Journal of Physical Security 8(2)

Feb 20, 2016

Roger Johnston

This is the November 2015 issue of the peer reviewed Journal of Physical Security. In addition to the usual editor’s rants about security (and other things), this issue has research papers on single service vs. bundled security, and on social media impacts on emergency response and business continuity.

There are also 4 viewpoint papers. These include a review of the new ASIS International Risk Assessment Standard, an essay on why you should hate security, an editorial on the storage of high-level nuclear waste, and what the Internet of Things and a new IEEE standard for wireless privacy and security may mean for physical security.

Table of Contents

Editor’s Comments, pages i-xv

M Gill and C Howell, “Single Service or Bundle: Practitioner Perspectives on What Makes the Best Security”, pages 1-14

GD Curry, JJ Leflar, M Glasser, R Loyear, B Grey, T Jordan, L Ong, W Preining, and JM Sobron, “How Social Media is Transforming Crisis Management and Business Continuity”, pages 15-36

RG Johnston, “The New ASIS Standard on Risk Assessment”, pages 37-38

S Hunt, “Why I Hate Security”, pages 39-41

Albuquerque Journal, “WIPP May be the Best Place for Weapons-Grade Waste”, pages 42-43

L Coney, “The IoT and the Ability to Defend Against the Silent Intruder”, pages 42-53

Journal of Physical Security 8(2), i-xv (2015)

Editor’s Comments

Welcome to volume 8, issue 2 of the Journal of Physical Security (JPS). In addition to the usual editor’s rants about security (and other things) that appear immediately below, this issue has research papers on single service vs. bundled security, and on social media impacts on emergency response and business continuity. There are also 4 viewpoint papers. These include a review of the new ASIS International Risk Assessment Standard, an essay on why you should hate security, an editorial on the storage of high-level nuclear waste, and what the Internet of Things and a new IEEE standard for wireless privacy and security may mean for physical security professionals. Papers are peer reviewed unless otherwise noted.

Past issues of JPS are available at http://jps.rbsekurity.com, and you can also sign up there to be notified by email when a new issue becomes available.

JPS is hosted by Right Brain Sekurity (RBS) as a free public service. RBS (http://rbsekurity.com) is a small company devoted to physical security consulting, vulnerability assessments, and R&D.

As usual, the views expressed in these papers and the editor’s comments are those of the author(s) and should not necessarily be ascribed to their home institution(s) or to Right Brain Sekurity.

*****

Germy Biometrics

Every human walks around surrounded by a cloud of millions of microbes that represent a unique “fingerprint” that can potentially be used to identify or verify a person’s identity, even after he or she has left the room. For information, see: http://www.theatlantic.com/health/archive/2015/09/inside-the-germ-cloud/406591/

*****

Be Still My Heart

Bionym has developed a wristband that uses an electrocardiogram (EKG) sensor to identify the unique cardiac rhythm of the wearer. A Bluetooth or NFC connection is used to, for example, use the biometric to log onto a computer. For more information, see https://www.washingtonpost.com/news/innovations/wp/2014/11/21/the-heartbeat-vs-the-fingerprint-in-the-battle-for-biometric-authentication/

*****

Defeating Biometrics

Researchers at the University of Alabama at Birmingham have demonstrated how to spoof voice-based user authentication software with electronic voice impersonation. See http://www.uab.edu/news/innovation/item/6532-uab-research-finds-automated-voice-imitation-can-fool-humans-and-machines. (Thanks to Indir Jaganjac for pointing out this work.)

Most biometrics can be fairly easily counterfeited—and it would be surprising if the Microbial and Heartbeat Biometrics discussed above were any different. What is often overlooked is that most biometric hardware is also vulnerable to simple physical/electronic spoofing, such as man-in-the-middle attacks, not just counterfeiting or copying of the biometric signature. These MiM attacks can be done very quickly at the factory, vendor, during shipment, on the loading dock, or before or after installation. It can be quite difficult to detect such attacks—examining software or checking if the device operates normally is of little value in determining if it has been compromised. There needs to be a secure chain of custody right from the factory, effective tamper-detection built into the biometric devices, and independent and imaginative vulnerability assessments conducted. All of these things are almost universally lacking for biometrics devices—indeed, for almost any kind of security device.

*****

Piss and Vinegar

New research suggests that people are better liars when they have a full bladder. It is not immediately clear how to apply this to security. For more information, see: https://www.newscientist.com/article/dn28199-the-lies-we-tell-are-more-convincing-when-we-need-to-pee/

*****

MLB Authentication

Major League Baseball (MLB) has an authenticity program for sports memorabilia. Official authenticators are on hand for every MLB game. Their job is to try to maintain a visual chain-of-custody on game-day items, such as a baseball involved in a record-breaking play, that are of interest to sports memorabilia collectors. The authenticators attach what MLB calls a “tamper-resistant” authentication hologram—though it isn’t particularly tamper-resistant—and assign the item a unique ID number. (Sometimes these tags are called “tamper-proof”, which is even worse terminology.)

“Lifting” these kinds of pressure-sensitive adhesive holograms, i.e., moving the sticker from one item to another without leaving evidence, is usually not very difficult to accomplish, especially in the first 48 hours before the pressure-sensitive adhesive has fully set up. Moreover, the authenticators are often attaching the stickers to dirty baseballs, dusty bats, and sweaty jerseys that are less than ideal adhesion surfaces.

Lifting, however, isn’t of prime interest to counterfeiters because it leaves them with an authentic item that lacks a hologram. What is more useful for the bad guys is to counterfeit the hologram, or merely mimic it, which is even easier. The counterfeiting or mimicking of embossed, metalized holograms is especially straightforward. Typically the holographic sticker only has to fool a visual inspection by a non-expert. It is thus mostly Security Theater.

The true security in the scheme—if indeed there is any—is in the visual chain-of-custody during the ballgame, and the unique ID that can theoretically be used to verify authenticity. It is not clear how secure the MLB chain-of-custody is after the game, or what kind of insider threat mitigation is in place for authenticators and item handlers. It is also not clear if the MLB call-back scheme to check on the unique ID number is effective. Virtual Numeric Tokens can indeed be a powerful tool for anti-counterfeiting, but only if implemented intelligently. Otherwise, this, too, may just be Security Theater—like so many other approaches to product counterfeiting.

You can see an interesting video at http://mlb.mlb.com/mlb/authentication/ that explains the MLB authentication process. Note in the video that one of the authenticators leaves his roll of “tamper-resistant” holograms briefly unattended during the ballgame. So much for a secure chain-of-custody!

To MLB’s credit, they at least take the visual chain-of-custody issue seriously during the game. On October 13, 2015, the Cubs’ Kyle Schwarber hit a towering home run at Wrigley Field during the National League Division Series (NLDS) that went over the top of the main video board but then disappeared. Later that night, a ball was spotted sitting at the top of the video scoreboard. This ball was not eligible to become an official MLB souvenir, however, because it had left the sight of the MLB authenticator. This was the case even though the ball had the appropriate NLDS printing that differs from regular season and practice balls, and almost certainly had to be Schwarber’s home run ball.

*****

Anti-Counterfeiting?

NEC is reportedly developing a product anti-counterfeiting technology that uses a smartphone to check unique surface markings on high-end products. See http://blogs.wsj.com/digits/2014/11/12/nec-smartphone-tech-can-spot-fake-bling/

It is difficult to believe that product counterfeiters would have any problem duplicating surface patterns or morphology, as this is typically quite easy to do, even down to the microscopic level. If counterfeiters knew the location of where the checking was to be done—as we would have to assume they would—the task of duplicating a surface pattern should be relatively simple. But, like a lot of anti-counterfeiting technology, it probably will never be subjected to a serious vulnerability assessment that investigates subtle (as opposed to knucklehead) attacks.

*****

Security Theater

The TV show “Adam Ruins Everything” on truTV takes on examples of Security Theater in a very entertaining but totally valid way. See the Security Theater episode at: http://www.trutv.com/shows/adam-ruins-everything/blog/adams-sources/adam-ruins-security.html

*****

Chip and Pin

The new “smart” credit cards are out with the embedded microchip. These cards are compliant with the EMV Standard, long in use in Europe. (“EMV” stands for Europay, MasterCard, and Visa). These smart cards should reduce credit card fraud. When they were introduced in France, Canada, and the UK, there was a drop of more than 50% in lost or stolen credit card fraud. We can expect credit card fraud to now move more onto the Internet.

In the United States, we will be mostly using a “Chip and Signature” approach, where a signature is used instead of the more secure personal identification number (PIN). Credit card companies fear Americans would be too annoyed or forgetful if they had to produce a PIN, as is often done in Europe (or in the U.S. for debit cards). Signing your signature at the point of sale rather than using a PIN is largely Security Theater, as pointed out in the TV show “Adam Ruins Everything” discussed above.

The EMV standard is a big deal for small businesses because—starting last month—if your business accepts and processes a counterfeit EMV card transaction on an old, non-EMV terminal, the liability for the transaction is yours—no longer the credit card company’s. Only 59% of US retail stores are expected to be EMV-compliant by the end of this year, and only 1 out of 3 small businesses (according to a Javelin study) is even aware of this switch in liability.

*****

Gambling Cheats

Here is a really interesting website about 10 individuals who “cheated” casinos: http://listverse.com/2010/01/24/10-gamblers-who-beat-the-casino/ Not everything these people did was necessarily illegal. Perhaps the most intriguing character is Tommy Glenn Carmichael who came up with numerous, clever inventions to beat slot machines. He dutifully paid income taxes on his illicit winnings, however. Carmichael went on to become a consultant for casinos and gambling security.

Also, did you know that a century ago, many of the companies that made playing cards sold a variety of different kinds of “advantage tools” which allowed card players to cheat? These included “card pricks”, “poker rings”, “punches”, and “peggers” to mark cards with a very subtle indentation. There were also “holdout machines” that let you keep a card out of circulation—under a table or up your sleeve—until you needed it in the game. See http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.134.1119&rep=rep1&type=pdf

*****

Art and Anarchy

Two books worth reading:

1. The Art of Forgery by Noah Charney. This is a breezy and highly entertaining tour through the history of art forgery (and other kinds of forgery). Charney convincingly makes the point that money is not the prime motivator for most art forgers, at least initially: “Testing and demonstrating one’s genius and ability, revenge against the art establishment that has slighted you, and acclaim are more common reasons forgers initially try their hand.” In art forgery, as in a lot of security attacks, disgruntlement is a huge motivator for insider attackers.

My favorite forgery discussed in the book involves the theft of Matisse’s Odalisque in Red Trousers from the Caracas Museum of Contemporary Art in Venezuela. An FBI sting operation recovered the stolen painting in 2014. The burglars had replaced the original painting with a somewhat amateurish forgery. (Charney points out that this MO—stealing the original and replacing it with a fake—is actually fairly rare in the world of art theft.) It took 2 years before anybody even noticed the switch. The fake had fooled all the curators, staff, art experts, guards, and visitors at the museum for two years. The forgery was in place and unrecognized in September 2000 when a proud President Hugo Chavez was photographed standing in front of what was supposed to be the museum’s most prestigious piece. A total of 14 other works were later found to be missing from the museum.

As countermeasures to art and artifact forgery, Charney recommends independent evaluations devoid of conflicts of interests—just as is needed for other kinds of security such as risk assessments or vulnerability assessments. Auction houses, museums, art connoisseurs, and “discoverers” who have an economic, reputational, or ego interest in the found art or artifact being authentic are simply too easy to fool. Charney also believes the public and news media should stop making Robin Hood-like heroes of art forgers and art thieves. He calls for laws that prevent forgers from benefiting economically from any sale of art or artifacts after conviction. He would like to see more careful analysis of provenance evidence/documents, more skepticism, and more scientific forensics where practical.

2. Immigrants Against the State by Kenyon Zimmer. This is a scholarly discussion of American anarchists in the late 19th and early 20th centuries, especially Italian and Yiddish-speaking immigrants who were major players in the anarchist movement. People tend to forget today that the anarchist movement was a source of very serious terrorist attacks in the United States and Europe, including bombings, assassinations, bank robberies, and IEDs mailed to prominent people and government leaders. U.S. President William McKinley was assassinated in 1901 by an anarchist sympathizer.

American anarchists had complicated, sporadic connections with socialist groups and various labor movements and unions, but tended to have a philosophy of their own. This often involved rejecting some or all of government, tyranny, regulations, capitalism, exploitation of the working class, war, misogyny, and religion. The majority of anarchists were non-violent; those that were violent tended to think of their terrorism as legitimate political or social violence they called “propaganda of the deed”.

Anarchist violence largely ran out of steam in the 1920s on its own. The repressive and extreme measures taken by governments against anarchists—think Patriot Act and McCarthyism only a lot worse—were mostly ineffective. The anarchism movement itself gradually gave way to other methods of trying to deal with perceived social injustice such as labor movements, labor and anti-trust legislation, social welfare programs, the progressive movement, socialism, and communism, as well as various feminist, suffrage, and civil rights movements. Many immigrants also became somewhat better integrated into American society. Anarchists are still around today, of course, but they are almost entirely non-violent and are not dominated by immigrants.

*****

Growth Industry

According to the November 6, 2015 issue of The Week, private security was a $202 billion industry in 2013, and is projected to be at $282 billion by 2020. This is compared to a mere $52 billion in 1990.

Of the 5 fastest growing security companies, 3 primarily work in the area of physical security, rather than cybersecurity and had growth rates well in excess of 1000% from 2011 to 2014.

*****

Run Away from Danger?

The National Nuclear Security Agency (NNSA) has been criticized for issuing a name-brand solicitation in February 2015 for 5 top-of-the-line Woodway treadmills. (See https://www.fedconnect.net/FedConnect/?doc=DE-SOL-0008095&agency=DOE.) The model NNSA is seeking costs over $10,000, with upgrades adding up to $3,900 per unit. NNSA plans to “utilize the treadmills to qualify Federal Agents on the running requirements established by the NNSA…” Good quality treadmills of the kind used in your neighborhood fitness center can be had for around $4,000.

Presumably, NNSA personnel need to be fleet of foot to keep up with elderly, pacifist nuns who penetrate deeply into nuclear facilities. For an interesting take on this, see http://www.newyorker.com/magazine/2015/03/09/break-in-at-y-12.

*****

I Hate When That Happens

Almost 50 years after a horrendous nuclear accident in Spain, the cleanup is not complete. On January 17, 1966, a B-52 bomber and a KC-135 refueling plane crashed into each other mid-air above the small town of Palomares in Spain. A total of 7 crew members died, and 4 nuclear weapons fell to Earth. One fell into the Mediterranean and was eventually recovered after considerable effort. Two of the three bombs that hit the ground burst open when their conventional high-explosives went off, and this caused the release of plutonium into the surrounding area. The casings of two of the recovered nuclear bombs involved in the Palomares incident are on display at the fascinating National Museum of Nuclear Science and History in Albuquerque.

U.S. Secretary of State John Kerry recently signed a new agreement in Spain, pledging continued U.S. assistance with the cleanup of contaminated soil from the Palomares accident. The plutonium-contaminated soil may be shipped to the United States for permanent storage. See The Day We Lost the H-Bomb by Barbara Moran (2009) as well as http://www.cnn.com/2015/10/20/europe/spain-us-palomares-nuclear-accident-cleanup/?iid=ob_article_footer_expansion&iref=obnetwork

There have been numerous other accidents and mishandlings of nuclear weapons over the years—many that are true head shakers and far too ridiculous to put into the plot of a bad paperback spy novel. There will be more amazing nuclear bungling incidents in the future.

*****

Culture of Denial

A new study by think tank Chatham House concludes that nuclear power plants are extremely vulnerable to cyberattacks and that a “culture of denial” is getting in the way of good cybersecurity. See http://www.ft.com/cms/s/0/b5f0df54-6aa1-11e5-aca9-d87542bf8673.html#axzz3pVEmcPiZ

*****

The Plastic Internet of Things

A new Barbie doll, named “Hello Barbie”, is now available. A joint venture between Mattel and ToyTalk, Hello Barbie is a wi-fi connected playmate that can carry on a conversation with the doll’s owner. When children talk to Hello Barbie, their conversations are recorded and sent back to ToyTalk’s servers so that Barbie can “remember” details of the child’s likes. Privacy advocates have called this feature “creepy”. There are supposedly some strong parental controls built in. For more information, and to read various views about Hello Barbie, see: http://pixelkin.org/2015/09/11/why-hello-barbie-is-not-as-creepy-as-she-sounds/ and http://www.dallasnews.com/business/retail/20150328-hello-barbies-critics-using-mattel-doll-to-wage-privacy-fight.ece

*****

Secret Computing: Beyond Playing Video Games at Work

The IEEE Spectrum has an excellent article on concepts for keeping data encrypted during computations and database processing. This can greatly increase the security and privacy of the data. See “How to Compute with Data You Can’t See”, http://spectrum.ieee.org/computing/software/how-to-compute-with-data-you-cant-see

*****

The Prison Problem

It is widely believed that the reason there are so many Americans in prison is due to drug arrests. David Brooks in the New York Times questions this assumption. He points out that only 17% of inmates in state prisons are there for drug related offenses, with the percentage continuing to decrease. Mandatory sentences are also not the cause of having so many people in prison. According to Brooks, the reason we have so many prison inmates may primarily be a combination of prosecutors wanting to seem tough on crime by avoiding plea bargaining, and the fact that many inmates with mental illness who would have been sent to mental institutions in the past are now warehoused in prison. To read the editorial, see http://www.nytimes.com/2015/09/29/opinion/david-brooks-the-prison-problem.html?_r=0.

