Over the years I have had many discussions with customers about the perceived risks of publishing floor plans online. In some cases, important projects have been delayed or even cancelled because of perceptions that publishing floor plans represents a security risk. There is a lot of information in a typical floor plan. Some of it can certainly be considered sensitive. The vast majority of that information is not sensitive. When considering how to distinguish what is sensitive and what is not, it is important to have solid evaluation criteria.
One of the best papers on the subject, Mapping the Risk, was put out by the RAND Corporation in 2004. While that might seem dated, the central themes of that document hold true today. The crib notes version of the paper is this: there are really three issues you need to work through when determining data sensitivity:
- How valuable is the information to a would-be attacker?
- Is the information readily available elsewhere?
- What is the balance of the value of the information for good versus the risk of it being used for bad?
For those of us old enough to remember, there was much hue and cry when Google Maps and Google Earth first made their appearance because much of our nation’s critical infrastructure could be seen on the aerial photography. There were even some early attempts to blur out those installations that were deemed sensitive. Of course, the blurring only served to highlight the areas that someone considered sensitive, and so the blurring of imagery doesn’t happen much today. It turns out that the value of having ready and ubiquitous access to accurate and timely geospatial information far outweighs the potential threat of something like Google Maps being used as a critical planning aid to a terrorist attack.
We have come to expect that our phones and tablets can help us navigate the world around us. College students expect that capability to follow them indoors as well as outdoors. Having maps on your personal device is pretty useful after all. Hence their desire to get the floor plans onto Google Maps. It is the mapping platform they know, and we have not given them the ability to know anything better. Our facilities customers are starting to demand and expect the same kind of navigation aids that helped them to get to their parking spot to also get them to their classroom.
The Public Safety community has a similar, if more urgent, set of concerns. The Public Safety community is often asked to respond to incidents indoors without any map of the terrain they will be operating in. This lack of information about the insides of buildings has been cited as a mission-critical problem in many after-action reports from responders dealing with active shooter and HAZMAT incidents. In this case, everyone seems to agree that first responders should have access to good in-building maps, but we don't seem to deliver on that promise very well. Rolls of paper documents or, worse, CDs of digital information are not much use in the heat of the moment.
One of the challenges with floor plans in the typical CAD format is that there are many layers of information included in the floor plan. Some of those layers could be considered sensitive, others much less so. The fact that a room occupies a certain location on a floor of a building could hardly be considered sensitive and is readily observable by anyone walking through campus. The fact that that room happens to be a lab that houses radiological materials IS sensitive of course and should only be shown to individuals with a need to know – like the Public Safety Community for example. The point here is that it is not the floor plan itself that is sensitive, but rather a few specific layers within the floor plans that are sensitive. When we think through which layers are truly sensitive and which are not, we can publish indoor maps to the general public that are very generic but highly useful for finding your way around campus and other indoor maps to the Public Safety and maintenance communities that have information that is necessary for them. And we can do all this in a highly secure way. Once we pull the information into a GIS, we can secure each layer appropriately and make sure that only authorized people can see sensitive data.
Let's take a look at a few examples. In this first floor plan, we have just a simple architectural layout. This could hardly be considered sensitive, but it is not really all that useful either.
Next, we'll add some symbology to indicate space type, use, and room numbers. This floor plan is now a lot more useful for general navigation, but still does not reveal any particularly sensitive information.
Now, let's add some information that might truly be considered sensitive. The lab with the room number of 4625 houses radiological materials. This information is of critical interest to first responders, but is likely not something you want shared on your public use maps. This map should be shared only with the public safety community. The other piece of information we have added is the name of the professor assigned to each office. This information COULD be considered sensitive in some cases, but is likely readily available through other sources like an online personnel directory.
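The layer-by-layer publishing described above can be sketched as follows. This is an added example, not code from the author or from any GIS product: the layer names, audience names, grant table and every feature other than room 4625 and its radiological contents are assumptions made for illustration.

```python
# Layer -> audiences allowed to see it. Layer and audience names are assumed;
# the post only says that some layers are public and others are need-to-know.
LAYER_GRANTS = {
    "architecture": {"public", "maintenance", "public_safety"},
    "room_numbers": {"public", "maintenance", "public_safety"},
    "space_use":    {"public", "maintenance", "public_safety"},
    "utilities":    {"maintenance", "public_safety"},
    "occupants":    {"public_safety"},
    "hazmat":       {"public_safety"},
}

# Constructed sample features. Only room 4625 and its radiological
# contents come from the post; everything else is made up.
FEATURES = [
    {"room": "4625", "layer": "architecture", "value": "room outline"},
    {"room": "4625", "layer": "room_numbers", "value": "4625"},
    {"room": "4625", "layer": "space_use", "value": "lab"},
    {"room": "4625", "layer": "hazmat", "value": "radiological materials"},
    {"room": "4627", "layer": "architecture", "value": "room outline"},
    {"room": "4627", "layer": "room_numbers", "value": "4627"},
    {"room": "4627", "layer": "space_use", "value": "office"},
    {"room": "4627", "layer": "occupants", "value": "Prof. Example"},
    # A layer that arrived with the CAD import and was never classified.
    {"room": "4627", "layer": "cad_import_misc", "value": "unreviewed note"},
]


def view_for(audience, features=FEATURES, grants=LAYER_GRANTS):
    """Return {room: {layer: value}} holding only layers granted to audience.

    A layer missing from the grant table is shown to nobody (default deny),
    so an unreviewed CAD layer cannot leak onto the public map.
    """
    view = {}
    for f in features:
        if audience in grants.get(f["layer"], set()):
            view.setdefault(f["room"], {})[f["layer"]] = f["value"]
    return view


def unclassified_layers(features=FEATURES, grants=LAYER_GRANTS):
    """Layers present in the data that still need a sensitivity decision."""
    return sorted({f["layer"] for f in features} - set(grants))


if __name__ == "__main__":
    for audience in ("public", "maintenance", "public_safety"):
        print(audience, view_for(audience))
    print("needs review:", unclassified_layers())
```

Room 4625 still appears on the public view as a numbered lab, which is the post's point: the room's existence is not the sensitive part, only the hazmat layer attached to it.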
My own personal opinion is that locking floor plans up represents more risk to the Public Safety community than it does opportunity for would-be attackers. If you look at the profiles of attackers over the past 10 years in the United States, all of these people have been intimately familiar with the facilities they are attacking. They don’t need the floor plans to execute their attacks. They already know the buildings. The people that really need the floor plans are the Public Safety community. Locking up the floor plans is an easy answer. In my view it is also the wrong answer. I would be interested to hear your opinion.