Security vs. Sustainability in Building Construction

Interesting:

Any facility executive involved in the design of a new building would agree that security is one important goal for the new facility. These days, facility executives are likely to say that green design is another priority. Unfortunately, these two goals are often in conflict. Consider the issues that arise when even a parking lot is being designed. From a security perspective, bright lights in the parking lot enable security cameras to pick up all activity at night. From a green point of view, a brightly lit parking lot is a waste of energy and a source of light pollution. An advocate of green design would argue for plenty of leafy trees and bushes in the parking lot to minimize the urban heat island effect; a security consultant would reply that trees in the lot will block surveillance cameras and provide hiding places for would-be criminals.

There is no shortage of conflicts between sustainability and security goals. Fortunately these conflicts can be resolved to the mutual benefit of both parties, resulting in sustainable and secure buildings and campuses. This balance can be best achieved if security is involved early in the design process.

Posted on January 18, 2010 at 1:34 PM • 42 Comments

Comments

ArclightJanuary 18, 2010 1:55 PM

The "early in the design process" bit is key here. I have read several books and articles on physical security that argue for "smart" lighting and surveillance.

For the parking lot and perimeter, lighting that comes on when someone trips the motion detectors is supposed to be more effective than all-night floodlights, since it also alerts the patrons and security guards that someone is moving about.

If you want to use natural light and create more open space into a building, that can be capitalized on as well.

For instance, large windows or openings can let the security kiosk have a good view into the parking garage stairwell. Someone can be seen prowling about or a shout for help is more likely to be heard.

Arclight

Clive RobinsonJanuary 18, 2010 2:03 PM

There apears to be many many cases where you see,

Security-v-XXX

The one that causes me most problems is,

Security-v-Efficiency

The interesting thing is though that if you look carefully you can ways of mitigating the majority of the issues.

The question is at what point do you want individual trade offs, and how much different tradeoffs overlap each other.

It's a bit like car safety seat belts are only so so effective to make them more safe becomes exponentialy expensive. However when you add another orthagonal safety feature such as airbags etc the same issue arises however because they are ortagonal to eachother the effect is to increase the safety at a lower cost and thus higher efficiency than can be achived in trying to improve just one feature.

Andre LePlumeJanuary 18, 2010 2:13 PM

Nowhere is this more evident than with rules prohibiting the recycling of passwords.

MailmanJanuary 18, 2010 3:19 PM

@Arclight: "lighting that comes on when someone trips the motion detectors is supposed to be more effective"

That was my first thought as well. Not only is it more energy-efficient and more environment-friendly, but lights that go on with motion detectors are also more likely to be noticed on the CCTV screen by the night guard.

rjhJanuary 18, 2010 3:58 PM

Or, a less blinkered view of security and green could be taken. The "bright light" security is quite false in terms of protection. Yes, it gives you a good video record of crimes the next day, but for protection these islands of light make things worse. They break the light adaptation of the people in the area. They blind security staff to people in the shadows.

Most effective is dim lighting, properly adjusted cameras, and motion detectors that brighten the lighting somewhat. The people will still be able to see into the shadowed areas. Perhaps more effective (although unproven) would be a series of green, yellow, and red LED mini-spots as the dim lighting. These generate distinctly different patterns on people than they do on the background because the people intersect different beams.

As for green issues, in the wetter climates the major parking area impact is runoff, with heating second. Techniques like the use of concrete with holes for grass give you a solid surface for cars, with cooling and runoff management. It does have the problem of needing to be mowed, and oil pollution from car drippings can also be an issue.

The combination reduces light pollution, energy use, and water pollution.

Lighting designers are not ignorant of this. The new (but more expensive) designs have lens and mirror controls to provide less disruptive lighting. Unfortunately, the public has been trained to want the security theater of blinding lights.

kevinmJanuary 18, 2010 4:33 PM

It is a common fallacy that bright light is required for security. For security it is more important to have even lighting without dense shadows. Overly bright lighting impairs the night adapted vision and creates dark shadows that are perfect for hiding in.

Another idea, one of our facilities in France has parking on the grass. The parking spaces are surfaced with a concrete honeycomb with 3cm diameter holes through which grass grows. It's green, looks good and the cars do not damage the surface or turn it into mud.

EadwacerJanuary 18, 2010 4:42 PM

I have found through windy experience that foliage and motion sensors have trouble coexisting.

mooJanuary 18, 2010 5:37 PM

@Andre LePlume:

I lol'd. My workplace, like many, requires me to change my password every 3 months and prevents any of the last 10 passwords. I haven't yet outright forgotten my password because of it (and I never write them down), but its still a pretty annoying rule.

ContrarianJanuary 18, 2010 5:42 PM

@moo

In terms of gaming the system, why not change your pw 10 times and then change it once more to the original pw? (Or would that arouse the ire of IT?)

Impossibly StupidJanuary 18, 2010 5:50 PM

I completely disagree with the notion of "secure early". It's like saying you need to bring an outline to a brainstorming session. The problem being that imposing restrictions too soon can create an environment that is no longer *worth* securing. A real security professional would see a challenge, not a conflict, if tasked to secure an area that naturally serves some better purpose.

Nick PJanuary 18, 2010 5:51 PM

It's an interesting discussion. It seems that one has to pick a Priority No. 1, then try to reach the second one wherever possible. I think this can be done satisfactorily in many cases. For example, the parking lot could be lit with LED-based lights that are quite efficient. I also see some overlap between the design of solar windows and windows designed to resist minor attacks. I think we can do quite a bit of both security and green before we have to pick and choose. We will have to pick and choose, though.

subpatreJanuary 18, 2010 6:01 PM

As several others have pointed out, the 'bright lights' criteria is false, but illustrates a common confusion between security —as protection and prevention of bad things— and documentation of what 'security' efforts were made. It is confusing police actions that record and (often) prosecute crimes, and the prevention of or protection from those crimes.

Kevin D. S.January 18, 2010 7:06 PM

Yes... factor in the additional requirement to balance "security" against "safety" and "usability" and you have enough to make you run screaming from the room.

But, to the author's point... "This balance can be best achieved if security is involved early in the design process."

... the hard part is convincing the project sponsors (and later, PM's) to engage security early and often.

