You may have heard the term “risk assessment” before. In the security industry, it seems like everyone is performing, designing, or at least talking about risk assessments. With the amount of information out there, it’s important to understand what a risk assessment is, why it matters, and how to do one. This post is designed to serve as a guide for creating a simple risk assessment, good for a homeowner, business, or other low to medium-level threat scenarios. By the end of this article, you should have a solid foundation to be able to assess and prevent you most likely and most destructive threat scenarios.
What Is a Risk Assessment?
A risk assessment is a process used to determine threats to security and how to protect against them. Sometimes it’s simple brainstorming, but often it becomes a deliberative process that includes threat assessments, vulnerability assessments, and a number of other steps. We’ve boiled it down to four steps: Pre-Threat Assessment, Prioritizing and Planning, Contingencies, and Evaluation.
The first step in your risk assessment is to consider all likely threats. Notice I didn’t say all possible threats. Is it possible that a heist team will blow your door off its hinges with C4, ransack your house, and escape by helicopter? Sure, but it is far from likely. You have to honestly assess the factors that play into this. Do you live in a high crime area? Are you a person of interest, celebrity, or some other attractive target? Have you been the victim of a crime before? Be honest with yourself but leave no stone unturned. We spoke with security expert Tim Wenzel to learn about his approach to threat assessments. He recommends the following steps when determining your unique threats:
For most homeowners, you’ll find burglary, armed robbery, home invasion, or some other variant of these crimes. Maybe an arson or two. Regardless of what your likely threat is, spend some time brainstorming and come up with the top 3 threats that you hope to guard against. Once you’ve settled on your top 3, rank them in order of how much damage they would cause. “Damage” isn’t limited to physical damage to the property, but can include physical or emotional harm to people involved. For example: if your biggest concern is burglary while you’re out of town and your second biggest concern is a break-in while you’re sleeping, you might have your priorities mixed up as number two is almost invariably more damaging.
Prioritizing and Planning
Identify which threat is most damaging and most likely. Think of this like the overlapping section of a Venn diagram.
This will be different for every building, scenario, and person. If you are performing a risk assessment for a property you rarely use, and one that doesn’t contain much of value, burglary might cause minimal damage. If you are performing a risk assessment for your family home (where your children live) in a well to do neighborhood, burglary would be devastating. Have your priorities in order and make sure you hit on the correct threats. From here, the risk assessment will revolve around this threat and what can be done to mitigate it. Start to think about countermeasures, procedures, or other ways to stop the threat or make it less damaging.
Figuring out how to improve your security can be overwhelming and it’s worthwhile hiring a professional security consultant to guide you through the process. A security consultant who specializes in this area can make sense of your options and help you understand important dos and don’ts.
In addition to Tim, we spoke to Chris Chapeta of Bastion Projects. Chris' approach to securing a home or building revolves around two concepts: architecture and systems. Architecture refers to the layout and construction of the building as it relates to security risks. Think about the possible security risks that are built in to the structure.
Lots of physical features will play into this:
Systems refer to the operation of the property (daily life) and security devices you might employ. You should think about procedures and habit. Some things to factor in are:
These questions need to be answered so that a successful security plan can be developed. There should be hard and fast rules that all members are aware of and actively follow.
No matter what security measures you choose or which experts you consult, you need a plan B. As we’ve covered in our previous blog posts, all security measures can be defeated with enough time, the right tools, and skill. Plan B is not some magic bullet but rather evacuation. Every office building, school, and government facility has plans in place to evacuate when something goes terribly wrong. You should have one too. Know your exits and make sure you keep them unobstructed.
Remember: this whole process is an assessment. You have to assess the risk, but also assess your response to the risk. Once you decide on your security measures. Sit down with your team, family, consultant, etc. and discuss whether or not your plan will meet your needs. If not, start from scratch. A risk assessment should always be a work in progress. Improve upon your plans, your safety depends on it.
What's the purpose of a door? A door is designed to allow access to, or exit from, a building, location or vehicle. They can often be locked so that only the right people with a key can get in. Even the strongest forced-entry resistant and bullet resistant doors we produce at Shield don’t serve a purpose if they’re not locked. Opening an unlocked door isn’t forced-entry, it’s just entry.
A major (and often overlooked) component in security is your routine. Failure to develop good security habits puts the safety of you and your loved ones are at greater risk of being harmed and falling victim to a home invasion. The most important of those habits is locking your doors.
