Situational Awareness to Enhance Security Management
Security management covers all aspects of identifying your organization’s assets, followed by the development, documentation, and implementation of policies and procedures to protect those assets – be they people, facilities, machines, systems, information or digital assets.
However, the best policies and procedures can’t stop determined actors when those actors know more about their own future actions than you do, and have the capabilities to carry their attacks out.
What then can organizations do to protect their people and assets? That’s where situational awareness comes in.
Situational awareness, as defined in NIST Special Publication (SP) 800-160v1r1, is the perception of elements in the system and/or environment and a comprehension of their meaning, which often includes a projection of the future status of perceived elements and the uncertainty associated with that status.
How exactly does enhanced situational awareness contribute to robust security management? This article explains the role of situational awareness in security management, tracing back the origins of situational awareness, how it’s been implemented in security management, and finally the policies and security management software capabilities designed to enhance situational awareness in the enterprise.
Where situational awareness came from
So, where does situational awareness come from? Despite its meaning, situational awareness doesn’t come from the field of security management.
In fact, the term predates modern protective security by some time.
Academic scholars trace situational awareness all the way back to Sun Tzu’s The Art of War.
There, it refers to the habit of constantly being alert and prepared, which entails being able to accurately read the surrounding environment and correctly decipher signs of danger to always act and react with a temporal and tactical advantage (Krassman and Hentschel).
From there, situational awareness got a modern makeover to remain relevant to the volatile situation of high-tech combat.
That setting required a rethinking of communication structures to achieve what is called shared situational awareness, i.e., situational awareness common to multiple actors.
That level of situational awareness can only be achieved by superior information, knowledge, and decision making.
Around the same time, situational awareness also became important to public safety and emergency management. As severe weather incidents increased, public actors had to better anticipate hazardous events to better absorb shocks and recover.
This also required a higher level of information and advanced knowledge to improve the quality of decisions taken before, during, and after critical events.
Why security risk management requires situational awareness
Like severe weather events, security incidents have also increased rapidly. And situational awareness lent itself readily to the protective security management milieu.
This environment has been characterized by ever more complex types of security incidents – cyber, physical, and cyber-physical. As a result, key concerns for organizations now include:
- IT security
- Modern phishing
- State-sponsored attacks
The trend toward social networking, BYOD, and cloud computing technologies has specifically exacerbated enterprise information security risk.
However, physical security incidents remain prolific – from tailgating to insider threats to unaccounted visitors to workplace violence. Indeed, the evacuation of many workspaces during and after the pandemic has increased security risk to unattended workers and facilities.
How does situational awareness fit in?
Well, best-practice measures, such as those prescribed in the international information security management standard ISO 27001, acknowledge that an organization’s level of security risk exposure should guide its risk controls.
Remember, security risk management entails:
- Risk identification
- Risk assessment
- Risk treatment, e.g., avoidance, mitigation, transfer, etc.
- Risk review
This entire security risk management process, though, relies on high levels of situational awareness to determine the appropriate level of risk exposure.
Situational awareness in security risk assessment
An accurate assessment of overall security risk is, of course, crucial to the risk assessment phase.
What goes on during a security risk assessment?
That phase typically involves the collection of information about the organization’s security resources, including the following:
- Complete and accurate list of discrete assets, both physical and informational
- Complete and accurate list of vulnerabilities to each asset
- Mappings of each threat-asset-vulnerability combination
- Determination of the likelihood and potential impact of each risk scenario
In all instances, enhanced situational awareness makes the practice of risk assessment more effective.
It also cuts down on the expense typically associated with undertaking the risk assessment. These expenses result from the following:
- The large number of assets an organization has
- The evolving nature of security risk itself, both in aggregate and for individual risks
- The difficulties inherent in determining the likelihood of a security incident or its impact
What’s more, enhanced situational awareness helps overcome common challenges to the practice of security risk assessment. Those challenges or deficiencies include:
- Assessments are too perfunctory.
- Risks are estimated with too little reference to the organization’s actual situation.
- Assessments are often performed too sporadically with little historical basis.
How does situational awareness improve security risk management?
How then can enhanced situational awareness help overcome these challenges?
By providing a more accurate understanding of the risks organizations face, enhanced situational awareness helps security managers make more effective decisions regarding the company’s security posture.
The risk management process, in particular, will benefit from comprehensive information collection, analysis, and reporting mechanisms, enabled by situational awareness, to support the decision-making process.
Security management software to improve situational awareness
The remaining question is how.
In physical security management, guards tend to be the eyes and ears of the organization. These guards will have access to video footage and sensor data.
Of course, most acknowledge that this isn’t enough given the scale of the security threat.
Security management software, here, helps organizations proactively safeguard their people, assets, and reputation via enhanced situational awareness through actionable threat intelligence.
In the physical security realm, physical security information management systems (PSIM) stand out as software platforms that integrate multiple security applications and devices to maximize situational awareness.
PSIM works by integrating security devices and presenting all their relevant information in a single view. By doing so, the physical security information management software improves detection efficiency and effectiveness, which in turn contributes to greatly improved situational awareness and decision support.
For this to happen, though, physical security information management software requires a few basic components. According to IFSEC Global, a complete PSIM system will have the following capabilities.
Capabilities of a complete PSIM system
- Device-management-independent software collects data from any number of disparate security devices or systems.
- The physical security information management system analyzes and correlates the data, events, and alarms to identify the real situations and their priority.
- PSIM software presents the relevant situation information in a quick and easily digestible format for an operator to verify the situation.
- The system provides Standard Operating Procedures (SOPs), step-by-step instructions based on best practices and the organization’s policies, along with tools to resolve the situation.
- The PSIM software tracks all the information and steps for compliance reporting, training and, potentially, in-depth investigative analysis.
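The collection, correlation, prioritisation and SOP steps described above, as an added example that is not part of the original article or any PSIM vendor’s code: constructed alarms from three subsystems are folded into per-zone situations, with priority raised when independent subsystems corroborate each other. The event fields, SOP names and the 120-second window are assumptions.

```python
from dataclasses import dataclass, field

# Constructed alarms from three disparate subsystems (access control, intrusion
# sensors, video analytics); field names are assumptions, not a vendor schema.
# "t" is seconds since midnight.
EVENTS = [
    {"t": 3600, "src": "access",    "zone": "loading-dock", "type": "door-forced",     "sev": 3},
    {"t": 3612, "src": "intrusion", "zone": "loading-dock", "type": "pir-motion",      "sev": 2},
    {"t": 3640, "src": "video",     "zone": "loading-dock", "type": "person-detected", "sev": 2},
    {"t": 3650, "src": "access",    "zone": "lobby",        "type": "door-held-open",  "sev": 1},
    {"t": 7200, "src": "intrusion", "zone": "lobby",        "type": "pir-motion",      "sev": 2},
]
# Assumed SOP lookup: the procedure an operator is shown for each situation class.
SOPS = {
    "corroborated": "SOP-07: dispatch guard, lock down zone, preserve video",
    "single-sensor": "SOP-01: verify on camera; log and clear if benign",
}
WINDOW = 120  # seconds: alarms in one zone this close together are one situation

@dataclass
class Situation:
    zone: str
    events: list = field(default_factory=list)

    @property
    def sources(self) -> set:
        return {e["src"] for e in self.events}

    @property
    def priority(self) -> int:
        # Worst alarm severity, raised by one for each extra independent
        # subsystem that corroborates it, capped at 5.
        worst = max(e["sev"] for e in self.events)
        return min(5, worst + len(self.sources) - 1)

    @property
    def sop(self) -> str:
        return SOPS["corroborated" if len(self.sources) >= 2 else "single-sensor"]

def correlate(events, window=WINDOW):
    """Collapse raw alarms into per-zone situations, highest priority first."""
    open_by_zone, situations = {}, []
    for e in sorted(events, key=lambda e: e["t"]):
        cur = open_by_zone.get(e["zone"])
        # Open a new situation if the zone has none or its last alarm is stale.
        if cur is None or e["t"] - cur.events[-1]["t"] > window:
            cur = Situation(zone=e["zone"])
            open_by_zone[e["zone"]] = cur
            situations.append(cur)
        cur.events.append(e)
    return sorted(situations, key=lambda s: s.priority, reverse=True)

def audit_record(situations):
    """Flat trail of what was correlated and which SOP applied, for later review."""
    return [(s.zone, s.priority, sorted(s.sources), s.sop) for s in situations]
```

The loading-dock alarms from three subsystems become one priority-5 situation with the corroborated SOP, while the two lobby alarms, hours apart, stay separate single-sensor situations.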
How does PSIM help to improve situational awareness?
That’s not all.
PSIM platforms collect and manage information from disparate security devices and information systems, collating that data into one common situation picture.
Per analysts in the field, these devices can be traditional security sensors like video cameras, access control, and intrusion detection sensors, or less conventional systems, such as networks and building management systems, cyber security alerts, and even weather feeds (more on that later).
PSIM systems themselves are vendor- and hardware-agnostic. They serve the purpose of giving users the ability to integrate legacy systems.
Indeed, integration is the primary function of PSIM. Users can connect with existing and/or planned systems without being locked in.
PSIM is also intelligence-based, i.e., users have the ability to identify unfolding events, manage them effectively, and therefore mitigate risk.
By giving security personnel access to data from disparate systems, PSIM empowers staff to accurately identify and proactively resolve situations. What systems precisely? Traditionally, the following security systems have typically been integrated into a PSIM solution:
- Access control systems
- Automated barriers
- Building management systems, e.g., heating, HVAC, elevator controls
- CCTV (closed circuit TV)
- Computer Aided Dispatch systems
- Cyber systems
- Electronic article surveillance (EAS)
- Fire detection
- GIS mapping systems
- Intrusion systems including perimeter intrusion detection systems
- Security alarms
- Video content analysis
Importance of physical security information management in situational awareness and decision support
Why weren’t the individual systems enough to contribute to situational awareness?
The data sources and inputs used in PSIM themselves emerged due to the increase in different natural and malicious threat scenarios. Individually, however, the solutions didn’t provide adequate intelligence and reliability.
That’s where PSIM came in. PSIM overcomes technological limitations, synthesizing data from multiple alerting systems and physical sensors.
PSIM also exploits distributed and heterogeneous subsystems to provide advanced event detection capabilities and/or improve detection reliability.
The importance of PSIM comes into greater relief in the scenario where entities must protect open infrastructure spread out across broad spaces and therefore vulnerable to many threats.
In that scenario, cameras and sensors alone run up against the limitations of human-based surveillance – labor intensive, fatiguing work that’s also prone to human error.
In such a context, PSIM yields superior situational awareness and decision support.
Importance of multiple data sources for situational awareness
PSIM underscores the importance of multiple data sources for situational awareness. Indeed, multi-source data points are needed to establish and heighten situational awareness, improve comprehension and perception, and support effective critical decision making.
And we’ve learned that properly integrated, these multiple data sources offer the following benefits:
- Better quality decision-making
- Faster response time and minimized impact of critical events
- More time for coordination
- More consistent messaging to affected publics
Organizations, however, also require such data sources for information and cyber security, which PSIM doesn’t cover.
That’s why cyber data alerts are on the rise.
According to a 2020 report on the state of SecOps and automation, more than half (56 per cent) of large companies handled at least 1,000 alerts per day.
Serious challenges have emerged to impede the effectiveness of data alerts for situational awareness, though.
The most acute is alert fatigue.
How alert fatigue impedes situational awareness
So, what is alert fatigue? Alert fatigue happens when an overwhelming number of alerts desensitize responding individuals to individual alerts – even when those alerts carry valuable information.
Cybersecurity experts have picked up on this trend toward alert fatigue, catalyzed by COVID, which led to a sharp rise in alerts.
How bad has the issue become?
In 2021, the International Data Corporation (IDC) reported that over eight in every ten cyber security professionals said they were struggling to cope with the sheer volume of security alerts.
Surveyed staff reported spending more time (32 minutes) on alerts that turned out to be false leads than on actionable alerts.
As a result, more than a quarter (27 per cent) of all alerts were ignored or not investigated in mid-sized corporations. Slightly larger organizations (1,500 to 4,999 employees) saw personnel ignore nearly a third of all alerts.
Digital technology solutions to address alert fatigue and other information management challenges
Of course, alert fatigue will give security managers a flawed understanding of risk exposure by impeding situational awareness.
What then can be done?
Here, as with PSIM, the right security management solution can ensure actionable data gets through in a format that incentivizes speedy triaging and contributes to situational awareness.
To contribute to enhanced situational awareness, these solutions offer powerful workflow automation, which helps to aggregate and visualize alerts, thereby accelerating investigation speeds and response times.
The flexible, digital solutions which boast such information-management modalities work by capturing and consuming information from multiple sources to provide a real-time common operating picture of the task or operation at hand. Such solutions:
- Leverage powerful, yet easy-to-set-up workflows to control and automate management processes and standard operating procedures, keeping the right stakeholders informed across multiple communications mediums
- Deploy analytics and reporting tools to ensure that decision-makers have the correct information in the best available format, when they need it
- Track tasks to ensure that the right actions are taken and followed through, helping security managers to better assign, manage, and track resources
- Provide a case management framework, orchestrating information flows throughout the organization, delivering consistency where multiple systems, sources, and processes are employed, and enabling the secure exchange of information and coordination of resources across multiple stakeholders
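The alert aggregation that the workflow automation above relies on, and that counters the alert fatigue described earlier, as an added example that is not part of the original article or of any product named here: repeated alerts for the same rule on the same asset fold into one triage card, the card carries the worst severity seen, and a burst of repeats is escalated rather than buried. The alert schema, the 300-second window and the burst limit are assumptions.

```python
# Constructed alert stream, as a SIEM or EDR might emit it; the schema is
# assumed for illustration, not any vendor's format. "ts" is seconds.
RAW_ALERTS = [
    {"ts": 0,   "rule": "failed-login-burst", "asset": "vpn-gw-1", "sev": "medium"},
    {"ts": 30,  "rule": "failed-login-burst", "asset": "vpn-gw-1", "sev": "medium"},
    {"ts": 45,  "rule": "failed-login-burst", "asset": "vpn-gw-1", "sev": "medium"},
    {"ts": 50,  "rule": "malware-detected",   "asset": "wks-0042", "sev": "high"},
    {"ts": 400, "rule": "failed-login-burst", "asset": "vpn-gw-1", "sev": "medium"},
    {"ts": 410, "rule": "failed-login-burst", "asset": "vpn-gw-1", "sev": "high"},
    {"ts": 420, "rule": "cert-expiring",      "asset": "web-lb-2", "sev": "low"},
]

SEV_RANK = {"low": 1, "medium": 2, "high": 3}
WINDOW = 300       # seconds: repeats of one rule on one asset fold into one card
BURST_LIMIT = 3    # at this many repeats within a window the card is escalated

def aggregate(alerts, window=WINDOW, burst_limit=BURST_LIMIT):
    """Fold repeated (rule, asset) alerts into cards an operator can triage."""
    cards = []
    open_cards = {}  # (rule, asset) -> index into cards
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["rule"], a["asset"])
        idx = open_cards.get(key)
        # Open a new card if none exists for this key or the last one went stale.
        if idx is None or a["ts"] - cards[idx]["last"] > window:
            cards.append({"rule": a["rule"], "asset": a["asset"], "first": a["ts"],
                          "last": a["ts"], "count": 0, "sev": a["sev"], "escalated": False})
            idx = open_cards[key] = len(cards) - 1
        c = cards[idx]
        c["count"] += 1
        c["last"] = a["ts"]
        if SEV_RANK[a["sev"]] > SEV_RANK[c["sev"]]:
            c["sev"] = a["sev"]          # a card carries the worst severity seen
        if c["count"] >= burst_limit:
            c["escalated"] = True        # volume itself is a signal, not noise
    return cards

def triage_order(cards):
    """Escalated cards first, then by severity, then by most recent activity."""
    return sorted(cards, key=lambda c: (c["escalated"], SEV_RANK[c["sev"]], c["last"]),
                  reverse=True)

def reduction(alerts, cards):
    """Share of raw alerts the operator no longer has to look at one by one."""
    return round(1 - len(cards) / len(alerts), 2)
```

Seven raw alerts become four cards, and the three-in-a-minute login burst is the first thing the operator sees rather than three identical rows.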
Further benefits include:
- Reinforce intelligence tasking and response with an auditable record of changes
- Automated review, approval, escalations, and interactions across the organization and externally
- Ability to relate assets, events, and contacts to provide a complete picture of requests, incidents, and tasks, including mapping for geospatial information, timelines for understanding changes and progressions in context, and alerts to automatically flag issues for further attention
- An executive view of progress, emerging issues, and crises
- Support for scalable processes to handle routine or commodity threats
- Support for intelligence gathering for entities of interest including evidence gathering and multi-party coordination
- Accommodation of low privilege users, such as third-party IT staff to log threats and incidents or receive reports, without their gaining access to more sensitive information
- Highlighted prioritized assets or other high impact items
Noggin integration options to enhance situational awareness and ensure the right information gets through at the right time
And there’s more. The genius of these solutions is that they offer a full range of integration options, making it easy to connect and synchronize data and plug in customer systems, to further enhance situational awareness in security management.
The Noggin platform, for example, integrates with ERPs and CRMs, as well as other service management and cyber security systems. When it comes to actionable data alerts, relevant Noggin integrations include:
For security threats
Integrating with Noggin, Signal is an open-source intelligence tool for security teams who may deal with disruptive or unexpected events. Customers monitor multiple online data sources with a simple, easy-to-use interface, with Signal providing relevant, actionable information in real time. And so, with Signal, you can:
- Identify emerging threats faster
- Receive real time alerts
- Monitor developing situations
For event and risk detection
Integrating with Noggin, the Dataminr AI platform detects the most relevant, high-impact events and emerging risks in real time – so customers can respond with speed and confidence. The platform enables a diverse customer base to manage crises more effectively:
- Businesses can identify and respond to emerging risks across the enterprise, with the earliest indicators of business-critical information about risks to people, brands, and physical and virtual assets.
- Public sector entities can respond to real-time events faster, know where to deploy first responders, and provide aid to citizens on the ground within minutes.
For IT ops
Integrating with Noggin, PagerDuty provides a source of truth and coordination for real-time operations and major IT disruptions, useful in the following use cases:
- IT on-call management
- Operational analytics
- IT incident response
- IT team activation and coordination
- Automated IT incident resolution
The security environment, whether cyber, physical, or cyber-physical, has never been more perilous. As a result, modern security managers need to know more and anticipate better to keep bad actors at bay.
That’s where enhanced situational awareness in security management comes in.
But just as there are certain practices that enhance situational awareness, there are also technologically-induced challenges to situational awareness, such as alert fatigue.
Fortunately, technologies like Noggin contribute greatly to situational awareness in security management by making more relevant information actionable through powerful (yet configurable) workflows that can be tailored to your organization’s business processes.
Don’t take our word for it, though. Check out Noggin Resilience for yourself in a tailored software demonstration.