everything. When it comes down to the worst case scenario, how you will react is crucial to staying safe. In this case, a disaster can be the result of criminals, natural activity, or man-made mistakes. Criminal activity is when your property is targeted. Natural disasters would be any disaster that is not the direct result of human intervention, such as floods, mudslides, hurricanes, earthquakes, etc. If a disaster is a result of human behavior, such as a fire caused by a lit cigarette, then it is man-made.

In regards to digital documentation, I would suggest some sort of cloud-based storage. Anything that keeps the information behind a password, but available outside of a single device. Other than digital documentation, physical documentation can be very useful. If there is a theft or a natural disaster you should have access to phone numbers you need to call: insurance, family members, locksmith, plumber, hospital, hotel. Have account numbers and passwords paired together. Keep this document somewhere very secure so that it will not be stolen or destroyed.

Not only will writing the plans down help you to think them through, they will also create a record. That record can be used to educate the relevant parties of the role they play in your security. The document can be used to re-educate easily if the plans change. It can also refresh after a fair amount of time elapses. And it can be trusted that every person has received the same information. Often when we talk about something after not looking at it for a while, we will remember certain parts as more important, and forget others entirely. In the event of an emergency or just during basic daily operations, two parties that are trained differently are going to behave differently. That variation is a potential hole in your security. If by re-examining the plan you would like to change any aspect of it, inform all currently trained members of your updates.

If you document the system itself it will be easier to rebuild. It will also be easier for you to assess the shortcomings of your security if there is ever a failure. This document may also help the police if your home is burgled. Detail your methodology and the scope of your document. Keeping a record of the limitations you had in making the plan will help to re-assess it. Do not forget to include some form of exit strategy. A path to the exits must be described if there are any obstacles. If the floor plan or even furniture is rearranged this may affect the prescribed path. Doors that have been deemed the emergency exits should never be blocked or locked in a way that is not described in the disaster plan.

Key Take Aways

  • The Disaster Plan- the plan for when all the other plans fail.
  • Disaster- the result of criminal activity, natural or man-made events that result in a loss of valuables.
  • Documentation- Should be used for emergency contact information and to keep information consistent.
  • Detail an exit path in your disaster plan.

Future Planning

future-plan

Try to make the best out of a bad situation and learn from your mistakes. Something is only a failure if you learn nothing from it. What went wrong? Why did your protections fail? Make sure that you are taking responsibility and not assigning blame. It is important not to focus on the negatives during these types of discussions or thought experiments. If you are kicking yourself, or someone else, chances are you are missing the larger issue. One person may have made a dumb mistake, but that means that a dumb mistake was all it took to defeat your security. Say a door was left unlocked. There is no way to know after the fact, how many times, and how many people, have left the door unlocked. All you can do is create procedures to decrease this risk, and adhere by those procedures. Blame and shame are not productive. The focus must be on fixing the problem. Hindsight will always be 20/20. Ex: If your landlord bought cheap locks, the problem is not the landlord, the problem is the cheap locks. In this instance, the focus should be on having new locks installed rather than blaming your landlord.

Key Take Aways

  • Learn from your mistakes.
  • Try not to focus on the negatives.
  • Do not assign blame.
  • Fix the flaw(s) in the security.

Mitigation

Along with decreasing the likelihood of another similar failure you should explore mitigating the disaster. It is almost impossible to eliminate human error from the equation of any security plan. Geographic restraints may also keep you from taking all the steps necessary to create adequate protection. Look at the event. Then check the response documentation and strategy. Find the reason the event took place. Analyze this and find out what can be done. If a lock was picked get a higher quality lock with a greater picking resistance. This will not technically solve the problem, but it will mitigate it. Mitigation is based on lessening the severity of something.

Purchase and implement the higher levels of protection. With mitigation, you are trying to keep the events from happening again by closing up the holes that you can see. It is prevention without saying that the problem is solved. Because of the nature of security, a problem can never be solved. But the consequences of that problem do not need to be so severe. Ideally, we are trying to prevent. Even if a goal is improbable, falling a little short of the ideal is better than no improvement. Whatever the disaster is it should not leave you with nothing.