TroyJanuary 18, 2010 7:50 PM

@Contrarian,

Where I used to work that did this, there was an additional rule so you could not change your password more than once per day. I will admit to succumbing to the "incrementing number" crime for a few password changes!

The worse system however was one that required a password *exactly* 8 characters long, no symbols or spaces. Even worse, it was for a system that I wasn't all that... invested in, so the password ended up being more memorable than secure. Still, I didn't share it, which was the main nono in the book.

Impossibly StupidJanuary 18, 2010 8:05 PM

Consider the possibility that the reason it is hard to convince people they need security is because you are wrong. Involving security "early and often" is a premature optimization. Crooks aren't crying over the non-existent trees they can't use for hiding; they're looking for the weakness in what *does* exist. In many ways, it is *worse* than security theater to allow unreasonable influence of the design process by people whose sole goal is to eliminate core value by fabricating fake threats.

Clive RobinsonJanuary 18, 2010 9:18 PM

@ Impossibly Stupid,

"Consider the possibility that the reason it is hard to convince people they need security is because you are wrong. Involving security "early and often" is a premature optimization."

Hmm I don't think you have much contact with Europeans by that statment.

Also it shows a rigidity of thinking that a friend of mine referes to as "a mind of an accountant", it is almost always going to produce a sub optimal design within the requirments feature set.

Also it may be illegal as well...

In a number of languages there is only one word for what we in English very unusualy have two,

"Safety and Security"

And language usually but not always has a defining effect on the way you think.

Thus people forget that designing a system that is both "safe and secure" has benificial trade offs immediately.

Most building designers are aware of what is required within building codes as to what is required for fire/earthquake/flood/storm/etc safety. Adding security to this list is generaly quite easy for "green site" projects (green in this case meaning "turning new soil" as opposed to updating or modernising existing buildings etc).

However security as well as safety should always be part of a designers state of mind. In the same way as form and function.

Thinking about it "after the fact" is a shortsightedness that leads to security flaws not the other way around.

Oh and I should mention why my friend reserves the comment "a mind of an accountant" as the worst of put down statment. They once worked at a place when younger where there where a number of thefts so the accountant put padlocks on the fire exits along with keys in alarmed "break glasses" and shortly there after there was a fire. It was only then discovered that the wrong keys where in the break glasses. Luckly nobody was badly hurt...

Russell CokerJanuary 18, 2010 9:42 PM

It's interesting how the article starts being about lighting a car park to watch all activity and then ends with buildings that are bomb-proof and have protection against poison released into the air intake vents.

Do there exist buildings that have a carpark that is open to the public and which also have risks of bomb and poison attack? I've visited a building that was at risk of bomb blast and seen another from well outside, in both cases the car parks were protected by razor wire and the guards had automatic weapons.

Impossibly StupidJanuary 18, 2010 10:13 PM

@Clive
"Hmm I don't think you have much contact with Europeans by that statment."

I don't know why you think that makes a difference. I've had contact with will real people who want real security and I've had contact with scared people who want the comfort of security theater. Please force all Europeans into those categories based on your experience.

"it is almost always going to produce a sub optimal design within the requirments feature set"

In my experience, what results in bad designs are committees. Brining in security concerns before they're necessary, and especially when they're pure theater, are going to lead to failure far quicker than waiting until you have a candidate design and *then* addressing the security issues.

"Thinking about it "after the fact" is a shortsightedness that leads to security flaws not the other way around."

I never said "after the fact". I said that it is usually not a primary issue, and therefore should not be a primary voice in a design. And are you seriously trying to argue that a bloody *tree* in a parking lot full of cars is the *big* security issue that any competent professional is going to highlight? Honestly, I'd fire any security goon on the spot if they couldn't offer anything more useful than "OMG trees!"

"Oh and I should mention why my friend . . ."

. . . over-generalizes populations like accountants as much as you do Europeans? Look, idiots are idiots regardless of what their profession is. Some of them are accountants that lock fire exits, and some of them are security professionals who can't manage to secure a parking lot that contains plants. You can't insult the former and pretend the latter doesn't need to be equally insulted.

Dave AndersenJanuary 18, 2010 10:28 PM

I'm with the original article: It's mostly a matter of forethought. E.g., planters and (mature, well-rooted) trees make effective anti-car bollards that have less of an effect of making the protected building look like a fortress worth attacking. As can a runoff garden, particularly a slightly deeper one with a heavy stone retaining wall. An earth berm with low-water or native, low-maintenance ground cover. Intersperse attractive, LED courtyard lighting with a reinforced base, and you have a green, attractive, and non-threatening building security perimeter to keep the car bombs out.

Clive RobinsonJanuary 18, 2010 11:43 PM

@ Kevin D. S.

"Yes... factor in the additional requirement to balance "security" against "safety" and "usability" and you have enough to make you run screaming from the room... ... the hard part is convincing the project sponsors (and later, PM's) to engage security early and often."

The old adage about "Money talks..." applies if and only if done in the right way.

However a little examination as to why the problem exists and some of the falicies involved.

Security requirments are seen that way because it is still regarded as an "add on" not a "built in".

For instance if you where puting an oil based heating system in would you run the fuel line above or below the burner?

If you say "huh no brainer" then you are part way to the answer.

It has to be part of the "state of mind" of the designer to not only follow rules but realise also where the rules should be broken or additionaly re-inforced.

For instance in temperate zones fuel lines and fuel storage rarely go above a heater. However in some parts of the world where the temprature drops sufficiently for fuel to become waxy or not flow they are put above the heater in such a way that problems do not arise from insufficient heat or to much heat. One example of this with fuel lines on the very small scale you might have seen is the Primas Stove where the fuel is pre-heated within the fuel head (yup it also deals with altitude issues as well and is quite a neat bit of sideways thinking ;).

Thus there are good reasons to relax general principle/guidence rules. However the contary is also true.

A Hospital I have occasion to stay in from time to time is built on the side of a hill, as part of a redevelopment they put in new walkways to make access to the various parts of the hospital easier. However for some reason the high preasure gas cylinder store for the likes of O2 and other medical gases some of which are fuels is under one of the walkways designated by design as major access route (and thus will be used when an emergancy happens).

