A resource for consumers, locksmiths, and security professionals.
Posted On by Ralph Goodman
Things don’t get more personal than where you live. When things get personal people get protective. And protective is great, as long as it is practical. Security consultant and all around cool dude, Matthew J. Harmon (@mjharmon) suggested that we give our readers a crash course on risk assessment and security planning. We have broken up the piece so that it educates as well as assists you in the planning process. You will need to understand what risk is and how to calculate it. As a starting point, you should also know the general protections that are afforded by operational and physical security. What questions do you need to ask? Who are you asking? What’s the difference between a CEA and CBA? With a complete and thorough risk assessment, every person should be able to design an effective home security plan that will help keep your home safe from criminals. Learn what it takes to truly be prepared.
“Most people look at their house as a castle, when in fact it is more like a straw hut.”
-Matthew J. Harmon (2015)
Risk is the likelihood of loss. A risk assessment weighs the cost of the strategy against the potential losses without it. It is a business concept, but this assessment goes beyond monetary ramifications. We are not going to necessarily juxtapose financial against financial. Something of value can be property, family, heirlooms, pets (they need to be kept safe too), time, etc. As part of the risk assessment, you need to understand the disasters and the different types of criminal activity. You have to know not only how likely each event is, but what goes into that event. Assessing your risk will assist in creating response procedures for different disasters.
Fraud – Stolen information used to steal money, records or other valuables. This can destroy credit and potentially ruin your life.
Downtime – If your home is your office, downtime can potentially destroy your business. Downtime is most troubling when your home is where you keep many records, servers, information, etc. If those items are damaged, lost, or stolen you may not be able to work. In this instance, your home security may be compromising your business security.
Property Replacement – When physical objects are stolen or destroyed chances are you will want to replace them. Hopefully, what is lost or stolen can be replaced, but that is not always the case.
Legal – You may be responsible for keeping your property equipped with certain protections. Not acting in accordance with the law may put you in financial risk as well as physical harm.
Now that we understand risk a little better, we can talk about how to determine your own risk. The best way to do this is with a simple equation: Risk equals threat times vulnerability. This is an abstract concept, not an actual numerical equation. That means that numbers should not be plugged in. Threat level being 50 multiplied by a vulnerability of 10 will get you a risk of 500. That 500 is ultimately meaningless. The equation is meant to serve as a call to action, not a method for finding an exact number. Use it in the way that if your vulnerability or threat is zero, then your risk will be zero. No chance of the threat being realized when combined with high vulnerability still means that you are not at risk to that threat, and vice versa. Simply, no threat, or no vulnerability, means that there is no risk. This equation will also help you to understand, abstractly, how concerned you should be about a particular threat or vulnerability.
When you consider your threat(s), be conservative. The more realistic your approximation is, the more appropriate your protection will be. Find out what Natural disasters affect your area, and which do not. In a valley, you may think that flooding could be a problem, but a dry climate may make geography somewhat irrelevant. In the hills of southern California mudslides and wildfires may be the largest concern, and disasters like tornados and hurricanes may be nonexistent. If your city is on, or close to, a fault line or fracking plant, you may be in danger of an Earthquake. Similar to a natural disaster, the threat may be exposed wires causing a fire, or faulty pipes bursting and flooding the home. Trees and branches may also fall onto the home, or simply fall to block an exit or entrance.
Your security may also fail. Locks may not work the way that they should. Camera’s might not be recording. Doors could jam. Your equipment quality will be key in determining whether or not these types of failures occur. Even if your equipment is state of the art it is not safe from failure. Operator error is always a clear and ever present danger. If the products are too complex, they may degrade quickly due to misuse. You current security plan may also have issues with operator error separate than daily use. If the plan is not easy to follow or memorize, it may increase certain threats. Analyze how much your safety relies on humans, and how frequent people interact with your security.
