Journal of Environmental Treatment Techniques  
2020, Volume 8, Issue 2, Pages: 679-686  
J. Environ. Treat. Tech.  
ISSN: 2309-1185  
Journal web link:  
Physical Security Problems in Local  
Governments: A Survey  
Poon Ai Phin*, Hafiza Abbas, Norshaliza Kamaruddin  
Advanced Informatics Department, Razak Faculty of Technology and Informatics, Universiti Teknologi Malaysia, Jalan Sultan Yahya Petra,  
4100, Kuala Lumpur, Malaysia  
Corresponding author:  
Received: 26/10/2019  
Accepted: 26/03/2020  
Published: 20/05/2020  
Physical security refers to the control of access into organizations, buildings, rooms, and information technology (IT)  
peripherals. However, physical security may be overlooked by organizations because they are more concerned about information  
security; this is because the organization assumes that those granted access can be trusted. The physical security is not a new issue  
in a local government environment; however, in most cases, hackers are to blame, while the actual culprits may be the employee(s)  
of the local government itself. This paper is a survey done to investigate the problems faced by a local government and the measures  
needed to be taken to keep their physical access secure. The subject of the research is chosen from among municipal councils in  
Malaysia since they hold various private information about the residents of the area, where physical security awareness is still low  
among the members of the organization. As a case study, the Kota Bharu Municipal Council (KBMC) was selected and its security  
problems were identified through a research comprising a mixed method of quantitative (questionnaire and observation) and  
qualitative (interview) techniques. The respondents of the research were eight employees of the IT Department, while the solution  
to their security problems was derived through interviewing its IT Officer. The researchers also discuss if KBMC is able to apply  
other local government’s solutions to their own security problems. The discussion reveals that the security awareness program is  
the most suitable solution to the KBMC’s security problems since it enhances security awareness of top management officers and  
enables the employees to be aware of their responsibilities in their daily work routine.  
Keywords: Physical security, Physical access, Local government, Security awareness, SETA, Sustainable security culture  
In information technology (IT), security refers to the  
2 Physical Security Problems in Local  
safeguarding of digital information and IT assets against  
internal/external, malicious, and accidental threats (1). This  
includes detection, prevention, and taking actions against a  
threat with the use of security policies, software tools, and  
IT services. Security can be divided into physical security  
and information security, where physical security refers to  
the control of access into organizations, buildings, rooms,  
and IT peripherals, while information security controls  
access to computer networks, system files, and data (2).  
However, physical security is often overlooked because  
most organizations focus on information security (3) because  
the organization's main aim is to prevent outsider threat, but  
they neglect the issue of insider threat as the organization  
assumes that those granted access can be trusted (4).  
Physical security is not a new issue in a local government  
environment; however, in most cases, hackers are to blame,  
while the actual culprit is the employee of the local  
government itself.  
According to (5), local government refers to the authority  
that manages the administration of a town, city, country, and  
district in a state. Local government provides vital services  
for people and businesses in their authorized area; it  
normally provides services such as social care, schools,  
housing and planning, waste collection, licensing, business  
support, registrar services, and pest control (6). In (7), a  
survey was done on 109 local governments, which revealed  
that a local government typically faces six commonly  
occurring security threats (see Figure 1).  
.1 Physical Asset Loss  
Physical loss is a risk to an organization’s IT peripherals  
such as laptops, network devices, and servers. In government  
organizations, physical asset loss cases typically happen due  
to no proper storage for the assets, natural disasters, careless  
handling, or improper hardware maintenance. These cases  
can lead to data being lost permanently and this will also lead  
Correspinding author: Poon Ai Phin, Advanced Informatics Department, Razak Faculty of Technology and Informatics,  
Universiti Teknologi Malaysia, Jalan Sultan Yahya Petra, 54100, Kuala Lumpur, Malaysia. E-mail:  
Journal of Environmental Treatment Techniques  
2020, Volume 8, Issue 2, Pages: 679-686  
to the public services disruption. In a survey (7), it was stated  
that 52% of respondents blame hackers as the biggest  
culprits while in reality, it is done by the regular users of the  
assets, who are the employees of the local government,  
which accounts for 44%, and only 4% is actually done by  
hackers. For example, (8) reported that the Bahamas Public  
Treasury’s computer systems went offline when a water leak  
damaged the servers hosting an e-government service.  
