Journal of Physical Security 14

Table of Contents
Journal of Physical Security, Volume 14(1), 2021
Available at http://jps.rbsekurity.com

Editor’s Comments, pages i-v

CR Goulding, "Physical Security R&D Tax Credits", pages 1-9

RG Johnston, "Camera Obscura for Obscuring Cameras", pages 10-12

BK Schwab, "Insider Threat Management: Operating Environments, Detection Methods
and Mitigation Strategies", pages 13-34

RG Johnston, "Want Seals With That? -- Fast Food, Covid, and Tamper Detection", pages 35-
36

MH Nassef, "Suggested Procedures for Physical Protection and Security Improvement for
Category II Sealed Radioactive Sources", pages 37-52

Journal of Physical Security 14(1), i-v (2021)
Editor’s Comments
Welcome to volume 14, issue 1 of the Journal of Physical Security (JPS). In addition to the
usual editor’s rants and news about security that appear immediately below, this issue has
papers about R&D tax credits for physical security, pinhole cameras for surreptitious
surveillance, insider threat issues, tamper-indicating seals for fast food in the era of Covid,
and security for sealed radiological sources.
All papers are anonymously peer reviewed unless otherwise noted. We are very grateful
indeed to the reviewers who contribute their time and expertise to advance our under-
standing of security without receiving recognition or compensation. This is the true sign of
a professional!
Past issues of JPS are available at http://jps.rbsekurity.com, and you can also sign up
there to be notiRied by email when a new issue becomes available. A cumulative table of
contents for the years 2004 through 2019 is available at http://rbsekurity.com/
JPSArchives/grand_jps_TOC.pdf
JPS is hosted by Right Brain Sekurity (RBS) as a free public service. RBS is a small
company devoted to physical security consulting, vulnerability assessments, and R&D
(http://rbsekurity.com).
As usual, the views expressed in these papers and the editor’s comments are those of the
author(s) and should not necessarily be ascribed to their home institution(s), employer,
other authors in this issue, or Right Brain Sekurity.
*****
Shock and Awe
In my view, the January 6 insurrection at the Capitol Building in Washington, D.C.

conRirms some general principles about security:
1. Security Maxim #119: Layered security will usually fail stupidly.

2. Security Maxim #109: A lack of imagination and effective vulnerability assessment is
the most common cause of security failure—the failures in threat analysis, intelligence,
management, and communication
in
this
case
notwithstanding.

3. Security Maxim #80: Warning about threats and especially vulnerabilities will usually
be ignored or even attacked. (See also https://www.nbcnews.com/politics/politics-news/
isn-t-Rinal-chapter-analyst-warns-again-about-rise-right-n1253950.)
4. Security Maxim #137: Too often, the good guys think they can deRine the security,
when in fact the bad guys get to. It is telling, I believe, to hear how Capitol Police were
“shocked” that rioters climbed the “off-limits” Capitol steps after swarming the barriers.
i
5. Security Maxim #89: The main purpose of an investigation after a serious security
incident is not to Rix the problems, but rather to assign blame, pass the buck, engage in
Ringer-pointing, and choose scapegoats.

I am getting tired of seeing the same old security blunders over and over again!
For more discussion, see RG Johnston, “Avoiding Shock and Awe”, Journal of Physical
Security 9(1), 26-48 (2016) and RG Johnston, Vulnerability Assessment: The Missing Manual
for the Missing Link, https://www.amazon.com/dp/B08C9D73Z9
*****
Good Advice
If your child goes missing while you are out in public with him/her, don't look for them
frantically and quietly, look for them loudly:
*****
"Alexa: Go Hack Yourself!"
Electronic products that understand the human voice such as Amazon's Echo, Apple's
HomePod, Google's Assistant, and even smartphones to some extent can be hacked at a
distance if there is a clear line-of sight. Recent experiments show that an appropriate voice
command can be recorded, then used to modulate a small, relatively low power laser. The
laser would be shined on the voice-understanding electronics from some distance,
including through a glass window, and the device will obey the command. The modulated
light gets turned into vibrations that the voice-activated devices recognize as a voice
command.
A simple countermeasure is to keep your voice-understanding devices away from

windows and out of site from outside your home or ofRice.

*****
Lava Lamp Love In
The company Cloudfare uses the random motion of lava lamps to generate random
number seeds for cryptographic keys. This is not as goofy as it sounds (though putting the
lava lamps in their lobby might be). Such hardware-generated seeds avoid the bad
behaviors and poor security of pseudorandom number generators used by many
computers.
ii
*****
In-Bed with Security
Texas Instruments has an excellent guide out entitled, "Building You Application with
Security in Mind: Guide to Embedded Security". It is mostly about cyber security, but may
nevertheless provide some thought triggers for other areas of security.
*****
The Mandela Effect
For an interesting article on false memory, see https://getpocket.com/explore/item/10-

examples-of-the-mandela-effect?utm_source=pocket-newtab.
*****
Paradox Mindset
Embracing opposing demands and viewpoints, rather than Rleeing from them, is a key to
creativity and leadership (and, I believe, to good security):
https://www.bbc.com/worklife/article/20201109-why-the-paradox-mindset-is-the-key-
to-success?ocid=ww.social.link.email.
*****
Security of Ballot Collection Boxes
Probably not the biggest election security issue but...

https://www.forbes.com/sites/marcwebertobias/2020/11/09/the-security-of-ballot-
collection-boxes-one-can-be-opened-in-thirty-seconds-or-less/?sh=64e26af55f76.
*****
Face the Biometric Problems
Yet another example of biometrics failing:

https://www.dailymail.co.uk/news/article-9095719/New-Jersey-man-sues-wrongful-
arrest-facial-recognition-bust.html.
*****
iii
The High Cost of Cheap Security
Bruce Schneier had an interesting and articulate opinion piece in the New York Times
about scrimping on security: https://www.nytimes.com/2021/02/23/opinion/solarwinds-hack.html.
*****
Spoiler Alert: How It All Ends
For a mind-blowing, but remarkably understandable description of cosmology, how the

universe began, and how it will likely end, check out the January 2021 issue of Astronomy:
https://astronomy.com/issues.
*****

An Example of Security Maxim #80 (Feynman's Maxim): "Organizations will fear
vulnerability assessors and others who point out security problems more than the
actual adversaries."
Just when you were maybe feeling a little sorry for the voting machine companies
because they were arguably getting slandered... Election Systems and Software (ES&S) sent
cease and desist letters to organizations simply for highlighting proven security
vulnerabilities. Not exactly a healthy Security Culture! See
"A Voting Machine Company Threatens Researchers for Exposing Valid Security Flaws."
*****
Elephants
In 2013, scientists attempted to teach elephants the meaning of pointing. It turned out to
be unnecessary, as they already understood the concept. That automatically makes them
more intelligent that a lot of the managers and bureaucrats that I have dealt with in my
career. See https://science.time.com/2013/10/10/brainy-elephants-one-more-way-
theyre-as-smart-as-humans/.
*****
More About Animals
Does city life make animals smarter? See https://www.bbc.com/future/article/

20200416-how-city-life-can-breed-smarter-pests?ocid=ww.social.link.email.
*****
iv
And Even More About Animals
On Vladimir Putin's many crimes: https://www.theguardian.com/commentisfree/2020/

jan/18/putin-criminal-incompetent-president-enemy-of-his-own-people-russia,
https://www.wilsoncenter.org/publication/has-vladimir-putin-always-been-corrupt-and-
does-it-matter,
https://www.voanews.com/usa/us-politics/terrible-crimes-made-putin-worlds-richest-
person-Rinancier-testiRies, https://www.atlanticcouncil.org/in-depth-research-reports/
report/russia-after-putin-report/
*****
Porch Pirate

Sometimes, the bad guys aren’t all that clever.
*****
Testing Security
Who says there is no rigorous testing of security products anymore? Check out this story:
https://www.qrockonline.com/drunk-arkansas-men-shoot-each-other-to-test-bulletproof-
vest/.
*****
Cock Sure Security (or Protecting the Family Jewels)
You can read about cyber attacks on male chastity devices here: https://www.bbc.com/
news/technology-54436575 and https://www.vice.com/en/article/m7apnn/your-cock-
is-mine-now-hacker-locks-internet-connected-chastity-cage-demands-ransom.
Call me old-fashioned and a romantic, but I think sex toys shouldn't be connected to the
Internet. Local Bluetooth ought to be good enough.
*****
-- Roger Johnston
Oswego, Illinois
March, 2021
v
Journal of Physical Security 14(1), 1-9 (2021)
Physical Security R&D Tax Credits
Charles R. Goulding
Attorney/CPA, President of R&D Tax Savers

WSU Insider
Introduction
The Federal R&D tax credit is an innovation incentive. It promotes both economic growth
and job creation.
Any Rirm has the potential to qualify. The litmus is not the Rirm but the activity involved.
That activity has to (1) be technical, (2) involve consideration of design alternatives, (3)
eliminate uncertainty, and (4) result in the acquisition of new knowledge to the company.
When a company’s project—be it a new or improved product, process, or software

development—qualiRies for the R&D tax credit, applicable employee time is the largest
driver of the credit calculation.
On December 18, 2015, President Obama signed the bill making the R&D tax credit
permanent. Beginning in 2016, the credit has been used to offset the Alternative Minimum
Tax (AMT), and startup businesses can utilize the credit against $250,000 per year in
payroll taxes. Companies can now plan and pursue projects that are innovative but slightly
risky, and utilize the R&D tax credit to help fuel their R&D efforts.
The Credit for Increasing Research Activities, or the R&D tax credit, as deRined in US IRC
Code, Section 41, allows all of the following to be included in calculating the credit:
amounts paid by the taxpayer for in-house research expenses, contract research expenses,
expenses related to supplies consumed in the R&D process (tangible property other than
land and property subject to depreciation), as well as certain expenses related to obtaining
a patent.
1
The credit calculation for companies is completed on IRS Form 6765, where the credit
amount can then reduce the company’s tax liability, dollar-for-dollar. In instances where
the business is organized as a Rlow-through entity, the R&D tax credit can reduce the tax
liability, dollar-for-dollar, on the owner’s personal tax return.
While there is no speciRic application to the Internal Revenue Service to obtain the R&D
tax credit, contemporaneous documentation is required to be maintained by the taxpayer
in the unlikely event of an audit. Our Rirm does a comprehensive R&D Study that includes
contemporaneous documentation for each and every one of our clients, regardless of
whether they are our billion dollar client or our small software start-up.
This paper draws on the many physical security projects our R&D tax credit engineers
have completed, including airport security, facial recognition, law enforcement technology,
retail theft protection, building security, and Rire protection. Information about other
physical security projects that have beneRitted from the R&D tax credit is also available,
including those involving gun, smart gun, and cyber security developments. Our Rirm has
handled R&D tax credit projects for Rirms in the physical security industry, as well as for
Rirms that are in other industries but made a signiRicant effort to develop and improve their
physical security systems for their business operations.
Physical Security at a Glance

Physical security is a highly complex, multifaceted challenge. It encompasses all of the
physical measures designed to safeguard personnel; to prevent unauthorized access to
equipment, installations, material, and documents; and to protect against numerous
threats, such as theft and damage. The diversity of potential menaces to physical security
calls for multilayered, Rlexible solutions that use innovative technology to keep up with
ever-changing risks.
Before the pandemic, physical security had a 2020 projected growth rate of 6.5%, from
$103bn to $110bn in sales. Despite Rlattened sales due to COVID 19, innovation within the
Rield has continued apace. One underlying theme is that physical security technology builds
off of many other current technologies, including artiRicial intelligence, the Cloud, drones,
sensors, and improved cameras.
Protecting People: Personal Physical Security

Physical security accessories, such as Tasers, bulletproof vests, and body-worn cameras,
can save lives and reduce exposure to injuries. They constitute invaluable assets for
numerous professionals, particularly security personnel and police ofRicers. The following
sections discuss recent innovation trends in technology designed for personal protection.
Non-Lethal Weapons
Electroshock weapons temporally incapacitate neuromuscular transmission, disrupting
voluntary muscle control through the stimulation of sensory and motor nerves. This kind
of weaponry is often preferred to other less-lethal force options due to its overall
2
effectiveness, which presents virtually no variation relative to the subject’s pain tolerance,
drug use, or body size. Electroshock weapons are often divided into three categories,
namely, (1) those that work through direct contact, such as stun guns and cattle prods; (2)
the so-called conducted electrical weapons (CEW), which Rire dart-like electrodes that
deliver shocks through thin wires that remain connected to the gun; and (3) wireless long-
range electroshock weapons.
Though undoubtedly an important means of self-defense and law enforcement, non-

lethal weapons are often subject to criticism. When it comes to technical shortcomings, the
Rirst two categories have obvious limitations of range, which is restricted to the arm’s reach,
in one case, and to the length of the wire, in the other. The third type, though capable of
reaching more distant targets, presents higher risks of death and serious injuries, due to
the speed of the projectile and the inability to control the shock after Riring. Costly
ammunition and an inconveniently large size are also drawbacks of long-range non-lethal
weapons.
Numerous innovative companies are entering the $8.5 billion non-lethal weaponry
market with the objective of overcoming the limitations of existing technology. For
instance, Digital Ally in Lenexa Kansas is working on a wirelessly controlled electronic
weapon that is more compact and easier to carry than those currently available. Other
proposed improvements include enhanced accuracy, reduced projectile speed, and post-
Riring control of the shock via radio frequency.
A more traditional player in this market, TASER International in Scottsdale, Arizona is

