Threat Modeling

What measures should your organization take to strengthen physical security?

You can't counter threats you don't watch for. All upgrades must start with a model of your opponent.

Let's examine some common threat categories.

Hooliganism: Nuisance crimes present risks of property damage and liability. Graffiti, broken windows, damaged signage, abused construction equipment, and wanton property damage all cost money to repair. Perhaps more damaging, however, can be the legal bills. If someone gets hurt while committing petty crimes on your property, you may be held liable under tort law. We agree, it is absurd! Lawsuits are a very real threat though, and often cost millions of dollars. The headaches of cleanup costs and lawyers' fees are best avoided by proper perimeters, signage, and other physical security measures.

Activism: Ideological groups present the risks of protests and property damage. They may trespass on your property to make a statement, and can damage property in demonstrative ways. Their physical damage can range from graffiti to sabotage. Protest groups, due to their organized nature and numbers, can be difficult to dislodge. Moreover, one of the greatest risks they pose to an organization is public relations damage. The best way to avoid bad press and compelling negative images is to prevent activists from gaining access in the first place.

Petty Theft: This category includes beginner thieves, drug addicts, and crimes of opportunity. Their skills are typically unsophisticated, and rely on force over finesse. As such, their efforts tend to be slower, louder, and more noticeable. Petty thieves can be countered with proper hardware choices and good deterrence methods. While they may present a lesser threat than their more experienced colleagues, there are many petty thieves in the world. Their volume makes them a threat due to the increased likelihood of encounter.

Professional Theft: "Good thieves", as they may prefer to call themselves, typically have spent time in prison. It is in prison that petty thieves learn from more seasoned criminals. After time in prison, they leave with new, more technical skills as well as new underworld contacts. Most professional thieves work with a trusted partner who shares their risk tolerance and skewed set of criminal ethics. The team may bring on multiple assistants from their criminal social contacts for larger jobs. Professional thieves tend to work with a fence, who sells their stolen items with a modicum of deniability. This threat category is present all over the nation, in both rural and urban areas. Their skills allow them to open safes, bypass alarms, avoid cameras, and get through locked doors. They exploit what they can: improper hardware and poor security choices. They can be stopped and deterred, with proper preparation.

Terrorism: The greatest physical threats to people and property come from the violent actions of terrorists. Their targets may include religious institutions, government facilities, soft targets with high civilian presence, and more. Unlike some other threat actors, terrorists tend to not worry about being detected, and use destructive entry methods or violence to get into their targets. For this reason, the methods that counter terrorist threats can diverge significantly from those that counter thieves or infiltrators.

Industrial Espionage: Corporate spying is illegal. It is also a multibillion-dollar industry. Targets range from tech companies and auto manufacturers to less expected victims like adhesives manufacturers and gasket makers. Any product or process that takes time or money to create can often be stolen more cheaply. Industrial espionage can range from activities such as dumpster diving to recruiting employees to steal secrets from their workplace. It even includes daring break-ins and undercover infiltrations. For all the stories that make the news, many more go undetected or unreported. Companies often cover up their security lapses to protect their brand image, especially when customer records were endangered. Corporate spies make efforts to leave no trace of their presence, so their espionage may not be identified at all. The competition outpaces the target company, and no one is the wiser.

Nation-State Threats: Foreign nations present some of the most sophisticated threats. Their well-trained intelligence agencies have the resources and skills to compromise most unwitting targets. Why? Some reasons are similar to the industrial espionage example above. Traditional intelligence needs drive countries to target more than just other governments: they also target private businesses. Proprietary trade data can boost foreign companies, leading to economic benefits. The defense sector is always a target, for obvious reasons. Espionage alone is not the end of nation-state threats though. Foreign competitors can benefit greatly by crippling US infrastructure and utilities. A people without lights or running water are less prone to wax philosophic about international norms or support their government taking military action in a time of domestic crisis. This is a very compelling reason for international competitors to attempt to gain access to critical assets connected to the grid or urban utilities. While the US stops cyber threats to these targets multiple times every day, it only takes one day to get physical access to plant a device or gain network persistence from inside the facility.

After analyzing an organization and its threats, Klaxon works to select appropriate physical security improvements and policy recommendations to mitigate each threat vector. We're pleased to be able to offer our expertise to counter these threats.

If you want to consult with Klaxon, please reach out to us: