Crime Analysis - ASU Center For Problem-Oriented Policing


Crime Analysis for Problem Solving Security Professionals in 25 Small Steps

Karim H. Vellani, CPP, CSC

KARIM H. VELLANI

Karim H. Vellani is an independent security consultant at Threat Analysis Group, LLC, a security consulting firm, and Past President of the International Association of Professional Security Consultants. Karim is Board Certified in Security Management (CPP), a Board Certified Security Consultant (CSC), has over 15 years of security management and forensic security consulting experience, and has a Master’s Degree in Criminal Justice Management. He is the author of two books, Applied Crime Analysis and Strategic Security Management, and has contributed to a number of other security related books and journals.

Karim developed a crime analysis methodology that utilizes the Federal Bureau of Investigation’s (FBI) Uniform Crime Report coding system and a proprietary software application called CrimeAnalysis™. Karim has also developed a Risk Assessment Methodology for Healthcare Facilities and Hospitals. In 2009, the International Association of Healthcare Security and Safety (IAHSS) published its Security Risk Assessment Guideline, which was authored by Karim at the request of IAHSS.

As an Adjunct Professor at the University of Houston - Downtown, Karim taught graduate courses in Security Management and Risk Analysis for the College of Criminal Justice’s Security Management Program. Annually, Karim instructs for the International Association of Professional Security Consultants and ASIS-International.

Karim may be contacted at (281) 494-1515 or via email at kv@threatanalysis.com.

© 2010 Karim H. Vellani. All rights reserved.

Contents

EXECUTIVE SUMMARY
READ THIS FIRST
PREPARE YOURSELF
1. Learn the POP way
2. Meet Sherlock Holmes and his successors
3. Grasp the theories
4. Know the recipe for risk
5. Understand the crime triangle
6. Change the situation
THE BUSINESS OF SECURITY
7. Know that business comes first
8. Don’t feed the lawyers
9. Know your industry
10. Know your competitors
11. Ask the right questions
SCAN FOR CRIME PROBLEMS
12. Dust off your reports
13. Avoid Social Disorganization
14. Make friends with law enforcement
15. Meet the feds
16. Review the call logs
17. Validate the calls
18. Apply your expertise
ANALYZE IN DEPTH
19. Compare apples to apples
20. Clock your crime
21. Assess the MO
22. Mimic the weight loss commercials
23. Be specific
24. Push your pins
25. Ring the bell
RESEARCH NEEDS
PRACTICAL APPLICATION OF CRIME ANALYSIS
REFERENCES
BIBLIOGRAPHY

EXECUTIVE SUMMARY

While the daily assessment of terror threats applies primarily to security professionals who are charged with protecting critical infrastructure assets, such as chemical plants, oil refineries, and transportation ports, most security professionals focus on terrorism as a high risk, low probability concern which needs to be addressed on an irregular basis. Once terrorism contingency plans, emergency procedures, and business continuity plans are established, security professionals can once again turn their attention to the daily risks that threaten an organization’s assets. Everyday crimes are the most common threat facing security professionals in protecting their assets (targets), and a thorough assessment of the specific nature of crime can reveal possible weaknesses in a facility’s security posture and provide a guide to effective solutions.

A full understanding of everyday crime at specific sites allows security professionals to select and implement appropriate countermeasures to reduce the opportunity for such incidents to occur again. Eck, Clarke and Guerette state that the greatest preventive benefits will result from focusing resources on high risk sites (“risky facilities”) because crime is heavily concentrated on particular people, places and things; that is, for any group of similar facilities, a small proportion will experience the majority of the crime (Eck J. E., 2007).

Understanding crime has the primary benefit of assisting in good security decisions, which are effective in preventing real risks in a cost effective manner. Nick Tilley argues in favor of analysis for crime prevention as a driver for formulating prevention strategies. Analysis, according to Tilley, identifies concentrations of crime where there is a potential yield from prevention efforts and that analysis can help forecast future crime problems with the hope of developing preemptive strategies. More importantly, Tilley argues that analysis “helps find the most efficient, effective, and perhaps equitable means of prevention,” what the industry might call optimization (Tilley, 2002).

Security optimization, sometimes referred to as data driven security, refers to using metrics or data to drive a security program and reduce risk. While not all elements of a security program lend themselves to measurement, many factors can be measured effectively. In larger organizations, the security department is a business unit, not unlike other business units within an organization that must justify its existence. Security, notes Gill, needs to be businesslike and show how it contributes to the financial well-being of all aspects of organizational life (Martin Gill, 2007). A key method for justifying security is to measurably reduce risk with an optimized security program.

Optimization is a concept utilized by organizations operating in dynamic environments to effectively manage risk. Security professionals face the unique challenge of providing security that reduces crime and loss, is cost effective, and does not expose their organizations to undue liability. Thus, they must not only be knowledgeable about security technologies, but also good business decision makers and risk managers. Security costs should be commensurate with the risk and provide a measurable return on investment.