According to a 2010 New York Times article, less than half of homeowners lock their doors. Of those surveyed, many who did not lock their doors were surprised to learn that some people found that practice strange.
What's strange is making critical security decisions based on emotion or the sense that you live in a safe neighborhood and as a result aren't at risk.
Most of these people don’t believe they're gambling with their safety and security. Some feel they don’t need to lock their doors because they live in a safe area, because they have a doorman in their apartment building, or because they have never heard of crimes near their home. None of these are good reasons to leave a door unlocked.
Not locking doors is the #1 security sin you can commit. Regardless of who you are, where you live, or what your bank balance is, don’t gamble with your family’s safety. Lock your damn doors.
YOUR ALARM ISN'T GOING TO KEEP YOU SAFE: THE WEAKNESSES OF THE TRADITIONAL APPROACH TO RESIDENTIAL SECURITY
One of the most common mistakes made by homeowners is the belief that installing a security system (e.g. an alarm) makes them impervious to threats such as a break-in. Security products are designed to achieve a range of objectives: deter potential intruders, alert you of a breach, record an event, buy you time by slowing down an intruder, etc. But no security system, be it a door, alarm, camera, or moat is impenetrable. Security can always be defeated.
The objective of a comprehensive security system is to buy you enough time for the police to respond or to retrieve a weapon before coming directly into harms way. Again, it’s a function of time. Whether you live in Fort Knox or a trailer, if a determined intruder has the right combination of tools, skills, and time, they will get in.
The Alarm System Fallacy
American families disproportionately rely on alarms for security, with approximately 15% of homes having one. Alarms serve two purposes: deterring some opportunistic burglars and alerting you to an intruder. Homes without an alarm are 300% more likely to be broken into than a home that has one. Alarms will deter some opportunistic intruders in search of a soft target, but it will not deter all opportunistic intruders and it will not deter a determined intruder who has done their research and is well prepared.
The second purpose of an alarm system is to alert you of a breach. This is an important function that allows you, your alarm company, and the police to respond more quickly than if you didn’t have an alarm. However, police response times vary significantly. The average nationwide response time for burglaries “in progress,” that have been verified by a 911 call, is 7 minutes. The average response time for unverified alarms is 30 minutes.
Most break-ins occur in less than 60 seconds.
An alarm isn’t going to stop a burglar from breaking into your home. It buys you a few seconds by alerting you as soon as their is a breach and it will deter some opportunistic burglars from trying. But by the time your alarm goes off, someone is already inside your home and chances are they will be gone long before the police show up.
CCTV and Surveillance Systems
Like alarms, the function of camera systems is often misunderstood. In residential settings, cameras are usually installed to record an event. They also have a deterrent effect, like alarms, because a potential burglar who notices cameras is less likely to target the home because they are more likely to get caught when the police have video evidence. At the same time, wearing a mask or balaclava easily negates it’s ability to identify an intruder, and a home with a camera might be seen as having something worth stealing.
Tim Wenzel of Facebook succinctly addressed the role of cameras in a recent article. He wrote:
“Cameras provide security.” No, they do not. Cameras are an investigative tool.
If you require them as a security tool, someone will need to be watching them."
Cameras will deter some opportunistic burglars and should help in identifying and prosecuting those responsible. But on it’s own, a camera is not going to stop a determined intruder from breaking in to your home and unless it's monitored, it doesn't buy you any time to react. It’s not going to keep you safe.
Alarms and cameras are important parts of a comprehensive security system that includes physical forced entry barriers such as reinforced doors and windows. On their own they have a deterrent effect, will alert you of a breach, and record the event, but will not prevent a determined intruder from gaining access. The core function of alarms and (unmonitored) cameras only kick in once an intruder is already in your home.
A comprehensive security system must include barriers that prevent forced entry, slow an intruder down, and buy you time to assess the situation, call the police, and/or retrieve a weapon. Even if high security doors are not in the budget, there are inexpensive, off-the-shelf products that will make your doors and windows more secure.
One of the most frequent challenges we deal with is “right-sizing” security: matching our security recommendations with a client’s needs. To do so, we have to overcome misconceptions and the “Hollywood” effect, which usually lead clients to seek a much higher level of security than they need.
We discuss their specific threat scenario and risks, educate them on the range of available security options, and propose options that actually address those risks.
