As we approach National Safe Schools Week (October 21-27), it is appropriate to begin a conversation about establishing standards for K12 school security. Currently, no standards exist to help schools navigate the complexity of understanding what they need, how much it will cost and how they will secure their learning environments.

Security Industry Experts

The Partner Alliance for Safer Schools (PASS) is one of the organizations at the forefront of establishing security standards for schools. In 2014, the Security Industry Association (SIA) and the National Systems Contractors Association (NSCA) formed PASS, which brought together a cross-functional group of members including school officials, safe schools’ consultants, law enforcement and security industry experts to collaborate and develop a coordinated approach to protecting K-12 students and staff.

PASS has provided valuable insights regarding an ‘All Hazards’ approach to school safety and security. In fact, PASS suggests that school administrators are challenged with two decisions:

  • Determining what they need to do
  • How to prioritize

Safe School Environment

School administrators are experts in running schools and providing education. However, most are not security experts and do not understand the complexity of implementing a comprehensive physical security and safety program across their districts. Still, they are often contacted repeatedly by organizations with multiple safety and security products.

Some of these organizations recognize their products are just pieces of a safe school environment puzzle and how they fit in, whereas others focus on specific applications and do not understand how their specific solutions may affect life safety codes and Americans with Disabilities Act law. (Note: Many ‘barricade devices’ fall into this latter category and actually introduce liability concerns with the unintended consequences of their use.)

Even for experts, the plethora of options and disparate systems required to integrate a safety and security approach at schools is daunting. The ongoing challenge is integrating access control, video, mass notification, and/or visitor management products into a single, effective, and appropriate system that the owner can understand, utilize, and afford and that meets local codes and ADA laws. In the absence of standards, schools are likely to amass a collection of devices that do not constitute a comprehensive solution.

Lack Of Consensus

In years past, our industry and commercial buildings adhered to legacy codes – like Building Officials and Code Administrators International Inc. (BOCA), Uniform Building Code (UBC), Southern Building Code Congress International Inc. (SBCCI), and International Conference of Building Officials (ICBO) – which have traditionally been revised every three years, while local jurisdictions decided what versions to adopt and enforce.

Currently, however, there is a move toward the International Building Code (IBC), which is published by the International Code Council (ICC) and includes standards and guidance for commercial buildings on doors, windows, and other openings.

Still, despite this migration of codes from a patchwork of local decisions to global guidelines, there remains a lack of consensus around school security. The current fragmented approach causes confusion regarding how new schools are designed and how to retrofit existing school buildings, whose average age is 45+ years.

Right Protection Equipment

One can point to the fact that there hasn’t been one student lost in a school fire in over 50 years as testament to standards like NFPA 80 and NFPA 101 being referenced in model building codes. Additionally, schools incorporate evacuation drills as part of their emergency preparedness plans and practice on a regular basis.

It’s not just having the right protection equipment in the building, it’s also having a procedural layer in place to make sure everyone knows their roles and responsibilities in the event of fire. The stress of the actual event can limit one’s ability to think clearly. Practice makes perfect. Why would we approach school security any differently?

School security is a team effort. It is important to understand all the areas security impacts and involves. PASS suggests starting with a basic team consisting of:

  • Security Director
  • Local Law Enforcement
  • School Administrator
  • Integrator
  • Door and Hardware Consultant
  • IT Director

Comprehensive Security Plan

A risk assessment is the next step toward developing a comprehensive security plan. This often begins with conducting a trend analysis requiring the collection of data from a variety of public and private sources. The challenge is to pull these pieces into a usable and easily understood format that provides a guide for current and future risk concerns.

Risk assessment and mitigation can never eliminate risk. Quantifying and mitigating risk are the jobs of security professionals and school administrators. Data from the following sources can help measure risk:

  • Campus: Review incident report trends for at least the past 36 months.
  • Area and city: Review crime data from local law enforcement for the surrounding neighborhood and city.
  • Screening procedures: How is hiring conducted?
  • Anonymous tip reporting systems: Enabling students, staff members, parents and the community to anonymously alert administrators to perceived and actual threats.
  • Social media monitoring: such monitoring can provide important information that can be used to identify risks.

