Asset Protection Module


LESSON 1

INTRODUCTION TO ASSETS PROTECTION

TOPICS
1. The Management Function
2. Asset Protection- A Historical Perspective
3. Definition Of Assets Protection
4. Relation To Security and Other Disciplines
5. Influences in Assets Protection

LEARNING OUTCOMES
At the end of the lesson, you should be able to:
1. explain the function of management in assets protection;
2. discuss the history of asset protection;
3. describe assets protection;
4. distinguish the relationship of asset protection to other disciplines; and
5. explain the influences in assets protection.

Asset protection is the basis for everything that a protection officer does. It is the core
function of the protection officer’s job. Asset protection can have different meanings and functions
depending on the approach to protecting the asset, its location, and even the type of asset. Asset
protection has been practiced for millennia, from protecting the Roman city with night
sentries patrolling the streets to placing valuables into a modern safe. The most visible and easily
recognizable form of asset protection was the medieval castle. The castle was built to protect an
asset, be it the king or ruler, a precious metal such as gold, or as a point from which to help protect
the empire. Castles initially were quite basic, but as the risks escalated, they came to employ
additional layers of protection such as a moat, drawbridge, or defensive positions.

THE MANAGEMENT FUNCTION

Protecting the assets of any corporation, institution or public interest today is a daunting
task. Such efforts transcend traditional brick-and-mortar security concerns to include securing vital
intellectual property used in e-commerce and Internet applications in a global economy. Clearly,
the Web is redefining how we live our lives and how we need to secure the assets entrusted to
employees. In fact, the definition of what constitutes an employee is also changing and evolving at
a rapid rate. Temporary workers, contractors and joint venture employees are required to have
significant access to information, resources and various other tools previously reserved for full time
employees — exploding previous concepts of protecting assets and people. The role of the security
professional is rapidly changing in this environment and requires a combination of strategic
thinking, process management and the ability to implement programs and initiatives in increasingly
shorter periods of time to match the incredible pace of today’s business.

Macroeconomics teaches us that resources in any given situation are limited; thus, choices
must be made regarding the trade-off between the resources necessary to generate products, profits
and market share, and the assets required to protect them. The successful security practitioner
strikes the appropriate balance between these competing demands.

ASSET PROTECTION - A HISTORICAL PERSPECTIVE

From the earliest of times, humans have recognized the need to protect themselves, their
family and their property. Individuals or small groups living together provided the protection
until loosely organized tribes developed into more formal groups. As civilization began to
trace outlines of government in the sense that we would recognize it today, the need for forces
to maintain order was recognized. These forces were usually created to deal with the threat of
attack from other groups and not with problems of order within the primary group itself. The
raising of armies and their deployment to territorial borders was the initial method of establishing
group defense.

As local communities were further removed from the seat of central power and as more
individuals in those communities were strangers to each other, rather than close relatives, the
need became clear for some form of local order. This was done to preserve peace and enforce
laws made at distant regional or central capitals. Primitive forms of night watch and patrol
were developed, again to protect the community against outside attack. The idea of public
protection for purely private property did not take hold until after the industrial revolution
and even today is a concept of limited application. The proprietor of a private enterprise or the
owner of private assets is and always has been largely self-dependent for adequate protection
against all but major threats to the public peace.

DEFINITION OF ASSETS PROTECTION

Asset protection is a set of legal techniques and a body of statutory and common law dealing
with protecting assets of individuals and business entities from civil money judgments. The goal of
asset protection planning is to insulate assets from claims of creditors without perjury or tax
evasion.

For many people, the term assets protection suggests finance. Security professionals,
however, think of assets protection in a different, broader sense. In the security arena, one often
speaks of protecting three types of assets: people, property, and information. The larger view of
assets protection, however, also considers intangible assets, such as an organization’s reputation,
relationships, and creditworthiness.

In considering all of an organization’s assets and all potential hazards, both natural and
man-made, the security function should take the lead on some matters and play a supporting role
in others. This approach helps ensure that the security function is, and is seen to be, a value-adding
element of the organization. The greatest protection of corporate assets occurs when an appropriate
mix of physical, procedural, and electronic security measures is in place in relation to the assets
being protected. This creates an effective defense-in-depth asset protection program.

Several additional aspects of assets protection emerged as well:

• Both tangible and intangible assets must be considered.
• A key objective is maintaining smooth business operations.
• Post-incident business or mission continuity is an important element.
• Both the current and future risk environments must be considered.
• Providing a safe and healthy environment should be factored in.
• Liability reduction/management is an important component.

In addition, it is essential to know what needs to be protected. In many cases, asset owners (such
as business owners or managers) lack a thorough understanding of what their real assets are. Some
think purely in financial terms, while others focus on tangible goods, such as facilities, inventory,
vehicles, or equipment. A wider view of assets might include those listed in Figure 1.

TANGIBLE
• Facilities/buildings
• Equipment
• Inventory
• Vehicles
• Raw materials
• Cash/money
• Accounts receivable
• Supplies/consumables
• Telecommunications systems
• Other capital assets

INTANGIBLE
• Reputation/image
• Goodwill/trust
• Brand recognition
• Relationships
• Vendor diversity
• Longevity/history
• Past performance
• Experience
• Quality assurance processes
• Workforce morale/spirit/loyalty
• Workforce retention
• Management style
• Human capital development
• Liaison agreements
• Market share

MIXED
• People
• Intellectual property
• Knowledge
• Proprietary processes
• Information technology capabilities
• Land/real estate
• Infrastructure
• Credit rating/financial stability
• Customers (customer base)
• Contracts in place
• Financial investments
• Geographic location
• Staffing sources/recruiting
• Certifications (e.g., ISO 9000)
• Continuity posture/resiliency
• Safety posture

NOTE: Tangible assets are generally those one can see, touch, or directly measure in physical
form. Mixed assets have both tangible and intangible characteristics.