*****

Nobel Peace Prize?

According to BleacherReport.com, the National Football League (NFL) recently went an entire calendar month (September) without any of its players getting arrested. This is the first time that has happened since 2009.

*****

We Are Safer

According to researcher David Finkelhor at the University of New Hampshire, the physical abuse, sexual abuse, and neglect of children declined by 55, 64, and 13 percent respectively, between 1992 and 2011. Abduction by strangers is also sharply down. The Centers for Disease Control (CDC) says that the death rate for children 12 and under declined by 43% in the last decade. See http://www.unh.edu/ccrc/pdf/_Updated%20trends%202013_dc-df-ks-df.pdf and http://nymag.com/scienceofus/2015/03/we-live-in-an-age-of-irrational-parenting.html

An under-appreciated statistic is that, according to the FBI, the U.S. homicide rate in 2013 (the most recent year for which statistics are available) was 4.5 per 100,000 people. This is approximately the same as in 1962 and less than half the rate of 1993. This is among the lowest rates since the end of World War II.

*****

Scandinavia

According to the Independent (UK) newspaper, Norwegian police fired their guns only twice in 2014, injuring or killing nobody. In Norway, police are usually unarmed and only carry guns in special situations.

On the other hand, Sweden has the second highest reported rate of rapes in the world, about 3 times higher than the United States. Some of this is due to changes in how rape statistics are reported there. See https://en.wikipedia.org/wiki/Rape_in_Sweden

*****

Sis-Boom-Bah

The October 18, 2015 issue of The Chronicle of Higher Education has an excellent article on the history, challenges, and controversies of college and university policing. See Scott Carlson, “Campus Cops’ Contested Role”, pages A18-A21.

In the same issue is a story about a study of college exam cheating. The investigators recommend randomly assigning seats to students during exams as a countermeasure to copying. See Kate Stoltzfus, “To Stop Exam Cheats, Economists Say, Try Assigning Seats”, page A15.

[Incidentally, the classic college cheerleading chant “sis-boom-bah” was around in 1867, and may go back to 1858 or earlier. It is meant to mimic a skyrocket: “sis” for the launch, “boom” for the explosion, and “(b)ah” for the crowd reaction. For more on the history of this cheerleading chant, see http://esnpc.blogspot.com/2014/05/skyrockets-transatlantic-cable-and-pre.html.]

*****

TSA Follies

USA Today reports that the Transportation Security Administration (TSA) has paid about $3 million over 5 years for claims that airport security screeners broke, lost, or stole luggage and/or its contents. The TSA settled by making payments in about one-third of the 50,000 claims filed from 2010 to 2014. The number of claims filed was down about 35% from 2010 to 2014. Since 2003, the TSA has fired more than 500 TSA officers for theft. The story can be found at http://www.usatoday.com/story/news/2015/07/02/tsa-damage-tops-3m/29353815/

Bruce Schneier asks in a recent editorial why we are spending $7 billion dollars on ineffective or unnecessary efforts by the TSA: http://www.cnn.com/2015/06/05/opinions/schneier-tsa-security/

Josh Noel in a June 19, 2015 article in the Chicago Tribune notes these TSA failings:

• More than 1,500 TSA badges used by TSA employees to access airport security areas are lost, missing, or stolen.

• The TSA failed to identify 73 airport workers with potential terrorist links.

• In a recent test, DHS agents were able to get banned items past TSA airport screening 95% of the time.

Part of what I think is the problem with the TSA—a problem shared by many other organizations, including NNSA, DOE, DoD, IAEA, and NRC—is a failure to perform frequent imaginative, independent vulnerability assessments (VAs) to find security weaknesses. It is common to confuse VAs with threat assessments, risk assessments, design basis threat, security surveys, security audits, fault or event tree analysis, data analytics, “red teaming”, and penetration testing. While these things are definitely worth doing, they are not a good substitute for a holistic, imaginative VA done by people thinking like the bad guys. If you want to predict how the bad guys might attack, you need to think like they do. Bad guys don’t do threat assessments, risk assessments, design basis threat, etc. They do VAs.

For more discussion of the myths and misconceptions surrounding vulnerabilities and VAs, see: “Vulnerability Assessment Myths”, Journal of Physical Security 7(1), 31-38 (2014) and “Why Security Fails”, Journal of Physical Security 8(1), 37-39 (2015), both at http://jps.rbsekurity.com. Also see, “The Fear of NORQ”, Homeland Security Today 11(4), 39-41 (2014), http://www.nxtbook.com/nxtbooks/kmd/hst_20140607/#/40.

*****

3-D Printing and Keys

A group of lock-picking and security hobbyists demonstrated how to duplicate a lock key from an online picture of the key. Anyone with a 3-D printer can use the resulting CAD files to make a copy. The keys in question were the master keys that TSA uses to open their “approved” luggage locks—which are not high security locks.

In one sense, this is nothing new. Talented locksmiths have supposedly been able to read the pattern of cuts in a key at a distance when the key is flashed in a parking lot, then make a duplicate key without ever having handled the key. The advent of 3D printing just makes this easier. Bottom line: do not show your keys in public or let them get photographed! For more information on the 3-D printer hack see: http://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/

*****

Fly the Friendly Skies

According to the Chicago Tribune, 4/20/2015 on page 13: United Airlines stopped a prominent security researcher, Chris Roberts, from boarding one of its planes after he had posted a suggestion online that the airline’s onboard system could be hacked. He was on the way to speak at a major security conference.

This is a good example of Feynman’s Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries. The maxim is named for the physicist Richard Feynman. During the Manhattan Project, when he pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerabilities dealt with (which would have been easy to do).

*****

Bully For You

A new study suggests that abusive bosses often bring their abusive behavior into the workplace because of problems at home. The study also found that supervisors and managers are more likely to engage in (non-physical) abuse of employees if they felt their organization would let them get away with it. (Many do.)

While only 14% of U.S. employees report being the victim of a (non-physically) abusive boss, the security risks that abusive bosses create are substantial for the insider threat—not to mention the impact on employee performance, productivity, morale, turnover, and recruitment. An organization’s reputation can also be harmed. To read about the study, see http://newsroom.niu.edu/2015/09/24/bosses-unhappy-at-home-wreak-havoc-at-work/

*****

Performance Anxiety

The large consulting firm Accenture is eliminating annual performance reviews and rankings for all its 330,000 employees. The company believes the annual review process is too time-consuming and expensive, and the benefits are minimal. Accenture will now do more timely feedback from managers on an ad hoc basis. Microsoft did something similar in 2013. Instead of annual performance reviews, Deloitte now encourages team leaders to check in with each team member once a week, and to focus on future performance, rather than obsessing about issues from the past. Other companies now hold quarterly or monthly reviews or conversations, rather than annual ones.

Multiple studies (and common experience) have shown that the traditional annual performance reviews often cause enormous amounts of employee annoyance, resentment, and disgruntlement. Supervisors and managers who write the reviews often have no idea what they are talking about or what their employees really do. Annual performance reviews can damage morale and aggravate the insider risk. They do not effectively motivate employees, but rather waste time, money, and energy. The year-long delay in feedback makes the review nearly useless as a metric and for improving employee performance.

Vauhini Vara had an excellent article on this issue in the New Yorker. See http://www.newyorker.com/business/currency/the-push-against-performance-reviews

*****

JPS Peer Review

The Journal of Physical Security uses a blind peer review process. This means that the reviewer(s) are anonymous but the author(s) are not. Reviewer anonymity means that they can feel freer to offer commentary without issues of attribution.

Some journals—though not many—use a double blind review process where both the author(s) and reviewer(s) are anonymous. One disadvantage to a double blind review process is that the reviewers can typically guess the authors’ identities from the references, acknowledgements, past work, or other hints in the paper. It can be very difficult to remove such clues. Moreover, the identity and affiliation of the author(s) is often useful to single-blind reviewers in identifying any conflicts of interest, and determining if the author(s) have sufficient resources and approvals to conduct their research and analysis.

Of course, there are disadvantages to single-blind reviews, too. Reviewers can hide behind their anonymity when offering lazy or unnecessarily snarky reviews. Conflicts of interest on the part of the reviewers are not publicly obvious. To a considerable extent, however, a good editor can at least partially mitigate these disadvantages.

JPS usually has 2 anonymous reviewers for Research Papers, and 0, 1, or 2 reviewers for Viewpoint Papers, depending on the topic and content. Reviewers are not compensated for their efforts. As editor, I have been very gratified by the careful thinking and hard work reviewers put into their reviews, and for their willingness to serve the physical security community without being able to receive any public recognition (or money!) in return. These are true security professionals.

If you think you would be interested in serving as an anonymous reviewer, contact the editor at http://jps.rbsekurity.com. Be sure to indicate your credentials and area(s) of expertise.

*****

The Limitations of Peer Review

Actual product reviews on Amazon.com:

This carbon monoxide detector saved my son’s life. I give it 4 out of 5 stars.

Review of the movie, “Captain America: the First Avenger”: WE HAD BARBEQUE. We invited family and friends over to watch this on blu-ray. When it ended, they got up and left. 2 out of 5 stars.

Review of the movie, “Rocky III”: ARE YOU KIDDING? I have colleagues who might read this so even if I did enjoy this film, I could not admit to it on this quasi-public site. I am in enough trouble just for responding. 1 out of 5 stars.

Review of the movie, “Rise of the Planet of the Apes”: There is no way an orangutan can ride a horse without crushing it. 2 out of 5 stars.

Review of Herman Melville’s novel, Moby Dick: A complete rip-off of the movie “Jaws”. 1 out of 5 stars.

Review of Anna Karenina by Leo Tolstoy: Parts of the book were discussing political views nothing to do with Anna. It appeared there were many main characters not only Anna. 2 out of 5 stars.

Review of the book, Where is Baby’s Belly Button: A Lift-the-Flap Book: This book is completely misleading. The entire plot revolves around finding Baby’s belly button; the title makes this much clear from the beginning. However, there is no mystery. There is no twist. Baby’s belly button is right where it’s suppose to be, on Baby’s stomach. Right where it clearly SHOWS you it is on the COVER OF THE BOOK. This plot is a complete mess as a result of it’s reliance on the mystery of where the belly button is; everything falls apart the second you realize that the belly button was in plain sight all along. There is no conflict, there is no character development, and there is scarcely any plot. Whoever wrote this book must have a serious error in judgment, because you would have to be an infant to not immediately understand where Baby’s belly button is. This is one of the worst pieces of literature I have ever read. 1 out of 5 stars.

*****

The Study of Stupid

Research on stupidity may have some lessons for security, as stupidity seems to be involved in a lot of security blunders. Interesting research of this type is discussed in the following article: Roberto A. Ferdman, Washington Post, October 19, 2015, http://www.washingtonpost.com/news/wonkblog/wp/2015/10/19/how-to-act-less-stupid-according-to-psychologists/.

*****

Scary Lucy

In 2009, a 400-pound bronze sculpture of actress Lucille Ball (1911-1989) was erected in a park in her hometown of Celoron, NY. The statue has been described as having zombie-like eyes with a deranged toothy grin, and is considered particularly scary at night. (You can see a photograph at http://www.washingtonpost.com/news/morning-mix/wp/2015/04/07/in-lucille-balls-hometown-scary-lucy-haunts-her-memory/) The statue will eventually reside in the National Comedy Center, though the sculptor has promised to redo it.

*****

Glad You Warned Us!

I know I have been traveling too much when I read the snack wrappers handed out on airplanes. The packet of “Honey Roasted Peanuts” you get on Southwest Airlines, which lists peanuts as the number one ingredient, warns us in small print on the back that the contents are “produced in a facility that processes peanuts…”.

-- Roger Johnston
Oswego, Illinois
November, 2015

Journal of Physical Security 8(2), 1-14 (2015)

Single Service or Bundle:

Practitioner Perspectives on What Makes the Best Security

Martin Gill and Charlotte Howell

Perpetuity Research & Consultancy International Ltd
11a High Street
Tunbridge Wells, Kent, TN1 1UL
United Kingdom

Abstract

The aim of this paper is to discuss the relative advantages and disadvantages of providing security services as either a single service or as part of a bundle. It is based on one-to-one interviews with 72 respondents, 44 from client organizations (and including security and facilities managers) and 28 suppliers (including representatives from security only providers and facilities management companies). While there are supporters of supplying security both as a single service and as part of a bundle, the arguments used to support each are based on experience and perception rather than evidence. This study is presented as a first step in identifying key issues that pertain to the deployment/integration of security alongside other facilities management services. There is a need for more evaluative research.

Keywords: security services, bundled services, client/supplier relationships

Context

It has long been recognized that there are different ways of outsourcing and a variety of frameworks are in evidence (McIvor, 2005; 2008; Varadarajan, 2009) for a variety of different facilities management services. The motive is often highlighted as an economic one although this is but one of many possibilities (see, McIvor, 2008; Shekar, 2008); much depends on the type of outsourcing model being discussed, and there are many. Willcocks et al. (2007; 2009) helpfully identify four options which they term sole supplier, prime contractor, best-of-breed, and panel.

• Sole supplier: This is where all the services are supplied by a single supplier, sometimes considered to be Total Facilities Management (TFM).

• Prime contractor: This is where one supplier is responsible for a contract but may subcontract where it lacks expertise.

• Best-of-breed: This is where potentially a range of services are managed by the client.

• Panel: This is where a preferred group of approved suppliers compete for contracts.


In reality, there are a variety of ways of classifying services (see also, BIFM, 2007; 2012), and since outsourcing is complex (see, Nordin, 2006), ‘ideal type’ models often disguise wide variations and overlaps in practice (see, Oshri et al., 2011; Willcocks et al., 2009b). A number of key points, though, are in evidence and are relevant to this paper. The first is that the decision on which model to choose rests with clients (see, Jain and Natarajan, 2011), and at least part of the influence on their decision will be their own capability for managing the different options (Willcocks and Lacity, 2011; 2012). The extent to which they understand the potential barriers to implementing their chosen strategy (if they have one) will have important implications for how successful it is likely to be (Nordin, 2006). A second issue is that single service provision is typically viewed as less complicated, and that the scope for outsourcing in some sort of bundled way comes with experience and requires greater expertise (BIFM, 2007; Willcocks et al., 2009), not least in turbulent environments (Momme and Hvolby, 2002). Third, the scope for moving to some type of bundled provision depends in part on expertise emerging amongst suppliers (Oshri et al., 2011; Feeny et al, 2005; Willcocks and Lacity, 2009).

Fourth, there are a range of advantages and disadvantages of different models in different sectors, albeit that many of these are not tested by independent research (see, BIFM, 2007; Willcocks et al., 2007; Willcocks et al., 2009; Interserve and Sheffield Hallam University, 2012). Indeed, some evidence suggests that not only will the effects of outsourcing be different for different functions, but that there is a danger that internal skills and knowledge that are lost by outsourcing will need to be meditated by effective management strategies (Agndal and Nordin, 2009). Fifth, there is a lack of research on the pros and cons of different models in different facility management service areas. Both security management (Gill, 2014) and facilities management (Drion et al., 2012) are relatively new areas of study where the body of knowledge about what works and what doesn’t is still evolving. Indeed, despite research on the outsourcing of various areas of facilities management, such as business processing (Whitaker et al., 2010); engineering (Burdon and Bhalla, 2005); information services (Petry-Eberle and Bieg, 2009); and property management services (Yam, 2012), there has been little research on security services (but see, Hassanain and Al-Saadi, 2005). It is against this background that our research took place.

The aim of this study was to identify practitioner perspectives on the relative merits of single service as opposed to bundling in one specific area that has received very little coverage in the facility management (FM) literature, that of security. The word ‘security’ in practice covers a wide variety of activities that often bear little relation to each other (for example locksmithing, security guarding, alarm installation). There is a tendency to discuss security in terms of personnel services (such as manned guarding and close protection) and technical services (such as alarms and CCTV), the approximate equivalent to soft and hard facilities management. (For a discussion of the security sector, see Gill, 2014.)