Key Take Aways

  • Mitigation – an action that lessens the seriousness or severity of something.
  • Focus on closing the holes you can without worrying about perfect security.
  • Each solution should solve at least an aspect of a larger issue

Cost

In order to find out if the price you are paying is worth it, you will need to do a cost-benefit analysis (CBA). A CBA asks, “Is what you are investing in (money and/or time) greater than the benefits of those products or services?” A cost-benefit is a little more clear-cut when you are strictly speaking about money, but that might not be your concern. The cost is not necessarily money. Cost can be accessed by any value system. Human well-being, animal safety, protection of sentimental objects, etc may be more important than monetary cost. Other than protecting items of value, the idea must also be feasible. If it cannot be done, then there is no need to invest in it. Infeasibility may describe items that do not exist and cannot be made. It may also be something that is illegal. Justification goes back to your risk assessment. Does the investment go towards the prevention of a likely event?

Use the CBA to compare potential solutions. Don’t get to attached to any one idea. Keep an open mind. Weigh one course of action against the other and do not just compare doing something against doing nothing. You may also use a cost-effectiveness analysis (CEA) to compare safety measures. In order for a CEA to give accurate information, you will need to test the security. This would come after the security has already been implemented and tested organically. If you wish to test your security on your own, be conscious that your efforts may weaken your security to the point that your test no longer represents the current strength of the precaution. This should also be a concern for organic tests. Consider replacing any items that were affected by the security test. If you happen to damage exterior door locks during your test, make sure you reach out to a locksmith to help you with damaged lock repair.

Key Take Aways

  • CBA – A cost-benefit analysis determines if the investment is greater, less than, or equal to the cost of the products or services.
  • The investment and cost are not strictly money.
  • CEA – A cost-effectiveness analysis measures the investment against the effectiveness of the solution.
  • Replace all security features that may have been damaged during a staged or organic test.

Be wary of:

1. Confirmation bias in the findings of your security assessment.

When you are looking for the likelihood of an event try and find statistics with clear methodologies. Sites that sell security systems are not always that willing to tell you about how crime has been steadily decreasing over the past few decades. Some blogs are very alarmist, and even some news publications misinterpret the facts. The FBI has even released a document on proper use for their crime reports, due to the confusion the media was creating. (The Lock Blog has also done a small write-up (in a larger article) on the Crime report’s methodology if you would like to understand their reporting procedures.) I would always promote a certain level of skepticism when people claim to have the facts. Each person colors reality with the paintbrush of their own bias. Similarly to not accepting things at face value, you should also not close off your mind. Being overly skeptical can be just as unproductive, and, even more, paralyzing, than open-mindedness. Find a balance based on your own research and general knowledge.

2. Lack of organization in your documentation.

Don’t create your own system. Keep it consistent and keep it alphabetical. This document exists for quick access and response. If you would like to arrange the documents by priority or some other metric, create a table of contents. Make sure that the section titles accurately describe what is in that part of the document.

3. Miscommunication in documentation and verbal interaction.

A written document should serve as a good protection against this, but it is not immune to causing a misunderstanding. Find someone that can write clearly, but still technically enough to include all the information. Chances are that this document will be shared with a few people. Have these individuals look over a draft. Listen to their feedback. Make the necessary changes, and you may even find that the criticism strengthens the procedure.

4. Complacency with your current protection.

It is dangerous to think what you have done so far is good enough. The security field is always changing. Bypasses, virus software, and all sorts of things are constantly being discovered.

5. Ingress/egress points being blocked or locked.

Necessary doors or openings should not be blocked to the point where the residents are placed in danger. Make sure that exits in emergency plans open quickly and easily.

Conclusion

family-inspec-home

It sure is a lot of information to digest and a lot of work to do. But then again nothing worth doing is ever easy. Ultimately it is up to you to determine your precautions. You will have to do your own research at the time of purchase for more up to the date information. If I were to tell you now, the best locks, security systems, alarms, etc. in a year or so the information might be completely different. Make sure that you are comfortable with installing your security yourself. If you do not feel that you have the appropriate skills, make sure to hire a trusted professional. Do not play fast and loose with your safety. Still, before hiring a professional, understanding the protections you need will give you an idea of the project’s scope. Putting in the time and research will also give you the knowledge to better vet security technicians. For up to date lock and security, news be sure to check back in with the Lock Blog by following us on Twitter, Facebook, and Pinterest.

Category: How To's, Residential, Safety & Security


Need a locksmith? Schedule an appointment today. 866.338.9997