Figure 1
Examples of Organizational Assets by Type

RELATION TO SECURITY AND OTHER DISCIPLINES


Because assets protection is a broad, complex function, many departments or elements of
an organization may be involved in it. However, a single office or person should be designated as
the assets protection focal point. Assets protection professionals should either lead or follow, but
in either case they should not allow themselves to be left out of key deliberations and decisions.
Though it is the responsibility of senior management to provide the resources needed to enhance
the protection of assets, it is the assets protection professional’s responsibility to provide them with
the best information for their decision-making process.

Assets protection incorporates all security functions as well as many related functions, such
as investigations, risk management, safety, quality/product assurance, compliance, and emergency
management. Therefore, the senior assets protection professional must have strong collaboration
and coordination skills as well as a thorough understanding of the workings of the enterprise. In
today’s asset protection program, countermeasures need to include people, hardware, and software.

Of particular interest today is convergence, which is the “integration of traditional and
information [systems] security functions” (ASIS International, 2005). Such convergence makes
collaboration even more important.

INFLUENCES IN ASSETS PROTECTION

Many recent developments have affected the practice of assets protection. In the early
1970s, for example, computer security began to flourish as a separate discipline (National Institute
of Standards and Technology, 2006) because of society’s increasing reliance on information
systems.
Another influence was the recognition of the vulnerability of critical infrastructure to both
natural and intentional attacks. In the United States, critical infrastructure was initially defined as
comprising the following industry sectors: transportation, oil and gas, water, emergency services,
government services, banking and finance, electrical power, and telecommunications. More sectors
were added later. Significantly, most U.S. critical infrastructure is owned or operated by private
enterprises. In the United States, attention to the security of critical infrastructure increased greatly
after the 1993 attack on the World Trade Center in New York City and the bombing of the Alfred
P. Murrah Federal Building in Oklahoma City two years later.

[Photograph: Damage to the Pentagon caused by the September 11th attack. Photograph by Kevin Peterson]

To security professionals, the terrorist attacks of September 11, 2001, represented the most
significant turning point in assets protection around the world. That attack
• led to increased security budgets and reduced constraints on security policies and
procedures,
• fostered communication between security officials and front-office executives, and
• enhanced threat awareness and vigilance by business managers and employees.

In some cases, knee-jerk reactions to 9/11 wasted valuable resources. For example, one
company with facilities in several countries ordered each site to post a security officer at its
entrance. However, the new security officers had no idea of their roles and responsibilities and had
no way to communicate with other security staff at the sites. At best they were able to provide a
false sense of security. Similarly, after 9/11 many organizations spent much more than necessary
on security technology.
The shock of 9/11 also caused an overemphasis, in terms of security solutions, on terrorist
attacks instead of the broader spectrum of realistic security risks. Even now, resources that could
have been dedicated to information technology (IT) security, information asset protection, and
traditional crime or loss prevention are being diverted to antiterrorism measures, such as blast-
resistant materials, stand-off zones, bollards, chemical/biological hazard sensors, and similar items.
Even in school security, interest in traditional, comprehensive assets protection has often given way
to preparation for terrorist attacks.
Over time, the 9/11 attacks have partly redefined assets protection. The following are some of the
beneficial changes:
• a change in public expectations and an increase in the level of security measures that the
public will tolerate
• an ongoing examination of personal privacy versus public protection
• more serious study of security and protective services budgets and strategies
• better information sharing within and between the security and law enforcement
communities, leading to improved crime-fighting capabilities
• greater application of advanced technologies to threat analysis, vulnerability assessment,
information sharing, and protective measures
• more widespread discussion of strategic protection concepts incorporating risk management
and comprehensive assets protection
• more emphasis on security and assets protection research

Similarly, the 2001 anthrax scare in the United States led to much greater emphasis on the security
of mailroom operations. In addition, the Sarbanes-Oxley Act in the United States has required
publicly traded corporations to perform more extensive assessment and reporting.

LESSON 2

CURRENT PRACTICE OF ASSETS PROTECTION

TOPICS
1. Underlying Principles.
2. Practice of Assets Protection in Various Industry Sectors.

LEARNING OUTCOMES
At the end of the lesson, you should be able to:
1. understand the underlying principles in the current practice of
assets protection; and
2. compare the different practices of assets protection in various
industry sectors.

This section discusses two important issues in assets protection: the field’s underlying principles
and the practice of assets protection in various industry sectors.

UNDERLYING PRINCIPLES

One framework for viewing the underlying principles of assets protection states that three
concepts form a foundation for any assets protection strategy. Those concepts are known as the five
avenues to address risk, balancing security and legal considerations, and the five Ds.
1. Five Avenues to Address Risk
This concept contends that there are five distinct avenues for addressing identified risks to
assets: risk avoidance, risk transfer, risk spreading, risk reduction, and risk acceptance.
Carefully considering these avenues is an effective way for assets protection professionals and
management to think creatively in designing ways to protect assets.
2. Balancing Security and Legal Considerations
Organizations need to find the right balance between a security approach and a “legal”
approach. Some enterprises rely entirely on legal measures, such as patents, copyrights,
trademarks, and service marks, to protect their critical information. They mistakenly believe
that with these legal protections in place, they do not need stringent security programs.
Alternatively, some executives believe a strong security program eliminates the need for legal
measures. Of course, both types of measures are needed. The legal approach must also consider
when and how incidents will be litigated, what preliminary measures must be in place for
successful litigation, and how litigation costs will be managed.
3. The Five Ds
This security approach complements the “legal” approaches discussed above. In this concept,
the first objective in protecting assets is to deter any type of attack. The second objective is to
deny the adversary access to the asset, typically through traditional security measures. The third
objective, if the first two fail, is to detect the attack or situation, often using surveillance and
intrusion detection systems, human observation, or a management system that identifies shortages
or inconsistencies. Once an attack or attempt is in progress, the fourth objective is to delay the
perpetrator through the use of physical security and target hardening methods, or use of force.
Finally, in today’s terrorist environment with more violent criminals, it may become necessary to
destroy the aggressor if the situation warrants it.