The approach in this work was to identify and interview a wide range of individuals using the different models in practice to help understand the key issues involved in single service and bundling (these terms will be defined later in this paper) which involves


security. A snowball sampling strategy was used. This involves using contacts and word of mouth to identify relevant people to take part in the study. An advantage of this method is that it allows access to members of the population who may be difficult to identify and engage by other means. Moreover, it allows for potentially more valuable responses, as those taking part are more likely to be knowledgeable about the research. Indeed, one of the early findings was that knowledge about the benefits and drawbacks of providing single service or bundling security was not clear-cut. Against this, however, snowballing is a non-random form of research sampling and it is therefore unlikely that the sample is representative of the total population, which should be kept in mind. The interviews typically lasted thirty to sixty minutes, and semi-structured interview schedules were used. An advantage of a semi-structured schedule is that it gives the flexibility for interviewers to probe the issues raised.

A total of 72 individuals took part in telephone interviews, mostly from the UK, but also from Australia (7), Canada (4), Europe (3) and a respondent working in the Middle East. Table 1 provides further information on the role of individuals taking part.

Table 1: Breakdown of interviewees (n=72)

Interviewee         Type                                                   N
Clients (n=44)      Security Managers                                      27
                    Facilities/Property Managers                           14
                    Consultants                                            2
                    Procurement Specialists                                1
Suppliers (n=28)    Bundled service provision                              10
                    Single service provision                               9
                    Combination of bundled and single service provision    7
                    Advisory role                                          2

Clearly, the sample was not intended to be representative, rather we sought to engage participants who were involved in different aspects of security—both single service and bundled—to better understand the pros and cons of different types of security service purchase and delivery. It provides a foundation on which further studies may build.

Findings

Thinking about terminology

One of the early findings was that there remains widespread confusion in the terminology used (see, Varadarajan, 2009). This included what was meant by single service, since some referred to a type of security as single service (say manned guarding) while some companies offering a variety of different services (including personnel and technical) considered this a single service because it was all related to security, when in


fact it is best described as ‘bundled security’. Indeed, it was possible to identify the following types of security delivery that do not fit easily into the four categories noted above:

• in-house: security provided in-house

• single service security: just one type of contract security provided

• bundled security: different types of contract security provided

• single service security supplied with a limited number of FM services

• bundled security supplied with a limited number of FM services

• single service security supplied with all other relevant FM services

• bundled security supplied with all other relevant FM services

• single service security supplied with a limited number of FM services with integration between them

• bundled security provided with a limited number of FM services with integration between them

• single service security supplied with all FM services with integration between them

• bundled security provided with all FM services with integration between them

This list reflects the somewhat complex array of arrangements that exist. Moreover, there was a belief that the further down the list one reads, the more complex the delivery. Just to add to this, sometimes there was a mixture of delivery approaches across sites or countries. In this short paper, it is not possible to examine the different risks and opportunities these arrangements present—a laudable aim though that would be. Rather, the focus here is to compare the relative merits of offering security on its own (whether single or a security bundle) compared to security combined with other FM services. The focus has been on other facility management services, but of course security is sometimes provided alongside an even broader range of services such as those focussed on safety and emergency management, such as managing natural disasters; this provides another potential field of enquiry.

The case for bundling security

There were three overarching reasons why clients and suppliers said they favored bundling. The first and most widely commented upon was that it offered cost savings for clients. There were a number of dimensions to the ways in which these could be achieved. Some noted there were lower overheads, which resulted from such factors as having to deal with fewer contracts (and under Total Facilities Management [TFM] or Integrated Facilities Management [IFM] models a single point of contact); less insurance and legal costs; having to manage fewer invoices and be involved with fewer accounts teams and such. Some argued that there was a need for less management and supervisory personnel in the contracted service, and others noted that as a consequence, there was less need for oversight in the client organization when services were managed collectively. Thus:


Sometimes (we) bundle security with facilities management, security and cleaning… That brings economies of scale… in the management, one account manager managing both.

Senior Regional Facilities Manager, Property Management

Straight away you will get economies of scale, you won’t be getting margin on margin or management on management.

TFM Director, Facilities Management

Reducing the number of contractors also meant that the profits each individual supplier had to make could be consolidated; a supplier involved in offering a range of services would be more amenable to reducing its profit margins in return for a larger slice of the available business. Some noted that in a bundle, one service might be charged out at cost in order to generate a profit in other areas, and at least one supplier had this under consideration. Manned guarding was seen as a prime contender here because the margins were so slight that some wondered whether there was a viable future for a single manned guarding service in the mass market in the absence of a change in buyers’ behavior.

A second point, and one that implied cost savings but accrued other benefits was the opportunity that bundling provided for improved management practices. Some here pointed to the benefits of instilling a specific corporate style to the provision of services across sites, which becomes especially possible with one or fewer suppliers. In a different way, bundling was perceived as being good for facilitating cooperative working, and this had a number of dimensions. The opportunity to avoid the restrictions implicit in a silo mentality was considered important by providing a platform, via joint management, of encouraging service lines to work together where appropriate. There has been a major emphasis in recent times in various types of collaboration with a range of buzzwords to depict various types of co-operation including integration (BSIA, 2007; De Toni and Nonino, 2009), convergence (Hunt, 2010; Willison et al., 2012), and partnerships (Prenzler and Sarre, 2012; Yang and Wei, 2012) to name but a few. Amongst both buyers and suppliers, there was widespread agreement that there was confusion about what these terms meant, but for the purposes of this study, the fact that some type of collaboration was typically a good thing as far as effective security was concerned generated support for bundling.

On the people side, integration typically involved multi skilling individuals, or at least in engaging them with a more varied set of duties. This was seen as an opportunity to build teams with different service lines supporting each other. It provided more varied work for staff, enhanced their commitment and reduced turnover. This applied to management, too, in being able to take on new opportunities with greater responsibility than might otherwise exist. And on the technology side, a number of suppliers (in particular) identified the potential for systems to provide for better integration, and specifically for security systems to enable the better functioning of other systems, more cost effectively and with more benefits than if the services were provided separately. Moreover, it was argued that the integration of technological systems, security with non-security, and security technology with security people facilitated innovation. For suppliers, this was


especially important. Many lamented the growing power of procurement within organizations, which was seen to drive prices and profits down. Some felt that the only way margins could be protected was by being afforded the opportunity to combine technology with manpower.

(There are) economies of scale in teams helping out in other areas, multi–cross skilling, if done right, with the right training and skills (means you can) utilize labor better.

Security and Operations Manager, Event Centre

Cleaners can be on the lookout for any problems and help reduce crime by noticing who should not be in places… On the security side, guards pick up papers as they walk around.

General Manager, Security, Shopping Centres

There was a third major influence behind the move to bundling, and that was the growing expertise of both clients to understand their needs and develop a bundled response, and of suppliers to deliver a range of services under one umbrella. Indeed, some clients noted that they had been drawn to bundled services by developments in the supplier market, and interestingly, some interviewees from overseas (and especially outside major conurbations) lamented the lack of multi service providers to meet their needs. One client noted:

Actually, opportunity is the biggest factor here. I have a provider able to provide the solution that drives this largely, and were my contractor not providing this solution, we wouldn’t have adopted it.

Head of Security, Bank

Security providers were one-trick ponies, just [offering] guards or cameras or intrusion alarms. [Now] more and more companies are becoming a bit of a supermarket, they are moving from [being a] specialism to [a] master of [all] trades. So it makes sense: one source for all or most of services required.

Security Advisor, Energy Provider

Bundling was rarely argued to provide a better quality of security delivery than single service, however, suggestions that quality would be sub-standard in a bundle were refuted; proponents of bundling argued that a good procurement process and effective management can ensure that the quality of service provision is maintained. It was also noted that bundling could facilitate the standardization of processes which improved efficiency and helped to ensure consistently high quality delivery.

The Case for Providing Security Single Service

A major reason why single service was advocated was because it was viewed as a ‘best in class’ service. This was enabled by security being provided by a specialist security


company and by the service, often the management, not being ‘diluted’ by the engagement of non-security specialists. Some corporate security managers felt that by first outsourcing and then by placing a Facilities Manager in charge of a company they lost direct control of security operations. This was not always the case; it in part depended on how it was structured and the skill sets of the facilities manager’s point of contact. Some corporate security people saw advantages in security being accountable to operational business units rather than them personally, but for many, the distancing of oversight was viewed as a further dilution of security expertise. Some typical comments on this issue from both buyers and suppliers included:

I have to say that from a security operational perspective … I see potential for compromise on security delivery and degradation of security… The drive for incorporated FM into a single contract is due to cost, not security efficiency.

Head of Security, Telecommunications

I was trying to raise security standards but in an FM bundle there is no focus on one service—jack of all trades—you don’t get the buy-in on what you are trying to achieve. I think things have moved on—some reputable companies have been bought out by FM and try to keep (the) specialism but you see them start to be eroded by the FM.

Head of Security, Finance Company

Security is a specialist business and it needs a security expert and if you don’t value security as a specialist skill, then you won’t value us as a security expert.

Chief Executive, Security Company (security only)

A FM manager has a different outlook, so his priority is almost certainly not security. Plus that manager may not have security experience first hand so may not have a good idea of risk management.

Regional Security Director, Manufacturer

A second reason why some said they preferred single service was because it led to management efficiencies. Some saw managing the link between security and other facility management services, not least where it involved anything approaching integration, as a complex one. Some suppliers noted that finding good partners was often a challenge, and finding staff that could multi skill (or wanted to) was a challenge. One supplier manager felt that the opportunity to manage a multi skill team had enabled him to develop personally and provided a welcome career fillip, but felt that many others would not feel the same. Moreover, it sometimes meant a dilution of services, as staff were asked to take on additional duties or be deployed in ways that rendered security less of a priority and, at least, involved less focus on security related tasks. In a different way, management of single service was seen to be easier in general because there was a longer tradition of this type of delivery and specifically because there was a direct relationship between the corporate security manager and the security supplier. Some lamented that with suppliers


of multi services, there was a tendency to subcontract some services, and there was always the danger that this might result in a poorer quality service especially if they were focused more on costs than quality, and subcontracting the service area in question was not their specialist expertise. Furthermore, some were against employing one company to undertake a variety of roles, and that was because it entailed ‘putting all your eggs in one basket’; in short, this amounted to poor risk management. Finally on this issue, some clients admitted that they were not geared up for anything other than single service, and some suppliers in order to promote their security expertise, were keen to steer clear of any type of service that was not their specialism and in which they were not experts:

We use different suppliers for guards, and the contractor who does systems is different contractor and different again for fire. We go with the experts, rather than find a one company fits all.

Senior Manager, Facilities, Medical Systems Company

There are merits for buying security alongside waste, cleaning, but we had separate companies. The risk of one company doing it all, is that they generally try to subcontract and so you don’t know what you get. But it is cheaper. Specialists really know more about the topic.

Operations Services Manager, Blood Service

A third reason why some buyers and suppliers stated they preferred single service over bundling was because it was more cost effective. They were rarely referring to the price paid here, more in relation to the risks involved in leaving security to a non-specialist company, or overseen by non-security experts noting that the consequences of a security failure can cause unlimited reputational damage and result in lasting and even devastating consequences for the client. It was noted that security experts are better placed to monitor the changing risk landscape and keep abreast of new measures and different ways of working as they evolve. Single service suppliers in particular also noted that cost savings that are perceived to come with bundling could in fact often be achieved by looking at security holistically and relating mitigation measures to risk, and looking imaginatively or innovatively at the use of people and technology. Some argued that this not only avoided a dilution of security, it also afforded an opportunity for clients to make cost savings and suppliers to protect margins:

There is a perception that bundled brings huge cost benefits, because it takes away the inefficiencies of multiple managers, sharing back office resources, economy of scale etc. This is a misconception because on larger contracts, if the customer works with you, you… can save cost on single if provider works innovatively with customers.

MD, Security Company

The points that those favoring single service made was that it protected the organization from a dilution of expertise, and suppliers especially promoted the case that if done so imaginatively could be achieved cost effectively and generated management efficiencies.


Suppliers in particular felt the benefits of co-operation implicit in bundling can also be achieved by ‘partnerships’ and ‘joint working arrangements’ without diluting expertise. The point is more important than saving jobs; it was argued that both the status and the effectiveness of security in organizations is enhanced where there is a security specialist or expert on both the buyer and supplier side.

Determining the Strategy and Whether it Works

While it has long been recognized that there can be a variety of influences on strategy (see, Burdon and Bhalla, 2005), in this study, 7 key factors emerged as important. First was the policy of the organization towards outsourcing, and whether there was a well developed strategy that guided policy (see, Nordin, 2006). Some companies had a way of providing services dictated or directed from the center, and this meant there was a reference point for how things should be done, although it seems that most often, even where a strategy/policy did exist, it was flexible (at least as far as security was concerned). Second, some clients recognized that they were only geared-up for single service, and others felt they had developed sufficiently to bundle security. The skill sets of the client are crucial. A third factor was the skill sets of the suppliers and, as noted above, some clients were led towards bundling (both of security and with facilities management) by the competence of suppliers, and some refrained from heading this way because of what they saw as the lack of availability of services to meet their needs in the market. Others had tried bundling and stopped because the service levels were short of their requirements. Where there was a single point of contact—a key benefit of bundling—the competence of that contact could characterize how it was perceived. It is important to note that there are a range of features that combine to make bundling work, including the ability to multi skill or integrate, the ability to find staff including managers who can multi skill and keep them, and to structure the business so that internal competition does not undermine collaboration.

A fourth key factor was the status of the head of the security function, and not least his or her relative status to that of the head of facilities management and procurement. Where security was of a lower status to facilities management, it would often (but not always) reflect an emphasis on bundling compared to single service in outsourcing arrangements. The role of procurement was generally seen to have a major impact, and where procurement was seen to be of a higher status, which is not unusual (Gill and Howell, 2012) then that could lead to a greater emphasis on cost rather than quality. A fifth factor, somewhat following on from this, is the importance of security to the organization. There was a tendency for security to be provided as a single service where it was crucial to the organization, perhaps because of regulatory requirements or because of persistent or serious threats. A sixth factor was the role of security within an organization. Some suppliers, who favored single service noted that they did not see bundling as a problem where there was some form of accountability to, or second best, engagement with a security specialist in the client organization. Many suppliers and some security experts felt the quality of security was diluted where there was a break in the link between internal security and security contractor. A seventh and final point, was the nature of the contract


and whether the focus was primarily on delivering an excellent service or on reducing costs to the maximum extent.

The findings revealed a clear tendency for corporate security directors to favor single service and facilities managers to favor bundling. On the supplier side, specialist security companies generally favored single service and facility management companies bundling. Although this was to be expected, it was not a hard and fast rule. Similarly, there was a tendency for clients and suppliers to highlight different features. So while clients said they favored bundling because of cost savings, efficiencies in delivery, the growing competence of the market, and the opportunity for standardization across sites, suppliers focussed on cost savings, followed by innovation, the benefits of multi skilling staff, and the opportunities for technology. This evidence would suggest that there was more to be done to bring clients’ attention to potential benefits. With regards to single service, clients highlighted the value of security as a specialism which should not be diluted, the greater ease and experience of managing single service (in providing a more efficient form of management and a less risky one), and in saving costs in terms of incurring less risk. Suppliers largely agreed, also noting that a focus on security as a specialism additionally protected internal jobs.

Discussion

Security is but one element of facilities management. When asked whether security was different in any way to other services, answers reflected the relative importance of security to the organization. Some felt it was just the same. Where it was different, it was noted that it was regulated (in some countries at least), was a 24-hour requirement (in some cases), and that if it went wrong, it could lead to catastrophe. Others noted that security staff not turning up for work would be less noticed by staff than caterers not providing food, or the air conditioning or company server not working; in short, it varied. And security covers a wide variety of activities. On the technology side, integration is less intellectually problematic to understand (although in practice it is far from commonplace), but the integration of people represents a real challenge, which only some claim was managed effectively.

Certainly the arguments presented in favor of single service, principally that it is best in class, are being challenged by those facilities management providers who believe that multi skilling and integrated services offers a better form of security. On the other hand, the claims of supporters of bundling that it is more cost effective is challenged by single providers who argue the real costs of increased risks and the opportunity for more efficient ways of working offer an alternative perspective. The inclusion of different types of security services in bundling arrangements is not new, but it has received relatively little attention. Although some interviewees claimed that they had noticed a trend towards more bundling over single service, the research approach taken meant that this needs to be substantiated by future studies. However, if it is true, it raises the question as to whether this reflects a structural change in the way services are delivered or is more cyclical and a reflection of the current priorities clients are attaching to cost over risk in choosing how


security is provided. The evidence from this study highlights the lack of a common language to describe outsourcing arrangements, and the paucity of evidence to support arguments for and against different options; there has been little independent evaluation of the claims being made. The aim of the research was not to develop a fact-based model to guide decision-making, a laudable aim though that would be. Hopefully this study has provided a more informed foundation for assessing the implications and potential effectiveness of different models of security service delivery. The benefits and drawbacks of different service options seem finely balanced and need to be better understood if organizations and suppliers are to combine to provide the most effective security.

References

Agndal, H. and Nordin, F. (2009) ‘Consequences of outsourcing for organizational capabilities: Some experiences from best practice’, Benchmarking: An International Journal, Vol. 16:3, pp. 316-334.

