There are two broad strategies for using IT to solve a problem. One is to design a solution and depend on the user to conform systems and practices to that solution. A classic example is in the arena of enterprise-wide software.
In order to accommodate the algorithms developed by vendors such as PeopleSoft or SAP, customers have to alter procedures in accounting, human resources and other critical management functions. Despite the cost of such renovation, the benefits are frequently deemed worthwhile - hence the rise in enterprise software generally. At other times, the costs are prohibitive; there are financial, marketing and management issues that cannot be easily solved. Then the only strategy is to design the software around the customer's processes, which at the end of the day is the customer's preferred solution anyway.
Defining the problem
Security technology, particularly as it relates to control of physical access, is a challenge of the second kind. The bottom line is that the software used to prevent unauthorised intrusion requires a focus on a couple of realities, one of which is that the players are not likely to conform to some pre-ordained script that is derived in relative isolation from the realities of the user's world.
In short, if someone wants to design a system to preclude piggybacking, tailgating, and related misbehaviours, there should be a rich database of situations that need a solution. These should be identified on site and in the real world. The following section provides an incomplete listing of the what-if scenarios, real and potential, they have identified. Although some of the items should be familiar, the list can serve as an initial benchmark in putting together a program to protect against piggybacking, tailgating and related problems associated with physical access control.
Tailgating scenarios
I. Collaborative deviation
A. An authorised person outside the secure or protected area swipes the card and allows another person to enter the area before he enters. When the authorised person enters the area, he closes the door behind him.
B. An authorised person outside the secure or protected area swipes a card and allows another person to enter the area, but does not enter himself.
C. A person already inside the secure area swipes a card and allows someone else to enter.
D. An authorised person swipes a card and enters the secure or protected area but fails to close the door, thus allowing any number of others to enter the sterile area before the door is closed.
II. Suspicious objects
A. An authorised person carries an unidentified object into the area.
B. A person carries an unidentified object out of the area.
C. An authorised person enters or leaves the sterile area with an unauthorised object.
D. A person leaves an unattended object inside or outside the sterile area near the door.
E. An unidentified object is passed back through the doorway after access is achieved.
III. Violating ID badge procedures
A. Personnel do not wear their required ID badges after they obtain entry to the secure area.
B. Personnel wear the wrong badge in the secure area and the error is not recognised by others.
C. Personnel wear the wrong badge and the error is detected by others but not challenged.
IV. Individual variations
A. An authorised individual gains entry to the secure area within procedures and then moves to an inappropriate section of the area (toward a power source or baggage area, for example).
B. An authorised individual has out-of-range frequency of access (within an hour or day).
C. An authorised individual displays out-of-range access patterns (for example, going to a door that normally is not used by him or her or by authorised populations generally).
D. A person attempts to hide his or her face when swiping the card to enter or exit.
E. A person swipes his or her card more frequently than expected within some time period.
F. A person uses something to keep a door open and to prevent it from closing.
V. System aberrations
A. Identification reliability and accuracy varies with changes in lighting and illumination (eg, by access door opening to brighter or darker environment, time of day).
B. False positives are generated from background noise and movement.
C. Multiple alarms, caused by multiple and simultaneous intrusions, confuse warning and response mechanisms.
It is the people, stupid.
Identifying and developing piggybacking scenarios and even tying alarms and response procedures to them is only part of the business and security opportunity. At the end of the day, technological solutions have to fit inside a facility's broader or comprehensive security plan. A trained workforce is still necessary. For example, interviews with security officials around the United States over the past year, including officials in both airport and non-airport settings, suggest that the most frequent tailgating violation is the occurrence of one authorised individual permitting other authorised individuals familiar to him to 'ride' on his swipe or authorisation. So although professionals know that security is a layered solution, there is often a gap in tying the layers together.
And this situation creates an opportunity. By focusing on how their tools can assist in training workers to be more security savvy, vendors create an added value that is significant from the user's or buyer's perspective but may not be so obvious to the engineers of a state-of-the-art technology.
Security is a multifaceted problem and the solutions have to be multifaceted as well. When technology firms realise how their tools can be used for working at more than one level of the problem, value is easier to find.
This article was first published in the August 2003 issue of Security Technology and Design magazine (www.simon-net.com)
About the author: Nicholas Imparato is a professor, School of Business and Management, University of San Francisco; a research fellow, Hoover Institution, Stanford University; and a member of the policy and planning committee of the Bay Area Science and Innovation Consortium (BASIC). He can be contacted at [email protected]
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version