Now because these cyclinders have a value that makes them liable to be stolen they are locked in large metal open air cages for Security and Safety reasons.

Bearing in mind there is a perfectly adiquate place to store such cyclinders a moderate distance away I for one would be interested to know the reasoning for putting preasurised fuel and oxidizer cyclinders under what is an emergancy exit walk way and the cost benifit trade off behind the choice (if there ever was one).

One of the things that people should be more aware of is threat trade off under predictable threat changes.

For instance an extreame example of perception,

We store raw meat at the bottom of a fridge and vegtables at the top the reason as viewed from food safety is obvious blood and other fluids drip downwards and vegtables are often eaten raw, meat not.

But what if environmental issues where overriding then we would tend to store the meat at the top and the vegtables at the bottom... In this case it should be a no brainer because food poisoning happens so frequently.

However what if you are a food emporium where the meat is eaten raw and vegtables fermented and cooked?

That is the food safety risk is nullified or reversed?

The solution used is sub optimal or a fudge which is to store vegatables and meat in separate fridges and not think about environmental issues or driping fluids etc...

A more day to day example why do we still put buildings ontop of car parks?

At one point in time it was considered that due to space limitations in city areas it was acceptable because the car parks could be made reasonably fire proof and the emergancy services where known to respond in a reasonable time period.

However two things have changed. It is now accepted that people put not just fuel but other incredably dangerous materials in their vehicals including in some very rare cases lots of explosives. And secondly due to tax/cost savings fire services take longer to get to fires or serious incidents.

Thus should zoning regulations forbid the building of new under building car parking, or will accepted custom and practice continue but with more constraints (thicker heavier walls and celings etc)?

And at what point do you cross one of many economic lines?

A good design engineer or atleast one who reads the trade journals and does a little thinking should know the answer but will they be able to convince the people with the money (who penultimatly say what happens)?

Prior to changing legislation it often boils down to "overriding economics" to get rid of "excepted custom and practice"... And it is an argument that the money people understand (they may not like it as their money should buy them what they want but they do understand it and will except it if explained in the right way and you have spent a little time working the numbers on alternatives).

Thus if still thinking about security and safety seperatly it boils down to the "speak the language the man who cuts the cheque speaks" and "offer solutions to the problems" way of doing things.

However when you start to think about things as a whole from the very begining new oportunities arise.

In cars sat belts save lives but only up to a point and usually in one vector. They can be improved but the cost is exponential. However an orthagonal safety system such as air bags (or whatever they are called in your part of the world) provides protection in the same vector but in a different way. Again the air bags have exponential costs but the overlap between the seat belt and air bag improves the overall safety (in fact you should be wearing a seat belt if you do have air bags or you introduce other risks).

Thus it can be seen that sometimes gains can be made in a variety of ways and that multiple systems can overlap and be more cost effective. However they have to be included early in the design otherwise you will have to "add in" anchor points etc, which brings the cost up over what it would have been if introduced at an earlier stage in the design where the anchor points are integral.

However both these systems only deal with one impact vector (the forward or reverse shunt depending on your relative view point).

For sidways impact there was untill relatively recently little or no protection (as safety tests where based around 30mph wall impact).

However we now have "side impact protecton" which is at it's simplest puting a side impact bar at about bonnet height in the doors etc.

Initialy this has been seen as a performance degrading add on that adds to the difficulty of designing a car.

Well some auto manufactures actualy moved it from an "add on" to a "built in" which enabled them to have a real rethink about the way they designed the chasis of high performance cars. The result is actually better than the original for handaling and safety and makes the design of convertables so much easier. So a positive benifit. Which also alows the vehical to have better security features as well in that the locks can be built as an integral part of the side impact system making the cost of "stealing and reseling" considerably more expensive for theives but only fractionaly so for the manufacturer.

But how far can you go?

Take a look at car engines the design has been fairly static for sixty years or so and had reached a point where mechanicaly it could not be performance improved without seriously effecting the reliability.

Well there was a trend of adding performance monitoring equipment to high end engines, this quickly changed from monitoring to control and is now at a point where the performance and reliability of an engine is more related to software than it is to the mechanics (the downside is when it goes wrong it realy goes wrong).

Now one thing that has been discussed is as such a software system is so integral to the performance what happens if you have two sets of software?

In Japan they actually developed and built a car with a brethaliser built in to stop you driving if over the limit (a sensible idea). The same imobaliser software is built into modern trucks with a driver specific key to enforce comercial driver work/rest legislation.

But of more recent times in Japan they have developed a vehical that uses it's GPS to automaticaly change the performance of the vehical the most notable aspect being to reduce the risks of speeding.

So it is also possible to have software that makes the engine perform sufficiently to drive at 30mph to the dealers and one that give you all the performance you pay for?

From a security perspective having the "high value" performance software encoded against an electronic key reduces the cars theft value.

However it also has the consiquence of increasig the risk to the owner as the theif now has to steal the key as well.

However people are starting to think about how to keep the benifits of two types of software whilst not putting the car owner at risk. It is something the insurance industry is going to be very interested in when it is developed.

Thus it can be seen that making things "built in" as opposed to "add on" can not only reduce costs it can increase the efficiency and utility of a design way above that which would have been possible. Thus adding significant benifit from introducing it in the early design stages and even at the brainstorming stage.

Nick PJanuary 19, 2010 12:42 AM

@ Clive

This is possibly your longest post on record. I don't know who won this debate: you in the short-term with good arguments or him in the long-term when your thumbs lock up from arthritis. :P

Clive RobinsonJanuary 19, 2010 2:23 AM

@ Impossibly Stupid,

". . . over-generalizes populations like accountants as much as you do Europeans?"

Hmm no not in the way you are saying it. It is about "mind set" and thus viewpoint of those doing the thinking.

As I noted about Europeans their language effects the way they look at the world, having a single word that covers both concepts of safety and security means they implicitly view it differently. That is as one not two seperate issues.

Likewise accountants tend not to think of ways to save money that actually do anything but "cut cost". This is because controling the money flow and not the utility of what it is used for is their primary viewpoint.

