This paper examines how security managers respond to organizational loss across a broad range of contexts, from retail theft and shoplifting to digital data breaches, employee downsizing, property damage, and market-driven financial losses. Despite the variety of organizational settings and loss types, the paper argues that four theoretical concepts — surveillance, communication, symbiosis, and directed autonomy — consistently underpin effective security management practice. Using retail sales as an introductory case study, the paper demonstrates how these concepts scale to more complex situations, including digital security and post-downsizing morale management, ultimately showing that strong security management rests on a unified theoretical foundation regardless of organizational context.
The role of a security manager varies widely according to the particular organization and its needs, but despite this variety, certain best practices and policies can help maintain security and stability. This is nowhere more true than in the case of organizational loss, because while loss can mean very different things depending on the field, the underlying theoretical concepts that inform attempts to minimize loss are broadly applicable. By comparing and contrasting different kinds of organizational loss and the demands they place on security managers, one is able to better understand which responses and policies — both general and specific — will be most effective. As will be seen, while the specific options available might vary widely according to organization, the underlying theoretical justifications for those options apply nearly across the board, because they are based on the same shared concepts that define the role of a security manager regardless of context: surveillance, communication, symbiosis, and directed autonomy.
To begin, it is necessary to define organizational loss both generally and specifically, because it is both a highly specific issue in practice and one that nevertheless affects every organization, whether it be a small school, a government agency, or a multinational corporation (Fox & Harding 2005; Newmann 2002; Comfort 2002). In the broadest sense, organizational loss is precisely what the term sounds like — it refers to any loss suffered by the organization in question, whether financial, material, or immaterial. At first glance this might not appear to be a particularly useful term due to its broad definition, but when considering a security manager's responsibilities regarding organizational loss, it soon becomes clear that the same underlying concepts apply across the board, to the point that the broad category of organizational loss becomes a meaningful and useful classification.
Some of these losses are within the control of the security manager, while others are beyond the control of anyone within the organization. For example, while a security manager would undoubtedly be responsible for securing the sensitive internal communications of an information technology company, there is fairly little anyone could do to prevent the property losses associated with natural disasters such as earthquakes or hurricanes (Werlinger, Hawkey, & Beznosov 2009; Cristy 1963). Even in the latter case, however, one could probably identify some preventative measures to minimize loss, such as insurance, backup databases, and employee counseling and emergency communication services.
Having defined organizational loss in general terms, it will now be helpful to define and describe it as it relates to a variety of different organizations, in order to better understand the concept as a whole and to demonstrate how the underlying theoretical basis of security management and planning can inform responses to a variety of situations. Perhaps the easiest field in which to begin discussing organizational loss is retail sales, because the kind of organizational loss most frequently suffered by retail organizations is fairly simple to understand and respond to. This is, of course, referring to theft — whether it be shoplifting perpetrated by individuals outside the organization or the theft of goods or revenue by employees themselves. In both instances the role and activities of the security manager will be largely the same.
Shoplifting is one of the most prevalent kinds of theft, likely because it is frequently easy and carries little perceived risk. As of 2008, data suggests that "one in 11 people has shoplifted during his or her lifetime," and roughly "$13 billion worth of goods are stolen from retailers in the United States each year" (Blanco et al. 2008, p. 905). Although specific responses to this kind of organizational loss will be discussed later, for now it suffices to acknowledge that direct losses such as those produced by retail theft are frequently the easiest to manage, due to the fact that they occur in relatively monitored environments and do not involve the kind of complexity or nuance that can make security management especially difficult. Discussing the relatively straightforward approaches to shoplifting and employee theft will therefore provide a simple demonstration of the theoretical concepts under discussion before applying them to more complex situations.
In addition to the more straightforward losses created by theft and shoplifting, organizations are also at risk of more subtle, but no less insidious, forms of theft that do not target merchandise or cash, but rather proprietary or sensitive information, or that do target financial assets through more subtle, frequently electronic means. This form of organizational loss has become especially relevant in recent years, as more and more organizations of all types have become increasingly dependent on information and communication technologies for their day-to-day functioning, even as a string of high-profile breaches and data losses have affected companies as notable as Apple and Sony (Werlinger, Hawkey, & Beznosov 2009, p. 5). In fact, digital theft and security breaches are rapidly becoming the most pressing issue facing security managers, as more and more individuals connect to their respective organizations via digital communication technologies rather than in-person interactions.
As will be seen, preventing and managing this kind of organizational loss requires a spatial reimagining of the security landscape, because points of potential breach or loss are no longer confined to the physical boundaries of the organization. Nevertheless, this shift in perspective need not be viewed as an entirely novel or unprecedented response, because the same basic concepts that inform the security of physical boundaries can inform the securing of digital boundaries as well. Despite changes in technology, organizations still ultimately depend on human beings, and human beings present the same security risks everywhere, albeit in modified forms.
