When your organization is creating a security plan, there are three important steps that need to be considered in order to mitigate risk before an incident occurs.
These are the three Ds of security: deter, detect, and delay.
The three Ds are a way for an organization to reduce the probability of an incident. But what are they, exactly? And what happens if an event does happen? Fortunately, there are phases that cover all the steps of responding to an incident.
This article explains the three Ds and the three Rs of risk response.
Learn more: Impact and Consequence: Is There a Difference?
What are the three Ds?
The three Ds are typically put into effect before an incident. When a business uses countermeasures that embody the three Ds, they change the environment in a way that makes it more difficult for incidents to occur.
Deter: Discourage the attack or threat from ever happening.
Detect: Identify and verify the threats as they are happening.
Delay: Postpone a threat from reaching your assets allowing for response to happen.
Countermeasures often accomplish one more or more of these tasks. A security officer can embody all three, for example, while a bollard may deter a vehicle attack that might crash into a building. Access management may also deter, detect, and delay threats from entering restricted areas of a site.
Wait, how many Ds?
Search for the Ds of security online and you might find yourself looking at pages listing the four Ds or the five Ds. There’s even a couple of articles out there about a sixth D. Most of those lists include incident response (Defend and Document, for example.)
We’re sticking with just three Ds, for a couple of reasons. First, to keep it simple. Second, because detect, deter and delay are concerned with reducing the probability of an attack, while the following steps, which we call the three Rs, are concerned with reducing severity.
Learn more: How Can Scenario-Based Assessments Help With Compliance?
What are the 3 Rs?
Even when a company is well-aware of the three Ds and has countermeasures in place to reduce the possibility of an incident, not all threats can be prevented. The three Rs are the steps that happen after an incident, when an organization is actively dealing with a threat, and later, trying to return to normal. While the Ds deal with reducing probability, the Rs deal with reducing severity.
Respond: The immediate answer to a threat, when your team is actively responding.
Retrospective: How was the threat handled? Can your response be improved in the future? Is an investigation necessary?
Recover: How can your organization, site, or people return to their normal state, or a more secure state?
Tangible Vs. Intangible Items in Risk Analysis: What Is the Difference?
What most people get wrong about the 3 Ds and 3 Rs
In many cases, when an organization is analyzing their risk, they are not thinking strategically. They’re focused on having the countermeasures and security controls, but they’re not focused on what each control does. If it's a camera, for example, it can detect a threat. If it's a fence, it can deter one.
This is an important consideration when you're developing plans for risk scenarios, such as an active shooter or an abduction. When you consider each possible scenario, look at the phases, and figure out which phase you should be spending your budget on; should you be planning for deterrence, early detection or response?
Unfortunately, most organizations don’t assess their risk using specific scenarios, choosing to do a general risk analysis. Conducting one general risk assessment, however, robs the Ds and Rs of their power as a security planning tool.
How to get the most out of the 3 Ds and 3 Rs
Use scenario-based risk planning: A scenario-based assessment is a risk assessment that’s directed toward a specific threat, concern, or hazard. Instead of assessing the vulnerability of an entire organization on a general level, scenario-based assessments evaluate the risk of one specific scenario happening, such as a weather event, a mass shooter, or shrinkage.
Determine which Ds apply to each possible risk: Some Ds carry more weight in certain scenarios. Deter, for example, doesn’t mitigate active shooting events, because shooters are usually expecting to die in their attack, but Detect and Delay are critical in that scenario, because every second counts. Deter is much more important when applied to shrinkage; your employees don’t want to be fired or arrested for theft.
Which countermeasures work best for each risk? Because you’re focusing on detection and delaying in an active shooter situation, exterior cameras are extremely useful, as are any countermeasures that slow down the attacker. When dealing with theft, clearly stated policies are a deterrent, while cameras over the till detect theft.
Does a countermeasure reduce the probability or severity of a risk? Not everything can be prevented. In the event of a natural disaster, for example, you should be focusing on the response and recovery since it can't be prevented.
Why is it important to understand the 3 Ds and 3 Rs?
The three Ds and three Rs are more than just helpful identifiers for the phases of incident response. They help you focus your security planning so you know exactly how to prepare or respond to every foreseeable risk.
Rather than simply having a general plan to mitigate all potential risk, phases are an important way to narrow down your response, understand the countermeasures you already have in place, and which you need to reduce probability or severity. By focusing your preparedness you’ll be able to create a comprehensive plan to understand and mitigate your risk.
Do you need help assessing your risk? Contact us for a demo today.