When humans are not causing threats by accident, they are causing them maliciously. This is often the part of a security plan that most people will focus on. Focusing on this type of threat to the point of neglecting other potential threats is a recipe for failure. Honestly, look at crime statistics in your area. Also, consider the type of criminal that might wish to break into your property. Are they going to steal, or are they just going to damage the property? This type of threat is known as interference. Drug addicts and animals may just harm the property. This may be due to an inability to access your valuables or a disregard for them. Regardless, your belongings are being harmed but not stolen.
There may also be a threat of interception. This is when your keys or access codes are stolen. To assess the threat of interception, you will need to review your plans for key and code control (access controls). The presence of pickpockets would be the largest indication of this threat type. The threat of interception can potentially go hand in hand with the threat of impersonation. Impersonation is when the criminal pretends to be you or someone that should be given access to the property. All manner of individuals can be impersonated, but it takes a very particular type of thief to go to this length.
To determine your vulnerability, you will need to ask yourself, “If a threat is realized what are the chances that it will bypass my security?” Things like location can make you vulnerable to natural disasters. Your location can also make you vulnerable to burglary and vandalism. Having cheap equipment is going to increase the chance that your systems will fail. Even if the product is expensive, if it is low quality it may fail. Think about the type of quality the products have. What skill level would a thief need to have in order to attack your property effectively? The more skill it would take, the less vulnerable you are.
Installation will play a big role in your vulnerability. For instance, if a lock is not properly installed then it won’t matter if it is one of the most unpickable locks in the world. Placement of protections, such as a deadbolt latch on the opposite side of a glass door, may make you vulnerable to forced entry attacks. If people are forcing their way in, what would their motivation be? Can they see items of value from the street? Do people like you? Unfortunately, your reputation is also a vulnerability. Is it likely that you will be the target of an attack by your neighbors, coworkers, or even housemates? If you have a feud with anyone, this increases the chance that your property will be disrupted, and your security will be tested.
If many people need access to the property this may also increase certain vulnerabilities. Human error is dependent on the amount of people with access. The more balls you are juggling, the more likely it is that you will drop one. As we have seen with the considerations for gate security, even if you try to protect people, they may damage their own security for an increase in convenience. You have to know your cohabitants and be able to trust them, in order to decrease your human error vulnerability.
Protections exist to lessen vulnerability. You now know about risk and how you can determine particular risk by analyzing your potential threats and vulnerabilities. Now it is important to discuss the protections.
Each category should be addressed in order: introspection, then infrastructure, then residents. These will tell you about your threats and vulnerabilities. These questions are by no means the only you should ask. They should serve as a springboard for more questions.
A security plan has several aspects to it. The basis is to decide on an actionable list of protections. This plan should be practical and effective. Safety and security are not tangible things. Security is achieved with a network of tangible and intangible things. It is how the network works together that creates good or bad security. The idea is the same as a chain. Like a chain, security is only as strong as its weakest link. You can see your locks and cameras, but their value is in the crime they deter. The best security is security that is never tested. Ideally, your security should keep all criminals away and you should never have to deal with a natural or human disaster. Unfortunately, we do not live in an ideal world.
Based on your understanding of your threats and vulnerabilities you should now know the types of risks you would like to prevent. This list may be quite long and diverse, but that is not a bad thing. Some people may argue that being prepared for everything will leave you generally unprepared. Unfortunately, this statement does have some truth to it. The danger of trying to account for everything is that your protections can end up canceling each other out.
That is why this process must constantly be assessed and the importance of certain protections should create some sort of security hierarchy. This is a process that never ends. It is always being tested. New technologies (like smart locks for instance) are always creating new threats and vulnerabilities. And there is always going to be something you are not prepared for. It is by doing this planning, and constantly thinking, that you can limit your unpreparedness level to something resembling zero.
Know your real costs and real benefits. Do not keep your plan abstract. Start to crunch your numbers so that you can budget and take action. Write it down. Keep a record of the threats and vulnerabilities, concerns, and problems. Make sure you are choosing the best options for protecting your property. Invest in the best locks, cameras, security systems, whatever it is. The process of getting started might take a while between plan and purchase. Be sure that when you go to buy the product that your information is up to date. The process is never ending. All aspects of security must constantly be assessed. After you are done, things should be better, and security should be increased.
