The 3 Ds and 3 Rs of security: Why You Need to Know Them
When you're evaluating risk, three principles must be considered in order to reduce the probability of a risk incident: deter, detect, and delay. Three more must be considered in order to reduce the severity of a risk incident: respond, report, and recover.
Called the three Ds of security, the first three are part of a layered approach to security. For example, countermeasures in the outer layers of a site, such as a fence at the perimeter, might be designed to deter an attacker. Inner layers, like the building envelope, might use cameras, which detect a threat, and the lobby’s access control is designed to delay a threat. These three principles give your organization a roadmap for reducing the probability of an incident.
But what are the three Ds, exactly? And what happens if an incident does occur? Read on to learn more about the three Ds and their cousins, the three Rs of incident response.
What are the three Ds of security?
The three Ds are defensive principles; they typically are used to reduce the probability of an incident. When a business uses countermeasures that embody the three Ds, they change the environment in a way that makes it more difficult for incidents to occur:
Deter: Discourage the attack or threat from ever happening.
Detect: Identify and verify the threats as they are happening.
Delay: Keep a threat from reaching your assets long enough for a response to happen.
A security countermeasure can accomplish one or more of these tasks. For example, a camera detects suspicious activity, a bollard deters vehicles from crashing into a building, while a security officer can embody all three. Access management may also deter, detect, and delay threats from entering restricted areas of a site.
How many Ds, exactly?
There is some dispute about exactly how many Ds there are. Search for the Ds of security online and you might find yourself looking at pages listing the four Ds or the five Ds. There are even a couple of articles out there about a sixth D. Most of those lists go beyond defense measures to include incident response (Defend and Document, for example).
We’re sticking with just three Ds, however. We’re doing this for a couple of reasons. First, to keep it simple. Second, because detect, deter and delay are concerned with reducing the probability of an attack, while the following steps, which we call the three Rs, are concerned with reducing severity.
One thing to keep in mind, though, is that since the three Ds work to reduce probability, they will not work with hazard scenarios, such as tornadoes, hurricanes, and wildfires. We generally cannot affect the probability of a naturally occurring event unless we physically change locations. So in these scenarios we must focus on reducing the severity of those incidents, which leads us to the three Rs.
What are the 3 Rs?
Even when a company is well aware of the three Ds and has countermeasures in place to reduce the possibility of an incident, not all threats can be prevented. The three Rs are the steps that happen after an incident, when an organization is actively dealing with an event, and later, trying to return to normal. While the Ds deal with reducing probability, the Rs deal with reducing severity.
Respond: The immediate answer to a threat, when your team is actively responding.
Report: How was the threat handled? Can your response be improved in the future? Is an investigation necessary? Does law enforcement need to be notified? Do you need to make an insurance claim?
Recover: How can you adapt to the current state to continue operations? How can your organization, site, or people return to their normal state, or a more secure state?
The three Rs focus on the response and business continuity. However, I have found that security is absent in many business continuity discussions and planning.
What most people get wrong about the 3 Ds and 3 Rs
In many cases, when an organization is analyzing their risk, they are not thinking strategically. They’re focused on having the countermeasures and security controls, but they’re not focused on what each control does. If it's a camera, for example, it can detect a threat. If it's a fence, it can deter one.
This is an important consideration when you're developing plans for risk scenarios, such as an active shooter or an abduction. When you consider each possible scenario, look at the phases, and figure out which phase you should be spending your budget on; should you be planning for deterrence, early detection or response?
Unfortunately, most organizations don’t assess their risk using specific scenarios, choosing to do a general risk analysis. Conducting one general risk assessment, however, robs the Ds and Rs of their power as a security planning tool.
How to get the most out of the 3 Ds and 3 Rs
Use scenario-based risk planning: A scenario-based assessment is a risk assessment that’s directed toward a specific threat, concern, or hazard. Instead of assessing the vulnerability of an entire organization on a general level, scenario-based assessments evaluate the risk of one specific scenario happening, such as a weather event, a mass shooter, or shrinkage.
Determine which Ds apply to each possible risk: Some Ds carry more weight in certain scenarios. Deter, for example, doesn’t mitigate active shooting events, because shooters are usually expecting to die in their attack, but Detect and Delay are critical in that scenario, because every second counts. Deter is much more important when applied to shrinkage; your employees don’t want to be fired or arrested for theft.
Which countermeasures work best for each risk? Using active shooter as a scenario again, if you’re focusing on detecting and delaying the shooters, weapons detection devices for the exterior and interior of the building are necessary, as are any countermeasures that slow down the attacker, such as access control doors. When dealing with theft, clearly stated policies are a deterrent, while cameras over the till detect theft.
Does a countermeasure reduce the probability or severity of a risk? Not everything can be prevented. In the event of a natural disaster, for example, you should be focusing on the response and recovery, since it can't be prevented. To reduce severity, training individuals to properly respond to an incident, and having processes to adapt and recover as quickly as possible, are key.
Why is it important to understand the 3 Ds and 3 Rs?
The three Ds and three Rs are more than just helpful identifiers for the phases of incident response. They help you focus your security planning so you know exactly how to prepare or respond to every foreseeable risk.
Rather than simply having a general plan to mitigate all potential risk, phases are an important way to narrow down your response, understand the countermeasures you already have in place, and identify which ones you still need to reduce probability or severity. By focusing your preparedness, you’ll be able to create a comprehensive plan to understand and mitigate your risk.