Most schools keep an incident log because they are required to. Almost none of them ever analyse it. Somewhere in those rows of dates, times and brief descriptions is a pattern that would change how you think about your site security. This article shows you how to find it.
Ask a school business manager about their incident log and most will tell you the same thing. Yes, they have one. It lives in a spreadsheet, or a shared drive, or a notebook somewhere in the site manager's office. They add to it when something happens. It gets reviewed briefly after a significant event and then filed again.
What almost never happens is any systematic analysis of what the data is actually showing. Not because the business manager is not diligent — they almost always are — but because nobody has told them that the log is worth analysing, or given them a practical way to do it.
The result is that schools make security decisions based on the most recent incident rather than the underlying pattern. A car gets broken into on a Tuesday morning, so the business manager emails the site manager about improving lighting in the car park. What they do not know, because they have not looked, is that seven of the last twelve incidents happened between 7pm and 10pm on Fridays. The lighting will not solve that. A monitored alarm and better perimeter fencing might.
The key insight: Your incident log is not a record of bad luck. It is a dataset. Patterns in that dataset reveal vulnerabilities in your site that no amount of walking around will show you as clearly.
When you analyse an incident log properly, four types of pattern emerge. Each one points to a different type of security gap.
Time of day patterns are the most revealing. Security incidents are not random in time. They cluster around specific windows — often late evening for external incidents, and specific times of day for internal ones. A school that sees 60% of its external incidents between 7pm and 11pm has a clear out-of-hours problem. A school that sees most of its theft incidents between noon and 1pm has a different problem entirely, one that professional monitoring will not solve but improved access control and staff awareness might.
Location patterns are the second most important. Most schools find that a small number of locations account for a disproportionate share of incidents. The car park. The perimeter fence on the west side. The sports hall. These hotspots are not obvious from a single incident review, but they become clear when you aggregate across six or twelve months. Knowing your top three hotspot locations tells you exactly where to prioritise physical security investment.
Day of week patterns reveal whether your site has a weekend vulnerability. Many schools find that weekend incidents are significantly more common than weekday incidents, which makes sense given the absence of staff. But the degree of that difference matters. A site where 50% of incidents happen at weekends has a very different risk profile to one where incidents are evenly distributed through the week.
Incident type patterns tell you what category of threat you are actually dealing with. Vandalism, theft, trespass, vehicle crime, aggressive behaviour and false alarm events each point to different interventions. A site with predominantly vehicle crime needs different measures to one with predominantly trespass. Mixing these up — installing CCTV to address a problem that is actually driven by poor perimeter fencing — wastes budget without fixing the vulnerability.
A secondary school with around 900 pupils kept a incident log for 18 months. When the data was analysed, the patterns were striking. Of 23 recorded incidents:
17 occurred between 6pm and midnight. The school had no professional monitoring and relied on a keyholder arrangement. Several of those incidents had gone undetected until the following morning.
14 of the 23 involved the car park or the perimeter fence on the north side of the site. The car park had one camera with a faulty recording unit. The north fence had been damaged and repaired twice, but never properly secured.
9 of the 12 weekend incidents happened on Saturdays between 7pm and 10pm. This was consistent enough to suggest the site was being targeted deliberately rather than opportunistically.
None of this was visible from reading the log entry by entry. It only emerged when the data was counted and grouped. The school's response — connecting to a monitoring centre, replacing the camera in the car park with two properly functioning units, and installing perimeter detection on the north fence — was directly informed by the analysis. The following six months saw two incidents, both of which were detected and responded to in real time.
Paste your incidents into the Pattern Analyser and get an instant breakdown of time windows, hotspot locations, day-of-week trends and recommended interventions — all in your browser, nothing stored.
The quality of your analysis depends entirely on the quality of your data. A log entry that says "incident in car park" tells you almost nothing useful. One that says "22/03/2025 21:15 Car Park (north end) — vehicle window smashed, no witnesses, discovered next morning" gives you a date, a time, a specific location and an incident type. That is four pieces of data in one entry.
The minimum a useful incident log entry should contain is the date, the time (even an approximate time is better than nothing), the location, and a brief description of what happened. You do not need to capture everything — the person involved, the weather, the response taken — for the pattern analysis to work. Those details matter for individual incident management. For pattern identification, date, time and location are the essential three.
Even a log in this simple format — which takes ten seconds per entry to write — will yield meaningful pattern analysis when you have twenty or thirty entries to work with. The analysis becomes more reliable with more data, but useful patterns often emerge from as few as ten to fifteen incidents.
This is the most common question. The honest answer is that any number of incidents is worth analysing, but the confidence you can place in the findings increases with volume.
With fewer than ten incidents, you can identify obvious concentrations but should treat them as indicators rather than firm conclusions. One location accounting for four out of eight incidents is worth noting, but it could be coincidence rather than a genuine pattern.
With ten to twenty incidents, real patterns begin to emerge reliably. Time-of-day clustering and location hotspots at this scale are unlikely to be coincidental and can inform genuine security decisions.
With twenty or more incidents, the analysis is robust enough to present to governors or a budget committee as evidence for security investment. The patterns are statistically meaningful and the recommended interventions can be directly linked to what the data shows.
If your log has fewer than ten entries because your site has been quiet, that is genuinely good news. If it has fewer than ten entries because incidents are not being recorded consistently, that is a separate problem worth addressing. Under-reporting is common in schools — incidents that feel minor at the time often go unlogged. Encouraging consistent recording, even of near-misses and minor events, significantly improves the quality of any future analysis.
The pattern analysis is not the end point. It is the input into a security decision. The question it should prompt is: what specific measure would have the most impact on the patterns we have identified?
If the analysis shows a concentration of late-evening incidents, the right question is not "should we improve security" but "what security measure would specifically deter or detect a late-evening incident at this site?" Professional monitoring is the most direct answer to that question, because it provides a response capability at the exact time when staff are not present. A better padlock on the gate is not.
If the analysis shows a car park hotspot, the right question is "what would make that car park less attractive to someone considering an incident there?" Visible, well-maintained CCTV with clear signage is a powerful deterrent. Poor-quality cameras that nobody monitors are not.
If the analysis shows weekend concentration, the question is "what happens on weekends that is different from weekdays?" The answer is almost always staff absence. The intervention is either a physical deterrent that works without staff presence — perimeter detection, monitored alarm, CCTV with remote access — or an improvement to the physical barriers that make the site harder to enter in the first place.
The pattern tells you where and when. The intervention is the specific response to that where and when. Connecting the two — moving from "we had twenty incidents last year" to "we need monitored CCTV in the car park and a perimeter alarm on the north fence" — is exactly what good incident analysis makes possible.
Incident log analysis should not be a one-off exercise. It is most valuable as a regular review — ideally termly for schools, or quarterly for larger public sector estates. Each review adds data and improves the reliability of the patterns. It also allows you to track whether the interventions you have put in place are working. If you install perimeter detection and the next quarter's analysis shows a significant reduction in perimeter incidents, that is evidence that the measure was effective. If the incidents simply move to a different part of the site, that tells you something different.
A termly review does not require hours of analysis. With a well-maintained log and a structured approach, it can be done in thirty minutes and presented as a standing item on the governing body's health and safety agenda. The findings become the evidence base for security budget requests, which are far more likely to be approved when they are supported by data rather than impressions.
The Pattern Analyser is free, takes under a minute to use and runs entirely in your browser — nothing is stored or shared. Paste your incidents and see your patterns immediately. Or request a free site survey and we will review your incident history as part of the assessment.