AS STRONG AS ITS WEAKEST LINK Developing Strategies for a Security Program

In mid-October 2000, the University of Maryland libraries had an object lesson that illustrates that building a culture of security is still a work in progress. Despite improvements in procedures and security awareness instituted in recent years, we still have a long way to go. In the October incident, a young man had walked out of the front entrance of the University of Maryland's McKeldin Library carrying a computer monitor. No one questioned him. The incident, however, occasioned a considerable amount of discussion on the staff e-mail.

A few days later, the same young man was stopped carrying the associated computer processor unit and questioned by a staff member. It is a relief to report that he was a graduate student cleaning out his carrel and the equipment was his own. Nonetheless, this anecdote illustrates both (1) the challenges we face in developing an effective safety and security program in a large research library, and (2) the progress we are making in improving security awareness among staff.

Although significant safety and security problems are relatively infrequent in academic libraries, all library staff members need to maintain a keen awareness of the fact that they are working in a busy environment that is open to the public many hours a week. Moreover, those of us in academic and public libraries are part of a larger community, where thousands of people live, work, and go to school every day. To be responsible members of this community and to protect our patrons, staff, collections, and facilities, we must all share responsibility for safety and security. Libraries are "systems," and security is a vital part of maintaining balance in these systems.

Safety and security in libraries include a diverse range of topics, from the seemingly mundane—such as enforcing a no food and no-drink policy—to more serious incidents that include theft and disruptive behavior. Therefore, it is important to provide staff with the information and the tools they need to respond to a variety of situations. Staff members need clearly stated policies and procedures and the training to understand them so they can take action when called upon to do so—in what might be called a shared culture of mutual responsibility for security and safety.

In 1997, the University of Maryland libraries embarked upon an assessment of its policies, procedures, and facilities in partnership with the Association of Research Libraries (ARL). The security study and subsequent development of practice and policy were implemented over a two-year period and model a comprehensive approach for a large academic library system.

The safety and security environment in the fall of 1997 was long overdue for some scrutiny. For several years, the libraries had contracted with the University of Maryland Police Department (UMPD) to recruit, train, and manage Student Police Aides (SPAs). Frequently undergraduates, the SPAs were posted at the entrance of the two largest library buildings, McKeldin and Hornbake, and they also staffed a security point in the "twenty-four-hour room" on the ground floor of Hornbake. At both libraries, their principal duties were to monitor the electronic theft-detection gates at the exits, enforce the no-food and no-drink policy, and be on the lookout for disruptive behavior. At the four smaller branch libraries on campus, SPAs were employed only at closing time, when they would perform sweeps to ensure that all patrons had vacated the facilities.

In September 1997, the UMPD indicated that it wished to terminate the SPA contract with the University of Maryland Libraries because it found it difficult to recruit, select, train, and retain an adequate number of SPAs to meet the contract. Further, the UMPD was frustrated with the criticism that resulted from the many shortcomings in the service. For instance, SPAs often did not show up for duty on time; they did not enforce the no-food and no-drink policy; and they slept on the job. In retrospect, it is clear from the dearth of incident reports that the SPA system did not really provide security, but only the illusion of security. Unfortunately, this arrangement was more of a security blanket that allowed us to avoid taking full responsibility for library safety and loss prevention.

The UMPD's position and the arrival of new leadership in the library provided the occasion to review this practice. As the newly appointed dean of libraries, I worked with the new director of public services to reevaluate the situation. Philosophically, we agreed that the staff should assume the principal responsibility for safety and security of library users, collections, and facilities. Indeed, we noted more than once the irony of having undergraduates deal with sensitive and often difficult matters while full-time staff members remained outside observers. Candidly, although staff members were not anxious to take on the job themselves, they were willing to complain loudly when an SPA failed to open up a facility or fulfill any small duty.

Pragmatically, we were interested in reallocating the funds that went into the SPA contract for other staff needs. As chance would have it, the Association of Research Libraries, located in Washington, D.C., was seeking to pilot a security self-study with a nearby member of the association, and the University of Maryland was approached. Because the ARL proposal would give us an opportunity to make a top-to-bottom review of our safety and security capabilities and to explore alternatives, we were eager to participate.

After some negotiation, the ARL project commenced in October 1997 with a meeting between the Library Executive Council (senior managers reporting to the dean), Glenn Zimmerman from ARL, and Robert Morse from George P. Morse and Associates, a local loss-prevention firm hired to consult on the project. Morse and Associates would conduct a comprehensive audit of the University of Maryland libraries' safety and security environment as a foundation for developing self-study materials that might also be used in other libraries. The audit would be both a management study—focusing on philosophy, policies, and procedures—and an assessment of existing facilities and practices, with recommendations for corrective action as needed. Morse presented the libraries a project proposal in November with an anticipated completion date of April 1998. The director of public services and the director of planning and administrative services were designated as the in-house contacts for the audit. Throughout the project, we remained in regular communication with the Association of Research Libraries.

