Physical security
Introduction
Physical Security is the implementation of security measures for the protection of assets, information, or people. It aims to prevent as much unauthorized or malicious access as possible, while still allowing those who are authorized or permitted to access what they need. This topic aims to outline and define aspects of physical security, alongside providing necessary resources for further research. Terms are defined in as standard a way as possible, given that the topic draws on multiple resources, with preference given to the terminology of other Wikiversity topic or lecture pages.
Physical Security measures rely on a combination of physical and psychological methodologies for preventing unwanted access to assets.
Physical Security Terminology
General Terminologies
- Security System - A linked or related set of physical security implementations. May apply to: an individual object, such as a lock; a complex object or set of objects, such as a car, computer, or engine; or some other large-scale system, such as a facility and its grounds, a series of complex objects, or a complex of buildings or rooms.
- CIA Triad - A concept from information security that applies well to physical security. The CIA triad is a triangular representation of compromises between the Confidentiality, Integrity, and Availability of an asset (in the typical case, information). When considering Access Controls, particularly to things such as devices for Security Testing, Surveillance, or any other component of the security system, the CIA Triad is of particular relevance. The Triad is not an absolute representation, since some systems can rate highly in multiple categories, but it is an important conceptual one.
The Five Components of Physical Security
The core ideas of physical security can be organized into five components: the three key components (Access Control, Surveillance, and Security Testing) alongside Deterrence and Detection.
- Access Control - Access Control is the concept of managing and restricting the accessibility and use of certain assets and areas, either to a whitelist of individuals, or from a blacklist of individuals. Those who need a resource, such as a ledger, account number, or stored paperwork, should have access to it, and those who don't should not.
- Surveillance - Surveillance is the concept of watching, monitoring, observing, or recording an area and/or asset, alongside the entities that access it. For an area or asset to be considered surveilled in some form, authorized individuals should be capable of retrieving information about recent accesses and/or interactions with the surveilled entity.
- Security Testing - Security Testing refers to the act and practice of testing the implementation of physical security methods, the practices of agents involved in the enforcement of physical security methods, and the grading or assessment of the capability of a system of security implementations. Security Testing is an active, repeated practice, and should often result in changes, reimplementation, and enhancements alongside evolving information and a changing threat landscape.
- Deterrence - Deterrence as a concept refers to methods to prevent an intrusion attempt in the first place, and is typically the first layer of defense against intruders. Deterrence can take a variety of forms, and may not be a physically implemented system so much as an implied, warned or suggested concept or response.
- Detection - Detection is the concept of identifying a physical intrusion, and possibly the intruders involved. For a method to qualify as detection, it must be capable of indicating, often 'autonomously' (agents such as human guards, dogs, or computer-vision systems qualify here), a breach of or attempt against a security implementation, site, or asset.
None of the above methods are, nor are expected to be, foolproof, and the same applies to the definitions. Methods to evade Detection, Access Control, Surveillance, and Deterrence do exist and will likely be discussed further under Security Testing. The above components overlap: Access Control may serve as Deterrence, Surveillance may perform a Detection role, Detection may be required for Access Control, and so on. These components are conceptual, and not hard limitations.
Beyond the components of security, a security system must be applied to particular areas of a physical system or environment, defined below.
The Three Levels of Physical Security
- Outer Perimeter Security - Refers to the marginal outer layer of a security system, such as: the physical property boundary lines of a site; the entrance buildings or hubs to a large site such as Disney World or other multi-building site; the room or area around a device such as a server box, car, or cash register.
- Inner Perimeter Security - Refers to the direct outer layer of a security system, such as: the walls, doors, windows, or entry points of a building; the accessible areas of a device such as a laptop or car in standard use (not reverse engineered, disassembled, etc.).
- Interior Security - Refers to the internal operations layer of a security system, such as: inner spaces, cubbies, and cabinets of an office, building, or room; internal mechanics of a device such as a lock, engine, or computer.
Not every system of security will be capable of realistically or permissibly implementing protections on every level listed above; however, every level should still be considered as a vector of intrusion, or as a candidate for secondary protections. Additionally, some texts and references may include grades of security (often 5 grades) for physical security implementation. These grades are omitted simply due to the variance in definition across sources, combined with their lack of necessity for the understanding of the content.
Physical Security as a Practice
Various concepts of Physical Security will be broken down, linked to, or explained below.
Planning a System of Security
Before creating a system of security, one must create a plan or set of plans, with an underlying goal. This is particularly the case for large organizations or security teams, which must standardize and communicate ideas clearly and quickly for an efficient and correct implementation.
- Physical Threat Landscaping - The first aspect of planning a system of security: identifying threats and considerations that a physical security system must defend against.
Research Links
- Example of the results of poor physical security: https://www.youtube.com/watch?v=R5RE0mVbJ3s
- Reference the building codes of your area or government for further information. They often contain a security section concerning exact rules and techniques for preventing intrusion, e.g.: https://www.kcmo.gov/home/showpublisheddocument/6420/637509790534730000