It is one of the reasons that various people in quite successful businesses regard the consultants brought in from expensive accounting firms as a bit of a joke. In fact some investors regard it as a sign that a company has lost it's way and treat the shares accordingly to their investment nature.

"Look, idiots are idiots regardless of what their profession is."

Sadly that is true but it is not the "mind set / view point" I'm trying to bring out.

"Some of them are accountants that lock fire exits,"

It was not the point of locking the fire exits that got my friend so irrate what it was was the fact they failed to check they where putting the right key in the break glass. That is they where working outside of their abilities and should have realised that, and got in somebody who had experiance of such things. Their hubris had put lives at risk, and some of those lives where the companies primary assets.

"and some of them are security professionals who can't manage to secure a parking lot that contains plants."

I've not come across this one so it's not only a new (and somewhat mind blowing) concept, it is one I have no practical insight to so cannot argue the case either way (but fore warned is for armed so I will think about it).

"You can't insult the former and pretend the latter doesn't need to be equally insulted."

As I said the point I was making is that it is the "mind set" effecting the "viewpoint" not insulting people by their chosen job choice (especialy as geeks appear to be just about on the bottom rung ;)

And also the major and important differance between something that is "built in" and something that is "add on". The former opens possabilities and strengths up, the latter is just "Security theater" in it's own little micro world that is unfortuntly often the only way to go with "finalised" choices.

RogerJanuary 19, 2010 2:35 AM

@Impossibly Stupid:
Either you are someone who thinks security is of no worth at all (in which case we won't have much to talk about until you have an epiphany), or you have quite misunderstood what is being said. Specific ally, when you wrote:
"The problem being that imposing restrictions too soon can create an environment that is no longer *worth* securing. "

If you have ever read this blog in the past, you would realise that all the regular readers are very well aware of the problem of mindless measures, taken in the name of security, which actually inhibit the proper functions of the area or service being "secured." In fact tthat is the most common topic of discussion here. But that is not remotely what is being discussed in this post today.

"Securing early" is not about imposing security constraints on the other designers before they even start work; it is about involving security considerations in the design process while everything is still on paper, so that we can arrive at solutions that -- as nearly as possible -- satisfy all requirements at once. Far from "bring[ing] an outline to a brainstorming session", it is a case of the security guy getting invited to the brainstorming session in the first place. This contrasts with the usual approach of completing the design, pouring concrete, waiting until the first serious failures, and then calling in the security consultants to hack holes in concrete and pull cables to (hopefully) fix the mess.

This latter, very common "secure afterwards" approach tends to have three particular characteristics in comparison to "secure early". The "secure afterwards" is:
a) very much more expensive (usually dozens and up to hundreds of times more expensive);
b) if it is not just a token guesture but is intended to have real effectiveness, it is vastly more inconvenient for the normal usage of the facility; and
c) it doesn't work very well, if at all.
To elaborate on point c: it may well work perfectly against whatever problem it was that finally shook up the facility management. But it will have more loopholes than the Kyoto Protocol, and as soon as the installer's van has left the treeless parking lot, the crooks will be cooking up another exploit.

We could give scores of examples of these points, because they have been discussed often and at great length, but here's just one for an illustration: internet credit card transactions.

When "e-commerce" was first contemplated, it was obvious to security analysts that it would be a high risk for fraud, and so a protocol was designed that was both highly secure and yet quite conveneient to use. The credit card companies took no interest, apparently because it involved the expense of issuing new hardware to merchants, and instead they just plowed straight in. More than a decade later, they have tried numerous fixes, all of which have a) amounted to a far greater cost (in both losses and infrastructure deployment) than just doing it right the first time; b) are LESS convenient to consumers, and MUCH LESS convenient to merchants, than the early protocol suggestion would have been; and c) have so far achieved little but slowing the rate of growth in what has become the world's most lucrative crime.

Clive RobinsonJanuary 19, 2010 2:48 AM

@ Nick P,

"you in the short-term with good arguments or him in the long-term when your thumbs lock up from arthritis. :P"

8) I found myself with time on my hands not being able to sleep.

And I'm currently waiting for transport to take me to see a member of the medical profession to make a choice between shoving pills down me or sending me to the afore mentioned hospital for people with sharp objects and high energy sources to poke and prod me in the name of medical science...

So arthritis (apart from in my left shoulder and lower spine) is not an immediate concern 8)

I hope not hospital because I have problems with my veins in that they are shy (hide from needles) and granular (have valves in funny places etc). Consultants think it's a great wheeze to use me to train junior doctors. Which might be benificial for others but is a right pain int the arms and ankles for me. And you just know you are introuble when they start looking longingly at the pulse in your neck 8(

So if I don't post later just assume that they have wheeled me in again 8(

SlackJanuary 19, 2010 6:42 AM

@ Clive Robinson.

I make a point of reading your contributions to this site when skimming the comments sections and am genuinely saddened to read of your health difficulties. I wish you all the best, sir.

BF SkinnerJanuary 19, 2010 7:52 AM

Conflicts? I don't see them.

Perhaps the writer is engaging in a false dichotomy to make thier point. I guess their point IS, as they state, take security into account during planning/design phase? Uh. Duh?

For instance the lighting example--if the parking lot is white topped. The parking lot is reflecting heat, greener, and lighting doesn't have to be as bright since the cameras can take advantage of the larger ambient reflective lighting. Or deploy low light cameras.

And even this is a canard since most "survellience" cameras have mediocre optics. The lights aren't there for the camera's. They are there for the people. One to deter villians (which is questionable and cameras also don't deter well) and the other to assure citizens against dark corners.

BF SkinnerJanuary 19, 2010 8:22 AM

Fail pics

The results of failure to plan.

http://www.familyhomesecurity.com/...

@Clive "veins ... are shy (hide from needles) and granular (have valves in funny places "

Clive not to make light of your pain but this sounds like Brak'Kul physiology. Give your experience and ability to make things go big boom...I suspect this means you are a Klingon. Kapla!

Clive RobinsonJanuary 19, 2010 9:18 AM

@ Slack,

"I wish you all the best, sir."

Thank you for that, it is very kind of you

And the good news is somebody must have heard you and others as they have decided not to torment me with hospital food but just call me in twice a day for IV drugs.