British Institute of Facilities Management (2007) The Good Practice Guide to FM Procurement, Redactive Publishing Limited.

British Institute of Facilities Management (2012) FM Categories (http://www.bifm.org.uk/bifm/knowledge/resources/Categories).

BSIA (2007) A Guide to Integrated Security Management Systems, BSIA.

Burdon, S. and Bhalla, A. (2005) ‘Lessons from the Untold Success story: Outsourcing Engineering and Facilities Management’, European Management Journal, Vol. 10:5, pp. 576-582.

De Toni, A.F. and Nonino, F. (2009) ‘The Facility Management: Non Core Services Definitions and Taxonomy’, in De Toni A.F., Ferri A., Montagner M., Open Facility Management: a New Paradigm for Outsourced Service Management, pp. 3-28, MILANO: IFMA.

Drion, B., Melissen, F. and Wood, R. (2012) ‘Facilities Management: Lost or Regained?’, Facilities, Vol. 30:5/6, pp. 254–261.

Feeny, D., Lacity, M., and Willcocks, L. (2005) ‘Taking the Measure of Outsourcing Providers’, MIT Sloan Management Review, Vol. 46:3, pp. 41-48.

Gill, M. (ed) (2014) The Handbook of Security: Second Edition, Basingstoke: Palgrave.

Gill, M. and Howell, C. (2012) The Security Sector in Perspective. Leicester: Perpetuity Research.


Hassanain, M. and Al-Saadi, S. (2005) ‘A Framework Model for Outsourcing Asset Management Services’, Facilities, Vol. 23:1/2, pp. 73-81.

Hunt, S. (2010) Convergence: The Semantics Trap, Online article: CSO Online (available at: http://www.csoonline.com/article/560063/convergence-the-semantics-trap)

Interserve and Sheffield Hallam University (2012) The Changing Shape of Facilities Management Procurement, Interserve. (available at: http://www.interserve.com/docs/default-source/Document-List/sectors/commercial/the-changing-shape-of-facilities-management-procurement-march-2012.pdf?sfvrsn=10)

Jain, R.K., and Natarajan, R. (2011) ‘Factors influencing the outsourcing decisions: a study of the banking sector in India’, Strategic Outsourcing: An International Journal, Vol. 4:3, pp. 294-322.

McIvor, R. (2005) The Outsourcing Process: Strategies for Evaluation and Management, Cambridge: Cambridge University Press.

McIvor, R. (2008) ‘What is the Right Outsourcing Strategy for your Process?’, European Management Journal, Vol. 26, pp. 24-34.

Momme, J. and Hvolby, H-H. (2002) ‘An outsourcing framework: action research in the heavy industry sector’, European Journal of Purchasing and Supply Management, Vol. 8:4, pp. 185-96.

Nordin, F. (2006) ‘Outsourcing services in turbulent contexts: lessons from a multinational systems provider’, Leadership and Organization Development Journal, Vol. 27:4, pp. 296-315.

Oshri, I., Kotlarsky, J., & Willcocks, L. (2011) The Handbook of Global Outsourcing and Offshoring: Second Edition, Hampshire: Palgrave Macmillan.

Petry-Eberle, A. and Bieg, M. (2009) ‘Outsourcing information Services’, Library Hi Tech, Vol. 27:4, pp. 602-609.

Prenzler, T. and Sarre, R. (2012) ‘Public-Private Crime Prevention Partnerships’, in Prenzler, T. (ed) (2012) Private Security in Practice: Challenges and Achievements, Basingstoke: Palgrave.

Shekar, S. (2008) ‘Benchmarking knowledge gaps through role simulations for assessing outsourcing viability’, Benchmarking: An International Journal, Vol. 15:3, pp. 225-41.

Varadarajan, R. (2009) ‘Outsourcing: Think more Expansively’, Journal of Business Research, Vol. 62:11, pp. 1165-1172.


Whitaker, J., Mithas, S. and Krishnan, M. (2010) ‘Organizational Learning and Capabilities for Onshore and Offshore Business Process Outsourcing’, Journal of Management Information Systems, Vol. 27:3, pp. 11–42.

Willcocks, L., Cullen, S. and Lacity, M. (2007) The Outsourcing Enterprise: The CEO’s Guide to Selecting Effective Suppliers. Logica in association with the LSE Information Systems and Innovation Group. pp. 10.

Willcocks, L. & Lacity, M. (2009) The Practice of Outsourcing: from IT to BPO and Offshoring, Palgrave: London.

Willcocks, L., Oshri, I. & Hindle, J. (2009) To Bundle or not to Bundle? Effective Decision-making for Business and IT Services, Accenture.

Willcocks, L., Oshri, I., & Hindle, J. (2009b) Client’s Propensity to buy Bundled IT Outsourcing Services, White Paper for Accenture.

Willcocks, L. and Lacity, M. (2011) ‘What Suppliers would tell you if they Could’, Outsourcing, Issue 6, Autumn. pp. 6-14.

Willcocks, L. and Lacity, M. (2012) ‘What Suppliers would tell you if they Could 2’, Outsourcing, Issue 8, Spring. pp. 28-34.

Willison, J., Kloet, F., & Sembhi, S. (2012) Security Convergence and FMs: the Learning Curve, Online article: Ifsec Global (available at: http://www.ifsecglobal.com/security-convergence-and-fms-the-learning-curve/)

Yam, T. (2012) ‘Economic Perspective on Outsourcing of Property Management Services’, Property Management, Vol. 30:4, pp. 318-332.

Yang, C. and Wei, H. (2013) ‘The Effect of Supply Chain Security Management on Security Performance in Container Shipping Operations’, Supply Chain Management: An International Journal, Vol. 18:1, pp. 74–85.

About the Authors

Professor Martin Gill is a criminologist and Director of Perpetuity Research which started life as a spin-out company from the University of Leicester. He holds honorary/visiting Chairs at the Universities of Leicester and London. Martin has been actively involved in a range of studies relating to different aspects of business crime, including the causes of false burglar alarms, why fraudsters steal, the effectiveness of CCTV, the victims of identity fraud, how companies protect their brand image, the generators of illicit markets and stolen goods, to name but a few. Martin has been extensively involved with evaluation research and with the offender’s perspective, looking at how they target certain people and premises and aim to circumvent security measures. He has published 14 books including

Page 31: Journal of Physical Security 8(2)

JournalofPhysicalSecurity8(2),1-14(2015)

14

thesecondeditionofthe'Handbook'ofSecurity'whichwaspublishedinJuly2014.MartinGill is a Fellow of The Security Institute, as well as a member of theCompanyofSecurityProfessionals(andaFreemanof theCityofLondon). He isamemberofboththe ASISInternational ResearchCouncil and the Academic and Training ProgramsCommitteeandaTrusteeof theASISFoundation. In2002 theASISSecurityFoundationmadea ‘citationfordistinguishedservice’ in ‘recognitionofhissignificantcontributiontothe security profession’. In 2009 he was one of the country’s top 5 most quotedcriminologists. In 2010 he was recognised by the BSIA with a special award for‘outstandingservicetothesecuritysector’. In2015IFSECplacedhiminthetop10mostinfluentialfireandsecurityexpertsintheworld.CharlotteHowellisResearchManageratPerpetuityResearch.Shehasconductedawiderange of projects on crime and security including consulting with offenders, victims,securityprofessionalsandthepolice. Charlottealsomanagestherunningof theSecuredEnvironmentsaccreditation—apoliceaccreditationrunbyPerpetuityResearchonbehalfoftheAssociationofChiefPoliceOfficers. CharlotteholdsafirstclassLLB(Hons)inLawandanMScinCriminology.


Journal of Physical Security 8(2), 15-36 (2015)


How Social Media is Transforming Crisis Management and Business Continuity

Gerald D. Curry, James J. Leflar, Marc Glasser, Rachelle Loyear, Briane Grey, Tim Jordan, Leonard Ong, Werner Preining, and Jose Miguel Sobron*

ASIS International Crisis Management and Business Continuity Council

Key Words - Social media, emergency operations, crisis management, emergency management, disaster

Terminology -

Social Media: an aggregate term for networking sites, messaging sites, texting, and other web-based or mobile technologies that support social interaction. Examples include Facebook, YouTube, Twitter, Instagram, Google+, LinkedIn, Plus, Tumblr, email, etc.

Emergency Operations: this term was selected to encompass the many similar terms such as emergency management, crisis management, business continuity, disaster management, disaster recovery, and emergency planning. The differences between these terms are often discipline- or industry-driven, but the differences do not justify using all of the terms when describing emergency operations. Emergency operations are the managerial functions charged with creating the framework that helps organizations, communities, and individuals reduce vulnerability to hazards, and cope with disasters.

___________________________
* All of the authors are active members of the ASIS International Crisis Management and Business Continuity Council. This study, conducted as a Committee project of the Council, was unfunded and is free of any known conflicts of interest.

The American Society for Industrial Security (ASIS) International is a prominent professional security organization with Chapters and Councils. The Crisis Management and Business Continuity Council promotes crisis management, business continuity, and organizational resilience standards and best practices worldwide. More information about ASIS International is available at https://www.asisonline.org/Pages/default.aspx.

Author affiliations:
Gerald D. Curry, DM, Environmental Management Office, Safeguarding and Security, Department of Energy.
James J. Leflar, Jr., MA, CPP, CBCP, MBCI, Senior Physical Security Consultant, Zantech IT Services.
Marc Glasser, MS, CPP, Managing Director, Resilience Management LLC.
Rachelle Loyear, MBCP, MBCI, PMP, Enterprise Director, Business Continuity Management, Time Warner Cable.
Briane M. Grey, Senior Vice President, Director of Corporate Security, City National Bank.
Tim Jordan, B.A., AMBCI, Senior Consultant, Automation Consulting Group, GmbH.
Leonard Ong, CPP, ASIS International Information Technology Security Council.
Werner Preining, CPP, ASIS International, Chapter Chairman, Austria Chapter 107.
Jose Miguel Sobron, Department of Safety and Security, United Nations.


Abstract

The purpose of this paper is to investigate social media usage in crisis management planning, response, and recovery activities. Social media usage during an emergency event to gather immediate information has been demonstrated as an alternative when traditional forms of communication have been less effective. Most of the messages transmitted using (or through) social media are from non-traditional media sources, and the medium has become an expected source for traditional news agencies, as every cellular smart device user in the world has the potential to be an information broadcaster. This research survey explores the role social media is having on crisis management for security professionals. Survey participants consisted primarily of ASIS International members.

Introduction

Social media is being leveraged across global disciplines or industries, and according to an overwhelming majority of ASIS International security professionals who participated in this study, an established practice has been laid in emergency operation planning. The purpose of this paper is to explore and report the varying means by which social media is being used by practicing professionals for generating alert messages, confirming personnel and other asset accountability, and keeping key stakeholders—including the general public—informed on crisis events.

This study uses a mixed methods (quantitative and qualitative) research design to analyze the survey results. The qualitative section of this paper identifies thematic topics that point to the depth of social media frequency and the quality of its use. Several questions were asked of 154 participants who confirm their acceptance of this tool as an information channel. Additionally, the survey addresses the future of how social media will be used to help security professionals achieve their protective responsibilities.

This paper uses a traditional research model and format in discussing the highlights of the survey. The qualitative section sets the foundation for this paper, as the survey participants help the reader to better understand the reasons and rationale of “how” and “why” social media is being incorporated into emergency management, including preparedness and mitigation planning. The data collected are rich in critical information for discovering new social media techniques as it pertains to contingency operation planning, and for determining the depth to which social media is currently being utilized. The qualitative research methodology offers the opportunity to review the data from a shared perspective, by reducing limits and potential research barriers.

We did not develop a particular theory, but rather offer security-practitioner perspectives on how social media is being utilized in emergency management. Additionally, the results will reveal how social media is being used throughout the emergency operations industry by expediting alert messaging. This study offers new insights on the tremendous possibilities for the use of social media platforms in emergency management.


The quantitative section of this paper summarizes the depth of this study by reviewing the strength of social media’s application in real world scenarios. However, it was not enough to gather data on whether or not social media is saving lives. Also needed was an examination of how it is being used, and at what frequency. These questions were all important, and helped to direct the research to a stronger, more applicable conclusion.

The sample size for this research was 154 participants. The majority of participants were ASIS International members. This study provides an in-depth description of the social media domain within the dealings of these security professionals.

This study leverages quantitative methods to determine statistical results and qualitative research to explore social media’s usage, in hopes of developing a comprehensive understanding. We hope this study will serve to inspire future studies on this subject.

Our study divided the analysis of questions into qualitative and quantitative in order to explore the full spectrum of inquiry. Social media has received significant societal attention. Social media has also completely changed the way people engage one another and, more importantly, how businesses connect with potential clients and customers. Social media has become the one common denominator that the world’s citizens understand and use on a daily basis. The preferred online applications may change from country to country, but the basics of being able to reach mass numbers of people quickly has been accomplished through social media.

Purpose of the Study

The purpose of this study was to document established ASIS International security professionals’ social media processes, identify frequency of social media use, and help provide a global perspective to improve contingency operations.
Additional research opportunities are identified later in this paper; these will lay the foundation for security professionals to identify and potentially benefit from further social media benefits applicable to security professionals worldwide.

Social media has rapidly become a societal norm (Kaplan, 2012), and it is important for security professionals to assess its use. The Department of Homeland Security’s Federal Emergency Management Agency (FEMA) reports that, “Social media is a new technology that not only allows for another channel of broadcasting messages to the public, but also allows for two way communication between emergency managers and major stakeholder groups.” (FEMA, 2015, paragraph 1). The social media technology is still considered to be in its infancy and thus requires dedicated exploratory research.

This study examines the utility of social media in emergency management by security professionals, so industry leaders can predict its current and long-term applicability. Often, new technology comes and disappears just as quickly as it arrives. Social media seems to be significantly different; this study concludes that many security professionals around the world are using some aspect of social media for emergency notification, keeping stakeholders engaged, and making critical documents more accessible. Our study aims to expand the conversation on social media being used in emergency management.

Literature Review

There is an enormous amount of literature on social media and its increased utilization in emergency management. This study leveraged the closest and most relevant resources to expand the narrative pertaining to this important topic. The survey was used to better understand and identify the professional pervasiveness of the platform, assess if the tools are embedded in current policy, and explore future possible applications of social media. The literature used in this study aims to better understand these three tenets, and confirm the research results.

Kaplan (2012) offers an overview in his “Social Media In Emergency Management: A Quick Look,” and suggests social media can be used as a means for public service announcements, a dependable resource for information for emergency responders, and can provide immediate feedback for all stakeholders through its crowdsourcing capabilities. Additionally, Kaplan (2012) validates the fact that social media has quickly become the subject of vigorous academic and professional studies. In fact, FEMA Administrator Craig Fugate uses his Twitter application to converse with industry professionals and the general public.

Su, Wardell, & Thorkildsen (2013, page 1) in their work simply titled, “Social Media in the Emergency Management Field, 2012 Survey Results,” announce that “…76% of adults responding to a 2012 American Red Cross survey expected help to arrive in less than three hours if they post an emergency-related request on social media.” The study solidifies the fact the public has a psychological expectation that once they post an emergency message in social media, the official authorities will acknowledge it and respond appropriately. Su, et al. (2013) share the finding that social media has created an expected demand by the public, and an additional platform for emergency management professionals.

One critical question this survey asks is, “How knowledgeable are emergency management agencies regarding social media?” In Su, et al. (2013, page 2) the researchers do not stop there however; they continue to examine the issue by identifying the governance, technology, data/analytics, and processes that must be used to fully embrace social media.

DHS (2012) uses their “Next Steps: Social Media for Emergency Response, Virtual Social Media Working Group and DHS First Responders Group,” to navigate the future of social media in emergency management. The DHS report recognizes that many United States government officials are turning to social media technologies to share information and connect with citizens during all phases of a crisis. In response to the global attention social media has drawn, the U.S. Department of Homeland Security’s Science and Technology Directorate (DHS S&T) has established working groups to provide guidance and suggest best practices for emergency preparedness and the response community. The DHS study concludes by highlighting six steps DHS needs to focus on: (1) Choosing the right technology and application; (2) Developing strategy, policy, and procedures; (3) Setting and managing expectations; (4) Engaging the community; (5) Managing misinformation; and (6) Addressing challenges to adoption, including concerns related to privacy, public comment, record retention, public disclosure, health information, human resources, information technology, and security.

The USDE/REMS (2013) presentation accurately sums up the progress made to protect school children and teachers. The presentation provides an understanding of the benefits and challenges associated with employing social media in school crises. It builds on the traditional four phases of emergency management: prevention-mitigation, preparedness, response, and recovery. The presentation notes that in the aftermath of the Columbine High School shooting, and other horrific events that have occurred, social media use is gaining traction. The presentation confirms that 96% of young adults ages 18-29 own a smart device of some kind, and 73% of online teens (age 12-17) use social networking sites. The report highlights the fact that teens from lower income families are more likely to use online social networks (4 in 5).

