Metrics for Success: Who Goes There?

Aug. 26, 2014
Access control safeguards, policies and awareness are keys to securing the workplace

Corporations spend millions of dollars on access control, from manned security posts to a variety of manual and electronic access systems. Having made that investment, the state of this core safeguard far too often ranges from poor to absurdly open to the most unsophisticated adversary. Why? Corporate cultures tend to expect employees to be respectful and polite. Holding the door for someone behind you is a sign of that value. In many work environments, doors designated as “secure” are routinely propped or bypassed with the open support of management.

Manned posts may be incompetently or inattentively staffed. Key systems are totally outdated and uncontrolled, and too often employees are terminated without their means of access being removed, leaving it available for a return trip. Unfortunately, access integrity is too often overridden by the desire for convenience and a lack of common-sense ownership of this basic security measure by those who live within the “protected” space.

We can debate the pros and cons of various elements of a physical security program, but there is general agreement on the central role that flawless access control plays in measurably effective enterprise security. Defective access management and control is a common denominator in threats of workplace violence, insider misconduct, negligent security litigation and a host of loss events. On the other hand, sound access control is a core enabler of safe and secure workplaces, regulatory compliance, information and data protection and the human factors side of facility emergency management.

This organization recognizes these risks and is commencing a program of increased assurance regarding access integrity and program management. The strategy reflected in this chart represents eight key risk and performance measures they use to track this core safeguard. Note the connection between risk and performance indicators: the former is a measure of the effectiveness of the latter.

  • Number of unauthorized access attempts within sensitive areas: If the objective of the program is to control access to authorized individuals, doesn’t it make sense to track attempts by unauthorized people to gain access?
  • Time to vet and grant access privileges: This is a key on-boarding cycle time measure that is typically laid on by Human Resources (HR) and reflects the need to get employees in their seats and productive as quickly as possible.
  • Time to remove access privileges: A combined risk and performance measure linked to the HR termination process.
  • Awareness of access rules is effective within controlled spaces: Access management is a local process that relies upon diligence regarding knowledge of who belongs and ownership of designated space.
  • Access credentials are visibly displayed within controlled space: The dynamics of controlled space assignments and other factors impact resident knowledge of the legitimately authorized population. Visible badge/credential display mitigates this risk.
  • Likelihood of being challenged if unknown within controlled spaces: Similarly, residents need to challenge those they don’t recognize and report suspicious behavior to Security.
  • Tested reliability of access control system and critical subsystem components is sustained at 99.9 percent: These systems are part of the company’s critical infrastructure and need to be maintained at the highest level of confirmed reliability.
  • Access control defects are identified within regulatory agency inspections: Virtually all security regulations contain a variety of access management and control standards. In many regulated environments, compliance is independently inspected and violations have to be self-documented and reported. Maintaining an on-going compliance program that includes routine performance metrics such as these is essential to compliance management and avoidance of costly penalties. The wording of this measurement focuses on the fact that inspections during the period being reported have noted non-compliance.
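Two of the measures above, time to remove access privileges and unauthorized access attempts in sensitive areas, can be computed by joining HR termination records with access-system logs. The following is an added example, not part of the original article or the organization it describes; the record layouts, names and sample data are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data (hypothetical layouts, not from the article).
TERMINATIONS = {  # employee -> HR termination time
    "E100": datetime(2014, 8, 1, 17, 0),
    "E200": datetime(2014, 8, 4, 12, 0),
    "E300": datetime(2014, 8, 6, 9, 0),
}
REVOCATIONS = {  # employee -> time credential was disabled (E300 never was)
    "E100": datetime(2014, 8, 1, 17, 30),
    "E200": datetime(2014, 8, 7, 8, 0),
}
DOOR_EVENTS = [  # (time, employee, door, result)
    (datetime(2014, 8, 5, 7, 55), "E200", "lab-2", "granted"),
    (datetime(2014, 8, 8, 9, 10), "E200", "lab-2", "denied"),
    (datetime(2014, 8, 6, 18, 40), "E300", "server-room", "granted"),
    (datetime(2014, 8, 6, 8, 0), "E400", "server-room", "denied"),
    (datetime(2014, 8, 6, 8, 1), "E400", "lobby", "granted"),
]
SENSITIVE = {"lab-2", "server-room"}

def removal_lag_hours(as_of):
    """Hours from termination to revocation; open cases run until as_of."""
    return {emp: (REVOCATIONS.get(emp, as_of) - term) / timedelta(hours=1)
            for emp, term in TERMINATIONS.items()}

def post_termination_grants():
    """Doors opened by a credential after its holder was terminated."""
    return [(emp, door) for t, emp, door, result in DOOR_EVENTS
            if result == "granted" and emp in TERMINATIONS
            and t > TERMINATIONS[emp]]

def unauthorized_attempts():
    """Denied attempts per sensitive door."""
    counts = {}
    for _, _, door, result in DOOR_EVENTS:
        if result == "denied" and door in SENSITIVE:
            counts[door] = counts.get(door, 0) + 1
    return counts

def report(as_of):
    lags = removal_lag_hours(as_of)
    return {"median_lag_h": median(lags.values()),
            "max_lag_h": max(lags.values()),
            "open": sorted(e for e in TERMINATIONS if e not in REVOCATIONS),
            "return_trips": post_termination_grants(),
            "denied": unauthorized_attempts()}

if __name__ == "__main__":
    print(report(datetime(2014, 8, 9)))
```

Reporting the median alongside the maximum and the list of still-open credentials keeps one fast revocation from masking the terminated employee whose badge still works.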

This company sees physical access control as an enabler of a safe, secure and compliant enterprise and uses its metrics to affirm this commitment.

About the Author

George Campbell

George Campbell is emeritus faculty of the Security Executive Council and former CSO of Fidelity Investments. His book, “Measures and Metrics in Corporate Security,” may be purchased through the Security Executive Council Web site. The Security Executive Council is an innovative problem-solving research and services organization that works with Tier 1 Security Leaders™ to reduce risk and add to corporate profitability in the process. A faculty of more than 100 experienced security executives provides strategy, insight and proven practices that cannot be found anywhere else. Through its pioneering approach of Collective Knowledge™, the Council serves all aspects of the security community. To learn about becoming involved, e-mail [email protected] or visit www.securityexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the Security Executive Council and reprinted with permission. All rights reserved.