And importantly they think they know what is causing this problem 8)

But the cure looks like life long specialised anti-biotics 8(

Sometimes I'm thankfull for the UK National Health System, it has many failings but it is good for longterm care.

vwmJanuary 19, 2010 9:49 AM

@Clive, about "Europeans" and "their language"...

That's just not correct: my dictionary lists about twenty possible German translations[1] for "Security" and four for "Safety" (not counting compounds). Some of the terms are synonym (e.g. "Sicherheit"), others are not (e.g. "Geborgenheit" meaning "Security" or rather "feeling of comfort".)

If you check a French or a Spanisch dictionary, you will also find more than one translation as well.

Oh, and then there was this other European language, spoken by the offspring of Angles, Saxons and Normans... how is that language called again?

[1]
http://dict.leo.org/ende?...

http://dict.leo.org/ende?...

SlackJanuary 19, 2010 10:01 AM

@Clive

Excellent news. Medical science rolls along at a fair old rate, so the treatment you endure now will likely be considered old hat in five years time.

Impossibly StupidJanuary 19, 2010 10:51 AM

@Clive
"Hmm no not in the way you are saying it. It is about "mind set" and thus viewpoint of those doing the thinking."

So let's focus on that instead of stereotyping an entire continent like you're doing. And I maintain the mindset of "security first" is a premature optimization. It's particularly important to think that way from a practical standpoint: you still have to *keep* systems/facilities secure against new threats.

"It was not the point of locking the fire exits that got my friend so irrate . . ."

Yes, we've already established your friend doesn't think too well. If the locks themselves weren't a major issue, he's dumber than the accountants he berates.

"And also the major and important differance between something that is "built in" and something that is "add on"."

There is nothing magical about calling something "built in" that doesn't make it security theater. I'm getting a feeling that you aren't even drawing a distinction about what is a real risk and what is fantasy. Go re-read the article and you'll see that most of what they want built in *is* security theater.

@Roger
"Either you are someone who thinks security is of no worth at all . . ."

On the contrary. I am someone who thinks security is *so* important that it needs to be done right. Pretending the job can be done best by eliminating the core values of a system is *not* security done right.

"But that is not remotely what is being discussed in this post today."

Then you, too, need to go back and re-read the article. It *does* try to seriously postulate things like "trees in the lot will . . . provide hiding places for would-be criminals" and "release a toxin into the ventilation system" and "a major security concern is blast mitigation". Those are movie plots! The honest day-to-day security is not about that nonsense at all.

"This contrasts with the usual approach . . ."

Please link to statistics that back up what you claim to be the "usual approach". I have a feeling that many people here are cherry picking a lot of what *has* been security theater after incidents and pretending that it is common practice. The fact remains that, regardless of how soon you involve security planning, security remains a process and you *still* have a weakest point that either you know about or you don't. There is a real danger when people think they've designed away insecurity.

"internet credit card transactions"

What a terrible example. Your credit card information is much more likely to be stolen from a physical store than over the Internet. And my point remains: *whatever* system you think is so great as a replacement will have problems of its own. The grass may look greener, but that doesn't mean it is more tasty. It is moronic to think you can plunk in one solution and think you're done. Go back to discussing the article itself, which is a pure hero-wannabe view of the role of security.

Clive RobinsonJanuary 19, 2010 11:26 AM

@ B.F.Skinner,

"Clive not to make light of your pain but.."

Is that high intensity or uniform LED "light" 8)

As for being Klingon,

I sure is big'nuf nd sure is ugly'nuf, but I jest don't have the dress sense 8(

And just what is one supposed to do with that two handled hair clip 8)

Slight pause, whilst Trekies draw in deep breath (which is more than I can do) and say Bah Nak Tock or whatever it is 8)

I'm told that laughter is the best form of medicin so sign me up for four or five cylinders of Nitro and I'll turbo charge my laughing gears 8)

The bad news is the medics have the last laugh for now as they get to give me the needle 8(

But hey no pain no gain ;)

Clive RobinsonJanuary 19, 2010 12:08 PM

@ vwm,

Try looking for false cognates in languages that have comman Romance roots such as French and English,

If I remeber correctly there are five European "Romance" languages and about ten others (like English) that due to the fortunes of war and courtly etiquet have words that have romance roots.

French-English false cognates (faux amis)

French : Sécurité - means safety as well as security .
English : Security - can in addition to la sécurité refer / mean guarantie or to une caution.

Also have a look at why animals have anglo Saxon names in the farm yard (pig cow sheep) but have romance lanquage derived names on the table (pork beef lamb).

Oh and look up the French for Left and Right and the meanings of the similar English words and if not sure ask why left handed people are regarded as sinister...

ArclightJanuary 19, 2010 12:19 PM

The best security installations I have seen are the ones that are subtle, well-integrated and taken seriously. I visit one site that has all manner of high dollar security devices, including metal detectors. I realized after the third visit that there was no response if the metal detector went off.

On the other hand, I also visit a building that has 2 security guards inn suits and no other visible security. They are very alert and consistently check out your reason for visiting, often calling your sponsor and questioning you before allowing you onto your floor. They also seem to have some sort of "hinky behaviour" index that determines the level of scrutiny for visitors.

I am confident that anyone trying to do harm to that facility would run a far greater chance of being intercepted there than at the "high security" building.

Fundamentally, you can only secure a drywall-and-metal-studs building so much, although security can deter less determined threats.

You need mass if you want to delay real attackers with tools or weapons. And all security architecture is really only there to delay attackers and hopefully trigger some sort of response. If this is what you need, the architects had better be aware of it from the start. If those thick walls can also be positioned for thermal mass and energy efficiency, then you can win on multiple fronts.

Arclight

Clive RobinsonJanuary 19, 2010 1:56 PM

@ Impossibly Stupid,

"So let's focus on that instead of stereotyping an entire continent like you're doing."

Now that is a statmet that shows what could be a fundemental fault with your mind set and thus view point.

I made an observation that,

"Hmm I don't think you have much contact with Europeans by that statment."

To your statment,

"Consider the possibility that the reason it is hard to convince people they need security is because you are wrong. Involving security "early and often" is a premature optimization."

And you belive that,

"stereotyping an entire continent like you're doing."

