Implementing Analytics in Security Operations

Technology provides actionable insight for security professionals

In case the preceding paragraphs give the wrong impression — that this is going to be a theoretical article about analytics — let’s take a look at a very simple, yet highly beneficial real example of data mining that any company could perform, provided that they have the data to do so. Real-time analytics generate data on the fly. Other data mining analytics — as in this example — require historical data. Many security operations accumulate access and alarm history and then simply delete it after a time; yet, such data can be a source of information that can help improve security operations.

Some years back, a question was raised in one global corporation about the use of security officers at its multi-building campuses. It seemed like the officers were spending an excessive amount of time responding to door forced or held open alarms, only to arrive on the scene and find the door closed and with no apparent incident evidence in sight. When multiple alarms occurred, some could not be responded to; however, they knew that some of these alarms were related to actual property or information material removal. The question was, which ones?

They performed a manual data analysis exercise. Correlation with incident reports and available video revealed that if doors were held open for 20 seconds or less, no security incident occurred. They also discovered that a door forced open for four minutes was always a security incident. In between, there was a high likelihood of an incident. The data also showed that the majority of such alarms had durations of 20 seconds or less. A pilot program was launched, using a rules-based software application, to only annunciate door forced or held open alarms at the 20-second point. This reduced the dispatch rate by 90 percent, and also resulted in an immediate increase in catching incidents in progress.

Some situations were not security incidents, but responding to them still had value as a deterrent action, since officers were now showing up mid-activity when there was prolonged activity at a door. There was a small increase in property pass use, indicating at least partial success. Further data analysis showed that some buildings never had long-duration door alarms, and so security patrols and posts could be located to enable quicker response to higher-risk buildings. Additional cameras were deployed only at the higher-risk buildings, resulting in cost savings compared to deployment at every building. An educational campaign was designed and executed, and this resulted in a further reduction in the officer dispatch rate.
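As an added example (not part of the original article), the manual exercise above can be scripted over exported alarm history: band each alarm by held-open duration, measure the incident rate per band, estimate how many dispatches the 20-second rule suppresses, and list the buildings that ever produced long-duration alarms. The alarm records and incident flags are constructed for illustration.

```python
"""Replay of the door-alarm duration analysis over sample history.

Each record is (building, door, held_open_seconds, confirmed_incident).
The data below is constructed; incident flags are hypothetical.
"""
from collections import defaultdict

# Constructed sample alarm history (not real site data).
ALARMS = [
    ("R&D-1", "D101", 8, False), ("R&D-1", "D101", 15, False),
    ("R&D-1", "D102", 45, True), ("R&D-1", "D102", 260, True),
    ("R&D-1", "D103", 12, False), ("R&D-1", "D103", 90, False),
    ("Admin", "D201", 5, False), ("Admin", "D201", 18, False),
    ("Admin", "D202", 20, False), ("Admin", "D202", 10, False),
    ("Lab-2", "D301", 35, True), ("Lab-2", "D301", 240, True),
    ("Lab-2", "D302", 7, False), ("Lab-2", "D302", 14, False),
]

ANNUNCIATE_AFTER = 20    # seconds; the threshold derived from the history
ALWAYS_INCIDENT = 240    # seconds; four minutes

def bucket(seconds):
    """Map a held-open duration to the three bands the analysis used."""
    if seconds <= ANNUNCIATE_AFTER:
        return "<=20s"
    if seconds >= ALWAYS_INCIDENT:
        return ">=4min"
    return "20s-4min"

def incident_rate_by_bucket(alarms):
    """Fraction of alarms in each duration band that were real incidents."""
    hits, total = defaultdict(int), defaultdict(int)
    for _, _, secs, incident in alarms:
        band = bucket(secs)
        total[band] += 1
        hits[band] += int(incident)
    return {band: hits[band] / total[band] for band in total}

def dispatch_reduction(alarms):
    """Share of alarms the 20-second rule never annunciates (no dispatch)."""
    suppressed = sum(1 for _, _, secs, _ in alarms if secs <= ANNUNCIATE_AFTER)
    return suppressed / len(alarms)

def long_alarm_buildings(alarms):
    """Buildings that ever exceeded the threshold: candidates for closer
    patrol posts and additional cameras."""
    return sorted({b for b, _, secs, _ in alarms if secs > ANNUNCIATE_AFTER})
```

Run against a real export, the per-band incident rate is what justifies (or revises) the 20-second threshold, and a rising count in the 20-second-or-less band is the shift in behaviour the dashboard should watch for.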

Planned further improvements include applying metrics to the high-risk buildings (such as R&D), to monitor effectiveness and to detect any potential rise in the 20-second or less category (possibly indicating a shift in violator behavior). A security dashboard was designed to display the related trends on an ongoing basis. Additional security improvements could now be implemented using the security officer time reclaimed from chasing after non-incident situations at doors.

Such data analysis can be important for organizations that want to implement a regional or central security operations center (SOC). Should all alarms from each facility be reported to the SOC? The lesson from this example is that they should not. It requires some data analysis, followed by investigation and verification, to determine what SOC response is most security-appropriate. A first step in SOC deployment is to optimize and standardize the security response and alarm reporting at each facility — which may differ based on the presence or absence of security personnel — and then determine what the optimum use of the SOC can be.

Extending the door alarm example further, using current-day video system technology, it is possible to capture door activity (people and vehicles) and forward this to the PDA or mobile phone of the responding officer, and to an officer posted at the exit gate. It is also possible to send the same data to a supervisor or manager (i.e. the security stakeholder with authority in the area), especially if his or her desk is near the alarming door. Another possibility is to lock down an unstaffed parking exit gate (appropriate for a very high-risk situation — such as a box being carried out from an R&D area without authorization), until security can respond and meet the vehicle there. Another consideration is whether a different type of response is warranted for suspicious activity after hours vs. normal hours.