Encyclopedia of Security and Emergency Management

Living Edition
| Editors: Lauren R. Shapiro, Marie-Helen Maras

Criminals: Suggestions to Improve Security Procedures

  • Harald HaeltermanEmail author
Living reference work entry
DOI: https://doi.org/10.1007/978-3-319-69891-5_116-1

Keywords

Security procedures Controls Procedural change Crime script analysis 

Definition

Procedure: a formal or official order or way of doing things – a series of actions that need to be completed in order to achieve something.

Introduction

Security procedures are considered a critical component of an organization’s overall security program (Dunham 2018). They provide guidance on how to implement, enable, and enforce existing security controls and on how to execute security-relevant business processes in a consistent and concerted manner (ibid.). At the same time, they are to be considered controls in their own right. Same as other components of a security program, they require constant fine-tuning in order to remain effective and efficient over time. This entry highlights a number of triggers or incentives for organizations to upgrade existing security procedures or to implement new ones. It further positions script analysis as a promising tool to ensure that controls and procedures remain effective and fit for purpose.

Security Procedures in the Overall Control Framework

Procedures are defined as formal or official ways of doing things or as series of actions that need to be completed in order to achieve something (Hornby 1995). In the field of security, this can be the proper implementation or enforcement of existing security controls or the execution of security-relevant business processes (Dunham 2018). Security procedures are developed and introduced in order to ensure that these controls and processes are implemented, enabled, enforced, and executed in a consistent and concerted manner, providing a reasonable degree of assurance and predictability (ibid.). They build upon the organization’s security policies and focus on guiding behavior toward a certain and desired end result (ibid.). On the other hand, they are to be considered controls in their own right. The introduction of rules or procedures intended to remove any ambiguity concerning the acceptability of conduct is considered an important strand of situational crime prevention and an effective means to remove potential excuses for nonconforming behavior on the part of those intended to obey them (Clarke 1997, p. 24).

The idea behind having appropriate security procedures in place is that whenever they are followed consistently by everyone in scope, a desired and expected outcome is to follow. This does not imply that procedures remain effective and efficient as the internal or external environment changes. Just as security policies should be reviewed and updated on a regular basis, existing security procedures require constant fine-tuning, and new procedures will need to be introduced if and when required (Dunham 2018).

Drivers for Procedural Change

Various developments or events trigger the need to have new security procedures established or existing ones reviewed. As Oliver and Wilson already noted back in 1972, “the changing scene in which security is practiced constantly brings new problems” (Oliver and Wilson 1972, p. ix). These may arise from new or changing threats, from legal and regulatory changes, from a quest for efficiency gains or the need to adapt defensive approaches to the modi operandi displayed by offenders.

It goes without saying that security controls and accompanying procedures will need to be established or revisited as new security threats are being recognized (Threat Assessment). These threats can emerge from new products or services being introduced (see, e.g., Clarke and Newman 2005); from political, economic, social, and technological developments taking place; or from new crime phenomena entering the scene. Rapid advances in technology and an ever-increasing dependency on information and communication systems alone, for example, have been responsible for reshaping the entire security industry and for introducing a wide variety of IT (“information technology”) security measures in public and private organizations alike (Cybersecurity: Cybercrime and Prevention Strategies).