Delay Adversarial Behaviors

These assessments can then be incorporated into the best practice approach of Layered Security. Layered security combines best practice components within each layer that effectively deter, detect and delay adversarial behaviors. Layered security works from the outside in. As one layer is bypassed, another layer provides an additional level of protection. The asset being protected is at the center of the layers – students, staff and authorized visitors. PASS defines five layers of Security:

  • District Wide
  • Property Perimeter
  • Parking Lot Perimeter
  • Building Perimeter
  • Classroom/Interior Perimeter

Appropriate Tier Target

Each layer can be broken down into Tier levels, with Tier 1 being basic and Tier 4 being the highest level of security. It is important to understand that the demographics of individual school buildings vary, even within the same district. Security experts will quickly point out that ‘if you’ve seen one school, you’ve seen one school’. The assessments will determine the appropriate Tier target.

Figure 1

Each layer includes essential protective elements, or components, of security. Every layer does not necessarily include all seven of these common components, and a layer may include additional components unique to that particular layer.

Safety And Security Components

  1. Policies & Procedures
  2. People (roles & training)
  3. Architectural
  4. Communication
  5. Access Control
  6. Video Surveillance
  7. Detection and Alarms

Layered Security

While components are not listed in a priority order, three components included in all layers are policies and procedures, the roles and training of people, and communication. These components often perform a function in every layer and every tier in each layer.

Three tools come together in the PASS approach, as outlined in the new 4th Edition of the PASS Guidelines (Figure 2): the Layers are established and defined; a Checklist/Assessment breaks down each layer into tiered best practices; and these tie into the guidelines, where a narrative explains each best practice in more detail.

Figure 2 

Schools need not reinvent the wheel when it comes to school security planning. Following the best practices of Risk Assessments and Layered Security will ensure that every school building in a district will have a unique and comprehensive plan that is tailored to its individual needs.

Author profile

Mark Williams Sr. Architectural Consultant, Allegion plc

In case you missed it

Why Aren’t The Federal Government’s Physical Access Systems Compliant With HSPD-12?

In the wake of 9/11, the Federal Government’s secure-the-fort, big idea was to create an identity credential for all federal employees and contractors. Homeland Security Presidential Directive (HSPD)-12 set it all in motion. Today, we know the smartcard-based credential that arose from HSPD-12 as the Personal Identity Verification (PIV) card. The PIV card is meant to give employees/contractors physical access to federal facilities and logical access to federal information systems. While using a PIV card for logical access has been largely successful and compliant with HSPD-12, implementing PIV-based, physical access control systems (PACS) has been much more difficult to conquer. As a result, HSPD-12 compliance for PACS has largely eluded the Federal Government. The noncompliance reasons are many, but there is now hope for fully achieving HSPD-12’s mandates.

Interoperability With Any Agency’s PIV

All Executive Branch employees and long-term contractors, including the entire Department of Defense, have been issued PIV cards. This has been true since 2013. Beyond passports, PIV cards represent the only other open-standards-based, multi-vendor-supported, identity credential program on the planet. It seems so simple: where employees/contractors previously used their proximity card to open a federal facility door or go through a turnstile, they should now be able to use their PIV card. However, HSPD-12 took the PIV requirement one step further – compliant PACS must be interoperable with any agency’s PIV. This introduced an entire magnitude of additional complexity. A compliant, interoperable, PIV-based PACS should work like this: an authorized employee (or contractor) presents a PIV card (contact or contactless) to a card reader to enter whichever federal agency building they have reason to be.
Over the last 14 years, in all but a very few cases, the lack of PACS’ HSPD-12 compliance has prevented this from happening.

Secure Credential Policy

Today, less than 1% of the Federal Government’s PACS are HSPD-12-compliant. At most federal facilities, especially those outside the National Capital Region, a noncompliant PACS works like this: an authorized employee (or contractor) presents a proximity (‘prox’) badge to a proximity card reader to enter his or her agency’s facility. At the fraction of federal facilities with upgraded PACS that work with PIV cards, virtually all such PACS fail to properly use a minimum number of PIV security features before granting access – let alone interoperate with a PIV card from any other agency.

New federal initiatives frequently suffer from having no policy to enforce their roll-out. That isn’t the case with PACS compliance. Policies have been in place for so long that newer policies like Office of Management and Budget (OMB) M-11-11 (February 3, 2011) remind everyone what the policies said in 2004 and 2006. This year, OMB publicized its proposed OMB M-18-XX (Draft), which will replace M-11-11. OMB M-18-XX’s (Draft) main PACS thrust is, once again, to ensure that everyone understands what the Federal Government’s secure credential policy is. It hasn’t changed since 2004.