This Report, then, will answer the question: How does one measure the effectiveness of a site specific security program via crime analysis? More specifically, how do security professionals provide the optimal level of security for a site that not only reduces risk, but is also cost effective?

This Report is applicable to a broad spectrum of security professionals, including security professionals, facility managers, risk managers, and property managers. Ideally, readers will use the information to optimize their security programs. While the audience for this report is broad, facilities that serve the general public, such as retail stores, banks, hotels, gas stations, and the like will have a discernable benefit.

READ THIS FIRST

The purpose of this Report is not to identify the myriad threats that face an organization, nor to discuss the many components of a threat assessment. There are many books and articles that provide high level overviews of those topics. Instead, the purpose of this Report is to identify current research in security and crime prevention and identify the means of optimizing a security program of specific sites through informed decision making; that is, through crime analysis. How does one measure the effectiveness of a site specific security program via crime analysis? More specifically, how do security professionals provide the optimal level of security for a site that not only reduces risk, but is also cost effective? And why focus on the micro rather than the macro? Why should security professionals hone in on site specific problems rather than problems that span the organization’s facilities? Eck, Clarke and Guerette argue that the greatest preventive benefits will result from focusing resources on high risk sites (“risky facilities”) because crime is heavily concentrated on particular people, places and things; that is, for any group of similar facilities, a small proportion will experience the majority of the crime (Eck J. E., 2007). Eck et al. describe three implications that result from their research on risky facilities:

1. It is productive to divide places by facility type and focus prevention on homogeneous sets of facilities (e.g. banks, grocery stores, motels, etc.)
2. Focusing on the most troublesome facilities will have greater payoff than spreading prevention across all facilities, most of which have little or no crime
3. Any prevention measure will have to involve the people who own and run the facilities (e.g. property manager, branch manager, facilities director, etc.) (Eck J. E., 2007)

PREPARE YOURSELF

1. Learn the POP way

Problem-Oriented Policing (POP) serves as a model for security practitioners. According to Herman Goldstein, an early founder of the POP approach, “problem-oriented policing is an approach to policing in which discrete pieces of police business (each consisting of a cluster of similar incidents, whether crime or acts of disorder, that the police are expected to handle) are subject to microscopic examination (drawing on the especially honed skills of crime analysts and the accumulated experience of operating field personnel) in hopes that what is freshly learned about each problem will lead to discovering a new and more effective strategy for dealing with it” (Goldstein, 2009). Security practitioners can use a similar approach to addressing site specific problems through crime analysis.

Unfortunately, very little research has been conducted into crime analysis as it applies to the private sector. In fact, one could count on one hand the number of authors who have contributed to the private sector body of work. This gap has caused many businesses and organizations to rely heavily on information and studies generated by security service companies that service the end user organizations. The good news is that there has been a significant amount of research in and for the public sector, some of which is directly applicable to private sector business. We, the security industry, can turn to that body of knowledge to adapt it to sound security practices.

2. Meet Sherlock Holmes and his successors

To quote James Lipton, we begin at the beginning. Why is crime analysis important for security professionals? Sir Arthur Conan Doyle in his Sherlock Holmes mystery, A Study in Scarlet, said, “There is a strong family resemblance about misdeeds, and if you have all the details of a thousand at your finger ends, it is odd if you can't unravel the thousand and first.” It is on that basic premise that crime analysis is based. “Crimes are patterned; decisions to commit crimes are patterned; and the process of committing a crime is patterned.” (Brantingham, 1993). A crime pattern is a group of crimes that share common characteristics but are not necessarily attributed to a particular criminal or group of criminals. Understanding crime patterns, in time, in space, of target, can drive better security decisions. Better decisions help optimize a security program. Criminologist Nick Tilley argues in favor of analysis for crime prevention as a driver for formulating prevention strategies. Analysis, according to Tilley, identifies concentrations of crime where there is a potential yield from prevention efforts and that analysis can help forecast future crime problems with the hope of developing preemptive strategies. More importantly, Tilley argues that analysis “helps find the most efficient, effective, and perhaps equitable means of prevention,” what we might call optimization (Tilley, 2002). Optimization is an act, process, or methodology of making something (as a design, system, or decision) as fully perfect, functional, or effective as possible; specifically the mathematical procedures (as finding the maximum of a function) involved in this (Merriam Webster, 2009).

