[inca1980]

I'm starting a new Prime Runner campaign and I was looking for some ideas.  In this campaign infiltrating the Aztechnology pyramid or MCT skyscraper will be part of the runs they do, and up until now, infiltrating a AAA office building would have been something that's just considered a suicide run.

The best way I can think of striking a balance between making it still feel like a high-level run, not making it a suicide run and not having it take an inordinate amount of table-time is to incorporate clever ways to gain entrance.  I'm looking for good ideas on how to gain entrance into a facility that still preserve that feeling that a AAA is top of the line security.  The whole "dress up like a janitor" thing just makes security seem amateurish because you would think that by now AAA's would know that one.  In other words, can anyone think of potential loop-holes in top-knotch security? 
Thanks!

[Namikaze]

You're right about the AAA security situation.  It is definitely tough to deal with.  For my Prime Runner campaign, I was throwing the group at subsidiaries or hidden facilities.  This means the secrecy of the facility is the primary security they have to counteract, so the security on-site is a little more lax.  I would always make HRT right around the corner though, so as to not encourage a shooting spree.

My players found some creative solutions though - a sewer tunnel that runs relatively close to the basement, a security guard that can be bribed, that kind of thing.  The human element is probably the weakest part of security, regardless of how aggressive the AAA is.

[BetaCAV]

The human element is probably the weakest part of security, regardless of how aggressive the AAA is.

The runners can go in posing as new hires, needing to be shown to their workstations. This will be a common enough occurrence in a AAA's HQ that the receptionist won't blink at not recognizing them, or that their names aren't on the "expected" list yet, or that they don't have security clearance yet. They will need high quality SINs though, and should probably make plans to have their gear brought in separately.

Not to mention that putting hardened professional criminals through the rigors of office politics might be fun. The Face may score highest, coming away with a new contact or two, and a bunch of Johnsons who might want to hire someone to clear the rung above them, but all characters have the potential of making friends in the belly of the beast.

The best part may be watching them get handed overtime assignments handed to them on their way downstairs. 

[RHat]

Actually, the common loopholes can still work just fine, as long as you deal with the countermeasures.  The "new hires" thing, for example, wouldn't work unless the decker planted everyone's covers in there as new hires.

[Reaver]

Ok THIS will take a lot of work, but is reuseable, and with time you will have a portfolio of security to pull up from for future runs.


The first thing to do is to ask yourself these questions:

"Why security?"
Most places can get by with an overly large receptionist, so why does this particular building need more? Is it a top level research facility? It is a data storage office? There must be some reason why they need extra muscle. Just how valuable is it to the parent Corp, and the its division? What is it that actually need protection? Is it a room? a floor? a wing? a box?

"What Security"
All the magically security in the world isn't going to protect a file on a database from a decker. Nor is IC software going to do anything against a physical threat. Once you know what you are guarding, then you can begin to lay the framework for the actual security system!

"How Much Security"
Security is expensive. Guards cost money, Equipment costs money. Drones cost money. Heck, money costs money! How much you spend on security depends on the perceived value of the item being protected. No sense in spending $2 million to protect $50,000 in assets. There is a fine balance between affordable security and idiot security...but we will talk more about that later.... What you are looking for is an annual amount of expenditure for the building. This is will give you an idea of your onsite forces. A fair range for annual expenses is $500,000 to $5,000,000. That might sound  like a lot, but if you have 10 guards in your building, there is $300k right there (assuming a low-middle lifestyle). leaving you $200k to operate mag doors, drones, cameras, IC, and whatnot.... But we will discuss this more later.. for now just come up with a dollar value.

"Where security"
Placing is Key, and to do this you need a layout. Nothing fancy, just an property fence line to the outside of the building for outside security. And a outside wall and inside wall sketch for the inside of the building. Make life easy and do only 1 or 2 floor plans, no matter how high your building They really don't vary a whole lot on the inside (unless your in an "ego piece"). Now that you have an idea of the floor layout, you can see the traffic patterns for your floor.... where the people are moving to and from.... where the entrance and egress off the floor is located..... so now you know your choke points... and this is where security goes.

For security to actually work, it has to be user friendly, unobtrusive, and intuitive. Sadly, a "Fool Proof System" usually breaks all 3 of these and falls apart. let me explain.
     User Friendly: The system has to interrupt your routine, to secure your identity, but if it totally throws off and breaks your routine, you cease to be productive, thus the system has crippled you, and thus itself (if there is no production, there is no profit, thus nothing worth protection..).
A computer password that you enter when you log in is very user friendly, but not very secure, as if you forget to log out, you ID is compromised until you get auto logged out, which could be minutes. A Computer password that you have to enter every 15 seconds regardless of activity is incredibly secure, but not very user friendly. Somewhere between these two is a happy balance. Sometimes that balance could be a different approach, like an "eye contact" camera for a computer.... As long as you don't look away from the computer for more then 5 minutes, you stay logged on, thus solving a "time out" issue.

   Unobtrusive: There is only a certain amount of hassle anyone will go through for various pay. A security system that causes stress to your employees causes you production, both from new hires being less effective as seasoned workers to the seasoned workers being burned out. A security system that subjected every single person to every single floor to a full body cavity search would be incredibly secure, but I doubt you would have too many people reporting for their 6 day a week job repeatedly. The security system has to be there, It has to be seen (being seen is 90% effective at stopping crime), but it shouldn't hassle the employees any more then it needs to. A circular security door (forcing 1 person at a time) entrance, or a 2 door dead man system, or a turn style, MAD scanners, chemical  sniffers are all "unobtrusive" security devices.

