CCP 416 Security Design and Formulation


KARATINA UNIVERSITY

DEPARTMENT OF ARTS AND SOCIAL SCIENCES


BACHELOR OF ARTS IN CRIMINOLOGY, CRIMINAL JUSTICE & PUBLIC SAFETY
COURSE CODE: CCP 416
COURSE TITLE: SECURITY DESIGN AND FORMULATION
2024/2025 FOURTH YEAR 1ST SEM
LECTURER: COL.DR. JEREMIAH NG’ANG’A
0798709947

INTRODUCTION TO SECURITY AND ORGANIZATIONAL POLICY AND PROCEDURES

The concept of security


Security is protection from, or resilience against, potential harm (or other unwanted coercion) caused by others
by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be persons
and social groups, objects and institutions, ecosystems or any other entity or phenomenon vulnerable to
unwanted change.

Security mostly refers to protection from hostile forces, but it has a wide range of other senses: for example,
as the absence of harm (e.g. freedom from want); as the presence of an essential good (e.g. food security); as
resilience against potential damage or harm (e.g. secure foundations); as secrecy (e.g. a secure telephone line);
as containment (e.g. a secure room or cell); and as a state of mind (e.g. emotional security).

The term is also used to refer to acts and systems whose purpose may be to provide security (security company,
security police, security forces, security service, security agency, security guard, cyber security systems,
security cameras, remote guarding). Security can be physical and virtual.

Etymology
The word 'secure' entered the English language in the 16th century. It is derived from Latin securus, meaning
freedom from anxiety.

Referent
A security referent is the focus of a security policy or discourse; for example, a referent may be a potential
beneficiary (or victim) of a security policy or system.

Security referents may be persons or social groups, objects, institutions, ecosystems, or any other phenomenon
vulnerable to unwanted change by the forces of its environment. The referent in question may combine many
referents, in the same way that, for example, a nation state is composed of many individual citizens.

Context
The security context is the set of relationships between a security referent and its environment. From this
perspective, security and insecurity depend first on whether the environment is beneficial or hostile to the
referent, and also on how capable the referent is of responding to its environment in order to survive and
thrive.

Capabilities
The means by which a security entity provides for security for the referent (or is provided for) vary widely.
They include, for example:

• Coercive capabilities, including the capacity to project coercive power into the environment (e.g.
aircraft carrier, handgun, firearms);
• Protective systems (e.g. lock, fence, wall, antivirus software, air defence system, armour)
• Warning systems (e.g. alarm, radar)
• Diplomatic and social action intended to prevent insecurity from developing (e.g. conflict prevention
and transformation strategies); and
• Policy intended to develop the lasting economic, physical, ecological and other conditions of security
(e.g. economic reform, ecological protection, progressive demilitarization, militarization).

ORGANIZATIONAL POLICY
In general, organizational policies define what is or is not permitted within the organization. By doing this,
the policies establish expectations and limitations related to behavior. Organizational policies in security
include a set of guidelines and best practices put in place to protect the company, employees, and customers.
A security policy is a written document in an organization outlining how to protect the organization from
security threats, and how to handle situations when they do occur.

A security policy must identify all of a company's assets as well as all the potential threats to those assets.
Company employees need to be kept updated on the company's security policies. The policies themselves
should be updated regularly as well. In addition, a security policy should outline the key items in an organization
that require protection. This might include the company's network, its physical building, and more. It also
needs to outline the potential threats to those items. If the document focuses on cyber security, threats could
include those from the inside, such as the possibility that disgruntled employees will steal important information
or launch an internal virus on the company's network. Alternatively, a hacker from outside the company could
penetrate the system and cause loss of data, change data, or steal it. In addition, physical damage to computer
systems could occur.

When the threats are identified, the likelihood that they will actually occur must be determined. A company
must also determine how to prevent those threats. Instituting certain employee policies as well as strong
physical and network security could be a few safeguards. There also needs to be a plan for what to do when a
threat actually materializes. The security policy should be circulated to everyone in the company, and the
process of safeguarding data needs to be reviewed regularly and updated as new people come on board.

Elements of Security Policy


• Reflect the reality on the ground. Policies need to reflect what’s actually happening within the
organization. Too often, though, it’s nearly impossible to get the right people together to even
understand the situation on the ground, much less to define a policy that addresses and mitigates actual
risk.
• Be simple to understand. Policies need to be stated in a way that the audience can understand, and
they need to reflect and convey the reason the policy exists. Otherwise, the original intent of the policy gets
lost. This is especially true around software and systems deployments, where security teams and
application developers may as well be speaking different languages.
• Be enforceable but flexible. Good policy needs to be specific enough that it can be enforced, but it
also needs to be flexible and adaptive. Rigid and restrictive policy may seem like it will reduce risk,
but if it forces creative people to work around the policy in order to get their job done, the policy
becomes a failure.
• Be measurable. Any decision to implement security policy carries an anticipated return on investment.
But without actionable, instructive metrics, organizations never know if their anticipated return
(risk mitigation or reduction) is realized.
• Minimize unintended consequences. Good policy must be assessed not just for risk mitigation, but
also against the negative impact of the control.
• Be documented, to create a reference and avoid excuses.

Organizational Policies, Procedures, Standards and Guidelines


Organizations use policies and procedures to outline rules and courses of action to deal with problems.
An organization's policies and procedures help employees understand the organization’s views and values
on specific issues, and what will occur if they are not followed. Policies are general statements of how an
organization wants to behave, while procedures define exactly how to perform a task, step by step.
For instance, a security-related policy can be used to identify risks and mitigation measures.

Example of an Organization’s Policy and procedure
An organization can have a policy to implement physical security and prevent unauthorized access inside the
office premises. This policy is applicable to everyone in the organization and the general public and must be
followed strictly, without deviation. The policy may state that the public can access only up to the reception and
that beyond reception only employees are allowed. The procedure is the step-by-step instruction given to the
reception area on how to deal with anyone who is trying to cross reception and enter the
office.

Policy
All employees must identify themselves through a two-factor identification process, using an identity card
and a biometric fingerprint scan, to enter the office area.

Procedure
1) Anyone who is trying to enter the office area from reception must cross the first security guard check
point.
2) All the employees must have the identity card and show their identity card to the security guard for
verification.
3) The security guard must thoroughly check the identity card, photo of the employee, name of the
employee and card issuer's signature in the identity card to make sure that he is an employee of the
company.
4) The face of the employee must be clearly visible for security inspection.
5) Once the security guard verifies that the employee is genuine, he can move forward and scan his fingerprint
to access the office.
6) If the employee’s face is not similar to that in identity card, the security guard must contact the senior
officer of the employee or human resources department for a verification.
7) If any person who is trying to enter the office from reception cannot be verified as a genuine employee,
they must be guided out of the building by the security guard.

Standards and Guidelines


A standard is used to specify the technologies which must be used for a specific task and guidelines are
only suggestions and are not mandatory.

INTRODUCTION TO SECURITY PLAN AND DESIGN


A security plan is a documented, systematic set of policies and procedures to achieve security goals that
protect from theft, loss, or release. Plans also include agreements or arrangements with extra-entity
organizations such as local law enforcement. Plans may be a single document or incorporate other documents
and policies and procedures that work to achieve those security goals.

Entities should establish specific policies which support their plan. Security policies should document
strategies, principles, and rules which the entity follows to manage its security risks. Effective policies provide
a clear means of establishing behavioral expectation and cover the spectrum from directives to standard
operating procedures. As part of security program management, the entity should consider formally
documenting security policies covering all operational controls. Background checks and other personnel
security measures, if practical, should be vetted through the entity’s legal and human resources department.

An effective security plan should be based on the following fundamentals:


• It is built upon well documented operational processes
• It complements other plans such as biosafety, disaster recovery, continuity of operations and others.
• It does not violate any laws. Laws to consider when creating the security plan should include the
Individuals with Disabilities regulations, OSHA safety standards, and local building and fire codes.
• The entity should provide security plan training so every person understands his or her responsibilities.
• It requires reporting of all suspected security incidents and suspicious activities.
• It is reviewed at least annually and updated whenever conditions change.

Security Design Principles


The security design consists of eight principles for the design and implementation of mechanisms. These
principles draw on the ideas of simplicity and restriction.

• Simplicity makes designs and mechanisms easy to understand. Less can go wrong with simple
designs. Minimizing the interaction of system components minimizes the number of sanity checks on
data being transmitted from one component to another and also reduces the potential for
inconsistencies within a policy or set of policies.
• Restriction minimizes the power of an entity. The entity can access only information it needs. Entities
can communicate with other entities only when necessary and in as few and narrow ways as possible.
Communication is used in its widest possible sense, including that of imparting information by not
communicating.

The eight security design principles are:


1. Principle of Least Privilege:
• A subject should be given only those privileges that it needs in order to complete its task.
• The function of a subject should control the assignment of rights, not the identity of the subject.

This means that if your boss demands root access to a UNIX (multi-user computer operating system)
system that you administer, he/she should not be given that privilege unless the boss absolutely has a task
that requires such a level of access.
• If possible, the elevated rights of an individual should be removed as soon as those rights are
no longer required.

2. Principle of Fail-Safe Defaults


• Unless a subject is given explicit access to an object, it should be denied access to that object.
This principle restricts how privileges are initialized when a subject or object is created. Basically, this
principle is similar to the “Default Deny” ideas in computer security. Whenever access, privilege, or
some other security related attribute is not granted, that attribute should be denied by default.

3. Principle of Economy of Mechanism


• Security mechanisms should be as simple as possible.
This principle simplifies the design and implementation of security mechanisms. If the design and
implementation are simple, fewer possibilities exist for errors. The checking and testing process is less
complex. Interfaces between security modules are suspect areas and should be as simple as possible.

4. Principle of Complete Mediation


• All accesses to objects should be checked to ensure that they are allowed.

This principle restricts the caching of information, which often leads to simpler implementations of
mechanisms. Every time that someone tries to access an object, the system should authenticate the
privileges associated with that subject. What happens in most systems is that those privileges are cached
away for later use. The subject’s privileges are authenticated once at the initial access. For subsequent
accesses the system assumes that the same privileges are in force for that subject and object. This may or
may not be the case. The operating system should mediate each and every access to an object.
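
The following is an added example, not part of the original notes, that illustrates the Fail-Safe Defaults and Complete Mediation principles together. The class names, the subjects `alice` and `bob` and the object `payroll.csv` are hypothetical. It contrasts a handle that checks privileges once at open time (as UNIX does when a file is opened) with one that returns to the reference monitor on every access.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when the reference monitor refuses an access."""


@dataclass
class ReferenceMonitor:
    # (subject, object) -> set of rights. A pair that was never granted
    # anything is simply absent, so it has no rights: default deny.
    acl: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def grant(self, subject, obj, right):
        self.acl.setdefault((subject, obj), set()).add(right)

    def revoke(self, subject, obj, right):
        self.acl.get((subject, obj), set()).discard(right)

    def check(self, subject, obj, right):
        allowed = right in self.acl.get((subject, obj), set())
        self.audit.append((subject, obj, right, allowed))  # every decision is logged
        return allowed


class CachedHandle:
    """Privileges are checked once, when the handle is opened."""

    def __init__(self, monitor, store, subject, obj):
        if not monitor.check(subject, obj, "read"):
            raise AccessDenied(f"{subject} may not read {obj}")
        self._store, self._obj = store, obj

    def read(self):
        return self._store[self._obj]  # no further check: the decision is cached


class MediatedHandle:
    """Every read goes back to the reference monitor."""

    def __init__(self, monitor, store, subject, obj):
        self._monitor, self._store = monitor, store
        self._subject, self._obj = subject, obj

    def read(self):
        if not self._monitor.check(self._subject, self._obj, "read"):
            raise AccessDenied(f"{self._subject} may not read {self._obj}")
        return self._store[self._obj]


def try_read(handle):
    try:
        return handle.read()
    except AccessDenied:
        return "DENIED"


def run_scenario():
    store = {"payroll.csv": "constructed payroll records"}  # constructed sample data
    monitor = ReferenceMonitor()
    monitor.grant("alice", "payroll.csv", "read")

    cached = CachedHandle(monitor, store, "alice", "payroll.csv")
    mediated = MediatedHandle(monitor, store, "alice", "payroll.csv")
    before = (try_read(cached), try_read(mediated))

    # The right is withdrawn while both handles are still held.
    monitor.revoke("alice", "payroll.csv", "read")
    after = (try_read(cached), try_read(mediated))

    # bob never appears in the ACL, so the fail-safe default applies.
    bob = try_read(MediatedHandle(monitor, store, "bob", "payroll.csv"))
    return {"before": before, "after": after, "bob": bob}


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

After the revocation, the cached handle still returns the data while the mediated handle is refused; that difference is the gap the principle of complete mediation closes.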

5. Principle of Open Design


• The security of a mechanism should not depend on the secrecy of its design or implementation.
This principle suggests that complexity does not add security. This concept captures the term “security
through obscurity”. This principle not only applies to cryptographic systems but also to other computer
security related systems.

6. Principle of Separation of Privilege
• A system should not grant permission based on a single condition.
This principle is restrictive because it limits access to system entities. The principle is similar to the
separation of duty principle; thus, before a privilege is granted, some checks should be performed.
To access root, two conditions must be met:
• the user must know the root password
• the user must be in the right group (wheel)

7. Principle of Least Common Mechanism


• Mechanisms used to access resources should not be shared.
This principle is also restrictive because it limits sharing of resources. Sharing resources provides a
channel along which information can be transmitted. Hence, sharing should be minimized as much as
possible. If the operating system provides support for virtual machines, the operating system will enforce
this privilege automatically to some degree.

8. Principle of Psychological Acceptability


• Security mechanisms should not make the resource more difficult to access than if the security
mechanism were not present.
This principle recognizes the human element in computer security. If security-related software or systems
are too complicated to configure, maintain, or operate, the user will not employ the requisite security
mechanisms. This means that if a password is rejected during a password change process, the password
changing program should state why it was rejected rather than giving a cryptic error message. At the
same time, programs should not impart unnecessary information that may lead to a compromise in
security. In practice, the principle of psychological acceptability is interpreted to mean that the security
mechanism may add some extra burden, but that burden must be both minimal and reasonable.

SECURITY PLAN GOALS & OBJECTIVES


Security is everyone’s responsibility; however, overall accountability for security planning and risk
management rests with the entity’s accountable authority, supported by the chief security officer (CSO).
Security plan arrangements should support the following objectives:
a. vigilance, resilience and adaptability of personnel to security risks
b. capacity to function, including during security incidents, disruptions or emergencies
c. safety of personnel (including contractors) and those who have dealings with government (including
visitors)

d. protection of resources, information and assets held in the entity

Security Planning Approach


Successfully managing entity security risks and protecting people, information and assets requires an
understanding of what needs protecting, what the threat is and how assets will be protected. Security planning
involves designing, implementing, monitoring, reviewing and continually improving practices for security
risk management. A security plan specifies the approach, responsibilities and resources applied to managing
protective security risks. The security plan allows entities to review the degree of security risk that exists in
different areas of operations and take action to mitigate identified risks. Security risk management manages
risks across all areas of security (governance, information, personnel and physical) to determine sources of
threat and risk (and potential events) that could affect government or entity business. Security risk
management includes:
i. Security risk assessments, which are structured and comprehensive processes to identify, analyze and
evaluate security risks and determine practical steps to minimize the risks.
ii. Security risk treatments, which are the considered, coordinated and efficient actions and resources
required to mitigate or lessen the likelihood or negative consequences of risks.

Security Plan Roles and Responsibilities


The security program should define each individual’s roles and responsibilities in the system and solicit their
input for improvements. An entity should be aware of, and collaborate with, the personnel responsible for
and/or impacting security. This may include:
• Responsible Official (RO) / Alternate Responsible Official (ARO)
• Facility key control and/or access control personnel
• Alarm companies
• Security personnel who observe video
• Local law enforcement or other response forces

Key Entity Leadership


Certain parties should be involved in the process of designing and implementing the security plan. These
include but are not limited to:
• Principal Investigator (PI)
• Responsible Official (RO)
• Alternate Responsible Official (ARO)
• Security staff
• Institutional Biosafety Committee

• Laboratory Management

Threats, Risks and Vulnerabilities


When implementing the core requirement to detail threats, risks and vulnerabilities that affect the protection
of people, information and assets, entities:
a) identify the people, information (including ICT) and assets to be safeguarded
b) determine specific risks (including shared risks) to its people, information and assets (risk
identification).
c) identify and assess criticality of people, information and assets (criticality assessment)
d) identify the threats to people, information and assets (threat assessment)
e) assess the degree of susceptibility and resilience to hazards (vulnerability assessment)
f) assess the likelihood and consequence of each risk occurring (risk analysis)
g) determine adequacy of existing safeguards and whether current risks (or residual vulnerabilities) are
acceptable or not (evaluate risks)
h) implement protective security measures to mitigate or reduce identified risks to an acceptable level
(risk treatments)
i) manage residual risks (treatable and untreatable) and vulnerabilities
j) identify and accept responsibility for risks

Security Risk Assessment


Security risk assessment is the process of risk identification, analysis and evaluation to understand the risks,
their causes, consequences and probabilities. The aim is to generate a comprehensive list of threats and risks
that affect the protection of the entity’s people, information and assets and identify the sources, exposure and
potential consequences of these threats and risks. Consideration is also given to the entity’s prevailing and
emerging risk environment. Each risk is described as comprehensively as possible, so that decision-makers
can fully understand the position. This may be in the style of a formal assessment undertaken by competent
personnel, or a contracted service provider.

Identify Security Risks


Identifying security risks generates a clear, comprehensive and concise list of potential sources of risk and
threats that could impact government, entity operations or continuous delivery of services. This is achieved
by mapping the sources of risk, determining the importance of organizational and the manner in which these
elements may facilitate or inhibit this interaction. In preparing a list of security risks, consider questions like:
a) What could happen? (potential event or incident and resulting outcomes or consequences)
b) What is the likely outcome and impact of the risk eventuating?
c) When could it happen? (how frequently)
d) Where could it happen? (physical location and assets affected)
e) How could it happen? (sources, potential threats, catalysts, triggers)
f) How reliable is the information that the risk assessment is based upon?
g) Why could it happen? (causes, underlying factors, vulnerabilities or inadequacies in protective security
controls or mitigations)
h) Who could be involved or affected? (individuals or groups, stakeholders or service providers)

Criticality Assessment
Criticality assessment identifies and assigns importance to all resources (something that has value to the entity
including personnel, information and physical assets or processes that support them) that are critical to the
ongoing operation of the entity or to the national interest. Asset identification and security risk management
documents can form part of the security plan or be standalone and inform the security plan.
The criticality assessment will be different depending on the entity’s purpose, business objectives and risk
environment. Criticality assessments include:
a) Criticality ratings – the scale of the resources’ importance to the entity (eg a numerical scale 1-5 or
importance value scale such as catastrophic, significant, moderate, low, insignificant). Alternatively,
a business impact level can be applied by assessing the impact on the entity if the integrity or
availability of the resource.
b) Consequence of loss, compromise or harm – a description of what the consequence is.
c) Category – consequences can also be expressed across categories such as people, information,
property, reputation, financial, business operations or services.

Threat Assessment
Threat assessment identifies the source of harm and is used to inform the entity’s risk assessment.
Threats are assessed by determining the intent to cause harm, damage or disruption and the capability
(the potential that exists to actually cause harm or carry out intentions) of the threat source.

Vulnerability Assessment.
Vulnerability assessment identifies the degree of susceptibility and resilience of an entity to hazards. To
understand the potential of risks, it is recommended that entities assess the possible vulnerabilities to each
risk to gauge the consequence and likelihood of these risks. This process of understanding possible
vulnerabilities helps entities to prioritize the risks and guides the allocation of resources in mitigating their
effects.

Analyze Security risks
Risk analysis involves assessing the likelihood and potential consequence of each identified risk,
determining the level of risk rating and assessing whether additional controls are required.

Aims of Risk Analysis:


• Determine control effectiveness – whether the existing control measures are adequate or effective in
managing identified risks.
• Define the likelihood and consequence of the event. This is achieved by considering the:
✓ Likelihood – the chance, probability or frequency of the event occurring.
✓ Consequence – the outcome affecting objectives if the event occurs.
✓ Assign the level of risk rating based on the likelihood and consequence risk matrix.

INTRODUCTION TO PHYSICAL SECURITY AND TECHNICAL SECURITY METHODS;

ACCESS CONTROL, DETECTION, IDENTIFICATION AND DETERRENCE

Introduction to Physical Security measures

Physical security describes security measures that are designed to deny unauthorized access to facilities,
equipment and resources and to protect personnel and property from damage or harm such as espionage, theft,
or terrorist attacks.

Physical security involves the use of multiple layers of interdependent systems which include CCTV
surveillance, security guards, protective barriers, locks, access control protocols, and many other techniques.
The relationship between physical design and informal social control of crime is a new idea only in the sense
of its systematic application to the modern urban scene. Prior to the development of the modern city, most
societies took some precautions to relate security in the physical environment to a responsibility for security
actions by the inhabitants themselves. In the rush of modern urban development, however, economic and
political priorities seem to have far outweighed security priorities, with the result that many urban settings
now seem deliberately designed to discourage informal social control. Upgrading the common areas in this
way results in increased social control and an interaction between physical environment and its users that
reduces crime.

Defensible Space
Defensible space is a substitute term for the range of mechanisms—real and symbolic barriers, strongly
defined areas of influence, improved opportunities for surveillance—that combine to bring an environment
under the control of its residents. A defensible space is a living residential environment that can be employed
by inhabitants for the enhancement of their lives, while providing security for their families, neighbors, and
friends. The design for defensible space involves attempts to strengthen two basic kinds of social behavior
called territoriality and natural surveillance.

Territoriality
The classic example of territoriality is “a man’s home as his castle” tradition of the single-family home and
its surroundings. In this tradition, the family lays claim to its own territory and acts to protect it. This image
of the home as a castle reinforces itself by the very act of its position on an integral piece of land buffered
from neighbors and the public street by intervening grounds. As the urban setting has grown, the single-family
home has become, to developers, an economic liability. Family housing has morphed into townhouse
apartment complex, high-rise apartment structure, and massive public housing project. Whatever the benefits
of this transition, the idea of territoriality has been largely lost in the process.

The result is that “most families living in an apartment building experience the space outside their apartment
unit as distinctly public; in effect, they relegate responsibility for all activity outside the immediate confines
of their apartment to the public authorities.” As residents are forced by the physical design of their surroundings
to abandon claim to any part of the outside world, the hallways, stairways, lobbies, grounds, parking lots, and
streets become a kind of no-man’s land in which criminals can operate almost at will.

Natural Surveillance
The increased presence of human observers, which territoriality brings, can lead to higher levels of natural
surveillance in all areas of residential space. However, the simple presence of increased numbers of potential
observers is not enough, because for natural surveillance to be effective, it must include an action component.
The probability that an observer will act to report an observed crime or intervene in it depends on:
• The degree to which the observer feels that his personal or property rights are violated by the observed
act
• The extent to which the observer is able to identify with the victim or property under attack
• The level of the observer’s belief that his action can help, on the one hand, and not subject him to
reprisals on the other.
Obviously, the probability for both observation and action is greatly improved by physical conditions, which
create the highest possible levels of visibility.

Physical Security Threats

Theft and Burglary


Theft and burglary are a bundled deal because of how closely they are related. Theft and burglary are two
of the most common types of physical security threats, and they are some of the easiest to protect against.
Burglary and theft can impede safety at home or derail the progress of businesses.

Vandalism
Vandalism is defined as any activity that involves the deliberate destruction, damage, or defacement of
public or private property. Vandalism is often glorified in the media, but the truth is that in many ways it
violates some of the physical security measures that people have worked hard to put in place. Not only does
it destroy some of these physical measures, but it also takes a toll on many of the resources that required
hefty investments of time and money.

Terrorism
Acts of terror are easily identifiable as physical security threats, much more than any of the other measures
that might be listed. It is a physical security threat that transcends offices and homes and it is something
that even countries have to contend with. This is mostly because acts of terror are brazen and are often
widely publicized. The thing about terrorism is the fact that it is able to pervade several different facets of
physical security and compromise each of these on an almost equal level. This means that acts of terror are
a threat to the physical security of your company, your home and to some aspects of your personal security.

Natural Disasters
There is a broad scope of natural disasters that people will have to deal with at some point in time and these
disasters range from earthquakes, floods, wildfires, etc. Keep in mind that some of these disasters can also
be man-made, namely floods and fires. Not every flood or fire is going to be as a result of a natural disaster.
The loss of resources and damage to property can end up being very costly by the time it is all said and
done. This tends to take a very huge toll on physical security measures, and it is one of the harshest physical
security threats that any organization or individual will have to deal with at any time.
One of the best ways to combat and mitigate the danger and effects of a natural disaster is to invest in
equipment that helps you stay alert. This equipment usually includes sensors and alarms that are meant to
keep people aware and alert.

METHODS OF SECURITY DESIGN

The four layers of physical security are deterrence, access control, detection, and identification.

The goal of deterrence methods is to convince potential attackers that a successful attack is unlikely due to
strong defenses.

The Four Layers of Physical Security

Organizations’ property and premises are constantly at risk of theft, particularly when their physical assets
aren't fully secure. The best way to keep thieves at bay is to break down security into four layers: deterrence,
access control, detection and identification.

Deterrence

➢ Placing keys in a secure key control system made of heavy-duty materials like steel can help prevent
criminals from gaining access to high-security rooms or assets.
➢ An electronic key control system that requires employees to log in by entering a unique password,
swiping a proximity card or scanning their fingerprint will also make it more difficult for employees
to commit internal theft.
➢ Some systems will even automatically record the times employees take and return keys, creating a
real-time verifiable audit trail.

Access Control

➢ Facilities that do not monitor who can access keys and high-value assets could be missing a vital
layer of security.
➢ Implementing a key control system to manage a business's keys can limit which keys are available
to users based on job function, time of day and even day of the week, and can prevent employees from
accessing restricted areas and items after hours.

Detection

➢ If a manual key control is in use such as a pegboard or lockbox, there is no way of detecting the exact
moment a key has been requested by an unauthorized user or has exceeded its time limit.
➢ By implementing an electronic key control system, triggers to sound an alarm or send a text or email
to the system administrator can be devised. Such triggers include unauthorized users attempting to
access the system, overdue keys or a system drawer being left open for too long.
➢ By alerting on the overdue return of keys and other suspicious activity, the system helps to identify and
resolve potential security breaches.

Identification

➢ Employee accountability only goes so far. Using a key control system with a video camera and
biometric fingerprint reader can eliminate the risk of password sharing and identify who accesses the
system.

➢ Adding a motion-activated video camera to the control system will record any person who approaches the
system, even if the person doesn't attempt to log on.
➢ While a video camera can help to recognize faces, a fingerprint reader will distinguish individuals on
a biometric level.
➢ The system will only unlock for a registered fingerprint from an authorized user and since no two
fingerprints are alike, it will be known exactly who’s accessing the system.

Deterrence methods through environmental design:


The initial layer of security for a campus, building, office, or other physical space uses crime prevention
through environmental design to deter threats. Some of the most common examples are also the most basic:
warning signs or window stickers, fences, vehicle barriers, vehicle height-restrictors, restricted access
points, security lighting and trenches.

Physical Barriers
Physical barriers such as fences, walls, and vehicle barriers act as the outermost layer of security. They serve
to prevent, or at least delay, attacks, and also act as a psychological deterrent by defining the perimeter of the
facility and making intrusions seem more difficult. Tall fencing, topped with barbed wire, razor wire or metal
spikes, is often emplaced on the perimeter of a property, generally with some type of signage that warns
people not to attempt to enter. However, in some facilities imposing perimeter walls/fencing will not be
possible (e.g. an urban office building that is directly adjacent to public sidewalks) or it may be aesthetically
unacceptable (e.g. surrounding a shopping center with tall fences topped with razor wire); in this case, the
outer security perimeter will be defined as the walls/windows/doors of the structure itself. Similarly, buildings
may have internal barriers to defeat weapons as well as fire and heat. An example would be a counter at a
police station or embassy, where the public may access a room but talk through security glass to employees
behind it.

Natural Surveillance and Security Lighting

Another major form of deterrence that can be incorporated into the design of facilities is natural surveillance,
whereby architects seek to build spaces that are more open and visible to security personnel and authorized
users, so that intruders/attackers are unable to perform unauthorized activity without being seen. An example
would be decreasing the amount of dense, tall vegetation in the landscaping so that attackers cannot conceal
themselves within it, or placing critical resources in areas where intruders would have to cross over a wide,
open space to reach them (making it likely that someone would notice them).

Security lighting is another effective form of deterrence. Intruders are less likely to enter well-lit areas for fear
of being seen. Doors, gates, and other entrances, in particular, should be well lit to allow close observation of
people entering and exiting. When lighting the grounds of a facility, widely distributed low-intensity lighting
is generally superior to small patches of high-intensity lighting, because the latter can have a tendency to
create blind spots for security personnel and CCTV cameras. It is important to place lighting in a manner that
makes it difficult to tamper with (e.g. suspending lights from tall poles), and to ensure that there is a backup
power supply so that security lights will not go out if the electricity is cut off.

Digital Security Function for Intrusion Detection and Control

Alarm Systems and sensors


Alarm systems can be installed to alert security personnel when unauthorized access is attempted. Alarm
systems work in tandem with physical barriers, mechanical systems, and security guards, serving to trigger a
response when these other forms of security have been breached. They consist of sensors including motion
sensors, contact sensors, and glass break detectors.

However, alarms are only useful if there is a prompt response when they are triggered. In the reconnaissance
phase prior to an actual attack, some intruders will test the response time of security personnel to a deliberately
tripped alarm system. By measuring the length of time it takes for a security team to arrive (if they arrive at
all), the attacker can determine if an attack could succeed before authorities arrive to neutralize the threat.
Loud audible alarms can also act as a psychological deterrent, by notifying intruders that their presence has
been detected. In some jurisdictions, law enforcement will not respond to alarms from intrusion detection
systems unless the activation has been verified by an eyewitness or video.

CCTV Surveillance
Surveillance Cameras can be a deterrent when placed in highly visible locations, and are also useful for
incident verification and historical analysis. For example, if alarms are being generated and there is a camera
in place, the camera could be viewed to verify the alarms. In instances when an attack has already occurred
and a camera is in place at the point of attack, the recorded video can be reviewed. Although the term closed-
circuit television (CCTV) is common, it is quickly becoming outdated as more video systems lose the closed
circuit for signal transmission and are instead transmitting on IP camera networks.

Video monitoring does not necessarily guarantee that a human response is made to an intrusion. A human
must be monitoring the situation in real time in order to respond in a timely manner. Otherwise, video
monitoring is simply a means to gather evidence to be analyzed at a later time. However, advances in
information technology are reducing the amount of work required for video monitoring, through
automated video analytics.

The detection of intruders using video surveillance has limitations based on economics and the nature of video
cameras. Typically, cameras outdoors are set to a wide angle view and yet look out over a long distance. Frame
rate per second and dynamic range to handle brightly lit areas and dimly lit ones further challenge the camera
to actually be adequate to see a moving human intruder. At night, even in illuminated outdoor areas, a moving
subject does not gather enough light per frame per second and so, unless quite close to the camera, will appear
as a thin wisp or barely discernible ghost or completely invisible. Conditions of glare, partial obscuration, rain,
snow, fog, and darkness all compound the problem. Even when a human is directed to look at the actual
location on a monitor of a subject in these conditions, the subject will usually not be detected. The A.I. is able
to impartially look at the entire image and all cameras' images simultaneously. Using statistical models of
degrees of deviation from its learned pattern of what constitutes the human form it will detect an intruder with
high reliability and a low false alert rate even in adverse conditions. Its learning is based on approximately a
quarter million images of humans in various positions, angles, postures, and so forth.

Artificial Intelligence for Video Surveillance


Artificial Intelligence computer software programs analyze the audio and images from video surveillance
cameras in order to recognize humans, vehicles, objects and events. Security contractors program the
software to define restricted areas within the camera's view (such as a fenced off area, a parking lot but not
the sidewalk or public street outside the lot) and program for times of day (such as after the close of business)
for the property being protected by the camera surveillance. The artificial intelligence ("A.I.") sends an alert
if it detects a trespasser breaking the "rule" set that no person is allowed in that area during that time of day.

The A.I. program functions by using machine vision. Machine vision is a series of algorithms, or mathematical
procedures, which work like a flow-chart or series of questions to compare the object seen with hundreds of
thousands of stored reference images of humans in different postures, angles, positions and movements. The
A.I. asks itself if the observed object moves like the reference images, whether it is approximately the same
size height relative to width, if it has the characteristic two arms and two legs, if it moves with similar speed,
and if it is vertical instead of horizontal. Many other questions are possible, such as the degree to which the
object is reflective, the degree to which it is steady or vibrating, and the smoothness with which it moves.
Combining all of the values from the various questions, an overall ranking is derived which gives the A.I. the
probability that the object is or is not a human. If the value exceeds a limit that is set, then the alert is sent. It
is characteristic of such programs that they are self-learning to a degree, learning, for example that humans or
vehicles appear bigger in certain portions of the monitored image – those areas near the camera – than in other
portions, those being the areas farthest from the camera.

In addition to the simple rule restricting humans or vehicles from certain areas at certain times of day, more
complex rules can be set. The user of the system may wish to know if vehicles drive in one direction but not
the other. Users may wish to know that there are more than a certain preset number of people within a particular
area. The A.I. is capable of maintaining surveillance of hundreds of cameras simultaneously. Its ability to spot
a trespasser in the distance or in rain or glare is superior to humans' ability to do so.

This type of A.I. for security is known as "rule-based" because a human programmer must set rules for all of
the things for which the user wishes to be alerted. This is the most prevalent form of A.I. for security. Many
video surveillance camera systems today include this type of A.I. capability. The hard-drive that houses the
program can either be located in the cameras themselves or can be in a separate device that receives the input
from the cameras.
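The rule-based alerting described above can be sketched as follows. This is an added example, not code from the course notes or from any surveillance product: the zone coordinates, rule names, the 0.8 score limit and the sample detections are all constructed assumptions, and the detector that produces the probability scores is taken as given.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Detection:
    when: datetime
    label: str     # "person" or "vehicle", as classified by the analytics
    score: float   # probability that the object really is that class
    x: float       # position in the image, 0..1 from left to right
    y: float       # position in the image, 0..1 from top to bottom


@dataclass(frozen=True)
class Rule:
    name: str
    label: str
    zone: tuple            # polygon vertices in image coordinates
    start: time            # rule is active from start ...
    end: time              # ... to end (may wrap past midnight)
    max_allowed: int = 0   # alert when more than this many objects are in the zone


def in_window(t, start, end):
    if start == end:                 # convention used here: active all day
        return True
    if start < end:
        return start <= t < end
    return t >= start or t < end     # window wraps midnight, e.g. 18:00-06:00


def in_polygon(x, y, poly):
    """Ray-casting point-in-polygon test."""
    inside = False
    for i in range(len(poly)):
        (x1, y1), (x2, y2) = poly[i], poly[(i + 1) % len(poly)]
        if (y1 > y) != (y2 > y):
            if x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
                inside = not inside
    return inside


def evaluate(frames, rules, limit=0.8):
    """frames: list of frames, each a list of Detection. Returns alert tuples."""
    alerts = []
    for frame in frames:
        for rule in rules:
            hits = [d for d in frame
                    if d.label == rule.label and d.score >= limit
                    and in_window(d.when.time(), rule.start, rule.end)
                    and in_polygon(d.x, d.y, rule.zone)]
            if len(hits) > rule.max_allowed:
                alerts.append((hits[0].when, rule.name, len(hits)))
    return alerts


# Constructed zones: the parking lot, and an entrance area in the same camera view.
LOT = ((0.0, 0.4), (0.6, 0.4), (0.6, 1.0), (0.0, 1.0))
ENTRANCE = ((0.6, 0.0), (1.0, 0.0), (1.0, 0.4), (0.6, 0.4))
RULES = [
    Rule("lot after hours", "person", LOT, time(18, 0), time(6, 0)),
    Rule("entrance crowd", "person", ENTRANCE, time(0, 0), time(0, 0), max_allowed=3),
]


def sample_frames():
    """Constructed detections covering the cases discussed in the text."""
    d1, d2 = (2025, 3, 3), (2025, 3, 4)
    crowd = [Detection(datetime(*d1, 12, 0), "person", 0.9, x, y)
             for x, y in ((0.7, 0.1), (0.8, 0.2), (0.9, 0.1), (0.75, 0.3))]
    return [
        crowd,                                                      # 4 people > 3
        [Detection(datetime(*d1, 14, 0), "person", 0.95, 0.3, 0.7)],   # business hours
        [Detection(datetime(*d1, 22, 30), "person", 0.97, 0.8, 0.7)],  # on the sidewalk
        [Detection(datetime(*d1, 22, 31), "person", 0.55, 0.3, 0.7)],  # below the limit
        [Detection(datetime(*d1, 22, 32), "person", 0.91, 0.3, 0.7)],  # trespasser
        [Detection(datetime(*d2, 2, 10), "person", 0.88, 0.2, 0.9)],   # after midnight
    ]


if __name__ == "__main__":
    for when, rule_name, count in evaluate(sample_frames(), RULES):
        print(when.isoformat(), rule_name, count)
```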

A newer, non-rule-based form of A.I. for security called "behavioral analytics" has been developed. This
software is fully self-learning with no initial programming input by the user or security contractor. In this type
of analytics, the A.I. learns what is normal behavior for people, vehicles, machines, and the environment based
on its own observation of patterns of various characteristics such as size, speed, reflectivity, color, grouping,
vertical or horizontal orientation and so forth. The A.I. normalizes the visual data, meaning that it classifies
and tags the objects and patterns it observes, building up continuously refined definitions of what is normal
or average behavior for the various observed objects. After several weeks of learning in this fashion it can
recognize when things break the pattern. When it observes such anomalies it sends an alert. For example, it is
normal for cars to drive in the street. A car seen driving up onto a sidewalk would be an anomaly. If a fenced
yard is normally empty at night, then a person entering that area would be an anomaly.

Introduction to Security Access Control Systems


Access Control
In the fields of physical security and information security, access control (AC) is the selective restriction of
access to a place or other resource. The act of accessing may mean consuming, entering, or using. Permission
to access a resource is called authorization. Locks and login credentials are two analogous mechanisms of
access control.
There are two types of access control: physical and logical. Physical access control limits access to campuses,
buildings, rooms and physical IT assets. Logical access control limits connections to computer networks,
system files and data.

Physical access control is a matter of who, where, and when. An access control system determines who is
allowed to enter or exit, where they are allowed to exit or enter, and when they are allowed to enter or exit.
Historically, this was partially accomplished through keys and locks. When a door is locked, only someone
with a key can enter through the door, depending on how the lock is configured. Mechanical locks and keys:
• Do not allow restriction of the key holder to specific times or dates.
• Do not provide records of the key used on any specific door.
• Can be easily copied or transferred to an unauthorized person.

When a mechanical key is lost or the key holder is no longer authorized to use the protected area, the locks
must be re-keyed. To secure a facility, organizations use electronic access control systems that rely on user
credentials, access card readers, auditing and reports to track employee access to restricted business locations
and proprietary areas, such as data centers. Some of these systems incorporate access control panels to restrict
entry to rooms and buildings as well as alarms and lockdown capabilities to prevent unauthorized access or
operations. Access control systems perform identification, authentication and authorization of users and
entities by evaluating required login credentials that can include passwords, personal identification numbers
(PINs), biometric scans, security tokens or other authentication factors. Multifactor authentication, which
requires two or more authentication factors, is often an important part of layered defense to protect access
control systems.

Types of access control


Access controls are necessary to protect the confidentiality, integrity, and availability of objects (and by
extension, their information and data). The term access control is used to describe a broad range of controls,
from forcing a user to provide a valid username and password to log on to preventing users from gaining
access to a resource outside of their sphere of access. Access controls can be divided into the following seven
functions or purposes:

1. Preventative access control: A preventative access control is deployed to stop unwanted or
unauthorized activity from occurring. Examples of preventative access controls include fences, locks,
biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification,
penetration testing, access control methods, encryption, auditing, presence of security cameras or
closed-circuit television (CCTV), smart cards, callback, security policies, security awareness training,
and antivirus software.
2. Deterrent access control: A deterrent access control is deployed to discourage the violation of security
policies. A deterrent control picks up where prevention leaves off. The deterrent doesn't stop with
trying to prevent an action; instead, it gets further to exact consequences in the event of an attempted
or successful violation. Examples of deterrent access controls include locks, fences, security badges,
security guards, mantraps, security cameras, trespass or intrusion alarms, separation of duties, work
task procedures, awareness training, encryption, auditing, and firewalls.
3. Detective access control: A detective access control is deployed to discover unwanted or unauthorized
activity. Often detective controls are after-the-fact controls rather than real-time controls. Examples of
detective access controls include security guards, guard dogs, motion detectors, recording and
reviewing of events seen by security cameras or CCTV, job rotation, mandatory vacations, audit trails,
intrusion detection systems, violation reports, honey pots, supervision and reviews of users, incident
investigations, and intrusion detection systems.
4. Corrective access control: A corrective access control is deployed to restore systems to normal after
an unwanted or unauthorized activity has occurred. Usually corrective controls have only a minimal
capability to respond to access violations. Examples of corrective access controls include intrusion
detection systems, antivirus solutions, alarms, mantraps, business continuity planning, and security
policies.
5. Recovery access control: A recovery access control is deployed to repair or restore resources,
functions, and capabilities after a violation of security policies. Recovery controls have more advanced
or complex capability to respond to access violations than a corrective access control. For example, a
recovery access control can repair damage as well as stop further damage. Examples of recovery access
controls include backups and restores, fault tolerant drive systems, server clustering, antivirus
software, and database shadowing.
6. Compensation access control: A compensation access control is deployed to provide various options
to other existing controls to aid in the enforcement and support of a security policy. Examples of
compensation access controls include security policy, personnel supervision, monitoring, and work
task procedures. Compensation controls can also be considered to be controls used in place of or
instead of more desirable or damaging controls. For example, if a guard dog cannot be used because
of the proximity of a residential area, a motion detector with a spotlight and a barking sound playback
device can be used.
7. Directive access control: A directive access control is deployed to direct, confine, or control the
actions of subjects to force or encourage compliance with security policies. Examples of directive
access controls include security guards, guard dogs, security policy, posted notifications, escape route
exit signs, monitoring, supervising, work task procedures, and awareness training.

Access controls can be further categorized by how they are implemented. In this case, the categories are
administrative, logical/technical, or physical.

• Administrative access controls: Administrative access controls are the policies and procedures
defined by an organization's security policy to implement and enforce overall access control.
Administrative access controls focus on two areas: personnel and business practices (e.g., people and
policies). Examples of administrative access controls include policies, procedures, hiring practices,
background checks, data classification, security training, vacation history, reviews, work supervision,
personnel controls, and testing.
• Logical/technical access controls: Logical access controls and technical access controls are the
hardware or software mechanisms used to manage access to resources and systems and provide
protection for those resources and systems. Examples of logical or technical access controls include
encryption, smart cards, passwords, biometrics, constrained interfaces, access control lists (ACLs),
protocols, firewalls, routers, intrusion detection systems, and clipping levels.
• Physical access controls: Physical access controls are the physical barriers deployed to prevent direct
contact with systems or portions of a facility. Examples of physical access controls include guards,
fences, motion detectors, locked doors, sealed windows, lights, cable protections, laptop locks, swipe
cards, guard dogs, video cameras, mantraps, and alarms.
Use of Access Control
The goal of access control is to minimize the risk of unauthorized access to physical and logical systems.
Access control is a fundamental component of security compliance programs that ensures security technology
and access control policies are in place to protect confidential information, such as customer data. Most
organizations have infrastructure and procedures that limit access to networks, computer systems,
applications, files and sensitive data, such as personally identifiable information and intellectual property.

Implementing access control measures


Access control is a process that is integrated into an organization's IT environment. It can involve identity and
access management systems. These systems provide access control software, a user database, and management
tools for access control policies, auditing and enforcement.

When a user is added to an access management system, system administrators use an automated provisioning
system to set up permissions based on access control frameworks, job responsibilities and workflows. The best
practice of least privilege restricts access to only resources that an employee requires to perform their
immediate job functions. A common security issue is failure to revoke credentials and access to systems and
data when an individual moves into a different job internally or leaves the company.

Methods of Access Control


Access control methods are used to monitor and control traffic through specific access points and areas of the
secured facility. This is done using a variety of systems including CCTV surveillance, identification
cards, security guards, and electronic/mechanical control systems such as locks, doors, turnstiles and gates.

Mechanical access control systems


• Mechanical access control systems include turnstiles, gates, doors, and locks. Key control of the locks
becomes a problem with large user populations and any user turnover. Keys quickly become
unmanageable, often forcing the adoption of electronic access control.

Fail Safe vs. Fail Secure Locks


Fail Secure
Fail secure locks automatically lock when power is lost, i.e. these locks need power in order to open or unlock.
This type of lock is the standard kind used for many access control systems. In fail secure locks, the doors
stay unlocked unless power is interrupted. The locks ensure that inventory, equipment, and other sensitive or
expensive items remain safe from intruders during power outages. These locks work best for doors to areas
that contain highly valuable items, such as IT rooms or rooms containing inventory. If there is a power outage
in a building, the doors to these areas will automatically lock, which helps prevent unauthorized entry.
Fail Safe
Failsafe locks open when power is lost. These locks need power in order to lock or secure the door. This type
of lock is commonly used for doors where building occupants might need to make a quick exit for
emergencies, such as fire exit doors or doors to stairwells. When the power is on, these doors stay locked.
These locks can be used to ensure that no one’s life will be in danger if a power outage occurs. NB: fire exit
doors are required to have failsafe locks rather than fail secure locks.

Factors to Consider
When deciding whether to utilize failsafe or fail secure electronic or magnetic locks for the doors, you’ll need
to consider a few factors. For example, during a power outage, would a locked door endanger lives? Would
an unlocked door put equipment at risk of theft? Remember that outlet doors, such as fire exits, should have
failsafe locks, while most other doors in an office or building, such as the front office door or the door to the
IT room, should have fail secure locks. Another factor to consider is energy usage. Failsafe locks need a
constant supply of power in order to remain locked, which means they cost more money.

Electronic access control systems


• Electronic access control manages large user populations, controlling for user lifecycles, times, dates,
and individual access points. For example, a user's access rights could allow access from 0700h to
1900h Monday through Friday and expire in 90 days. These access control systems are often
interfaced with turnstiles for entry control in buildings to prevent unauthorized access. The use of
turnstiles also reduces the need for additional security personnel to monitor each individual entering
the building allowing faster throughput. An additional sub-layer of mechanical/electronic access
control protection is reached by integrating a key management system to manage the possession and
usage of mechanical keys to locks or property within a building or campus.
• Electronic access control uses computers to solve the limitations of mechanical locks and keys. A wide
range of credentials can be used to replace mechanical keys. The electronic access control system
grants access based on the credential presented. When access is granted, the door is unlocked for a
predetermined time and the transaction is recorded. When access is refused, the door remains locked
and the attempted access is recorded. The system will also monitor the door and alarm if the door is
forced open or held open too long after being unlocked.

Identification systems and access policies


• Another form of access control (procedural) includes the use of policies, processes and procedures to
manage the ingress into the restricted area. An example of this is the deployment of security personnel
conducting checks for authorized entry at predetermined points of entry. This form of access control
is usually supplemented by the earlier forms of access control (i.e. mechanical and electronic access
control), or simple devices such as physical passes.

Security personnel
• Security personnel play a central role in all layers of security. All of the technological systems that are
employed to enhance physical security are useless without a security force that is trained in their use
and maintenance, and which knows how to properly respond to breaches in security. Security
personnel perform many functions: as patrols and at checkpoints, to administer electronic access
control, to respond to alarms, and to monitor and analyze video.
• Geographical access control may be enforced by personnel (e.g., border
guard, bouncer, ticket checker), or with a device such as a turnstile. There may be fences to avoid
circumventing this access control. An alternative of access control in the strict sense (physically
controlling access itself) is a system of checking authorized presence, see e.g. Ticket controller
(transportation). A variant is exit control, e.g. of a shop (checkout) or a country.

Access control operation system

When a credential is presented to a reader, the reader sends the credential's information, usually a number, to
a control panel, a highly reliable processor. The control panel compares the credential's number to an access
control list, grants or denies the presented request, and sends a transaction log to a database. When access is
denied based on the access control list, the door remains locked. If there is a match between the credential and
the access control list, the control panel operates a relay that in turn unlocks the door. The control panel also
ignores a door open signal to prevent an alarm. Often the reader provides feedback, such as a flashing
red LED for an access denied and a flashing green LED for an access granted.

The above description illustrates a single factor transaction. Credentials can be passed around, thus subverting
the access control list. For example, Alice has access rights to the server room, but Bob does not. Alice either
gives Bob her credential, or Bob takes it; he now has access to the server room. To prevent this, two-factor
authentication can be used. In a two factor transaction, the presented credential and a second factor are needed
for access to be granted; another factor can be a PIN, a second credential, operator intervention, or a biometric
input.
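The panel decision described above, including the schedule-and-expiry example (0700h to 1900h, Monday through Friday, 90 days) and the Alice/Bob case, can be modelled as below. This is an added example, not code from the course notes or from any vendor's panel: the card numbers, the PIN, the door names and the choice of PBKDF2 for storing the PIN are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional

WEEKDAYS = frozenset(range(5))  # Monday=0 .. Friday=4


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash so the panel never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass(frozen=True)
class AccessRight:
    door: str
    days: frozenset   # weekdays on which access is allowed
    start: time       # first permitted time of day
    end: time         # last permitted time of day
    expires: date     # last valid day of the right


@dataclass
class Cardholder:
    name: str
    rights: list
    salt: bytes = b""
    pin_hash: Optional[bytes] = None


class ControlPanel:
    def __init__(self, acl, two_factor_doors=()):
        self.acl = acl                              # credential number -> Cardholder
        self.two_factor_doors = set(two_factor_doors)
        self.log = []                               # every transaction, granted or denied

    def _decide(self, door, credential, when, pin):
        holder = self.acl.get(credential)
        if holder is None:
            return "DENY", "unknown credential"
        right = next((r for r in holder.rights if r.door == door), None)
        if right is None:
            return "DENY", "no access right for this door"
        if when.date() > right.expires:
            return "DENY", "access right expired"
        in_hours = right.start <= when.time() <= right.end
        if when.weekday() not in right.days or not in_hours:
            return "DENY", "outside permitted schedule"
        if door in self.two_factor_doors:
            if pin is None or holder.pin_hash is None:
                return "DENY", "second factor missing"
            if not hmac.compare_digest(hash_pin(pin, holder.salt), holder.pin_hash):
                return "DENY", "second factor wrong"
        return "GRANT", "ok"

    def present(self, door, credential, when, pin=None):
        """Handle one read: decide, log the transaction, return the decision."""
        decision, reason = self._decide(door, credential, when, pin)
        self.log.append((when.isoformat(), door, credential, decision, reason))
        return decision, reason   # on GRANT a real panel would operate the door relay


def build_demo_panel(two_factor: bool) -> ControlPanel:
    """Constructed sample data: Alice may enter the server room, Bob may not."""
    issued = date(2025, 1, 6)                       # a Monday
    hours = (WEEKDAYS, time(7, 0), time(19, 0), issued + timedelta(days=90))
    salt = os.urandom(16)
    alice = Cardholder("Alice", [AccessRight("server-room", *hours)],
                       salt, hash_pin("4831", salt))
    bob = Cardholder("Bob", [AccessRight("lobby", *hours)])
    acl = {10452: alice, 20877: bob}                # card numbers are made up
    return ControlPanel(acl, {"server-room"} if two_factor else ())


if __name__ == "__main__":
    tuesday = datetime(2025, 1, 7, 9, 30)
    for two_factor in (False, True):
        panel = build_demo_panel(two_factor)
        # Bob presents Alice's card (10452) without knowing her PIN.
        print("two-factor" if two_factor else "single-factor",
              panel.present("server-room", 10452, tuesday))
```

With a single factor the panel cannot tell Alice from anyone else holding her card; with the PIN required, the same read is denied and the denial still lands in the transaction log for review.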

There are three types (factors) of authenticating information:

• something the user knows, e.g. a password, pass-phrase or PIN
• something the user has, such as a smart card or a key fob
• something the user is, such as a fingerprint, verified by biometric measurement

Passwords are a common means of verifying a user's identity before access is given to information systems.
In addition, a fourth factor of authentication is now recognized: someone you know, whereby another person
who knows you can provide a human element of authentication in situations where systems have been set up
to allow for such scenarios. For example, a user may have their password, but have forgotten their smart
card. In such a scenario, if the user is known to designated cohorts, the cohorts may provide their smart card
and password, in combination with the extant factor of the user in question, and thus provide two factors for
the user with the missing credential, giving three factors overall to allow access.

Credential
A credential is a physical/tangible object, a piece of knowledge, or a facet of a person's physical being that
enables an individual access to a given physical facility or computer-based information system. Typically,
credentials can be something a person knows (such as a number or PIN), something they have (such as
an access badge), something they are (such as a biometric feature), or some combination of these items. This
is known as multi-factor authentication. The typical credential is an access card or key-fob, and newer
software can also turn users' smartphones into access devices.

There are many card technologies including magnetic stripe, bar code, card-swipe, contact smart cards,
and contactless smart cards. Also available are key-fobs, which are more compact than ID cards, and attach
to a key ring. Biometric technologies include fingerprint, facial recognition, iris recognition, retinal scan,
voice, and hand geometry. The built-in biometric technologies found on newer smartphones can also be used
as credentials in conjunction with access software running on mobile devices. In addition to older more
traditional card access technologies, newer technologies such as Near field communication (NFC)
and Bluetooth low energy also have potential to communicate user credentials to readers for system or
building access.

Access Control System and Security Identification Components

An access control point can be a door, turnstile, parking gate, elevator, or other physical barrier, where
granting access can rely electronically on users' credentials, biometric fingerprints, face, card readers and
PINs. Typically, the access point is a door. An electronic advanced access control door can contain several
elements. At its most basic, there is a stand-alone electric lock. The lock is unlocked by an operator with a
switch. To automate this, operator intervention is replaced by a reader. The reader could be a keypad where a
code is entered, it could be a card reader, or it could be a biometric reader. Readers do not usually make an
access decision, but send a card number to an access control panel that verifies the number against an access
list. To monitor the door position a magnetic door switch can be used. In concept, the door switch is not unlike
those on refrigerators or car doors. Generally, only entry is controlled, and exit is uncontrolled. In cases where
the exit is also controlled, a second reader is used on the opposite side of the door. In cases where the exit is
not controlled, free exit, a device called a request-to-exit (REX) is used. Request-to-exit devices can be a push-
button or a motion detector. When the button is pushed, or the motion detector detects motion at the door, the
door alarm is temporarily ignored while the door is opened. Exiting a door without having to electrically

24
unlock the door is called mechanical free egress. This is an important safety feature. In cases where the lock
must be electrically unlocked on exit, the request-to-exit device also unlocks the door.
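
The panel-side logic described above, as an added Python sketch that is not part of the original notes: the reader only forwards a card number, the panel checks it against an access list, and the door switch and request-to-exit (REX) inputs decide whether an opening is normal, forced or held open. The card numbers, door names, timings and event names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed access list held by the panel: card number -> doors it may open.
ACCESS_LIST = {"0004512": {"lobby", "server-room"}, "0007731": {"lobby"}}


@dataclass
class DoorController:
    """Panel logic for one door: reader input, lock output, door switch and REX."""
    door: str
    unlock_seconds: float = 5.0      # assumed window in which an opening is expected
    held_open_seconds: float = 30.0  # assumed limit before a held-open alarm
    rex_unlocks: bool = False        # True when the lock must be released electrically on exit
    locked: bool = True
    door_open: bool = False
    shunt_until: float = -1.0        # door alarm is ignored up to this time
    opened_at: Optional[float] = None
    held_alarm_raised: bool = False
    events: list = field(default_factory=list)

    def _log(self, t, kind, detail=""):
        self.events.append((t, kind, detail))
        return kind

    def card_read(self, t, card_number):
        # The reader makes no decision; the panel checks the number against the list.
        if self.door in ACCESS_LIST.get(card_number, set()):
            self.locked = False
            self.shunt_until = t + self.unlock_seconds
            return self._log(t, "ACCESS_GRANTED", card_number)
        return self._log(t, "ACCESS_DENIED", card_number)

    def request_to_exit(self, t):
        # REX (push-button or motion detector) shunts the door alarm for a short window.
        self.shunt_until = t + self.unlock_seconds
        if self.rex_unlocks:
            self.locked = False  # only where exit needs an electrical unlock
        return self._log(t, "REX")

    def door_contact(self, t, is_open):
        # Magnetic door switch: an opening outside the shunt window is a forced door.
        if is_open and not self.door_open:
            self.door_open, self.opened_at = True, t
            kind = "DOOR_OPENED" if t <= self.shunt_until else "DOOR_FORCED"
            return self._log(t, kind)
        if not is_open and self.door_open:
            self.door_open, self.opened_at = False, None
            self.held_alarm_raised = False
            self.locked = True
            return self._log(t, "DOOR_CLOSED")
        return None

    def tick(self, t):
        # Periodic check: raise held-open once, or relock an unused grant.
        if self.door_open:
            if not self.held_alarm_raised and t - self.opened_at > self.held_open_seconds:
                self.held_alarm_raised = True
                return self._log(t, "DOOR_HELD_OPEN")
        elif not self.locked and t > self.shunt_until:
            self.locked = True
            return self._log(t, "RELOCKED")
        return None


def replay(controller, inputs):
    """Feed (time, source, value) inputs to the controller; return the event kinds."""
    kinds = []
    for t, source, value in inputs:
        if source == "card":
            kind = controller.card_read(t, value)
        elif source == "door":
            kind = controller.door_contact(t, value)
        elif source == "rex":
            kind = controller.request_to_exit(t)
        else:
            kind = controller.tick(t)
        if kind:
            kinds.append(kind)
    return kinds


# Constructed input sequence for the server-room door.
SAMPLE_INPUTS = [
    (0, "card", "0007731"),   # lobby-only card presented at the server room
    (2, "card", "0004512"),   # authorised card
    (3, "door", True), (6, "door", False),
    (20, "door", True),       # opened with no grant and no REX
    (22, "door", False),
    (40, "rex", None), (41, "door", True),
    (80, "tick", None),       # door still open 39 seconds later
]

if __name__ == "__main__":
    panel = DoorController(door="server-room")
    for kind in replay(panel, SAMPLE_INPUTS):
        print(kind)
```

With `rex_unlocks=False` the lock is never released electrically on exit, which models mechanical free egress: the REX input only suppresses the door alarm.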

Access Control Card Readers


Access control card readers are used in physical security systems to read a credential that allows access
through access control points, typically a locked door. An access control reader can be a magnetic stripe reader,
a bar code reader, a proximity reader, a smart card reader, or a biometric reader. Access control readers are
classified by functions they are able to perform and by identification technology i.e.:

1. Barcode
A barcode is a series of alternating dark and light stripes that are read by an optical scanner. The
organization and width of the lines is determined by the bar code protocol selected. There are many
different protocols, such as the prevalent Code Sometimes the digits represented by the dark and light bars
are also printed to allow people to read the number without an optical reader.

Advantages and limitations


The advantage of using barcode technology is that it is cheap and easy to generate the credential and it can
easily be applied to cards or other items. However, the same affordability and simplicity make the
technology susceptible to fraud, because fake barcodes can also be created cheaply and easily, for example
by photocopying real ones. One attempt to reduce fraud is to print the barcode using carbon-based ink, and
then cover the bar code with a dark red overlay. The barcode can then be read with an optical reader tuned
to the infrared spectrum, but cannot easily be copied by a copy machine. This does not address the ease with
which barcode numbers can be generated from a computer using almost any printer.

2. Magnetic Stripe
Magnetic stripe technology, usually called mag-stripe, is so named because of the stripe of magnetic
oxide tape that is laminated on a card. There are three tracks of data on the magnetic stripe. Typically
the data on each of the tracks follows a specific encoding standard, but it is possible to encode any
format on any track. A mag-stripe card is cheap compared to other card technologies and is easy to
program. The magnetic stripe holds more data than a barcode can in the same space. While a mag-
stripe is more difficult to generate than a bar code, the technology for reading and encoding data on a
mag-stripe is widespread and easy to acquire. Magnetic stripe technology is also susceptible to
misreads, card wear, and data corruption. These cards are also susceptible to some forms of skimming
where external devices are placed over the reader to intercept the data read.

3. Wiegand Card
Wiegand card technology is a patented technology using embedded ferromagnetic wires strategically
positioned to create a unique pattern that generates the identification number. Like magnetic stripe or
barcode technology, this card must be swiped through a reader to be read. Unlike the other
technologies, the identification media is embedded in the card and not susceptible to wear. This
technology once gained popularity because it is difficult to duplicate, creating a high perception of
security. This technology is being replaced by proximity cards, however, because of the limited source
of supply, the relatively better tamper resistance of proximity readers, and the convenience of the
touch-less functionality in proximity readers.

4. Proximity Card
The reader radiates a 1" to 20" electrical field around itself. Cards use a simple LC circuit. When a
card is presented to the reader, the reader's electrical field excites a coil in the card. The coil charges a
capacitor and in turn powers an integrated circuit. The integrated circuit outputs the card number to
the coil, which transmits it to the reader.

5. Smart Card
There are two types of smart cards: contact and contactless. Both have an embedded microprocessor
and memory. The smart card differs from the proximity card in that the microchip in the proximity
card has only one function: to provide the reader with the card's identification number. The processor
on the smart card has an embedded operating system and can handle multiple applications such as a
cash card, a pre-paid membership card, or an access control card.

6. Banking Card Readers


Some banks have issued hand-held smartcard readers to their customers to support different electronic
payment applications:

• Chip Authentication Program (CAP) uses EMV banking cards to authenticate online
transactions as a phishing countermeasure.
• Geldkarte is a German electronic purse scheme where card readers are used to allow the card
holder to verify the amount of money stored on the card and the details of the last few
transactions.

Security Identification Components
1. Biometrics
A biometric device is a security identification and authentication device. Such devices use automated
methods of verifying or recognizing the identity of a living person based on a physiological or
behavioral characteristic. These characteristics include fingerprints, facial images, iris and voice
recognition.

All biometric readers work similarly, by comparing the template stored in memory to the scan obtained
during the process of identification. If there is a high enough degree of probability that the template in
the memory is compatible with the live scan (the scan belongs to the authorized person), the ID number
of that person is sent to a control panel. The control panel then checks the permission level of the user
and determines whether access should be allowed. The communication between the reader and the
control panel is usually transmitted using a computer interface. Biometric templates may be stored in
the memory of readers, limiting the number of users by the reader memory. User templates may also
be stored in the memory of the smart card or a central server PC can act as the template host. For
systems where a central server is employed, this is known as "server-based verification".

The characteristics of the human body are used to grant users access to information. According to these
characteristics, biometric devices are sub-divided into the following groups:
• Chemical biometric devices: analyze segments of DNA to grant access to users.
• Visual biometric devices: analyze visual features of humans to grant access; these include
iris recognition, face recognition, finger recognition and retina recognition.
• Behavioral biometric devices: analyze walking ability and signatures (velocity of sign, width
of sign, pressure of sign) distinct to every human.
• Olfactory biometric devices: analyze odor to distinguish between varied users.
• Auditory biometric devices: analyze the voice to determine the identity of a speaker for access
control.

Uses of Biometrics

Workplace
Biometrics is used to establish better and more accessible records of the hours employees work. With the
increase in "buddy punching" (a case where employees clock out coworkers and fraudulently
inflate their work hours), employers have looked towards new technology like fingerprint recognition
to reduce such fraud. Additionally, employers are also faced with the task of proper collection of data
such as entry and exit times. Biometric devices make for a largely foolproof and reliable way of
collecting this data, as employees have to be present to enter biometric details which are unique to
them.

Immigration
As the demand for air travel grows and more people travel, modern day airports have to implement
technology in such a way that there are no long queues. Biometrics are being implemented in more
and more airports as they enable quick recognition of passengers and hence lead to lower volume of
people standing in queues. One such example is the Dubai International Airport, which plans to
make immigration counters a relic of the past as they implement IRIS on the move technology (IOM)
which should help the seamless departures and arrivals of passengers at the airport.

Animal biometrics
Rather than tags or tattoos, biometric techniques may be used to identify individual animals: zebra
stripes, blood vessel patterns in rodent ears, muzzle prints, bat wing patterns, primate facial recognition
and spots have all been tried.

Benefits of biometric devices


• Biometric data cannot be lent, and hacking of biometric data is complicated; hence it is safer to
use than traditional methods of authentication like passwords, which can be lent and shared.
• Passwords do not have the ability to judge the user but rely only on the data provided by the user,
which can easily be stolen, while biometrics work on the uniqueness of each individual.
• Passwords can be forgotten and recovering them can take time, whereas biometric devices rely on
biometric data which tends to be unique to a person, hence there is no risk of forgetting the
authentication data. A study conducted among Yahoo! users found that at least 1.5 percent of Yahoo
users forgot their passwords every month, which makes accessing services slower for
consumers as the process of recovering passwords is lengthy. These shortcomings make biometric
devices more efficient and reduce effort for the end user.

Problems with present day biometric devices


• Biometric spoofing
Biometric spoofing is a method of fooling a biometric identification management system, where a
counterfeit mold is presented in front of the biometric scanner. This counterfeit mold emulates the
unique biometric attributes of an individual so as to confuse the system between the artifact and the
real biological target and gain access to sensitive data/materials.

• Accuracy
Accuracy is a major issue with biometric recognition. Passwords are still extremely popular, because
a password is static in nature, while biometric data can be subject to change (such as one's voice
becoming heavier due to puberty, or an accident to the face, which could lead to improper reading of
facial scan data). When testing voice recognition as a substitute to PIN-based systems, Barclays
reported that their voice recognition system is 95 percent accurate. This statistic means that many of
its customers' voices might still not be recognized even when correct. This uncertainty revolving
around the system could lead to slower adoption of biometric devices, continuing the reliance on
traditional password-based methods.
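
The template comparison and the accuracy problem described above, as an added Python example that is not part of the original notes: a reader accepts a live scan only when its similarity to the enrolled template reaches a threshold, and moving that threshold trades false rejections of genuine users against false acceptances of impostors. The bit-string templates, the user ID and all scores are constructed for illustration; real devices use vendor-specific templates and matchers.

```python
# Added illustration; templates, scores and thresholds are constructed, not vendor data.

def similarity(template: bytes, scan: bytes) -> float:
    """Fraction of matching bits between an enrolled template and a live scan."""
    if len(template) != len(scan):
        raise ValueError("template and scan must be the same length")
    differing = sum(bin(a ^ b).count("1") for a, b in zip(template, scan))
    return 1 - differing / (8 * len(template))


def verify(templates, claimed_id, scan, threshold):
    """Reader-side check: return the ID to send to the control panel, or None."""
    enrolled = templates.get(claimed_id)
    if enrolled is None:
        return None
    return claimed_id if similarity(enrolled, scan) >= threshold else None


def error_rates(genuine, impostor, threshold):
    """Return (false reject rate, false accept rate) for one threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def sweep(genuine, impostor, thresholds):
    """Error rates across several thresholds, to show the trade-off."""
    return [(th, *error_rates(genuine, impostor, th)) for th in thresholds]


def flip_bits(data: bytes, positions) -> bytes:
    """Simulate sensor noise by flipping the given bit positions."""
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


# Constructed enrolment store (could live in the reader, on a smart card or on a server).
TEMPLATES = {"user-017": bytes.fromhex("a5c33c5a0ff09669")}

# Constructed similarity scores from 20 genuine and 20 impostor attempts.
GENUINE_SCORES = [0.97, 0.95, 0.93, 0.92, 0.91, 0.90, 0.90, 0.89, 0.88, 0.88,
                  0.87, 0.86, 0.86, 0.85, 0.84, 0.84, 0.83, 0.82, 0.81, 0.74]
IMPOSTOR_SCORES = [0.78, 0.72, 0.66, 0.64, 0.61, 0.60, 0.58, 0.57, 0.55, 0.55,
                   0.54, 0.53, 0.52, 0.51, 0.50, 0.49, 0.48, 0.47, 0.45, 0.42]

if __name__ == "__main__":
    enrolled = TEMPLATES["user-017"]
    noisy = flip_bits(enrolled, range(6))        # same person, slightly different scan
    print(similarity(enrolled, noisy), verify(TEMPLATES, "user-017", noisy, 0.80))
    for th, frr, far in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, [0.70, 0.80, 0.90]):
        print(f"threshold={th:.2f}  false rejects={frr:.0%}  false accepts={far:.0%}")
```

At the 0.80 threshold the constructed data rejects one genuine attempt in twenty, which is what a "95 percent accurate" figure looks like to the users affected; lowering the threshold to 0.70 removes those rejections but lets two impostor attempts through.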

Future of Biometrics
Researchers are targeting the drawbacks of present-day biometric devices and working to reduce
problems like biometric spoofing and inaccurate intake of data. Technologies which are being
developed are:
• The United States Military Academy is developing an algorithm that allows identification through
the way each individual interacts with their own computer; this algorithm considers unique traits like
typing speed, rhythm of writing and common spelling mistakes. This data allows the algorithm to
create a unique profile for each user by combining their multiple behavioral and stylometric
information. This can be very difficult to replicate collectively.
• A recent innovation by Kenneth Okereafor presented an optimized and secure design of applying
biometric liveness detection technique using a trait randomization approach. This novel concept
potentially opens up new ways of mitigating biometric spoofing more accurately, and making impostor
predictions intractable or very difficult in future biometric devices.

2. Handheld and Personal Devices


Fingerprint sensors can be found on mobile devices. The fingerprint sensor is used to unlock the device
and authorize actions, like money and file transfers, for example. It can be used to prevent a device
from being used by an unauthorized person.

3. Personal signature verification systems


This is one of the most highly recognized and acceptable biometrics in corporate surroundings. This
verification has been taken one step further by capturing the signature while taking into account many
parameters revolving around this like the pressure applied while signing, the speed of the hand
movement and the angle made between the surface and the pen used to make the signature. This system
also has the ability to learn from users as signature styles vary for the same user. Hence by taking a
sample of data, this system is able to increase its own accuracy.
4. Iris recognition system
Iris recognition involves the device scanning the retina of the subject and then cross referencing that
to data stored on the database. It is one of the most secure forms of authentication: while fingerprints
can be left behind on surfaces, iris prints are extremely hard to steal. Iris recognition is widely
applied by organizations dealing with the masses, one being the Aadhaar identification carried out by
the Government of India to keep records of its population. The reason for this is that iris recognition
makes use of iris prints of humans, which hardly evolve during one's lifetime and are extremely stable.

COMPUTER SECURITY
Computer security, cyber security or information technology security (IT security) is the protection of
computer systems from the theft of or damage to their hardware, software, or electronic data, as well
as from the disruption or misdirection of the services they provide.
The field is becoming more important due to increased reliance on computer systems, the Internet and
wireless network standards such as Bluetooth and Wi-Fi, and due to the growth of "smart" devices,
including smartphones, televisions, and the various devices that constitute the "Internet of things". Due
to its complexity, both in terms of politics and technology, cyber security is also one of the major
challenges in the contemporary world.

The Evolution of Computer-Related Crimes


Computer-related crime (“cyber-crime”) is not new. Since the advent of the public internet in the early to mid-1990s,
criminals have tried to exploit the technology for financial gain through a variety of schemes. In recent years, the variety
of these crimes has grown, with new offenses such as ransomware, revenge pornography, and sextortion becoming
more prevalent, as explained below.
• Ransomware: a type of online attack that blocks a user’s access to his or her computer system until a ransom
is paid. It has become a billion-dollar-a-year criminal enterprise. Even law enforcement agencies have been
victims of ransomware.
• Synthetic identity theft: Typically, identity theft involves stealing personally identifiable information, such as a
Social Security Number or credit card number, from a single individual, and using that information to make
purchases, apply for credit, file fraudulent tax returns in the name of that individual in order to receive a tax
refund, or otherwise benefit financially.

The Dark Web


The New Marketplace for Criminal Activity
Perhaps the most significant technology that is facilitating criminal activity in the United States today is the
so-called “dark web,” a largely hidden part of the internet that is encrypted, allowing users to remain anonymous and
untraceable. The dark web has legitimate purposes, such as allowing journalists and political dissidents in repressive
nations to communicate with each other and with the world, with less fear of exposure and reprisals. In recent years,
however, the dark web has also emerged as a major platform for trafficking in drugs, weapons, sex workers, hacking
tools, and even violent crime. The dark web is fundamentally changing how and where many of these types of crimes
are committed, moving them from street corners to the internet.

The Surface Web:


This is what most people are familiar with: Many people’s interactions with the internet are limited to what is known
as the “surface web,” which is defined as all websites and web pages that are indexed and searchable by Google, Yahoo,
and other search engines. This includes news media sites, social media such as Facebook and Twitter, online stores and
business websites, government agencies and private-sector websites, special-interest websites and blogs, and other web
pages that are publicly available.

Deep Web
The deep web is the larger portion of the internet, which includes large databases maintained by government agencies and private
organizations, some of which are publicly available, either free or for a charge, and others of which are private to the
organizations that operate them. Private networks operated by government and private organizations are also part of the
deep web.

Why is computer-related crime attractive to criminals?


Experts cite at least four reasons why computer-related crime is so attractive to today’s offenders:
1. Anonymity. The internet provides a high degree of anonymity and cover. This is particularly true in the heavily
encrypted part of the internet known as the “dark web.”
2. Potential for large financial gains with reduced risk. With only a modest, up-front investment in computer
equipment and basic technical skills, cybercriminals can steal significantly more money with a few clicks of
the mouse than what a robber can get from the cash register at a convenience store — and without the risk of
directly encountering their victims or the police.
3. Investigation and prosecution are more difficult. Many computer-enabled crimes cross multiple jurisdictional
boundaries. The offender may be in one jurisdiction, the victim in another and the offenses (such as fraudulent
online purchases) in yet another location.
4. The lag between technology and the law. Because it takes time for legislators to recognize and write laws that
address complex, technical matters, some cyber-crimes can go on for years before they become illegal.

Vulnerabilities and Attacks


A vulnerability is a weakness in design, implementation, operation or internal control. An exploitable
vulnerability is one for which at least one working attack or "exploit" exists. Vulnerabilities are often
hunted or exploited with the aid of automated tools or manually using customized scripts.
To secure a computer system, it is important to understand the attacks that can be made against it;
these threats can typically be classified into one of the categories below:

I. Backdoor
A backdoor in a computer system, a cryptosystem or an algorithm, is any secret method of bypassing
normal authentication or security controls. They may exist for a number of reasons, including by
original design or from poor configuration. They may have been added by an authorized party to allow
some legitimate access or by an attacker for malicious reasons; but regardless of the motives for their
existence, they create vulnerability.

II. Denial-of-service Attack


Denial of service attacks (DoS) are designed to make a machine or network resource unavailable to its
intended users. Attackers can deny service to individual victims, such as by deliberately entering a
wrong password enough consecutive times to cause the victim's account to be locked, or they may
overload the capabilities of a machine or network and block all users at once. While a network attack
from a single IP address can be blocked by adding a new firewall rule, many forms of Distributed
Denial of Service (DDoS) attacks are possible, where the attack comes from a large number of points
– and defending is much more difficult. Such attacks can originate from the zombie computers of a
botnet, but a range of other techniques are possible including reflection and amplification attacks,
where innocent systems are fooled into sending traffic to the victim.
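
The account-lockout case mentioned above, as an added Python example that is not part of the original notes: a policy that locks the whole account after repeated failures lets anyone deny service to the account owner, while a policy that delays only the failing source keeps the owner able to log in. The class names, thresholds, account name and addresses (documentation ranges) are constructed for illustration.

```python
# Added illustration; policy parameters and the attempt log are constructed.

class HardLockout:
    """Locks the account for everyone after max_failures consecutive failures."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = {}  # account -> consecutive failures

    def attempt(self, account, source, password_ok, now):
        if self.failures.get(account, 0) >= self.max_failures:
            return "LOCKED"  # even the right password is refused
        if password_ok:
            self.failures[account] = 0
            return "OK"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "FAIL"


class PerSourceThrottle:
    """Delays only the (account, source) pair that keeps failing, with backoff."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.state = {}  # (account, source) -> (failures, blocked_until)

    def attempt(self, account, source, password_ok, now):
        key = (account, source)
        failures, blocked_until = self.state.get(key, (0, 0.0))
        if now < blocked_until:
            return "THROTTLED"  # attempt is not evaluated at all
        if password_ok:
            self.state.pop(key, None)
            return "OK"
        failures += 1
        if failures < self.free_attempts:
            delay = 0.0
        else:
            # Delay doubles with every failure past the free allowance.
            delay = min(self.max_delay,
                        self.base_delay * 2 ** (failures - self.free_attempts))
        self.state[key] = (failures, now + delay)
        return "FAIL"


def replay(policy, log):
    """Run (time, account, source, password_ok) records through a policy."""
    return [policy.attempt(acct, src, ok, t) for t, acct, src, ok in log]


# Constructed log: ten wrong guesses from one address, then the real owner logs in.
ATTEMPT_LOG = [(t, "alice", "203.0.113.7", False) for t in range(10)]
ATTEMPT_LOG.append((12, "alice", "198.51.100.20", True))

if __name__ == "__main__":
    print("hard lockout :", replay(HardLockout(), ATTEMPT_LOG)[-1])        # owner locked out
    print("per-source   :", replay(PerSourceThrottle(), ATTEMPT_LOG)[-1])  # owner gets in
```

Per-source throttling does not stop guessing that is spread across many sources, so it is normally combined with a second factor and with monitoring of failures per account.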

III. Direct-access Attacks


An unauthorized user gaining physical access to a computer is most likely able to directly copy data
from it. They may also compromise security by making operating system modifications, installing
software worms, keyloggers, covert listening devices or using wireless mice. Even when the system is
protected by standard security measures, these may be bypassed by booting another
operating system or tool from a CD-ROM or other bootable media. Disk encryption and Trusted
Platform Module are designed to prevent these attacks.

IV. Eavesdropping
Eavesdropping is the act of stealthily listening to a private conversation, typically between hosts on a
network. For instance, programs such as Carnivore and NarusInSight have been used by the FBI and
NSA to eavesdrop on the systems of internet service providers. Even machines that operate as a closed
system (i.e., with no contact to the outside world) can be eavesdropped upon via monitoring the faint
electromagnetic transmissions generated by the hardware; TEMPEST is a specification by the NSA
referring to these attacks.

V. Multi-vector, Polymorphic Attacks
In 2017, a new class of multi-vector, polymorphic cyber threats surfaced that combined
several types of attacks and changed form to avoid cyber security controls as they spread. These threats
have been classified as fifth generation cyber-attacks.

VI. Phishing
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card
details directly from users. Phishing is typically carried out by email spoofing or instant messaging
and it often directs users to enter details at a fake website whose look and feel are almost identical to
the legitimate one. The fake website often asks for personal information, such as log-in and passwords.
This information can then be used to gain access to the individual's real account on the real website.
Preying on a victim's trust, phishing can be classified as a form of social engineering.

VII. Privilege Escalation


Privilege escalation describes a situation where an attacker with some level of restricted access is able
to, without authorization, elevate their privileges or access level. For example, a standard computer
user may be able to exploit a vulnerability in the system to gain access to restricted data; or even become
"root" and have full unrestricted access to a system.

VIII. Social Engineering


Social engineering aims to convince a user to disclose secrets such as passwords, card numbers, etc.
by, for example, impersonating a bank, a contractor, or a customer. A common scam involves fake
CEO emails sent to accounting and finance departments. In early 2016, the FBI reported that the scam
has cost US businesses more than $2bn in about two years.
In May 2016, the Milwaukee Bucks NBA team was the victim of this type of cyber scam with a
perpetrator impersonating the team's president Peter Feigin, resulting in the handover of all the team's
employees' 2015 W-2 tax forms.

IX. Spoofing
Spoofing is the act of masquerading as a valid entity through falsification of data (such as an IP address
or username), in order to gain access to information or resources that one is otherwise unauthorized to
obtain. There are several types of spoofing, including:
• Email spoofing, where an attacker forges the sending (From, or source) address of an email.
• IP address spoofing, where an attacker alters the source IP address in a network packet to hide
their identity or impersonate another computing system.

• MAC spoofing, where an attacker modifies the Media Access Control (MAC) address of their
network interface to pose as a valid user on a network.
• Biometric spoofing, where an attacker produces a fake biometric sample to pose as another.

Information Security Culture


Employee behavior can have a big impact on information security in organizations. Cultural concepts
can help different segments of the organization work effectively or work against effectiveness towards
information security within an organization. "Exploring the Relationship between Organizational
Culture and Information Security Culture" provides the following definition of information security
culture: "ISC is the totality of patterns of behavior in an organization that contribute to the protection
of information of all kinds."

To manage the information security culture, five steps should be taken:


• Pre-Evaluation: to identify the awareness of information security within employees and to
analyze the current security policy.
• Strategic Planning: to come up with a better awareness program, clear targets need to be set.
• Operative Planning: a good security culture can be established based on internal
communication, management-buy-in, and security awareness and a training program.
• Implementation: four stages should be used to implement the information security culture:
1. Commitment of the management
2. Communication with organizational members
3. Courses for all organizational members
4. Commitment of the employees
• Post-Evaluation: to assess the success of the planning and implementation, and to identify the
unresolved areas of concern.

Systems at Risk
The growth in the number of computer systems, and the increasing reliance upon them of individuals,
businesses, industries and governments means that there are an increasing number of systems at risk.

Financial Systems
The computer systems of financial regulators and financial institutions like the U.S. Securities and
Exchange Commission, SWIFT, investment banks, and commercial banks are prominent hacking
targets for cyber criminals interested in manipulating markets and making illicit gains. Web sites and
apps that accept or store credit card numbers, brokerage accounts, and bank account information are
also prominent hacking targets, because of the potential for immediate financial gain from transferring
money, making purchases, or selling the information on the black market. In-store payment systems
and ATMs have also been tampered with in order to gather customer account data and PINs.

Utilities and Industrial Equipment


Computers control functions at many utilities, including coordination of telecommunications, the
power grid, nuclear power plants, and valve opening and closing in water and gas networks. The
Internet is a potential attack vector for such machines if connected, but the Stuxnet worm demonstrated
that even equipment controlled by computers not connected to the Internet can be vulnerable. In 2014,
the Computer Emergency Readiness Team, a division of the Department of Homeland Security,
investigated 79 hacking incidents at energy companies. Vulnerabilities in smart meters (many of which
use local radio or cellular communications) can cause problems with billing fraud.

Aviation
The aviation industry is very reliant on a series of complex systems which could be attacked. A simple
power outage at one airport can cause repercussions worldwide, much of the system relies on radio
transmissions which could be disrupted, and controlling aircraft over oceans is especially dangerous
because radar surveillance only extends 175 to 225 miles offshore. There is also potential for attack
from within an aircraft.

In Europe, with the Pan-European Network Service (PENS) and NewPENS, and in the US with the NextGen
program, air navigation service providers are moving to create their own dedicated networks.
The consequences of a successful attack range from loss of confidentiality to loss of system integrity,
air traffic control outages, loss of aircraft, and even loss of life.

Consumer Devices
Desktop computers and laptops are commonly targeted to gather passwords or financial account
information, or to construct a botnet to attack another target. Smartphones, tablet computers, smart
watches, and other mobile devices such as quantified self devices like activity trackers have sensors
such as cameras, microphones, GPS receivers, compasses, and accelerometers which could be
exploited, and may collect personal information, including sensitive health information. WiFi,
Bluetooth, and cell phone networks on any of these devices could be used as attack vectors, and sensors
might be remotely activated after a successful breach. The increasing number of home automation
devices such as the Nest thermostat are also potential targets.

Large Corporations
Large corporations are common targets. In many cases this is aimed at financial gain through identity
theft and involves data breaches such as the loss of millions of clients' credit card details. Some
cyber-attacks are ordered by foreign governments; these governments engage in cyber warfare with the intent
to spread their propaganda, sabotage, or spy on their targets. For example, many people believe the Russian
government played a major role in the US presidential election of 2016 by using Twitter and Facebook
to affect the results of the election.

Medical records have been targeted for use in general identity theft, health insurance fraud, and
impersonating patients to obtain prescription drugs for recreational purposes or resale. Not all attacks
are financially motivated, however; for example, security firm HBGary Federal suffered a serious
series of attacks in 2011 from hacktivist group Anonymous in retaliation for the firm's CEO claiming
to have infiltrated their group, and in the Sony Pictures attack of 2014 the motive appears to have been
to embarrass with data leaks, and cripple the company by wiping workstations and servers.

Automobiles
Vehicles are increasingly computerized, with engine timing, cruise control, anti-lock brakes, seat belt
tensioners, door locks, airbags and advanced driver-assistance systems on many models. Additionally,
connected cars may use WiFi and Bluetooth to communicate with onboard consumer devices and the
cell phone network. Self-driving cars are expected to be even more complex.

Government
Government and military computer systems are commonly attacked by activists and foreign powers.
Local and regional government infrastructure such as traffic light controls, police and intelligence
agency communications, personnel records, student records, and financial systems are also potential
targets as they are now all largely computerized. Passports and government ID cards that control access
to facilities can be vulnerable to cloning.

Internet of things and physical vulnerabilities.

The Internet of things (IoT)


IoT is the network of physical objects such as devices, vehicles, and buildings that are embedded with
electronics, software, sensors, and network connectivity that enables them to collect and exchange data
– and concerns have been raised that this is being developed without appropriate consideration of the
security challenges involved. While the IoT creates opportunities for more direct integration of the
physical world into computer-based systems, it also provides opportunities for misuse. In particular,
as the Internet of Things spreads widely, cyber-attacks are likely to become an increasingly physical
(rather than simply virtual) threat. If a front door's lock is connected to the Internet, and can be
locked/unlocked from a phone, then a criminal could enter the home at the press of a button from a
stolen or hacked phone. People could stand to lose much more than their credit card numbers in a
world controlled by IoT-enabled devices. Thieves have also used electronic means to circumvent
non-Internet-connected hotel door locks.

Impact of Security Breaches


Serious financial damage has been caused by security breaches, but because there is no standard model
for estimating the cost of an incident, the only data available is that which is made public by the
organizations involved. "Several computer security consulting firms produce estimates of total
worldwide losses attributable to virus and worm attacks and to hostile digital acts in general. The 2003
loss estimates by these firms range from $13 billion (worms and viruses only) to $226 billion (for all
forms of covert attacks). The reliability of these estimates is often challenged; the underlying
methodology is basically anecdotal." Security breaches continue to cost businesses billions of dollars,
but a survey revealed that 66% of security staff do not believe senior leadership takes cyber
precautions as a strategic priority.

Attacker Motivation
As with physical security, the motivations for breaches of computer security vary between attackers.
Some are thrill-seekers or vandals, some are activists, others are criminals looking for financial gain.
State-sponsored attackers are now common and well resourced, but started with amateurs such as
Markus Hess who hacked for the KGB, as recounted by Clifford Stoll in The Cuckoo's Egg.
Additionally, recent attacker motivations can be traced back to extremist organizations seeking to gain
political advantage or disrupt social agendas. The growth of the internet, mobile technologies and
inexpensive computing devices has led to a rise in capabilities but also in risk to environments that
are deemed vital to operations. All critical targeted environments are susceptible to compromise, and
this has led to a series of proactive studies on how to mitigate the risk by taking into consideration
the motivations of these types of actors. Several stark differences exist between the motivation of
hackers and that of nation-state actors seeking to attack based on an ideological preference.

A standard part of threat modeling for any particular system is to identify what might motivate an
attack on that system, and who might be motivated to breach it. The level and detail of precautions
will vary depending on the system to be secured. A home personal computer, bank, and classified
military network face very different threats, even when the underlying technologies in use are similar.

Computer Protection (countermeasures)
In computer security a countermeasure is an action, device, procedure, or technique that reduces a
threat, vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause,
or by discovering and reporting it so that corrective action can be taken.

Some common countermeasures are listed in the following sections:


a) Security by Design
Security by design, or alternately secure by design, means that the software has been designed from
the ground up to be secure. In this case, security is considered as a main feature. Some of the techniques
in this approach include:
• The principle of least privilege, where each part of the system has only the privileges that are
needed for its function. That way even if an attacker gains access to that part, they have only
limited access to the whole system.
• Automated theorem proving to prove the correctness of crucial software subsystems.
• Code reviews and unit testing, approaches to make modules more secure where formal
correctness proofs are not possible.
• Defense in depth, where the design is such that more than one subsystem needs to be violated
to compromise the integrity of the system and the information it holds.
• Default secure settings, and design to "fail secure" rather than "fail insecure". Ideally, a secure
system should require a deliberate, conscious, knowledgeable and free decision on the part of
legitimate authorities in order to make it insecure.
• Audit trails tracking system activity, so that when a security breach occurs, the mechanism and
extent of the breach can be determined. Storing audit trails remotely, where they can only be
appended to, can keep intruders from covering their tracks.
• Full disclosure of all vulnerabilities, to ensure that the "window of vulnerability" is kept as
short as possible when bugs are discovered.
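
An added example, not part of the original notes: a hash-chained audit trail in Python that illustrates the audit-trail item above. Each record's HMAC covers the record before it, so an edited or deleted entry breaks the chain, and a copy of the latest MAC kept on a separate (remote) system exposes a truncated tail. The class and function names, the key and the sample events are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used before the first record exists


def _mac(key, prev, entry):
    """HMAC-SHA256 over the previous record's MAC plus this entry (canonical JSON)."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + body, hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only trail; every record is chained to the one before it."""

    def __init__(self, key):
        self._key = key
        self.records = []  # each item: {"entry": {...}, "mac": "<hex>"}

    def append(self, actor, action, target):
        prev = self.records[-1]["mac"] if self.records else GENESIS
        entry = {"seq": len(self.records), "actor": actor,
                 "action": action, "target": target}
        self.records.append({"entry": entry, "mac": _mac(self._key, prev, entry)})
        return self.records[-1]["mac"]  # head value to copy to the remote store


def verify(records, key, expected_head=None):
    """Return (ok, index of the first bad record or None)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["entry"].get("seq") != i:  # a record was removed or reordered
            return False, i
        if not hmac.compare_digest(rec["mac"], _mac(key, prev, rec["entry"])):
            return False, i  # entry edited, or chain broken at this point
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(records)  # tail truncated since the head was saved
    return True, None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; keep the real key off the logged host
    trail = AuditTrail(key)
    trail.append("alice", "login", "hr-db")  # constructed sample events
    trail.append("mallory", "export", "personnel-records")
    head = trail.append("mallory", "logout", "hr-db")
    print(verify(trail.records, key, head))       # intact trail
    print(verify(trail.records[:2], key, head))   # last record deleted
```

Without the remotely stored head value, deleting the most recent records leaves a chain that still verifies, which is why the trail's latest MAC has to live somewhere the intruder cannot rewrite.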

b) Security Architecture
The Open Security Architecture organization defines IT security architecture as "the design artifacts
that describe how the security controls (security countermeasures) are positioned, and how they relate
to the overall information technology architecture. These controls serve the purpose to maintain the
system's quality attributes: confidentiality, integrity, availability, and accountability."
The key attributes of security architecture are:
• The relationship of different components and how they depend on each other.
• The determination of controls based on risk assessment, good practice, finances, and legal
matters.
• The standardization of controls.

Response to Breaches
Responding forcefully to attempted security breaches (in the manner that one would for attempted
physical security breaches) is often very difficult for a variety of reasons:
• Identifying attackers is difficult, as they are often in a different jurisdiction to the systems they
attempt to breach, and operate through proxies, temporary anonymous dial-up accounts,
wireless connections, and other anonymizing procedures which make back tracing difficult and
are often located in yet another jurisdiction. If they successfully breach security, they are often
able to delete logs to cover their tracks.
• The sheer number of attempted attacks is so large that organizations cannot spend time
pursuing each attacker (a typical home user with a permanent (e.g., cable modem) connection
will be attacked at least several times per day, so more attractive targets could be presumed to
see many more). Note, however, that most of the sheer bulk of these attacks is made by
automated vulnerability scanners and computer worms.
• Law enforcement officers are often unfamiliar with information technology, and so lack the
skills and interest in pursuing attackers. There are also budgetary constraints. It has been argued
that the high cost of technology, such as DNA testing, and improved forensics mean less money
for other kinds of law enforcement, so the overall rate of criminals not getting dealt with goes
up as the cost of the technology increases. In addition, the identification of attackers across a
network may require logs from various points in the network and in many countries, the release
of these records to law enforcement (with the exception of being voluntarily surrendered by a
network administrator or a system administrator) requires a search warrant and, depending on
the circumstances, the legal proceedings required can be drawn out to the point where the
records are either regularly destroyed, or the information is no longer relevant.

Legal Issues and Global Regulation


International legal issues of cyber-attacks are complicated in nature. There is no global base of
common rules to judge, and eventually punish, cyber-crimes and cyber criminals - and where security
firms or agencies do locate the cybercriminal behind the creation of a particular piece of malware or
form of cyber-attack, often the local authorities cannot take action due to lack of laws under which to
prosecute. Proving attribution for cyber-crime and cyber-attacks is also a major problem for all law
enforcement agencies. "Computer viruses switch from one country to another, from one jurisdiction
to another – moving around the world, using the fact that we don't have the capability to globally police
operations like this. So the Internet is as if someone had given free plane tickets to all the online
criminals of the world." The use of techniques such as dynamic DNS, fast flux and bulletproof servers
adds to the difficulty of investigation and enforcement.

