Tom Raffensperger is the Assistant University Librarian for Public Services at Portland State University. He received his MLIS degree from the University of Hawai’i School of Library and Information Science. He has been a firefighter and an emergency medical technician.

---

Abstract

Academic libraries have developed a wide range of emergency preparedness policies, procedures, and training programs. Libraries have traditionally focused on the recovery of collections after an emergency. Risk assessment has focused on collections, largely as an outgrowth of valuation for insurance purposes and the core responsibility of libraries to safeguard collections. Risk assessment has rarely been systematically applied to personal safety and security. There is an anecdotal sense that urban academic libraries are subject to higher risk from property and violent crime than other academic libraries. This study examines the level of risk of property and violent crime using Clery Act data and Uniform Crime Report data, distinguishing between urban and less-urban academic environments and comparing crime rates in academic environments with the general crime rates. It provides a model for risk assessment and for the prioritization of prevention and preparedness initiatives.

Keywords: Libraries; Risk assessment; Security; Emergency management

---

Introduction

How dangerous are urban academic libraries for staff and patrons? Are urban academic libraries more dangerous than their less urban counterparts? What should libraries prepare for? In what cases should prevention or preparation be emphasized? We have a sense that both violent and property crime are more severe in urban academic environments than in suburban or rural ones. Is that true? Mass shootings like that at Virginia Tech in 2007 and Northern Illinois University in 2008 elicit strong emotional reactions, and show that violence is not limited to urban institutions. How does crime in academic environments compare to general crime rates? Data-driven risk assessment can help answer these questions, and provide a foundation for prioritizing incident prevention and emergency planning efforts. This study focuses on crime in academic settings to establish a statistical baseline for risk assessment. An important part of risk assessment is evaluating the severity or impact of different types of incidents. This can be challenging, particularly regarding violent crime, because part of the “cost” lies not just in the liability calculations of actuaries, but also in emotional trauma and damage to the mission of the institution. Risk assessment in this area requires quantitative and objective data, analyzed through a subjective and qualitative lens. Risk assessment and management has generally focused on the department level:

Risk management is the evaluation and mitigation of, and response planning for, possible threats and risks. Each location and each department within your institution has a different level of threat or risk. Therefore, when thinking about the security of your collection and the security and safety of your users and staff, you must consider how each department can prevent risk and respond to its attendant problems, then integrate the needs of each department into the whole picture. (Kahn, 2008, p. 129)

While this is an essential part of planning, there is also a need for a broader and more structured approach to risk and what resources libraries dedicate to prevention and preparation. René Teygeler, Advisor to the Koninklijke Bibliotheek in the Netherlands, identifies the essential elements of risk management:

Generically, risk analysis involves the identification of risk, risk assessment, risk management, and risk communication. There are a number of distinct approaches to risk analysis. These habitually break down into two types: quantitative and qualitative. Quantitative risk analysis, also called probabilistic analysis, is one of several tools that may be chosen by the decision maker when assessing risk. It employs two fundamental elements: the probability of an event occurring and the likely loss should it occur. It makes use of a single figure produced from these elements. This is calculated for an event by simply multiplying the potential loss by the probability. It is thus possible to rank events in order of risk and to make decisions based upon this. (Teygeler, 2004, p.2)

The literature of security and safety in libraries can be divided largely into incident prevention and emergency preparedness/response. These two approaches seek to reduce the two components of risk respectively: prevention seeks to reduce the frequency of incidents, while emergency preparedness/response is an effort to reduce the negative impact of incidents. The focus is on “how-to” procedures and planning for a wide variety of incidents. This study seeks to use crime data to present a model for risk assessment, prioritization of efforts, and determination of the most appropriate kinds of prevention and preparation.

A data-driven approach to risk assessment is only as good as the data itself. There is no consistent, longitudinal data collection or reporting for security and safety incidents in libraries. While there have been occasional surveys of libraries concerning their emergency procedures (for example Anglim, 2008), these are also not collected consistently. The data problem in assessing risk was described by Alan Jay Lincoln in his 1984 book Crime in the Library: A study of patterns, impact, and security. “One of the major problems in assessing crime and disruption in public and other libraries has been the lack of a systematic series of studies of these patterns on a national level” (Lincoln, 1984, p. 179). Lincoln’s three-year study showed consistently higher crime and incident levels in urban libraries, but the focus of the data was on public libraries. If consistent longitudinal data on crime in academic libraries is unavailable, then what data can be used? What can that data be built on?