also innovating through the development of a line of smart weapons designed to save lives
and reduce injuries. With advanced Riring logs, these weapons enable highly accurate
reports that help understand the reasoning behind the decisions made in the Rield. Sensor
technology registers, for instance, how long a weapon was armed and when the trigger was
held. Other technical improvements incorporated into TASER’s latest CEW products
include dual lasers for enhanced accuracy, an audible warning to facilitate voluntary
surrender, and a smart cartridge that reduces accidental discharge. More importantly,
there is the possibility of a backup shot, which is a major breakthrough in a Rield dominated
by single-shot weapons.
Bulletproof Vests
Bullet-resistant vests are designed to absorb the impact and stop or reduce penetration
of Rirearm-Rired projectiles and fragments from explosions. They work by dispersing the
energy from incoming projectiles across multiple layers of material. The very strong Ribers
in their composition “trap” the bullet and slow it down to a full stop.
There are generally two kinds of bulletproof vests: (1) “Soft vests” are usually made of
para-aramids, which are essentially plastics woven into Ribers, or of Ultra-High-Molecular-
Weight Polyethylene (UHMWPE), a gel-spun, multi-Rilament Riber also made from plastic.
Though
3
presenting very high levels of strength-to-weight ratio, these materials remain Rlexible and
are capable of absorbing signiRicant amounts of energy, thus being effective against most
kinds of small-caliber ammunition. (2) “Hard vests”, on the other hand, are designed to
offer protection in extreme situations involving higher-caliber threats, including riRle
rounds. In addition to the Ribers used in soft vests, these reinforced armors incorporate
plates of ceramic, steel, or titanium. Because of the extra layers of protection, hard vests are
heavier and thicker than soft ones.
Despite the general distinction between hard and soft vests, more technical
classiRications, such as the one from the US National Institute of Justice (NIJ), refer to
different ballistic levels. The choice of armor to wear should take into consideration the
likely threats to be faced. Recent events involving the deaths of police ofRicers point to an
increasing use of hard vests. For instance, Texas Lt. Gov. Dan Patrick recently asserted that
he would ask legislators for up to $20 million to provide 40,000 police ofRicers with
reinforced vests.
In addition to ballistic protection, a growing number of body armors offer spike and stab
threat protection. Spike threats refer to sharp pointed objects, such as needles and ice
picks, while stab threats take the form of edged blade attacks. Protection against both of
these menaces is important to various professionals, such as prison guards, bouncers, and
bodyguards.
Innovation in body armors is key for enabling enhanced protection and greater comfort.
Outstanding challenges include the development of thinner, lighter, and more Rlexible vests
that maintain high levels of ballistic protection. Improved ergonomics as well as cooling
systems are also priorities, especially when targeting prolonged users in hot or humid
conditions. Promising areas for body armor innovation include the Rield of “biomimetics”,
which draws inspiration from nature (such as the scales of Rish). This line of research can
take advantage of 3D printing technology, which has emerged as a valuable asset in the
quest of understanding how materials are formed and utilized in nature.
With ofRices in Rogersville, Missouri, worldwide manufacturer and distributor of body

armors Safeguard Armor illustrates the importance of continuous innovation. The
company points to the immense potential of unusual materials, such as wood pulp, which
can be used to create ballistic-resistant nanocellulose, and graphene, a sheet of single
carbon atoms that can absorb considerably more energy than currently available materials.
Among the most exciting recent developments in bulletproof vests are “liquid” body
armors. Polish company Moratex has developed an innovative material called Shear-
Thickening Fluid (STF), which constitutes a lighter and more Rlexible alternative to
traditionally used materials. STF increases in viscosity when exposed to impact, behaving
like a solid when struck with fast-moving projectiles. It is further designed to reduce
indentation when hit by bullets, thereby lessening the impact felt by the wearer and
reducing risks of injury.
4
Body-Worn Cameras
Video evidence systems are designed to work not only as a deterrent mechanism but to
help increase both the transparency and accountability of police ofRicers and security
personnel. Despite the ongoing proliferation of such systems, recent events have brought
their effectiveness into question. In this scenario, innovation is key to enabling the
necessary improvements to existing technology. The following paragraphs present recent
advancements by innovative companies in the Rield of body-worn security cameras, whose
work exemplify the kinds of efforts that could potentially qualify for federal R&D tax
credits.
In October 2016, Axon, a business unit of TASER International, unveiled a new generation
of police body cameras, designed to overcome the limitations of previous solutions. The
innovative Axon Flex 2 automatically turns on in certain predetermined situations, such as
opening a car door, unlocking a weapon, or turning on the overhead lights and siren. In
addition, there is a “buffer” that starts recording up to two minutes before the ofRicer
pushes the start button. These features aim to overcome common criticisms to existing
technologies that often rely on the discretion of the user to be turned on and off, leaving
many unanswered questions.
With ofRices in Huntersville, North Carolina, British security and investigations company
Reveal Media has also invested in new technologies for video evidence. With award-
winning design, the RS2 body camera features a front facing screen and an intuitive one-
touch record function. Besides providing enhanced low light performance and clearer
sound, the solution uses advanced compression technology to facilitate the upload and
storage of Riles as well as an AES-256 encrypted memory for improved security.
Safety Innovations in Logan, Utah designs highly resistant body-worn cameras that can
withstand even the toughest working conditions. The company’s innovative VidMic VX
integrates a radio microphone with the camera, allowing for a lighter duty gear load while
keeping the equipment practical and discreet. The solution is compatible with over 200
models of commonly used radios.
Another important provider of video evidence solutions is Newark, New Jersey-based

Panasonic Corporation of North America, subsidiary of Japanese Panasonic Corporation.
The company has experienced a 180 percent year over year growth in its mobile evidence
capture division, which includes products such as the Arbitrator 360° HD, an in-car digital
video recording system that supports up to Rive cameras working simultaneously to
generate full 360-degree views and maximize situational awareness. Panasonic also
produces the Arbitrator BWC, a body-worn solution that provides 130 degrees of evidence
capture with GPS metadata, pre- and post-event recording, and WiFi for easy ofRloading.
Designed to make the most of the available visual data, a uniRied evidence management
system brings together the company’s mobile and Rixed video solutions, allowing users to
analyze and preserve every link in the chain of evidence.
Also a provider of law enforcement video systems, WatchGuard Video is a four-time

winner of the Dallas 100 Award honoring the fastest growing, privately held businesses in
5
the Dallas area. Located in Allen, Texas, it has a longstanding commitment to R&D, which
has resulted in 12 issued U.S. patents plus 12 additional pending patents. Innovative
capabilities include the record-after-the-fact feature, which enables users to gather critical
evidence with up to one-day delay, and the ultra-wide dynamic range, a solution to common
problems, such as blown-out, overexposed, and underexposed images. WatchGuard’s
technology dramatically improves nighttime video quality through a dual-exposure
mechanism that takes two separate images (a dark exposure and a light exposure) and
automatically blends the two images into a single video frame.
Protecting Spaces: Perimeter Security Systems

Physical perimeter security is understood as the use of mechanical or electronic systems
to protect people and assets within a facility, making intrusions less likely. It refers to the
outermost layer of security and includes fences, walls, and other physical barriers as well as
intrusion detection systems and electronic surveillance. The effectiveness of a perimeter
security system is directly affected by its adequacy to the risks requiring protection, the
sophistication of potential intruders, and the probable means of penetration. According to
a 2016 report by Research and Markets, the global perimeter security market is expected to
grow at an 8 percent compound annual growth rate between 2015 and 2021, reaching
$21,000 million in 2020. The study asserts that emerging technologies are among the most
important drivers of growth, as “companies are majorly focusing on R&D and investments
in development of new technologies in order to expand the scope of perimeter security
systems.”
When it comes to physical perimeter security, there are several aspects to be considered,
besides the ability to prevent intrusion. Desired aesthetics and visibility, ease of
installation, and adequacy to the local weather and topography are just a few examples of
important concerns. In the case of fences, for instance, installation alone can account for
roughly 1/3 of the entire cost involved while a variety of naturally occurring threats, such
as water intrusion, corrosion, and freezing, can signiRicantly decrease their lifespan.
Reducing costs and increasing reliability of perimeter security systems must remain a
priority for companies in this industry.
Important areas for innovation in physical perimeter security include anti-cut and anti-
climb mechanisms, customization against speciRic threats, as well as the mechanical
distribution of potential impacts as a means to increase overall strength. Producer of non-
metallic, non-conductive, and radar-friendly fences, AMICO Security in Birmingham,
Alabama stands out for its innovative efforts, which exemplify the kinds of initiatives that
would likely qualify for R&D tax beneRits. The company’s patent pending Amiguard system
utilizes a proprietary continuous rail design that bolts together the entire length of the
fence, making sure that any impact is distributed throughout the system, thereby enhancing
strength and working as a uniRied curtain wall barrier.
Innovative perimeter security solutions combine physical barriers with technology

designed to detect and monitor intruders’ movements. Examples of such technology
include next-generation fence-mounted sensors, infrared, and integrated Riber-optic
6
solutions. Thermal cameras, video analytics, and intrusion detection technologies, such as
microwave, seismic sensors, and radar, are also interesting allies in physical security
strategies.
Fence-mounted sensing technology includes various cable-type solutions that can be

attached directly to fence structures in order to detect attempts of cutting, climbing, or
lifting. The most common type of data used in these cases is vibration, which requires
varying levels of sensitivity, according to the threats at hand. Sophisticated digital
processing systems are used to analyze the collected data, assess the existence of an actual
menace, and identify its nature. Smart perimeter security with sensing technology has
gained ground as a crucial element of integrated security strategies, which aim for a holistic
approach to security.
Examples of companies investing in this Rield include RBtec in Derwood, Maryland, a

provider of the longest Riber-optic monitoring capabilities on the market, with up to 62
miles through a single Riber-optic cable. RBtec’s RaySense illustrates the advantages of
innovative Riber-optic solutions for long-range, total perimeter coverage. With no gaps
between sensors, it is capable of detecting and locating within 3 meters over the entire
perimeter and can be networked to provide unlimited reach. The system offers seven
different levels of sensitivity that optimize performance according to the targeted
infrastructure. Fiber-optic systems are also resistant to moisture and electromagnetic
interference, which facilitates maintenance.
Monitoring and Surveillance

Another important aspect of physical security is video surveillance. In addition to
allowing for the veriRication and analysis of past incidents, surveillance cameras often act as
a deterrent to potential assailants. In a recent article published by IFSEC Global, Quantum’s
Vice President of surveillance and security solutions Wayne Arvidson pointed out that, by
2019, video surveillance will capture over 3.3 trillion hours daily. The article lists Rive
major drivers of growth in this highly dynamic market:
I. Video Analytics: analyzing video-based data can help identify useful patterns and
trends. For instance, video analytics can be used for intrusion detection, going beyond
traditional motion detection and intelligently distinguishing actual threats from
disturbances caused by animals and weather events. When combined with advanced alarm
systems, this kind of analytics enhances security while reducing the nuisance of false
alarms.
II. Intelligent Cameras: recent developments in sensor technology allow cameras to be

used in new and exciting ways. The fast-growing adoption of intelligent cameras embedded
with sensors will require sophisticated, multi-tiered storage strategies capable of
supporting an unprecedented inRlux of data. There will also be a growing need for
enhanced capabilities, including compression, streaming, and analytics.
7
III. Biometrics: the use of biometric data to identify people has become increasingly
complex and in turn, increasingly valuable to many industries. The integration of
biometrics capabilities, such as face recognition, and video surveillance is expected to
widen the scope of potential applications of video security systems.
IV. The Internet of Things: innovative strategies must be used to merge IoT sensor data
with video surveillance data. The emergence of the IoT has been accompanied by an
unprecedented surge in the number of connected devices, which are expected to reach at
least forty billion over the next decade. The correlation of video information with input
from such smart IoT devices can contribute to greater physical security. For instance,
motion detectors, which are traditionally used for turning lights on and off and adjusting
temperature, can now communicate with video and security systems in order to control for
unauthorized movements.
V. Video Surveillance as a Service: aggregated service models will help companies

automate functions and optimize their resources.
The Rive aspects highlighted above point to a common, underlying trend: integration. In
fact, it is safe to say that integration is at the essence of physical security innovation,
particularly when it comes to video surveillance and monitoring. The idea is to make the
most of available technologies by allowing them to work together. Security control panels
that use information from various devices, such as motion detectors, video surveillance,
access readers, etc., are a great example of this overarching trend.
No-camera security systems are also a promising area, due to recent improvements in
motion-detection technology. Canadian company Cognitive Systems Corp. recently
announced a system capable of protecting and monitoring spaces without the use of
cameras. Arguably the Rirst smart home security system of its kind, Aura uses patented
technology to monitor the disruption of wireless signals caused by movement. In addition
to differentiating human and non-human motion, it sends notiRications to household
members in case of unauthorized movements.
A recent article in Security Sales & Integration magazine has pointed out that innovation
in motion detection has allowed for an unprecedented level of detail, thanks to which there
is practically instant response to intruders. This is made possible by the incorporation of
microprocessors that “intelligently analyze the signals produced by motion to make a very
fast but accurate alarm decision.” Advancements that simplify installation have also
contributed to enhanced reliability, particularly when it comes to features that minimize
installation errors, including integrated end-of-line (EOL) resistors and bubble levels, and
lift-gate terminal strips.
VI. Airports: One major application for such surveillance technology is airports. Although
we have worked on airport projects throughout the country, our western Long Island ofRice
gives us birds-eye view of airport technology at three major airports namely Laguardia,
Kennedy, and Newark. Improving airport technology includes airport screening, Clear's
8
biometric touchless optical scanning, enhanced communications systems and strategic

location of fuel tank farms to minimize explosion damage.
With respect to health-related safety measures, in July of 2020, JFK’s Terminal 4 became
the Rirst terminal in the United States to implement technology to monitor social distancing.
The technology, called CrowdVision, monitors metrics like pedestrian density, operational
resources, queue times, and more. The technology enables airport employees access to
real-time information that can assist them in providing a safe, socially-distanced travel
experience Conceivably, the technology can be used for other purposes, including trafRic
monitoring and airport security.
VII. Drones: Drones are becoming mainstream physical security assets.