Shortly after we began the audit in 1997, the UMPD informed us that if we wished to continue our contract, there would be a dramatic increase in charges for SPA services once the contract expired at the end of the year. Rates were to increase nearly 200 percent from eight dollars per hour to fifteen dollars per hour, a figure that the libraries' budget could not sustain. In anticipation of that eventuality, and in recognition that the audit and its recommendations would not be available until spring, Hornbake Library security was turned over to the Hornbake circulation staff. We continued to use the services of the SPAs at a negotiated rate of twelve dollars per hour in McKeldin Library, with the proviso that we would terminate the contract if the recommendations of the audit pointed us in a new direction.

Morse and Associates conducted numerous site visits and interviews in late 1997 and early 1998, including meetings with the UMPD, facilities personnel, campus security, security-related vendors such as 3M (Minnesota Mining and Manufacturing), and numerous library staff. These meetings were intensive in-depth considerations of the environment. In addition, Morse conducted a thorough investigation of six library facilities. In June 1998, Morse and Associates presented a draft report to the Library Executive Council. After incorporating revisions and clarifications, the Library Executive Council accepted the final report in November 1998.

The Morse Report from 1998 is a 100-page analysis based on interviews, documents, and direct observation. It has guided our safety and security planning ever since. The report makes numerous and detailed recommendations for action to improve security, from detailed technology recommendations to those directed at general policy and practice. The recommendations may be summarized here:

(1) The University of Maryland libraries have no single authority for safety and security matters. A locus of responsibility and authority for practice nevertheless must be established at the level of a director reporting directly to the dean of libraries.

(2) A wide divergence in employee attitudes exists toward safety and security, "ranging from substantial involvement to disinterest and apathy." The libraries must therefore develop an articulated philosophy along with policies and procedures, followed by a training program for all staff.

(3) An emergency response team should be formed.

(4) To accurately assess collection loss, hard data must be collected through regular, systematic, thorough inventories.

(5) Effective access-control systems and other safety and security technologies such as video cameras need to be improved for all library facilities. In this regard, several levels of technology implementation were described, but the recommendation was that at least Level 1, those recommendations having the highest priority, ought to be accomplished early on.

(6) All use of student police aides should be discontinued, and staff members themselves should assume full responsibility for safety and security in the university libraries.

This last recommendation was the most far-reaching, because it pointed in a direction that was dramatically different from existing practice. The report stated matters quite forcefully:

The Security history of the Libraries indicates that a full-time police presence is not required, but that rapid police response must be virtually certain. The current SPA staff has no greater authority, training, or capabilities than should be provided to similar library staff. There is no reason to expect that security conditions will deteriorate. . . .

The assignment of the Protection function to Library staff requires that very specific responsibilities, duties and training requirements be developed and utilized. Library personnel must be instructed regarding their responsibility to monitor their areas of responsibility and, particularly, in actions to be taken in the event of an incident.

Once the Morse Report was submitted, the libraries began to implement the recommendations, particularly those that did not require financial resources. We picked the low-hanging fruit first. Two key recommendations constituted our first priority. First, we developed a procedures manual, consolidating the former SPA manual, disparate library policies and procedures, and the security audit. The manual served as a foundation for our policy, practice, and training. New "University of Maryland Libraries Safety/Security Guidelines" were prepared in late 1998 and are mounted on the libraries' Web site, where the staff, users, faculty, students, and the public may view them. Second, the libraries discontinued the services of the SPAs. Security for McKeldin and the opening and closing of all library facilities became the responsibility of library staff. In the McKeldin Library, the circulation and information services staff bore the brunt of these changes.

To assist in the transition, the UMPD provided training in enforcing the no-food and no-drink policy, managing the exit theft-detection gates, dealing with disruptive patrons, performing opening and closing procedures, and handling medical and facilities emergencies. This training, reinforced by the new procedures manual, served as a foundation for a library-wide training effort early in 1999. Nearly 250 staff members have participated in this training, which addresses the two main objectives, that is, to ensure that staff understand security procedures and are able to implement them; and to ensure that staff are able to use techniques (such as communication or conflict-resolution skills) for dealing with problem customer situations.

Training sessions began with the discussion of a "Richter scale" instrument, one that assesses staff perceptions of the environment in which people work and the comfort level they feel while handling uncomfortable situations. Following some discussion and the application of the scale, participants received a detailed orientation, suited to their needs and responses, to the safety and security guidelines. The session ended with role-playing of various situations described in the guidelines.

In addition to the development of the procedures manual and the training program, we began to examine the many recommendations in the Morse Report for improving security for our facilities and collections. As time passed, we allocated more fiscal resources to the effort. We invited 3M to evaluate our security gates. After their comprehensive evaluation, we invited them to present a proposal for replacing the gates with upgraded 3M models. We obtained funding through the university's enhancement fund process to replace the gates in all facilities in early 2000. Because of the closing of undergraduate library services in Hornbake Library, McKeldin Library had to expand service in the fall of 1999. With resources saved from Hornbake, we were able to upgrade video camera systems and provide card access readers to the building so that only members of the campus community with appropriate identification would have late-night access.

