The Psychology of Security Design Applicable to Access Management
In order for security programs to be relevant and effective, they must be perceived as effective and contemporary. If your enterprise has not conducted an objective security assessment in the last five years, there is a high probability that your security program is not contemporary, and may be perceived as outdated. For security programs to be optimally effective, these programs must be perceived as effective and comprehensive by both the employees and the general public, including would-be perpetrators.
It has been said: You never get a second chance to make a first impression. However, you do get a chance to make a first impression on those who are visiting your property for the first time. You also get a chance to change negative first impressions by making contemporary security upgrades. The starting point for making a positive first impression is the functionality and design of how well external and internal access is controlled.
From a security perspective, what is access management? Access management encompasses human intervention, surveillance systems, interior and external lighting and way-finding information. Components generally include card access systems, lock & key systems, cipher locks and remote control locking systems.
In order for access management strategies to be effective, they must be perceived as effective on a consistent basis. Symbolism counts. Both real and perceived access management starts at the property line and ends at a vault, and/or high value cage, or a restricted space such as a hospital pharmacy or operating room.
The tolerance levels for access management programs vary from one application to another. For example, nuclear power facilities restrict access to only credentialed employees and vetted guests. Manufacturing facilities restrict access to employees, subcontractors and guests who are cleared for entry and given a visitor pass. Shopping malls have very little access management. Mall access management is loosely applied to management office space, loading docks and service corridors. To some degree malls rely on various forms of surveillance to deter criminal behavior. Access management of a mall atmosphere is generally more subtle than in a hospital, in part because hospitals have a multi-tiered approach to controlling interior access.
One of the most challenging venues for the application of access management strategies is, in fact, the hospital. With hospitals the challenge is to achieve effective access management without being too obtrusive. Therefore, access management is minimal at the property line. However, access management, for some hospitals, begins to ramp up for parking facilities (surface lots and structures). It continues to ramp up for those who enter buildings. However, the amplitude of access control applied to building entrances varies a great deal from one hospital to another, in part responsive to the ambient threat environment.
Hospitals are also faced with the conundrum of offering a welcoming environment on one hand, while being held to one of the very highest standards of care for keeping patients reasonably safe. For hospitals the greatest access control challenge is security for inner space. Even when using quality lock and key systems, cipher locks and various modalities of electronic access control systems, we find these methodologies misapplied. The primary emphasis is on the protection of inner space. Much of the premises liability litigation pertaining to hospitals often involves the question of the efficacy of access control.
This diagram depicts six levels of access management. Assume the innermost circle (1) is a high security target such as a vault or the heart of the IT system. Level 2 might include a controlled substance storage location. Assume the outermost circle (6) is the property line. The take-away depicted here is that the higher risk and higher value targets (including people) require increasing degrees of security redundancy. This model also assumes that security is very much a situational discipline, in part responsive to the ambient crime/threat environment metrics. Moving from 6 to 1 essentially requires greater degrees of security redundancy. Six layers may not be required for every enterprise, but the layering model is still relevant. This diagram also depicts the security deficit that will result if there is a fracture at any level. This diagram is also applicable to most public access venues such as malls, hotels, office buildings and even industrial environments.
In order to obtain optimal return on investment, access management systems must be effective, and even more importantly, they must be perceived as effective by both the public and the employees of the enterprise.
When it comes to access management systems, the means by which these systems are deployed may render the systems highly effective or only marginally effective. The outcome is largely determined by the primary objective. Security is at one end of the spectrum and convenience is at the other end. Security systems, by design, cause some inconvenience. For example, if all doors were left unlocked, ingress and egress would be easy, but security would be rendered impotent. It is not infrequent that we find access management systems that seem to favor convenience over sound security practices. Uniformed security personnel can go a long way toward ensuring the efficacy of access management systems, including how these physical security systems are perceived.
I have often told my clients that the role of access control systems is to define the suspect pool, if or when there is a security breach. The smaller the suspect pool, the greater is the deterrent value of the system. If the hospital pharmacy's access control system only admits 15 employees, and controlled drugs are at risk, each of those fifteen employees understands they will become a suspect if something goes missing, and is therefore far less likely to misappropriate drugs. On the other hand, if an employee is one of 150 other employees who had access to the pharmacy, deterrence is significantly diminished.
We understand that all hospitals, by regulation, limit access to the pharmacy; however, the analogy is still relevant. The point is, it is often the case that convenience determines access control for the rest of the hospital, thereby creating an enormous suspect pool and very little deterrent value.
Another example: we frequently find that there is an excessive use of master keys, as opposed to the issuing of change keys. Consider this: whether we are discussing change keys (one key, one lock), sub-master keys, master keys or grand master keys, whenever a key goes missing, every lock affected by the missing key should be re-cored. Consider the resultant cost of re-coring every affected lock, liability notwithstanding. The analogy may also be applied to cipher locks.
On the other hand, card access systems can cost-effectively permit specific employees access to specific portals at specific times of day, yet frequently the same mistakes made with key locks and cipher locks are repeated with access cards in favor of convenience and ease of access. Because security methodologies are intended to deter dishonest and criminal behavior, the smaller the number of persons in the suspect pool, the greater is the deterrent value of any of these access management systems. (By design, security methodologies may cause inconvenience.)
Decisions pertaining to access levels and access schedules should be aimed at limiting the suspect pools, as opposed to convenience of access. To do otherwise diminishes the deterrent value of the methodology. When access control systems, whether lock & key systems, electronic card systems or cipher locks, are designed with the primary goal of the furtherance of sound security, they will succeed. However, when these systems are designed in service of convenience, more likely than not, this approach will increase liability.
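The suspect-pool reasoning above, worked as an added example that is not part of the original article: given card-access grants with daily time windows, it lists who could have entered a portal during an incident window and the worst-case pool size over a day. The employee names, portals and hours are constructed for illustration.

```python
from datetime import time

# Constructed sample grants: (employee, portal, window start, window end).
# All names, portals and hours are hypothetical.
GRANTS = [
    ("pharmacist_a", "pharmacy", time(7, 0), time(19, 0)),
    ("pharmacist_b", "pharmacy", time(19, 0), time(7, 0)),    # overnight shift
    ("tech_c", "pharmacy", time(7, 0), time(15, 0)),
    ("facilities_d", "pharmacy", time(0, 0), time(23, 59)),   # convenience grant
    ("facilities_d", "loading_dock", time(0, 0), time(23, 59)),
]

def segments(start, end):
    """Split a daily window into minute ranges that do not wrap midnight."""
    s, e = start.hour * 60 + start.minute, end.hour * 60 + end.minute
    return [(s, e)] if s < e else [(s, 1440), (0, e)]

def overlaps(a, b):
    """True if two (start, end) daily windows share at least one minute."""
    return any(s1 < e2 and s2 < e1
               for s1, e1 in segments(*a) for s2, e2 in segments(*b))

def suspect_pool(grants, portal, incident_start, incident_end):
    """Employees whose grant on `portal` overlaps the incident window."""
    return sorted({emp for emp, p, start, end in grants
                   if p == portal
                   and overlaps((start, end), (incident_start, incident_end))})

def worst_case_pool(grants, portal):
    """Largest suspect pool over the 24 one-hour windows of a day."""
    return max(len(suspect_pool(grants, portal, time(h), time((h + 1) % 24)))
               for h in range(24))

if __name__ == "__main__":
    # Loss known to have occurred between 02:00 and 03:00.
    print(suspect_pool(GRANTS, "pharmacy", time(2, 0), time(3, 0)))
    # Same incident after the around-the-clock convenience grant is removed.
    tightened = [g for g in GRANTS if g[0] != "facilities_d"]
    print(suspect_pool(tightened, "pharmacy", time(2, 0), time(3, 0)))
    print(worst_case_pool(GRANTS, "pharmacy"))
```

Removing the single around-the-clock grant halves the overnight pool, which is the trade between convenience and deterrence the article describes.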
Recent acts of terrorism, including active shooter attacks, have given rise to the admonition, “If you see something, say something.” That admonition, and the objectives therein, must be inculcated in every employee. This includes those who are employed by shopping malls, hotels, hospitals, college campuses and gated communities. Security systems lacking employee involvement are diminished and are therefore perceived as mere symbols. Employee involvement must be encouraged. This means training employees not only how to recognize potential threats, but also what to do and whom to notify. Lacking employee involvement, even the otherwise best security programs are marginalized.
Another major component of this overall strategy is the effective application of fundamental CPTED (Crime Prevention Through Environmental Design) principles. Well-designed security programs are rendered impotent if they are not perceived (by both the visiting public and employees) as being effective and relevant. In fact, in many instances, perception is more important than reality. If a mediocre security design is perceived as top-notch, it will probably be effective. Conversely, if a well-designed security system is perceived as weak, it will probably not achieve optimal results.
In this article we have used the term "access management," as opposed to "access control." Access control systems usually do not fail. The failure occurs when the technology is misapplied. When deciding the level of access to be provided for each user, remember the goal of minimizing the size of the suspect pool to its lowest common denominator. Remember the goal is better security, not convenience.
This discussion is not intended to favor one security system over another or one brand over another. Security programs are, and should be, need driven. The best means to achieve this end is to periodically conduct a thorough security assessment and follow the CPTED model. The access management program should be synergized with, and supported by, the involvement of uniformed security officers, traditional physical security methodologies, the clients (customers) being served, the ambient threat environment and other physical security systems, such as video surveillance and lighting.
William H. Nesbitt, CPP - Security Consultant – Forensic Security Expert
President of Security Management Services International, Inc.
bill@smsiinc.com Website: www.smsiinc.com
Member: ASIS International, ICA, IAHSS, ACHE, HCE of So. Cal., ASHRM, SCAHRM & ICSC
Great article, Bill; however, the real challenge is getting the resources to update your old and outdated security programs.
Raghavendran, the approaches suggested here do go well beyond the fundamentals. The proper application of CPTED design principles will ensure cost effective synergy, probably more than any one single strategy. The layered approach is a need driven strategy, in part, dependent on the ambient threat environment.
Hi Bill, Great article covering basic essentials of fundamental security. However, constant innovation is a must to keep in 21st generation standards. Thanks.
Bill, many thanks for sharing this excellent document.
great article.