Please use this identifier to cite or link to this item:
http://theses.ncl.ac.uk/jspui/handle/10443/6552
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Lim, Lip Khi | - |
dc.date.accessioned | 2025-09-11T11:33:14Z | - |
dc.date.available | 2025-09-11T11:33:14Z | - |
dc.date.issued | 2024 | - |
dc.identifier.uri | http://hdl.handle.net/10443/6552 | - |
dc.description | PhD Thesis | en_US |
dc.description.abstract | Organisations establish physical security procedures, systematic plans to safeguard people, assets, and information from internal and external threats, such as unauthorised access, theft or vandalism. These procedures include, but are not limited to, access control, monitoring, and incident response, ensuring that stakeholders, such as staff and visitors, understand their role in maintaining security and are adequately protected. Failure to adhere to these procedures can lead to severe consequences, such as real-world attackers exploiting tailgating tactics to access sensitive areas of a financial institution. Organisations typically maintain policy documents to track security procedures and ensure that security practices are consistent and accountable. However, these documents may be susceptible to various issues, such as incompleteness, readability, and ambiguity. The consequences of these issues can lead to misunderstandings and non-compliance, ultimately compromising security. There are extensive studies of privacy policies, particularly following the implementation of GDPR, and the detailed evaluation of access control policies, which often came with formal structures. However, to our knowledge, there is limited attention to the quality of physical security policies, which tend to be beyond the scope of privacy policies and are written in natural language. This gap hampers our ability to identify and correct potential weaknesses in security procedures, leaving organisations vulnerable to threats and security risks. This thesis presents three contributions to address this issue. The first contribution is a comprehensive survey study to identify metrics, including Readability, Clarity, Completeness, and Compliance, which are significant in the context of physical security policies. Additionally, I explore applicable methodologies to effectively assess these metrics. The second contribution is the creation of the first data-set for physical security policies (n=51). Through systematic evaluation, these policies often exhibit readability levels equivalent to college graduates or higher, potentially posing challenges for organisations with stakeholders from diverse backgrounds. Additionally, my study on ambiguity highlighted the consistent use of vague terms, complicating policy interpretation. Overall, these findings suggest that general physical security policies may be susceptible to readability and ambiguity issues. The final contribution is an innovative approach to assessing the completeness and effectiveness of physical security policies. By leveraging transfer learning for question generation and answering, I offer an alternative to traditional supervised machine learning methods that require extensive data. I demonstrate that the existing question generation model successfully generates a substantial number of questions with minimal information loss (26%), indicating a high rate of information retrieved from the policies. Question-answering models could answer 80% of the questions provided they were answerable. Additionally, the analysis identifies frequently recurring questions as a potential completeness criterion for physical security policies. By introducing novel methodologies for evaluating policy quality and effectiveness, my work fills critical gaps in existing research and equips organisations with valuable tools to enhance their security policies. This work bridges the gap between theoretical research and real-world security practices, ultimately fostering a more robust and informed approach to physical security management. | en_US |
dc.language.iso | en | en_US |
dc.publisher | Newcastle University | en_US |
dc.title | Beyond checklists : a systematic approach to assessing physical security policies | en_US |
dc.type | Thesis | en_US |
Appears in Collections: | School of Computing |
Files in This Item:
File | Description | Size | Format |
---|---|---|---|
Lim L K 2924.pdf | Thesis | 3.08 MB | Adobe PDF |
dspacelicence.pdf | Licence | 43.82 kB | Adobe PDF |
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.