In short, assets protection should involve a comprehensive strategy, not just piecemeal
elements (officers, closed-circuit television, access control systems, etc.).

PRACTICE OF ASSETS PROTECTION IN VARIOUS INDUSTRY SECTORS

Many security principles and procedures are common across sectors,
geographic areas, and various sizes and types of organizations. However,
each particular industry has its own culture, environment, and issues that
influence assets protection.

Health Care Sector

Hospitals are open to the public 24/7 and tend to have an open environment.
Patients are vulnerable, and hospitals can be a high-stress environment for all concerned: patients,
visitors, and staff.

Hospitals also have to be concerned about information assets, especially patient privacy, the
protection of which is often governed by regulation, such as, in the United States, the Health
Insurance Portability and Accountability Act (HIPAA) and criteria set by the Joint Commission on
Accreditation of Healthcare Organizations (JCAHO). In addition, many health care institutions,
especially at universities, engage in medical research, an activity that calls for protection of
sensitive information, intellectual property, facilities, and materials. Assets protection staff may
also need to focus on maintaining the hospital’s reputation, another key asset.

The most serious threats in health care involve workplace and domestic violence, threats,
harassment, internal theft, vandalism, extremist activity, fraud, threats to high-risk or high-profile
patients, and violence in emergency departments.

Health care security professionals can gain management support through these means (Stewart,
2006):
• demonstrating a knowledge of hospital management issues and respecting the business
aspects of the enterprise
• maintaining a dialogue with management to ensure they understand the hospital’s risks and
vulnerabilities, as well as the assets protection program itself

Whether security officers in health care settings should be armed is the subject of ongoing debate.

Educational Sector

Educational institutions range from preschools to universities and include both public and
private institutions. Schools at all levels have historically been viewed as somewhat insulated from
the ills of society, but in recent years more attention has been paid to school security.

At the lower academic levels, security responsibility may fall under the school board,
county or city, or local police department. Most colleges and universities maintain their own
security function, which may or may not be connected to the campus police department.

Educational institutions face a wide range of threats, such as assaults against students and
staff, facility damage, vandalism, theft of goods (computers, equipment, supplies, etc.), theft of
private information, attacks against IT, white-collar crime, liability, and natural disasters.
Universities also face the theft of research information.
At most schools, much of a security director’s time is spent on crisis management.
Evacuation planning, preparations for shelter-in-place situations, liaison with first responders,
awareness, training, and exercises are all critical in that environment. In addition, schools may be
called on to serve as community shelters or medical triage centers during disasters.

Universities include more than classrooms; they may also feature dormitories, restaurants,
stores, libraries, entertainment venues (clubs, theaters, bowling alleys, fitness centers, game rooms,
etc.), sporting facilities, worship centers, conference centers, and hospitals. Further security issues
are raised by the fact that some students may be living away from home for the first time and may
not behave as well as they should or show the right level of safety and security consciousness.
Universities also host many students from other countries, who may violate bans on certain exports
or may overstay their visas.

High crime rates, high-profile incidents, and a questionable campus safety record can harm
a university’s image and lead to a loss of students, revenue, grant money, and research projects.

Security directors in the educational environment must take a comprehensive risk
management approach to their assets protection program. In their security planning, they should
consider many factors, such as the size and demographics of the school, the characteristics of the
surrounding area, the mission and culture of the institution, the types and values of assets, the
school’s image, its management style, and any identifiable threats.

Level and Considerations

Preschool
• Health and safety
• Teacher/staff backgrounds
• Constant student oversight
• Potential for parental/stranger abduction

Elementary (K through 8)
• Student oversight
• Teacher/staff backgrounds
• Inappropriate discipline
• Early gang and drug abuse prevention
• Exposure to inappropriate issues
• Student interrelationships

Secondary and High School
• Student independence/student interrelationships
• Teacher/staff backgrounds
• Teacher/staff relationships with students
• Gang and drug/alcohol abuse prevention
• Exposure to inappropriate issues
• Weapons and contraband exclusion
• Facility access control
• Protection of equipment, chemicals, other resources

College and University
• Students as an asset and a threat
• Lifestyle (student independence, drugs, alcohol, etc.)
• Residential setting
• Multiple facilities (retail, food service, entertainment)
• Overall crime environment
• Potential for hate crimes and activist groups
• Sports and entertainment venues
• Laboratory/research facilities and information

© Innovative Protection Solutions, LLC, 2006. Used by permission.

Figure 2
School Security Considerations

Fast Food Sector

This sector, also known as the quick-service restaurant (QSR) industry, features many
company-owned restaurants and franchise stores around the world. The largest companies often
have an in-country or regional assets protection director, who reports to the local business unit head
and the corporate assets protection director. The wide geographical dispersion also makes QSRs
vulnerable to varying levels of ordinary crime, activism, vandalism, and terrorism. Companies in
this industry work hard to protect the value of their brand.
The industry emphasizes cost control, margins, and profit and loss management. Thus,
assets protection professionals must focus on theft prevention, anti-fraud programs, strategic
planning, and supply chain/vendor/distribution integrity. The QSR industry employs a range of
security technology, including closed-circuit television (CCTV) tied to point-of-sale systems (e.g.,
cash registers). Assets protection teams in the industry also investigate suspected false claims of
employee or customer injuries.

Because of the high employee turnover rate and the geographic dispersion of stores, security
training is both essential and difficult. Modern IT can enhance the company’s ability to conduct
safety and security training—for example, by facilitating distance learning. One focus of employee
training is simply teaching whom to call and how to report suspicious activity. Most companies
maintain toll-free hot lines. In addition, employee awareness can be bolstered using security
posters, changed regularly.