Methodology

The focus of this study is an examination of campus crime data to determine whether there is a significant difference in the security and safety needs of urban academic libraries over less-urban academic libraries. While libraries do not consistently collect or report incident data, two agencies collect campus crime data by institution and by year. The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act or “Clery Act” is a federal statute that requires all colleges and universities that participate in federal financial aid programs to collect and report crime statistics to the U.S. Department of Education. The Clery Act requires that data be collected about criminal activity on campus, in residential facilities, in non-campus buildings, and on public property. This study draws only from the on-campus data to provide an understanding of the immediate environment in which libraries operate. The data used is from two years: 2006 and 2007. These two years are chosen because they are both qualitatively very different and yet quantitatively similar. 2007 is when data was reported for the killing of 32 students at Virginia Polytechnic Institute and State University (Virginia Tech), in Blacksburg, Virginia. The Federal Bureau of Investigation also collects data on crime reported to have occurred on college and university campuses. These two data sources are not compatible; reporting requirements and definitions vary. The Clery Act data is used to compare urban and less-urban campus crime rates as well as to illustrate the relationship between crime severity and frequency. The FBI data is used to compare overall campus crime rates with that of the general population. Analysis of this data provides a foundation for understanding the security environment in which academic libraries operate and consequently an assessment of risk. To what extent can campus-level and national data inform the security decisions of the library? It can provide a foundation for the consideration of risk, and move libraries away from only an anecdotal sense or “gut feeling”. A qualitative, local approach is necessary, but should be built on a solid foundation.

In order to separate reported Clery Act data between urban and less-urban campuses, a definition of “urban” is needed. For this, data on institutions of higher education from the Integrated Postsecondary Education Data System (IPEDS) of the National Center for Education Statistics (NCES), part of the United States Department of Education's Institute of Education Sciences (EIS) was used. “Locale” codes identify the geographic status of a school on a continuum ranging from “large city” to “rural” based on each institution’s physical address. The codes are assigned through a methodology developed by the U.S. Census Bureau’s Population Division, in which a large city is a territory inside an urbanized area and inside a principal city with population of 250,000 or more. All campuses meeting these criteria were identified and matched against the Clery Act data to extract urban campus crime data and compare it to that of all other institutions, described subsequently as “less-urban”. Because the level of urbanization described runs a continuum of twelve levels of urbanization, the definition of what is “urban” is somewhat arbitrary. What this study does is compare data from institutions in large urban areas that are regional centers with data from all other institutions in other types of localities, including small cities, large suburbs, small towns, and rural areas.

Risk assessment requires two types of data: incident frequency and incident severity. In other words, what is the probability of an incident occurring and what is the loss per incident? Loss incurred during an incident can be thought of as the severity of incident. Severity or loss can be difficult to quantify numerically. How much is a human life worth? How can emotional trauma be quantified? How does one enumerate the feeling of insecurity one has after a theft? Society determines the severity of crime through the sanctions it imposes on offenders. In order to quantify severity of crime, specific offenses were matched with average sentences as reported for 2008 by the United States Sentencing Commission, an independent agency of the Federal Judiciary. The average sentence for murder was 221.5 months. For burglary, it was 20.6.  While this method of assigning severity of a criminal act is imperfect, it is one that has been established over time, through historical precedent and reflects the established values of our legal system.

Table 1: Crimes and Average Sentences

Average Sentence (months)	Crime
221.5	Murder
95	Sex Offense
89.2	Illegal Weapons Possessions
82.7	Robbery
81.1	Arson
55.5	Motor Vehicle Theft
48.5	Negligent Manslaughter
44.3	Aggravated Assault
20.6	Burglary
18.9	Drug Law Violations
15.5	Liquor Law Violations

SOURCE: U.S. Sentencing Commission, 2008 Datafile, OPAFY08.

The two elements of determining risk can also be used to plan risk remediation. The two approaches are to 1) reduce the frequency of incidents through prevention, and 2) prepare for incidents to reduce the negative impact of incidents when they occur.

Results

Graph 1: Offense Frequency and Severity on American Campuses.

Frequency is determined by the number of incidents as reported in Clery act data (2006-2007) and total enrollment as reported in IPEDS data. Severity of crime is determined as per Table 1: Crimes and Average Sentences. Trend line shows average.

The pattern shown in Graph 1 is familiar in risk management: that high-impact incidents occur less frequently, and low impact incidents occur more frequently. The high frequency crimes along the Y axis include drug and alcohol violations and property crime. The low frequency crimes along the X axis include aggravated assault and murder.

Graph 2: Offenses Reported on American Campuses

Source: United States Department of Education, Clery Act 2006-2007.