Once the initial staff training was completed and the manual was distributed to all staff, responsibilities for safety and security were transferred from the Public Services Division to the Planning and Administrative Services Division. The latter includes the Staff Training and Development Office, which has assumed responsibility for continued safety and security training. Conflict resolution training was offered in the summer of 2000 as part of this effort. A Safety and Security Committee—the "emergency response team" called for by the Morse Report recommendations—was also formed and charged with monitoring and improving the safety and security environment in the library, recommending training, and continually updating the procedures manual. In addition, floor marshals were identified and trained to assist in building emergencies such as fire. Floor marshals completed training that included the campus fire marshal, and the group has subsequently coordinated practice fire drills. In the summer of 1999, the members were appointed to the Safety and Security Committee. Within a year, the floor marshals had been incorporated formally into the committee's operations to ensure effective management of emergency response. It is worth mentioning that the marshals work closely with the libraries' Disaster Team, which has the primary function of responding to crises that threaten collections. The Disaster Team has had to act in at least four major "water borne" crises since August 1999, but that is another story.

We also wanted to better educate our users and to involve them in safety and security practices. In the spring of 2000, a Library Conduct Working Group was charged with reviewing our no-food and no-drink policy and making recommendations for improving communications with our users about their role as partners in the stewardship of library collections and facilities. The group submitted its report to the Library Executive Council. The recommendations were informed by contact with the university's student disciplinary system to ensure that our policy and practice were reflected campuswide.

Although much activity has taken place, one of the original goals for participating in the audit—to encourage staff involvement in and responsibility for safety and security—has remained a challenge. It is easier to write procedures and improve equipment than it is to change an organizational culture. Staff members continue to question their role and ability to handle safety and security responsibilities. Nevertheless, individuals gradually become more practiced and accustomed to dealing with these problems, and many have welcomed the authority to act. Some remain inclined to turn a blind eye to a soft drink bottle coming in the front door or to a gate alarm sounding. The anecdote at the beginning of this paper suggests how long it may take to imbue an organization with the spirit of shared responsibility in such matters.

Through continued orientation and training, as well as constant vigilance to improve our facilities and security capabilities, we remain confident that we can achieve the goal of broadly shared responsibility for safety. Although we have had what might be called "basic training," the Staff Training and Development Office has developed a training workshop that will be repeated at regular intervals, with the assistance of the UMPD. The monthly training sessions have as their goals:

(1) to promote safety and security procedures in the university libraries;

(2) to improve awareness of safety and security issues in the University of Maryland libraries and on campus;

(3) to improve interpersonal and intrapersonal skills to reduce the risk associated with difficult situations or patrons within the library system;

(4) to foster the relationship between the UMPD and the library staff.

(5) to set guidelines for conduct with regard to safety and security; and

(6) to supplement the safety and security provided to each staff member.

After completing the training session with the UMPD, members of the staff are able to meet ten behavioral objectives that ensure that baseline skills for participation in the libraries' safety and security program are met. They are able to:

(1) list the steps to identify problem situations or patrons as defined by the UMPD;

(2) state strategies that can be instituted within individual departments that would facilitate safety and security;

(3) demonstrate proper vigilance and promote sharing of information with coworkers with regard to safety and security;

(4) demonstrate constructive dialogue that promotes conflict resolution through practice sessions involving case studies;

(5) recognize members of the UMPD;

(6) recognize and follow appropriate safety guidelines provided by the UMPD;

(7) identify and record important safety information outlined by the safety and security manual;

(8) understand and practice personal safety habits;

(9) set limits for enforcing library policy, knowing when to ask for help from other staff members or to call on outside assistance; and

(10) know where emergency telephones, exits, and fire extinguishers are located within work spaces, and be able to describe their locations to others.

We continue to explore ways to test staff attitudes through focus groups and surveys. We hope these studies will yield information that will further guide our efforts to meet staff training needs in the future.

One of the Morse Report's larger recommendations remains to be addressed. The University of Maryland libraries continue to lack collection inventories. The reason for our delay in beginning this work is that we have just completed the last phase of procurement of a new library system, one with inventory capabilities far beyond our present capacity. The decision was taken with the selection of Ex Libris in late October 2000. A collection inventory can now be planned.

Finally, another of the original purposes of the Morse Report to serve as a prototype and foundation for an ARL self-study activity—lies dormant because of lack of funding. The Association of Research Libraries remains committed to developing a generally applicable program and will seek the funding or enter into a partnership with libraries to enable it to do so. We welcome the opportunity to continue to work with ARL because we recognize the value of this experience for all of our libraries.