How to avoid the most common school security design mistake

June 25, 2019
Shortcutting proper security design in the rush to 'do something' can have devastating consequences for educational facilities

There is a common security design mistake that occurs in many types of facilities, but its impact can be significantly greater on schools, whose incident response requirements are greater than those of many other organizations.

So, although this article is written for readers who have K-12 and higher education people and asset protection responsibilities, it still applies to many other types of facilities. If, as you read this, you find that you already understand the risk analysis factors that I’m outlining, you can skip down to the section titled "Lifecycle of a Risk Scenario" and read about the webinar that prompted me to write this article. The webinar examines seven real-life school risk scenarios as analyzed by a forensic specialist who has deep insight into the threat actor components of school high-risk threat scenarios.

The Basis of Design

I’m always advocating for scenario-based security design, because when you cover the eight or 12 most critical risk scenarios, the security measures that work for them also work for many lesser risks. Most of what I’m writing about here is common knowledge among trained and experienced security design consultants, security practitioners and others responsible for facility physical security risk management. 

However, technology design and deployment practice has evolved over the past few decades in a way that still allows security design mistakes to be made, and I’m using some school scenarios to illustrate that situation.

The Five-Year Cycle

About 25 to 30 years ago, security system design was product-based, with little to no integration between the standalone products. Product lifecycles were about 10 to 15 years, and so if you attended a security conference every five years you could catch up on technology, and maybe update your physical security systems to provide you with greater capabilities.

This was one of the drivers of the five-year facility physical security risk assessment cycle. Facility risk pictures weren’t changing back then as much as they are now. Technology progress was slow compared to today. The common practice was rip-and-replace upgrades, and another driver for that was the multi-year building improvement capital investment cycle.

As a result, many facilities perform in-depth formal security risk assessments about every three to five years, and in between those, implement additional security capabilities as driven by security incidents, newly discovered facility vulnerabilities, or new threats to the facility and its occupants.

It is these interim security additions that are often short-changed when it comes to security design.

This has occurred in the past few years around active shooter risk, a risk that has been expanded in concept to be re-named active assailant, because someone with a knife or other weapon can be just as deadly or more so than a shooter.

Shortcutting Security Design

I’m using shortcutting in its negative sense, meaning to do something in a quicker and simpler way but less thoroughly than should be done. This is what often happens when a security vulnerability is newly discovered, or when its severity rating is elevated by the impact of a serious incident, or the emergence of a new real or potential threat in one’s own or a similar facility. There is a rush to “do something immediately,” and so solutions are sought and adopted – technical and procedural – because they seem to be the only solution or the easiest or most affordable of the available solution options.

In the rush, no security solution requirements or specific design criteria are developed ahead of time. What’s worse – and this is the reason for this article – a category of threat gets treated as “the risk” being addressed, when much more thought needs to be given to the specific threat actors being addressed.

Thus, the design/selection process looks like this:

Risk (Really a Threat Category) → Solution

when it should look like this:

1. Risk Description

2. Identify and Analyze Threats

3. Identify People and Property Vulnerabilities

4. Develop Likely Threat Impact Scenarios

5. For Each Scenario, Determine Protective Measures to Stop or Weaken Threat and Prevent or Minimize Impact

6. Implement Protective Measures (i.e. Solutions)

Where Shortcutting Happens

Unfortunately, the steps outlined above give this topic an impersonal flavor, when in real life being faced with a potentially lethal threat actor in a school environment is very personal for all involved. In that moment, there is no time to get educated about what to do. The learning and thinking must all be done ahead of time, for the safety and well-being of the at-risk personnel.

Both in security planning and incident response execution, the Identify and Analyze Threats step above is often skipped or cut short, due to lack of understanding during security planning and lack of time during incident response. What to say to at-risk personnel and to the threat actor during an incident will vary considerably depending on the state of the school facility at the time and the state and situation of the threat actor. This is one reason why so much thought needs to be given to potential risk scenarios ahead of time.

In security and incident response planning, threat identification and analysis should result in a profile of the type, composition, and capabilities of an adversary. It’s important to understand not just the impact potential of the adversary, but also the circumstances, motivation and complicating factors (such as being under drug influence). These affect the ways in which the threat the adversary poses can be stopped or weakened.

There may be one or more aspects of the adversary’s situation or condition that can be used to advantage to start changing the adversary’s behavior as soon as possible. Are we dealing with a spur-of-the-moment action or a carefully planned out operation?

Lifecycle of a Risk Scenario

We often don’t consider the full lifecycle of a risk scenario, but unless we do, we are short-changing ourselves of the opportunity to be ready with early preventive and protective measures and perform early response preparation. Most security assessment risk scenarios begin at the point where the threat adversary begins physically attacking the person or property. Then later, the news reports start pointing to multiple early signs of the problem.

On a day-to-day scale, there are crises happening without the school district even knowing.

What is the lifecycle of a risk scenario? When should we take action in response to risk signals? What risk signals are serious and require immediate action? What early preventive measures can be applied?

What response preparation steps should be taken and when? Who should be informed about what, and when should that be done in the risk scenario lifecycle? What measures have been found effective, and what types of actions should be avoided?

These are the kinds of questions that the upcoming webinar will examine, and which you can ask if you participate in the webinar.

School Risk Scenarios

This upcoming webinar is a repeat of one that I originally attended a few months ago. That’s why I know what’s in it. I found out from the sponsor, Maxxess Systems, that it is being repeated due to popular demand.

I appreciated the webinar not just for the great insights that it provides into the varied nature of school incidents, but because it presents good examples of examining threat adversaries in depth, revealing how important such understanding can be in terms of enabling the design and implementation of effective response planning.

The webinar presenter, Dr. David J. Sheffner, M.D., is a forensic psychiatrist. I don’t know him personally, and the first webinar is the only time I have heard him speak on this topic. Forensic psychiatry is a specialized branch of psychiatry that deals with the assessment and treatment of mentally disordered offenders in prisons, secure hospitals and the community. It requires a sophisticated understanding of the interface between mental health and the law. Dr. Sheffner has considerable experience in threat assessment with a deep focus on understanding the adversary component and considering the social and situational dynamics involved in the threat scenarios.

This webinar discusses seven real-world K-12 school scenarios where the student is the threat actor. It’s applicable, of course, to other risk situations. The scenarios include a student making suicidal comments, a student who becomes withdrawn and exhibits unusual behavior, a student preoccupied with guns and killing, a student threatening to kill another student, and one who threatens a teacher.

Educational facilities face very serious challenges in detecting, analyzing and assessing threat severity and the related unfolding dynamics. Technical and procedural security measures can be applied – but the threat context of their application in any situation must be understood to avoid critical mistakes and achieve maximal risk reduction and personal safety for all people at risk, including first responders. Communication is critical, and related questions involve what to communicate, to whom, and when?

Note that the webinar does not delve into threat analysis or security design planning. But its relevance to that should be clear to any experienced security practitioner or service provider. And, as expected, the webinar sponsor very briefly explains how its cloud-based personal safety and productivity application can support the response actions involved in the school risk scenarios considered.

Webinar Details

Title: K-12 Mental Health & Safety Webinar Ft. David J. Sheffner, M.D.

Purpose: Explore what security and safety gaps need to be filled at schools regarding the mental health aspect of school risk scenarios.

Registration: Use this link.

About the Author:

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.