New clients often request unnecessary (and expensive) security features that—considering their threat scenario—they simply don’t need. People have been conditioned by Hollywood and news media to associate things like bullet and blast resistance with security. However, those solutions tend to exceed client needs and overlook the far more common and realistic security risk we all face: forced entry and opportunistic crime.
The percentage of calls we receive for bullet-resistant doors is a reflection of this conditioning. Most of our clients, including millionaires and billionaires, are exponentially more likely to be robbed by an opportunistic criminal because they live in an exclusive neighborhood than be the subject of a credible death threat.
Another one of our favorite right-sizing examples is the RPG scenario:
Very few people have a need for a blast-resistant door to stop an RPG, but they like the idea because that’s what they’ve seen in movies.
Education: Forced Entry
Educating clients to help right-size security starts with an overview of our various forced entry door and window levels: 5-minute (FE5) and 15-minute (FE15), as well as the US State Department standard to which our doors and windows are tested.
Many clients reject the FE5 option because, in their minds, 5 minutes seems insufficient. It’s only after watching test footage that they realize an FE5 rating makes it more secure than virtually every other residential door on the market (with the exception of our FE15 door).
The State Department FE5 test consists of a highly skilled two-man team attacking three (3) distinct locations on the door for five minutes each (15 mins total) with a selection of axes, sledge hammers, wedges, and pry bars.
The State Department FE15 test consists of a highly skilled six-man team attacking three (3) distinct locations on the door for fifteen minutes each (45 mins total) with an expanded selection of axes, sledge hammers, wedges, pry bars, and 120lbs battering ram.
An example we use to help educate clients is from the Arab Spring. In September 2011, the Israeli Embassy in Cairo was overrun by a mob of several hundred protestors. The six Israeli guards on-duty that night took refuge in the embassy’s safe haven as the mob ransacked the Embassy, until Egyptian security forces arrived to assist them. For several hours, all that stood between the Israeli guards and probable death was an FE15 door.
If that’s what the Israelis are using in Egypt, maybe it’s overkill for your front entry.
We go through a similar process when discussing bullet resistance. We offer three options:
Right-sizing security to meet a client’s needs is a process that often leads to a smaller sale; however, it is the responsible and ethical course of action. Not only does it help build a relationship of trust with clients, but right-sizing should be a pillar of our code of ethics as security professionals.
Security threats come in all shapes and sizes, and Shield Security Doors are designed with that in mind. It’s important to understand the function of security doors: they buy you time. The idea of an “impenetrable door” is nothing more than a myth. Every door can be defeated, from Fort Knox to the White House bunker to your linen closet. All it takes is time, tools, and skill.
That’s also why security ratings for doors such as the US State Department forced entry standard and Underwriters Laboratory (UL) fire ratings are measured against time. The State Department forced entry standard has three levels: 5 minute, 15 minute, and 60 minute. UL fire ratings range from 20 minutes to 3 hours.
Here are some of the threats that our doors protect against:
Our goal at Shield is to provide a product that is reliable, versatile, and discrete. For this reason, each door is custom-made to meet the aesthetic and security needs of its environment. The combinations of designs and security features are virtually limitless. If you can think of it, we can build it.
Such a variety of options means that Shield doors and windows can be used just about anywhere. They are equally suited for an embassy in a high-threat country as they are for high-end real estate project in Manhattan. No two projects are alike, so no two doors are alike.
If you don’t care about aesthetics, securing your home is easy. You could put up a ten-foot chain link fence, top it with rows of barbed wire, steel bars on your windows, and replace your front door with an industrial steel door. That will pretty much guarantee your home is well defended from intruders. It will also guarantee that you have the most visually unappealing home on your street and create several other problems:
Despite the fact that these measures do in fact secure your home, they would still attract plenty of unwanted attention. That is a security risk in and of itself. You don’t want strangers and suspicious neighbors taking pictures or poking around in your business. The most secure home is the one that hides in plain sight, not the one that is known throughout town because it looks like a prison.
At Shield, we believe that the secret to good security is to keep it a secret. All our doors and windows are custom made and can resemble anything. We offer the same forced entry, ballistic, and fire certifications as the ugly industrial steel doors, so you don’t have to choose between security and aesthetics. We can turn your home into a fortress without changing the architecture or design.
In order to be forced entry and ballistic resistant (FE/BR) certified, doors have to pass a grueling series of tests performed to the US State Department Forced Entry standard, SD-STD-01.01 Rev. G. This is the testing performed on doors installed in US embassies around the world, as well as other important government offices and facilities. There are three forced entry levels: five minute, fifteen minute, and sixty minute.