Telecommunication Sector

Assets protection in the telecommunications sector has changed in the wake of industry
deregulation; the boom in wireless, Internet, fiber optic, and other telecommunications
technologies; and, in the United States, the designation of the telecommunications system as a
national critical infrastructure. Assets protection in the telecom sector now encompasses four major
areas:
• Information security: protecting competitive and proprietary
information; protecting information about the telecommunication
infrastructure; and protecting voice and data signals
• Network and computer security: protecting networks from hacking
and other forms of cyber attacks; protecting computers and other
equipment from viruses
• Fraud prevention: protecting the company from toll fraud, calling card
misuse, and other frauds
• Physical security: protecting the people, places, and things that make
telecommunications networks function
Assets protection in telecommunications is greatly affected by government
regulation. Some jurisdictions mandate specific security practices, limiting the
ability of assets protection

Aerospace Sector

The aerospace sector, which includes civil craft, military aircraft, missiles, space systems,
and aerospace services, is characterized by fierce, global competition; large, complex contracts;
international joint ventures; and a huge network of vendors, all of which factors significantly
complicate assets protection strategies.

In addition to traditional corporate safeguards, firms in this sector should consider the
following:
• protection of sensitive, proprietary, and export-controlled technical information
• handling of government classified information
• regulatory and reporting compliance at the local, national, and international levels
• integration of safety and security programs
• domestic and international travel security
• test and evaluation program security

[Photograph: NASA photo]

The larger aerospace firms maintain large security departments staffed with
various security specialties. By contrast, small aerospace vendors often have no security
resources. Therefore, it is best to discuss security support at the outset of a new project
and agree who will be responsible for various aspects of assets protection and what
resources each player will contribute.
Assets protection in the aerospace industry is also affected by the climate of risk
taking; the extent of high-value information that must be protected; and the industry’s
high profile, which attracts adversaries in the form of competitors, activist groups, and
white-collar criminals.
These industry snapshots illustrate the wide variety of issues, concerns, and
environmental factors that affect assets protection programs. They highlight the meshing
of security concerns with business and management issues in planning for a safe and
secure setting in which to conduct the enterprise’s mission.

LESSON 3

FORCES SHAPING ASSETS PROTECTION

TOPICS
1. Technology and Touch
2. Globalization in Business
3. Standards and Regulation
4. Convergence of Security Solutions
5. Homeland Security and the International Security Environment

LEARNING OUTCOMES
At the end of the lesson, you should be able to:
1. explain the purpose of technology and globalization in assets
protection;
2. classify the standards and regulation;
3. demonstrate the convergence of security solutions; and
4. describe the homeland security and the International Security
environment.

This lesson examines five forces that are shaping the practice of assets protection:
• technology and touch
• globalization in business
• standards and regulation
• convergence of security solutions
• homeland security and the international security environment
Some of these forces are at least partially within an assets protection manager’s ability to influence,
while others are not. In either case, security professionals should study and leverage these forces
as they formulate tomorrow’s protective strategies.

Technology and Touch


Assets protection has always required a balance between human and technological
solutions. Sometimes the balance swings too far toward technology. The following statements are
described as symptoms of “high-tech intoxication” (Naisbitt, 1999):
• We look for the quick fix.
• We fear and worship technology.
• We blur the distinction between real and fake.
• We accept violence as normal.
• We love technology as a toy.
• We live our lives distanced and distracted.

We look for the Quick Fix

Security solutions are often implemented haphazardly. Decision makers may buy
surveillance cameras or install card readers without an independent assessment or clear
understanding of the real needs. That approach addresses only the symptoms, not the cause.
Through advance planning and meaningful dialogue, the security professional can guide the
corporate decision makers on the best long term security solution for the company.
Security professionals should take the time to ask questions and determine what the actual
problem is and then create a comprehensive assets protection strategy, not a short-sighted quick
fix.

We both Fear and Worship Technology at the Same Time

Assets protection professionals cannot afford to be technophobes. Security systems and
procedures increasingly demand an understanding of technology, and technology is becoming a
major element in most business processes.

On the other hand, some people see technology as the solution to everything. Most common
functions today consist of several layers of technology. If something does not work, the tendency
is to add another layer of technology (Naisbitt, 2006). Careful examination of the problem might
show that a solution blending technology and other solutions (training, policies, or personnel) is
best.

We Blur the Distinction Between Real and Fake

The quality and quantity of electronic images (on television and in video games) tends to
desensitize people to real situations. Frequently seeing people attacked or killed may make those
events seem commonplace. The ramifications for security include a potential dampening of reaction
by security officers and others. For example, console operators might react less quickly to events
shown on their monitors because they see such things all the time in games or on television. The
delay may be aggravated by information overload as security staff are expected to monitor more
and more images.

We accept Violence as Normal

When violence is considered normal, employees may not bother to report incidents or
suspicions to corporate security officials. Failure to report such matters promptly can make it more
difficult to stop such situations as workplace violence, terrorism, sexual harassment, and hate
crimes.

The perception of violence as normal can also affect the reaction of security officials. If
they become desensitized to crime and violence, they may take incidents less seriously or react
more slowly than they should.

We Love Technology as a Toy

Viewing technology as a toy can lead to a neglect of sound, risk-based assets protection
strategies. For example, one company installed biometric access controls on the entrance to each
of its office suites, even though there was no obvious need for high security. When asked why the
equipment was installed, a manager replied, “We thought it was cool.”
High technology plays an important role in assets protection, but it exacts ongoing costs,
such as training and maintenance. In many situations it makes sense to step back and take a “back
to basics” approach. For example, “Given a specific security challenge, imagine how you would
develop a solution if you had no access to technology at all. You can then think outside the box and
interject some traditional creativity into the problem-solving process” (Naisbitt, 2006).

We Live Our Lives Distanced and Distracted

Being surrounded by technology changes our relationship to other people. Assets protection
professionals must never lose sight of the people factor in identifying and protecting critical assets
(Naisbitt, 2006):
Any security issue involves human psychology—and always will. The issues of safety and security
are simply fundamental to every human being.
When planning for security, the professionals should always consider the culture of the
organization. … Does the corporate culture foster a sense of community? Do employees respect
and care for one another? Does the nature of their work allow them to develop relationships, or do
they work in a vacuum? How much human interaction is there?

