Beyond the Basics: Leveraging the 3 D's and 3 R's of Security
Every organization faces risk. It may be physical risk, cyber risk, risk from malicious insiders, or risk of failing compliance standards. However, whatever the risk is, it can be both managed and mitigated.
The most effective way to manage any scenario’s risk is through a framework that balances the reduction of probability and severity. The 3 Ds (deter, detect, delay) and the 3 Rs (respond, report, recover) provide that balance.
Key takeaways:
Not all risks are alike. The Ds work to reduce the probability of threats but are not effective against hazards, since we generally cannot affect the probability of a natural disaster. The Rs work with both threats and hazards.
Scenario-based planning is essential. General risk assessments diminish the value of the Ds and Rs. To be effective, organizations must apply the Ds and Rs to specific threats such as active shooters, insider theft, or severe weather.
Measurement matters. Countermeasures should be tied to KPIs such as detection accuracy, delay time, or mean time to respond. This allows leaders to evaluate the effectiveness of their security programs.
Culture and communication are part of security. Deterrence and recovery rely as much on clear policies, reporting structures, and staff training as they do on cameras, fences, or sensors.
Multi-division planning and communication is key. Effectively planning for, preparing for, and preventing scenarios takes a multi-divisional (security, business continuity, legal, HR, maintenance, etc.) approach within an organization. Working in departmental silos has held back organizational efforts to mitigate a multitude of scenarios and to become proactive in reducing risk.
By adopting the 3 Ds and 3 Rs as a strategic lens for security assessments, organizations can make smarter investments, strengthen resilience, and ensure continuity when disruptions occur.
What are the 3 Ds and the 3 Rs?
The 3 Ds and the 3 Rs of security are principles for security management. The 3 Ds are concerned with reducing the probability of an event, and the 3 Rs are concerned with recovery from the incident. They can also be thought of as layers. Any security countermeasure, policy, or decision falls under either a D or an R.
The three Ds reduce the probability of an incident by discouraging threats, spotting them early, and slowing their progress.
Deter: Discourage the attack or threat from ever happening.
Detect: Identify and verify the threats as they are happening.
Delay: Slow a threat actor’s progress toward fulfilling their mission, allowing time for an effective response.
The three Rs reduce the severity of an incident by guiding immediate response, ensuring accurate reporting, and restoring operations quickly.
Respond: The immediate answer to a threat or hazard, when your team is actively responding.
Report: Document what happened, notify stakeholders, conduct after-action reporting, and capture lessons learned.
Recover: Restore operations as quickly and safely as possible, institute business continuity plans, and support team dynamics.
Where do the 3 Ds and 3 Rs come from?
The 3 Ds have a longer history than the Rs, although their exact origin is difficult to pin down. What we do know is that the three Ds have been around for decades, appearing in criminal justice and physical security textbooks over the years.
Security professionals often learn them in the context of the “onion” approach to security, which stacks layers of defense at a site. In this model, the three Ds (deter, detect, delay) describe the desired effect of each layer of security.
Over the years, some authors and security practitioners have expanded the list to four, five, or even six Ds, adding concepts like “defend” or “document.”
We’re sticking with just three Ds in this guide, however, because the additional Ds tend to overlap with the three Rs of security, which are focused on incident response.
The Rs are more recent. We’ve developed them to describe the stages during and after an incident.
The Three Ds: reducing the probability of an attack or incident
The three Ds are defensive principles; they reduce the probability of an incident occurring by shaping the environment in ways that make attacks harder, riskier, or more obvious. It’s also important to know that a countermeasure does not have to fall into just one of these categories. Cameras can fall under Deter as well as Detect, for example. Security guards can fall under all three Ds. The countermeasures can also be different for various scenarios. For example, a camera might be a deterrent for theft, but for active shooter events, most assailants do not care if cameras are watching. In fact, some even hope for the event to be recorded and shared.
Deter
Deterrence is about discouraging a threat before it begins. The goal is to change the cost-benefit calculation in an attacker’s mind, making the risk of being caught or the difficulty of success outweigh the potential reward.
Examples of deterrence include visible security cameras, clear signage, strong perimeter fencing, lighting, or even well-communicated company policies. In insider threat cases, deterrence can take the form of contracts, monitoring policies, or a culture of accountability.
Effective deterrence reduces the likelihood of an incident by signaling that attempts will be noticed and consequences will follow.
Detect
Detection ensures that threats are identified as early as possible. The faster a threat is recognized and verified, the more time an organization has to activate its response plans.
Detection measures include surveillance cameras, intrusion alarms, motion sensors, visitor management systems, and anomaly monitoring tools. However, detection is only as effective as the organization’s ability to distinguish true alerts from false alarms. Over-reliance on unverified alerts creates noise and slows response, while accurate detection provides the critical first signal that something is wrong.
Delay
Delaying a threat buys valuable time. Whether it’s slowing an intruder with multiple locked doors, channeling vehicles through barriers, or designing access systems that force authentication at every stage, delays extend the window for detection and response to work. Often we look at this as layers of security. The goal is to make each layer harder for a bad actor to access. The asset with the highest security measures is at the center of all the layers.
Delay measures are not meant to stop an attack indefinitely, but they are an invaluable tactic; in high-stakes incidents like active shooter events, every second of delay can save lives. Effective security strategies combine deterrence, detection, and delay so that when one layer fails, the next slows the threat down.
The Three Rs: reducing the impact of a threat or hazard
Even with strong deterrence, detection, and delays, not all threats or hazards can be prevented. That’s where the Rs come in. The Rs are concerned with response and mitigating the impact of an incident.
Respond
Response is the immediate action taken once a threat or hazard is identified. It encompasses everything from activating alarms and dispatching security personnel to executing lockdown or evacuation procedures. A fast and coordinated response can drastically reduce harm, whether the incident is a physical intrusion, an insider theft, or a natural disaster. Response effectiveness is often measured in seconds; the quicker the action, the more likely lives, assets, and operations are preserved.
Report
Reporting ensures that incidents are properly documented, communicated, and analyzed. Spend time debriefing the incident and completing after action reporting. Focus on what went well and what needs improvement. Do this immediately before people forget or timelines get confusing. This includes notifying leadership, law enforcement, insurers, and in some cases regulators, as well as recording the details of what occurred for internal review. Reporting also includes victim and casualty accounting in disaster scenarios. Strong reporting practices not only create accountability but also feed lessons learned back into security planning, making organizations more resilient to future threats.
Recover
Recovery is the process of restoring normal operations and ensuring business continuity after an incident. This phase focuses on reducing downtime, repairing physical or reputational damage, and returning the organization to full strength as quickly as possible. Recovery strategies can include data restoration, temporary relocations, instituting mutual aid agreements, or employee support programs.
Unlike deterrence or response, recovery acknowledges that some incidents cannot be fully prevented. Their impact, however, can be minimized through preparation and resilience planning.
How can you practically apply the Ds and Rs in physical security?
Do the Ds and Rs work the same way for every threat and hazard?
The short answer is no. Some scenarios call for different applications of the Ds and Rs (or different countermeasures), and some threats are only addressed by some of the Ds or Rs.
Below are some examples.
Insider threats and the Ds
The three Ds apply to insider threats. However, the countermeasures are very different from those used against threats from outside of an organization. For example, access control won’t keep an insider out of a building or its online infrastructure. Instead, the Ds might look something like this:
Deter through culture, contracts, and consequences such as legal action.
Detect through monitoring for anomalies, such as unusual hours or other suspicious behavior.
Delay through barriers around sensitive assets, logging systems, or stricter controls.
For example, a real-world case involved an employee at a technology company who’d been offered money to steal a prototype. The deterrent? Searches at exit points. The detection? Those searches uncovered the attempt. Delay wasn’t as relevant in that case, but not all Ds apply equally in every scenario.
Active shooters and the Ds
In the case of an active shooter scenario, not all the Ds are weighted equally.
Because many attackers in this scenario expect to die, deterrence doesn’t necessarily work. Detection and delay are lifesaving, however. Seconds matter. For example, one church stopped a shooter before he fired a shot because members were suspicious of the gunman and ready to respond.
Natural disasters and the Rs
When it comes to natural disasters and related hazards, the 3 Ds don’t apply. You can’t deter a hurricane or delay an earthquake.
The Rs, however, are especially critical for these hazards. In the event of hurricanes, tornadoes, earthquakes, or wildfires, organizations must focus entirely on responding to the disaster and reducing the severity of its aftermath.
How to measure the Ds and Rs: metrics and KPIs
How do you know your Ds and Rs are working? Metrics can be tricky, but they are necessary. While there is no universal KPI set, it is important for your organization to assess the risk at each site and determine which metrics to track. Here are some examples:
Deterrence is hard to measure directly. If nothing happens, was it prevention or luck? However, false alarms and breaches can reveal weaknesses in your deterrence.
Detection should be measured by both true detections and false alarms. Too many false alarms dilute attention and make real threats harder to catch.
Delay can be measured in time. How many seconds or minutes did a control add before a threat reached an asset?
Response speed is critical, especially in life-safety events. “Mean Time to Respond” is a key KPI in this case.
Reporting is often the least measured of the 3 Rs, but there are metrics to track here, such as “time to report” or “completeness of reporting.”
Recovery should be measured in terms of downtime and cost of disruption.
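The KPIs listed above, computed per scenario from incident records, as an added example that is not part of the original article. The record fields, the sample values, and the 0.6 precision floor are constructed assumptions; "detection precision" here means the share of alerts that were verified as real.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records, not real data. Times are seconds after the first
# alert. verified=False is a false alarm and carries no timings. delay_s is
# None for hazards, where the Ds do not apply.
EVENTS = [
    {"scenario": "insider theft", "verified": True, "delay_s": 90,
     "respond_s": 240, "report_s": 7200, "downtime_s": 0},
    {"scenario": "insider theft", "verified": False},
    {"scenario": "insider theft", "verified": False},
    {"scenario": "insider theft", "verified": True, "delay_s": 150,
     "respond_s": 360, "report_s": 3600, "downtime_s": 1800},
    {"scenario": "severe weather", "verified": True, "delay_s": None,
     "respond_s": 600, "report_s": 86400, "downtime_s": 172800},
    {"scenario": "intrusion", "verified": False},
]
TIMED_FIELDS = ("delay_s", "respond_s", "report_s", "downtime_s")

def _mean_or_none(values):
    """Mean of the non-missing values, or None when nothing was measured."""
    values = [v for v in values if v is not None]
    return mean(values) if values else None

def kpis_by_scenario(events):
    """Return {scenario: KPI dict}, keeping each scenario's numbers separate."""
    grouped = defaultdict(list)
    for event in events:
        grouped[event["scenario"]].append(event)
    result = {}
    for scenario, rows in grouped.items():
        real = [r for r in rows if r["verified"]]
        kpi = {"alerts": len(rows),
               "false_alarms": len(rows) - len(real),
               "detection_precision": len(real) / len(rows)}
        for field in TIMED_FIELDS:
            # Timings only exist for verified incidents, never for false alarms.
            kpi["mean_" + field] = _mean_or_none(r.get(field) for r in real)
        result[scenario] = kpi
    return result

def weakest_detection(kpis, floor=0.6):
    """Scenarios whose verified-alert share is below the assumed floor."""
    return sorted(s for s, k in kpis.items() if k["detection_precision"] < floor)

if __name__ == "__main__":
    for name, kpi in kpis_by_scenario(EVENTS).items():
        print(name, kpi)
```

A scenario with only false alarms reports None for every timing KPI rather than zero, so an unmeasured response is not mistaken for an instant one.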
The importance of scenario-based risk planning
One recurring theme is that the 3 Ds and 3 Rs only have value when applied in context. A general risk assessment is not enough. Organizations must plan scenario by scenario. This means using scenario-based risk assessment to determine which countermeasures align with a threat.
What is a scenario-based risk assessment?
A scenario-based assessment is a risk assessment that’s directed toward a specific threat, concern, or hazard. Instead of assessing the vulnerability of an entire organization on a general level, scenario-based assessments evaluate the risk of one specific scenario happening, such as a weather event, a mass shooter, or shrinkage.
When considering each possible scenario, look at the phases and figure out which phase you should be spending your budget on: should you be planning for deterrence, early detection, or response?
Some helpful questions to ask may include:
Which Ds apply?
Which Rs matter most?
Which countermeasures align with each?
Does the measure reduce probability (Ds) or severity (Rs)?
This requires thinking like an attacker and testing how assets could realistically be stolen, attacked, or destroyed. Unlike cyber environments, the physical world has countless possibilities. Attackers don’t always use doors; they may go through ceilings, walls, or even tunnels. Good planning anticipates these variables.
Why the 3 Ds and 3 Rs matter to your physical security
The three Ds and three Rs are much more than just helpful identifiers for the phases of incident response. They force you to think strategically in security planning. They also make you think in terms of specifics.
Rather than simply having a general plan to mitigate all potential risk, the Ds and the Rs are an important way to narrow down your response to threats. By thinking proactively, you better understand the countermeasures you already have in place, and which you need to reduce probability or severity.
The 3 Ds and 3 Rs give organizations a clear, memorable framework for thinking about prevention and resilience. But in practice, applying them isn’t always simple: threats evolve, human behavior is unpredictable, and no two facilities face the exact same risks.
That’s where Circadian Risk makes the difference. Our platform helps you go beyond theory by assessing your unique environment, identifying gaps in deterrence, detection, and delay, and stress-testing your response, reporting, and recovery plans against real scenarios. With data-driven insights and scenario-based analysis, we help organizations move from reactive security to proactive risk management.
At the end of the day, the 3 Ds and 3 Rs aren’t just concepts. They’re the foundation of protecting your people, assets, and business continuity.
