Schools reflect their communities, and crime and personal conflict can occur within school facilities. Fortunately, the level and severity of these crimes are far lower compared with the community at large, but it still is necessary to take steps to enhance safety in school facilities.
Before school officials can address crime and safety, they must know the risks, vulnerabilities and threats their facilities may face. They also must understand what they are trying to protect and which safeguards can be put into place. With this knowledge, school officials can develop a road map to reduce risk.
One of the best ways to understand the threats and vulnerabilities confronting a school facility is to perform a risk assessment. This can be done internally by qualified security personnel or by an outside group with proper capabilities.
Evaluating the facility
A risk assessment is a detailed evaluation of a facility to determine risk levels and severity. It can be used to identify ways to reduce risks and liabilities, and determine which risks are acceptable or unacceptable. It looks at assets, threats, vulnerabilities and safeguards, and provides a road map of how these items affect each other. The assessment also should provide details about how establishing or improving safeguards will affect the amount of risk for each type of incident.
The first step in assessing risk for any facility is to determine which assets need to be protected. Assets are things of value that are at risk. In a school environment, the students and staff are the top assets to protect. Other assets include the buildings and grounds, office equipment, computer equipment, school vehicles, electronic equipment, supplies, utilities and intangibles such as reputation.
The second step in a risk assessment is to determine the types of threats that the school facilities may encounter. There are 37 defined threat categories for most risk assessments. Some of the typical threats are arson, activists, fires, burglary, a disgruntled employee or student, sabotage, vandalism, theft and storms. Threats also include events such as bomb threats and terrorist attacks.
An assessment also must determine the possibility and severity of each threat. To achieve this, schools should gather data on threats in four primary areas — frequency, loss, vulnerabilities and protection:
Once the types of threats are determined, schools should investigate the annual frequency expectancy (AFE) for each type of incident. As a starting point, a standard annual frequency expectancy (SAFE) number that is based on national averages can be used. But to make the assessment as accurate as possible, use local or industry-based statistics. Local police often have AFE numbers for their respective areas.
The most accurate data available may come from police records of incidents. If no such records are available, this may be the best place for any school to start improving security. Beginning a process to track and maintain incidents will give school officials a better understanding of the challenges they face and will help future assessments by providing a benchmark.
An AFE of 1.0 would mean that a given occurrence is expected to occur once every year. As an example of an AFE, arson is expected to occur once every 50 years nationally, which equates to an AFE of .02. Some types of incidents, such as theft of personal property, typically are higher on college campuses than the national averages.
Once the assets and threats have been identified, the next step is to determine what type of loss occurs with each asset and threat. Loss can be defined in seven main categories: compromise; disruption; direct loss; indirect loss; personal injury and loss of life; theft; and intangibles. (See the sidebar for loss definitions.)
Next, a school must determine the vulnerabilities of its facilities. For a physical security risk assessment, there are 44 primary vulnerability areas to evaluate. For example, visitor control can be a vulnerability for schools. Weaknesses in this area refer to the lack of a visitor control policy, inadequate awareness and concern about visitors, inadequate processing of visitors, and lack of sufficient and properly trained personnel to escort visitors. Defining visitor-restricted areas, establishing visitor policies and enforcing those policies can reduce this weakness.
The final areas to evaluate in the first phase of an assessment are the existing safeguards at a facility. Safeguards are those security measures already in place to reduce the risk of incident. Examples of safeguards are intrusion detection and access control, closed-circuit television systems, fire suppression, vehicle controls, perimeter fencing, and multiple types of policies and procedures.
After gathering data on the four primary areas of the assessment, a school should assess current levels of compliance with existing policies and procedures.
This can be accomplished with compliance surveys. Department heads from the IT and human-resources departments, as well as security managers and staff, typically fill out these questionnaires. To ensure accuracy, questions should apply to an individual's direct area of control.
Each question should look at the level of compliance in a specific topic, and the answers should be made to equate to levels of compliance on a scale of 1 to 100, where 100 indicates full compliance. For example, to address visitor control, the statement “visitors are escorted within controlled areas at all times” could appear on the questionnaire. The respondent should be prompted to indicate the truth or accuracy of this statement. Although school policy may require visitors to be escorted at all times, in reality visitors may be escorted only 80 percent of the time. In this case, the respondent should answer 80. Typically, anything below an 85 is considered non-compliant and indicates vulnerability.
The purpose of these questionnaires is to identify vulnerabilities that were not believed to exist based on the safeguards and policies already established. They can uncover problems with dissemination of information or even problems with operation and training on specific equipment.
Determine loss expectancy
All of the information gathered to this point is used to figure out the annual loss expectancy (ALE) and single loss expectancy (SLE) for each combination of assets and threats as they are affected by every vulnerability and safeguard in place. For example, one combination would look at how vulnerable office equipment is to vandalism while taking unescorted visitors into consideration.
The resulting ALE is weighed against each asset and associated loss category to determine the loss per asset and per threat. Each type of safeguard then is factored in to determine how much ALE can be reduced by establishing or enforcing any given safeguard. The cost to establish or enforce that safeguard is then weighed annually against the reduction of risk to determine if it is cost-effective.
Some risks may be deemed as “acceptable” based upon the outcome of this assessment, while others may be deemed “unacceptable,” and steps may be necessary to attempt to mitigate this risk.
For example, the likelihood of a rape within a school facility may be very small, but should that occur, the impact on the students, staff and reputation of the school could be devastating. Even though the risk may be low, the school may deem this risk unacceptable and establish safeguards to reduce the risk as much as possible, regardless of the cost.
On the other hand, theft of supplies can be expected to occur frequently. The SLE and ALE may be relatively low depending on the value of those assets most susceptible. The cost of establishing a safeguard that could reduce this loss may be more than the actual loss itself, and the campus therefore may decide that this is an acceptable risk.
A risk assessment is a complicated but critical procedure. One cannot determine accurately the level of safety and security without thoroughly understanding what needs to be protected and from whom or what. Furthermore, the possible interactions between assets, threats, vulnerabilities and safeguards can seem endless. On the other hand, unless school officials understand a school's security situation completely, they will not be able to understand where it is headed.
Data on threats should be gathered in four primary areas:
Types of loss
For every threat to an asset, a school must identify what type of loss is associated with it. Many types of loss exist:
The negotiation of assets such as proprietary data.
The time that an asset is unavailable for use as the result of an incident. For example, a bomb threat would disrupt numerous assets — classrooms, computer networks, even student and faculty productivity time. The loss number for disruption usually is represented by the number of hours the asset is unavailable as the result of an incident.
Anything lost directly as a result of an incident.
Occurs as an indirect result of an incident. For example, in a manufacturing environment, a fire directly affects the final product and the equipment used to make that product. Because the production equipment is lost, future finished products are indirectly lost.
Personal injury and loss of life
A person hurts himself or herself, or loses his or her life as a result of an incident.
An asset is stolen.
Something that is not physical is damaged, such as a feeling or state of mind.
Matchett is a security project development engineer for Johnson Controls Inc., Milwaukee.