3. Grasp the theories

The following discussion provides a broad overview of the theoretical underpinnings of current security practices. Security professionals often function in dual roles, prevention and response: prevent what can be prevented and be ready to respond to what cannot be prevented. As such, there are three options for responding and adapting to emerging risk:

1. Eliminating or intercepting threats before they attack
2. Blocking vulnerabilities through enhanced security
3. Reducing the consequences after the incident occurs

Logically, the best approach for mitigating risk is a combination of all three elements, decreasing threats, blocking opportunities, and reducing consequences. By way of example, we can look at the Department of Homeland Security’s efforts in the war on terror. The United States homeland security strategy may be characterized as the three P’s: Prevent, Protect, and Prepare in that the Department of Homeland Security’s strategy is to reduce the threat by way of cutting terror funding, destroying terrorist training camps, and capturing terrorists; to block opportunities through enhanced security measures such as increased airport and maritime security; and to reduce the consequences through target-hardening efforts which minimize damage such as window glazing and by shortening response and recovery times such as moving the Federal Emergency Management Agency under the Department of Homeland Security.

Environmental Criminology, which forms the foundation for much of what we do in the security field, emphasizes the importance of geographic location and architectural features as they are associated with the prevalence of criminal victimization. According to this school of thought, “crime happens when four things come together: a law, an offender, a victim or target, and a place. Environmental criminologists examine the fourth element -- place (and the time when the crime happened). They are interested in land usage, traffic patterns and street design, and the daily activities and movements of victims and offenders” (School of Criminal Justice at Rutgers University, 2009).

4. Know the recipe for risk

Noted environmental criminologist Marcus Felson states that criminal acts almost always have three elements:

1. a likely offender
2. a suitable target
3. the absence of a capable guardian against the offense (Felson, 2002)

In the field of security, reducing risk is a key goal. Risk is defined as the possibility of asset loss, damage, or destruction as a result of a threat exploiting a specific vulnerability (Vellani, 2006) or alternatively as the possibility of loss resulting from a threat, security incident, or event (ASIS-International Guidelines Commission, 2003). As illustrated below, risk exists at the intersection of assets, threats, and vulnerabilities.

When seen together, the two concepts illustrate the similarities between theory and practice:

In practice, risk managers typically utilize five strategies for mitigating risk. These strategies include avoidance, reduction, spreading, transfer and acceptance. Security is generally concerned with risk reduction, wherein security professionals are charged with reducing organizational risk by providing sufficient protection for assets. One tactic for reducing risk is to reduce the opportunity for security breaches to occur.

5. Understand the crime triangle

The effectiveness of risk reduction is based on the concept of the crime triangle, shown below, which identifies the necessary elements for crime to occur.

All three elements, motive, desire, and opportunity, must exist for a crime to occur. Capability and motive are characteristics of the criminal perpetrator. Opportunity, on the other hand, is a characteristic of the asset, or more specifically around the asset (target of crime). In the security profession, the term opportunity is used interchangeably with the term vulnerability. Eliminating or reducing opportunities (vulnerabilities) is a primary goal of most security programs. If opportunities are eliminated, crime does not occur, as illustrated below.

6. Change the situation

Once the nature of crime is known, environmental criminology tells us that there are many techniques for reaching the goal of reducing and/or eliminating opportunities. A quick scan of Situational Crime Prevention’s techniques for preventing crime also shows remarkable similarities between theory and security practices:

Twenty-Five Techniques of Situational Crime Prevention (Clarke, 2005)

Increase the Effort
1. Harden Targets
2. Control access to facilities
3. Screen exits
4. Deflect offenders
5. Control tools/weapons

Increase the Risks
6. Extend guardianship
7. Assist natural surveillance
8. Reduce anonymity
9. Utilize place managers
10. Strengthen formal surveillance

Reduce the Rewards
11. Conceal targets
12. Remove targets
13. Identify property
14. Disrupt markets
15. Deny benefits

Reduce Provocations
16. Reduce frustration and stress
17. Avoid disputes
18. Reduce emotional arousal
19. Neutralize peer pressure
20. Discourage imitation

Remove the Excuses
21. Set rules
22. Post instructions
23. Alert conscience
24. Assist compliance
25. Control drugs/alcohol

THE BUSINESS OF SECURITY

7. Know that business comes first

The phrase “it’s the economy, stupid,” coined by former President Clinton’s campaign strategist, refers to the simple and singular message of a successful political campaign. It’s equally applicable to a successful security program. Economics is a significant driver of security, both in terms of pushing dollars to reduce loss as well as pulling dollars away to cut costs and protect the bottom line. Making the business case for security is an increasingly critical function of security professionals. In larger organizations, the security department is a business unit, not unlike other business units within an organization that must justify its existence. A key method for justifying the department is to optimize security such that risk is measurably reduced, and security costs are manageable.