The Shield Embassy Series door is rated to the five (5) minute level while the Shield Fortress Series is rated to the fifteen minute (15) level.
Forced entry tests involve a team of attackers trying to breach the door by exploiting weak points in the allotted amount of time. A five minute test consists of a five minute attack on the lock side of the door, five minutes in the center of the door, and five minutes on the hinge side of the door. Naturally, the fifteen minute test consists of fifteen minutes spent on each attack point.
The five minute test calls for a two-man team while the fifteen minute test calls for a six-man team. A variety of tools are used in the testing, including sledge hammers, axes, pry bars, picks, wedges, and a battering ram.
Since the testing team spends five or fifteen minutes on each location, an actual intruder would need significantly more time to penetrate the door.
The attack locations are all considered dissimilar areas: hinges, seams, and the like. The goal is to open, remove, or penetrate the door to a large enough degree that they can pass a standard-sized testing object through the opening.
For the ballistic test, the doors must withstand dozens of rounds placed in specific shot patterns on the door and frame using 5.56mm and 7.62mm NATO rounds. Each shot is lined up separately and fired using a test barrel in order to keep to the requirements laid out in the standard.
Passing these tests is the ultimate seal of approval and ensures that customers know they are getting a quality product that will keep them and their families safe no matter who comes knocking at their door.
A recent article by Fortune.com covered the security risks of using IP-based and other online security systems. Last month, hackers infiltrated the smart locks used by the Seehotel Jägerwirt hotel in Austria. The hackers locked guests out of their rooms and disabled the hotel admins from using the system. This attack came at the peak of the skiing season and the hotel was fully booked. The hackers demanded a ransom to be paid in 1500 Euros worth of Bitcoin before eventually giving up control of the smart locks.
This wasn’t the first time this hotel has been compromised, and it likely won’t be the last, even if they change to a different smart lock. A Techcrunch.com article covering the Def Con hacking conference found that approximately 75% of smart locks have poor cyber security measures and are easily defeated. Thanks to Austrian fire codes, none of the guests were locked into their rooms or the hotel; the fire code mandated manual locks as backups in case of such an event. Despite the fact that nobody was in harm’s way this time, the danger is still incredibly real. In this instance, guests were locked out, separated from their belongings. This is a huge inconvenience and a financial issue for the hotel, but nobody was hurt. They very easily could have been.
The hackers had total control over the system that supported these locks. Suppose the hackers wanted to gain entry to the rooms instead of prevent it. It’s the same principal in terms of the security flaws. A hacker could disable every lock in the hotel while someone else entered the rooms as the guests slept. This scenario is far more deadly than a small ransom to let the guests back into their rooms.
We often get questions from our clients about controlling their doors with an app and the answer is always the same: no. We consider the risks of internet-based security/access control systems to be unacceptably high, which is why none of our door or locks are online. Anything connected to the internet can be hacked with relative ease, especially compared to what it would take to physically defeat our doors.
The IP connected security system used by Seehotel Jägerwirt wound up being such a hassle that the hotel will be returning to traditional locks on all their doors. Their experience with smart locks has been a costly mistake and valuable lesson that smart locks are not necessarily safe locks.
Several of our previous posts have referenced “ballistic resistace” (or bullet resistance) as a key feature of high security doors. Without seeing it in action, it might be hard to picture how this works.
We’ve all seen ballistic resistant glass in movies or on tv. The bad guys open fire and their shots are stopped by a pane of glass, now covered in spider web cracks. We use a much less dramatic, but equally impressive technology behind our doors.
On our UL level 8 (rifle) rated door, we sometimes utilize a “self-healing” system. The door is filled with ceramic pellets designed to absorb the impact of a round. As the round pierces the paneling or skin of the door, they crush the pellets behind it. Their energy is totally absorbed and the round won’t go any further.
The aspect that is “self-healing” is that once those pellets get crushed, the pellets above begin to trickle down and fill in any gaps. The door acts almost like the hopper on a pitching machine, with pellets falling from top to bottom to replace those destroyed by bullet rounds. This is how the doors can withstand so many rounds in the same location without penetration.
This is a major advantage compared to ballistic glass or steel, which lack the self-healing properties of ceramics and therefore have a much lower failure threshold than ceramics.