In addition to the six preceding symptoms of high-tech intoxication, two other issues are worth
considering:
• whether the prevalence of security technology leads employees to shirk their
responsibility for protecting the organization’s assets because they think technology
will take care of those assets
• whether a high-tech environment depersonalizes the workplace and leads employees
to feel it is acceptable to commit pilferage, industrial espionage, fraud, embezzlement,
and other workplace crimes

The bottom line is that human factors must always be considered in the development of security
strategies. For example, the security approach called crime prevention through environmental
design (CPTED) uses psychology, architecture, and other measures to encourage desirable behavior
and discourage undesirable behavior. Some critics claim that CPTED does not show a conclusive
link between the design concept and a reduction in crime. However, where CPTED has been used,
the recording agencies claim that there are fewer reported incidents when compared to similar
structures or developments within their jurisdiction.
GLOBALIZATION IN BUSINESS
Globalization brings a wider range of goods, services, vendors, suppliers, capital, partners,
and customers within a company’s reach. It also brings threats closer and may increase
vulnerabilities. Risks related to business transactions, information assets, product integrity,
corporate ethics, and liability, as well as far-flung people and facilities, expand and evolve with
increasing globalization. As the director of the U.S. Defense Intelligence Agency notes (Wilson,
2002):
Values and concepts such as political and economic openness, democracy and individual
rights, market economics, international trade, scientific rationalism, and the rule of law…
are being carried forward on the tide of globalization- money, people, information,
technology, ideas, goods and services moving around the globe at higher speeds and with
fewer restrictions.
Our adversaries increasingly understand this link. … They are adept at using globalization
against us—exploiting the freer flow of money, people, and technology … attacking the
vulnerabilities presented by political and economic openness … and using globalization’s
“downsides.”
Globalization makes it necessary for assets protection managers to consider a wider variety
of customs, cultures, laws, business practices, economic factors, language issues, workforce
characteristics, and travel requirements. A more radical vision of the impact on organizational
structures is described in William Davidow and Michael Malone’s The Virtual Corporation. They
argue that the centerpiece of the new economy is a new kind of product: the virtual product where
major business functions are outsourced with hardly any internal departmentalization. This will
give the corporate security manager even more challenges in the protection of proprietary
information, product security, supply chain security, and business continuity. As in all cases, the
dissemination of sensitive or proprietary information should be on a need-to-know basis. Security
professionals should not erect barriers to international business but instead should help their
organizations overcome those challenges and comply with the many regulations and standards that
apply around the world (Heffernan, 2006).
STANDARDS AND REGULATION
Security standards are becoming increasingly important, and their development is the subject of
much interest. The establishment of standards and guidelines has been described as the centerpiece
of a comprehensive assets protection program, especially in today’s global society (Dalton, 2003,
p. 185). This section discusses standard-setting bodies; statutory, voluntary, and mixed standards;
the use of certification and licensing as a form of standards; and the impact of regulation.
Voluntary Standards
Standards from the well-known International Organization for Standardization (ISO) and the
American National Standards Institute (ANSI) are voluntary but widely adopted. Some have been
integrated into various countries’ regulatory frameworks. ISO standards that are relevant to assets
protection involve such issues as safety and security lighting, identification cards, radio frequency
identification, protection of children, and IT and information security. In the United States,
voluntary standards are also set by the National Fire Protection Association (NFPA). Many NFPA
standards are incorporated into regulations, such as building codes.
Several standards from Underwriters Laboratories (UL) relate to security equipment, such as locks,
alarms, and access control systems. Other standards are set by trade and professional associations,
such as the Illuminating Engineering Society (lighting standards and practices) and the Electronic
Industries Association (electronic components and products).
Statutory or Regulatory Standards
Unlike voluntary standards, statutory or regulatory standards are binding under the law and can be
enforced by formal authorities. In the United States, binding security standards are promulgated in
various sources:
• Code of Federal Regulations
• National Industrial Security Program Operating Manual
• Executive Orders, Presidential Directives, and Homeland Security Policy Directives
• regulations of the Occupational Safety and Health Administration, Nuclear Regulatory
Commission, Federal Energy Regulatory Commission, and Federal Trade
Commission
An international source of binding standards is the International Maritime Organization.
Mixed Standards
The distinction between statutory and voluntary standards becomes blurred when voluntary
standards are incorporated into laws or regulations. For example, many of the requirements in
Occupational Safety and Health Administration directives are verbatim references to standards
from such organizations as the NFPA.
In other situations, a standard may remain technically voluntary but practically obligatory. For
example, security standards from UL or Factory Mutual may be used as criteria by insurers. In other
words, they may determine the availability and cost of casualty insurance based on the use of UL-
approved materials or UL-standardized practices. Contracts, too, may incorporate standards as
requirements.

INTERNATIONAL

ASTM International [Link]

International Electro-technical Commission [Link]

International Maritime Organization [Link]

International Organization for Standardization [Link]

UNITED STATES

American National Standards Institute [Link]

Department of Transportation [Link]

Federal Energy Regulatory Commission [Link]

Federal Trade Commission [Link]

National Fire Protection Association [Link]

National Institute for Standards and Technology [Link]

National Labor Relations Board [Link]

Nuclear Regulatory Commission [Link]

Occupational Safety and Health Administration [Link]/[Link]

Underwriters Laboratories [Link]/info/[Link]

Figure 3
Selected Standard-Setting Bodies

Professional Certifications and Licensing


Standards may also be implemented via professional certification and licensing. In the
security arena, ASIS International certifications are perhaps the best-known. The Certified
Protection Professional designation, established in the 1970s, recognizes a broad skill set in security
management. More recent ASIS certifications include the Physical Security Professional and
Professional Certified Investigator designations.
The International Foundation for Protection Officers offers several certifications for
security officers and supervisors: the Certified Protection Officer, Certified in Security Supervision
and Management, and Certified Protection Officer Instructor designations.
Several IT security certifications are also available, such as the Certified Information
Systems Security Professional (through the International Information Systems Security
Certification Consortium) and the Certified Information Security Manager (through the Information
Systems Audit and Control Association).
Specialized security certifications within particular industries are also becoming common
in such sectors as health care, hospitality and lodging, and finance. Finally, certification in crime
prevention is available through many state agencies and also through the International CPTED
Association.
Some jurisdictions require licensing of various types of security practitioners. Most licenses
require training, background screening, qualification, and registration. In the United States,
licensing is generally the purview of states or localities, but national licensing is under
consideration.