Lindsay (2011) starts his discussion by confirming that social media is playing an increasing role in emergencies and disasters. His report cites research from Information Systems for Crisis Response and Management (ISCRAM) and the Humanitarian Free and Open Source Software (FOSS) Project, both groups that are exploring related linkages. The author shows how social media is being used in one of two ways: first, to disseminate information and receive feedback, and second, as a systematic tool to conduct emergency communications, such as issue warning messages, receive victim requests for assistance, monitor activities, establish situational awareness, and create damage estimates. Social media has created a broad platform for emergency management professionals.
Lindsay’s report summarizes how social media is being used by management officials.

Hiltz, Kushma, and Plotnick (2014) offer a very unique opportunity of semi-structured interviews of U.S. public sector emergency managers to determine the use, and potential barriers to using, social media. They point out three barriers to social media use, which are (1) a lack of personnel time to work on social media, (2) a lack of policies and guidelines, and (3) concerns about trustworthiness of collected data. While these barriers or challenges are very real, social media usage continues to grow to epic proportions.

One significant point Hiltz, Kushma, and Plotnick make is that even with the millions of people who are flocking to social media sites, the government has yet to establish an emergency management platform. Additionally, they cite Kavanaugh (2012) who reported that social media is not being used in a particularly thoughtful or systematic way (Hiltz, Kushma, & Plotnick, 2014, page 602). The Hiltz, Kushma, and Plotnick (2014) study focuses solely on two important questions: (1) what problems or barriers do these managers perceive in terms of using social media, particularly for gathering and acting upon real-time disaster posts in them?; and (2) what is their reaction to several potential types of tools that might enhance their use of social media? This research concludes that the lack of trained personnel is the primary reason the government has not fully embraced social media (Hiltz, Kushma, & Plotnick, 2014). This technology is dependent on professional security managers and leaders who have the technical know-how to enhance operations internally, externally, and with key stakeholders.

Methodology

The ASIS International Crisis Management and Business Continuity Council (CMBC) developed a 17-question survey and received answers from 154 security professionals from across the globe who occupy security positions in federal, state, local, and private company positions. See the Appendix for the survey questions. The web-based survey was available from July 6 to September 1, 2014, via SurveyMonkey. The survey team published the link to CMBC members, who in turn shared the link with ASIS Chapter members and business colleagues who are associated with ASIS International.

We believe the survey received a fairly wide distribution within the limited ASIS related population, but there is no indication of the total number of recipients. We estimate at least several hundred recipients, and likely many more. The recipients and participants had some relationship to ASIS International, either as members or as professional colleagues of the research team, but there is no way to know the identities of the participants. The participants were anonymous, and the survey was completely voluntary. Participants were assured that any personal identifying information they provided would be kept confidential, and the final responses would be presented in aggregate form. We cannot make any claims concerning the participants’ representativeness of security professionals within a general population.

The participants consisted of 118 ASIS International members and 35 non-members. It should be noted that the 35 non-member participants who engaged in the study are security professionals, just not members of ASIS International. Approximately 91.9% of the participants have been members of ASIS International for over five years, and 100% actively worked in a security or crisis management position as their primary profession.

Interestingly, 58.3% held a professional certification such as the Certified Protection Professional (CPP), Certified Business Continuity Professional (CBCP), Master Business Continuity Professional (MBCP), or Certified Emergency Manager (CEM). 59.3% described their profession as security (non-data). This classification of security becomes interestingly important because it is used as an umbrella term, and translated to capture several security disciplines. Almost all participants held some level of college education, 84.2% held a bachelors, masters, or doctorate degree.

The qualitative section asked 5 open-ended probing questions to better understand the progress that has been made in emergency operations by adjusting to the society demand for social media. These questions very purposefully explored the depth of each participant’s professional involvement, including their participation in drills and exercises that leveraged social media. As with any survey, some participants failed to answer all questions, so we cannot determine or remark upon their responses to those questions. Several themes were garnered from the written responses that were provided, and these will be discussed in the next section.


The quantitative section explored each participant’s online application preference, and then shifted the inquiry to examine their exposure to social media being used in emergency operations practical applications. Discovering the depth and frequency of social media use is important in understanding the professional commitment to adapting policies by localizing procedures. This quantitative exploration validates the critical impact social media is having on how society views official authoritative response and recovery operations.

Denise Rousseau’s Psychological Contract helps us understand when and how an individual’s belief in mutual obligations between that person and another party, such as an employer or agent of the government, is expected (Rousseau, 2000). This expectation of mutual obligations can be easily illustrated in the federal response to Hurricane Katrina. The citizens in the region held an expectation that it was the government’s responsibility to provide for those individuals stranded in New Orleans and the impacted surrounding area.

The mixed methods process of using a qualitative and quantitative approach allows this research to explore social media usage in emergency operations applications. Additional details are offered throughout this study to expand on the use and future applications of social media. In the analysis section of this paper, more emphasis is placed on the importance of communication and the need to hear feedback from citizenry. Social media has become prevalent in society by becoming the preferred method for connecting with people, and for government agencies connecting to people within their jurisdiction of responsibility.

Qualitative Summary

Previous generations witnessed technological advances resulting in the progression from direct, limited, interpersonal communication (word of mouth, lectures or speeches, and town criers) to more remote or extended forms of transmitting information (print, telegraph, radio, cinema, and television). As technology has increased in complexity and capability, the time needed to send a message to an audience has reduced significantly. The Internet and social media platforms in particular have allowed a message from any individual to reach millions of people around the world almost instantly. Social media via the individual (as in-person) has become firmly entrenched in modern society as a primary method of communication and has helped decrease the time needed to inform a society of an event. This individual or personal ability to become a reporter of news information has dramatically changed the way large audiences receive their current events information.

When reviewing the data gathered in this survey, strong evidence shows unique themes from the participants’ responses. Question 13 was: Based on your experience as an emergency professional, have you participated in emergency risk operations using social media? The reason for this question was to explore the participant’s familiarity of using social media firsthand, and not relying on things they heard, read, or perceived from other agencies’ participation. It was important to have authentic experiences in using social media on a daily basis or routinely.


One participant commented that social media was used as the primary way to communicate during the Japanese Tsunami, as well as leveraging global geolocation online applications to identify victims in need. Another confirms that social media was used during Hurricane Sandy’s recovery operations. It is apparent from the data that social media has found a significant use in emergency operations, and is used routinely as appropriate.

The qualitative (open-ended) questions were developed to elicit more information from the respondents concerning their respective experience and opinions with social media usage in conjunction with an emergency event. There are 154 respondents to the survey, but approximately 35% of the respondents skipped the qualitative questions. Since there is no way to know the reasons for skipping the questions, those “skipped” responses have been deleted from the total. Allowing such unanswered or meaningless data to remain as part of the total responses would skew the distribution. Removing the “skipped” respondents provides a more accurate and meaningful interpretation of the data, but also creates a slight inequality in the totals for each question. The total number of respondents for each question does not equal the same amount; the totals range from 95–105, with the median equal to 98.

Table 1 - Responses to Open-Ended Opinion Questions

Response Categories    Participant Response

Q13: Based on your experience as an emergency professional, have you participated in emergency risk operations using social media? Please explain its use.
Never used social media for an emergency event    52%
Used social media for general warnings notifications    22%

Q14: Based on your experiences, do you believe social media should receive more of a priority in preparing for emergency risk operations?
Positive desire to develop social media as a priority    32%
Develop and establish more controls to vet information, develop infrastructure stability, and organizational controls for reliability    22%
An efficient method of disseminating information    13%

Q15: Based on your experiences, do you think social media can enhance or cripple emergency risk operations?
Enhancement    60%
Of those indicating enhancement, respondents claim excellent situational awareness and dissemination tool    29%
Of those indicating enhancement, emergency risk operations if properly managed with appropriate policies and coordination by the organization    28%
Will cripple emergency risk operations    5%
As to enhancement or cripple, it depends on the quality and tone of the messages    30%

Q16: Based on your experiences, do you think more demands will be placed on emergency managers if social media is applied to emergency risk operations? Please explain why or why not.
Will see fewer demands on their time    14%
Will be an increase in work demands    61%
Of those indicating an increase in work demands, the increase will level off and become a routine part of the emergency manager’s job    6%

Q17: What recommendations do you have for emergency managers desiring to use social media?
Organizations should embrace social media as part of the official organization with policies and procedures to support the effectiveness of social media usage    35%
Researching and following the lessons learned from other organizations has value    18%
Social media usage should be an integral part of the organization managed by a specially trained team or department such as Corporate Communications    23%


Of the respondents indicating a preference to the question of social media use during an emergency, 52% have never used social media for an emergency event. 22% indicated they have used social media for general warnings or notifications.

When asked for an opinion on establishing social media as a priority resource during emergency risk operations, 32% of the respondents indicated a positive desire to develop social media as a priority. 22% expressed a desire to develop and establish more controls to vet information, develop infrastructure stability, and organizational controls for reliability. 13% responded that social media was an efficient method of disseminating information.

When asked to comment on whether social media usage will enhance or cripple an organization during an emergency, 60% indicated enhancement and only 5% clearly indicated that social media will cripple emergency risk operations. 30% responded that it depends on the quality and tone of the messages. Of the 60% indicating social media will enhance capabilities during an emergency, 29% believe it is an excellent situational awareness and dissemination tool, and 28% expressed the opinion social media will enhance emergency risk operations if properly managed with appropriate policies and coordination by the organization.

Whereas 14% of respondents for question 16 indicated emergency managers will see fewer demands on their time if social media is integrated into emergency risk operations, 61% believe there will be an increase in work demands. The increase in demands involves a management responsibility for the integration of social media into emergency operations, as well as ensuring the accuracy of the information. Of the 61% indicating an increase in work demands, 6% believe the increase will level off and become a routine part of the emergency manager’s job.

When asked for recommendations to managers wishing to use social media, 35% indicated that organizations should embrace social media as part of the official organization with policies and procedures to support the effectiveness of social media usage. 18% suggested that researching and following the lessons learned from other organizations has value. According to 23% of the respondents answering Question 17, social media usage should be an integral part of the organization managed by a specially trained team or department such as Corporate Communications.

This study confirmed that social media is establishing its place in emergency operations planning and execution. Undoubtedly, communication efforts have improved with emergency alert messaging, offering feedback to local citizens, potential victims, and other stakeholders who may be impacted by the event. Emergency operations professionals may require additional training to learn how to best create alert messaging, and ensure communication lines are established with citizens before, during, and after the crisis event. Approximately 25% of the participants have not used social media. It will prove interesting to track this trend over the coming years to determine if social media use among emergency operation professionals is increasing or decreasing.


Summary

This study is constructed using a sampling of ASIS International security professionals and related colleagues. We distributed the survey to professional associates and ASIS Chapter members. We promoted a wider distribution of the survey to any emergency operations professionals. In the analysis section, we attempt to make sense of the collective summary of both areas.

The questions selected for this quantitative review were purposefully designed to be more objectively structured, rather than the more discussion-based (subjective) format experienced in the qualitative section. The following section will emphasize the analysis of data that will combine the qualitative themes and the quantitative statistical analysis of the findings.

The following are the results of the respondents’ responses. The average score for each question is calculated based on a scale of 0 to 4, where 4=Strongly Agree, 3=Agree, 2=Disagree, 1=Strongly Disagree, and 0=Not Sure. The scale is 0 to 3 for Yes (3), No (2), Potentially (1), and Not Sure (0).

Table 2
Question 1 Responses: Social Media Will Increase Efficiencies in Emergency Risk Operations, Average Score = 2.97

Answer Choices           Responses    Participants
Strongly Agree (4)       33.6%        50
Agree (3)                51.0%        76
Disagree (2)             4.0%         6
Strongly Disagree (1)    2.0%         3
Not Sure (0)             9.4%         14
Total                    100%         149

Table 3
Question 2 Responses: Use of Social Media During Emergency Risk Operations, Average Score = 3.07

Answer Choices           Responses    Participants
Strongly Agree (4)       30.2%        45
Agree (3)                57.1%        85
Disagree (2)             6.0%         9
Strongly Disagree (1)    2.7%         4
Not Sure (0)             4.0%         6
Total                    100%         149


Table 4
Question 3 Responses: Participated In an Emergency Risk Operation Event(s) When Social Media Was Used, Average Score = 2.34

Answer Choices     Responses    Participants
Yes (3)            47.0%        70
No (2)             43.0%        64
Potentially (1)    7.3%         11
Not Sure (0)       2.7%         4
Total              100%         149

Table 5
Question 4 Responses: Social Media Requires Emergency Managers Embrace New Processes, Average Score = 2.50

Answer Choices     Responses    Participants
Yes (3)            75.2%        112
No (2)             2.0%         3
Potentially (1)    20.8%        31
Not Sure (0)       2.0%         3
Total              100%         149

Table 6
Question 5 Responses: Social media will revolutionize emergency risk operations, Average Score = 2.80

Answer Choices           Responses    Participants
Strongly Agree (4)       26.2%        39
Agree (3)                55.0%        82
Disagree (2)             4.0%         6
Strongly Disagree (1)    2.0%         3
Not Sure (0)             12.8%        19
Total                    100%         149

We found the quantitative data to be most useful in illustrating the depth of social media usage, and deciding future applications. This study would be incomplete if a quantitative process was not included. There are significant common strands of data extracted from the participants that are of interest. The data structure used in this study complements the interpretation of various types of data, and offers a platform for future studies.

Analysis

The data collected in this research illustrate that social media is still in a developmental stage, and that technology has not yet been fully exploited to fulfil its potential (Dantas, Seville, Nicholson, 2006/Field, 2010). This understanding offers an introduction into the application of social media worldwide, confirming that social media is playing a significant role in all phases of emergency management planning, mitigation, response, and recovery. Social media’s application has found a permanent home in contingency planning, yet still needs further development. This invention continually provides a forum for people from all walks of life to connect globally in real-time. For example, emergency planners have the opportunity to explore new ways of standardizing notification protocols, deepen response coordination, and confirm evacuation reporting.

The data validate security professionals’ view of social media as a communication tool. The majority of the participants reported that stricter usage controls are needed in order for social media to have an effective role in contingency management. In the qualitative section, several themes evolved from the participants: (1) Social media expedites citizen notifications and enhances community awareness; (2) Solid guidelines are needed to ensure message consistency and reliability; (3) Privacy safeguards are necessary to ensure technology platform trustworthiness. Each of these themes is critically important to creating an industry foundational approach to social media policy governance. Resilience and consistency in social media application and execution will yield tremendous results as technology evolves.

Also found in the survey results was a reluctance from many of the participants to completely embrace social media. Several participants expressed the need to hold on to the “old” ways of doing things, because everyone does not have access to social media or newer technology.
This hesitancy is prudent in the sense that it is taking some communitiesdecadestofirmlyfindtheirwaywithnewertechnologyapplications.Managersshouldbemindful of duty-of-care responsibilities towards employees during an emergency andensure that advances in technology are included in procedures and processes.Collaborativetechniquesarerequiredandbuildingpartnershipswillrequirenewalliancestobesuccessful.Another element that surfaced in the data is that maintaining the ability to manageinformation was viewed as paramount. According to survey participants, while crisismanagers cannot control individual citizens input, the messages being relayed fromauthoritative sources must be consistent and reliable. Most importantly, it must betrustworthy. Multipleresourcesareneededtocombinedatastreamsthatwillultimatelyimprove data management. Creating in-depth feedback protocols will be necessary tounderstand developments and concerns from residents actively being impacted by thecrisis.EmergingTrendsSocial media is well established and significant. Various new online applications arebeingreleaseddaily,toeasepublicaccesstoimportantinformationandestablishlinkagestopeople anddata. Oneof the toughestdilemmas societyhas isbalancing theability toprocesshugeamountsofdatawithdetermining the trustworthinessof thatdata (Cullen,2010). As technology increases, the amount of data will surely increase. Emergency

Page 45: Journal of Physical Security 8(2)

JournalofPhysicalSecurity8(2),15-36(2015)

28

managers will need to create social media platforms they intend to use, and thenpopularizethosesitesforthepublictouseintimesofcrisis.Several social trends and business patterns are developing due to interest in socialmedia.Today,morepeopleareconnectedtogetherthaneverbefore.Socialmediaappearsto be themechanism for linking together people from various cultures from around theworld, where learning is taking place in complex industries such as medicine, science,technology, politics, and various formsof academia. Progress in these industries cannotoccur without considering advancements made in emergency operations. Social mediaallowspeopletobecomefamiliarwithoneanotheronvariouslevels.The majority of the initial evidence used to prosecute the defendants in the BostonMarathonbombingcasewas received fromvariouseverydaycitizenswho tookYouTubevideos,tweetedonTwitter,andleveragedfootagefromsurveillancecameras(Crumpacker,2014). Disasters are being captured on individual smart devices by those closest to theevent while it is occurring. There is an abundance of 9-1-1 calls received in a timelymanner because of people’s access to smart devices. Social media and computertechnology have completely changed the emergency operations industry, and it hasmodifiedthebehaviorofemergencymanagersandthepublic.Peopleareconnectingwithpublicofficialsbysendingfileswhenaneventoccurs,andexpectingemergencyoperationagenciestobejustasresponsivebyreturningfeedbackoraresponseifsomethingadverseisreported.Individuals in the public, private, and non-profit sectors are using social media as acommon tool. 
Social media is being leveraged by police departments to hunt downcriminalsbyreviewingtheironlineprofiles.AccordingtotheInternationalAssociationofChiefs of Police (IACP) in their 2014 report on emerging technologies, approximately55.8%ofpolicedepartmentssurveyedactivelyusesocialmediaintheperformanceoftheirduties(IACP,2014).FirstRespondersareusingsocialmediatodeterminethepropensityofacompanyorperson’sactions,whileconductingmitigationplanning.Itisestimatedthatby2030, every living adult human (worldwide)who is capablewill have a smart deviceequipped with online access and emergency alert applications (Su, 2013). This smartdevice availabilitywill increase crisis event reporting, aswell as periodic updateswhenadverse activities occur. The entire spectrum of situational awareness will surelyoverwhelm existing protocols and communication systems, unless deliberate actions aretakennoworintheneartermtoimproveandincreasefunctionalityinthelongterm.ConclusionSocialmediaisadevelopingphenomenonandusefulplatformthatissecuringitsplaceinsociety by connecting people from variouswalks of life. This research emphasizes thatsocial media has a permanent place in helping security professionals achieve effectivecontingencyplanning,orchestration,andcrisismanagement.Accordingtotheparticipantsin this study, more can be done on various levels, starting with establishing stricterguidelinesgoverningtheuseandapplicationofsocialmedia.

