Security controls are often mistaken for security risk reduction.

A site may have cameras, guards, access control, alarms, perimeter fencing, patrols, visitor registers and incident procedures. On paper, that can appear reassuring. In practice, those controls may still fail to reduce risk if they are poorly designed, badly integrated, inconsistently applied or not matched to the threat environment.

The presence of a control is not the same as the effectiveness of a control.

This distinction matters because many security decisions are made by asking whether a control exists, rather than whether it works. When that happens, organisations may believe they are protected while important vulnerabilities remain unresolved.

A physical security risk assessment should therefore go beyond listing controls. It should examine whether those controls reduce likelihood, limit consequence, reduce exposure, interrupt credible threat pathways and support a realistic response.

Controls Create Assurance Only When They Work

Security controls are intended to perform specific functions. They may help deter hostile action, detect suspicious behaviour, delay unauthorised access, support response, or assist recovery after an incident.

These functions matter because they determine whether a control reduces likelihood, limits consequence, improves response, or supports recovery.

However, a control only contributes to risk reduction if it performs its intended function in the relevant context and against the scenario it is intended to manage.

For example, a camera may be installed, but it may not reduce risk if:

  • it is poorly positioned;
  • lighting conditions make the image unusable;
  • vegetation or infrastructure blocks the field of view;
  • no one monitors the camera at the right time;
  • recorded footage is not reviewed or retained properly;
  • the camera is not linked to a response process.

In that case, the camera exists, but its contribution to security risk reduction may be limited.

The same applies to guards, fences, gates, alarms, access-control systems, patrols and procedures. Their presence must be tested against the risk scenario they are supposed to control.

Why Controls Fail to Reduce Risk

Controls often fail for practical reasons rather than technical absence.

A control may be correctly specified but poorly implemented. It may have been installed years ago and never reviewed against current threats. It may depend on people who have not been trained properly. It may be undermined by weak supervision, poor maintenance, unclear procedures or slow response.

Common reasons include:

  • controls are not aligned to credible threats;
  • procedures exist but are not followed;
  • guards are deployed but not directed by risk priorities;
  • cameras cover areas of low importance while critical points remain exposed;
  • access-control systems are bypassed for convenience;
  • alarms are ignored because of false activations;
  • incident reporting is incomplete or unreliable;
  • response arrangements are too slow to affect the outcome.

These failures are not always obvious during a simple site walk-through. They become visible when controls are assessed against realistic scenarios, asset criticality and expected response outcomes.

The Threat Pathway Test

A useful way to assess a control is to ask whether it interrupts the threat pathway.

A threat pathway describes how an unwanted event could realistically unfold. It considers how an adversary, offender or other threat source could identify an opportunity, approach the target, exploit a weakness, complete the act and escape or cause harm.

Controls should then be tested against that pathway.

The question is not simply: Do we have a control?

The better question is: At what point does this control prevent, detect, delay, disrupt, support response or assist recovery from the scenario?

If the control does not affect the pathway, its risk-reduction value may be low.

For example, a perimeter patrol may be present, but if it follows the same route at predictable intervals, avoids high-risk areas, is not monitored, and has no clear escalation procedure, its deterrent and detection value may be weak.

A visitor procedure may exist, but if staff routinely override it, issue access without verification, or allow tailgating at busy times, the procedure may not meaningfully reduce unauthorised access risk.

A panic alarm may be installed, but if the response time is unrealistic or responders are uncertain about the location and nature of the incident, the alarm may provide limited protection.

Control Effectiveness Is Context-Specific

A control that works in one environment may not work in another.

A guard post may be effective at a low-volume corporate entrance, but ineffective at a high-volume logistics gate if the guard has no time to verify documentation properly. A camera may be useful in a well-lit reception area, but ineffective along a dark perimeter with poor contrast and no active monitoring. A fence may delay casual intrusion, but provide little resistance against a determined adversary with tools and time.

This is why control effectiveness must be assessed in context.

Relevant context may include:

  • the type of asset being protected;
  • the criticality of the asset or function;
  • the likely consequence of compromise, disruption or loss;
  • the attractiveness of the target;
  • the surrounding crime environment;
  • public access and visibility;
  • staff and contractor behaviour;
  • operating hours;
  • response capability;
  • maintenance reliability;
  • the intent and capability of likely threat actors.

Without context, a control can easily be overvalued.

Layered Security Does Not Mean Effective Security

Many organisations describe their security as layered. The term is useful, but it can also create false confidence.

Layered security only works when each layer performs a defined function and supports the next. If layers are duplicated, poorly coordinated or not linked to response, the system may look stronger than it is.

For example, a site may have fencing, cameras, alarms and guards, but still fail because:

  • the fence is easy to climb;
  • the cameras do not cover the breach point;
  • the alarm is not activated or is ignored;
  • guards cannot reach the area in time;
  • incident escalation is unclear.

In that case, the controls exist as layers, but the system does not function as a protective sequence.

Effective layered security requires integration. Deterrence, detection, delay, response and recovery must work together as a protective sequence. A weakness in one part of the sequence can undermine the whole system and leave residual vulnerability untreated.
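The threat pathway test and the protective-sequence point above can be made concrete with a simple timeline check: the same controls are present in all three scenarios, but the pathway is only interrupted when detection happens early enough for response to arrive. This is an added example, not part of the original article or of Keown & Associates' methodology; the pathway steps, timings, the 300-second response time and the `assess` helper are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Step:
    name: str
    task_s: int            # adversary time to complete this step (seconds)
    control: str = ""      # control nominally covering the step
    detects: bool = False  # control raises an alert that someone acts on
    delay_s: int = 0       # extra time the control forces on the adversary

def controls_present(pathway):
    """The 'on paper' view: which controls exist along the pathway."""
    return sorted(s.control for s in pathway if s.control)

def assess(pathway, response_s):
    """Return (detected_at, time_left_s, interrupted) for one scenario."""
    for i, step in enumerate(pathway):
        if step.detects:
            # Assumption: detection occurs at the start of the step. Delay
            # before this point buys no response time, so it is not counted.
            left = sum(s.task_s + s.delay_s for s in pathway[i:])
            return step.name, left, left >= response_s
    return None, 0, False  # never detected: response is never triggered

def scenario(camera_covers_breach, alarm_acted_on):
    # Constructed sample values, not measurements from any real site.
    return [
        Step("cross fence", 30, "fence", delay_s=20),
        Step("approach store", 60, "camera", detects=camera_covers_breach),
        Step("force door", 90, "door alarm", detects=alarm_acted_on, delay_s=60),
        Step("remove goods", 120),
    ]

RESPONSE_S = 300  # assumed time for guards to reach the store

on_paper = scenario(camera_covers_breach=True, alarm_acted_on=True)
camera_blind = scenario(camera_covers_breach=False, alarm_acted_on=True)
alarm_ignored = scenario(camera_covers_breach=False, alarm_acted_on=False)

if __name__ == "__main__":
    for label, p in [("on paper", on_paper),
                     ("camera misses breach point", camera_blind),
                     ("alarm ignored", alarm_ignored)]:
        print(f"{label}: controls={controls_present(p)} -> {assess(p, RESPONSE_S)}")
```

A control list audit would score all three scenarios identically; only the first leaves enough time after detection for the response to affect the outcome.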

The Cost of Assuming Controls Work

Assuming controls work can be expensive.

Organisations may continue paying for services, systems or procedures that provide limited value. They may invest in additional controls without addressing the underlying weakness. They may accept supplier assurances without independent testing. They may delay necessary corrective action until an incident exposes the gap.

The result is often a security posture that appears adequate but is not defensible.

This becomes particularly serious where boards, executives, estate managers or risk owners rely on those controls to protect people, assets, operations and reputation.

The issue is not simply whether money has been spent on security. The issue is whether that expenditure has produced measurable risk reduction, reduced residual vulnerability, or improved the organisation’s ability to respond and recover.

What a Risk Assessment Should Examine

A proper physical security risk assessment should assess controls in relation to credible scenarios.

It should ask:

  • What asset or function is the control protecting?
  • How critical is that asset or function?
  • What threat is the control intended to address?
  • What vulnerability does it reduce?
  • How does it contribute to deterrence, detection, delay, response or recovery?
  • Is it properly designed and positioned?
  • Is it consistently used?
  • Is it maintained and supervised?
  • Does it depend on people who understand their role?
  • Is it integrated with other controls?
  • What residual vulnerability remains after the control is considered?
  • What happens if the control fails?

These questions move the assessment from appearance to effectiveness.

They also help leadership decide whether to improve a control, replace it, remove it, supplement it, accept the residual risk, or change the operating procedure around it.

Why Independent Assessment Matters

Control effectiveness can be difficult to assess objectively from inside the system.

Internal teams may be too close to existing arrangements. Service providers may understandably view problems through the lens of the services, systems or personnel they manage. Technology vendors may focus on equipment capability rather than operational use. Guarding providers may focus on manpower rather than the broader risk system.

An independent assessment helps separate control presence from control effectiveness.

It asks whether the current security arrangement is actually reducing risk, not whether it looks complete or satisfies a contract.

This independence is especially important before major expenditure, after recurring incidents, during provider changes, or when executives require assurance that security arrangements are proportionate and defensible.

Conclusion

Installed security controls do not automatically reduce risk.

They reduce risk only when they are suitable, integrated, maintained, understood, supervised and capable of interrupting credible threat pathways in a way that reduces likelihood, consequence or residual vulnerability.

A camera that does not support detection, a guard who cannot intervene, a procedure that is not followed, or an alarm that does not trigger a timely response may create the appearance of security without meaningful risk reduction.

For organisations making serious security decisions, the question should not be whether controls exist. The question should be whether they work.

Keown & Associates provides independent physical security risk assessments that evaluate control effectiveness, residual vulnerability and practical risk reduction across complex operating environments.