ASIS International [Link]/certification/[Link]

Information Systems Audit and Control Association [Link]

International CPTED Association [Link]/[Link]

International Foundation for Protection Officers [Link]

International Information Systems Security Certification Consortium [Link]

Figure 4
Selected Security Certification Web Sites
CONVERGENCE OF SECURITY SOLUTIONS
In assets protection, convergence generally means the integration of traditional and IT
security functions. A broader definition might consider convergence to be the merging of
disciplines, techniques, and tools from various fields for the purpose of protecting critical assets.
It is widely accepted that “companies’ assets are now increasingly information-based and
intangible, and even most physical assets rely heavily on information” (ASIS International, 2005).
An approach using only physical or IT security measures is insufficient. Assets protection managers
must also employ traditional information security, personnel security, technical security, and public
relations and other external communications to protect intangible assets. A true convergence
approach would also employ security architecture and design, crime prevention through
environmental design, investigations, policies and procedures, and awareness training.
HOMELAND SECURITY AND THE INTERNATIONAL SECURITY ENVIRONMENT

The terrorist attacks of September 11, 2001, made it “crystal clear that the risks and threats
of global terrorism … were no longer vague or unlikely, but rather a genuine reality” (Sennewald,
2003, p. 19). Sennewald contends that 9/11 elevated the corporate security professional to a higher
plateau of respect and recognition within the enterprise.

From an assets protection perspective, reactions to the attack have been a mixed
development. On the positive side, 9/11 raised awareness of security among decision makers and
increased the respect paid to the security profession. It also made resources available for security
enhancements and led to increased interaction among security officials, first responders, emergency
planners, and the communities they serve. On the negative side, 9/11 caused knee-jerk reactions
that resulted in wasteful spending, unnecessary security measures, misdirection of needed funds,
and the surfacing of dishonest or unqualified vendors.

Assets protection professionals should study those reactions and apply what they learn to
comprehensive assets protection strategies. That way, they can leverage the awareness and
resources available to improve their organizations’ security posture.

Still, there is a danger of overemphasizing the threat of terrorism and the practice of
homeland security. Assets protection professionals must address the broader security issues
relevant to their particular environment.
ASSESSMENT 3
LESSON 4
MANAGEMENT OF ASSETS PROTECTION

TOPICS
1. Concepts in Organizational Management.
2. Management Applications in Assets Protection.
3. Security Organization Within the Enterprise.
LEARNING OUTCOMES
At the end of the lesson, you should be able to:
1. Understand concepts of organizational management and
management applications.

In addition to technical expertise, assets protection professionals need a solid grounding in
organizational management. Success in the field, which may mean saving lives and protecting
valuable assets, depends on the proper balance of three managerial dimensions: technical expertise,
management ability, and the ability to deal with people.

Figure 5
Three Managerial Dimensions

CONCEPTS IN ORGANIZATIONAL MANAGEMENT


The job of managing involves five basic functions: planning, organizing, directing, coordinating,
and controlling.
In addition, management should be guided by two principles, called “who is the customer?” and
“quality.” These principles should become part of the organization’s culture.
Who Is the Customer?
Peter Drucker, an authority on management, suggests that “who is the customer?” is the
first and most crucial question in defining business purpose and mission (1974). The assets
protection manager must understand the purpose and mission of assets protection at the enterprise
before adopting an organizational structure.
Most organizations actually serve multiple customers. It is important to identify all of them
and to understand their interrelationships. Then the assets protection manager can sell the program
not just to executives but to all the customers of assets protection services. Figure 6 lists some of
those customers.
For a chief security officer or security director, customers might include:
• Corporate executives
• Corporate staff/managers
• Corporate employees
• Company clients
• Partners and affiliates
• Contractors
• Security team members
• Vendors and suppliers
• Other divisions of company
• Other facility users
• Stockholders

For a security product or service provider, customers might include:
• Clients
• Clients’ clients
• Potential clients
• Parent company or headquarters
• Vendors and suppliers
• Partners and consultants
• Original equipment manufacturers
• Own employees
• Other divisions of company
• Executive management
• Stockholders

For an independent consultant, customers might include:
• Clients
• Clients’ clients
• Potential clients
• Partners and associates
• Vendors and suppliers
• Own employees
• Investors
• Self

Figure 6
Assets Protection Customers

Taking a more comprehensive view of who the customers are and how best to meet their needs can
result in greater security team effectiveness. The large view also demonstrates the assets protection
manager’s commitment to the business mission as a whole, not just to the security mission. That
commitment often leads to greater respect for the assets protection function and ultimately greater
influence throughout the enterprise.

Quality

Some managers may think that quality is something in a plan on the shelf, something that is done
once, or something that belongs to the quality assurance experts. That view is wrong. Quality
“belongs to everyone, all the time” (Dalton, 2003, p.240).

As one quality consultant notes (Duffy, 2006):

One of the major definitions of quality is “conformance to customer requirements.”


Providing effective professional services or implementing a meaningful assets protection
program for the customer within appropriate resource constraints means delivering the
required level of quality. The security industry is one that must support multiple customers
with a wide variety of requirements.

Although a quality program may begin with tools, measures (metrics), and special processes, the
culture of quality should ideally become a part of the organization and be integrated into all business
practices.
A culture of quality can be developed in any type of security organization. For example, security
service providers are increasingly formalizing and standardizing their quality programs.

