Are You Applying Newton's Three Laws of Physical Security?
Okay, Sir Isaac Newton didn’t actually have anything to do with physical security, but if you examine the principles behind his laws of motion, you can gain some very good insight into how security works in any organization. So if Newton happened to work in security today, here are the Three Laws of Physical Security he might have come up with:
1st Law of Security: Every organization, in a state of security or un-security, tends to remain in that state until an external force is applied to it.
Quite simply, security doesn’t just happen. You have to create it. Of course the corollary to this Law is that once an organization has the security processes in place to secure it, that organization has a tendency to remain secure so long as those policies, procedures and technology aren’t degraded by outside forces.
If you want to secure your organization, you have to create and maintain that security. Some effort will always be needed to continually update, maintain and adjust your security processes to counteract the negative influence of outside forces, but once the main effort has been accomplished, adjusting and upgrading your existing security is much easier than creating new security from scratch.
2nd Law of Security: The relationship between an organization’s size (m), its speed of change (a), and the resources required to alter its security (F) is: F = ma.
This one is more mathematical than practical, but it does point out the relationship between resources, the speed at which your organization alters its state of security and the size of the organization itself. What does this tell us? If you’re a medium- to large-sized organization, you need either more time to implement security changes or more resources.
How does this knowledge help us? Well, if you want to create change in your organization’s existing state of security or if you need to react to political or environmental pressure, you’re going to either need time or extra resources to accomplish this.
For the small organization, reacting quickly takes fewer resources and less time. But a large organization can pretty much forget about reacting quickly or changing its environment to counteract new threats without a good amount of time or lots of resources such as money or man-hours. This Law tells us that it’s more effective to focus your efforts on long-term planning rather than just reacting to changes in your environment. To reduce the amount of resources you expend, you should be continually examining the outside forces that will affect your organization’s security and implementing measures to counteract them well in advance of the point where they have a large impact on your organization’s security.
3rd Law of Security: For every incident there is an equal and opposite reactionary measure.
Take a moment to think about the last security failure your organization experienced. Maybe it was a shooting in a school or hospital environment, maybe it was a massive theft of information or property, possibly it was an instance of workplace violence from a disgruntled employee. What happened after the incident? If your organization reacted by implementing knee-jerk, reactionary policies or procedures, you’re not alone. Now examine those reactions: did they actually serve to improve the security of your organization in the long run? If the answer is no, you’re also in the majority. Finally, ask yourself this last question: was this incident predictable? Can you honestly say that you had not pondered the possibility of this type of incident in the past and could have implemented policies or procedures to mitigate the damage caused if you had the budget, resources, or time to implement them before the incident? I think you see where I’m going here.
Frankly, security (bad security anyway) is more often than not a series of reactionary measures put into place by individuals who do not take the time to develop a holistic security solution that incorporates measured risk and reward to the organization. Typically this happens because someone higher up in the organization “food chain” gets heat from someone above him or her and that heat just rolls on downhill until someone makes something happen so they can be seen to take action, regardless of the effectiveness of that action.
Applying the Three Laws of Security
Newton’s three Laws of Motion are intended to help us understand our world and improve ourselves with that knowledge. So too should the three Laws of Security be applied. Here are three ways you can apply these Laws to improve your organization’s security:
1. Create a unified, documented, formal security process that will create a uniform level of security for your organization and provide routine maintenance to overcome the negative influence of outside forces and keep it secure.
2. Plan ahead. Security measures that need to be implemented quickly always cost more resources than proactive, rational, thought-out security measures that are implemented over time. Analyze your risk scenarios and implement measures to mitigate this risk before it occurs, when you have plenty of time to do so.
3. Reactionary measures will follow every incident. But if you plan ahead, work to mitigate the risk before it occurs and provide training and awareness of security measures and policies, you can reduce the negative impact these reactions will have on your organization. Rather than acting in a knee-jerk manner, use these naturally occurring reactions to strengthen security by implementing policies and procedures that will actually improve your security process for the long term, rather than just the short term.
So how are you applying these Three Laws of Security?