Changes to legal and regulatory frameworks are certainly among the most obvious triggers for organizations to introduce or upgrade security controls and procedures. These regulatory changes are often brought about by highly publicized incidents or events such as the Lockerbie bombing back in 1988, the cowardly attacks on the Madrid rail system in 2004, the liquid plot in 2006, or the recent terrorist attack on Brussels airport in 2016 (Airport Security: Incidents that Changed Procedures). Other examples of incidents or events that served as catalysts for governments to impose new requirements to (listed) companies with regard to security, corporate governance, and internal control are the hijackings and subsequent attacks on the World Trade Center and the Pentagon on September 11, 2001; the early twenty-first-century economic and financial crisis; a series of corporate collapses; and a range of high-profile frauds, corruption, and accounting scandals (Alexander and Alexander 2002; Chtioui and Thiéry-Dubuisson 2011, pp. 289–290). In response to the 9/11 attacks alone, we have witnessed the introduction and further strengthening of a broad range of transborder security programs designed to protect international supply chains against acts of unlawful interference and imposing a variety of specific and binding security requirements upon operators in the industry (Haelterman 2009, p. 485; 2011, p. 390) (Critical Infrastructure: Transportation Systems). In many cases the introduction of these requirements went hand in hand with employers undertaking additional security efforts due to the perception of growing terrorist threats and to employees demanding improved security at the workplace (Alexander and Alexander 2002, pp. 148–149).

Procedural innovation may further be required when it is found that security procedures contradict procedures or requirements imposed by other functions or when interdependencies between existing controls have been overlooked. An often quoted example of contradicting or competing procedural requirements is that of a security department requiring guards to make sure that all external doors of a facility remain locked at all times versus the requirement imposed by the health and safety function to keep these doors unlocked in order not to obstruct escape routes in case of an evacuation (Fire: Evacuation). Examples of interdependencies that may be overlooked are those between physical security measures and accompanying procedures. It is of little use, for example, to install an electronic access control system without having proper access control procedures in place (Haelterman 2009, p. 490), to install GPS (“Global Positioning System”) or similar technology on vehicles transporting high-value goods without the necessary follow-up capabilities and procedures (ibid.), or to invest in a CCTV (“closed-circuit television”) system without having monitoring procedures in place that are appropriate for its setup and design (Clarke 1997, p. 26) (Physical Security: Video Surveillance).

Likewise, procedures may need to be reviewed when it turns out that procedural requirements overlap and result in a duplication of efforts or when they turn out to be too costly or impractical in one way or another. Cost and waste management constantly drive organizations to transform existing strategies and practices in an ongoing quest for efficiencies. The introduction of security measures in a business environment often requires a considerable financial investment and frequently results in additional costs and/or practical problems due to their impact on certain core processes (Haelterman 2011, p. 394). The introduction of cargo screening procedures in a transport and logistics environment, for example, delays (and adds costs to) the normal operating process (ibid.), and imposing mandatory security screening of job applicants clearly adds costs and complexity to a new employee selection and onboarding program (Personnel Security: Best Practices). It is important, therefore, to always engage in an ex ante and periodic assessment and evaluation of the (financial, ethical, esthetical, and consequential) costs associated with introducing security measures and of the conditions that influence their effectiveness and efficiency (see also Haelterman 2009, 2011).

Last but not the least, procedures may require an upgrade as part of the “postmortem” activities of an actual security incident (Dunham 2018). When it shows from a detailed analysis of the modus operandi displayed by an offender that an existing control or procedure was either easily circumvented or turned out to be ineffective for some other reason, an upgrade is required. The next section positions script analysis as a promising tool to guide such analysis.

Tools for Upgrading Existing Controls and Procedures

While the need for establishing new procedures or for updating existing ones is sometimes triggered by events and developments that go beyond management control, this is by far not always the case. This final section positions script analysis as a useful analytical tool to help management upgrade existing security controls and procedures in reaction to a real-life or improvised security incident. Other tools worth exploring are BSA (“Behavior Sequence Analysis”), in which a quantitative method is applied to qualitative data in order to investigate the relationships between events and to anticipate and redirect potentially risky patterns of behavior (see, e.g., Taylor et al. 2017), as well as the use of virtual reality to study the crime commission process in more detail (see, e.g., van Gelder et al. 2016).

