TESTIMONIALS

“Received the latest edition of Professional Security Magazine, once again a very enjoyable magazine to read, interesting content keeps me reading from front to back. Keep up the good work on such an informative magazine.”

Graham Penn
ALL TESTIMONIALS
FIND A BUSINESS

Would you like your business to be added to this list?

ADD LISTING
FEATURED COMPANY
Interviews

Designing for the wrong threat

by Mark Rowe

Most security failures do not happen because controls are weak. They happen because organisations are defending against the wrong threat, says  Gavin Wilson, Director of Physical Security and Risk, at the consultancy Toro Solutions.

Most physical security environments are not poorly designed. In many cases, they are well managed, compliant and supported by significant technology. The issue is that they are often optimised around a threat model that no longer reflects how hostile activity would realistically develop.

Assumptions Outlast Reality

Sites originally designed around theft, trespass or opportunistic intrusion evolve over time. Occupancy changes, contractors become embedded in day-to-day activity, buildings are repurposed and operational pressure drives processes towards efficiency rather than the assumptions the original security strategy was built upon. The controls themselves often remain largely unchanged, even though the environment they are protecting behaves very differently in practice. This is where the gap begins to emerge between how security is expected to perform and how a determined actor would actually approach the site.

A significant proportion of physical security design still reflects traditional intrusion models: perimeter breach, forced entry and unauthorised access attempts against visible controls. As a result, investment naturally gravitates towards measures that are easy to justify and easy to demonstrate through assurance activity. Perimeter hardening, surveillance coverage, access control infrastructure and hostile vehicle mitigation all sit comfortably within that model and, in many environments, remain entirely appropriate. The problem is that capable adversaries rarely choose to confront strong controls directly if lower-friction opportunities exist elsewhere.

What Adversaries Learn from Everyday Behaviour

In practice, physical intrusion is often preceded by a period of observation designed to understand how the site functions operationally rather than how it appears architecturally. Contractor movement, delivery routines, shift transitions, challenge culture, reception processes and accepted behaviours frequently provide more useful insight than the perimeter itself. Over time, a realistic picture emerges of where procedures are applied consistently, where operational pressure weakens them and where familiarity has gradually reduced scrutiny.

This does not necessarily indicate poor security management. It reflects the reality that operational environments evolve continuously and that people naturally adapt processes to maintain efficiency and practicality. Most mature sites contain some degree of behavioural drift from the original design intent. The question is whether the security model has evolved with them. This is also why conventional review activity can produce an incomplete picture.

The Limits of Traditional Assurance

Assessments are often designed to confirm that controls exist, function correctly and align with established standards or design requirements. What they do not always assess particularly well is how those controls perform when someone is deliberately trying to work around them, or whether the assumptions underpinning the design are still valid in the current operating environment. That distinction becomes increasingly important where the primary concern is no longer opportunistic criminality but disruption, interference or targeted hostile activity.

Visible versus Effective

For some organisations, the more credible risk is not the theft of an asset but the operational consequences that follow unauthorised access. Delays to service delivery, reputational damage, interference with critical operations or pressure applied through supply chain dependencies can fundamentally change how an environment should be assessed.

In these cases, resilience depends less on whether a perimeter can delay intrusion for a period of time and more on how the organisation performs once someone has successfully blended into routine activity inside the site. This is also where visible security measures and effective security measures are not always the same thing.

A site can perform strongly during audit, client assurance activity or formal review while still containing vulnerabilities that become obvious when viewed from an adversarial perspective. Surveillance coverage may satisfy design requirements while offering limited practical detection value in a busy environment. Access control may be technically robust but weakened by routine workarounds, contractor familiarity or inconsistent challenge behaviour. None of these issues are unusual. They simply reflect environments that have evolved while the underlying threat assumptions have remained static.

A Threat-Led Approach 

A threat-led physical security review changes the starting point of the assessment. Instead of beginning with the controls themselves, the process starts with the realistic threat picture surrounding the site. Who would realistically target the environment? What or who would be a target? What would they be trying to achieve? How would they most likely approach it in practice?

Viewed through that lens, the discussion quickly moves away from whether controls simply exist and towards how they actually perform under realistic operational conditions. In some cases, this highlights vulnerabilities that have become normalised internally over time. In others, it demonstrates that heavily funded measures contribute less resilience than originally assumed, while relatively modest operational changes could materially improve the organisation’s defensive posture.

This is not an argument for more security. In many cases, it is the opposite. Organisations frequently discover they are overprotecting low-value areas while under-estimating where their real operational exposure sits. If the environment is not assessed against how hostile activity would realistically develop, it becomes difficult to determine whether investment is improving resilience or simply reinforcing historic assumptions.

Most organisations are not designing poor security environments. More often, they are continuing to design around threat assumptions that no longer reflect how sites are approached in practice.

Related News