It is important to point out that organizational loss need not come in the form of theft. In fact, some of the most influential and difficult-to-manage organizational loss has nothing to do with theft, but rather with the natural comings and goings of an organization. As an organization expands or shrinks, it may need to hire new employees, fire existing employees, or reorganize employees into new hierarchies and groups. Every one of these actions creates the potential for loss, whether it be the loss of employees themselves, the loss of the experience or specific knowledge they retain, or even a loss in productivity among those employees who may have seen their friends and co-workers let go.
There is a reason much of the academic literature regarding layoffs and downsizing refers to those remaining employees as "survivors." Although the employees who have been let go are not actually dead, in terms of the organization as a whole, those who remain are forced to deal with their now-absent co-workers in much the same way that a family might deal with the loss of a loved one, while at the same time attempting to maintain the same level of efficiency and productivity (Milligan 2003, p. 115; Samuel 2010, p. 120). Though this might sound dramatic, it has very practical consequences for organizations attempting to maintain their level of productivity, and the security manager's role in surveillance and communication becomes crucial in this effort. In a sense, the security manager becomes the organization's internal eyes and ears, looking out for warning signs that employees are suffering.
This kind of organizational loss can extend even beyond employees and their connections with each other to actual physical spaces and properties. If a particular building or property is closely associated with the organization's identity, the loss of that property — whether through disaster or simply a change of address — can negatively affect the organization in the same way that the loss of employees might (Milligan 2003, p. 115). This is because organizations, like individuals, establish their identity through a combination of physical and non-physical attributes, and because organizations are made up of individuals, this identity formation is a two-way street: the organization contributes to the individual's identity, and the individual's identification with the organization ultimately generates the organization's identity as a whole (Hatch & Schultz 2002, p. 990).
While at first glance "employee nostalgia for the old site" might not seem like a particularly pressing phenomenon for a security manager to consider, in fact it is precisely this kind of subtle, seemingly unimportant organizational attitude that can negatively affect organizations to the tune of billions of dollars in lost productivity, not to mention employee loyalty — which can itself affect the amount of internal theft or security breaches (Milligan 2003, p. 120–121). Furthermore, if the property switch was precipitated by destruction or damage to the old site, this attitude will only serve to compound the direct financial and material losses already suffered by the organization. In situations such as this, the security manager has the dual role of predicting risk while responding to the aftermath of those risks that were not sufficiently mitigated.
Before discussing potential responses to these different varieties of organizational loss, it is necessary to outline one final variety: the kind of loss that occurs as a result of doing business, such as market variation, shifting consumer confidence, and fluctuations in supply and demand. Obviously, this kind of organizational loss affects corporations most directly, but even governmental and non-governmental organizations ultimately feel its effects, whether through reduced tax revenues or increased purchasing and supply costs. In addition, while these kinds of losses are more frequently viewed as the purview of regular management rather than the security manager, the fact remains that the security manager is responsible for certain elements of organizational security and risk management related to this kind of financial or market loss.
Having outlined the various kinds of organizational loss that might fall under the purview of a security manager, it will now be possible to discuss best practices and responses for dealing with organizational loss, with the further goal of demonstrating that the theoretical underpinnings of security management are fairly uniform across the board, even if particular practices vary according to context and necessity. This theoretical continuity stems from the fact that despite obvious differences between organizations, in the end they are all made up of a group of people working in tandem and functioning as something larger than the sum of its parts. To see how important this understanding of organizations is, one may note that organization and organism share the same root, and in fact organizations may be thought of as essentially super-organisms, with structures and functions analogous to actual organisms. In this context, one can imagine the security manager as a liaison between the immune system and the rest of the body, working to prevent illness while responding to any potential injuries or attacks, whatever they may be.
It will be possible to go through the potential responses to each of the varieties of organizational loss described above, not only to determine the best responses, but also to demonstrate how those different responses ultimately stem from a relatively small set of theoretical concepts: surveillance, communication, symbiosis, and directed autonomy. Once again, it will be instructional to begin with the relatively simple phenomenon of shoplifting and employee theft of merchandise or cash, because although the responses to this particular form of loss are relatively straightforward, examining them in detail will help reveal the theoretical concepts underlying all security management, regardless of whether the organization is a retail store, a school, a transnational corporation, or a government.