Crime Script Analysis

Derek Cornish (1994) was the first to adopt the script concept from cognitive science in support of situational crime prevention. This concept, according to Cornish (Idem: 151), offers “a useful analytic tool for looking at behavioral routines in the service of rational, purposive, goal-oriented action” and fits in particularly well with the crime-specific orientation that is found in rational choice and allied approaches to crime control. A script-theoretic approach, yet according to Cornish (Idem: 160), “offers a way of generating, organizing and systematizing knowledge about the procedural aspects and procedural requirements of crime-commission.” To (environmental) criminologists and crime analysts, script analysis provides opportunities for understanding the “step-by-step process that offenders have to go through in the commission of any crimes” (Leclerc and Wortley 2014, p. 6); and by providing a template to capture and describe each stage of that process, it further assists researchers and practitioners with identifying a broad scope of opportunities for situational interventions (ibid.).

In the fields of cognitive science and artificial intelligence, scripts have been positioned as one of the theoretical entities or knowledge structures that form the basis of human memory organization (Schank and Abelson 1977, p. 17). A script (as an “event schema”) is defined as “a structure that describes appropriate sequences of events in a particular context” (Idem: 41; Leclerc and Wortley 2014, p. 6). Applied to the criminological domain, it represents the complete sequence of actions adopted prior to, during, and following the commission of a particular crime (Leclerc and Wortley 2014, p. 6). If we take the hypothetical example of a script representing a theft of cargo from a soft-sided trailer parked at an unsecured parking lot (see also Table 1), such script could provide detail on potential preparations made prior to the actual theft, on the entrance to the parking lot, on the selection of a trailer to hit upon, on the means of gaining access to the load, and on the actual commission of the theft (Haelterman 2016, p. 14). It could further provide detail on the offenders exiting the crime scene, as well as on any follow-up actions (ibid.).
Table 1

Example of script “cargo theft from parked trailer”. (Modified from Haelterman 2016, p. 14)

Script scene

Script action

Preparation

Steal a van or light truck to transport the stolen items

Preparation

Gather the necessary tools for breaking into the trailer

Entry

Enter unsecured parking lot

Precondition

Drive around in search for soft-sided trailers

Instrumental precondition

Select a soft-sided trailer to hit upon

Instrumental initiation

Approach selected trailer

Instrumental actualization

Cut hole into the tarpaulin to check the load

Instrumental actualization

Break seal/lock on the trailer back door

Doing

Off-load cargo from the trailer

Doing

Load cargo into the getaway vehicle

Exit

Exit parking lot

Aftermath

Offer stolen goods for sale on the black market

Scripts can be developed from the perspective of the offender – as is the case in our hypothetical example – or from that of other actors or agents participating in the crime commission process (Haelterman 2016, p. 16). They can be turned into interpersonal scripts, providing detail on the interactions between the various parties involved (Idem: 17), and can be used to study successful, attempted, failed, or aborted crimes (see, e.g., Cornish 1994, p. 163).

The value of script analysis to those tasked with developing and reviewing security controls is that it forces them to study the crime commission process in more detail with a potential to reveal information that may be missed during a more superficial assessment of a criminal event (Haelterman 2016, p. 19). It facilitates the identification of potential intervention points and provides guidance on where preventive measures can best be introduced (Cornish 1994, p. 164). Building upon our hypothetical example of cargo theft from a parked trailer, Table 2 provides some examples of controls that can potentially be mapped onto the script to prevent repeat victimization. Where these controls are missing, their introduction can be considered; and where they are in place but have been circumvented, it is worth assessing why they turned out to be ineffective.
Table 2

Preventing “cargo theft from parked trailer”. (Modified from Haelterman 2016, p. 20)

Script action

Situational controls

Steal a van or light truck to transport the stolen items

Car alarms, ignition locks, steering locks, immobilizers

Gather the necessary tools for breaking into the trailer

Control markets for dual goods, random vehicle searches

Enter unsecured parking lot

Access controls and procedures, parking attendants, select secure parking facilities

Drive around in search for soft-sided trailers

Enhance visibility and natural surveillance, on-site patrolling, camera surveillance, raise awareness and informal social control