Security professionals realize that additional learning will be required to fully embrace and exploit social media online applications. Approximately 75.2% agreed that more knowledge is required to expand social media to a wider audience in emergency operations. 81.2% either agreed or strongly agreed that social media has the ability to revolutionize emergency risk operations. In an effort to move the professional initiatives forward with social media in emergency operations, a deliberate strategy is required to properly advance. Participants agreed that more needs to be done, but whose responsibility is it? ASIS International has a legacy of leading the way by establishing professional security certifications and international training opportunities for a broader audience. It is advisable that ASIS International or a similar security organization work to promote social media guidelines for use in emergency operations.

Social media has found its place in emergency management, and the research participants view social media as a communication tool, but feel more controls in respect to confidentiality and privacy need to be established. This study confirmed purposeful educational programs are necessary if social media is to be used wholesale in emergency management. Additionally, social media offers the ability to receive instant feedback from those most impacted by the event. This new level of public access will apply new pressures on emergency management professionals not experienced before (Hiltz, 2014).

Over 100 participants in the study requested new tools to effectively manage social media. These tools included mobile training teams designed to educate communities, communication feedback platforms in the form of online applications, and websites to help collect data. No single initiative or tool was identified as the primary focus to improve social media applications. It was apparent that social media is having a tremendously positive impact on emergency managers, but there was a clear reluctance to accept social media protocols wholesale.

Social media offers real-time information that can be processed immediately, and contribute value to the overall operations. The question of social media saving lives was not answered in this study, but if the right platforms are created and fully exploited (e.g., the Internet of Things), it may be possible. Incident Commanders (i.e., Emergency Managers) require critical information, and it is possible for social media to expedite the amount of information they receive. The emergency operations industry should have a responsibility and a business opportunity to create new methodologies, applications, and data strategies that will enhance overall contingency operations.

This research study addressed several critical elements and current practices within emergency operations as it applies to social media. The participants in this study were all professionals who actively contribute every day to the safeguarding and security of people and property. Their participation in this study is appreciated as they help educate colleagues worldwide. More research in this area is necessary, and it was the aim of this study to begin a meaningful conversation. Social media is making a positive difference in emergency operations, yet still has a way to go before being completely transformed into common practice.

References

Bamberger, M. (1999). Integrating quantitative and qualitative research: Lessons from the field. Washington, DC: World Bank.

Bertot, J., Jaeger, P., Grimes, J. (2010) Using ICT to create a culture of transparency: e-government and social media as openness and anti-corruption tools for societies. Government Information Quarterly, ScienceDirect. Available from http://www.elsevier.com/locate/govinf

Callahan, M.E. (2010). Haiti social media disaster monitoring initiative, Office of Coordination And Planning, Department Of Homeland Security. Washington DC: Government Publishing Office.

Cameron, M.A., Power, R., Robinson, B and Yin, J. (2012). Emergency situation awareness from Twitter for crisis management. Proceedings of the WWW 2012 - SWDM’12 Workshop, Lyon, France, ACM, 695-698.

Coombs, T. (2007). Protecting organization reputations during a crisis: The development and application of situational crisis communication theory. Corporate Reputation Review, 10, page 163-176. Retrieved from http://www.palgrave-journals.com/crr/journal/v10/n3/full/1550049a.html

Crowl, T.K. (1996). Fundamentals of educational research (2nd ed.). Chicago, IL: Brown & Benchmark Publishers.

Intelligence Community, Central Intelligence Agency, Department of Justice, Department of Homeland Security, (2014). Unclassified summary of information handling and sharing prior to the April 15, 2013 Boston Marathon bombings. Washington, DC: Government Publishing Office. Retrieved from http://www.justice.gov/oig/reports/2014/s1404.pdf

Cullen, J. (2010). When bloggers and tweeters attack! Social media and the organizations reputation. Retrieved from http://www.theicor.org/art/present/art/ARCMC00067.pdf

Dantas, A., Seville, E., Nicholson, A. (2006). Information sharing during disaster: Can we do it better? Retrieved from Resilient Organisations Research Report: http://www.resorgs.org.nz/images/stories/pdfs/information_sharing_during_disaster_resorgs_06_02.pdf

Department of Homeland Security (2012). Next steps: Social media for emergency response. Virtual Social Media Working Group and DHS First Responders Group, Science and Technology Group. Retrieved from http://www.ghinternational.com/docs/DHS_VSMWG_Next_Steps_Social_Media_Strategy_Formatted_May_2013_FINAL.pdf

Department of Homeland Security. (2014). Using social media for enhanced situational awareness and decision support: Virtual Social Media Working Group and DHS First Responders Group. Retrieved from http://www.firstresponder.gov/TechnologyDocuments/UsingSocialMediaforEnhancedSituationalAwarenessandDecisionSupport.pdf

Federal Emergency Management Agency (2015) IS-42: Social media in emergency management. (Emergency Management Institute, Independent Study-42). Retrieved from http://training.fema.gov/is/courseoverview.aspx?code=is-42

Field, T. (2010). Social media: What every senior leader must know: Interview with Prof. Sree Sreenivasan of the Columbia Graduate School of Journalism. Retrieved April 15, 2013, from the CUINFOSECURITY website: http://www.cuinfosecurity.com/social-media-what-every-senior-leader-must-know-a-2421

Fraenkel, J.R., & Wallen, N.E. (1996). How to design and evaluate research in education (3rd ed.). New York: McGraw-Hill.

Gonzales-Herrero, A., Smith, S. (2008). Crisis communications management on the web: How internet-based technology are changing the way public relations professionals handle business crises. Journal of Contingencies and Crisis Management, 16(3), 143-153. Available from http://onlinelibrary.wiley.com/doi/10.1111/j.1468-5973.2008.00543.x/abstract;jsessionid=1686BDD5693F10317EE456BC1E947AC0.f03t04

Goolsby, R. (2010). Social media as crisis platform: The future of community maps/crisis maps. ACM Transactions on Intelligent Systems and Technology, 1(1), Article 7. doi:10.1145/1858948.1858955.

Hiltz, S.R. and Gonzalez, J.J. (2012). Assessing and Improving the Trustworthiness of Social Media for Emergency Management: A Literature Review, in: V.A. Oleshchuk (Ed.) Proceedings, NISK, Akademika Forlag, Trondheim, Norway, 135-145.

Hiltz, S., Kushma, J., Plotnick, L. (2014). Use of Social Media by U.S. Public Sector Emergency Managers: Barriers and Wish Lists, The 11th International USCRAM Conference - University Park, Pennsylvania, USA, Retrieved from http://www.iscramlive.org/ISCRAM2014/papers/p11.pdf

IACP (2014). International Association of Chiefs of Police 2014 Social Media Survey Results. Retrieved on January 22, 2015, from http://www.iacpsocialmedia.org/Portals/1/documents/2014SurveyResults.pdf

James, E., & Wooten, L. (2009). Leadership in turbulent times: Competencies for thriving amidst crisis. Working Paper Series, Paper No. 04-04, Darden Graduate School of Business Administration, University of Virginia. Richmond, VA. Available from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=555966

Kaplan, E. (2012). Social media in emergency management: A quick look. Homeland Security Studies & Analysis Institute, Retrieved from: http://www.homelandsecurity.org/docs/reports/RP11-01.01.05-01_AQuickLook_30Nov12.pdf

Kavanaugh, A.L, Fox, E.A., Sheetz, S.D., Yang, S., Li, L.T., Shoemaker, D.J., Natsev, A. and Xie, L. (2012). Social media use by government: From the routine to the critical. Government Information Quarterly, 29, 480-491.

Krigsman, M. (2009). IBM: IT failure and social media disaster. Retrieved April 15, 2010, from ZDNet website: http://www.zdnet.com/article/ibm-it-failure-and-social-media-disaster/

Lindsay, B. (2011). Social media and disasters: Current uses, future options, and policy considerations. (CRS Report for Congress, 7-5700, R41987). Retrieved from Congressional Research Service website: https://www.fas.org/sgp/crs/homesec/R41987.pdf

McKinney, K. (2011). Quantitative analysis and reporting: Telling a story with numbers. Assessment Institute, Chicago.

McMenamin, J. (2015) Social media during disaster response: A lawyer’s perspective. Retrieved March 10, 2015, from the Disaster Resource Guide website: http://www.disaster-resource.com/index.php?option=com_content&view=article&id=856:social-media-during-disaster-response-&catid=9:crisis-response

Owyang, J. (2008, December 1). How municipalities should integrate social media into disaster planning {Web log post}. Retrieved from http://www.web-strategist.com/blog/2008/12/01/how-municipalities-should-integrate-social-media-into-disaster-planning/

Palen, L. (2008). Online social media in crisis events. EDUCAUSE Quarterly, 3, 76-78. Retrieved from https://net.educause.edu/ir/library/pdf/eqm08313.pdf

Ray, A. (2008). Social media disasters (or how not having a social media strategy can hurt). Retrieved April 15, 2010, from the Social Media Today website: http://www.socialmediatoday.com/content/social-media-disasters-or-how-not-having-social-media-strategy-can-hurt

U.S. Department of Education (2013). Social media in school emergency management: Using new media technology to improve emergency management communications. Retrieved from U.S. Department of Education, Office of Safe and Healthy Students, Readiness and Emergency Management for Schools (REMS) Technical Assistance (TA) Center website: http://rems.ed.gov/docs/Training_SocialMediaInEM.pdf

Rousseau, D. (2000). Psychological contract inventory technical report. Retrieved from http://vodppl.upm.edu.my/uploads/docs/dce5634_1298965643.pdf

Su, Y.S., Wardell III, C. and Thorkildsen, Z. (2013). Social media in the emergency management field: 2012 survey results. (IPP-2013-U-004984/Final report). Retrieved from CAN website: https://www.cna.org/sites/default/files/research/SocialMedia_EmergencyManagement.pdf

Sutton, J., Palen, L., Shklovski, I. (2008). Backchannels on the front lines: Emergent uses of social media in the 2007 Southern California Wildfires. Proceedings of the 5th International ISCRAM Conference – Washington, DC. Retrieved from https://www.cs.colorado.edu/~palen/Papers/iscram08/BackchannelsISCRAM08.pdf

Vila, S. (2010). NGOs must harness social media beyond disaster relief. Retrieved April 15, 2014 from the PBS MediaShift website: http://www.pbs.org/mediashift/2010/02/ngos-must-harness-social-media-beyond

Wagstaff, K. (2014) The Internet and the World Wide Web is Not the Same Thing, NBC News, Retrieved October 18, 2014 from http://www.nbcnews.com/tech/internet/internet-world-wide-web-are-not-same-thing-n51011

York, B. (2010). Advertising age: McDonald’s names first social-media chief: Hire of Rick Wion, Founding Member of Digital Task Force, comes after a year spent devising strategy. Retrieved April 15, 2014 from the Advertising Age website: http://adage.com/article/digital/marketing-mcdonald-s-names-social-media-chief/143248/

Appendix

The following survey questions were used to develop the data in this study:

1. Are you a current member of ASIS International?
   Yes
   No, please go to question 3.

2. How long have you been a member of ASIS International?
   Less than 1 year
   1 – 5 years
   6 – 10 years
   11 – 15 years
   More than 15 years

3. What is/are your main duties? (Select all that apply)
   Security Management (inclusive of Business Continuity)
   Security Management (exclusive of Business continuity)
   Business Continuity Management/COOPS
   Crisis Management
   Physical Security
   Others (Please specify) ____________

4. Do you hold any of the following certifications? (Select all that apply)
   Certified Protection Professional (CPP)
   Certified Business Continuity Professional (CBCP)
   Master Business Continuity Professional (MBCP)
   Certified Emergency Manager (CEM)
   Other relevant certification (please specify) ____________
   No

5. How do you describe your professional discipline? (Please select the primary choice)
   Security (non-data)
   Disaster Recovery
   Business Continuity/COOPS
   Crisis Management
   Security (data or network)
   Others (Please specify) _______________

6. Do you hold any of the following degrees? Please indicate your highest, completed degree.
   Bachelor degree
   Graduate/Master degree
   Post-graduate/Doctorate degree
   Professional Certificate
   Others (Please specify)

7. What social media platforms do you use (either for personal or work)?
   LinkedIn
   Twitter
   Facebook
   Instagram
   Blog websites (e.g. Bloggers, Wordpress, etc.)
   Private platform
   Others (please specify) _______________________

(Quantitative Questions)

Number | Question Text | Potential Responses
8 | Based on what you know or have experienced, social media will increase efficiencies in emergency risk operations. | 4 — Strongly Agree; 3 — Agree; 2 — Disagree; 1 — Strongly Disagree; 0 — Not Sure
9 | Do you agree or disagree with using social media during emergency risk operations? | 4 — Strongly Agree; 3 — Agree; 2 — Disagree; 1 — Strongly Disagree; 0 — Not Sure
10 | Have you participated in an emergency risk operations event(s) when social media was used? | 3 — Yes; 2 — No; 1 — Potentially; 0 — Not Sure
11 | Will social media require emergency risk operations managers to embrace new processes? | 3 — Yes; 2 — No; 1 — Potentially; 0 — Not Sure
12 | Social media has the ability to revolutionize emergency risk operations. | 4 — Strongly Agree; 3 — Agree; 2 — Disagree; 1 — Strongly Disagree; 0 — Not Sure

(Qualitative Questions)

Q13: Based on your experience as an emergency professional, have you participated in emergency risk operations using social media? Please explain its use.

Q14: Based on your experiences, do you believe social media should receive more of a priority in preparing for emergency risk operations?

Q15: Based on your experiences, do you think social media can enhance or cripple emergency risk operations? Please explain why.

Q16: Based on your experiences, do you think more demands will be placed on emergency managers if social media is applied to emergency risk operations? Please explain why or why not.

Q17: What recommendations do you have for emergency managers desiring to use social media?

Journal of Physical Security 8(2), 37-38 (2015)

Viewpoint Paper

The New ASIS Standard on Risk Assessment*

Roger G. Johnston, Ph.D., CPP
Right Brain Sekurity

The new ASIS International standard for Risk Assessment is out. (ANSI/ASIS/RIMS RA.1-2015.) Here is my take on it.

Like a lot of ASIS “standards”, this is less of a technical standard or set of suggestions than an intelligent mapping out and general discussion of the subject area. There is the usual multitude of bland platitudes and mundane shopping lists. Also like many other ASIS standards, there is an obsession with scope, documentation, and establishing complicated business “programs” for security, rather than focusing on practical advice about how to engage in the necessary actions. Effective risk management involves subjective value judgments, but this is given somewhat short shrift.

The standard seems to underemphasize the role of vulnerability assessment in the risk assessment/management process. For example, “threat analysis” is defined in the list of terms but not vulnerability analysis or assessment. The discussion in Section 6.4.4.1.3 of Vulnerability/Capability Analysis is somewhat confused about what a vulnerability assessment is about. It focuses more on threats, assets, and consequences than vulnerabilities, and encourages letting the existing security thinking, strategy, and infrastructure define the vulnerabilities. Unfortunately, the bad guys get to do that.