A. Police Use: Often when an ongoing crime is reported in trafRic congested urban areas
the police response is invariably too late to capture the Rleeing perpetrator. With immediate
overhead drone dispatch and surveillance, the crime scene can be quickly located and
pictures taken of the Rleeing suspect.
B. Warehouse Use: One of our clients with numerous cavernous distribution centers was
the Rirst U.S. purchaser of warehouse drones. Warehouse drones can inspect the top
shelves of narrow aisle high bay warehouses and inspect for facility and product damage,
lighting Rixture obsolescence and conduct continuous inventory counting. Regular and
accurate inventory counts are an excellent way to monitor theft and reduce stock outs.
C. Environmental Damage: Drones with infrared capability can identify emissions and
septic waste runoff. Before drones it was highly difRicult to identify conditions requiring
environmental remediation. Pinpointing these problems can protect both drinking water
and marine wildlife in harbors and waterways.
Conclusion
Recent developments in physical security technology illustrate how innovation can
improve the reliability and enhance the performance of security systems. R&D tax credits
are available for innovative companies engaged in protecting people, spaces, and material
resources.
About the Author

Charles R. Goulding, Attorney/CPA, is President of R&D Tax Savers. Located in Syosset,
New York, R&D Tax Savers is an inter-disciplinary Rirm at the intersection of tax and
engineering. Mr. Goulding started this Rirm in 2005 and it has grown into a National
practice with clients in industries ranging from physical security, to software development,
all the way to food and beverage. Mr. Goulding spent the majority of his professional career
as Vice President of tax at a multi-billion, multi-national industrial company. He enjoys
reading about technology, tax and engineering advancements and spending time with his
family and friends. Mr. Goulding is also the Mayor of Oyster Bay Cove, a hamlet on Long
Island, New York, where he oversees two Village police departments.
9
Camera Obscura for Obscuring Cameras*
Roger G. Johnston, Ph.D., CPP

Right Brain Sekurity
https://rbsekurity.com
Introduction
It's possible to form images without lenses. A full color image can be formed using only a
pinhole. Pinhole imaging has been undertaken for hundreds of years by artists and solar
eclipse observers using the camera obscura—literally, "dark room". This is a darkened
room (or box) with a small hole in the wall. Objects outside the room in the bright light are
imaged on the room's opposite interior wall. The images are upside down and reversed.
One of the intriguing things about pinhole (camera obscura) images is that they have an
inTinite "depth of Tield". This means that all objects in the Tield of view—near or far—are in
focus, unlike photographs taken using lenses with limited depth of Tield. When artists and
hobbyists display their Tilm pinhole images, people looking at the images are often startled
or disoriented by what they see. They are used to imaging using the human eye, which has
a relatively narrow depth of Tield.
Pinhole photography is usually done using high-sensitive Tilm because of the small
amount of light that comes through the pinhole. The recent availability of off-the-shelf, low-
cost, low-light video cameras, however, makes it easy to produce camera obscura color
videos.
I demonstrate this in a recent YouTube video.[1] The video shows color images made
with a Spinel 2-megapixel, HD video camera with 0.001 lux sensitivity using only a pinhole,
no lenses. The camera costs $48 retail and runs on 5 volts. What is shown is only the raw
video with no image processing to improve brightness, contrast, graininess, or image
quality. Presumably more expensive low-light cameras, and those to be developed in the
future, will allow higher-quality images.
[Note that vendors of video cameras often talk about their "pinhole" cameras but these
are not the camera obscura. They are merely video cameras with a small diameter lens or
lenses. The small diameter of the lens(es) does tend to allow a good depth of Tield, but not
as good as the true camera obscura.]
_____________
*This paper was not peer reviewed.
10
Security Implications
There are 4 reasons why a true pinhole video camera might have security interest.
Consider, for example, the surreptitious surveillance of a conference room or ofTice
using a covert video camera hidden in the wall. The Tirst advantage of the true pinhole
camera is that only a very small hole is needed in the wall for the camera to view the
proceedings. My YouTube video demonstrates the use of a pinhole only 100 µm in
diameter.[1] That small a hole in the wall would be hard to Tind.
The second advantage of using a pinhole video camera for hidden surveillance is that
everything in the Tield of view is automatically in focus, including objects very close to the
camera.
The third advantage of a pinhole video camera for covert surveillance is that one low-tech
method often recommended [2-4] to Tind a hidden video camera in a room is to turn off the
room lights. A Tlashlight is then used to probe the room, looking for retro-reTlections off the
camera lens or off the imaging sensor of the camera behind the lens. With a camera
obscura, there is, however, no such lens reTlection because there is no lens. Any reTlection
off the imaging sensor behind the pinhole is very difTicult to discern because the pinhole
prevents any signiTicant amount of light reTlecting off the interior imaging sensor from
exiting the pinhole.
The Tinal advantage of a pinhole camera for covert surveillance is that systems to "blind"
video cameras using lasers have been proposed as countermeasures.[4] The laser light is
so bright that it swamps the desired image by saturating the photo sensor. This is a more
problematic approach with a pinhole camera. While I was able to somewhat saturate the
image of my pinhole video camera with a 5-mW green laser, this required almost perfect
angular alignment with the axis of the camera, something that might be difTicult to do
reliably in practice, especially in a large room.
It might also be possible for the bad guys to recover partial video images despite laser
saturation by using image processing on their covert video images. When coherent laser
light passes through a pinhole, it creates circular interference rings called "Airy's Disc".[5]
The camera pixels at the diffraction ring minima are not saturated. Also, because laser light
is monochromatic (one color), it is possible that a usable image could be obtained by
keeping only the red, green, or blue pixels in the color video, depending on the laser's color.
Conclusion
Security professionals should be aware that covert video cameras do not require lenses,
and can operate with a very small viewing aperture as small as 100 microns (or smaller).
Moreover, it is important to recognize that conventional detection or countermeasure
schemes that work for covert video cameras with lenses may not work for pinhole cameras
(cameras obscura).
11
References
1. RG Johnston, “Camera Obscura", YouTube video, https://youtu.be/u3mlQzaKAIo
2. E Harper, "The Secrets to Finding Hidden Cameras", April 10, 2019,

https://www.techlicious.com/tip/the-secrets-to-Tinding-hidden-cameras/comments-/
CP2/
3. S Rosenblatt, "Suspect a hidden camera in your Airbnb or hotel?", May 21, 2019, https://
the-parallax.com/2019/05/21/hidden-cameras-airbnb-spying/
4. KN Truong, et al., "Preventing Camera Recording by Designing a Capture-Resistant

Environment", https://www.cc.gatech.edu/fac/summetj/papers/truongk-
ubicomp2005.pdf
5. Hyperphysics, “Circular Aperture Diffraction”, http://hyperphysics.phy-astr.gsu.edu/

hbase/phyopt/cirapp2.html
12
Viewpoint Paper
Insider Threat Management:

Operating Environments, Detection Methods and Mitigation Strategies

Brian K. Schwab, CPP, PSP

S3 Security & Defense Consultants
[email protected]
Abstract
This paper offers a compilation and discussion of what I believe to be best practices for
insider threat mitigation.
Background
While most efforts today are focused on defending against external threats, and most
businesses believe that “it can never happen here”, insider threats add an additional
dimension of complexity and depth to security challenges that many businesses pay little
more than cursory attention to mitigating. When discussing insider threats, most people
immediately think of the IT sector. According to a 2020 IT study1, insider threat incidents
cost businesses an average of nearly $11.5 million annually, a 31% increase over the two
previous years. Over the same period, the number of reported insider threat events
skyrocketed by 47% to more than 4,700. According to Grant Thornton2, it takes a company
an average of 77 days to contain the damage once an insider threat incident has been
discovered.
However, the IT sector is only one of many areas where insider threats can have a
negative impact on business activities. So, as striking as those Yigures for IT are, they
represent only a fraction of the true losses suffered by businesses from insider threats. It
has been estimated that between 25% and 40% of all employees steal from their employer,
resulting in a median annual loss of $145,000 per event. Overall, the combined losses
suffered from insider threats result in a staggering 30% of all business failures in the US
alone.3
Cybersecurity
Environment
Every company, regardless of size, relies to some degree on technology for performing its
daily operations. As advances in technology, such as Cloud Computing, Software-as-a-
Service, and other internet-based computing models improve business efYiciency,
13
companies will increasingly become reliant on technology to conduct business. Operations

with insufYicient protection measures in place continually risk the compromise of critical
processes, equipment, and/or data from threats aiming to exploit weaknesses in software,
operating systems and hardware. As technology rapidly evolves, the challenges facing
businesses in the protection of their network-based assets will become increasingly more
difYicult. Thus, cybersecurity will remain a top business priority.
Threat Detection
Today, it’s not a question of whether an attack against a company’s computer system will
occur, but a matter of when. Relying on detection at the edge or only protecting a single
node is insufYicient in today’s highly dynamic threat environment. Attack avenues increase
as cloud services and multiple data devices are used and equipment are moved into and out
of the network. In order to safeguard data, an enterprise must actively institute a
detection-in-depth so that attackers will encounter new defenses at every turn. According
to Joe Faulhaber4, a Senior Consultant ECG for Microsoft
Con.igurations are in constant .lux, hardware is being cycled,

software is updating, workloads are moving to the cloud, and
users are bringing devices in and out of the network. At the same
time, random attacks are entering the system, and there is
danger of well-funded, determined external attackers trying to
steal valuable data from enterprises as well. Even insiders can be
threats, and what an attack looks like can change every day.
Thus, detection-in-depth allows the enterprise to increase the probability of detecting an

attack, even if one of the layers of defenses has been successfully breached. Detection-in-
depth any attack may be achieved by implementing one or more of the following detection
methods:
Network and Cloud Intrusion Detection that monitors all trafYic into and out of the network
or cloud for unauthorized access. These systems have three primary components:
o Network Intrusion Detection System (NIDS) that monitors all network trafYic and
compares against a library of known attacks
o Network Node Intrusion Detection System that monitors a single host in a manner
similar to the NIDS
o Host Intrusion Detection System that images an entire system’s Yile set and
compares it to a previous snapshot. It alerts the administrator to any identiYied
differences.
Behavior Monitoring
This functionality uses machine learning, advanced correlation engine, and/or
behavioral biometrics. These methods allow for mapping of the usual threat behaviors
such as rootkit installation, attempts for detection of the “sandbox” environment, or
14
attempts to disable security controls. This functionality can be accomplished using the
following techniques, among others:
o Service and Infrastructure Monitoring detects unexpected service outages

throughout the critical infrastructure
o Network Protocol Analysis to determine the exploit method used and/or
determine what speciYic data was extracted
o Network Flow Analysis to identify high-level trends related to the protocols used
and bandwidth usage
Privilege Escalation Detection – The technique designed to identify when software Ylaws
have been exploited in order to gain elevated access to resources that are normally
protected from an application or user. It is critical to detect and prevent vertical and
horizontal privilege escalation activities as these are generally a precursor to a much
more damaging attack to be made later by an attacker. Techniques used to detect
privilege escalation include, but are not limited to:
o Host Intrusion Detection as previously discussed

o File Integrity Monitoring validates the integrity of operating system and
application software Yiles by comparing the current Yile state and a known, good
baseline.
o Attempted Unauthorized User Access Detection
o Monitoring SaaS Services such as OfYice 365 or G Suite
Event Correlation – A technique that evaluates various occurrences to identify speciYic

patterns. This is done by gathering data from the application logs or host logs and
analyzing it to identify relationships. Event correlation can be accomplished using the
following techniques, among others:
o Security Incident and Event Management (SIEM) which is a packaged set of

technologies designed to give a holistic view of a network infrastructure.
o Malicious Host Communication Detection allows for identifying, isolating,
quarantining or blocking potentially dangerous communications that could
otherwise exploit your network.
o Using a centralized dashboard that prioritizes threats based on user inputs
Physical Security – placing access control and intrusion detection devices onto doors,
walls, windows and ventilation ducts to computer and server rooms, data centers and
other IT-related areas will allow for detection of unauthorized entry. Video surveillance
cameras inside these areas and covering exterior doors to those locations will create a
visible record of who entered, whether permissive or otherwise.
Threat Mitigation
Simply because a system is in place with safeguards installed does not mean the system is
fully protected as-is from that point forward. Cybersecurity is not a “set it and forget it”
environment. Systems that are installed are static, while threats to those systems are
15
constantly evolving. You need to continually assess whether the security solutions in place
are still adequate for your needs and determine how to close any newly discovered
vulnerabilities uncovered by the assessment. Only in this manner can your systems
continue to provide the necessary safeguards against current and evolving threats.
The basic means of cybersecurity threat mitigation include, but are certainly not limited to,
the following:
Risk Assessment is a pro-active, systematic process conducted to evaluate a system,

classify the most-likely threats against a system and identify that system’s potential
vulnerabilities. This allows an organization to calculate risk and develop a strategy or
set of strategies designed to reduce the risk to the lowest acceptable level.
Access Control System which secures the network by denying access to a network by non-
compliant devices, places them in a quarantine area or restricts their access to the
system. According to Cisco Systems5, the general capabilities of a network access
control system includes:
o ProYiling and visibility to recognize and proYiles users and their devices
o Guest networking access to manage guest access
o Security posture check to evaluate security-policy compliance
o Incidence response which mitigates network threats by enforcing security
policies
o Bidirectional integration with other security and network solutions
o Policy lifecycle management to enforce policies for all operating scenarios
Intrusion Detection System to monitor all trafYic into and out of the network as discussed
above.
Video Surveillance System cameras to overwatch critical systems and access points into
controlled or restricted spaces housing IT systems
Policies and Procedures – these form the backbone of any organizational effort to reduce
or mitigate risk. They demonstrate senior leadership support, outline the issue, deYine
acceptable operating criteria and highlight everyone’s roles and responsibilities within
the established guidance. Without policies and procedures, organizations simply “wing
it” and will Yind it difYicult – if not impossible – to establish the desired risk
management, organizational behavior and operating culture.
Automated Device Data Wiping – Employ tools that automatically sync to Active Directory
or other domain management software to trigger automatic data wiping of exiting
employee’s devices. This reduces the risk of the manual wiping process not being
completed which would allow the employee to continue to access an organization’s
critical information. These accounts must still be manually audited to ensure the
accounts were actually deleted and identify and correct system gaps when automated
actions do not occur.6
16
Practice Basic Computer/Network Security by following simple, known protocols that

include, but are not limited to, the following:
Enforcing password policies, which is the most basic method to improve security but
is also the hardest to implement. When correctly implemented, strong passwords
are secure. However, the requirements to have strong passwords cannot end up
placing an undue burden to the computer user.
Install patches and software updates to eliminate identiYied vulnerabilities that could
be exploited by an attacker.
Physical Security/Critical Infrastructure Protection