Graph 2 shows that the most frequently occurring offenses on American campuses are property crimes and substance violations. Property crime occurs at a significantly higher rate at urban colleges and universities than in less-urban institutions. While violent crime generally occurs at higher levels in urban academic environments, the difference is less significant than property crime. Moreover, the frequency of violent crime in higher education is lower compared to the general population (see Graph 3 below).

Graph 3. Comparison between crime rates in the US and Postsecondary Institutions

Source: United States Department of Justice and United States Department Education, 2008

Crime at colleges and universities is generally lower than in the general population. The one notable exception is burglary. Graph 3 shows that the burglary rate on college campuses is significantly higher than in society in general.

The data shows that crime is somewhat higher at urban academic institutions, but that it is generally lower on college campuses than in the general population (with the exception noted above). It also shows that high-severity incidents are very infrequent. This data points to the need for a realistic assessment of risks and a focused approach to prevention and response planning. Planning sometimes focuses on the most dramatic possibility, such as an “active shooter” incident, where a more pressing threat may be elsewhere. Emergency planning can be too detailed, where staff cannot possibly remember all the “if/then” statements in the response plan, particularly in a chaotic and quickly unfolding situation. Clarity in procedures and regular training are essential to a successful response. How does information on the frequency and severity of crime translate into effective emergency planning? These two variables lead into a discussion of risk, and risk prioritization. They also suggest how libraries might avoid over-planning for less-frequent incidents.

Incident Frequency and Severity: Implications for Planning

Safety and security concerns can be placed into two categories: personal safety, and security of property. The data shows that despite concerns of terrorism, mass shootings, and other dramatic violent crimes, American colleges and universities are safer than the general environment. Violent crime is also not significantly higher on urban campuses than less urban campuses. In contrast, property crime on campuses occurs near or above that of the national average, and much higher in urban environments than in less-urban ones. This does not indicate that libraries shouldn’t prepare for catastrophic incidents. Though they may be infrequent, the severity of the consequences demands preparation.

To what extent can the library reduce the frequency or severity of incidents? A frequency/severity model of risk can help prioritize planning and allocate resources efficiently for both prevention and response efforts. Frequency of incidents is lowered through prevention activities, and severity of impact is reduced through response planning and training.

How should libraries prioritize their efforts? A common method for prioritizing risk is the risk matrix. The matrix turns frequency and severity into prioritized categories. Interestingly, risk matrices can vary considerably among types of institutions in terms of prioritization of risk. The following is a common form, and appropriate for libraries:

Risk Priorities:

1. Higher impact, higher frequency incidents pose the greatest risk and must be dealt with first. An example would be a rash of robberies or assaults in the library.
2. Higher impact, lower frequency incidents often have greater psycho-social consequences than incidents with lower impact. These can affect the ability of the institution to carry out its mission. These would include incidents such as arson.
3. Higher frequency, lower impact. An example is petty property crime.
4. Lower frequency, lower impact. This might include minor disruption as the result of a fraternity prank.

How should urban academic libraries approach these prioritized risks? Emergency procedures sometimes attempt to cover every conceivable incident, but in doing so can become unwieldy, inflexible, and difficult to implement when the time comes. Training for too many infrequent possibilities can lead to confusion on the part of staff during an incident.

For the purposes of a general planning approach, two theoretical types of incidents can be identified through an examination of frequency and severity:

1. Incidents that occur frequently and have relatively low impact are good candidates for preventative efforts. Their frequency and repetition make them inherently predictable, so preventative strategies can be effectively applied. Examples include theft, harassment, inappropriate use of facilities, etc.
2. Incidents that are lower frequency and higher impact are often more difficult to predict, both because they are infrequent and can unfold in unpredictable ways. Response plans and training can effectively reduce the impact of these types of incidents. Examples include flood, violent crime, fire, etc. Extremely rare and catastrophic events such as the Virginia Tech shooting are sometimes referred to as “Black Swan” events. This term was used by Nassim Nicholas Taleb  in his 2007 book, The Black Swan.

For type 1 incidents, prevention efforts can include regular patrols of unstaffed floors, surveillance cameras at entrances or potential problem areas, and  outreach to build connections with community members. Prevention efforts will help reduce risk by reducing incident frequency. Procedures for handling these incidents often focus on communication and reporting to gather information for further prevention efforts.

Excessive planning for rare (type 2) incidents may not be the best use of resources. There must be some cost/benefit consideration in emergency planning. The challenge in preparing for these incidents is that it is often difficult to predict how and when they will unfold. Preparing for every specific possible yet unlikely event is neither an efficient nor effective use of resources. Overly detailed plans are easily forgotten by staff, and are too difficult to follow during chaotic situations. One solution is to limit responses to a limited number of plans that cover a wide range of possible incidents. Flexibility in planning for type 2 incidents provides a relatively less resource-intensive way to prepare for them. There are four major actions that may be taken in case of a high-impact incident.