Risk itself is rather oddly defined as the “effect of uncertainty on the achievement of strategic, tactical, and operational objectives.” Uncertainty isn’t what causes harm, the threat does. Under this definition, worries within an organization about possible security shortcomings—which might be very healthy—would be considered risk.

The standard endorses the use of Gap Analysis, but I have always found this kind of approach to be dangerous because it engenders binary thinking about security. Security is actually a continuum, not a matter of gaps or no gaps.

On the plus side, the standard’s call for outside, independent risk assessors with no conflict of interests is specific and praise-worthy. The recognition of the detrimental effect that cognitive bias has on risk management is surprising and welcome. There is a strong and appropriate emphasis on identifying and documenting assumptions.

Overall, the discussion is well organized and fairly well-written (both of which are difficult to do by committee), and covers many important points. At $135, the 138-page standard is expensive to order, but much less expensive by a factor of 2-8 than many shorter and less thoughtful standards issued by other organizations. Moreover, ASIS International members can download one copy of the standard for free. Despite its problems and limitations, the Risk Assessment standard is a significant contribution to thinking about security, and well worth a read.

About the Author: Roger G. Johnston, Ph.D., CPP was the head of the Vulnerability Assessment Teams at Los Alamos National Laboratory (1992-2007) and at Argonne National Laboratory (2007-2015). Currently he is editor of the Journal of Physical Security, and CEO of Right Brain Sekurity (http://rbsekurity.com), a company devoted to creative security solutions.

_____________
* This viewpoint paper was not peer-reviewed. The author participated in a minor way in the early stages of the standard development. ASIS International is the American Society for Industrial Security, a trade group of security professionals.

Journal of Physical Security 8(2), 39-41 (2015)

Viewpoint Paper

Why I Hate Security*

Steve Hunt, CPP, CISSP

Hunt Business Intelligence
http://www.huntbi.com

These criticisms are nothing new. You've heard them all before, or muttered them under your breath. If you are a business executive, you've shaken your head when you've seen it. And if you are a security professional, you're guilty of more than one:

• "I hate security."

• Much of what passes as security is no more than window dressing, or, as Bruce Schneier has called it, “Security Theater”, with its posturing, phony controls and security guard bravado.

• Not a week goes by that a CIO or other executive hears a pitch from a security vendor, whose eyes are bugged out as their words ooze fear, uncertainty, and doubt (FUD).

• Security directors, including some of the most esteemed CISOs, can be seen from time to time running the halls, arms flailing overhead, screeching, "The sky is falling! The sky is falling!"

• Risk management experts talk for hours about the "fuzzy logic" of measuring impact and likelihood, using game theory, and generally talking until the audience goes numb.

• And when the big one happens, when the big data breach hits, as it inevitably does, security pros and business executives alike point fingers at budgets, and internal politics, and vendor missteps for blame.

So I am here to give you the straight dope. To address all of these complaints once and for all. To put the discussion to rest so we can all move on.

Security is all those things. Security is often mere theatrics. Vendors do commonly sell FUD in place of value. Risk management experts do often employ pseudoscience "to definitively calculate" intangible and unknown risks. CISOs do sound like Chicken Little when they predict the things we simply aren't prepared for and need more budget for. And security pros do like to find a scapegoat. All of these things are true, and security deserves its criticism.

Personally, though, I look at it differently. Security is something special to me. For example, when I see a CISO work his or her way out of a messy data breach by responding quickly, limiting impact, and recovering smoothly—it gives me a very satisfied feeling. Moreover, when I think of my own career as a security professional, I think of the truly costly and damaging attacks that we've avoided by working hard to improve continuously.

In the early 1990s, I worked at a financial institution in Chicago. We got hacked—before we even had the word "hacked." The bulletin board server was fine yesterday, but today it isn't, and the audit log is gone. As we scratched our heads an ol' timer leaned over us and said, "Looks like you got a security problem with your computer."

I was stunned. I had never considered security and computers in the same thought before. My father was a locksmith, and I had worked my way through college and grad school at the University of Chicago with my own locksmith company and building PC clones on the side. So when I heard those words, a light bulb went on. I thought to myself, I know security, and I know computers. Right then I began retooling for a career in computer and network security. Right place. Right time.

So security gave me an entree into the world of the fledgling Internet, and into the world of creating value for the business in ways I never could have imagined before that fateful day, seated cross-legged on the floor, under a desk, staring blankly at the back of a bulletin board server.

Security also did much more than that. It solved real problems. From the script-kiddies of the '90s to the state sponsored hacking of the 2000s, security gave hundreds of professionals an opportunity to fight in very foreign territory—guerrilla IT warfare. We created a new way of operating the Internet, and we opened doors permitting businesses to create value and revenue in new ways. For example, the security community put its collective head together, limiting loss sufficiently to make online commerce (once called e-commerce) a reality.

Converged approaches to physical and cybersecurity for the decade beginning 2001 created an amazing new world of inter-networked security cameras, intrusion detection, gates, fences, locks, employee ID badges, laptops, personal devices, and home automation controls. Everything was suddenly networkable because the basic questions of authentication and authorization (who are you?, and what are you supposed to do?) were answered by security professionals.

Today, we are coming up with clever ways to extend the work we did previously and apply it to the Internet of Things (IoT). Soon, we will see alternatives to keys and locks being used widely in the secure networking of any and every common device at home or sensor on a locomotive. Homes will operate more efficiently and businesses will make countless billions in new revenue because of IoT. This is possible because the security industry truly is doing its best.

Does security have its foibles? Is it Security Theater laced with FUD, bad logic and blame? Yes. But does it create value that outweighs its sometime silliness? Yes it certainly does. For me personally, it has provided me many benefits and opportunities, making me a better philosopher of technology, a better technologist in general, a better citizen of the world, a better provider for my family.

So the next time you sit through another ridiculous vendor pitch about all the bad things that will happen if you don't buy their product: use your phone to securely transfer funds at your bank, or buy a gift for your kid on Amazon, or plan the next product launch with confidence that the security pros have your back.

About the Author: Steve Hunt, CPP, CISSP is Principal Consultant at Hunt Business Intelligence (http://www.huntbi.com), which focuses on cybersecurity, physical security, data analytics and business intelligence.

_____________
* This viewpoint paper was not peer-reviewed. It is reprinted from an essay posted on LinkedIn.

Journal of Physical Security 8(2), 42-43 (2015)

Viewpoint Paper

WIPP May be the Best Place for Weapons-Grade Waste*

Editorial Board, Albuquerque Journal

There are some important details that don’t quite make the talking points of what to do with the nation’s nuclear waste, those being:

It has to go somewhere, most of where it is now is not good or safe or responsible, and New Mexicans have offered the only permanent solution.

The nation’s more than 70,000 metric tons of used reactor fuel is now kept in temporary facilities in 39 states—some sites adjacent to rivers or on top of water tables. The nation’s 55 metric tons of surplus weapons-grade plutonium is kept in bunkers at the Energy Department’s Pantex warhead assembly-disassembly plant outside Amarillo, Texas, and in an old reactor building at the Savannah River Site.

Those aren’t permanent solutions, and the nation’s $15 billion permanent plan, Yucca Mountain, remains the largest, most expensive and emptiest parking garage ever. A close second is the $4 billion incomplete “mixed oxide” fuel, or MOX, facility in South Carolina that would convert the plutonium for use in commercial nuclear power plants. Since its designation in a 2000 arms-control agreement with Russia, the price tag for the MOX facility has ballooned from $1.5 billion to between $7 billion and $30 billion.

So it is important not to blindly follow former New Mexico Gov. Bill Richardson’s lead in dismissing the Waste Isolation Pilot Plant (WIPP) as a final resting place for diluted weapons-grade plutonium in favor of a MOX plan that may never happen. MOX was approved when Richardson was U.S. Energy secretary, though now even his former employer, DOE, is looking at storage alternatives including WIPP.

That is likely in part because of the increasing MOX construction price tag, in part because no utility has stepped up to say it will use the MOX fuel, and in part because while WIPP was shuttered after a 2014 truck fire and drum radiation release, there has been serious, ongoing scrutiny to ensure its policies, procedures and contractors are on track.

And it is likely also in great part because southeastern New Mexico has become home to nuclear experience and expertise, with WIPP, the $4 billion Urenco USA uranium enrichment plant, a proposed $100 million International Isotopes plant to process spent uranium from Urenco, a proposed $280-million-plus Holtec International Inc. underground storage site for used reactor fuel, and a proposed spent-fuel storage facility run by Waste Control Specialists and French firm AREVA Inc. just across the Texas state line.

As Richardson cautions that DOE will make the WIPP facility a high-level waste dump, Carlsbad leaders are welcoming the idea of downblending the nation’s weapons-grade plutonium with inert materials so it can be permanently disposed of at WIPP.

Mayor Dale Janway has written to NIMBY Senate Minority Leader Harry Reid, D-Nevada, that “if non-proliferation is your intent, then the clear path forward is disposal in WIPP. This is a national decision, we recognize that. But we are a community of taxpayers, within a state of taxpayers, and we volunteered to host a defense-only deep geologic waste disposal facility that permanently removes risk from the biosphere.”

Southeastern New Mexico has done more than any other community, company or government leader to offer a safe, long-term storage solution to the tens of thousands of metric tons of nuclear toys the nation has left lying around. Its weapons-grade proposal deserves serious consideration and, if approved, remuneration.

_____________
* This viewpoint paper was not peer-reviewed. It is reprinted with permission of the Albuquerque Journal from an editorial by the editorial board printed on September 26, 2015. Copyright 2015 Albuquerque Journal.

Journal of Physical Security 8(2), 42-53 (2015)

Viewpoint Paper

The IoT and the Ability to Defend Against the Silent Intruder

[email protected]

Chair of the IEEE Par 1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group

Introduction

A Working Group on Privacy and Security Architecture for Consumer Wireless Devices—based upon the IEEE Project Authorization Request 1912 (P1912)—first met in July of 2015. The purpose of the Working Group is to develop a Standard for Privacy and Security Architecture for Consumer Wireless Devices. The Institute of Electrical and Electronics Engineers (IEEE) is a professional association with more than 400,000 members worldwide. It supports the educational and technical advancement of electrical and electronic engineering, telecommunications, computer engineering, and allied disciplines.

The resulting P1912 architectural standard will establish a common communication protocol to enable relationships among disparate consumer digital wireless technologies and devices. The architecture envisioned by P1912 will permit control over devices, through the use of unique identifiers, which are inherent in wireless technology or can be assigned by individuals, through subnets or private geo/location-proximity fencing protocols. Individuals will be able to establish an array of subnets, among two or more devices, to support the equivalent of private GPS systems within a radius, defined by radial points, bounded interior spaces, or geo-locations.

Where has digital communication been, and where is it going? The network computing communication environment evolved from rivers and streams of information formed by two-way data flows over coaxial cable or twisted pair connections among networked devices. Later, these rivers and streams formed ponds, pools, or lakes created by wireless area networks. Today, we are on the verge of creating vast oceans of digital data rich environments that will cover a home, office complex, industrial park, city blocks, towns, cities, or nations depending on the resources allocated and the innovations that will be enabled by the Internet of Things (IoT).

We may be fast approaching the verge of a global civilization that would have the capability if not the will to account and chronicle all activity on a micro- and macro-level. The ability to collect detailed bits on a granular level combined with the IoT could enable the collection of many bytes of data regarding human beings at nearly every stage of life.

The projection of the capabilities and qualities of computing into physical space will allow for the collection, retention, analysis, and sharing of information on health, education, abilities and deficits, successes and failures—in short each life could be an open book. The IoT will not only create pools of data that isolate each person’s life experiences, but will place those life experiences in the context of places, things, events and other lives both close and distant.

In 2010, a research project funded by the Wall Street Journal generated enough topics for the paper to publish a series of stories entitled, What They Know. The Wall Street Journal’s series was made possible by the broad adoption of smartphones, which are the leading wireless personal computing device constantly in the hands of individuals. Smartphones encompass every form of human communication conceivable. Smartphones enable two-way wireless sharing of data, which include audio, video, photographic, text, and visual content.

The study of smartphone usage is revealing the lives of people as they are described through the data on devices, as well as their location and proximity to other devices. These data are further augmented by how smartphone usage changes over time as well as individual users’ reactions to data received or sent. Human relationships observed by researchers with access to moment-by-moment smartphone usage data for both casual and very intimate communications reveal more than most would assume possible.

Those responsible for the physical security of companies engaged in sensitive negotiations; or on the verge of mergers, acquisitions or other major activities should take note. Leaking of sensitive information or the warnings about potential problems may come by many means, including changes in smartphone usage patterns among key employees.

Before the full realization of the IoT, there is already so much data that human beings are unable to process it—which is why terabytes of data are being stored until technology and innovation can catch up. It is inevitable that the terabytes of knowledge collected by IoT fed networks or cloud servers will have to yield analysis, decision-making, and actions to be taken to automation. However, before that day arrives, there is work that must be done to make the IoT secure end-to-end: its applications, firmware, and hardware must be trustworthy, resilient, privacy-centric, and cyber secure—which is the goal of P1912.

How will we know when the IoT age of ubiquitous computing arrives?

The full integration of the IoT in every aspect of daily life will be silent with the exception of glitches or problems that are too public to ignore. There will not be an IoT drum roll, but there will instead be the introduction of once physical tasks being performed by automated processes. Initially the tasks removed from the list of routine human control such as turning on lights or adjusting the temperature of a room may be noticed, but quickly the novelty will fade and future iterations of the technology and innovation will remove the physical controls without much notice. As more functions are taken over that once
performed by maintenance and custodial staff, the only people who may notice are those who work unscripted staff hours.

Municipal governments leading the way on IoT adoption

The pace that municipal governments are moving to invest in ubiquitous wireless access for residents—coupled with the growing number of private and quasi-private wireless networks offered by tourist areas, private venues, and businesses—will continue to expand IoT infrastructure. Some of the first beneficiaries may be the budgets of governments that can remove the cost of paying for meter readers and traffic enforcement officers from the mix, and let the computing functions of automobiles deal with wireless sentries stationed within a jurisdiction when vehicles are illegally parked or exceeding the speed limit. Governments could be attracted to the potential income and the ability to incorporate a more just policy for awarding tickets and fines.

The days of the night watchman may be numbered as well. What company will resist cutting night security personnel for a 24/7 live feed within a sensor network that is ever present throughout the physical space that is to be secured?

Citizen-consumers will benefit from the IoT as their daily routines can be synchronized to the level of a senior executive working at a large firm, or that of the head of a government department or agency. Individuals can experience the benefits of a minute-by-minute synchronized life as the movements of a bus are tracked and synced with the pre-determined arrival time desired, which movement can be used to adjust when the alarm will sound, when the coffee or tea maker will start its cycle, when the water will be heated for a shower, and when (if necessary) a message is sent to a supervisor updating them on arrival status.

Why is P1912 needed to secure physical space?

The security of physical space is about to inherit many of the security vulnerabilities that plague cyberspace; perhaps some new threats will arise that have not been considered before the existence of a pervasive ever-present wired physical world. The threats posed to computing devices include viruses; worms; Trojan horses; botnet creation, capture, and exploitation; pharming; phishing; denial of service attacks; and other cyber security threats executed by internal and external sources that intend to undermine the proper functioning of physical security that incorporates or relies upon computing devices. These are only the things that people may attempt who intend to do harm, but threats can extend to actions by insiders that cause harm without the intent to do so.

There are a range of threats presented by unintended actions by insiders that include introducing devices into the work IoT environment that carry exploitable vulnerabilities that could be seized upon by opportunistic applications or technology that probe the
environment for stray information to collect and report back to cloud services or networks hosted by data and financial thieves.

Physical security in IoT environments will present challenges because of the number, diversity, and fluidity of digital technology that will traverse physical spaces. Another challenge will be the speed that devices will change; the ability or willingness of manufacturers or providers to update software on every type of IoT device; and to what degree remote actors (such as criminals, nation/states, or intellectual property thieves) may be able to explore potential vulnerabilities in larger, more complex systems by using very simple IoT-enabled technology.

Unfortunately, individual control over the data that may be collected from an insecure router may be limited—this was the argument made after it was discovered that Streetview technology collected data from unencrypted private wireless routers in the homes or businesses on streets it was mapping.

Businesses large and small will adopt IoT technology without hesitation because of the tremendous opportunities for cost savings. Lowering electricity bills based on actual usage; smart light bulbs that reduce output or completely turn off when sensors in a space indicate that it is unoccupied; employee credentials that not only act as a time clock, but a location service while employees are at work; and sensors that regulate the function of everything from water coolers to elevators based on a “just in time delivery” of only what is needed and exactly when it is needed.

This will usher in an opportunity for much of life’s reflexive responses to changing conditions in the physical environment to become seamlessly automated: e.g., changing the thermostat or micro-interior climate control features that allow for settings based on the number of occupants in a room or space.

Innovation will move at unprecedented pace, as new physical designs for everyday consumables will be changed to work as a node in the Internet of Things. The same light bulb from the same manufacturer will now have a wireless interface that allows it to send and receive wireless communications. The same is true for the fleet of vehicles large and small that are used by employees on or off the campuses of companies or organizations.