   Intuitive: Scanners and cameras are all well and good, but the system has to know what it is looking for... So this is a training issue.. is the training and discipline of the site up to snuff? Or is it slacking. Generally, the more quiet, relaxed the building, the more slack the guards. A data storage facility probably has 3 guards on site, the young rookie, the near retiree, and the out of shape middle ager. A crack research and development facility might have a dozen well trained, ex military hard asses who eat, sleep and shit procedure, doctrine, and policy. This is you human element. Does the security guard ignore the pressure alarm on the 10 floor cause "it's always going off"... or does he call in for magical support every time he gets a chill? The problem with an overly automated system is oversight, generally these systems are lacking the required oversight as the guards get tired of staring at monitors showing the same thing for hours, go off and do other things... like play poker. Too Much oversight and not enough automation however, leads to a hassled and rushed, not to mention stress security staff, who are prone to make errors....





*****


So now you have your answers to the questions
You have an idea of your annual budget
You have an idea of the interior and exterior layout.
You have idea of how much and what type of security you need
You have an idea of what you are protecting.


Now the Fun starts



Take your item (whatever it is) and place it in a room (if it IS a room, ignore this step ). This is the epicenter of your security. All your toughest security should be placed near here in a User friendly, Unobtrusive, and intuitive way that is to be expected for this level of security. Now build outward.

Costs are easy. Just use the base cost for your sensors, drones and scanners, remember, you are accounting for repairs and maintenance as well, which means you probably have multiple parts for everything in storage for easy replacement. Over the years it works out.  For human guards, look at their professional level and assume $30,000 +$5000/lvl average. Most buildings provide round the clock security... so that means a minimum of 4 guards. And they are usually working alone! (assuming a 50hr work week, 50 weeks a year)


Now save your template for the next time you need a security plan and you have the ground work for the next one... and the next one, and the next one... and soon you will have a portfolio of various specialized security that you can apply on the go to anything to you need.
 
Once you have all this worked out, you know what loopholes the system that can be exploited and how, can answer character/player questions about the security, and so on.

[inca1980]

Wow guys, all really great ideas, I knew I could count on you!!

Reaver, thanks for the great guidance, it will definitely be put to good use in my up-coming campaign.  One question, do you think you could briefly sketch out how you personally would answer the questions you posed for the case of the Aztechnology pyramid in downtown Seattle.  Let's say the runners are going after a prized awakened jewel that a heavy weight administrator in magical R&D keeps locked away in his administrative office inside the Aztechnology pyramid and he never takes it out, the only way to get it is to go and get it.  I know that is pretty involved, but I feel my players are at the point where they should be doing runs against the heart of the corporate world, very much like you can do in the shadowrun sega genesis video-games. 

Thanks!

[martinchaen]

Pretty much what has already been said; to this day, social engineering is still one of the biggest issues modern day corporations face.

[Reaver]

like I said, start with what needs to be protected, and build out wards

Now the Pyramid might not be the best place to start ... to give you an idea, My Seattle Pyramid has a layered security system that overlaps wards, guards and tech in an increasing difficult ringed defense. I basically pulled out 6 different security layouts and combined them for when I needed a security layout for the pyramid....



For you, I would start with the VIP's office and work outwards. AS an exec in the magic department, you know his office is going to be in, or close to the magical research department, so you start with your magical security and build that outwards. (What type of magical security do they need? Are Wards used? Where are the Wards? What type of Spirits, or other magical countermeasures do they have? Are there Para critters? Patrolling mages?) Then you add in the mundane security. (locked doors, pass cards, check points, guards, drones, sensors).


However, since this is also a Exec, he may have had a little something extra added into the security in his office... (an off the books ward maybe?, a private drone, a guardian spirit)

[Belker]

Social engineering is a big one. With support from a decker/technomancer it can get you a long, long way.

Suborning an insider, either through overt coercion ("Get us in or we shoot your bunny!") or through more subtle means ("Oh, c'mon sweetie, I just want to visit you at work") are time-tested methods.

In fact, if you look at the historical examples, most of the time there is an insider involved - either someone planted by the perpetrators, or someone they suborned somehow.

Unless it's a completely self-contained environment, deliveries from the outside are going to be a necessity. And even the deepest, most secure parts of a facility are going to sometimes need a big item delivered which could turn out to be a trojan horse. This one likely requires some preliminary work. Say, for example, a run by the decker to overclock the processor on that big air handler unit cooling the lab, causing it to fail and needing an urgent replacement. Oh, look, there just happens to be one available locally...

Staging some kind of fire, hazmat or similar emergency can also be a good cover. Example I've seen used in a physical penetration test - the tester happened to arrive on the day of a scheduled fire drill. She mingled a bit in the crowd of employees outside. When everyone went back in, many of the usual security measure (badge readers, etc.) were temporarily suspended, so she just followed the crowd. She managed to make it to the outer room of a data center before she was finally stopped. This was purely opportunisitc without fake credentials or any particular preparations or stealth, so you can imagine what a prepared and stealthy operator might be able to pull off.

You might also be amazed at how few people outside of really, really restricted environments will try to stop an obviously pregnant woman. Even when they do question her, people are less inclined to hassle her.

Now, on the flip side of all this, I've seen an enlisted Air Force policeman knock a field-grade officer to the ground for violating a flight line. So your mileage may, indeed, vary.

PS - one thing that Hollywood and a lot of lazy writers get wrong: while you might restrict physical access to certain areas or assets, it's actually really helpful for the secure space to be very visible. One place I assessed did this really well - they had a secure storage room that contained a huge trove of really sensitive records. And while it was an interior room with a lock that required two people to open - one to press a button some distance away from the door, while the other person badged in at a card reader right next to the door - one wall was a giant window open to the rest of the office space. That way anyone inside could see at any moment who was in the room and what they were doing. Extra eyes of random wageslaves are free security. If you're trying to get past this, then, you need to get those eyes looking elsewhere.