Optimization is a concept utilized by organizations operating in dynamic environments to effectively manage risk. Security professionals face the unique challenge of providing security that reduces crime and loss, is cost effective, and does not expose their organizations to undue liability. Success can be achieved through a carefully orchestrated balancing act of three tasks:

1. Monitoring risk in real time or near real-time
2. Deploying effective security measures which reduce risk
3. Working within reasonable financial limitations

Optimizing security is an effective method for balancing these tasks. In order to be successful at this balancing act, security professionals must not only be knowledgeable about security technologies, they must also be good business decision makers and risk managers. Security costs should not exceed reasonable budgets and preferably, provide a measurable return on investment. The security program should also effectively reduce risks to an acceptable and manageable level.

Optimization can ensure that security professionals are successful in all three of the factors outlined. How can security professionals justify a sizable and increasing security budget to senior management? By now, most security professionals are keenly aware that a security program’s success depends on the commitment and support, or buy-in from senior executives. Using anecdotal evidence to justify spending on physical security measures and costly protection personnel no longer suffices.

A security program driven by data and metrics helps drive decisions. “It replaces intuition with hard data” (Jopeck, 2000). Data and metrics justify expenses to senior management by showing the proof of success that can garner that necessary buy-in and demonstrate a convincing return on investment. Specifically, metrics guide decision making in the following areas:

• allocation of resources (money and staff);
• consideration of new technologies;
• identifying risks faced by the company; and
• implementing methods of mitigating those risks (Cavanagh, 2008).

8. Don’t feed the lawyers

Before discussing legal standards, it might be appropriate to include a disclaimer: The author is not providing legal advice and legal counsel should be consulted on these issues. With that said, two legal factors should be considered when optimizing security: Expert Testimony and Foreseeability of Crime. These factors should be considered because of the impact that negligent security litigation may have on the organization, directly and indirectly. Decisions that are made in the board room (or at least in the security conference room) may be tested during the litigation process. The validity of a security methodology or risk model will be scrutinized. Individual components that make up the broader methodology will be evaluated. Unfortunately, unless one is actively involved in the litigation process or debriefed by defense counsel, few lessons are learned that can then be applied to security decisions in the future.

The first factor is expert testimony. Expert testimony is often used when an organization is sued for negligent or inadequate security. When necessary, the defense and/or the plaintiff’s attorney retain a security expert to explain to the judge and jury what level of security is required at the property, if any, based on the risk to the organization and its assets (people, property, and information).

Experts, by definition, must rely on a sound and reliable methodology such as the one described in this report. More frequently, experts are used to determine if the defendant organization’s decision making process was sound. An organization that uses an unreliable methodology may suffer from criticism from an expert, even one that was retained by their defense counsel. Similarly, using an unreliable methodology is problematic for the primary reason that the court will not allow unreliable evidence in court. Some crime analysis methodologies are sound, while others are not.

The rule for expert testimony is rather simple: Experts cannot rely on junk science or unreliable methodologies. This rule was articulated in the U.S. Supreme Court case, Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993). Experts are routinely subjected to Daubert Challenges wherein their opinions are challenged and possibly excluded from testifying on the case at hand. Commonly referred to as the Daubert Factors, the questions asked by the court include:

1. Can the relied upon theory/technique be tested and has it been tested?
2. Has it been subjected to peer-review and publication?
3. What is the known or potential error rate?
4. Is the theory/technique accepted within the relevant field?

For the security professional, Daubert begs two questions: Was the decision making process (methodology or risk model) and data that the defendant organization used to make decisions reliable? Is the data that the expert witness uses to demonstrate adequate security, or lack thereof, reliable? Reliability, according to the U.S. Supreme Court, is determined by a tested theory which has been subjected to peer-review and publication, has a known error rate, and is accepted within the security industry. Crime analysis is the one component of a threat assessment that can meet the challenge of Daubert.

The applicability of Daubert to individual states varies by state. Some states have accepted it in whole or in part, while others have modified it or developed their own tests for admissibility of expert testimony. Daubert suggests that security practitioners should evaluate their decision making practices in light of the Daubert factors. Specifically, can each element of their risk model or methodology individually withstand the scrutiny of a Daubert challenge? In the context of this paper, is the crime analysis methodology based on research or is it based on junk science?

The second legal factor that should be considered is the foreseeability of crime. A negligent security lawsuit is a civil action brought on behalf of a person seeking damages for negligent or inadequate security against the owners and their agents of the property where the injury or loss occurred. Generally, three elements must be met in order for a Plaintiff to prevail in a premises security lawsuit. These elements are: duty, breach of duty, and proximate cause. Duty is the element we’ll focus on in this section as it directly relates to the metrics and data used by the defendant organization. Duty is determined by the foreseeability of crime:

1. Past episodes of similar or related activities on the property
2. Similar crimes in the immediate vicinity (high crime area)
3. That the facility itself attracts crime (inherent threats)

“The element of foreseeability is essentially a question of whether the criminal act was one that a reasonable person would have foreseen or reasonably anticipated, given the risk of crime that existed at the time of the assault at the property