Environment
Insider threats to physical security can come from current or former employees,
contractors, and trusted business partners, clients and vendors. Once unauthorized
physical access is gained into controlled or restricted spaces of an organization, the insider
can easily transform the threat from potential to actual and the damage to an organization
will begin. Thus, an organization’s physical security controls are equally as important as
their IT-based security controls. Insider threats can exploit the physical security in a
number of ways, including:
Poor Physical Security Environment: This includes:
o insufYicient guard oversight

o Poor or missing guard post orders or instructions
o Unmonitored video surveillance systems
o InsufYicient or non-existent physical security system coverage
Unauthorized Facility Access: This risk from unauthorized access can manifest itself in a
number of forms, such as:
o Employees who access facilities without permission before or after standard

work hours
o Unauthorized employees piggybacking through a door into a controlled or
restricted space behind an authorized employee
o A former employee whose access rights have not been terminated
Physical Property Destruction: Employees breaking into secure spaces, stealing assets or
equipment or vandalizing structures or assets
In.iltration/Ex.iltration of Physical Property: Activities such as bringing removable assets

such as computer equipment, tools and other items either into or out of a facility
17
Custodial Staff Problems: This includes custodial staff who steal assets, documents or who
fall victim to socially engineering scams that permit unauthorized physical access rights
Threat Detection
The two most important active physical security system components that can be used to
detect an insider threat are an organization’s security personnel and its physical security
technology:
Security Personnel
o Properly written post orders will provide the guidance necessary for security
personnel to respond to any security incident or emergency.
o Regular or unpredictable patrols of controlled or restricted areas should be
conducted to determine whether unauthorized access has occurred and to
respond to incidents detected by security technology.
o Security Investigations conducted by specialist personnel with the proper
capabilities who look for insider threat indicators so they can stop, or at least
interrupt, an insider threat before the damage can be done.
Security Technology
o Access Control by designating public, controlled and restricted spaces each with
their own levels of physical security protection measures
o Intrusion Detection sensors and alarms to detect unauthorized entry into a
physical location that are controlled or restricted
o Video Surveillance provides an overwatch of all areas to detect potential threats
o Alert and Noti.ication alarms issued by security technology must be transmitted
to the proper personnel for immediate assessment and response, as necessary
Threat Mitigation
Mitigation efforts center around minimizing the amount of damage that can be done by
an inside threat. This is mainly accomplished through understanding the existing
vulnerabilities, training employees to understand the damage that can be done by an
insider while policies and procedures outline roles and responsibilities, reporting
procedures as well as proscribed penalties for violating established protocols. These
methods include:
Security Risk Assessment outlines existing security conditions, identiYies vulnerabilities

and provides a list of measures designed to allow security personnel to develop a
comprehensive strategy designed to reduce the organization’s overall risk.
Security Awareness – training all employees through messages, emails, broadcasts and
computer-based training sessions. Fostering a security culture that includes a high
18
degree of personal engagement can gain the buy-in of employees who will then serve as
additional security “force multipliers” in combatting insider threats.
Policies and Procedures are the statements of principles and process steps designed to
allow the organization to achieve its stated security goals and objectives. These are
designed to outline the desired end-state and effectively mold the security-related
behavior of all organization employees.
Workplace Violence
Environment
In 2017, nearly 2 million people were the victim of workplace violence in the United
States alone. According to the National Institute for Occupational Safety and Health7, these
attacks resulted in 453 fatalities and approximately 20,790 injuries in 2018. There are four
primary categories of workplace violence:
Criminal Intent: where the perpetrator has no connection to the organization but who’s
sole purpose is to commit a crime. The January 2019 attack on the Suntrust Bank
branch in Sebring, FL in which Yive people were killed by a gunman is an example of
criminal intent workplace violence.8
Dissatis.ied Customer or Client: where a customer perpetrates violence directed at staff

members of an organization (mostly in healthcare). The July 2017 physical attack on a
healthcare worker by a patient in Layton, UT is an example of a dissatisYied customer
workplace violence.9
Worker-on-Worker: Violence in the form of bullying, emotional abuse, physical abuse and
other actions that often go unreported for fear of further reprisals from the offender.
This is often seen in supervisor-to-worker relationships. The UPS Warehouse shooting
in San Francisco in June 2017 in which four people were killed and Yive others injured is
an example of worker-on-worker workplace violence.10
Domestic Relationship: A relative of the victim extends domestic abuse at home into the
victim’s workplace. The woman who shot two people before fatally shooting herself at
the Ficosa Plant in Cookeville, TN in April 2017 is an example of domestic violence
spilling over into the workplace.1
Threat Detection
In an effort to predict potential workplace violence, regular proYiling and screening
methods only work well after an event. They are not reliable indicators in predicting or
interdicting an event.12 Instead, knowing workers well enough to understand speciYic, key
behavioral indicators can be more appropriate and informative. These indicators include:
19
o Changes in overall work performance (i.e., tardiness, absenteeism, increased

error rates in work performed, etc.)
o Taking more sick days or staying away from work longer than expected after an
illness
o Changes in social behavior to include conYlict with some regular coworkers or
the complete avoidance of others
o Neglect of personal hygiene can indicate a depressed state of mind
o Expressions of desperation or suicidal ideation
Threat Mitigation
Given the growing threat to business operations posed by workplace violence, mitigation
efforts to minimize the incidence and impact of workplace violence require both
management commitment and employee involvement. These mitigation efforts can take
many forms, including:
Policies and Procedures

Policies and procedures form the backbone of any effort to mitigate risk within an
organization. The following procedures and policies should be developed and
implemented, at a minimum:
Emergency Action Plan13 which contains an evacuation plan covering drills for
Hostile Intruder and Safe Room Procedures (as applicable).
Visitor Protocol Policy that includes access control for former employees and
spouses.
Domestic Violence Policy – must ensure employees know what services are
offered by the organization.
Workplace Violence Prevention Policy - reviewed, updated and reissued to all

employees annually and includes a “Zero Tolerance” attitude toward workplace
violence.
Harassment Policy Statement which is reviewed, updated and reissued to all

employees annually and includes a “Zero Tolerance” attitude toward harassment
of any kind.
Training
• Implement or update a New Employee Orientation to include training on
Workplace Violence Policy, Procedures and Guidelines.
• Teach employees to recognize the potential warning signs of workplace violence.

These may include, but are not limited to:
20
o Paranoia
o Excessive use of Substances and/or alcohol
o Unexplained absenteeism, change in behavior or decline in work
performance
o Depression, withdrawal or suicidal comments
o Resistance to changes at work or persistent complaining about unfair
treatment
o Violation of company policies
o Emotional response to criticism or major mood swings
• Educate supervisors about their responsibility to thoroughly report, document

and investigate every complaint.
• Train employees that reporting at-risk situations is their responsibility in

emphasizing their value.
Assessments
• Conduct a workplace assessment by visual observation by in-house or impartial
third-party observers and issue an employee questionnaire to aid in identifying
potential hazards.
• Review recent incidents to identify potential gaps in existing Violence Response

Plan.
• Assess the most-recent full emergency evacuation drill, and determine if the
organization is prepared for chemical, weather, Yire, bomb or hostile intruder
threats.
Human Capital Development

• Personnel Background Screening
• Employee Onboarding Training
• Situational Awareness Training
• Threat Reporting Program
• Policies, Procedures and Guidelines
• HR Grievance Process
• HR ConYlict Resolution Mechanisms
Sensitive Information/Controlled UnclassiHied Information

Environment
Sensitive information is any information that, if released, could result in a loss of
advantage over competitors. The unauthorized release of sensitive information could
adversely affect the organization, its suppliers and customers and could negatively impact
the welfare of its employees. Similarly, Controlled UnclassiYied Information is a category of
unclassiYied information that require additional controls to prevent unauthorized release.
21
Primarily a government classiYication, this can be applied equally to business concerns for
any information that is sensitive by nature whose release could cause injury or harm to the
organization. Sensitive Information/Controlled UnclassiYied Information can include the
following, among others:
Trade Secrets and Intellectual Property which is data, information, business process or
other factor that give an organization a distinct advantage over its competitors in a
given industry. This information must be protected at all costs from unauthorized
disclosure or compromise.
Supplier and Customer Information which can include names, bank account numbers or
other payment information, addresses, social security numbers and passwords among
others. is by far the most damaging information that can be compromised. This speaks
to an organization’s reputation, brand image and lack of capabilities.
Financial Data such as operating expenses, payroll, sales, debts and liabilities, banking,
and other information that, if exploited, could be devastating to an organization’s
continued existence.
Inventory and Operational Data consisting of any information about how the company
operates or how much inventory the organization carries at any speciYic time. These
data can be exploited by business rivals to compromise an organization’s competitive
advantage
Industry-Speci.ic Information that, if compromised, can damage the organization’s standing

as a leader in a speciYic industry.
Acquisitions or New Product Plans such as non-public acquisitions, plans to expand into
new markets or the development of new product lines which must be protected in order
to ensure business competitors do not thwart the organization’s strategic plans.
Employee Personally Identi.iable Information including names, positions, home addresses,

social security numbers, bank account and routing numbers, health information,
positive and derogatory personnel information and passwords.
Threat Detection
Spillage of sensitive information/Controlled UnclassiYied Information is an issue whose
importance has grown due to the increased use of social media, the reliance on email and
virtual or in-person presentations, as well as the storage of huge amounts of sensitive or
controlled data by companies. However, at present the only reasonably reliable detection
methods include computer algorithm internet searches employing machine learning or
direct, visual observation by a person of data spillage. The former is limited by having to
search a very narrow category based on pre-programmed datasets, while the latter is
limited by the human ability to read everything that is shared or posted and recognize
22
whether the information is of a sensitive nature or not. Neither of these detection methods
are particularly effective in Yinding and alerting the correct people when printed data has
been spilled, leaked or stolen. This is why it is of utmost importance to have an established,
well-functioning mitigation program in place spot a problem that can arise before it starts.
Threat Mitigation
An effective sensitive information/controlled unclassiYied information threat mitigation
strategy will reduce the possible risk of data being accessed and, if it is, will help minimize
the impact of the data loss. These measures revolve around training staff (to include third-
party contractors with access to sensitive information) how to effectively handle, transmit,
store and destroy data appropriately.
Sensitive Information Management Policy – this policy should include (at a minimum) the
types of information the organization considers to be sensitive, cover sheet usage,
passwords, transmission methods, data handling, disposal and destruction methods and
penalties for policy violations. This policy should also include the contact person within
the organization who is responsible for managing the in-house Sensitive Information/
Controlled UnclassiYied Information Program so that person can be contacted with
questions or for further information, as needed.
Training – Data breaches can occur intentional or unintentional insider actions. Often,
inadvertent data leaks occur because employees have not received adequate training in
handling sensitive information. By training employees on why safeguarding sensitive
information is important and how to do it, they will understand how their actions (or
inactions) can impact the organization. This training should use the Sensitive
Information Management Policy as its base.
Limit or Control Access – access to sensitive or controlled information should be restricted

to only those personnel with a deYined “need-to-know” in order to perform their daily
job functions. Data can be further restricted by implementing mandatory document
passwords, encryption, or Yirewalls into speciYic network drives. An organization can
further increase their security of sensitive information by implementing any
combination of these three safeguard methods.
Safe, Con.idential and Con.irmed Data Delivery – send data to an external location via a
trusted delivery company, internal courier or encrypted hard drive, such as an IronKey
or DataLocker. If sent via email, use a corporate or local virtual private network or
secure Yile sharing program that encrypts the transmission until it reaches the recipient.
If information must be sent via unsecured email, be sure the data is at least password
protected. Send the password to the recipient in a separate email with no information
in the subject line. Then contact the recipient to ensure they have received the
transmission and can open the document.
Lockable Storage Cabinets – Place the sensitive documents into a cabinet that can be
locked which restricts access to only a few speciYic, approved individuals. This cabinet
23
should be placed in a secure room which further restricts access and should also be
covered by an intrusion alarm and/or video surveillance camera.
Use Shredders and Separate Con.idential Waste Bins – if hard copies of documents are
maintained on-site, it is important to have the means to destroy the documents at the
appropriate time. A shredder should be the primary means of disposal and one should
not rely on the fact that shredded material is no longer of use to business competitors
and others seeking to access sensitive company data. Therefore, additional security can
be obtained when using the shredder by adding the use of a conYidential waste bin
whose contents will be disposed through a third-party secure disposal service. The
conYidential waste bin can also be used independently if the disposal company is well-
known and a sufYicient level of trust exists between the organization and disposal
company.
Presentation Review Board – allows for review of content of presentations to ensure that
sensitive or controlled unclassiYied information isn’t inadvertently leaked in
presentations given at trade shows, conferences and other external meetings
Remove Contractor Privileges and/or Cancel Contracts - Contractor personnel who violate
sensitive information/controlled unclassiYied information policies and procedures
should be warned and trained how to follow established procedures for a Yirst offense.
For repeated violations, the contractor should be barred from accessing the information
and removed from the job site. Egregious violations should result in the loss of contract
for the violator’s employer.
Food Security
Environment
Food defense is the pro-active protection of food against the intentional, malicious
introduction of contaminants with the aim of causing widespread harm to public health.
Despite a long history of attacks on food sources that goes back several millennia, only in
the last decade has increased strategic attention been devoted to the protection of food at
the production and preparation locations. There are multiple establishments in the food
production system, including Yirms that produce, process, store, repack, relabel, distribute,
or transport food or food ingredients, each of which impose a potential new set of
vulnerability points in the process. Perhaps the most insidious threat in any of these links
is the insider threat.
According to the American Society for Industrial Security (ASIS) International:
A failure to properly recognize the broader scope of insider