In the case of shoplifting perpetrated by non-employees, practically every preparation and response revolves around surveillance and situational awareness. Understanding how these concepts relate to shoplifting can help one better understand how a security manager might deal with other, less obvious forms of organizational loss. In terms of securing physical spaces, surveillance and situational awareness methods can be divided into passive and active methods. Passive methods include the use of security tags on merchandise coupled with sensors at entrances and exits, or even the presence of security cameras regardless of whether or not they are actively monitored — or even real. Active methods include the aforementioned security cameras as well as the observations of employees. In general, a combination of active and passive methods is necessary in order to effectively survey a physical space while maintaining at least the impression of surveillance in those areas that cannot be viewed or controlled directly.
Regardless of method, the key for a security manager is being aware of the limits of his or her surveillance and situational awareness capability — and this is true in any situation, not just retail. However, identifying the limits of these capabilities is somewhat easier in a retail environment, because there are fairly direct, obvious means of measuring and quantifying them. For example, while security cameras themselves can function as a deterrent, if they are to be used for actual surveillance, their placement is extremely important, because any blind spots will be exploited. Ensuring maximum coverage is a relatively simple procedure, but pointing out its necessity here will be informative later when discussing digital security, because although the spaces needing securing are vastly different, the same fundamental concept applies.
This is also true of employee awareness. The same difficulties facing the security manager attempting to prevent shoplifting also face the security manager attempting to secure a vast internal communications network. In research literature this is referred to as "information security awareness," and refers "to a state where users in an organization are aware of — and ideally committed to — their security mission" (Siponen 2000, p. 31). Perhaps the most frustrating part of maintaining healthy information security awareness is the fact that for most employees not directly related to the security apparatus, maintaining situational awareness simply is not part of their job description, and as a result their only investment in security is the minimum required of them under whatever security guidelines exist (Siponen 2000, p. 32). This brings one to the next critical concepts for security management after surveillance and awareness: communication and symbiosis.
Symbiosis is a term most commonly used in biology and ecology to refer to a mutually beneficial relationship, and it is applicable to the functioning of an organizational security operation when one considers how the different departments or branches of an organization work together. For example, although a retail employee may not see surveillance and security as an integral part of his or her contribution to the organization, the fact remains that the employee's own success within the organization is dependent on the security apparatus and vice versa. Neither can survive without the other, even if their day-to-day interactions are minimal.
The difficulty comes in communicating this common dependency to individuals, because too often security guidelines and education programs do not take the individual's self-interest into account, and thus fail to communicate the individual benefit derived from maintaining organizational security (Siponen 2000, p. 31). Furthermore, research has shown that management tends to overestimate not only the security of the organization as a whole, but also the degree to which employees actually "adhere to established organization security policies" (Taylor & Brice 2012, p. 5). This is particularly true in retail organizations, which frequently see high turnover at the lowest levels — which also happens to be where the organization interacts most closely with the public. Thus, it is up to the security manager to develop effective means of incorporating employees into the security operation by clearly communicating each individual's own investment in the success of that operation.
Recognizing the symbiotic relationship between the security operation and seemingly unrelated departments leads to the final theoretical concept mentioned above: directed autonomy. Perhaps the biggest benefit and drawback of human beings is their ability to think critically and act autonomously. On the one hand, having autonomous elements of an organization reduces unnecessary oversight and managerial interference; on the other hand, too much autonomy means that "managers fail to perceive routine employee actions that may unintentionally expose the organization to security risks" (Taylor & Brice 2012, p. 6). Thus, the concept of directed autonomy is an attempt to retain the benefits of individual autonomy while ensuring that this freedom does not result in unregulated behavior that puts the organization at risk.
In the case of retail security, this means educating employees about warning signs and their own situational awareness while giving them the freedom to make judgment calls regarding potential security risks. Obviously, entry-level retail employees should not be expected to evaluate potential security risks with the same skill as a security manager or officer, but by clearly communicating potential security risks as well as the benefits employees would see from remaining vigilant, security managers can retain the benefits of autonomous employees while directing their autonomous assessments toward productive ends. In turn, this would have the effect of reducing turnover somewhat, because individuals tend to feel more fulfilled when they have the impression of choosing their own responsibilities and interests.
Though the above discussion focused mainly on shoplifting, these same concepts apply almost without alteration to the matter of employee retail theft, because all of the same issues are in play. In fact, the only major difference is that employees actually have a greater vested interest in maintaining security, because a single dishonest employee has the potential to mar the reputations of everyone else, to the point that some managers simply find it easier to punish the entire staff than to root out the guilty party. In this case the security manager has an extra responsibility to the staff as a whole, because he or she must be able to identify the guilty party, lest the entire organization suffer more than it already has.
"Extends surveillance framework to digital networks and data breaches"
"Addresses morale, productivity, and identity loss after downsizing"
"Concludes with security manager's role in market and business risk"
Always verify citation format against your institution’s current style guide requirements.