An easy way to assess your information, and plan, is to create a spreadsheet. This can be made on Excel (Windows), Numbers (Apple), Google Sheets (Google), etc…
Once you are done with the skeleton of the document, fill in the information. What is left empty will give you a good indication of the information that you need. Once you have completed the necessary actions for an entire row, mark it as done. You should schedule a reassessment of your security, ideally, every 6 months. If you cannot re-assess that often, once a year is the maximum time that should lapse before reassessment. In the event that the home’s security is tested by a break-in or natural phenomenon, your security should immediately be reviewed.
This is the plan for when all the plans fail. All of your preparation cannot protect against everything. When it comes down to the worst case scenario, how you will react is crucial to staying safe. In this case, a disaster can be the result of criminals, natural activity, or man-made mistakes. Criminal activity is when your property is targeted. Natural disasters would be any disaster that is not the direct result of human intervention, such as floods, mudslides, hurricanes, earthquakes, etc. If a disaster is a result of human behavior, such as a fire caused by a lit cigarette, then it is man-made.
In regards to digital documentation, I would suggest some sort of cloud-based storage. Anything that keeps the information behind a password, but available outside of a single device. Other than digital documentation, physical documentation can be very useful. If there is a theft or a natural disaster you should have access to phone numbers you need to call: insurance, family members, locksmith, plumber, hospital, hotel. Have account numbers and passwords paired together. Keep this document somewhere very secure so that it will not be stolen or destroyed.
Not only will writing the plans down help you to think them through, they will also create a record. That record can be used to educate the relevant parties of the role they play in your security. The document can be used to re-educate easily if the plans change. It can also refresh after a fair amount of time elapses. And it can be trusted that every person has received the same information. Often when we talk about something after not looking at it for a while, we will remember certain parts as more important, and forget others entirely. In the event of an emergency or just during basic daily operations, two parties that are trained differently are going to behave differently. That variation is a potential hole in your security. If by re-examining the plan you would like to change any aspect of it, inform all currently trained members of your updates.
If you document the system itself it will be easier to rebuild. It will also be easier for you to assess the shortcomings of your security if there is ever a failure. This document may also help the police if your home is burgled. Detail your methodology and the scope of your document. Keeping a record of the limitations you had in making the plan will help to re-assess it. Do not forget to include some form of exit strategy. A path to the exits must be described if there are any obstacles. If the floor plan or even furniture is rearranged this may affect the prescribed path. Doors that have been deemed the emergency exits should never be blocked or locked in a way that is not described in the disaster plan.
Try to make the best out of a bad situation and learn from your mistakes. Something is only a failure if you learn nothing from it. What went wrong? Why did your protections fail? Make sure that you are taking responsibility and not assigning blame. It is important not to focus on the negatives during these types of discussions or thought experiments. If you are kicking yourself, or someone else, chances are you are missing the larger issue. One person may have made a dumb mistake, but that means that a dumb mistake was all it took to defeat your security. Say a door was left unlocked. There is no way to know after the fact, how many times, and how many people, have left the door unlocked. All you can do is create procedures to decrease this risk, and adhere by those procedures. Blame and shame are not productive. The focus must be on fixing the problem. Hindsight will always be 20/20. Ex: If your landlord bought cheap locks, the problem is not the landlord, the problem is the cheap locks. In this instance, the focus should be on having new locks installed rather than blaming your landlord.
Along with decreasing the likelihood of another similar failure you should explore mitigating the disaster. It is almost impossible to eliminate human error from the equation of any security plan. Geographic restraints may also keep you from taking all the steps necessary to create adequate protection. Look at the event. Then check the response documentation and strategy. Find the reason the event took place. Analyze this and find out what can be done. If a lock was picked get a higher quality lock with a greater picking resistance. This will not technically solve the problem, but it will mitigate it. Mitigation is based on lessening the severity of something.