threats could pose a signi.icant risk to an organization’s brand. A
single incident could prove harmful enough to put a company out
of business.14
24
There is a particularly unique and very severe impact to the organization’s brand, as well
as to the public in general, when the insider threatens the security of food. The deYinition of
the types of insider threats to foodstuffs depend upon where in the production and
distribution chain the attack occurs and the toxicity of the substance inserted into the food.
There are three primary avenues in which an insider can threaten the security of food
products:
Sabotage is the deliberate actions of individuals to degrade the quality of food as it is

being produced or prepared. The January 2014 case of the Pizza Hut manager who spit
into the food of a police ofYicer who previously arrested her is an example of an insider
sabotaging food.15
Adulteration is the deliberate placing of foreign items into food by individuals with the
intent to injure or cause illness in anyone who consumes it. The former strawberry
farm supervisor in Queensland, Australia who placed sewing needles into strawberries
in September 2018, thereby forcing a nationwide recall of the items is an example of an
insider adulterating food items.16
Poisoning is the placing toxic items into a food product to cause illness or death to those
who consume it. The disgruntled former employee of the Byron Center Family Fare
Supermarket in Byron Center, MI who poisoned 200 pounds of ground beef in 2003 is
an example of an insider poisoning food items.17
Threat Detection
It is of paramount importance that organizations involved (even tangentially) with food
systems be on-guard against potential threats at all stages of production and distribution.
This not only protects against the quality and availability of food but also protects the
general public against threats to their overall health. Threat detection can take numerous
forms, of which four are discussed brieYly below:
Employee Background Screening – Submitting potential employees to criminal background

and credit checks can identify potential “red Ylags” candidates who apply for positions
that allow access to critical assets or vulnerable processes within an organization. Given
that everyone’s personal circumstances change over time, updated checks should be
conducted on existing employees every 18 to 36 months.
Disruptive Behavior Reporting and Management System – Establishing this type of system
will allow the organization to document, track and thoroughly investigate any reports,
establish patterns of negative behavior and establish correlations between reported
issues and events.
Internal Information Sharing – working with union representatives and human resources
to overcome obstacles to information-sharing with security personnel will allow for
pro-active identiYication of issues and implementation of mitigation measures
25
Grievance Management – Establishing an effective mechanism to air and redress

grievances can aid in uncovering potential threats, particularly when an organization’s
HR team works in close cooperation with security personnel. An effective grievance
management process can also ensure that problems can be resolved before they
escalate into a potential situation that negatively impacts workers and the organization.
Threat Mitigation
Activities related to food defense threat mitigation center around three primary
components:
Food Defense Plan – the food defense plan is a set of written documents based on sound
food defense principles. While there is no established format for the food defense plan,
it should incorporate (at a minimum) the following components:
Food Defense Monitoring – according to the US Food and Substance Administration8,

food defense monitoring is the sequence of observations or measurements
conducted to assess whether mitigation strategies are operating as intended.
Food Defense Veri.ication - the application of methods, procedures, and other

evaluations, in addition to food defense monitoring, to determine whether a
mitigation strategy (or combination of mitigation strategies) is or has been
operating as intended according to the food defense plan.
Food Access Control – methods implemented to restrict physical access to food

products as well as network access to manufacturing devices throughout the entire
production process
Food Storage Intrusion Detection – methods that determine whether physical or

computer access has been gained by unauthorized personnel during the production
process.
Food Defense Corrective Actions – a set of actions to be taken if the mitigation

measures implemented as part of the food defense plan are found to be insufYicient.
Vulnerability Assessment – identiYies signiYicant vulnerabilities and actionable process

steps that results in a set of mitigation measures that form the overall strategy to reduce
risk. Assessment methods include, but are not limited to, the following:
Four Key Activity Types Method

▪ Bulk liquid receiving and loading
▪ Liquid storage and handling
▪ Secondary ingredient handling
26
▪ Mixing and similar activities
Three Fundamental Elements Method

▪ Potential public health impact
▪ Degree of physical access to the product
▪ Ability of an attacker to successfully contaminate the product
Hybrid Approach Method that combines the previous two methods
CARVER + SHOCK19 - This methodology was created by the military and is applied
primarily to the agriculture and food production sectors. CARVER stands for
Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability.
SHOCK is the combined assessment of the health, psychological, and collateral
national-level economic impacts of a successful attack on the target system.
Facility-wide Security Measures – the general security measures taken to protect personnel,
product, the facility and its associated machinery and utilities
Physical Security – as previously discussed above
Cyber Security – as previously discussed above
Substance Abuse
Environment
Substance abuse is the overuse of, or dependence upon, addictive substances. Most often,
these substances are drugs, alcohol, or both. The losses estimated to substance abuse is
simply astonishing: $81 billion in lost proYits annually, while an additional $25 to $53
billion in lost productivity is due to opioid abuse alone.20 Besides the hammering of the
bottom line, the problems substance abuse can present to an organization can be further
summarized as:
Substance use and abuse are potential precursors to insider

threat. They could lead to concerning behaviors and both
criminal and non-criminal acts against an organization. Insider
incidents may include theft of intellectual property, sabotage,
espionage, fraud, workplace violence, and non-malicious,
accidental incidents. In these instances, insiders may commit
malicious acts in order to procure money to support their habits
or addictions or, due to the effects of the substances on their
behavior, may commit acts of workplace violence. Substance use
and abuse may also impact an insider's cognitive abilities,
leading to unintentional insider threats. These unintentional acts
27
might include being more likely to click on phishing emails or

misplace company equipment.21
There are a number of avenues in which substance abuse can negatively impact a
business and its operations. A few, but not all, are listed below:
Poor Decision-Making (negligence) which can possibly lead to either the unintentional,
non-malicious compromise of an organization’s data or the willful exposure of the data
to external actors exploiting the Substance user’s vulnerability.
Theft of Assets or Data from an organization in order to sell to support the abuser’s
dependency
Increased Likelihood of Trouble with coworkers or supervisors, which could potentially

develop into a workplace violence situation.
Potential Exploitation of the worker’s known substance abuse by an external actor in

order to gain access to an organization’s systems, processes or data.
Threat Detection
Substance abuse can lead to other insider risks as described in this paper. Rather than let
the situation spiral out of control to a point where you will be liable for injury, damages,
and losses for failing to act, it is best to adopt a pro-active approach. This approach must be
performed within an environment that does not present itself as being overtly hostile to the
employee, which could trigger a negative response or reaction. Two primary methods that
can be employed to detect substance abuse in the workplace are:
Direct Observation of behavior by supervisors and coworkers can give rise to suspicions
of substance abuse:
o Observe an employee’s actions and behaviors for indications of impairment

o Document the employee’s behavior, signs, and symptoms for reference
o Employ “Reasonable Suspicion Testing” to determine that substance abuse is
not the cause of an employee’s suspicious behavior or appearance.
Potentially Disruptive Behavior Monitoring:

o Badge records for tardiness
o Web searches related to alleviating the effects of withdrawal and procuring
substances
o Within the bounds of legal permissibility, gather information about past
arrests and Yinancial stressors potentially resulting from substance abuse
o Gather information from HR that could provide recent information on
disciplinary actions, security violations and substance abuse test results (the
latter, if permitted)
28
Threat Mitigation
The biggest case that can be made for mitigating substance abuse in the workplace, aside
from the company’s bottom line, is the potential improvement in the quality of life for the
affected employee (and that person’s coworkers), which will most likely translate into a
lessened risk of workplace violence and a reduction in threat of theft and other criminal
activities. So, the question is how to mitigate this threat?
Employee Education and Awareness – This is a recurring theme throughout all aspects of
threat identiYication. Employees should be taught to how identify suspicious behavior
and to report it to supervisors or through alternative channels.
Mandatory, Scheduled Substance Testing for positions of moderate- to high-risk
Employee Assistance Programs designed to establish a recovery-friendly workplace in

which the employee can seek and receive assistance without fear of ofYicial, codiYied
punitive action by the organization.
Criminal Activity
Environment
Whether its “white collar” or “blue collar”, crimes against persons or property, felonies or
misdemeanors, criminal activity in the workplace is a real, tangible, and everyday problem.
Some types of insider threat criminal activity in the workplace that will be discussed here
consists of fraud, embezzlement, theft/larceny and many other activities. It is estimated
that $60 billion is lost each year to employee theft alone.22
Theft is by far the most common cause of losses suffered by employers and can consist
of:
Cash theft which can result from pilfering petty cash up to the various forms of
embezzlement by employees who handle cash, checks, or credit cards.
Inventory theft using garbage bins, recycling system, personal bags or other means
to sneak out business goods. In retail, the return and refund process yields many
chances to steal from the company with or without the help of a third party.
Credit card/personal identi.iable information theft where employees, particularly in

retail sales, steal the data of customers and their credit cards.
Theft of of.ice supplies for personal or home use
Theft from customers results range from undercounting change that is then diverted
into the pocket of the thief to actually stealing customer personal property.
29
Theft of payroll resulting in payment for unearned time and reimbursement for non-
existent business expenses. This can be the result of other factors already listed,
such as substance abuse.
Fraud is much more prevalent in small Yirms (i.e., those with under 100 employees) than
larger ones.23. Types of fraud can include:
o Asset Misappropriation
o Vendor fraud
o Accounting fraud
o Data theft
o Bribery
o Payroll Fraud
Threat Detection
You trust employees with the keys to your business. Sometimes, that trust is betrayed for
one reason or another. Methods than can detect that betrayal and uncover employee
criminal activity is surprisingly simple, provided you are paying attention. Such detection
methods can include, at a minimum:
Direct Observation which can often lead to the discovery of employee criminal activity in
the workplace. This can include noticing an employee living well beyond his or her
means (a possible indicator of fraud), frequent tips or complaints about an employee, or
even event correlation of an employee being a constant in time and place of criminal
activity
Execute Inventory Control and Audits in an impromptu manner using a third-party for
objectivity. This auditing Yirm must have a direct reporting line to senior executives and
key decision-makers. This include using an outside accountant to examine key Yinancial
records: bank records, ledgers and checks. Conduct inventory audits to ensure
irregularities or losses are discovered and thoroughly investigated.
Establish a Trash Removal Routine that includes breaking down and Ylattening of all boxes,
using clear trash bags and ensuring one-way access for employees to trash dumpsters
or compactors. Cover trash dumpsters with video surveillance system cameras.
Conduct and Document Thorough Investigations of all employee theft reports. The
importance of this method cannot be stressed enough.
Threat Mitigation
Therefore, mitigating criminal activity in the workplace isn’t simply a good idea, it’s an
absolute requirement.
30
Establish the proper kind of company culture where employees are engaged and are
permitted to report security violations. If employees see a culture in which criminal
activities are permitted, then crime will Ylourish. Creating the proper culture starts
with, but is deYinitely not limited to, the following:
• Provide clear policies that ensure all employees know there will be strict
consequences for anyone who commits a crime. Having employees sign the
policy annually both impresses upon them the importance the company attaches
to the policy and also reinforces in their minds exactly what will happen if they
choose to steal from the company.
• Create a con.idential employee tip line to allow loyal employees to report their
concerns. Follow up on each report
• Mandatory employee and contractor background checks to include past

employers. Contact all professional references and ask why they left the job.
Conduct criminal history checks and do not gloss over any “red Ylags” that
appear.
• Employee Situational Awareness Training where everyone is reminded to lock up

their vehicles, valuables, and personal effects while in the ofYice and to practice
personal safety and security measures at all times.
Use a Security Management System that allows for reporting and tracking security
incidents, managing risks, monitoring the status of security equipment and identify
gaps in equipment coverage.
Put in and Monitor a Video Surveillance System to discourage negative behavior before it
happens and record risky behavior as it happens.
Install Access Control Systems to allow access to employees based on work schedule while
simultaneously prohibiting unauthorized access.
Set up Intrusion Detection Systems on doors to controlled or restricted spaces to alert

security personnel of unauthorized entry.
Conclusion
An insider is someone within an organization who has access to critical data, assets,
information and even personnel. The threat arises when someone with privileged access
negligently or willfully violates the trust an organization has placed in them, whether by
themselves or in concert with an outsider. T hese insider threats can come in many forms,
31
and can include cyber and physical security threats, workplace violence, sensitive
information breaches, food security violations, substance abuse and criminal activity to
name just a few.