In this fast paced environment, one of the important protections for digital communications may not be available either through design or due to the limited capacity of the IoT device. Password protection may be unavailable for many passive IoT wireless devices and this may further challenge physical security.

Exploitation of weaknesses found in the poor, or inefficient design of software or IoT device security may facilitate broader discussions about its implications for physical vulnerabilities and security threats. The IoT appears to be about to project the power of computing into physical space without much consideration for the totality of the vulnerabilities and threats that may be imposed on once controlled and secure environments.

There will be no barriers within the IoT that will preserve physical security of businesses, government, or personal spaces unless they are created through broad voluntary adoption of standards that work both in theory and practice to address real-world challenges to physical security, privacy, or confidentiality.

Why should the security and privacy of IoT technology matter to physical security?

Physical security relies upon control over who or what can enter or exit a defined area or space. The challenge to physical security posed by the IoT is a lack of security over the wireless communication signals and/or devices that may enter or exit a space. The following are incidents that foreshadow some of the challenges to physical security in a world dominated by the IoT. Security professionals responsible for facilities that rely on industrial control systems should be aware of new paths that may be used to access networks to cause disruptions to threats posed by cyber attacks that can result in physical damage to equipment.

A light bulb exploit

In 2014, it was reported that a LiFX system of Wi-Fi remote controlled light bulbs designed to work with a smart phone had a security vulnerability. Sensors on light bulbs designed to operate in conjunction with a smart phone offered an opportunity for a breach of other systems. The problem was discovered in the bash shell of applications that translates commands from a device’s operating system, in this case the command to a light bulb to turn on or off. The problem is that the bash shell program also queries the device for additional information that it will then automatically collect and take into the operating system interacting with the light bulb. The extra information could include malicious code in the form of a computer virus, worm, Trojan horse, or other code that, once behind the firewall of a computer network, could do harm. This is a real threat and one that has no solution at present, and may be hard to detect if it has been exploited. We may not know for months if thieves have used it and what the outcome in damage might be.

IoT enabled intercom systems (baby monitoring technology)

In September 2015, two years after the first cyber security warning regarding the security vulnerability of baby monitoring technology, it was reported that 9 baby monitor models from top manufacturers remain vulnerable to hacking. There are documented cases of monitors being breached, allowing unauthorized voice communication from hackers over the communication system, and external access to video live feeds from babies’ rooms.

Physical security of vehicles is in question

In 2015, researchers gained remote access to a Jeep Cherokee and took control of physical functions such as climate control, windshield wipers, and the sound-system. They could even turn off the engine while the vehicle was in motion. Automobile manufacturers, not just of the Jeep Cherokee, understood that the computing systems of their vehicles could be compromised and took action to close the cyber security risk that had consequences for the physical security of their vehicles and the safety of their customers.

Physical security of industrial control systems

In 2010, Stuxnet—roughly 500 kilobytes of code—became known to computer security experts who identified it as a hybrid computer-worm designed to destroy physical equipment. Its target application was reported to be the gas centrifuges used by Iran to enrich uranium. Stuxnet was released in 2005 and is believed to have caused significant damage to the equipment used by Iran to reportedly enrich uranium based on reports by U.S. and Israeli officials, as well as the Institute for Science and International Security, an independent think tank. Iranian officials acknowledged the Stuxnet worm was found in industrial software used to operate centrifuges in their Natanz nuclear facility. A report by the Institute for Science and International Security assessed that 1,000 of 8,000 centrifuges at the Natanz nuclear facility had to be replaced, and by November, Iran suspended enrichment due to technical problems with its centrifuges.

According to a September 2010 Symantec report, there were 100,000 Stuxnet-infected computers worldwide of which 60,000 were in Iran. Stuxnet is stealthy, and until some worm is discovered that can do stealth better, it is at the top of the food chain for worm code. Stuxnet moved from system to system through connected and unconnected computing technology using the Microsoft Windows Operating System. If a machine was not connected to a network, sticking a USB drive into an infected machine, then into the uninfected machine was sufficient for Stuxnet to spread. Once Stuxnet is inside of a machine or network, it replicates itself.

Stuxnet also sought out “Siemens Step 7” software, which was also Windows-based and used to program industrial control systems that operate equipment. This allowed for the hackers to collect data on the machine’s operation, and take control of the machine—giving it instructions that in the case of the centrifuges exceeded safe operational parameters.

Researchers who studied the Stuxnet code for months believe its origin is the United States and Israel, while others attribute the source to China. Russia also has the capability to develop the weapon. The lack of attribution by those who released Stuxnet makes it impossible to definitively place blame.

However Stuxnet began, by 2012 United States government officials started to warn of a “Cyber Pearl Harbor”. Stuxnet is not limited to harming the function of gas centrifuges used to enrich uranium, but can damage or destroy machines or equipment controlled by industrial control systems used for a range of non-military purposes. The capacity of Stuxnet to destroy equipment or make it unusable poses a threat to physical security.

According to the IEEE Spectrum article, The Real Story of Stuxnet, its path into systems took the route of most predatory worms—it exploited one or more vulnerabilities in the host system. In Stuxnet’s case, it used 4 “zero day” vulnerabilities, which were previously unknown or were never widely used that could attack or infiltrate Microsoft Windows operating systems. Typically, these types of vulnerabilities are used to steal credit card information, personally identifiable information on customers or clients, intellectual property, or financial transaction data for monetary gain.

In the case of Stuxnet, the zero day exploits were used to implant a stealthy malicious worm program that would cause physical damage to property. In short, Stuxnet was written to damage another nation’s critical infrastructure, but it could have been written to damage a competitor’s assembly line equipment, a distiller’s processing machinery, cloth maker’s weaving machinery, any number of food processing or storage processes, water treatment facilities, or electricity generation capacity. The list of potential Stuxnet targets is nearly inexhaustible the more technologically advanced the society.

Once Stuxnet entered the operating systems, it spread to control systems with a specific mission to disrupt or destroy physical equipment by tricking the system into thinking one set of physical facts are true regarding the state or condition of the system, and then the system’s computer automated program components took action. The action taken is what caused the damage because the underlying facts accepted by the system as being true were in fact false. In other words: if a convincing lie can be told to an industrial control system, then the system can be tricked into harming itself.

There is one additional worm program addressed in the IEEE article, “Flame,” which is about 40 megabytes in size and is believed to be an earlier version of the now infamous Stuxnet. The Flame worm was designed to collect data and send that information to its sponsors in small amounts over time to avoid detection. This spyware worm could exchange data wirelessly with Bluetooth-enabled devices further than the standard communication range up to 2 kilometers if a directional antenna linked a Bluetooth computer. In the days of war driving, a Pringles-can would suffice as an antenna for an unsecure Bluetooth wireless router or hub.

The Flame worm appears to have been introduced through an update to Microsoft’s Windows 7 operating system, which is phenomenal because to get Windows Operating system to accept an update it has to authenticate that the request source of the update is legitimate. The only way to get the Windows Operating system to do this is to have the encryption key that Microsoft uses to secure its operating system, which should only be known by Microsoft. Microsoft would have a secure algorithm and would rely upon a highly secure key that would require significant computing capacity to acquire the key through brute force attack.

It would be hard to imagine that Microsoft would not have taken precautions against an insider threat, so that leaves open the question of who would have the resources to expend to get Microsoft’s Windows operating system update key.

Stuxnet or Flame worms can be altered to attack a wide range of industrial control systems or critical infrastructure. Stuxnet-derived worm code could be written to damage water treatment and delivery systems, electricity delivery systems, industrial control systems used by food processors, ports operations, or automobile assembly lines.

Laying the groundwork for seeking out vulnerabilities to exploit and therefore to defend, Hungarian researchers in September 2011 uncovered “Duqu” a program that was designed to steal data regarding industrial control systems.

What will be the IoT physical security challenges of complex operations?

Thinking about this question gave me pause because the ubiquitous IoT is not yet present to learn what it will mean to have a wireless communication-rich environment without a single entity empowered to control it. Fortunately, there is some research on a major critical infrastructure area of concern for cyber safety and security—deep-water and container ports.

Title 33, Chapter 29, Section 1502 of the United States Code defines a “DEEPWATER” port as “any fixed or floating manmade structure other than a vessel, or any group of such structures, that are located beyond State seaward boundaries and that are used or intended for use as a port or terminal for the transportation, storage, or further handling of oil or natural gas for transportation to or from any State.” The definition “includes all components and equipment, including pipelines, pumping stations, service platforms, buoys, mooring lines, and similar facilities to the extent they are located seaward of the high water mark” and cover waterways to depths of 30 feet or more that can manage ships that are the maximum size that the Panama Canal lock systems can handle.

There are also container ports located on land built to manage large volume container cargo, as well as industrial and manufacturer products that comprise high-volume sea commercial imports and exports. Hundreds of millions of twenty-foot equivalent units or containers are processed by ports around the world each day.

The security of deep-water and container ports has been wedded from their earliest beginnings because cargo was personal wealth and nation-state commerce. The volume of activity at deep-water and container ports made innovation and computing necessary for automation of facilities to manage port functions. However, no one system manages everything that happens at deep-water and container ports. Arrivals and departures may be managed by one system; loading and offloading by another entity; container management by another provider; employee access by another system; and private companies may track their cargo using proprietary systems.

The number, type, and severity of cyber threats experienced by ports, service providers or port customers are unknown. The preference is not to report incidents and to pay or absorb costs resulting from breaches or thefts. The other reason for underreporting is likely that companies and ports are unaware that their cyber security has been breached.

An October 15, 2014, report by CyberKeel entitled, Maritime Cyber-Risks, reported on financial thefts; alteration of carrier information regarding cargo location; barcode scanners used as hacking devices (a variation of the light bulb vulnerability described above); targeting of shipbuilding and maritime operations; cyber enabled large drug smuggling operations; compromising of Australian Customs and Border Protection; spoofing a vessel Automated Identification System (AIS); drilling rig cyber attack; vessel navigation control hack; GPS jamming; vulnerabilities in the Electronic Chart Display and Information System; and a Danish Maritime Authority breach.

Man-in-the-middle attack

The financial-based maritime cyber risk is the same in regards to motivation and intent—theft from bank accounts by tricking a legitimate company into paying funds into an illegitimate account held by thieves who are posing as a trusted business partner. The FBI issued a warning in December 2013, using 3 cases as examples that cost $1.65 million in transfers to thieves. These were man-in-the-middle attacks where the thieves inserted software in the e-mail communications of a company and waited for legitimate communications that bank account information had changed for an existing business relationship. At that point, they would insert themselves into the exchange and provide erroneous bank account information after intercepting the communication with the correct bank account change information. They would then confirm the receipt of the change of account information to the source of the change request. When payments were eventually sent, they went to the thieves’ account and not the business that should have been paid.

It is important for businesses to note that U.S. financial protection laws that are used to cover personal losses due to identity theft associated with credit cards do not protect against thefts from businesses, including for businesses that process EMV credit cards (chip and pin) on non-EMV compliant devices.

Deletion of carrier information

In August 2011, an incident of deletion of carrier information regarding the location of cargo occurred against the Islamic Republic of Iran Shipping Lines. The attack damaged all the data related to cargo ship contents, which meant that no one knew where any containers were or the status of containers—off-loaded, picked up, or still onboard ships. The data was eventually recovered, but the disruption in operation of the business was significant.

Barcode scanner hacking tool

The attack was named “Zombie Zero” and involved malware hidden in the software for barcode scanners of at least 8 different companies. The malware activated when the barcode readers were connected to company networks. When connected, the malware launched a series of automated attacks searching for the location of the financial server. Upon location of the financial server, the malware would compromise the target server to be taken over. One account of this attack had the company’s control over their financial server transferred to a server in China. The CyberKeel report stated that, “The manufacturer providing the scanner was also located in the same physical area as the location of the remote control.”

Australian customs exploit

A cyber-crime organization breached the cargo system of Australian Customs and Border Protection, which allowed criminals to verify that their shipping containers were viewed as suspicious by the police or customs authorities. This allowed criminals to abandon contraband that would result in arrests or confiscation and focus on what they knew would be released without difficulty.

Spoofing AIS

Automated Identification Systems may be used for entities managing fleets of vehicles, or access cards for employees, but in either case, it is important to understand that if these systems are vulnerable to breach or have been breached they are not trustworthy. In the case of ships, a test in October 2013 by Trend Micro demonstrated that a cargo ship’s AIS could be breached using $200 in equipment. This breach would allow modification of the reporting on a ship’s position, course, cargo, speed, and name; send false weather information; trigger a false collision warning alert; allow the ability to impersonate marine authorities; create a fake man overboard distress beacon; and increase the frequency of AIS data transmissions which can cause a DoS attack on those receiving that data. With a denial of service attack (DoS), so much data is being sent that the recipient cannot receive the information nor have the capacity to receive AIS information from others.

Drilling rig cyber attack

In 2010, while a drilling rig was being moved from the construction site in South Korea toward South America, its critical control systems were infected by malware that shut it down for 19 days to fix the problem. A similar attack on a rig reported off the coast of Africa caused it to be shut down for a week.

GPS jamming and spoofing

A backpack GPS jammer is legal to obtain and costs $10-20,000.00 with a range of 3-400 meters. People on land, in flight, and at sea rely upon GPS for navigation and for this reason disabling a GPS system can present serious consequences for safety and commerce. The test of one GPS jammer resulted in the failure of the electronics chart display and information system, AIS, the dynamic positioning system, and the ship’s gyro calibration system among other systems. Surreptitious GPS attacks involving GPS spoofing, not just jamming, have been demonstrated. This is where phony time and location is sent to GPS receivers.

These are some of the cyber vulnerabilities known to exist in maritime environments. The chronicling of these vulnerabilities provides a view into a world where good physical security has long been the goal, and the introduction of computing has introduced a new level of threats that are both old and new.

The larger security challenge is not the cataloging and addressing of vulnerabilities introduced by known wireless devices or technologies, but rather the reality that the state of vulnerability will never be static. It will be impossible to control the number and types of IoT technologies that will be in any given space.

Should the IoT be feared?

This paper was meant to raise issues and questions regarding the physical security of industrial control systems, energy efficiency systems, and methods for managing the accounting of products and materials, labor, and resources, among other things. The IoT is
going to change the world of physical security forever. Physical security professionals will need to meet with IT personnel, the CISO, and others to start looking at how to approach physical security of industrial control systems.

Large complex environments such as deep-water and container ports offer the worst set of conditions for cyber security—high probability and high impact situations. Critical infrastructure or vital functions within physical environments should be assessed and classified as low, medium, or high for analysis of the risk of something happening as well as the assigning of a rating of low, medium, or high consequences should a particular event occur.

Where does P1912 fit in the security and privacy of the IoT?

The IoT will force a continuous evaluation and re-evaluation of the societal definition of “what is secure.” IoT will drive the security risk moving into physical space, which is an extension of the current Internet’s capabilities. The Internet was not built for security, but to make sure that messages get from the sender to the receiver.

P1912 will focus on security and privacy with equal weight. Privacy can be called “confidentiality” in the context of businesses. Privacy assures when, where, why, and how data about an individual are under the individual’s control. The smart grid and other advances that bring the IoT into homes and businesses through applications and technology that report on energy consumption every 15 minutes or less will introduce the potential for authorized and unauthorized energy surveillance.

P1912 offers an opportunity to develop a voluntary communication architectural standard to create greater simplicity and ease of use that supports privacy and security. A common communication platform that bridges the communication divide that exists among wireless technology (e.g., RFID, IP, NF or other wireless technology) would create options for users to control access to personal and consumer digital devices. The goal is to use the capacity of the IoT in a physical space to allow flexibility in securing the data and the space from harm, abuse, or misuse by others.

Establishing a common architecture will support end-user ease of use of security and privacy options. The common architecture can support unique device recognition among wireless digital devices and technology. P1912’s common architecture will allow development based on this standard for a range of applications and digital technologies. Ultimately, the standard can aid in preventing theft, abuse, or misuse of digital devices and stored information, and can help to increase privacy. At the same time, it will reduce the need to rely on passwords or PINs to establish legitimate access. Adoption of technology requires greater security and ease of securing wireless enabled digital devices. This standard will support flexibility in the methods that may be employed by users to exert control over or access the content on their digital devices.

This standard would provide greater consumer and user control over physical devices and technology, so as to fit them to the unique needs of individual users. Development of the P1912 standard will extend greater control to owners and legitimate users through a common architecture, while supporting innovation and broad adoption of RFID, IP, NP, wireless or other remote communication enabled devices and technology.

About the Author: Lillie Coney serves as Policy Director for a senior member of the House of Representatives. She is also President of Bruce Corporation, a privacy and cyber security consulting company. Ms. Coney chairs the P1912 Working Group discussed in this paper. Formerly, she worked as the Associate Director of the Electronic Privacy Information Center.