It would be tempting to say that PACS technology isn’t mature, but that isn’t the case. In 2013, the Federal Government revamped the PACS portion of the FIPS 201 Evaluation Program and, since that time, all PACS on the General Services Administration’s (GSA) Approved Products List are 100% compliant and interoperable. Yet, on any given day, active government solicitations are issued for new, non-compliant, proximity-based systems that perpetuate the delay to HSPD-12 compliance.
The usual suspects, policy and technology, are not the culprits for this epic delay.

Difficulties In Adopting HSPD-12 Compliance For PACS

Standards – The Federal Government’s approach to standards is to avoid a great deal of specificity. It’s an unspoken tenet that federal standards must be flexible, promote innovation and avoid disadvantaging any participating market segment. The opposite is true if your goal is interoperability: nearly every detail must be specified. Consider the standards-based success story of chip-based credit cards. When was the last time you used a credit card and it didn’t work? Interoperability failures are nearly unheard of. If you look at the hundreds of volumes of technical specifications that cover minute aspects of every component in credit cards and payment terminals, you quickly realize why it works so well. Nothing is left to chance, nothing is a variable, and there is no optionality.

The Good News: Work to increase viability through deep scrutiny has progressed in recent years. The GSA APL PACS Testing Lab, set up in 2013, annually tests credentials from all PIV issuers against all GSA-approved PACS. This testing has significantly reduced interoperability failures at federal facilities.

Collaboration – In the past, physical access practitioners from federal agencies rarely collaborated, unlike their logical access counterparts. This is also true for PACS procurement decision-makers across agencies and facilities.

The Good News: In 2018, an agency trend has emerged where finally physical access, physical security and IT practitioners have begun sitting down to discuss their shared responsibilities.
We have already begun to see coordinated budget requests between IT and Security with enterprise architectures positioning PACS as an enterprise service on the network.

Scale – The Federal Government owns so many buildings that they can’t be counted. Google doesn’t know how many there are and neither does any one government official.

Variability – A significant percentage of facilities have unique aspects making a one-size-fits-all approach infeasible.

The Good News: Mature consulting services can now help agencies marry federal requirements with their unique environments to develop robust PACS enterprise architectures. As we see this occurring more and more frequently, a repeatable, achievable, systems-based upgrade of all PACS may be on the horizon.

Provenance – In many cases, different groups own different parts of a single facility, not all of whom might be subject to, or wish to interoperate with, a high-assurance compliant PACS. For example, GSA manages facilities for Legislative and Judicial tenants who aren’t subject to HSPD-12. Policy dictates that the PACS GSA manages for the front doors of these facilities should be HSPD-12-compliant, despite the fact that these tenants likely don’t have credentials that work with this technology. Sure, these tenants could commercially obtain a PIV-I credential, but almost none have.

Economics – It’s difficult for agencies to create their annual security budget requests when HSPD-12 PACS upgrades are in scope, because so many unknowns exist at each facility. To assess the cost, the time to complete, and the facility’s existing equipment inventory, it would be logical for an agency to hire a contractor with PACS expertise to perform a site assessment. Having to do capital planning for an assessment phase in advance of making the annual budget request for the PACS upgrade creates a never-ending cycle of delay.
Especially at agencies with multi-year capital planning requirements. Many agencies, trying to avoid this delay cycle, have fallen prey to doing site assessments themselves. This results in their integrators doing their walk-throughs after the contract is awarded. This is the leading cause of PACS upgrade cost overruns.

Dependence on the agency’s IT department – Historically, PACS have been deployed on dedicated networks and are rarely ever connected to the enterprise, let alone the Internet. High-assurance PACS that validate credentials from other agencies must now communicate with many different systems on an enterprise network and over the Internet – so much so that the Federal Government reclassified PACS as IT systems.

The Good News: With collaboration increasing between Physical Security Officers (PSOs) and Chief Information Officers (CIOs), we expect this to improve in due course.