Detection methods vary based on the threat, but generally revolved around a few core
concepts. These include direct observation and monitoring of employees, data, and assets.
In addition, installing and monitoring physical security systems designed to detect
unauthorized access or record malicious acts aids in detection by allowing more
comprehensive coverage of a facility than simple observation alone. In essence, physical
security equipment is a true “force multiplier” when detecting potential or actual threats.
Not even the most comprehensive detection program will identify all insider threats in
time to raise an alarm before the damage has begun. Insider threats cost companies
billions in lost proYit, damages, lost productivity, assets, and lost reputation, not to mention
the loss of employees either through violence or fear. Establishing the proper corporate
culture by developing proper policies and procedures, training employees through security
awareness campaigns, and applying these measures wholesale to employees, customers,
visitors, contractors and vendors will assist the organization in detecting an insider threat
in time to intervene or stop an attack. Therefore, organizations must make it a top priority
to mitigate the impact and duration of any incident that may arise as a result of an insider.
However, such programs must have the continuous backing and support of senior
management and key decision-makers within an organization. These programs cannot be
created and then sit on a shelf collecting dust until a threat has made itself known. The
threat is dynamic, ever-present, and will continue to be so. As such, it requires constant
vigilance on the part of an organization to make this work. One moment of weakness or
inattention is all it takes for disaster to strike.
32
References
1. Proofpoint, 2020 Cost of Insider Threats: Global Report, h.ps://go.proofpoint.com/

wp-ponemon-itm-cost-of-insider-threats.html?
utm_source=bing&utm_medium=cpc&&msclkid=165d6c3dd821172b88b033c80e41e048
2. Grant Thornton, QuesMon and Answer, h.ps://www.forcepoint.com/blog/insights/

grant-thornton-q-and-
a#:~:text=At%20the%20heart%20of%20it%20all%20is%20a,protect%20criMcal%2C%20and%20i
n%20many%20cases%2C%20personal%20informaMon
3. Traci Catalano, Old Republic Surety, 30% of Business Failures Are Caused By Employee
TheA, h.ps://www.orsurety.com/blog/30-percent-of-business-failures-are-caused-by-
employee-theY
4. MicrosoY, DetecDng cyber threats, Feb 2017, h.ps://www.microsoY.com/security/

blog/2017/02/10/detecMng-cyber-threats/
5. Cisco, What Is Network Access Control (NAC)?, h.ps://www.cisco.com/c/en/us/

products/security/what-is-network-access-control-nac.html
6. James A. MarMn, Jun 2017, How to detect insider threats, h.ps://

www.csoonline.com/arMcle/3202770/how-to-spot-and-prevent-insider-threats.html
7. US Center for Disease Control, “OccupaMonal Violence - Fast Facts”, h.ps://

www.cdc.gov/niosh/topics/violence/fascacts.html
8. Dr. Joshua Sinai, Feb 2019, Workplace Violence AOack at Sebring, Florida Bank: Key
Takeaways for Business Leaders, h.ps://www.cdc.gov/niosh/topics/violence/fascacts.html
9. Dan Rascon, Nov 2017, Health-care worker who was aOacked says industry is not
protecDng its employees, h.ps://kutv.com/news/local/health-care-worker-who-was-a.acked-
says-industry-is-not-protecMng-its-employees
10. Security Today, Jun 2017, Workplace Violence Incident at San Francisco UPS
Warehouse Leaves 4 Dead, h.ps://securitytoday.com/arMcles/2017/06/15/workplace-violence-
incident-at-san-francisco-ups-warehouse-leaves-4-dead.aspx
11. 105.7 News, Apr 2017, ShooDng in Cookeville Being InvesDgated as “DomesDc
Violence” Incident, h.p://1057news.com/2017/04/11/16/01/44/shooMng-in-cookeville-being-
invesMgated-as-domesMc-violence-incident/
12. US Department of Labor, “DOL Workplace Violence Program”, h.ps://www.dol.gov/

agencies/oasam/centers-offices/human-resources-center/policies/workplace-violence-
33
program#:~:text=There%20are%20many%20theories%20about%20the%20causes%20of,indicat
e%20a%20violent%20act%20will%20be%20carried%20out.
13. OccupaMonal Safety and Health AdministraMon, “1910.38 - Emergency acMon plans”,
h.ps://www.osha.gov/laws-regs/regulaMons/standardnumber/1910/1910.38
14. James Sommers and Frank Piscio.a, Jan 2020, Food Defense and the Insider Threat,
h.ps://www.asisonline.org/security-management-magazine/arMcles/2020/01/food-defense-
and-the-insider-threat/
15. Lee Moran, Jan 2014, Pizza Hut manager fired for spi]ng on food of cop who
arrested her year before for DUI, h.ps://www.nydailynews.com/news/crime/pizza-hut-
manager-fired-spimng-pie-arMcle-1.1597859
16. Allyson Horn and Melanie Vujkovic, Sep 2018, Strawberry recall: Disgruntled ex-
employee believed to be behind sewing needles in strawberries, h.ps://www.abc.net.au/news/
2018-09-12/strawberry-invesMgaMon-aYer-sewing-needles-found-inside/10237954
17. Progressive Grocer, Feb 2003, Former Grocery Clerk Indicted for Poisoning Beef,
h.ps://progressivegrocer.com/former-grocery-clerk-indicted-poisoning-beef
18. US Food and Substance AdministraMon (FDA), Mar 2019 (Revised), “MiMgaMon
Strategies to Protect Food Against IntenMonal AdulteraMon: Guidance for Industry”
19. US FDA, Sep 2019, “CARVER + Shock Primer”, h.ps://www.fda.gov/food/food-

defense-programs/carver-shock-primer
20. Justin Kunst, Jul 2019, 5 Statistics on Drug Use in the Workplace, https://
www.amethystrecovery.org/5-statistics-on-drug-use-in-the-workplace/
21. Tracy Cassidy, Apr 2018, Substance Use and Abuse: Potential Insider Threat
Implications for Organizations, https://insights.sei.cmu.edu/insider-threat/2018/04/
substance-use-and-abuse-potential-insider-threat-implications-for-organizations.html
22. Georgiana Strait, Safety First: Reducing Crime in the Workplace, https://
www.gensuite.com/safety-Yirst-reducing-crime-workplace/
23. Business News Daily, Feb 2020, How to Spot the Red Flags of Employee Fraud,
https://www.businessnewsdaily.com/11164-how-to-spot-employee-fraud.html
34
Want Seals With That?

Fast Food, Covid, and Tamper Detection*
Roger G. Johnston, Ph.D., CPP

Right Brain Sekurity
https://rbsekurity.com
Apparently due to the COVID-19 pandemic, many fast food restaurants now hand you
your order in a paper bag sealed with a pressure-sensitive adhesive (PSA) label seal. The
way they are typically used for various security purposes, PSA seals do not provide reliable
tamper detection, though this does not necessarily have to be the case if they are used in a
more time-intensive manner with an understanding of their vulnerabilities and attack
scenarios.[1-3]
PSA seals are often easy to lift and reuse without leaving any discernible evidence,
particularly in the Virst 24-48 hours before the adhesive has achieved full adhesion. Putting
a sticky seal on a Vlexible, greasy fast-food paper bag is especially dubious, though the
particular fast-food chain used for this study is not very greasy, nor were the bags
containing my food orders.
I did a series of informal experiments with 5 drive-up window food orders from two local
franchises of the same popular national fast-food chain. Three minutes after the purchase
while in my car, I found that it was easy to remove the bag's PSA seal in 10 to 15 seconds
(presumably less with practice or tools), open the bag, then satisfactorily reseal the bag
with no discernible evidence that the bag had been opened. No special skills, tools, or
solvents were needed, just a bit of careful effort.
It was also quick and easy to pry apart the bottom of the bag (where there was no seal
just an adhesive). I was then able to use a household adhesive to re-glue the bottom of the
bag. Again, no special skills, solvents, or tools were required, and there was no obvious
visual evidence of the attack. Unlike the PSA seal at the top of the bag, the adhesive used on
the bottom of the bag had presumably been present for weeks to months, allowing ample
time for the adhesive to fully set.
This informal experiment is not a substitute for a rigorous vulnerability assessment.

Nevertheless, in terms of tamper-detection, the seal seems likely to be Security Theater.
There may, however, be other appropriate uses for the seal that aren't directly related to
tamper detection.
_______
*This paper was not peer reviewed.
35
The following are some possible purposes for the seal that I could think of, including non-
security purposes:
1. Reassure the customer during the pandemic.
2. Detect tampering with the order inside the restaurant.
3. Detect tampering with the order by any delivery driver.
4. Use as a "Vlag" (non-security) seal to indicate to restaurant workers that the order is
complete so as to avoid unnecessary additional handling.
5. Authenticate the order as a legitimate order, i.e., the seal would be more like a tag.
6. Remind restaurant employees to follow good anti-COVID procedures.
7. Some other kind of safety or health function?
8. Literally, a seal to be sure the bag is well closed.
9. For advertising purposes, given that the seal contains the company logo; or perhaps
for otherwise making a connection with the customer.
10. Provide a Vlap to hold the drinking straw.
11. Other?
I emailed a senior public relations ofVicial with the company, and sent a letter to the CEO,
inquiring about which purpose(s) in the above list were their intent. Perhaps
unsurprisingly, I receive no answer.
Possible partial countermeasures for the vulnerabilities with the PSA seal might include
brieVly applying heat to the seal to improve adhesion, using a more aggressive adhesive,
using a frangible seal, or choosing a different bag material. Stapling the top of the bag
through the seal using a digestible staple/rivet might also provide better tamper detection.
Possible partial countermeasures for the bottom of the bag might include using a more
aggressive adhesive, or using a bag made of heat- or ultrasonically-sealed Mylar or other
material that would not require an adhesive to seal the seams. This might be harder to
cosmetically repair after an attack.
Another approach that could potentially improve tamper detection is to print a highly
visible notice on the bag (not the seal!) to encourage customers and employees to visually
check the bag and the seal's presence/appearance to look for evidence of tampering. This,
of course, would involve explicitly admitting that the seal has a security purpose.
References
1. RG Johnston, “Poor Practice Using Pressure-Sensitive Adhesive Seals”, Journal of Physical

Security 12(2), 18-28 (2019), https://jps.rbsekurity.com
2. RG Johnston and JS Warner, “How to Choose and Use Seals”, Army Sustainment 44(4),
54-58 (2012), http://www.almc.army.mil/alog/issues/JulAug12/browse.html
3. RG Johnston, “Tamper-Indicating Seals”, American Scientist 94(6), 515-523 (2005)
36

Suggested Procedures for Physical Protection
and Security Improvement for Category II Sealed Radioactive Sources

M. H. Nassef

Faculty of Engineering, Nuclear Engineering Dept., King Abdul-Aziz University,
P.O. Box 80204, 21589, Jeddah, Saudi Arabia, Tel: +508871229; Fax:+6952648
On leave from Nuclear and Radiological Regulatory Authority, (NRRA),
P.O. Box 11762, Cairo, Egypt, [email protected]

Abstract

Iridium 192 (192Ir) radiological sealed sources are commonly used in industry. They
represent an intermediate-risk level, i.e. Category 2 sources with an A/D value <1000
where A is the activity and D is the danger. Based on the information available in the
literature for worldwide industrial radiological accidents between 1945 and 2018, I
selected the accidents involving 192Ir-sealed sources to help understand the regulations
and awareness of 192Ir security and safety measures, including physical protection
measures deployed for 192Ir sealed sources. I present the results of my survey using
statistics and figures. This paper suggests in detail a practical procedure for security,
safety, and deployment of physical protection systems that may be applicable to 192Ir
storage or use facility, as identified by IAEA document TEC DOC-1344.

Keywords: Industrial radiography Security System; physical protection system;
radiation safety; iridium 192

1. Introduction

The security of radioactive sources has become an increasing concern for the
International Atomic Energy Agency (IAEA) and member states. The events of 9/11
pushed the political agenda towards improving the safety and security of radioactive
sources. Radioactive sources must be secured from removal, unauthorized use, or
sabotage. Safe and secure handling of radiological sources will decrease the risk of harm
37
to users and the public. If radioactive sources are not carefully controlled and monitored,
they can produce serious deterministic (non-stochastic) health effects on individuals.
Such deterministic health effects depend on the radiation exposure time, the type of
radiation, and the absorbed dose [1-5]. There are 2 types of medical injury from
radiation: acute radiation sickness and chronic radiation sickness. There is a threshold
of doses below which harmful effects do not occur, though this may vary from person to
person.

Physical security for radiological sources includes protecting, monitoring, and
controlling the sites, buildings, and rooms that contain radioactive sources. The IAEA has
made efforts to help member states, such as developing a code of conduct to protect the
radioactive sources and materials from being sabotaged or stolen. In the past, some
international agreements have focused on certain dangerous radioactive source that can
be used to improvise a radioactive radiological dispersal device (RDD). Fortunately,
sealed radiological sources cannot generally be used to make a nuclear bomb.
Nevertheless, high-intensity radioactive sources represent a significant risk for persons
in contact with them or when they are used in an irresponsible, unregulated, or
unauthorized manner.

The risk of RDDs is that terrorists might turn radiological sources into "dirty bombs".
Conventional explosives can be used to scatter radioactive materials to create hazardous
radioactive contamination. The numbers of deaths may well be small from an RDD, but
the resultant radioactive contamination could cause serious disruption and public panic.
Moreover, decontaminating a public area would be an expensive and lengthy process. [1,
2, 6-14].

In 2002, highlighting the concerns about RDDs, the chairman of the Nuclear Regulatory
Commission (NRC) and the head of the U. S. Department of Energy (DOE) met to discuss
further protection for the physical inventories of all types of radioactive materials that
could potentially be used in an RDD device. They agreed to involve other agencies.[15]
There is also increasing attention from international organizations such as IAEA and the
United Nations Security Council towards efforts to prevent illicit trafficking of nuclear
and radioactive sources.[10, 16-18]
38

The database from the IAEA can be used as a point of reference for roughly calculating
the effect of terrorist violence against persons. As an example, 33 years ago in Goiania,
Brazil, a security/safety radiological accident occurred that could be considered a
warning of what could happen if terrorists seek to build RDDs.[19] The IAEA database
for the illicit trafficking incidents involving both safety and security incidents continues
to grow.

In this paper, I focus on the security of Iridium 192 (192Ir) sealed radiological sources
because they are widely used. They represent an intermediate-risk level, i.e. Category 2
source with an A/D value <1000 where A is the activity and D is the danger. I propose a
work plan for improving physical security, including physical protection measures, that
can be applied to any storage facility with 192Ir radioactive sealed sources. These
suggestions may have applicability as well to the security and safety of other kinds of
radiological material. Perhaps this paper can also increase the awareness of radiological
risks and encourage improved Security and Safety Cultures.

2. Methodology

2.1 Security, regulations and worldwide 192Ir sealed sources accidents
2.1.1 Radioactive source regulation: an overview
The national nuclear authority ("regulatory body") in any nation state must be an
independent scientific organization based on nuclear law and the regulations of that state
to avoid real or perceived conflicts of interest. The regulatory body needs to set security
and safety standards and their enforcement, audit and inspect the radiological
procedures, and communicate safety issues to the public. The regulatory body also deals
with all issues concerning the radioactive sealed sources, nuclear materials
accountability, and the physical protection of nuclear materials and radioactive sources,
as well as the storage, handling, disposing, and transporting radiological materials.[20-
21]

2.1.2 Physical security level based on IAEA categorization of radioactive sources
39
Based on the 2004 IAEA Code of Conduct, every State is obligated take the correct
actions to assure the safety and security of radiological sources. In the case of security,
we need to specify the security level for any radiological source based on its IAEA
categorization. We need to assign the correct security level to the category in which the
source belongs.[22-23] Table 1 shows the IAEA categorization system for 192Ir industrial
radiography sealed sources.
Table 1. IAEA Categorization System and Security Level Assignment [24].