Pray tell how you come to the conclusion I'm stereotyping an entire continent?

Oh and remember to make your arguments relevant and not as some people would say "constructing strawmen".

You go on to say,

"And I maintain the mindset of "security first" is a premature optimization."

Without offering any evidence as to why you say so in anything other than what sound like contrived examples of,

"and some of them are security professionals who can't manage to secure a parking lot that contains plants."

Which as I said I'd never heard of before and I note no others have made co-oberating comments on.

So perhaps a little backup information on what sounds like a contrived statmen will help others see your case?

I'm not sure why you feel the need to make the statment,

"It's particularly important to think that way from a practical standpoint: you still have to *keep* systems/facilities secure against new threats."

In what way does it detract from others arguments and augument your argument in a qualified way?

I made a statment bassed on an earlier comment about a comment made by a friend about those with rigid thought processess,

"It was not the point of locking the fire exits that got my friend so irrate . . ."

Because you appear not to have read it or you are cherry picking hearts for strawmen, with your comment,

"Yes, we've already established your friend doesn't think too well. If the locks themselves weren't a major issue, he's dumber than the accountants he berates."

As far as I can tell you are claiming that my friend is "dumber than the accountants" because you have chosen to put your own specific spin on it with,

"If the locks themselves weren't a major issue".

As far as I'm aware the issue my friend has is with the accountant making what could have been a life thretening barrier by putting the incorrect keys in the break glass. That is the only apparent and expected (keys behind glass breakes are nor in anyway abnormal) mittigation against the life threatening asspect of the barrier was by negligence of the accountant making the locks the life threating asspect of the barrier not unlockable. This is not something you would expect of someone knowledgable about safety asspects of security (but perhaps like your security personel incabable of dealing with plants, you find the concept of wrong keys in break glassess next to locked exit doors just part and parcel of your existance and less remarkable than the fitting of locks).

I made a comment further up this thread that I explained in some depth by fairly easily verifiale examples what I considered where the advantages of "built in" -v- "add on"

Which I refered to indirectly in my reply to you with,

"And also the major and important differance between something that is "built in" and something that is "add on"."

You go on to say,

"There is nothing magical about calling something "built in" that doesn't make it security theater."

Prey tell where I have made that claim and if you cannot please then explain why you brought it up that way, I'm sure your explination will prove most enlightening to all. At the very least about your mind set and viewpoint.

You say that you are,

"... getting a feeling that you aren't even drawing a distinction about what is a real risk and what is fantasy".

Sorry was my comment about your plant baffeled security persons expressing insufficient creduality about it's apparent fantasy aspects?

You go on to say,

"Go re-read the article and you'll see that most of what they want built in *is* security theater."

That may well be true but you will find on examination I have in no way refrenced any part of the articale for my arguments thus it realy is an invalid point to be making.

All of that being said I feel (as others probably do) that this argument is going around in circles.

You continue to maintain,

"Involving security "early and often" is a premature optimization"

Whilst I maintain,

"the major and important differance between something that is "built in and something that is add on"

Is key to the design process and thus should be considered equally with the likes of safety from the concept stage of an idea that would include initial "brainstorming" sessions as this enables the leveraging of extra value or utillity to such things.

Perhaps before we full under the watchfull eye of the Moderator who might be tempted to "raise the red flag". We agree to either accept the view of others posting on the list to the relevence of our differences or we get significantly more on topic.

The choice I leave to others who may wish to comment not just yourself.

Impossibly StupidJanuary 19, 2010 3:17 PM

@Clive
"Pray tell how you come to the conclusion I'm stereotyping an entire continent?"

Seriously? How about the fact that you wrote "contact with Europeans" in the first place. I contact *individuals*, not geographical areas. Some individuals are morons that put locks on emergency exits, and some are morons that think the only problem with locks on emergency exits is what to do with the keys. So how about you get away from broad generalizations and get back to discussing this *one* article which, as written, contains laughable amounts of security theater.

"keys behind glass breakes are nor in anyway abnormal"

Excuse me? I've certainly never run into them. And certainly the greater flaw than a key placement error is an intentional key theft. Someone who wanted to burn the building (or go on a gun-toting rampage or whatever) could ensure everyone dies by simply taking all the keys first. Focus on *that* if you want to talk about the security implications, not the simple possibility that the wrong key might get put into the wrong box.

"Prey tell where I have made that claim"

How about immediately after your statement in the same paragraph:

"The former opens possabilities and strengths up, the latter is just "Security theater" in it's own little micro world that is unfortuntly often the only way to go with "finalised" choices."

I'm working past your horrible grammar and spelling, but perhaps you're not even making a cogent argument. If that is *not* a claim that "built in" *must* be better and "add on" *must* be security theater, please restate your position in a coherent manner.

"I have in no way refrenced any part of the articale"

Right, so you're admitting you're a troll with no real interest in discussing the article in question. OK, then I'm done with you.

Clive RobinsonJanuary 19, 2010 8:55 PM

@ Impossibly Stupid,

"Seriously? How about the fact that you wrote "contact with Europeans" in the first place. I contact *individuals*, not geographical areas."

Are you for real?

Europeans are individuals who have the right to live in Europe.

In exactly the same way Americans are individuals who have the right to live in America.

In no way are Europeans "geographical areas" in the same way Americans are not "geographical areas".

I can only assume out of politness at this point in time your first language is not English.

And perhaps your comment,

"Some individuals are morons that put locks on emergency exits,"

Are you telling me that as a generalisation that anybody who puts a lock on an external door that might be, or is, used as an emergancy exit is in your own words a "moron"?

Can I ask if you have a lock on your front door?

You go on again in your own words to say,

"... some are morons that think the only problem with locks on emergency exits is what to do with the keys."

I don't know where you where taught to reason, but I would be vaguely interested to know how, using the rules you where taught, you came up with "the only problem" as a counter argument.

As for your comment about "break glasses",

"Excuse me? I've certainly never run into them."

Hmm are you seriously telling me that you have never seen a break glass safety box?

Or maybe you have not seen a break glass security bolt?

Or is it just a break glass that is used to hold a key to a lock you have not seen?

If not have a look at,

http://www.screwfix.com/prods/66994/Security/...