Resistance to change – This is a classic human factors challenge, and it’s a big one. PSOs have spent decades achieving their positions. PIV-based PACS could not be more different from the technologies that preceded it, and such radical change is often resisted. When the value proposition is clear, change is adopted more readily. But security value isn’t easily measured or observed. It is often said that the best performance review for a PSO is to note that nothing happened. And when something does happen, it is necessarily kept quiet so the risk can be remediated without calling attention to the vulnerability in the interim. To date, the value proposition of moving to PIV-based PACS has been entirely based on policy (without corresponding funding in most cases) and on the shock value of white hat hackers showing how easily most proximity badges can be cloned. This is not the stuff of change agents.

Are These Challenges A Unique Situation?

No, these PACS challenges are not unique. Cybersecurity initially faced many of the same challenges that federal PACS face today. By 2000, the Federal Government recognized its urgent need to improve cybersecurity practices across its computing infrastructure and issued many policies that required agencies to improve. Improvement was sparse and inconsistent. GSA Schedules were set up to help agencies buy approved products and services to assist them, but this too produced lacklustre results.

Congress enacted the Federal Information Security Management Act of 2002 (FISMA) (now amended by the Federal Information Security Modernization Act of 2014). FISMA mandates an Authority To Operate (ATO) accreditation process for all information systems. The Federal Government found that the best cybersecurity results occurred when enforced at the time an agency commissioned (vs. purchased) a system. FISMA and ATO accreditation have been highly successful when implementing new systems. These cybersecurity requirements are the closest thing that the Federal Government has to the ‘PIV Police’ today. However, the PIV requirements in FISMA and ATOs currently apply to only logical access for information systems. The proposed OMB M-18-XX (Draft) mentions that a FISMA PACS overlay to NIST SP 800-53 is forthcoming. The intent of the PACS overlay is to use the army of ATO accrediting officials in the Federal Government and enable them to assess implemented PACS as fit for purpose. This is the first time an enforcement approach has been brought forward that could reasonably succeed.

How Long For HSPD-12 Compliance?

We know that it won’t take another 14 years to achieve HSPD-12 compliance. Pockets of compliance are popping up. Compliant procurements do exist, and the state of PACS across the Federal Government is better in 2018 than in any previous year.
Progress to date has been at a constant rate. The question is: what would it take for progress to occur at an exponential rate instead? A major attack or compromise involving PACS would certainly hasten upgrades, but let’s hope that’s not the solution. The energy distribution sector, under nearly constant Advanced Persistent Threat attacks, has been riding a wave of security upgrade demands to retrofit their facilities across the U.S. The potential threat exists for Federal Government facilities as well.

Looking into the federal PACS-compliance crystal ball, we’re beginning to see the faint outline of a multi-faceted campaign of education, budgetary oversight and accreditation of PACS that will ultimately see us past the tipping point. Consider though, at the current rate of PACS enablement, a 50% compliance rate is still far in the future. When that day arrives, the PIV card form factor may no longer be the key that fits that future lock. (Are you already using a mobile device’s Bluetooth interface to open the door to your office building?)

Taking decades to perform a technology upgrade is the aging elephant in the room no one talks about. By the time critical mass is achieved with an upgrade facing these many challenges, there are typically compelling reasons to start over again with the next generation of technology. That cycle may well prove to be the Federal Government’s biggest PACS challenge of all.

Preparing For Cyber-attacks: The Intersection Of Cybersecurity And Physical Security

Terry Gold of D6 Research has been giving “cyber in physical security” presentations at a variety of conferences, including ISC West and the Cyber:Secured Forum. We caught up with him for some insights about the intersection of cybersecurity and physical security.

Q: Tell us a little bit about your background, specifically in the context of its relevance to cyber security in physical access.

Gold: I started out in information security and then got involved in physical security along the way. I started really focusing on physical from a cyber standpoint about 10 years ago. I got into ethical hacking about 8 years ago, and then worked on putting it all together. There wasn’t a roadmap, so I had to build a methodology which I now share with other hackers, end users and law enforcement. I spend all my time either in the lab building success models, methods, and testing them out in some of the largest customers or agencies in the world for validation and improvement. Also, a chunk of my time is spent re-engineering security assessment and controls for end users or validating vendors on their behalf from a unique viewpoint that’s not (yet) typical in the industry.

Q: How well prepared is physical security overall against cyber threats?

Gold: Not well at all. While security is imperfect anywhere, much of the practices and designs have critical defects and overlook either best practice or fundamental application security principles. I’d say that the industry is very wide open for exploitation that doesn’t take much sophistication to execute.