IAEA Category Categorization of Common Activity Ratio Security Level
Practice
2 Industrial gamma sources 1000>A/D≥10 B

Based on the IAEA categorization system, radioactive sealed sources are arranged into
5 categories. Category 2 could produce permanent injury to the user who handles the
source or is in contact with it for a short time (minutes to hours) as shown in Table 2.

Table 2. IAEA categorization for industrial radiography sources. [25]
Category 2 Risk Dispersal Scenarios
Very dangerous Could create permanent injury few risks occur to the health of the
to the user to a user in case of handling user beyond a few hundred meters
away

2.1.3 Defense in-depth strategy to prevent loss of radioactive sources
The concept of defense-in-depth or so-called "layered security", despite some pointed
criticism [26], is conventionally viewed as an effective tool for lowering security risk. To
protect any radioactive sources from an adversary, all basic security measures such as
detection, deterrence, delay, and response should be constructed first to help counter
adversaries intent on sabotage or theft.
There are a variety of barriers than can be used to help implement a defense-in-depth
strategy. For example, warning signs can be posted that alert or warn off persons
travelling through any boundaries or sensitive areas. These can include signs, painted
lines, fences, lighting, and chains. Another tool of defense is an intrusion detection system
that can monitor and control an intruder outside the facility such as cameras (CCTV),
access control systems, and effective intrusion detection systems (second barrier). A
40
third possible type of barrier are physical barriers such as walls or fences. These can
delay, discourage, or (sometimes) prevent intruders from entering the facility. Other
security layers such as doors, windows, and containers in the facility represent a physical
barrier. A fourth type of barrier is intended to control and inspect persons engaged in
exiting the facility.[27-30]
2.1.4 International accidents due to poor regulations, and weakens of physical security
system
From the literature, statistical data indicate that industrial radiography accidents
represent about 48% of the total radiological worldwide industrial radiography
accidents 1945 to 2012.[31-44] From the references [31-44], I extracted only the
accidents due to 192Ir sealed sources that were reported and confirmed by the relevant
state. For each accident, I extracted information such as the country in which the accident
happened, the year of the accident, and the number of injuries or deaths during each
accident. My results are presented in the figures below.
3. Results and Discussion
Now it must be said that radiological safety incidents are quite a different phenomenon
from radiological security incidents. Safety has no deliberate, malicious, intelligent
adversary as is the case for security. Examining safety incidents may, nevertheless, have
relevance to security because we might hypothesize that organizations experiencing
safety incidents may have an increased risk of security incidents. For example, a weak
Safety Culture probably is correlated with a weak Security Culture. While I am unaware
of any research to support or question this hypothesis, it does seem a reasonable
hypothesis to make. There is another reason why it may be prudent to examine safety
incidents in order to understand security issues: radiological safety incidents are much
more common than security incidents and thus may be useful for our understanding.

Following this reasoning, I conducted a survey concerning 192Ir accidents between the
years 1945 and 2018. This includes a total number of 108 accidents (67 accidents from
1945 to 2012, and 41 accidents from 2013 to 2018). The total number of worldwide
injuries due to industrial radiography accidents was 92, with 3 deaths from 1945 to 2012.

41
Figure 1 shows the number of 192Ir industrial radiography sealed sources accidents
worldwide between 1945 and 2013. Figure 2 presents the corresponding accidents from
2013 to 2018. From figure 1, it is clear that the majority of accidents occurred in Russia,
with a percentage of 31.5% of the total accidents. Figure 2 shows the USA had the highest
percentage of industrial radiography accidents with 21.3% of the total accidents. The
primary reason for those accidents, I believe, was the lack of effective regulations and
awareness of safety and security issues when using category 2 industrial radiography
sources. Some accidents involved equipment failure, while others involved improper
storage conditions for this type of category of radiological material.

USSR (Russia)
UK
Worldwide 192Ir accidents between 1945 and 2012 India
USA
France
Argentina
Czechoslovakia
P.R. China
East Germany
Egypt
Republic of Korea
Hungary
Brazil
Switzerland
Chile
Indonesia
South Africa
Figure 1. Industrial radiological accidents involving 192Ir worldwide during the years
1945-2012.

USA
Worldwide 192 Ir accidents between 2013 and 2018
Mexico
Canada
Argentina
Colombia
China
Vietnam
Poland
Iraq
Iran
Malaysia

Figure 2. Industrial radiological accidents involving 192Ir worldwide during the years
2013-2018.

42
3.1 Technical requirements for on-site storage location for safety purpose
Summarizing international regulations for the safety and security of industrial
radioactive sources, 192Ir storage facility (room) must meet the following requirements
[45-46]:
a. Its design, construction and the licensee process must be approved by the national
regulatory body.
b. The room must be in an isolated area, separate occupied areas and relatively far from
any human activities.
c. Transportation of sources should be undertaken in accordance with ALARA principles
(As Low As Reasonably Achievable).
d. The room should have low visibility from outside, and possess sufficient but not
excessive entry access for external emergency services such as police, fire, and medical
first responders.
e. The room should be able to resist or minimize damage from any weather or geological
event, including storms, earthquakes, and flooding.
f. The room should have a smooth, impervious, and easily washable floor.
g. The room needs to be equipped with reasonable vacuum ventilation suction inside to
prevent the build-up of any expected gasses or vapors from radioactive material, and
must be provided with adequate illumination.
h. The dose rate in the storage room shall be less than 7.5µSv/h and not exceed 10µSv/h;
the entrance to the storage room shall be less than 2.5µSv/h; and the dose rate in areas
available to the public shall not exceed 1mSv/y. [47]
i. A radiation hazard sign should be present at the entrance to the storage room. It
should include the wording "radioactive sources".

3.2 The author's suggestions for safety and security measures for radiological storage
facilities

3.2.1 Option 1: Author's suggested site preparation for an occupied storage area
In planning a radiological storage area, the following steps are prudent:
a)-Selection of the best place to store the industrial radiography source should be based
on the occupation factor and local safety considerations.
b)-A radiation survey level should be done for the selected site location.
43
c)-The entrance door should be examined for any security vulnerabilities and possible
failure modes. I suggest the door should be constructed of metal rather than wood, and
possess a suitably secure lock. Such a door helps to secure the storage room from attack,
sabotage, or any weathering effects, and minimizes damage from fire. The door
represents a delay barrier for any unauthorized intruder, and should be designed or
chosen with this in mind.
d)-An inventory list should be prepared. IAEA guidelines[5] require the inventory list
include the following information: Type of radionuclide, physical and chemical form,
source activity, date of inventory, the name of the operator (user), and the name of the
Radiation Safety Officer (RSO) for the storage facility.
e)-Ideally, a special security container constructed for storing the sealed
radiography sources should be used. A warning radiation sign with the wording
"radioactive sources" must be posted on this container so that the sealed source(s)
can be readily recognized. The suggested specification for this metal container (or
cabinet) is discussed in detail in section 3.2.2 below

3.2.2 Option 2: Suggested site preparation steps for storage locations in isolated areas
In my view, the best option for storage in isolated areas is to build a pit for storing the
sealed radiography source(s). The dimension of the storage room should not be less than
3m×3m, housing equipped with a vertical steel tube (pit) of 1m diameter and about 1m
long at the center of the room, including a Mild Steel (MS) cover and locking hardware. I
suggest constructing a security fence around the pit or around the main storage room
that houses the source(s). For good safety, it is desirable to construct a fence at a safe
distance such that the dose rate does not exceed 25 µSv/hr outside the fence, ideally
substantially less. The pit should be made from waterproof materials.[47] I further
suggest an extra metal security container such as a cabinet. This metallic container will
contribute to the concept of defense-in-depth, and complicate the unauthorized access or
removal of the source(s), or at least delay adversaries. A metal storage cabinet shielded
with lead is preferred for storing the source(s). I suggest dimensions of at least
0.5×0.5×0.5m. This storage cabinet should be constructed of strong, fire-resistant metal,
and include a lead sheet of approximately 2 mm thickness as a radiation shield for safety
purposes. The cabinet must include a secure lock and optionally other access control
measures. The cover of the proposed cabinet should have two sliding doors with a
44
suggested dimension of 0.40×0.5m. The key, combination, or PIN for the security cabinet
should be keep under the supervision of the Radiation Safety Officer (RSO).

3.3 Radiation protection considerations and safety management during work
International conferences were held on the security of radioactive sources, in Vienna
during 2003, 2013, and 2018. The main consequence of those conferences was rising
concern for the safe and secure control of radioactive sources, and of the need to
identify those sources that represent the greatest radiation risk.[48-52]
A consensus was reached that every person participating in the storage process should
be exposed only to an acceptable radiation level. The dose constraints for this
radiological work need to follow the international recommended safe limit of 10µSv/h.
A personal monitoring dosimeter (such as a thermoluminescent or TLD badge) should be
distribute to everyone who participates in this work.[53-54] The dose rates outside the
security room, such as in corridors, should be within the background levels of 0.08-
0.1µSv/h.

3.4 Workshop and training in the field of nuclear security
To meet the awareness and training needs in the field of physical security, I believe the
RSO’s at the facility should periodically present a security management workshop for all
operators and radiation workers. Typically, such a workshop covers all radiation
protection rules, regulations, safety, and physical security concepts in order to update
participants' theoretical and practical knowledge, as well as their safety and security
skills. For category 2 sources, the suggested workshop program should consist of some
theoretical lectures, open discussions, and practical implementation exercises for
category 2, security level B radioactive sealed sources.

3.5 The author's suggested procedures to improve the physical security for industrial
sealed radiological sources
Increasing the effectiveness of the physical protection and security measures for
industrial gamma radiological material reduces the risk from radiological terrorism.[16]
The first step is to define the security level for the sealed radioactive source based on the
hazard effects that the source could produce.

45

3.5.1 Physical Access control
It is essential (where practical) to establish and use a continuous physical barrier
(perimeter protection) having a single nominal access point to control access to the
security zone. A room or a laboratory may be adequate for that purpose, provided its
location is far from any public entrance or elevator area. It is also critical to factor in
safety and ALARA issues when moving from low to high radiation areas, i.e., the best place
for storing the radioactive source must be considered in this stage. The entrance to the
storage room must control and limit access to authorized users. A two-man-rule should
be considered when dealing with the access control for the source(s), such as only
allowing a two-person team to access physical keys, passwords, or PINs granting access
to radiologically controlled areas. The tools and equipment needed for handling the
source(s) should be in the controlled area, but stored away from the source.

3.5.2 Detection
The concept of detection is one of the important tools for physical protection. I suggest
installing a constant surveillance video cameras at the storage site, e.g., Closed-Circuit
Television (CCTV) surveillance cameras at specific locations to monitor activities and
personnel. The control point is the door or the gate for access, and should be equipped
with another sensor such as Infrared (IR) and/or motion-detecting security camera. It is
preferrable to use a balanced magnetic switch (BMS) on the door coupled with IR sensor
inside the storage room. In addition to the above tools, a UPS power electricity backup
unit should be installed for this electronic system. The site should also have fire and
smoke detectors. In the case of an emergency alarm, the facility security team must be
notified immediately and start taking action without delay.

3.5.3 Response
The facility security service must have sufficiently detailed information about the
storage room/pit, and about the potential hazards associated with the sources for when
emergencies occur. The security personnel should have multiple ways to communicate
in any emergency, e.g., telephone (landline), mobile phone (cell phone), and walkie-
talkies. They should have the contact number of the mobile phone of the RSO at the site
location.
46

I highly recommended that the security team practice dealing with different attack and
emergency scenarios. They must understand the security vulnerabilities, likely attack
scenarios, and perform regular tests of security and fire alarm systems.

3.5.4 Installation of physical security fence (protective barrier)
A security fence for this type of radiological category is necessary. The fence should
surround the perimeter of the storage site with one metal entrance gate (external entry
point). The metal gate must have a mechanical lock with a radiation warning sign on the
main entrance to the storage site. I suggest building sufficient isolation zones between
the security fence and the storage site. The function of the security fence is to define the
perimeter of a restricted area where unauthorized entry is not allowed, prevent
accidental entry, enhance detection and the capture of intruders, and restrict access
through portals to only authorized personnel.[55]

Figure 3 depicts a schematic of the concept of defense-in-depth, with 4 layers. The
storage room/pit is located in the center of the facility such as a research center,
university, or company. The main entrance and the perimeter of this facility represent
the first layer of defense. The area of the suggested storage site has an enclosed perimeter
fence or wall (metal or concrete) for the second layer of security. Access to the storage
room should be controlled by the use of an identification card and a visual check from the
security personnel. The third layer of security is the security fence around the storage
facility or the wall of the storage room itself in the absence of the security fence. Finally,
the proposed metal cabinet inside the storage room represents the fourth level of
defense.

47

Level 1: Facility Perimeter Fence
(University/Research Center/Company)

Increasing Security

Level 2: Security Fence line around
the storage site

)
Level 3: Wall of the storage room

Level 4: The wall of the suggested

metal cabinet

Source enclosure
(Industrial radiography source)

Figure 3. A schematic of proposed layered security for radiological sealed sources.

4. Conclusion

This paper offered guidelines and my personal suggestions for providing effective
security for category 2 radiological sources, such as 192Ir. These suggestions include
understanding the differences and similarities of safety versus security, recognizing the
risks that sealed radiological sources represent for terrorists creating radiological
dispersal devices (RDDs), following existing international radiological security and safety
guidelines, leveraging the potential advantages of layered security, and having proper
security design and employee training for storage rooms or pits for seal radiological
sources.

5. Acknowledgements

I am grateful to the editor and the anonymous reviewers for editing and content
suggestions.