Select a soft-sided trailer to hit upon

Replace soft-sided trailers with hard-sided trailers

Approach selected trailer

Enhance visibility and natural surveillance, on-site patrolling, camera surveillance, raise awareness and informal social control

Cut hole into the tarpaulin to check the load

Intrusion detection, anti-slashing strips on soft-sided trailers

Break seal/lock on the trailer back door

Intrusion alarms, security seals, security locks, park trailers back-to-back or facing a wall or fence

Off-load cargo from the trailer

Enhance visibility and natural surveillance, on-site patrolling, camera surveillance, raise awareness and informal social control

Load cargo into the getaway vehicle

Enhance visibility and natural surveillance, on-site patrolling, camera surveillance, raise awareness and informal social control

Exit parking lot

Exit controls and procedures, exit searches

Sell stolen goods on the black market

Disrupt markets for stolen goods

Reactive, Proactive, and Hypothetical Scripting

Crime script analysis can be applied in a proactive, reactive, and hypothetical mode to identify control gaps and control deficiencies and to select the most appropriate controls and control improvements that will help to prevent (repeat) victimization (Haelterman 2016, p. 123). Reactive scripting refers to the application of script analysis in the aftermath of a criminal event (ibid.). Proactive scripting, on the other hand, refers to the development of crime scripts based on information retrieved elsewhere (e.g., shared within industry bodies, gathered from the press, from professional or academic literature, from seminars and networking activities, etc.) (Idem: 124). By means of developing and interpreting scripts in a proactive manner, those responsible for designing controls gain the ability to assess whether their own organization has the necessary safeguards in place to avoid becoming a next victim (ibid.). Hypothetical scripting, finally, refers to putting oneself in the mind of the offender and viewing the task of breaching existing controls from an offender perspective (Ekblom, quoted in Moreto and Clarke 2014, p. 216). The type of scripts derived from these thought experiments are referred to as potential scripts, describing hypothetical sequences of actions and highlighting the various tracks that an offender could follow to commit a crime (Borrion 2013, p. 4).

Conditions for Successful Scripting

As with any analytical tool, the value of script analysis will depend on the amount and quality of data that is being gathered and processed. The more detail that is available on the offender’s (hierarchy of) goals, decisions, actions, and interactions with the environment and other agents, the more potential for successful interventions (Haelterman 2016, p. 129). It is a known fact, however, that crime scripts often suffer from fragmented and insufficiently detailed information (see, e.g., Cornish 1994, p. 160; Gilmour 2014, p. 39). It is important, therefore, that crime commission is being addressed at the appropriate level of specificity during interviews and investigations in general and that sufficient attention is being paid to the quality of (internal) reporting (Cornish 1994, p. 167; Haelterman 2016, pp. 236–237).

Conclusion

Security procedures provide guidance on how to implement, enable, and enforce existing security controls and on how to execute security-relevant business processes in a consistent and concerted manner. At the same time, they are to be considered controls in their own right. Same as other components of a security program, they require constant fine-tuning. New procedures may need to be established, or existing ones reviewed, as new security threats are being recognized or as the external environment changes. Upgrades may further be required in a quest for efficiency gains or when existing controls and procedures turn out to be ineffective. This entry positions script analysis as a promising and pragmatic tool to help crime prevention practitioners break down the crime commission process with the aim to identify potential intervention points, to strengthen existing controls, or to introduce additional ones. The tool can be applied in a reactive mode to properly identify control gaps and control deficiencies following an incident or in a proactive or hypothetical mode to routinely test the effectiveness of an organization’s security and control setup. As to embrace the full potential of script analysis, however, it is key to address crime commission at the appropriate level of specificity during interviews and investigations and to pay sufficient attention to the quality of (internal) reporting.