Q: What things stand out to you along your journey regarding the changes that you are seeing on this topic?

Gold: Culture. Over the years, the industry (and most end users) have been dismissive of my findings.
Industry culture hasn’t been aligned to embrace the topic and make requisite improvements that are needed to achieve “good security.” However, I’m finally starting to see that change – quickly and at scale. It doesn’t mean that we’re close to “good,” but rather reached the inflection point of change – and I’m rather pleased about it.

Q: D6 does a lot of research in this area. What is the analysis behind the recent push for cyber security in physical security?

Gold: First, it must be recognized that the threat isn’t new, but rather that the industry is only now coming to the table on it. Industry sentiment has been that breaches in physical security don’t happen or that there’s little impact. Both are false. Mainly, IT gets all the media attention with breaches for two reasons: 1) breach disclosure laws are focused on mandatory reporting for personally identifiable information (PII), and 2) there is really poor detection (mostly non-existent) against hacks in physical security, so they go unrecognized. On the other side, as physical security systems increasingly resemble an IT architecture, so does their risk profile. As it expands to mobile, cloud, IOT and intelligence - InfoSec and auditors are taking a look and are alarmed at what they’re seeing. Before you know it, the scrutiny is cutting pretty deep, pressure for alignment becomes intense, and vendors feel the pinch on the sales cycles. It’s not a comfortable position for anyone.

Q: What will be the projected impact? Are practitioners seeing the whole picture?

Gold: No, and this area is probably the most important takeaway of this interview.
The industry is where InfoSec was about 15 years ago in their journey, except we have an additional headwind to deal with – culture change. This industry tends to rely more on trusted relationships than validating the recommendations that are being provided. There are too many prevailing misconceptions, that unless remediated, investments won’t be as effective as expected.

Q: What do you believe are the top misconceptions?

Gold: Well, this is a longer topic, but here’s a sampling that cuts across different areas.

  • Regarding hackers: A misconception is that they’re generally not interested. Hackers are increasingly very interested. When I teach a workshop at a hacker conference, it’s usually the quickest to fill up and go to wait list (within a couple hours).
  • Regarding attacks: A misconception is that attacks are executed directly against the target system. For example, their goal is to get into VMS and attack it directly. The reality is that they’re more commonly dynamic, where physical is part of a larger attack and its role is an easier gateway to another system (or vice versa, with many hops).
  • Regarding protective measures: The most prevalent mistake that the industry is currently making is too much focus and reliance on air-gapping networks or locking ports. This is only a slice of the attack surface and there are various ways to get around it. There’s a heavy price to pay for those that rely too much on this strategy since it’s often accompanied by few mechanisms to deal with actors once they do get in (and they definitely will).
  • Regarding the value of exploiting physical security: Too often perceived as low value. In our white paper we review many of the things that hackers can do, what they gain, and how it can impact the overall organization. It’s far broader and deeper than most.

Q: What are the top things that need to change in the industry?

Gold: First, culture. This can be answered by adopting the same principles as InfoSec.
From an execution standpoint, the industry needs to change how they perform risk assessments. Industry practices, including certifications, are significantly outdated and don’t reflect a methodology that accurately considers cybersecurity, actors, methods, and proactive remedy. At D6, we’ve developed a stepwise methodology from ground up and it’s a huge difference. End users that don’t re-engineer their practice will be very limited for meaningful cybersecurity improvement.

Q: Generally, what advice do you give to clients on steps to move their cyber security to the next level?

Gold: Don’t operate like a silo anymore. Transition from industry “common practices” to best practices that can be validated. Rely less on previous relationships and more toward domain competence. Collaborate with the CISO to a principled, goal-oriented and metrics-based approach. Embed an InfoSec person on the physical team. Present priorities and risks jointly to the board within an overall risk portfolio. Invite scrutiny from auditors. Get a red team performed once a year. Until you do the last step, you don’t really know where you stand (but don’t do it until the other things are done). Last, set the bar higher with vendors to support these improvements or their products will just end up being the weak link.

Q: What type of challenges do you see and any advice on how end users and integrators can overcome them? Lessons learned?