As you will see it holds a key it has a key that can be used to open the box for checking purposes on "H&S walks" and it has a glass pane above the key in the box that can be broken by the little hammer on the chain.

Some even contain alarm wires that set of either the fire alarm or a security alarm if the box is tampered with.

As they say 'you live a little you learn a little'

You however say,

"And certainly the greater flaw than a key placement error is an intentional key theft. Someone who wanted to burn the building (or go on a gun-toting rampage or whatever) could ensure everyone dies by simply taking all the keys first. Focus on *that* if you want to talk about the security implications, not the simple possibility that the wrong key might get put into the wrong box."

Oh dear you are now doing exactly what you accussed others of with

"Those are movie plots! The honest day-to-day security is not about that nonsense at all."

With regards your statment,

"There is nothing magical about calling something "built in" that doesn't make it security theater."

And my response of

'Prey tell where I have made that claim'

You respond with,

"How about immediately after your statement in the same paragraph:"

And go on to quote my statment about 'built in'-v-'add on',

"The former opens possabilities and strengths up, the latter is just "Security theater" in it's own little micro world that is unfortuntly often the only way to go with "finalised" choices."

How do you link the two statment together in your mind?

Your statment,

"There is nothing magical about calling something "built in" that doesn't make it security theater."

Firstly refers to "built in" mine to "add on" for security theater.

Secondly you make the following statment,

"but perhaps you're not even making a cogent argument. If that is *not* a claim that "built in" *must* be better"

You are saying I'm making a claim "*must* be better",

When I've actualy said,

"The former opens possabilities and strengths up,

Therefore you are claiming that where I have said is a "possability" you think I'm saying it is 'certainty' with "*must*".

Therfore I realy must ask you to consider your "making a cogent argument" statment and how it applies to yourself.

I would also point out you have offered no evidence for your viewpoints of,

1, "Involving security "early and often" is a premature optimization."

2, "In many ways, it is *worse* than security theater to allow unreasonable influence of the design process by people whose sole goal is to eliminate core value by fabricating fake threats."

With regards "Security Theater", importantly Bruce's basic argument about it's primary charecteristic is about reacting to an attack in a less than usefull fashion. That is "to be seen to be doing" rather than "actually doing".

This often evidenced by overly specific responses to one and only one specific attack vector.

As I pointed out "add on" security is '"Security theater" in it's own little micro world' simply because you see the "security theater" mistakes made by the likes of the TSA repeated endlessly the world over and not just in airports or by Government agencies.

Your statment,

"There is nothing magical about calling something "built in" that doesn't make it..."

Is about something built in prior to a new unknown attack and evaluating it post the attack.

I'm assuming from your statment that you belive that whatever you do is "security theater" if there is an attack that a measure does not cover.

Yet you argue,

"Crooks aren't crying over the non-existent trees they can't use for hiding; they're looking for the weakness in what *does* exist."

Thus are you actually arguing "your going to fail so why bother"?

Having designed both security and safety critical systems for high risk activities (nuclear, petro chem, weapons) I can offer you a little insight,

There are two (not mutualy exclusive) ways to build safety systems. The first is to address a very specific known and reasonable probability event. The second is to design a system to cover a broad number of events within a single class of event or if done well multiple events within multiple classes of event.

In general the difference between a safety event and a security event is the notion of the "directing mind". Which I'm sure if you have studied security sufficiently to make your orginal claim of,

"Involving security "early and often" is a premature optimization."

You must be very familier with.

Oh just one thing I'm curious about your statment,

"It's like saying you need to bring an outline to a brainstorming session."

If you don't have a basic outline of what you want to get out of a brainstorming session why bother having it?

Or are you sugesting your time is well used by sitting there writting down every random and unrelated thought for a vauge future possible use?

Oh and with regards your,

"Right, so you're admitting you're a troll with no real interest in discussing the article in question. OK, then I'm done with you."

To my statment,

"I have in no way refrenced any part of the articale"

With regards debating your points 1&2.

Why on earth should I refrence the artical it is only one of a veritable myriad of documets I could use many of which are far more suitable to show up the falseness of your assertions when looked at from various differing view points.

To refuse to support your own arguments and then make a basless accusation that somebody is a Troll and then using it as an obviously false reason to avoid presenting a supporting case for your points speaks volumes not just about your viewpoint but about your abilities as well.

And it is this baseless accusation that has caused me to break my declaired aim of,

"We agree to either accept the view of others posting on the list to the relevence of our differences or we get significantly more on topic."

And I can only guess at what others may assume about you and thus the contents of the website you link to under your chosen identification of

"Impossibly Stupid".

ModeratorJanuary 19, 2010 11:28 PM

This has obviously become more about personalities and who said what in what context than about the value of built-in security. It would be a good time for both of you to let it drop.

RogerJanuary 20, 2010 7:09 AM

@Impossibly Stupid:
> On the contrary. I am someone who thinks security is *so* important that it needs to be done right.
> Pretending the job can be done best by eliminating the core values of a system is *not* security done right.

But you are the only person talking about "eliminating core values". Everyone else is talking about the importance of joint planning early. Or was, until you derailed the discussion.

> Then you, too, need to go back and re-read the article. It *does* try to seriously postulate things like "trees in the lot will . . . provide hiding places for would-be criminals"

Erm, no, no it does not. The only time the article mentions trees is in the first paragraph of page 1, where you clipped the phrase that actually reads "A SECURITY CONSULTANT WOULD REPLY that trees in the lot will block surveillance cameras and provide hiding places for would-be criminals" (emphasis added.) This hypothetical security consultant is not necessarily O'Neill's own position; he is simply highlighting the conflicts that can arise through lack of planning. I doubt that his actual opinion on the huge "trees in carparks" issue can be elucidated from this short article, and frankly no-one (else) cares anyway: it was just an example.

> and "release a toxin into the ventilation system" and "a major security concern is blast mitigation". Those are movie plots! The honest day-to-day security is not about that nonsense at all.

The pertinence of any particular example is low, but here I just have to bite.

