Data from access control system may drive future security decisions
- By Dave Bhattacharjee
- January 01, 2017
Campus security, both in a corporate and higher
education setting, can be improved by leveraging
data from access control systems to
drive future security decisions. currently,
these access control systems are used primarily
for controlling and limiting entrance to
buildings or areas within a facility. however,
the data they generate is often overlooked to
the detriment of physical security operations.
access control data, if properly leveraged, can
allow operators to detect, mitigate and prevent
a variety of risks that extend beyond
ingress and egress. if data attributes are
parsed out for situations including employee,
building, location and incident, when combined
with third-party data sets, unique business and
operational insights can be uncovered.
A TOOL FOR PROFILING RISK
One application of using access control data is to profile risk on the
campus based on empirical data rather than intuition or institutionally
accepted best practices. Many interesting opportunities are possible
for risk assessment using access control data. One example is to
create an overall Building Risk Score by factoring in weighted variables
such as the number of unauthorized access control alarms per
building, volume and type of alarms, and the presence of sensitive
locations or high-value assets such as a data center or research laboratory
within a building.
More advanced algorithms will incorporate third-party datasets such
as neighborhood crime, which can add context to the access control data.
By combining the various variables, an algorithm can be developed to
rank and score each building’s security risk, providing the security personnel
with a proactive view of risk in the campus. The high-risk buildings
can then be reviewed to ensure that they have the adequate staff
levels, the appropriate security systems are in place or to understand if
offices should be moved to a separate location. It is worth noting that over
time, each building’s rank in the risk profile will change based on external
environmental factors such as new construction and socio-economic dynamics on the periphery of the campus.
THE INSIDER THREAT - A VIEW INTO
EMPLOYEE AND STUDENT BEHAVIOR
Another important risk consideration is the
insider threat. Seventy-four percent of chief
information security officers are concerned
about employees stealing sensitive information
according to SpectorSoft. Much of this
happens when employees and students enter
premises after hours or prior to separation
from the company or educational institution.
Data from access control systems can be
parsed to pull out card holder information,
providing valuable insight into employee and
student behavior. For example, unauthorized
alarms associated with employees and students
can be visualized separately, which,
when analyzed, show any number of patterns
associated with their activity.
Sometimes, employees will have multiple
access denials within a short time period
indicating a potential problem with the
employee’s access card or system set up. Other
times, access attempts at odd hours of the day
or night, when an employee is not scheduled
to work, could be anomalous behavior and a
sign of an insider threat. In fact, insider threat
detection is enhanced when data feeds from
human resources are available with termination
dates for employees. When employees
with a documented near term termination
date display anomalous behavior, the probability
of an insider threat event increases.
Cyber threats are increasingly becoming an
issue. According to PricewaterhouseCoopers,
there were about 30 to 40 percent more cybersecurity
incidents in 2015 than in 2014. While
cybersecurity today falls within the domain of
IT, physical security professionals will soon
have to worry about threats from cyberspace
as physical security equipment increasingly
becomes Internet-Protocol enabled and,
thereby, accessible to hacks on the network
and the internet at large. There is also the consideration
of monitoring an employee’s physical
and network presence.
Consider for example, the scenario where
the access control system data has an employee
gaining physical access to an office in Boston,
but the network has that individual as
being logged in with an IP address in Houston.
Clearly, this is an anomaly and something
to be investigated. Very few organizations
currently test for anomalies in physical
and network presence. In the future, this will
become a requirement and access control data
will play an important role.
Buildings in large and sprawling corporate
campuses can generate up to two and a half
million access control events per month,
often leaving system administrators overwhelmed
by the volume of alarms triggered
and the amount of information coming in.
Because of this information overload, operators
often overlook important signals. One
solution is to use risk profile indicators to designate
areas of the campus as special “sensitive
areas” that need to be watched carefully.
The concept of zones can be introduced,
which are a designated set of panels and readers
corresponding to an area of the campus, a
set of buildings or areas within a building that
require special attention.
In these situations, analytics software can
be configured to flag unauthorized access
attempts in such vicinities. Special sensitive
areas can be monitored to understand which
employees and students used these facilities
In addition, filters on alarm events can be set
in these areas to enable a more proactive
approach to systems events. For example,
consider a scenario where a panel or reader
has not been installed correctly. It will generate
intermittent line communication errors
but this error signal is just one of many generated
If operators add an event filter to look for
line communication errors, readers that may
be malfunctioning will be detected and an
operator can be dispatched to fix the problem,
thereby, proactively securing access to a campus
building in a designated sensitive area
that might otherwise have been compromised
because of equipment failure.
VIDEO CAMERA VERIFICATION:
Combining video with incident data can significantly
improve situational awareness.
Consider this scenario: a recent review of an
organization’s data log showed that attempted
access to a door was denied. Within several
minutes of this first attempt, doors nearby
were forced open.
The assumption was made that an employee’s
access card did not work, so a key was
used instead to get into the area. There is a
high probability that those were legitimate
alarms, which should always be investigated
and—if there was video—that footage would
be used to verify the alarms.
BEYOND SECURITY –
Lastly, the data from an organization’s access
control systems cannot only be used to
improve security, but to improve workplace
operations with an eye towards reducing cost.
For example, an area of interest for many
organizations is their office footprint. This is
particularly true of organizations with flexible
work plans or a large mobile workforce.
Should the organization grow or reduce their
physical space and, if so, in what ways?
Access control systems are one source of data
which can help inform such a decision. They
can be used to generate statistics such as the
number of employees or visitors per building.
Office spaces with a low employee-per-building
ratio are candidates for consolidation, for example.
These statistics can also help to determine
the right level of workplace resource staffing per
building. By harvesting access control data, and
generating these statistics which can help
reduce the cost of operations, physical security
personnel create an opportunity
to impact the business
in ways larger than
This article originally appeared in the January 2017 issue of CSLS.