Man vs. Machine in access control systems

BY LOWELL ADKINS,
DUVALL GROUP CONSULTING

This is the third in a series of articles reviewing the basic concepts of access control and security on campuses. In the earlier articles, I focused first on the card itself – and primarily on the issues surrounding the issuance of a card – then moved to a discussion about the users of a card access control system. I want to continue the discussion about the human element, the people who use a card access control system – how they impact it and how it may impact them.

Role playing: Man and Machine

There is the on-going debate about how much we have become dependent – perhaps too much so – on computers and on automation in general. For a card access control system, there is good reason to let automation play an important role and not become overly dependent upon humans. The fact is that many of the functions of an access control system are repetitive, need to follow a strict schedule, and involve just “watching and waiting” for long periods of time to assure that nothing out of the ordinary is occurring. Computers are great at handling those tasks; humans often are not.
Humans are, well, human – they forget, they get sick, they take vacation, and they move on. I remember planning for the access control system to be installed in a large science building at Duke. As was most often the case, the plan was to put card readers on a few key exterior, perimeter doors. For the (many) other perimeter doors, the system would only schedule their locking and unlocking and monitor them for being propped or forced open. As we planned, one of the building’s users noted, “Sam has been faithfully locking those doors in the east wing for thirty years, I know he’ll want to continue doing it”, an admirable sentiment perhaps, but not the way to handle an access control system. There are other ways to make Sam feel he’s doing his part, the system needs to handle this task.

Humans can be influenced. How many instances do we know where a school hires students to monitor a key access point used by other students? That creates a situation that is ultimately unfair to both to the students hired to do the monitoring and the students who may be tempted to ask for unauthorized exceptions to the access control policy. A card reader will unwaveringly follow the rules and it is absolutely unemotional.

Because humans are human, I am cautiousabout including overrides in an access control system. It’s interesting, for example, how often institutions want to include key overrides on card access doors. I understand that a system can fail and we want an alternate way to make it function. Nevertheless, simple overrides are too often simply overridden. If the institution believes that a key override is a necessary system backup, then limit its use to only one, perhaps two, exterior doors per building and keep the keys in a secure central location.

Humans are a very expensive element in an access control system. While there are clearly significant up-front costs to installing an access control system, and some on-going ones, over the long term, a system can do many things far more efficiently than can humans. How many institutions use their staff to travel around the campus locking dozens, perhaps hundreds, of doors, five, six, even seven, nights a week? And those will doors need to get unlocked the next morning! Think of the many other important tasks that these folks could perform while a system did the locking and unlocking.

Humans are, however, the most versatile element of an access control system. Starting with the thought that goes into carefully planning a system, humans have an unequaled perspective on making the system serve its intended purpose. Humans monitor the system. They can determine priorities if several incidents occur concurrently. They are the ultimate counter measure to other humans who may be attempting the defeat the system. And they are the unrivaled problem solvers and source of support to other humans who just need help when the system fails or doesn’t perform as they want or need it to.

Let the Public In

As I discussed in an earlier article, if you have a card access control system, even a limited one, it is likely that everyone who comes on campus will at some point encounter it. The issue is how best to handle that encounter. You can certainly make as many people as possible a part of the system by issuing them cards and allowing them access where appropriate. But that is just not the answer for some people. Community people who need to use the library, for example. Even in this age of electronic media, libraries are pretty much useless unless people can get in them. It is unlikely, however, that the institution will find it practical to issue cards to all the high school students who need to do occasional research. So what is an institution to do?

For an answer, we need to understand the difference between the concepts of “perimeter” and “exterior”. From an access control perspective, you want to secure the perimeter of a building but that is not always its exterior. In the case of a library, there are typically exterior doors that open into a common space – the circulation area or reference area. Other doors then open off of that area further into the library.

To accommodate the public’s need to usethe library, they must penetrate through the buildings’ exterior – but they do not have to penetrate the building’s perimeter. Those doors that lead from the public space into the depths of the library can designate the building’s secure perimeter.

So, there are going to be public spaces on a campus. The idea is to keep them as separate as possible – and always have a secure perimeter beyond the space where you permit the public to enter.

Protect, with care

Doors secured from the outside must have a fail-safe method of releasing from the inside in the case of an emergency. There are a variety of door release mechanisms: panic bars, push buttons, and motion detectors to name a few. They must be employed. Be sure this is the case, especially with magnetic locking devices. Institutions often use magnetic locks when they want to “permanently” secure a door. There can be no such thing as a permanently locked door if the building is on fire!

Make sure the appropriate emergency/medical staff have the necessary access. The campus emergency/medical staff will certainly have been issued cards. The cards for this staff should have fairly universal access. What may be overlooked is the community’s emergency/medical staff. Think through what is the appropriate access and be sure it’s available to them.

Unfortunately, students often will routinely ignore, or discount, propped/forced door alarms. If these alarms sound like the fire alarms, then students may ignore or discount them as well. Make certain that propped/forced door alarms are distinctly different from fire alarms.

Once again, I think we’ve come to a point where that’s enough to think about for a session. In this article we focused nearly exclusively on humans and how they can impact and be impacted by an access control system. We noted that machines have an important role to play in an access control system but so do humans. We pointed out that there are going to be public space on a campus that these space need to be accommodated while maintaining as much security as possible. And we reviewed the need to include the element of safety in any access control system.

Next time we’ll turn our attention back to the system itself. We’ll discuss system maintenance, vandalism, the appropriate use of cards, and last, but not least, the costs of an access control system.

Mr. Adkins is a respected member of the higher education card and security community. Contact information: Lowell E. Adkins; Duvall Group Consulting; 1270 E Voltaire Avenue; Phoenix, AZ 85022; 602-896-0107; [email protected].