Cross-References

References

  1. Alexander, D. C., & Alexander, Y. (2002). Terrorism and business. The impact of September 11, 2001. Ardsley: Transnational Publishers.Google Scholar
  2. Borrion, H. (2013). Quality assurance in crime scripting. Crime Science, 2(6), 1–12.Google Scholar
  3. Chtioui, T., & Thiéry-Dubuisson, S. (2011). Hard and soft controls: Mind the gap! International Journal of Business, 16(3), 289–302.Google Scholar
  4. Clarke, R. V. (1997). Introduction. In R. V. Clarke (Ed.), Situational crime prevention. Successful case studies (2nd ed., pp. 1–44). New York: Harrow and Heston.Google Scholar
  5. Clarke, R. V., & Newman, G. R. (Eds.). (2005). Crime prevention studies volume 18: Designing out crime from products and systems. Monsey: Criminal Justice Press.Google Scholar
  6. Cornish, D. B. (1994). The procedural analysis of offending and its relevance for situational prevention. In R. V. Clarke (Ed.), Crime prevention studies (Vol. 3, pp. 151–196). Monsey: Criminal Justice Press.Google Scholar
  7. Dunham, R. (2018, March 14). Security procedures – How do they fit into my overall security documentation library? https://linfordco.com/blog/security-procedures/. Accessed 1 Dec 2018.
  8. Gilmour, N. (2014). Understanding money laundering. A crime script approach. The European Review of Organised Crime, 1(2), 35–56.Google Scholar
  9. Haelterman, H. (2009). Situational crime prevention and supply chain security: An ex ante consideration of preventive measures. Journal of Applied Security Research, 4, 483–500.CrossRefGoogle Scholar
  10. Haelterman, H. (2011). Re-thinking the cost of supply chain security. Crime, Law and Social Change, 56(4), 389–405.CrossRefGoogle Scholar
  11. Haelterman, H. (2016). Crime script analysis. Preventing crimes against business. London: Palgrave Macmillan.CrossRefGoogle Scholar
  12. Hornby, A. S. (1995). Oxford advanced learner’s dictionary of current English (5th ed.). Oxford: Oxford University Press.Google Scholar
  13. Leclerc, B., & Wortley, R. (2014). The reasoning criminal. Twenty-five years on. In B. Leclerc & R. Wortley (Eds.), Cognition and crime. Offender decision making and script analyses (pp. 1–11). New York: Routledge.Google Scholar
  14. Moreto, W. D., & Clarke, R. V. (2014). Script analysis of the transnational illegal market in endangered species. In B. Leclerc & R. Wortley (Eds.), Cognition and crime. Offender decision making and script analyses (pp. 209–220). New York: Routledge.Google Scholar
  15. Oliver, E., & Wilson, J. (1972). Practical security in commerce and industry (2nd ed.). New York/Toronto: Wiley.Google Scholar
  16. Schank, R. C., & Abelson, R. P. (1977). Scripts, plans, goals and understanding. An inquiry into human knowledge structures. Hillsdale: Lawrence Erlbaum Associates.Google Scholar
  17. Taylor, O., Keatley, D. A., & Clarke, D. D. (2017). A behavior sequence analysis of perceptions of alcohol-related violence surrounding drinking establishments. Journal of Interpersonal Violence.  https://doi.org/10.1177/0886260517702490.
  18. van Gelder, J.-L., Nee, C., Otte, M., Demetriou, A., van Sintemaartensdijk, I., & van Prooijen, J.-W. (2016). Virtual burglary: Exploring the potential of virtual reality to study burglary in action. Journal of Research in Crime and Delinquency.  https://doi.org/10.1177/0022427816663997.CrossRefGoogle Scholar

Further Reading

  1. Abbott, A. (1995). Sequence analysis: New methods for old ideas. Annual Review of Psychology, 21, 93–113.Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Faculty of Law and Criminology – Department of Criminology, Criminal Law and Social LawGhent UniversityGhentBelgium