Purchase and implement the higher levels of protection. With mitigation, you are trying to keep the events from happening again by closing up the holes that you can see. It is prevention without saying that the problem is solved. Because of the nature of security, a problem can never be solved. But the consequences of that problem do not need to be so severe. Ideally, we are trying to prevent. Even if a goal is improbable, falling a little short of the ideal is better than no improvement. Whatever the disaster is it should not leave you with nothing.
In order to find out if the price you are paying is worth it, you will need to do a cost-benefit analysis (CBA). A CBA asks, “Is what you are investing in (money and/or time) greater than the benefits of those products or services?” A cost-benefit is a little more clear-cut when you are strictly speaking about money, but that might not be your concern. The cost is not necessarily money. Cost can be accessed by any value system. Human well-being, animal safety, protection of sentimental objects, etc may be more important than monetary cost. Other than protecting items of value, the idea must also be feasible. If it cannot be done, then there is no need to invest in it. Infeasibility may describe items that do not exist and cannot be made. It may also be something that is illegal. Justification goes back to your risk assessment. Does the investment go towards the prevention of a likely event?
Use the CBA to compare potential solutions. Don’t get to attached to any one idea. Keep an open mind. Weigh one course of action against the other and do not just compare doing something against doing nothing. You may also use a cost-effectiveness analysis (CEA) to compare safety measures. In order for a CEA to give accurate information, you will need to test the security. This would come after the security has already been implemented and tested organically. If you wish to test your security on your own, be conscious that your efforts may weaken your security to the point that your test no longer represents the current strength of the precaution. This should also be a concern for organic tests. Consider replacing any items that were affected by the security test. If you happen to damage exterior door locks during your test, make sure you reach out to a locksmith to help you with damaged lock repair.
When you are looking for the likelihood of an event try and find statistics with clear methodologies. Sites that sell security systems are not always that willing to tell you about how crime has been steadily decreasing over the past few decades. Some blogs are very alarmist, and even some news publications misinterpret the facts. The FBI has even released a document on proper use for their crime reports, due to the confusion the media was creating. (The Lock Blog has also done a small write-up (in a larger article) on the Crime report’s methodology if you would like to understand their reporting procedures.) I would always promote a certain level of skepticism when people claim to have the facts. Each person colors reality with the paintbrush of their own bias. Similarly to not accepting things at face value, you should also not close off your mind. Being overly skeptical can be just as unproductive, and, even more, paralyzing, than open-mindedness. Find a balance based on your own research and general knowledge.
Don’t create your own system. Keep it consistent and keep it alphabetical. This document exists for quick access and response. If you would like to arrange the documents by priority or some other metric, create a table of contents. Make sure that the section titles accurately describe what is in that part of the document.
A written document should serve as a good protection against this, but it is not immune to causing a misunderstanding. Find someone that can write clearly, but still technically enough to include all the information. Chances are that this document will be shared with a few people. Have these individuals look over a draft. Listen to their feedback. Make the necessary changes, and you may even find that the criticism strengthens the procedure.
It is dangerous to think what you have done so far is good enough. The security field is always changing. Bypasses, virus software, and all sorts of things are constantly being discovered.
Necessary doors or openings should not be blocked to the point where the residents are placed in danger. Make sure that exits in emergency plans open quickly and easily.
It sure is a lot of information to digest and a lot of work to do. But then again nothing worth doing is ever easy. Ultimately it is up to you to determine your precautions. You will have to do your own research at the time of purchase for more up to the date information. If I were to tell you now, the best locks, security systems, alarms, etc. in a year or so the information might be completely different. Make sure that you are comfortable with installing your security yourself. If you do not feel that you have the appropriate skills, make sure to hire a trusted professional. Do not play fast and loose with your safety. Still, before hiring a professional, understanding the protections you need will give you an idea of the project’s scope. Putting in the time and research will also give you the knowledge to better vet security technicians. For up to date lock and security, news be sure to check back in with the Lock Blog by following us on Twitter, Facebook, and Pinterest.