In my opinion, one of the worst mistakes Bruce has made was choosing the name "movie plot threats" to describe a particular type of flawed analysis. It has caused many casual readers to completely misunderstand his point. "Movie plot threats" means focussing on a particular (usually intriguing) attack scenario to the detriment of an integrated security policy. It DOES NOT mean, as many have unfortunately taken it to mean, attention to fantastical attacks that might make for a great heist movie plot. The mere fact that an attack seems fantastical (to some critic) has no relevance to its practicality; on the contrary, attacks that *seem* fantastical but are actually economically achievable are ideal for the attacker and are seen quite often.

For some clients in some locations, blast mitigation IS a major concern. (Here's a clue: one of O'Neill's clients is a major airport. He doesn't say where, but it looks suspiciously like Abu Dhabi.) As for "release a toxin into the ventilation system" -- I can see you sitting there thinking "Al Qaeda, sarin, no way!" Try this then: drunken idiot or disgruntled employee, pile of garbage, cigarette lighter. Dozens dead. Perhaps not so surprisingly, building codes often actually require protection against this threat because it is a serious issue.

> Please link to statistics that back up what you claim to be the "usual approach".

Why on earth would I bother to do that? This is a blog discussion, not a thesis. A moment ago you were making broad-brush claims about what crooks think and what "real" security professionals do with nary a verifiable fact in sight, but when you don't like an argument it's the old "citation required" dodge? Pffft.

Having said that, a confession: another of the frequent topics of this blog is the fact that security concepts are mostly anecdotal because there are very few hard facts available. There are some exceptions, relating to UL and insurance in general, and it is getting better, but there are still vast areas where we don't really know. For example, until very recently it was widely accepted that bright lighting at night significantly reduced the risk of crime in nearly all scenarios. We now have the hard facts to show that in many, perhaps most scenarios it does no such thing, yet even insurers are still often accepting this as a security enhancement. There's a million more. How about, say, bars on windows? Do they really reduce the risk of burglary? By how much? Some guy told me that the bolts need to be spot welded or else the crooks will just unbolt the bars. Seems logical, but is it true? So far as I can tell, no-one actually *knows* any of this stuff.

> The fact remains that, regardless of how soon you involve security planning, security remains a process and you *still* have a weakest point that either you know about or you don't. There is a real danger when people think they've designed away insecurity.

This is more-or-less true, but there are two problems with it:
1. The question of whether or not "designed in" security may still have problems, is not what was being discussed. Of course it will. But it will have been cheaper, less intrusive to the system users, and have had fewer flaws, that are more easily fixed when discovered. And yes, this is all anecdotal -- but there are many, many anecdotes.
2. The phrase "... *still* have a weakest point ... " suggests you think that only the weakest point matters. Really, the point that matters at any given time is the one that the attacker knows about and believes he can defeat. This is not necessarily the "weakest" point. A designed-in, integrated policy should ideally have resilience regardless of which method the attacker chooses. Ironically, focussing too strongly on the "weakest point", the "most likely avenue of approach", or whatever you choose to call it is what is meant by "doing movie plot threats!"


> What a terrible example. Your credit card information is much more likely to be stolen from a physical store than over the Internet.

Erm, bunk. While APACS has recently been trying to claim this (and nooo, they wouldn't have any reason for claiming that, would they, hmmm?) independent surveys conclude that the on-line fraud rate is about 0.25%. This is some 3 times higher than the off-line rate. (Of course this isn't quite the same thing as the location where the information was stolen, but it is the relevant statistic for the example I was actually giving.)

> And my point remains: *whatever* system you think is so great as a replacement will have problems of its own. The grass may look greener, but that doesn't mean it is more tasty.

Your point may remain, but it is wrong. This is just one of the classic (and annoying) memes in security: the claim that because something is not perfect, therefore it is no good at all. Designing-in gives better results than add-on security. Much, much better results at a fraction of the cost. Not perfect results, not totally free, and not finished once-and-for-all; but still much better than add-on security.

> It is moronic to think you can plunk in one solution and think you're done.

And nobody whatsoever suggested doing that.

> Go back to discussing the article itself, which is a pure hero-wannabe view of the role of security.

Ah, insults. How useful. I note, by the way, that the author of the article is the president of a company with offices in two countries, which is involved in security consultancy to several major airports, metropolitan hospitals, etc. etc. Clearly a total wannabe.

Patrick CahalanJanuary 22, 2010 1:19 PM

Here I take a month off and I come back to a wildly entertaining thread (sorry, Moderator) :)

Clive, hope you're doing okay. Long term health problems are one of the worst edge cases of human existence.

We have in our new building a particular case of balancing security and safety. Several of the rooms are group meeting spaces. Since controlling individual keys for community rooms is logistically difficult, those rooms are locked by prox-card readers that open based upon an RFID chip in the student/faculty ID card.

Pop quiz: what happens when the building loses power?

Right now, the locks fail open, and return to locked state when building power is restored. This decision was made as a qualified life safety call... if the building loses power, it's likely that this is due to an emergency condition like an earthquake, and they don't want people to be trapped under furniture behind locked doors.

However, it's certainly possible for building power to be restored prior to the building being evacuated. So having the doors revert to locked state still presents a risk, as someone may be trapped under furniture behind a locked door.

On one hand, the combined probability of (a) earthquake (b) person trapped (c) building power being restored prior to person being rescued... is fairly small. And there is still an immediate workaround, as the doors have large glass panes so someone could easily break into the room despite the door lock.

On the other hand, it is not unknown for campus to lose power briefly, and if this were to occur on say a Friday they wouldn't want the doors to remain unlocked until someone noticed that the individual door needed to be reset.

WernerJanuary 23, 2010 3:08 PM

@Patrick Cahalan:

Given that there's probably already a microcontroller in these locks, wouldn't it have been better to just make them remember the state they were in when power was lost ?

The scenario I'm thinking of would be a short blackout where people may not even be aware that power has been lost. Yet they may all of a sudden find themselves locked in or out.

- Werner

RogerJanuary 25, 2010 2:08 AM

@Werner:
> Yet they may all of a sudden find themselves locked in or out.

I don't think they'll be locked in. Fire regulations generally require that these doors (for multi-occupant shared spaces) can *always* be opened from the inside, regardless of the lock status.

Pat's scenario was regarding a door locking whilst all occupants are for some reason disabled and unable to exit by themselves.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..