The Professional Protection Officer: Practical Security Strategies and Emerging Trends
Ebook, 1,488 pages, 13 hours

About this ebook

Eight previous iterations of this text have proven to be highly regarded and considered the definitive training guide and instructional text for first-line security officers in both the private and public sectors. The material included in the newest version covers all the subjects essential to the training of protection officers. This valuable resource and its predecessors have been utilized worldwide by the International Foundation for Protection Officers since 1988, as the core curriculum for the Certified Protection Officer (CPO) Program. The Professional Protection Officer: Practical Security Strategies and Emerging Trends provides critical updates and fresh guidance, as well as diagrams and illustrations; all have been tailored to the training and certification needs of today’s protection professionals.

  • Offers trainers and trainees all new learning aids designed to reflect the most current information and to support and reinforce professional development
  • Written by a cross-disciplinary contributor team consisting of top experts in their respective fields

Language: English
Release date: Dec 4, 2019
ISBN: 9780128177495

    Book preview

    The Professional Protection Officer - Sandi J. Davies

    Part I

    Foundations

    Chapter 1

    Concepts and Evolution of Asset Protection and Security

    Jim Ellis; Christopher A. Hertig; Robert Metscher

    Abstract

    Asset protection is the basis for everything that a protection officer does. It is the core function of the protection officer's job. Asset protection can have different meanings and functions depending on who is responsible for establishing the boundaries of that role and function. Ultimately, asset protection is a function of organizational management, and as such security professionals are often expected to provide technical expertise in efficient and effective security risk management activities. The quality of the overall protection effort will depend on the organizational environment, assets, threats, vulnerabilities, and the organizational leadership commitment to managing those risks. Asset protection has been practiced for millennia, from protecting an ancient settlement with night sentries patrolling the perimeter, to securing valuables into a modern vault. The most visible and easily recognizable historical form of asset protection was the medieval castle. The castle was built to protect an asset, be it a royal or noble, and their economic means such as gold, from an attacking adversary. These fortifications passed through several phases of evolution, but evolve they did as the threat adjusted to circumvent each new design countermeasure. Furthermore, these designs offer a quick visual representation of layered defenses from outermost obstacles to the innermost chambers of the keep. This evolution is a meaningful analogy to the evolution of security countermeasures found today in physical design and those of policies and procedures.

    Keywords

    Information technology; International Foundation for Protection Officers; Private investigators; The Hallcrest Report; The path to professionalism; Penetration testing; Red teams and security researchers; The cycle of history risk management; Fire protection; Layered Protection; ASIS; Historical development of security services; Careers in asset protection; Asset protection

    Outline

    Introduction

    Asset Definition

    Asset Valuation

    Threat

    Vulnerability

    Loss

    Risks

    Criticality

    Frequency

    Probability

    Impact

    Mitigation

    Cost-Benefit Analysis

    Asset Protection

    Layered Protection

    Physical Security

    Safety

    Risk Management

    Insurance

    Commerce

    Law

    Labor Relations

    Fire Protection

    The Cycle of History

    Historical Development of Security Services

    The Path to Professionalism

    Contemporary Careers in Asset Protection

    Professional Development Never Ends

    References

    Further Reading

    Chapter Objectives

    • Define and explain valuation of an asset

    • List and define key terms

    • Provide an overall introduction to the concept of asset protection

    • Discuss the importance of looking at the cycle of history

    • Discuss fire protection in security

    • Describe the development of the security profession

    • Offer suggestions for pursuing contemporary careers in asset protection

    Introduction

    Asset protection is the basis for everything that a protection officer does. It is the core function of the protection officer's job. Asset protection can have different meanings and functions depending on who is responsible for establishing the boundaries of that role and function. Ultimately, asset protection is a function of organizational management, and as such security professionals are often expected to provide technical expertise in efficient and effective security risk management activities. The quality of the overall protection effort will depend on the organizational environment, assets, threats, vulnerabilities, and the organizational leadership commitment to managing those risks. Asset protection has been practiced for millennia, from protecting an ancient settlement with night sentries patrolling the perimeter, to securing valuables into a modern vault. The most visible and easily recognizable historical form of asset protection was the medieval castle. The castle was built to protect an asset, be it a royal or noble, and their economic means such as gold, from an attacking adversary. These fortifications passed through several phases of evolution, but evolve they did as the threat adjusted to circumvent each new design countermeasure. Furthermore, these designs offer a quick visual representation of layered defenses from outermost obstacles to the innermost chambers of the keep. This evolution is a meaningful analogy to the evolution of security countermeasures found today in physical design and those of policies and procedures.

    Studying history is important as it offers us perspective on where things were, where they are now, and the opportunity to consider where they may be in the future. Historical analysis can provide insight into how certain issues were dealt with, and this may provide guidance for contemporary or future problem solving. By looking back, it is possible to use contemporary terms and concepts that have benefited from their own refinement through real-world tests of their effectiveness.

    History provides a laboratory for evaluating and potentially testing both theory and application. Security efforts are necessarily implemented moving forward in time, often in response to a negative circumstance or event, but they are always evaluated looking backward in time with hindsight. Consequently, past solutions developed in response to problems of the day may be examined for their positive and negative effects, and their potential role in creating or thwarting new concerns. For instance, the focus in information systems security to create complex passwords often causes users to write their password down to avoid forgetting it. This solution may have provided some level of improved network security, but it resulted in a practice reducing local network access control. Another example is exterior doors that default into a secure or locked state, but are routinely propped open by users, and sometimes left in that open state. Historical study offers the opportunity to observe patterns of cause and effect and draw analogies from those patterns, all with the possibility of identifying and eliminating a vulnerability before a threat exploits it.

    Asset Definition

    Asset protection begins with defining what assets exist within the scope of the protective efforts. There may be one asset or many assets. An asset can be a person or people; a physical entity such as a building or plant; an object such as a painting or a gold bar; or a concept such as a formula or design. The American Society for Industrial Security (ASIS) International Guideline: General Security Risk Assessment (2003) defines an asset as "Any real or personal property, tangible or intangible, that a company or individual owns that can be given or assigned a monetary value. Intangible property includes things such as goodwill, proprietary information, and related property. People are included as assets." In the hierarchy of assets, people are most often placed first, or at the top, as their protection is of the highest priority.

    For further clarification of assets, here are four classifications of assets:

    1. People—employees, visitors, clients, patients, students.

    2. Property—real estate, buildings, raw materials, equipment, merchandise.

    3. Information—vital information that is necessary for an organization's survival, such as employee and vendor lists, organizational plans, and other items without which the organization could not operate; confidential information such as patient records, personnel or student records; proprietary information such as trade secrets, customer lists, and marketing plans; classified information that is essential to national defense.

    4. Image/Reputation—the image cultivated through years of public relations and advertising that an organization or individual (celebrity) has established. Customer goodwill is an asset. So, too, is a positive image that will not attract the ire of extremist groups or individuals.

    Asset Valuation

    The asset must have some type of value. The value of the asset could be a real value, such as a gold bar being worth a set amount of money based on the weight of the bar and the current price of gold. The value of the asset could be based on what it would cost the company to replace. This is sometimes difficult to calculate when discussing specialty items such as the formula or recipe for a soft drink, or the patented design for a product, the loss of which could mean the end of a company. The most intangible valuation of an asset would be in what is referred to as reputational damage—the loss of the image of a company or consumer confidence in a company. Reputational damage can occur through major theft of customer information, a senior executive being injured or killed, or the brand name of a company being tainted through inferior knock off products. The loss of reputation is difficult to calculate because things such as unrealized sales are nearly impossible to determine. While it is not necessary to have the actual value of an asset on hand at any one time, the value of the asset must be known prior to the implementation of any protection program and reevaluated periodically thereafter.

    Threat

    Threats represent adverse effects on assets. Not all threats are security related. For instance, if a competing company introduces a new and better product to the market and takes away sales, it has created a market-based threat that is generally considered outside the scope of security. Security threats are the actions adversaries undertake that result in harm to the organization's assets, outside the accepted scope of market or industry activity. Although these actions may not be crimes, or classified as crimes yet, they are most certainly unethical. Threats can be characterized by the formula: Threat = Capability × Intent. Only when there is both an intention and a corresponding capability does a true threat exist.

    Vulnerability

    Vulnerabilities represent exploitable weaknesses. Organizations often have a range of weaknesses that are either beyond exploitation, in all reasonableness, or offer so little return to an adversary as to place them well below the range of exploitation. Such ranges are subjective and relate to each adversary. An example may be an asset maintained in a sufficiently isolated location as to make the travel too onerous for the value of the asset.

    Loss

    Loss is the general term that includes the damage, destruction, degradation, injury, death, theft, disclosure of sensitive assets, or any outcome that results in a quantifiable reduction in the net value of an organization. This may be in the form of damaged physical assets, like production equipment or inventory, theft of funds, or impact to public reputation resulting in loss of confidence found in a drop in stock prices, finance rates, sales, or other customer patronage. One unusual example is the loss of donations to a not-for-profit enterprise when disinformation, or deliberately inaccurate information, is shared casting them in a negative light compared to other charities.

    Risks

    Criticality

    Once the asset and its value are defined, it is necessary to determine what risks there are to the asset. According to the ASIS International Guideline: General Security Risk Assessment, risks or threats are those incidents likely to occur at a site, either due to a history of such events or circumstances in the local environment (ASIS International, 2003, p. 6). It is therefore important to have data on crime and incidents occurring in and around the site being examined. A vulnerability assessment will include a thorough examination of the facility, personnel, contents, materials, suppliers, and contractors, especially anything that by use or omission would damage, harm, or cause loss to the company or its personnel.

    Frequency

    The frequency of losses must then be determined through an examination of the types of crimes and incidents in and around the facility, with special emphasis on the dates on which they occurred. A ranking of the events should be made using a consistent scale (annually, monthly, daily, or hourly) for all such loss events.

    Probability

    Through an analysis of this information, trends may emerge which point to an escalation in activities that may precede a more serious crime against the company. This will help to establish the probability of such an event occurring in the future, assuming all other processes and operations at the facility remain the same. Once there is a change in the assets, the probability of loss will also change.

    Impact

    Finally, a ranking of the impact of any loss on the company must be made. Impact is an accounting of the tangible (real) and intangible (unrealized) costs associated with such events. All such tangible losses should be considered, from the mundane, such as the loss of power or water service, up to and including the loss of the facility including its contents and a substantial portion of the employees. Intangible losses such as the loss of current or future sales or customers should also be accounted for to the extent that this is possible.

    Mitigation

    Only after the factors of risk or loss have been compiled and examined can the protection officer assist with developing strategies to help mitigate the risk. All of the mitigation efforts must be designed so as not to substantially interfere with the operation or profitability of the enterprise (ASIS International, 2003, p. 6). Mitigation efforts that do substantially impact operations are much less likely to see executive support regardless of the level of risk, as they also substantially impact the profitability of the company.

    Cost-Benefit Analysis

    A cost-benefit analysis must also be conducted to assist in evaluating the mitigation measures against the costs incurred. According to the ASIS International Guideline: General Security Risk Assessment, the cost-benefit process involves three steps:

    • Identification of all direct and indirect consequences of the expenditure.

    • Assignment of a monetary value to all costs and benefits resulting from the expenditure.

    • Discounting expected future costs and revenues accruing from the expenditure to express those costs and revenues in current monetary values (ASIS International, 2003, p. 4).

    If the cost-benefit evaluation determines that the cost of mitigating the risk is greater than the cost of the asset, then other measures must be employed.
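
The three steps and the decision rule above, worked through as an added example (it is not from the book or the ASIS guideline). The asset value, the two countermeasures and their cash flows, the 5% discount rate, and the choice to compare the net discounted cost with the asset value are all assumptions made for illustration.

```python
"""Cost-benefit check for a security countermeasure (added illustration).

Every figure, label and the discount rate below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Consequence:
    """Steps 1 and 2: one direct or indirect consequence, given a monetary value."""
    label: str
    year: int      # 0 = today, 1 = one year from now, ...
    amount: float  # value in that year's money
    kind: str      # "cost" or "benefit"


def present_value(amount, year, rate):
    """Step 3: express a future amount in current monetary value."""
    if year < 0:
        raise ValueError("year must be >= 0")
    if rate <= -1:
        raise ValueError("discount rate must be greater than -100%")
    return amount / (1.0 + rate) ** year


def evaluate(consequences, asset_value, rate):
    """Discount every consequence and apply the decision rule.

    Assumption: "cost of mitigating the risk" is read as discounted costs
    minus discounted benefits, compared against the asset's value.
    """
    nominal_cost = 0.0
    discounted_cost = 0.0
    discounted_benefit = 0.0
    for c in consequences:
        pv = present_value(c.amount, c.year, rate)
        if c.kind == "cost":
            nominal_cost += c.amount
            discounted_cost += pv
        elif c.kind == "benefit":
            discounted_benefit += pv
        else:
            raise ValueError(f"unknown kind {c.kind!r} for {c.label!r}")
    net = discounted_cost - discounted_benefit
    return {
        "nominal_cost": nominal_cost,
        "discounted_cost": discounted_cost,
        "discounted_benefit": discounted_benefit,
        "net_discounted_cost": net,
        # True means: mitigation costs more than the asset, use other measures.
        "exceeds_asset_value": net > asset_value,
    }


# --- Constructed sample data -------------------------------------------------
ASSET_VALUE = 120_000.0   # replacement value of the protected asset
RATE = 0.05               # assumed annual discount rate
YEARS = range(1, 6)       # five-year planning horizon

# Measure A: a contracted guard post, paid at the end of each year.
GUARD_POST = [Consequence("guard contract", y, 26_000, "cost") for y in YEARS]

# Measure B: a vault upgrade with an indirect cost and a recurring benefit.
VAULT_UPGRADE = (
    [Consequence("vault door and installation", 0, 120_000, "cost"),
     Consequence("downtime during installation (indirect)", 0, 5_000, "cost")]
    + [Consequence("maintenance", y, 2_000, "cost") for y in YEARS]
    + [Consequence("insurance premium reduction", y, 1_500, "benefit") for y in YEARS]
)


def report(name, consequences):
    r = evaluate(consequences, ASSET_VALUE, RATE)
    verdict = "use other measures" if r["exceeds_asset_value"] else "within asset value"
    return (f"{name}: nominal cost {r['nominal_cost']:,.0f}, "
            f"net discounted cost {r['net_discounted_cost']:,.2f} -> {verdict}")


if __name__ == "__main__":
    print(report("Guard post", GUARD_POST))
    print(report("Vault upgrade", VAULT_UPGRADE))
```

The guard post shows why the discounting step matters: its undiscounted five-year cost is above the asset value, but its cost in current monetary value is below it.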

    Asset Protection

    Layered Protection

    Asset protection through risk mitigation typically involves a concept of layered protection, also known as defense in depth. In this concept, the asset is considered to be in the center, surrounded by concentric layers of protection. Each layer contributes individually, and as part of the whole, to the overall protection of the asset. The principles behind layered protection consist of deterrence, detection, delay, and defense/response. Each piece of the layered protection concept can work on its own. However, the most complete protection is afforded through combining all of the layers.

    Deterrence is the practice of discouraging an individual or group from even attempting to attack the asset. This can be accomplished through a number of means such as signage, fencing, lighting, cameras, or people. Signage at the perimeter of the enterprise property would warn trespassers of the property line and the penalty for proceeding further. Further enhancements to the signage could include the addition of fencing, lights, and cameras. In a personal protection role, the deterrence would appear to be provided by the ring of protection officers or specialists around a high-profile individual. In some rare circumstances, the illusion of additional layers of protection can be a better and more cost-effective deterrent.

    Detection is the identification of a threat, preferably at the earliest possible opportunity. Alarm sensors, cameras, and even protection officers are all means of detecting and identifying threats to the enterprise. A threat identified earlier in the asset protection process gives the remaining layers of protection more time to contribute to the overall protection of the asset.

    Delaying the attacker also gives the other layers of defense a chance to work together. Sufficient layers of delay must be incorporated so that the detection and defense/response pieces of the asset protection continuum can perform their roles. Delay can be accomplished through an expansive perimeter that takes a while for the attacker to cross, fences that take time to climb, strong doors that must be breached, and interior levels of protection such as additional doors into rooms or a safe that takes even more time to enter.

    A sufficiently delayed attacker allows for a defense to be mounted from within the site to repel the attacker, or for a sufficient response to be put together and proceed to the site. However, the layers of protection must delay the attacker long enough so as to be able to stop him on the way to the asset, or on his way out with the asset, but before he leaves the property with the asset.

    Physical Security

    Physical security planning was originally based on response to a military threat. A traditional reference for physical security is FM 3-19.30 Physical Security (US Army, 2001), while a modern reference is the Facilities Physical Security Measures Guideline (ASIS Commission on Standards and Guidelines, 2009).

    The process used to plan physical security measures is as follows:

    1. Identify assets. These generally include personnel, property, information, and image.

    2. Loss events are exposed. Risks are identified. This involves research rather than seat-of-the-pants reasoning!

    3. Probability of occurrence of the loss events is calculated.

    4. Impact of occurrence is assessed for each loss event. This means the effect the loss event will have in terms of direct, indirect, and extra-expense costs.

    5. Countermeasures are selected. There can be a vast array of interventions; generally physical security utilizes target hardening techniques, such as patrols, access control, lighting, intrusion detection, surveillance, weapons detection, and so on.

    6. Countermeasures are implemented.

    7. Countermeasures are evaluated as to their effectiveness. Traditionally, this step has been avoided by practitioners in physical security and crime prevention.

    Patrol operations have been a fundamental part of many physical security systems. They serve as catalysts for the system, bringing all parts together. Patrols have been traditionally used by military forces to scout out the location and disposition of an enemy force. They are used today by police and security forces. While still endeavoring to locate hostile individuals (felons), modern police patrols are used to assess community environments. In a contemporary asset protection scheme, patrols are not only concerned with criminal acts but also with unauthorized activities, safety and fire protection issues, and the performance of auxiliary services. These can include delivering the company mail, checking gauges, conducting lighting surveys, assessing crowd and customer behavior, enforcing lease agreements, and assisting customers. Note that community policing or problem-oriented policing strategies that public police have adopted are very similar to those that security practitioners have been doing for decades.

    There are other methods for planning physical security efforts, some of which are the result of academic and practical research. Crime Prevention Through Environmental Design (CPTED) is one method that builds on reinforcing territoriality via barriers, access control, and surveillance, while supporting desired activities which, by their presence, discourage negative activities. In addition, the process works to establish orderly maintenance to further eliminate the rationalization of destructive behavior. Many of these concepts may be found in Jane Jacobs's work The Death and Life of Great American Cities (1961), with the contemporary shaping of it for security through the writings of Oscar Newman, Defensible Space: Crime Prevention Through Urban Design (1972), and C. Ray Jeffery, Crime Prevention through Environmental Design (1971).

    Safety

    Protection officers often are engaged in, or partnered with, the safety operations of an organization. While security may focus on intentional harm, safety relates to the confluence of systems or materials failures, human behavior, and environmental conditions that result in injury, damage, or disruption. Safety efforts seek to prevent accidents and injuries through procedural design, ergonomics, effective maintenance, and the appropriate use of personal protection equipment (PPE). Accidents cost extensive amounts of direct loss (cost of replacement and repair) as well as indirect loss (downtime, investigative costs, lowered morale, legal fees, etc.) and extra-expense loss (advertising, rental of new rooms or equipment). Note that there are also extensive administrative law requirements under the Occupational Safety and Health Administration (OSHA) and state agencies with which organizations must comply. Safety is a major concern to organizations for all of these reasons.

    Risk Management

    Risk management is a term closely associated with the insurance industry. It is conceptually similar to the physical security planning process in its implementation, but it deals with risks other than security threats caused by humans. There are different methodologies for describing risk management strategies. All of these incorporate at least three strategies: risk acceptance, risk reduction, and risk assignment or transfer. In short, risk may be accepted in full, reduced through intentional efforts, or transferred to another entity. While the latter is most commonly associated with insurance, it can also be done through other methods such as vendor relationships.

    Insurance

    According to Purpura, loss prevention originated within the insurance industry (Purpura, 1991). Insurance companies issue policies based on event probabilities using actuarial math. Fee structures vary accordingly as each insurance firm is most often a for-profit enterprise. Various types of insurance coverage have evolved, with a few examples being: business interruption, kidnap & ransom (K&R), worker's compensation, liability, fire, burglary, robbery, theft, fidelity bonds, and employment practices liability.

    Commerce

    Commerce has a tremendous relationship to asset protection and private security. Commerce is the willing exchange of goods and services between a consumer and a provider. Parties on all sides of this relationship experience opportunities for losses that the security professional may be engaged to manage. Professional security personnel must understand the marketing of their employer's goods and services in order to be effective. A retail loss prevention agent must understand that selling merchandise at a profit is traditionally the purpose of the store, not the apprehension of shoplifters and not necessarily preventing losses. Security efforts support their organization by identifying and managing internal loss opportunities, exploited by employees and contractors, and external loss opportunities, as well as monitoring for and anticipating future and potential loss opportunities of all kinds. Generally speaking, criminals outpace the efforts of police and security professionals. With the emergence of the Internet, this has been called the hacker syndrome in that a hacker must only find one exploitable weakness available at one moment, while the target, and their security apparatus, must be prepared to counter all threats at all times.

    Law

    One of the earliest codifications of law in Western civilization is generally attributed to Hammurabi who served as king of Babylon from 1792 BC to 1750 BC. The Code of Hammurabi specified offenses and specific punishments. It is a complex code introducing requirements for transaction receipts, husbandry, town planning, commerce, divorce, regulations for certain occupations, and slavery (Bottero, 1973). Another significant development is the Magna Carta (Great Charter) of 1215 in England. The document specified the responsibilities of the state toward its subjects regarding individual rights, privileges, and security. The Magna Carta established the concept of due process. This means that everyone should be treated fairly and according to uniform procedures. It is a common basis for law and disciplinary procedures. Due process was incorporated into the Fifth Amendment of the US Constitution: no person shall be deprived of life, liberty, or property without due process of law. Perhaps most important, the Magna Carta implied that the king was not above the law.

    Protection professionals must be well versed in legal concepts. In many cases, security and safety professionals develop policies and procedures based on legal obligations. Protection managers are also occasionally asked to provide insight on general legal issues. While attorneys should always be consulted for advice and guidance, it is not always feasible to do so prior to taking action or establishing a policy. Protection officers and investigators must also make legal determinations during the course of their duties relating to legal standards surrounding privacy, property rights, and governmental mandates.

    Laws are authored in response to social changes in an effort to maintain order. Criminal law includes offenses such as trespassing, various types of thefts (retail theft, theft of trade secrets), vandalism, assault, burglary, robbery, rape, and so on. Operating environments dictate the criminal offenses most likely to be encountered by individuals and organizations. Civil law relates to the conduct between parties, individuals, and groups. This includes some parallels to criminal law, or torts, as found with the unwanted touching of others (civil battery vs criminal assault), and formal, contracted, interactions of two or more parties. Some of these that affect security professionals include contract security service, private investigative service, armored car service, alarm monitoring and response, labor contracts, and nondisclosure agreements.

    Civil law also covers negligence, a failure to exercise reasonable and due care, by doing something dangerous or failing to act, and is accepted as necessary for safety. One example may be not following a recognized standard. Negligence requires that a plaintiff (party bringing the action or suit) must show the existence of a duty, a failure to perform that duty, injury or harm occurring to a party to whom the duty was owed, the harm was reasonably foreseeable, and the harm was caused by the failure of the defendant to perform the duty (Hertig, Fennelly, & Tyska, 1998).

    Administrative or regulatory law is established to regulate technical aspects of society by agencies created through legislation. These agencies have the authority to create rules and regulations, investigate, and enforce compliance with those regulations. They also adjudicate violations, and mete out punishments. Consequently, these agencies are very powerful. Complying with their regulations is extremely important to avoid their administrative punishment, and also to avoid potential civil lawsuits as a result of not maintaining that standard. Some federal administrative agencies in the United States include the following: Occupational Safety and Health Administration (OSHA), National Labor Relations Board (NLRB), Environmental Protection Agency (EPA), Federal Aviation Administration (FAA), Nuclear Regulatory Commission (NRC), Federal Communications Commission (FCC), and Equal Employment Opportunity Commission (EEOC). Similar agencies also exist on the state level and in city or municipal governments establishing fire and building codes, alcoholic beverage and marijuana controls, among others.

    Labor Relations

    Labor relations have played a very large role in the history of both policing and security in America. Organized labor brought together people of different ethnic groups under the umbrella of labor. It established numerous changes in the workplace, such as benefit plans for employees and the establishment of disciplinary procedures based on the concept of due process.

    While union membership is declining at present, many of the contemporary approaches to labor relations, physical security, contingency planning, and personnel security are a result of earlier labor issues. The history of labor relations in American society offers context to the development of both labor unions and control forces. Labor relations during the mean years of 1866–1937 (Calder, 1985) saw management employing such tactics as intimidating labor leaders and workers, deploying spies and agent provocateurs in unions, assaults with machine guns, and the importation of strike breakers (workers who replace those who are on strike), promoting interethnic worker conflict. Considerable material is now available online regarding the many strikes, battles, and massacres that occurred around the country. In addition, some key legislation was enacted including the National Industrial Recovery Act, the National Labor Relations, or Wagner, Act, and the Taft-Hartley Act, to name a few. Of particular interest to enterprise security are the Weingarten Rights which provide similar protection for investigatory interviews within a union work environment as the Miranda Warnings do for law enforcement interviews.

    Today, there are specialized contract security firms that have strike security forces. These firms supply consulting and guard service to companies having labor difficulties. They generally employ persons with a military background and provide their personnel with training in labor law, crowd management, and so on. These specialized firms are able to manage volatile labor disputes with minimal harm to persons or property. Additionally, the collective bargaining rights of workers are upheld.

    Fire Protection

    Fire protection is an issue that separates private security and asset protection from public law enforcement. Fire can destroy almost anything. It is a chemical process whereby heat, fuel, and oxygen combine in a chemical chain reaction to turn a solid or liquid into a gas. With adequate amounts of heat and oxygen, virtually anything can become fuel for a fire. Protection officers are frequently responsible for fire prevention duties including inspections, training, and possibly response.

    The threat of fire varies with the environment and perception of that threat also changes. Before the Civil War, fire insurance executives generally viewed fire as good for business (Purpura, 1991). Fires were similar to airplane crashes in that they were relatively improbable events that created hysteria and spurred the purchase of insurance policies. Insurance companies made money on these policies until excessive fires—in heavily populated areas where buildings were constructed of wood—caused enormous amounts of claims to be paid. These Great Fires occurred around the world and destroyed large sections of many cities, such as London, New York, Boston, Chicago, San Francisco, and Seattle. While these often spurred the passage of ordinances and regulation relating to building construction, it was in 1894 that the Underwriter's Laboratories (UL) was formed and began independently testing materials, and in 1896 that the National Fire Protection Administration began developing standards for fire protection. These standards are used across industries and are the basis for many municipal fire codes. In 1948 the National Burglar and Fire Alarm Association (NBFAA) began offering membership, publications, seminars, and professional certification programs for alarm installers. The National Board of Fire Underwriters was merged with the American Insurance Association. This resulted in the development of the National Building Code for municipalities in 1965 (Purpura, 1991). Since then other such construction codes have emerged including the International Building Code in use in several countries and several US jurisdictions.

    The Cycle of History

    The security industry has a rich and largely unconsidered background. Security implies protection from intentional harm. This need dates back as far as the existence of predator and prey. It is not solely a human requirement, as both instinctive and intentional actions may be witnessed in nature as prey seeks to avoid predation. Security has evolved from avoiding and thwarting attacks by other species to threats that emerged within our societies. The range of potential threats has only grown over time. From physical attacks and network attacks, through to sabotage, espionage, and fraud, the threat landscape continues to grow to match society's complexity.

    While the security function can be found across organizations, public and private, throughout the world, the security industry has evolved to offer, or supplement, services to individuals and organizations seeking to avoid, mitigate, and respond to perceived and manifested threats. Organizations and individuals take measures to minimize disruption to their lives, and livelihood, or continued prosperity.

    The historical development of security, loss prevention, asset protection, and the sibling field of safety has moved from the merchant guard and soldier of ancient times to a complex industry and profession necessitating specialization. At the root of all of these specialties are those functions routinely carried out by protection officers.

    Private initiatives often precede public. In many cases, private protective measures are started to fill a void in services offered by governments. Private corporations are nimbler and more flexible than governments. This enables them to start new programs, protection or control forces, etc.

    There is a strong relationship between commerce and protective needs. The amount and type of commerce (ships, trains, Internet, and so on) determines the threats or risks posed to the commerce system.

    Protective efforts may be spawned by the need for mutual protection, such as merchant associations to address street crime, as well as the InfraGard formation to facilitate public-private partnership to protect against terrorism.

    Demographics—population size, density, age distribution, culture—plays a key role in crime control and safety. College students living in dormitories create another set of challenges. High-rise office buildings with business tenants have different protection needs than two-story apartment complexes for low-income families.

    Security efforts generally are a step behind the latest methods of criminal attack. Pareto's distribution can be applied in that 20% of prudent security efforts will address 80% of threats, while the remaining top 20% of the threats will consume 80% of the security effort. It is often the evolving threats that fill that top group.

    Protective efforts are frequently initiated after serious incidents. Any threat exploiting a vulnerability with sufficient impact will likely draw a change in security efforts. This may be observed from the September 11, 2001, attacks on the Pentagon and World Trade Center, driving the Patriot Act and establishing the Transportation Security Administration, among others. The breach of Target Corporation using a vendor's access resulted in changes to the Payment Card Industry-Digital Security Standard (PCI-DSS).

    Historical Development of Security Services

    Security may be considered in the contexts of a role, a function, and a duty. It has evolved over time from intentional efforts to avoid predation, to efforts used to manage the threat of attack by others, to identifying inappropriate behavior within any social subdivision. This may be domestic issues on a national scale or those within an organization. Consequently, security may be found in discussions relating to military, domestic law enforcement, other public and private organizations, as well as in terms of individual protection throughout history.

    It has evolved alongside human civilization from intentional efforts to avoid predation to intentional efforts to manage threats posed by people. Ortmeier reveals that in prehistoric times, cave dwellers stacked rocks around perimeters in front of their caves to both mark the space and warn off intruders (Ortmeier, 1999). The first private security roles, in the form of estate or merchant guards, likely gained their skills through military service, and military defense practices were fundamental. Concepts such as defense-in-depth became common practice for protecting merchants, their property, and others willing to engage these services.

    Public policing finds its earliest roots with the domestic use of military forces to maintain order. For instance, order was maintained in ancient Rome by the Praetorian Guards, which was a military unit. There were also cohorts who kept peace. The vigiles were civilian freemen who controlled fires and assisted in controlling crime and disorder. It is interesting to note that urban mob violence would later be one reason why municipal police were formed in both England and the United States.

    In the early 19th century, London continued to have a large population with crime and disorder problems. As few organizational models were available at this time, the military model was adopted for the London Metropolitan Police (Ortmeier, 1999). What Robert Peel established in 1829 in London served as an organizational model for police and security departments. Peel set forth a series of principles upon which a police force could be established and administered. While his specific frame of reference was public law enforcement, the principles are also adaptable to uniformed private protection forces:

    1. The police must be stable, efficient, and organized along military lines.

    2. The police must be under government control.

    3. The absence of crime will best prove the efficiency of police.

    4. The distribution of crime news is absolutely essential.

    5. The deployment of police strength both by time and by area is essential.

    6. No quality is more indispensable to a police officer than a perfect command of temper; a quiet, determined manner has more effect than violent action.

    7. Good appearance commands respect.

    8. The securing and training of proper persons is at the root of efficiency.

    9. Public security demands that every police officer be given a number.

    10. Police headquarters should be centrally located.

    11. Police officers should be hired on a probationary basis.

    12. Police records are necessary to the correct distribution of police strength.

    In the mid-19th century, major American cities began to develop police departments. These forces evolved out of earlier night watch systems relying on volunteers or civilians. Some of these forces only operated at night, and they were no longer effective at controlling crime in burgeoning urban environments. Organized, paid, full-time police operating under the principles established by Robert Peel began to take shape. State police forces also developed. The Pennsylvania State Police is generally regarded as the first modern state police department. While Texas and Massachusetts had state police forces too, these were vastly different from the organizations we think of today as state police. The Pennsylvania State Police has full law enforcement authority. In some states, there are separate highway patrol forces that specialize in traffic law enforcement.

    It is commonly asserted that the modern private security industry grew out of wartime efforts of World War II. However, with each war, governments often seek improved security to thwart saboteurs and spies, and with domestic prosperity citizens often desire protection for themselves and their property from miscreants. An example of the former includes the use of Pinkerton agents for presidential security during the American Civil War, or the explosion at Black Tom Island, a munitions storage facility in New Jersey, set off by a German saboteur in July 1916 that resulted in increased War Department security measures. During World War II the US Department of War established an internal security division and swore in 200,000 security officers as military police auxiliary.

    Security services or contract security agencies have played a large role in both public and private protection. Outsourcing or contracting for security makes economic sense. Flat hourly rates are charged and clients do not have to worry about benefit costs and associated human resource management issues. The client can hire as many personnel as desired for as long as desired. This provides for flexibility in protection. Additionally, contract service firms may have specialized expertise that the client does not.

    Security services are growing and will likely continue to do so. In addition to traditional guard services there are patrol services, alarm monitoring and response services, armored car services, personal protection or close protection specialists, undercover investigators, retail security or loss prevention agents, private investigation, and security intelligence analysts, to name a few. Outsourced services permit a principal or organization an opportunity to control costs while receiving the benefits of flexible staffing levels and skill sets.

    Pinkerton, a Scottish immigrant, became involved in investigation by accident. While searching for wood to make barrels, the young cooper discovered a gang of counterfeiters. Pinkerton established the largest protective and investigative agency in the world with branch offices in many countries. By the mid-1990s, Pinkerton had 250 offices worldwide with over 50,000 employees (Mackay, 1996). Pinkerton had extensive centralized records, a code of ethics, used undercover investigation, employed the first female detective (Kate Warne—60 years before the first female police officer), and used wanted posters. Pinkerton has been credited with being the first to start a security service; in actuality there were other services started before him, but none have become as well-known as his was.

    In 1858 Edwin Holmes started the first central office for alarm monitoring and response. Today a central alarm station or central station, including both proprietary and contracted facilities, may monitor alarms, access control systems and surveillance cameras, and initiate or summon the appropriate response service. Other notable events in the early formation of the security industry include the founding of American District Telegraph (ADT) in 1874, which became the largest alarm company in the world; the founding of Brinks Armored in 1891, which became the largest armored car company in the world; and the founding of the Burns Detective Agency by William J. Burns in 1909. Burns was known for his ability to use evidence collection at the scene of a crime to capture suspects.

    The Path to Professionalism

    There have been some significant developments along the path toward professionalism for the security industry:

    1952—The Industrial Security Manual was published in 1952. This was considered the Bible of the Department of Defense (DOD) contractor security procedures. It established information protection, personnel security, and physical security measures for DOD contractors. Since the United States was in a wartime economy until about 1975, there was heavy activity in this sector. Many security personnel worked in industrial security.

    1955—The American Society for Industrial Security was formed in Washington, DC. ASIS consisted of security directors for DOD contractor firms. Over the passage of time, ASIS International has grown to tens of thousands of members in over 100 countries. Members have a diverse range of positions within private industry, law enforcement, government, security service, and supply firms. ASIS has numerous councils on such topics as health care, retail, campus, banking, economic crime, commercial real estate, gaming and wagering protection, and so on.

    1971—The Rand Report on Private Police in America—This was a private research study by the Rand Corporation. It was important as the security industry had not been studied. The Rand Report found that the security industry was large, growing, and unregulated. The average security officer was an aging white male with a limited education who was usually untrained and who worked many hours to make ends meet. The Rand Report was useful as a reference point for the Report of the Task Force on Private Security in 1975.

    1975—The Report of the Task Force on Private Security conducted by the National Advisory Committee on Criminal Justice Standards and Goals was published in 1976. The committee found a lack of training, regulation, and job descriptions within the security industry. The report advocated minimum training standards; these have been used as guides by some states in setting up mandated training and licensing