48
References
1. M. Ridwan, Physical protection of significant radioactive sources: an Indonesian
perspective. Security of radioactive sources, 2003, Proceedings of an international
conference held in Vienna, Austria, 10-13March, organized by IAEA, (2003), 245-264,
IAEA, Vienna.
2. A.J. Gonzalez, Security of radioactive sources, the evolving new international
dimensions, IAEA Bulletin.43/4, (2001), IAEA, Vienna.
3. A.J. Gonzalez, Security of radioactive sources. Symposium on international safeguards:
verification and nuclear material security, IAEA/SM/367/19/11, Vienna, Austria,
29 October-2 November (2001), IAEA, Vienna.
4. W. Weiss, Radionuclide dispersion and related radiological risk. Security of radioactive
sources. Proceedings of an international conference held in Vienna, Austria, 10-
13March 2003, organized by IAEA, (2003), 363-369, Vienna Austria.
5. International Atomic Energy Agency (IAEA), International basic safety standards for
protection against ionizing radiation and for the safety of radiation sources,
Safety Series No.115, (1996), 1-370, IAEA, Vienna.
6. A. AL swayed, Safety and security aspects of radioactive material used in medical
diagnosis and therapy. M.Sc. thesis, University of Surrey, September (2012).
7. L. Ivan, D. Humme, L.Lebel, A MCREXS modelling approach for the simulation of a
radiological dispersal device. Journal of environmental radioactivity, 192, (2018),
551-564.
8. U.S. Nuclear Regulatory Commission ,(2007) Backgrounder on dirty bombs.
http://www. gov/reading/doc-collections/fact-she nrc ets/dirty-bombs.html.
9. National Council on Radiation Protection and Measurements. NCRP, 2010.Report
No.165, responding to a radiological of nuclear terrorism incident: A guide for
decision-makers. NCRP Report No. 165 (2010).
10. T. Biro, Uncertainties in the assessment of the radiological impact of radiological
dispersal devices. Safety and security of radioactive sources: Towards a global
system for the continuous control of sources throughout their life cycle,
Proceedings of an international conference, Bordeaux, 27 June-1 July 2005,
organized by IAEA, (2005), 571-580, IAEA, Vienna.
11. M. Barakat, M.H. Nassef, S.A. El Mongy, Measures Against-Illicit Trafficking of Nuclear
Materials and Other Radioactive Sources. Presented in 9th conference of Nuclear
Science and Applications. Organized with the Egyptian Association for Nuclear
Science, held from 11-14 February (2000).
12. U.S. Nuclear Regulatory Commission, (2003) Office of Nuclear Material Safety and
Safeguards Tracking of radioactive sources. NMSS Licensee Newsletter, U. S.
Nuclear Regulatory Commission, NUREG/BR-0117 No. 03-3 (2003), USNRC.
13. The DOE/NRC Interagency Working Group on Radiological Dispersal Devices,
Radiological Dispersal Devices: An initial study to identify radioactive materials of
greatest concern and approaches to their tracking, Tagging, and Disposition.
Report to the Nuclear Regulatory Commission and the Secretary of Energy,
DOE/NRC (2003).
14. P. Vaz, Radiological protection, safety and security issues in the industrial and medical
applications of radiation sources. Radiation Physics and Chemistry 116, (2015), 48-
55.
15. The DOE/NRC Interagency Working Group on Radiological Dispersal. Radiological
Dispersal Devices: an initial study to identify radioactive materials of greatest
49
concern and approaches to their tracking, tagging, and disposition, Report to the
Nuclear Regulatory Commission and the Secretary of Energy (2003), 1-53.
16. M. Roumie, B. Nsouli, Development and strengthening of the nuclear security status
in Lebanon. Proceedings of an international conference held in Edinburgh, 19-22
November 2007, organized by IAEA, (2007), 509-515. IAEA-CN-154/048.
17. International Atomic Energy Agency (IAEA), combating illicit trafficking in nuclear
and other radioactive material. Reference manual, IAEA nuclear security series No.6
(2007), IAEA, Vienna.
18. International Atomic Energy Agency (IAEA), Security in the Transport of Radioactive
Material. Nuclear Security Series No. 9. Implementing Guide (2008), IAEA, Vienna.
19. A.J. González, Security of radioactive sources: Threats and answers, Security of
radioactive sources. Proceedings of an international conference held in Vienna,
Austria, 10-13 March 2003, organized by IAEA, (2003), 33-59. IAEA, Vienna.
20. A.A. Elabd, O.A. Elhefnawy, I. Badawy, Nuclear safeguards culture: Roles and
responsibilities. Annals of Nuclear Energy, vol. 110, (2017), 1134-1138.
21. International Atomic Energy Agency (IAEA), managing regulatory body competence,
Safety report series No. 79, (2013), IAEA, Vienna.
22. International Atomic Energy Agency (IAEA), nuclear security series No.11, Security of
radioactive sources, implementing guide (2009), IAEA, Vienna.
23. Australian government. Australian radiation protection and nuclear safety agency
(arpansa), Security of radioactive sources. Radiation protection series No.11, (2019),
1-27.
24. IAEA Nuclear Security Series No. 11, Security of radioactive sources, implementing
guide, IAEA, Vienna, (2009), 1-77.
25. International Atomic Energy Agency (IAEA), Categorization of Radioactive Sources.
IAEA-TEC DOC No. 1344, (2003), IAEA, Vienna.
26. R.G. Johnston, “Lessons for Layering”, Security Management 54(1), (2010), 64-69.
27. C. Ferguson, Ensuring the security of radioactive sources: national and global
responsibilities. US-Korea Institute at SAIS, (2017), 3-24.
28. D. Kim, J. Kang, Where nuclear safety and security meet. Bulletin of the Atomic
Scientists, vol. 68(1), (2012), 86-93.
29. C. L. Smith, Understanding Concepts in the Defence in Depth Strategy. IEEE. Security
Technology. Proceedings. IEEE 37th Annual 2003. International Carnahan Conference
(2003) 8-16.
30. C. L. Smith, M. Robinson, The understanding of security technology and its
applications. Proceedings of IEEE 33rd Annual I999 International Carnahan
Conference on Security Technology, (1999) 26-37.
31. International Atomic Energy Agency (IAEA), Lessons learned from accidents in
industrial radiography, Safety reports series No. 7, (1998) IAEA, Vienna.
32. United Nations Scientific Committee on the Effects of Atomic Radiation
(UNSCEAR), 2008 Report to the General Assembly with Scientific Annexes, Volume II
Scientific Annexes C, D and E. (2011) United Nations, New York.
50
33. N.S. Mahmoud, Safety assessment methodology in management of spent sealed

sources. RSO Magazine, Volume 9, No.4, (2005) 1-8.
34. V.K. Singh, V.L. Newman, T.M. Seed, Colony-stimulating factors for the treatment of
the hematopoietic component of the acute radiation syndrome (H-ARS): A review.
Volume 71, Issue 1, (2015) 22-37.
35 I.Turai, K.Veress, Radiation Accidents: Occurrence, Types, Consequences, Medical
Management, and the Lessons to be Learned, Review Article, CEJOEM, 7. No. 1,(2001)
3-14.
36. E.F. Salem, Risk Analysis for Overexposure Measurements Due to Radiological
Accidents Using Computer Code and the Lessons Learned “Meet Halfa as a Case Study,
Egypt, American Journal of Physics and Applications (2017) 5(2), 13-19.
37. International Atomic Energy Agency (IAEA), Sealed Radioactive Sources. Information,
Resources, and Advice for key groups about preventing the loss of control over sealed
radioactive sources. IAEA-PI-A-98E, (2013) IAEA, Vienna.
38. United Nations Scientific Committee on the Effects of Atomic Radiation, (UNSCEAR),
Sources and effects of ionizing radiation. Annexe D: Occupational radiation exposures.
Report to the General Assembly, (1993) 507-549.
Sources and effects of ionizing radiation. Volume II. Annexe C: Radiation exposures in
accidents. Report to the General Assembly, (2008) 1-43.
Sources and effects of ionizing radiation. Volume I. Annex E: Occupational radiation
exposures. Report to the General Assembly, (2000) 497-654.
41. A.J. Gonzalez, T. Action, Strengthening the safety of radiation sources & the security
of radioactive materials. IAEA Bulletin, 41(3), (1999) 2-15.
42. International Atomic Energy Agency (IAEA), Incident and trafficking database
(ITDB) Incidents of nuclear and other radioactive material out of regulatory control,
(2017), Fact Sheet, IAEA, Vienna.
43. https://www.nti.org/.../cns-global-incidents-and-trafficking-database.
44. J.U. Burnham, Radiation Protection. Chapter 4: Dose Limits and Risk (2010) 4-19.
45. International Atomic Energy Agency (IAEA), Radiation Safety in Industrial
Radiography, Specific Safety Guide No. SSG-11 (2011), 1-128.
46. International Basic Safety Standards for Protection Against Ionizing Radiation and for
the Safety of Radiation Sources. IAEA Safety Series No. 115 (1996), 1-370.
47. Australian radiation protection and nuclear safety agency, Code of radiation
Protection requirements for industrial radiography. arpansa, radiation protection
series C-4 (2018) 1-35
48. L.E. Holm, the International Commission on Radiological Protection and the Safety
and Security of Radiation Sources. Safety and security of radioactive sources:
Towards a global system for the continuous, control of sources throughout their life
cycle, Proceedings of an international conference, Bordeaux, 27 June-1 July (2005),
organized by IAEA, 75-84, IAEA, Vienna.
49. International Atomic Energy Agency (IAEA), Code of conduct on the safety and
security of radioactive sources, (2004), IAEA, Vienna.
50. International Atomic Energy Agency (IAEA), International Conference on the Security
of Radioactive Material: The Way Forward for Prevention and Detection, 3-7
December, (2018) ,IAEA, Vienna.
51. International Atomic Energy Agency (IAEA), International Conference on Security of
Radioactive Sources, Austria 10-13, (2003), IAEA, Vienna.
51
52. International Atomic Energy Agency (IAEA), International Conference on the Safety
and Security of Radioactive Sources: Maintaining the Continuous Global Control of
Sources throughout their Life Cycle Abu Dhabi, UAE, (2013), 27-31 IAEA, Vienna.
53. International Commission on Radiological Protection, (ICRP), The 2007
Recommendations of the International Commission on Radiological Protection. ICRP
Publication 103. Ann. ICRP 37 (2007), 2-4.
54. International Commission on Radiological Protection, (ICRP) 1990 Recommendations
of the International Commission on Radiological Protection. ICRP Publication 60.
Annals of the ICRP 21 (1991), 1-3.
55. Military Handbook, Design Guidelines for physical security of facilities. MILHDBK-
1013/1A (1993), 1-289.

52

Journal of Physical Security 14

Uploaded by

Copyright:

Available Formats

Journal of Physical Security 14

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Journal of Physical Security 14

Uploaded by

Copyright:

Available Formats

Table of Contents

Journal of Physical Security, Volume 14(1), 2021

Shock and Awe

In my view, the January 6 insurrection at the Capitol Building in Washington, D.C.

1. Security Maxim #119: Layered security will usually fail stupidly.

"Alexa: Go Hack Yourself!"

A simple countermeasure is to keep your voice-understanding devices away from

Lava Lamp Love In

In-Bed with Security

The Mandela Effect

For an interesting article on false memory, see https://getpocket.com/explore/item/10-

Security of Ballot Collection Boxes

Probably not the biggest election security issue but...

Face the Biometric Problems

Yet another example of biometrics failing:

The High Cost of Cheap Security

Spoiler Alert: How It All Ends

For a mind-blowing, but remarkably understandable description of cosmology, how the

More About Animals

Does city life make animals smarter? See https://www.bbc.com/future/article/

And Even More About Animals

On Vladimir Putin's many crimes: https://www.theguardian.com/commentisfree/2020/

Cock Sure Security (or Protecting the Family Jewels)

Physical Security R&D Tax Credits

When a company’s project—be it a new or improved product, process, or software

Physical Security at a Glance

Protecting People: Personal Physical Security

Though undoubtedly an important means of self-defense and law enforcement, non-

A more traditional player in this market, TASER International in Scottsdale, Arizona is

With ofRices in Rogersville, Missouri, worldwide manufacturer and distributor of body

Another important provider of video evidence solutions is Newark, New Jersey-based

Also a provider of law enforcement video systems, WatchGuard Video is a four-time

Protecting Spaces: Perimeter Security Systems

Innovative perimeter security solutions combine physical barriers with technology

Fence-mounted sensing technology includes various cable-type solutions that can be

Examples of companies investing in this Rield include RBtec in Derwood, Maryland, a

Monitoring and Surveillance

II. Intelligent Cameras: recent developments in sensor technology allow cameras to be

V. Video Surveillance as a Service: aggregated service models will help companies

biometric touchless optical scanning, enhanced communications systems and strategic

VII. Drones: Drones are becoming mainstream physical security assets.

About the Author

Camera Obscura for Obscuring Cameras*

Roger G. Johnston, Ph.D., CPP

1. RG Johnston, “Camera Obscura", YouTube video, https://youtu.be/u3mlQzaKAIo

2. E Harper, "The Secrets to Finding Hidden Cameras", April 10, 2019,

4. KN Truong, et al., "Preventing Camera Recording by Designing a Capture-Resistant

5. Hyperphysics, “Circular Aperture Diffraction”, http://hyperphysics.phy-astr.gsu.edu/

Insider Threat Management:

companies will increasingly become reliant on technology to conduct business. Operations

Con.igurations are in constant .lux, hardware is being cycled,

Thus, detection-in-depth allows the enterprise to increase the probability of detecting an

o Service and Infrastructure Monitoring detects unexpected service outages

o Host Intrusion Detection as previously discussed

Event Correlation – A technique that evaluates various occurrences to identify speciYic

o Security Incident and Event Management (SIEM) which is a packaged set of

Risk Assessment is a pro-active, systematic process conducted to evaluate a system,

Practice Basic Computer/Network Security by following simple, known protocols that

Physical Security/Critical Infrastructure Protection