When your organization is creating a security plan, there are three important steps that need to be considered in order to mitigate risk before an incident occurs.
These are the three Ds of security: deter, detect, and delay.
The three Ds are a way for an organization to reduce the probability of an incident. But what are they, exactly? And what happens if an event does happen? Fortunately, there are phases that cover all the steps of responding to an incident.
This article explains the three Ds and the three Rs of risk response.
Learn more: Impact and Consequence: Is There a Difference?
What are the three Ds?
The three Ds are typically put into effect before an incident. When a business uses countermeasures that embody the three Ds, they change the environment in a way that makes it more difficult for incidents to occur.
Deter: Discourage the attack or threat from ever happening.
Detect: Identify and verify the threats as they are happening.
Delay: Postpone a threat from reaching your assets allowing for response to happen.
Countermeasures often accomplish one more or more of these tasks. A security officer can embody all three, for example, while a bollard may deter a vehicle attack that might crash into a building. Access management may also deter, detect, and delay threats from entering restricted areas of a site.
Wait, how many Ds?
Search for the Ds of security online and you might find yourself looking at pages listing the four Ds or the five Ds. There’s even a couple of articles out there about a sixth D. Most of those lists include incident response (Defend and Document, for example.)
We’re sticking with just three Ds, for a couple of reasons. First, to keep it simple. Second, because detect, deter and delay are concerned with reducing the probability of an attack, while the following steps, which we call the three Rs, are concerned with reducing severity.
Learn more: How Can Scenario-Based Assessments Help With Compliance?
What are the 3 Rs?
Even when a company is well-aware of the three Ds and has countermeasures in place to reduce the possibility of an incident, not all threats can be prevented. The three Rs are the steps that happen after an incident, when an organization is actively dealing with a threat, and later, trying to return to normal. While the Ds deal with reducing probability, the Rs deal with reducing severity.
Respond: The immediate answer to a threat, when your team is actively responding.
Retrospective: How was the threat handled? Can your response be improved in the future? Is an investigation necessary?
Recover: How can your organization, site, or people return to their normal state, or a more secure state?
Tangible Vs. Intangible Items in Risk Analysis: What Is the Difference?
What most people get wrong about the 3 Ds and 3 Rs
In many cases, when an organization is analyzing their risk, they are not thinking strategically. They’re focused on having the countermeasures and security controls, but they’re not focused on what each control does. If it's a camera, for example, it can detect a threat. If it's a fence, it can deter one.
This is an important consideration when you're developing plans for risk scenarios, such as an active shooter or an abduction. When you consider each possible scenario, look at the phases, and figure out which phase you should be spending your budget on; should you be planning for deterrence, early detection or response?
Unfortunately, most organizations don’t assess their risk using specific scenarios, choosing to do a general risk analysis. Conducting one general risk assessment, however, robs the Ds and Rs of their power as a security planning tool.
How to get the most out of the 3 Ds and 3 Rs
Use scenario-based risk planning: A scenario-based assessment is a risk assessment that’s directed toward a specific threat, concern, or hazard. Instead of assessing the vulnerability of an entire organization on a general level, scenario-based assessments evaluate the risk of one specific scenario happening, such as a weather event, a mass shooter, or shrinkage.
Determine which Ds apply to each possible risk: Some Ds carry more weight in certain scenarios. Deter, for example, doesn’t mitigate active shooting events, because shooters are usually expecting to die in their attack, but Detect and Delay are critical in that scenario, because every second counts. Deter is much more important when applied to shrinkage; your employees don’t want to be fired or arrested for theft.
Which countermeasures work best for each risk? Because you’re focusing on detection and delaying in an active shooter situation, exterior cameras are extremely useful, as are any countermeasures that slow down the attacker. When dealing with theft, clearly stated policies are a deterrent, while cameras over the till detect theft.
Does a countermeasure reduce the probability or severity of a risk? Not everything can be prevented. In the event of a natural disaster, for example, you should be focusing on the response and recovery since it can't be prevented.
Why is it important to understand the 3 Ds and 3 Rs?
The three Ds and three Rs are more than just helpful identifiers for the phases of incident response. They help you focus your security planning so you know exactly how to prepare or respond to every foreseeable risk.
Rather than simply having a general plan to mitigate all potential risk, phases are an important way to narrow down your response, understand the countermeasures you already have in place, and which you need to reduce probability or severity. By focusing your preparedness you’ll be able to create a comprehensive plan to understand and mitigate your risk.
Do you need help assessing your risk? Contact us for a demo today.
About the Author
Daniel Young
Founder & Chief Innovation Officer
Daniel has been a security and risk advisor for more than 10 years, and is passionate about helping companies to better understand their risks to undesirable events on a daily basis. Dan previously served as the Regional Bioterrorism Coordinator for District 1 in Michigan, where he was instrumental in preparing communities for catastrophic incidents. He has also acted as the Private Security Liaison for the City of Lansing’s Critical Infrastructure Team, which identified and documented deficiencies in the city’s critical infrastructure.
He is a Co-Founder of the CSO Risk Council, a think tank of seasoned security professionals and thought leaders with extensive experience in managing the physical security and risks of large enterprises consisting of multiple sites and whose mission is to create a better process to develop and share innovative solutions and pertinent information with organizations to improve safety and security risk by providing a forum to discuss best practices and recommendations for specific risk scenarios and to network with other enterprise security professionals.
The three Ds of security—deter, detect, and delay—are pivotal in mitigating risks within an organization's security plan. They focus on altering the environment to prevent incidents, identifying threats as they happen, and postponing threats from reaching assets, respectively. Countermeasures, such as security officers or access management systems, embody these principles by discouraging attacks, verifying threats, or restricting access to sensitive areas.
However, the post-incident phase, covered by the three Rs—Respond, Retrospective, and Recover—becomes crucial when despite preventive measures, an incident occurs. Responding immediately to the threat, analyzing the handling of the threat for future improvement, and facilitating the return to a normal or more secure state are the key aspects of this phase.
In practice, organizations often fail to strategically assess risks. They focus on having security controls without understanding their specific functionalities. For instance, a camera can detect a threat while a fence may deter one. It's vital to tailor security plans to specific scenarios like active shooters or thefts, determining whether deterrence, detection, or response should be the priority.
To optimize the effectiveness of the three Ds and three Rs:
- Utilize scenario-based risk planning: Assess specific threats rather than generalized risks (e.g., weather events, mass shootings) to tailor security measures accordingly.
- Identify which Ds are applicable to each risk: Certain scenarios may require emphasis on specific Ds. For example, in an active shooter situation, detection and delay are critical.
- Evaluate countermeasures based on risk: Understand whether a countermeasure reduces the probability or severity of a risk. For instance, exterior cameras are vital for detection in an active shooter scenario.
Understanding the three Ds and three Rs is pivotal as they provide a focused approach to security planning, aiding in the preparation and response to foreseeable risks. Rather than a generic plan, these phases allow organizations to discern existing countermeasures' functionalities and needs for reducing probability or severity.
As for the author, Daniel Young's expertise in security and risk advisory for over a decade, coupled with experiences in preparing communities for catastrophic incidents and identifying deficiencies in critical infrastructure, underscores his deep understanding of security planning and risk mitigation. Young's involvement in creating forums for security professionals to discuss best practices further solidifies his expertise in the field.