Gold: Feedback I get from integrators is that they’re struggling to figure out how to deliver expertise to their clients in their area. They’re somewhat overwhelmed with the complexity, becoming an expert or how expensive it is to hire and maintain those skilled resources.
My best advice is not to do either. There are too many specific domains across cybersecurity – it’s not just a network security resource. Not even the large integrators have the right bench, and unfortunately, they’re just further down a doomed path than smaller integrators. Form a partnership with boutique cybersecurity firms that have multiple specialists. Negotiate rates, margins, scope, and call on them when needed. It won’t come out of your bottom line, the results will be better, and the risk will be extremely low. You’ll learn along the way too.

Q: Anything notable that your research is uncovering in this area that might not be on people’s radar yet?

Gold: Yes, quite a bit. Our Annual Industry Assessment Report goes through every segment. We’re making pretty bold statements about the future and impact, but we’re confident. One thing that stands out is how intelligence (and the swath of subsets) will impose stringent demands on physical security due to attribute and data collection (for analysis) which will absolutely require privacy compliance, integrity, and controls. It will even shape organizations that might not care about cybersecurity but are prioritizing function.

Q: Where can readers learn more about your perspectives on this topic?

Gold: Blogs on the D6research.com website. Our annual report. Val Thomas of Securicon and D6 have collaborated on a three-part cybersecurity in physical white paper series. It goes into all of this in detail, as well as remedy.

Is The Physical Security Industry Doing Enough To Prevent School Shootings?

School shootings continue, as does a search for answers. What solutions are there to prevent school shootings and/or to improve the response (and thus minimize the death toll)?

In the physical security industry, we like to think we have solutions that can help, if not “solve”, the problem, but realistically speaking, how effective are they at the end of the day?

The sad answer – even after dozens of school shootings and even in the wrenching aftermath of the latest one – is that we don’t know. There is a gaping lack of knowledge and research when it comes to measuring the effectiveness of preventative measures as they relate to school shootings.

Scarce Resources For Preventative Measures

The dearth of knowledge on the subject leaves schools at risk of spending scarce resources on measures that don’t have any real impact, or worse, that have a negative effect on education environments. The natural impulse following a school shooting is to do something – anything – to prevent the tragedy from happening again at any school, but especially at my school. But how is money best spent?

Congress has passed the Stop School Violence Act of 2018 to provide $50 million per year to develop programs to train students, teachers and law enforcement to prevent violence, and to create anonymous reporting systems, such as hot lines, for school violence threats. The bill authorizes another $25 million for improvements to schools’ physical security infrastructure. Congress also provides $1.1 billion in Title IV block grants, which districts can use to pay for diverse needs such as security systems.
Several states are providing additional funding for physical safety measures and campus police, and local districts are also stretching their budgets to address security concerns. But is that money being targeted to measures that will help the situation? What is the role of technology in preventing school violence, and are we as an industry at risk of over-selling our preventative capabilities and diverting money from other measures that might have more impact? Successful businesses are a good thing, but not at the expense of misspending education resources on solutions that don’t solve anything.

Studies On School Safety And Protection

Researchers, advocates and educators gathered this fall at American University to consider the need for better research to inform decision-making on safety, reported Education Week.

A 2016 study by the Rand Corp. points to the problem: Lack of data and research on what works and what doesn’t. “Despite growth in the school safety-technology sector, rigorous research about the effectiveness of these technologies is virtually non-existent,” according to Rand. “The field is in desperate need of more evidence on what works, and schools want this information presented to them in vetted, digestible ways to help them with procurement.”

Jeremy Finn, a professor of education at the University of Buffalo, has pointed out the difficulty of assessing the effectiveness of measures designed to deter events that likely won’t occur anyway. “How do you know when you have deterred a school shooting?” he asks. “It didn’t happen.”

The Effects On Our Students

Might technologies aimed at making schools more secure have an adverse effect on the learning environment?
More metal detectors, armed guards and police officers could cause anxiety in some students and even interfere with the learning process.

Do security measures aimed at preventing active shooting incidents absorb resources that might better be used to address a more general and/or likely security threat such as vandalism or student discipline? Theoretically, security measures in general should help to reduce the probability of an active shooter at the same time they are addressing a wider range of concerns and threats. But do they?

At the very least, we in the physical security market should be aware, and should freely acknowledge, that the technologies we offer are only part of the solution to school violence. Schools should take the broadest possible approach to the range of security challenges, and technology should be one tool among many. Furthermore, better data to measure what works is sorely needed to illuminate the best path forward.