MANAGEMENT APPLICATIONS IN ASSETS PROTECTION


Planning, management, and evaluation are important tools in crime prevention programs (Fennelly,
2004, p. 418). A strategic approach to managing assets protection programs likewise involves all
three tools. They apply as follows:
• Planning includes developing strategic goals and objectives, aligning assets protection
objectives with the organizational vision, organizing the assets protection function in the
way that best meets objectives, and determining how the mission will be accomplished.
• Management involves conducting the day-to-day operations of the department,
communicating with others, and controlling specific tasks as well as the overall functioning
of the office.
• Evaluation involves stepping back from day-to-day activities to objectively assess how
well objectives are being met and what factors are contributing to the success or lack
thereof. Reporting, documenting, and using information to make adjustments and
improvements are all important parts of evaluation.
These tools are as applicable in the security services or products arena as they are in the corporate
or organizational setting. In a quality assurance/quality control (QA/QC) program in a firm that
provides security officers, the tools could work as follows:
• Planning may entail developing the company’s QA/QC program, obtaining executive buy-
in, preparing documentation, training supervisors, and establishing procedures.
• Management might involve implementing the program, conducting inspections, reviewing
audit reports, handling complaints and compliments, disciplining and rewarding officers
and supervisors, briefing upper management, and interacting with the client on matters
pertaining to QA/QC.
• Evaluation could consist of periodically determining whether the QA/QC program is
serving company objectives and meeting client expectations, identifying systemic
problems, and recommending process improvements.
In a corporate setting, a security department could use the tools as follows:
• Planning may entail setting strategic objectives consistent with the enterprise’s mission and
vision statements, organizing the security function within the enterprise, determining
resource requirements, establishing liaison relationships, developing policies and
procedures, and identifying staffing needs.
• Management would involve day-to-day operation of the department, personnel
management, logistics, vendor management, security systems operations, coordinating with
others internally and externally, and briefing senior executives.
• Evaluation would consist of periodically comparing performance metrics to the
department’s goals and objectives, identifying shortfalls, assessing any changes in the assets
protection environment, and recommending process improvements.
None of these functions should be neglected in favor of the others. They should be repeated
in an ongoing cycle that results in up-to-date and appropriate assets protection protocols,
procedures, and practices.
SECURITY ORGANIZATION WITHIN THE ENTERPRISE
Although each organization is unique, some basic principles apply widely to organizational
structure and management. This discussion of the security organization within an enterprise is
influenced by well-respected, much recommended security textbooks by Sennewald (2003),
Dalton (2003), McCrie (2001), and Fischer & Green (2004).
The “span of control” principle suggests that a single person can supervise only a limited
number of staff members effectively. The specific number depends on such factors as the nature of
the work and type of organization, but as a general rule one manager can effectively supervise up
to 10 people. This principle may be in jeopardy. Some observers believe that the introduction of IT
infrastructures, use of current telecommunications technology, and flattening of organizational
pyramids may enable a person to supervise as many as 100 people. In settings that emphasize self-
directed, cross-functional teams and very flat structures, span of control is less relevant. However,
traditional, hierarchical organizational structures, where span of control is important, are still
common.
Unity of command dictates that an individual report to only one supervisor. It is based on
the concept that a person cannot effectively serve the interests of two or more masters (that is,
managers). It is the supervisor’s responsibility to ensure the best performance from the unit he or
she manages. Some company structures make unity of command less important, but in most settings
employees still need a clear understanding of which policies they need to adhere to (primarily) and
who will provide day-to-day direction, quality control, and conflict resolution.
Placement of the security department within an organizational structure can greatly affect
the assets protection manager’s ability to exert influence, remain informed, and garner resources to
support his or her programs and strategies. Assets protection managers, by the nature of their
expertise, must have functional authority within the organization and be identified as part of the
corporate management team. The rule of thumb is that the senior security or assets protection
professional should be placed as high as possible in the structure of an enterprise and report directly
to senior or executive management. A common discussion today is whether security should be
placed under the chief information officer, IT security should be placed under a chief security
officer, or some other arrangement should be made. If the enterprise includes a chief risk officer,
assets protection may be placed in his or her division.
The following are some other important themes in organizational management:
• Lines of authority, responsibility, and communications should be as clear and direct
as possible.
• Individual and organizational responsibility should come with an appropriate level of
authority.
• Organizational alignments and structures should consider the interrelationships
among functions, roles, and responsibilities (with an eye on the overall mission).
• Communications channels should be structured to allow effective mission
accomplishment and interaction.
More information on the chief security officer’s role in organizational management can be found
in the Chief Security Officer Guideline, published by ASIS International (2004). It discusses roles
and responsibilities, success factors, key competencies, organizational issues, and strategy
development.
LESSON 5
BEHAVIORAL ISSUES IN ASSETS PROTECTION

TOPICS
1. Behavioral Science Theories in Management
2. Applications Of Behavioral Studies in Assets Protection

LEARNING OUTCOMES
At the end of the lesson, you should be able to:
1. explain the importance of behavioral science theories in
Management; and
2. apply behavioral studies in assets protection.

Behavioral science, the study of people and their relationships to each other, is important in assets
protection for three key reasons:
• Many security risks are the result of human threats, and behavioral science can yield
insights into human threat sources.
• Security management requires effective interaction with other people, including
collaboration, education, influence, supervision, and, most important, excellent
communication skills.
• An effective security manager must also have trust in his or her staff members and have
the ability to delegate to them not only the responsibility but also the authority to act
within their functional area.
BEHAVIORAL SCIENCE THEORIES IN MANAGEMENT
The following theories in behavioral science are widely accepted as relevant and useful in many
management applications.
Maslow’s Hierarchy of Needs
Abraham Maslow’s theory, commonly known as the hierarchy of needs, asserts that people’s
behavior is driven by basic needs at different levels. It is often depicted as a pyramid, as Figure 7
shows.