1. Evacuation: for fire or bomb threat
2. Shelter in place: for active shooter incidents or environmental hazards
3. Salvage of materials: for flood or fire
4. Restoration of services: for network, power loss, or loss of human resources

These actions may be taken individually or in combination, and all must include communications protocols. In an earthquake for example, response 2 (shelter in place) would be followed by response 1 (evacuation). By planning and training for these four major actions, each can be implemented as necessary and procedures and training can become streamlined. Many unpredictable or “black swan” incidents can also be covered through these four general actions. If staff members are trained for these four responses, they will be more likely to remember and carry out necessary actions. The effectiveness of this approach would rest heavily on a well understood incident command structure and updated communications procedures.

Both prevention and response are necessary elements of any emergency planning, and communication is key to all; but an understanding of the level of risk and components of risk can help libraries take a more efficient and effective approach to emergency planning. This approach can be particularly useful to urban academic libraries, which face increased risks, particularly in the area of property crime.

While general data can provide a broad framework for risk assessment, local conditions vary significantly. Some libraries have their own security staff while others receive relatively little security support. Further research might include library surveys based on the frequency/severity model of risk assessment and mitigation. This could add localized, qualitative data to make the connection between risk and planning efforts. Another useful next step would be qualitative research into a full implementation of a generalized approach to low frequency/high severity incidents, and whether staff better retain and internalize a limited set of responses for less predictable events.

References

Brand, Marvin. (1984). Security for libraries: People, buildings, collections.  Chicago: American Library Association.

Breighner, M. (2005). Risk and insurance management manual for libraries. Chicago: Library Administration and Management Association.

British Columbia Ministry of Sustainable Resource Management, Information Management Branch. Risk Management Standards. In SDLC Standards - Project Management. Retrieved November 3, 2009 from http://www.env.gov.bc.ca/imb/3star/sdlc/8manage/risks/risk_std.html

Chaney, M. (1992). Security and crime prevention in libraries. Aldershot, Hampshire;  Brookfield, Vt.: Ashgate

Cravey, P. (2001). Protecting Library Staff, Users, Collections, and Facilities :a How-to-do-it Manual. New York: Neal-Schuman Publishers.

Disaster Management for Libraries and Archives. (2003). (p. 236). Aldershot Hampshire: Ashgate Publishing.  

Government of British Columbia, Ministry of Sustainable Resource Management, Information Management Branch. Risk Management Standards. In SDLC Standards - Project Management. Retrieved November 3, 2009 from http://www.env.gov.bc.ca/imb/3star/sdlc/8manage/risks/risk_std.html

Higher Education Funding Council for England. (2001). Risk management A guide to good practice for higher education institutions. Bristol, Avon: HEFCE. (Eric Document Reproduction Service No. ED43709).

Kahn, M. (2008). The library security and safety guide to prevention, planning, and response . Chicago: American Library Association.

Lincoln, A. J. (1984). Crime in the library: A study of patterns, impact, and security. New York: Bowker.

Mitroff, I. I., & Alpaslan, M. C. (2003). Preparing for evil. Harvard Business Review, 81(4), 109-115.

Soete, G., & Association of Research Libraries. (1999). Management of library security: a SPEC kit. Washington  DC: Association of Research Libraries, Office of Leadership and Management Services.

Taleb, N. (2007). The black swan: The impact of the highly improbable. New York: Random House.

Teygeler, R (2005). Writing a disaster plan: Identifying risk. In J.G.Wellheiser & N. E.Gwinn [eds]), Preparing for the worst, planning for the best: Protecting our cultural heritage from disaster. Proceedings of a special IFLA conference held in Berlin in July 2004. München: K.G.Saur.

United States Department of Education Institute of Education Sciences, National Center for Education Statistics. Integrated postsecondary education data system (IPEDS) Institutional Characteristics (2008-09) [Data file]. Retrieved from http://nces.ed.gov/ipeds/datacenter/Default.aspx

United States Department Education, Office of Postsecondary Education. Clery Act data for calendar years 2005-07 ( [Data file]. Retrieved from http://ope.ed.gov/security/dataFiles/Crime2008EXCEL.zip

United States Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Division (2008). Crime in the United States, 2008 (Uniform Crime Reports) [Data file]. Retrieved from http://www.fbi.gov/ucr/cius2008/index.html