Bahamas State Minister for Finance, Michael Halkitis, stated  
that the incident was due to the leakage on the third floor of  
the Treasury Building, which affected the second floor  
where the servers were situated. No online services were  
available for a few days, which severely impacted the daily  
operations of the Public Treasury.  
the public, and local government may face lawsuits from  
citizens if sensitive data such as financial information is lost  
or falls into the wrong hands and are used for blackmail,  
phishing, or fraud. According to a survey (7), 53% of the  
data loss is due to human errors and is done by the local  
government’s IT team members, and only 11% is done by  
hackers. In a report released by (10), a thief stole a computer  
belonging to the Department of Veterans Affairs (VA) in  
Maryland, United States, which contained unencrypted data  
of 26.5 million veterans and service personnel such as name,  
social security numbers, birth dates, and disability ratings.  
The case was reported, and the stolen computer was  
recovered later by the police. After forensic examination by  
FBI, it was reported that no data had been compromised.  
However, in 2009, VA was sued by five veterans on alleged  
invasion of privacy lawsuit and reached an agreement to pay  
them $20 million for identity theft risk.  
Asset Loss  
.4 Data Breaches  
A data breach is a situation where data is copied,  
transmitted, viewed, stolen, or used by an unauthorized  
individual through phishing or human mistakes. It may occur  
due to lost devices or wrongly configured databases. A  
survey conducted by (7) reveals that 56% of the data breach  
cases are due to human mistakes, and only 39% are due to  
phishing. In a report, A Breach of Trust, it was revealed that  
4,236 data breach cases occurred in the United Kingdom’s  
Local Authorities between April 2011 and April 2014 (11)  
as compared to 1,035 data breaches between July 2008 and  
July 2011 (12). A Lewisham City Council’s social worker  
who accidentally left a bundle of papers on the train, which  
contained data of 10 children and third-party information in  
relation to sex offenders, police reports, and child protection  
reports, decided to resign during the disciplinary procedures  
Physical Security  
Problems in  
Loss of  
Figure 1: Types of Security Threats faced by a Local Government  
.2 Intellectual Theft  
Intellectual theft refers to the act of stealing or using  
without permission another person's intellectual property  
such as trade secrets, software, contracts, grants, and  
agreements. Intellectual theft leads to reputation damage,  
loss of competitive advantage, and financial expenses.  
According to (7), malware is the cause of 43% of intellectual  
theft cases. As reported in a piece of news by the Guardian  
.5 System Disruption  
System disruption occurs when an IT system cannot  
execute any functions for a period due to either power  
failure, natural disasters, malicious attack by insiders or  
outsiders, or human mistakes. In a local government  
environment, unplanned downtime in their services will lead  
to the government officials’ failure to schedule any  
appointments, manage citizen’s complaints, or record their  
attendance using electronic records management (ERM)  
system in their daily routine. In (7), it was reported that 63%  
of system disruption cases in local governments are due to  
power failure, while only 28% are due to hackers’ activities.  
In a piece of news published by SA News (13), it was  
reported that the power failure event at the State Information  
Technology Agency (SITA) severely affected the systems of  
a few government departments in South Africa, including the  
presidency was course by Tshwane power failure. After an  
investigation into the matter, it was later found out that the  
event occurred due to a failed backup generator in SITA.  
This incident caused all government operations, which used  
critical data such as birth, marriages, death, smart ID, and  
passport services, to get unavailable for a few days. As a  
result, SITA executives were blamed for their lack of  
disaster recovery procedures and backup plans. They  
apologized, but SITA reputation has since damaged.  
(9), ten Chinese nationals were charged by U.S. Justice  
Department for intellectual theft through phishing schemes,  
malware, and domain hijacking into a French aerospace  
company in 2015, which was developing engines with a U.S.  
company. It is also alleged that the same culprit hacked into  
other aerospace companies that are manufacturing the engine  
parts using Sakula malware in Massachusetts, Arizona, and  
Oregon. Later, it was revealed that the attack was actually  
done by two employees of Jiangsu Province Ministry of  
State Security (JSSD), six hackers, and two employees of the  
French aerospace company.  
.3 Loss of Data  
Data loss is a situation where information is lost or  
damaged by failure to properly store, process, or transmit  
whether by intentionally erasing, session hijacking,  
malware, IoT exploits, human mistakes, or software failure.  
Data loss can lead to a service disruption for employees and  
Journal of Environmental Treatment Techniques  
2020, Volume 8, Issue 2, Pages: 679-686  
.6 Compliance Penalty  
Government organizations need to comply with a few  
house employees as a strategy to lower the cost of employing  
workers with specialized skills and experiences needed.  
According to Deloitte’s 2016 survey on outsourcing (22),  
35% of the organizations surveyed stated that they are able  
to focus on innovation values with the outsourcing  
laws and regulations regarding physical security, such as the  
Federal Information Security