Figure 7
Maslow’s Hierarchy of Needs
The levels of the hierarchy are:
• self-actualization need: self-fulfillment, realizing one’s full potential
• esteem or recognition needs: respect from others and self
• affiliation or love needs: affectionate social and family relationships
• security or safety needs: protection from perceived harm
• physiological or survival needs: food, drink, shelter

Basic or lower-level needs must be met before a person is motivated by the next higher level of
needs.

Maslow’s theory is still widely recommended to analyze individual employee motivation strategies
and establish tailored rewards, such as pay, recognition, advancement, and time off (Buhler, 2003).

McGregor’s Theory X and Theory Y


Douglas McGregor holds that two worker models can be contrasted. Theory X contends that
workers are inherently lazy and tend to avoid work. They lack creative ambition, must be goaded,
require constant supervision, and are motivated by fear. Theory Y states that workers are naturally
motivated and want to work hard and do a good job. It assumes that workers are thoughtful, eager
to perform well, and willing to be guided and taught. McGregor stresses that programs based on
Theory Y are more successful than those based on Theory X.

Herzberg’s Motivation-Hygiene Theory


Frederick Herzberg’s motivation-hygiene theory is based on the premise that the opposite of
satisfaction is not dissatisfaction but simply no satisfaction. The theory maintains that two sets of
factors determine a worker’s motivation, attitude, and success (Buhler, 2003).

The first set is job content (motivators), such as achievement, recognition, responsibility, and
satisfaction derived from the work itself.

The second set is job context (hygienes), such as the surroundings, physical work conditions, salary,
coworkers, and other factors that are external to the work itself.

Hygiene factors (such as a fresh coat of paint on the wall) will be able to move an individual from
a state of dissatisfaction to no satisfaction, but only motivation factors can move that person from
no satisfaction to satisfaction.

The lesson is that managers should avoid quick fixes. Manipulating hygiene factors may alleviate
dissatisfaction but will not result in a state of satisfaction. Allowing an individual to reach a state
of satisfaction requires changes in the work content itself, such as increased autonomy or
responsibility (Buhler, 2003).

APPLICATIONS OF BEHAVIORAL STUDIES IN ASSETS PROTECTION


An assets protection program will not succeed unless it cultivates the willing cooperation of those
affected by it and meshes its goals with the personal goals of the workforce. Following are some
examples of how lessons from behavioral science might be employed in assets protection.

Crime Prevention and Reaction


Behavioral science has long been involved in criminology with the goal of developing better crime
prevention strategies. Through mutual cooperation, private security can play a major role in the
prevention of crime while law enforcement focuses on crime control. Continuing study is needed,
as is better communication between behavioral scientists, criminologists, and security and law
enforcement practitioners. Many questions in criminology remain unanswered in this area, but we
are seeing a major move by law enforcement to have private security more involved in crime
prevention.

Incident Management
Motivation theories may be useful in developing emergency plans, business continuity plans, and
incident response plans. A major factor in any incident is how people will react: those directly
involved in the incident, bystanders, indirectly affected persons, security forces, and first
responders.

Some data can be gathered from exercises and drills through documentation and after-action
reports. Interpreted through human motivation theories, that information may aid in the
development of plans and procedures that will help ensure a smooth response to a real incident.

Motivation theories should also be considered when developing larger-scale incident management
plans. Such theories may help in predicting how people will react when they are ordered to shelter
in place at the workplace or school—for example, whether they will accept their separation from
their family or instead evacuate immediately, regardless of the directions given.

Security Personnel Management


In supervising security officers, heading an executive protection team, staffing a security operations
center, serving as a facility security officer, performing architecture and design functions, or
administering a global assets protection program, one needs to understand what motivates people
and what demotivates them.

Motivation theory can contribute to the planning and development of a QA/QC program, a
department organizational structure, an advancement plan, assessment or evaluation criteria,
awards programs, discipline procedures, communications venues, and even dress codes. Behavioral
science plays a role in almost every aspect of personnel management.

Employee Training and Awareness


Early security training and awareness programs were based on top-down management directives,
passive compliance, and an attitude of “we do it this way because the book says we do it this way.”
The modern workforce is more sophisticated, highly educated, and independent, and security
training and awareness strategies must be designed accordingly.

Behavioral theories can guide both content and delivery methods for security training and
awareness, which has been recognized as one of the most cost-effective assets protection tools
(Webster University, 2006). In addition, security training and awareness efforts should take account
of adult learning styles and current instructional design methods. When employees can relate to the
information presented and the way it is presented, the training is more effective. Managers need to
set direction and establish a professional setting, but through training they need to avoid making
operating decisions that should be made by their supervisors and officers. As an example, when a
subordinate requests advice about a routine operational problem, the supervisor should avoid giving
a specific solution, opting instead to guide the subordinate, through an open exchange of
information, toward identifying the solution himself or herself.

Corporate Ethics
One of the first questions that comes to mind after a large-scale corporate scandal is “What could
have possibly motivated those people to do that?” Behavioral science theories may help answer
that question. They can be applied to help prevent, respond to, and recover from major white-collar
crime incidents and can also contribute to programs that address smaller-scale, everyday ethical
lapses.

Liaison and Leveraging Other Organizations


Because assets protection is a multidisciplinary venture, liaison and collaboration with a wide
variety of people, organizations, agencies, specialties, and professions is essential. Behavioral
theory can help in establishing and maintaining relationships with a network of professional
contacts, both inside and outside the assets protection manager’s organization.

Collaboration is especially valuable and challenging in a global environment that includes a wide
range of cultures, customs, and perspectives (Buhler, 2003):

The diversity of today’s workforce has further complicated an already complex
phenomenon. The differences among workers are greater than ever before. To be more
successful in motivating a diverse workforce requires, then, an understanding of the
differences among people and what makes them tick …
To become a more effective motivator, then, managers must understand as much as possible
about [motivation theory] and then pick and choose what best fits with which individuals.
The bigger the bag of motivational tools, the more likely the manager will be able to
understand employees’ needs and tailor rewards to better meet them. [This] enables
managers to get more done through
