Detecting and responding to an atypical behavior

What is claimed is: 1. A method, comprising: creating a number of records, each associated with a presentation of a credential device to an access control reader for authentication in connection with access to a physical asset protected by the access control reader, wherein access by a holder of the credential device to the physical asset is determined based, at least in part, on one or more access policies; determining a first behavior of the holder of the credential device based on a pattern of presentations of the credential device indicated by the number of records, the determined first behavior being in addition to the one or more access policies; setting an indicator upon determining at least one of the number of records indicates a behavior atypical of the determined first behavior. 2. The method of claim 1 , further comprising, in response to the indicator being set, performing at least one of requiring a secondary authentication, denying access to a resource, indicating a user associated with the credential device may warrant additional scrutiny, placing an indicia of the atypical behavior on the credential device, alerting other personnel, and triggering an alarm. 3. The method of claim 1 , wherein the first behavior includes an acceptable amount of deviation. 4. The method of claim 1 , wherein the number of records further comprises additional records, each associated with one of a plurality of credential devices. 5. The method of claim 4 , wherein the atypical behavior is determined based, at least in part, on expected behavior of a plurality of individuals associated with the plurality of credential devices. 6. The method of claim 1 , wherein the atypical behavior corresponds to behavior permitted by the one or more access policies. 7. The method of claim 6 , wherein the atypical behavior is determined based, at least in part, on at least one of a time of day, day of the week, day of the month, day of the year, and operational status of the site comprising the access control reader. 8. The method of claim 6 , wherein the atypical behavior is determined based, at least in part, on the at least one of the number of records being created within a unit of time. 9. The method of claim 6 , wherein the atypical behavior is determined based, at least in part, on the location of the access control reader. 10. A system, comprising: an access control reader operable to read a credential device and to protect a physical asset; a storage medium; and a processor operable to: create a number of records, each of the records being associated with a presentation of the credential device to the access control reader in connection with attempting to gain access to the physical asset, wherein access by a holder of the credential device to the physical asset is determined based, at least in part, on one or more access policies; store the records in the storage medium; determine an expected behavior of the holder of the credential device based on a pattern of presentations of the credential device indicated by at least one field of the records, the expected behavior being in addition to the one or more access policies; and set an indicator upon determining that at least one of the records indicates a deviation from the determined expected behavior. 11. The system of claim 10 , further comprising: an indicator reader operable to read the indicator; and a response processor operable to respond to the indicator. 12. The system of claim 11 , wherein the response processor causes at least one of requiring a secondary authentication, denying access to a resource, indicating a user associated with the credential device may warrant additional scrutiny, and triggering an alarm. 13. The system of claim 10 , wherein the processor determines expected behavior, at least in part, from one or more fields of the records associated with at least one of time of day, day of the week, day of the month, day of the year. 14. The system of claim 10 , wherein the processor determines expected behavior, at least in part, from a field of the records associated with the location of the access control reader. 15. The system of claim 10 , wherein the processor determines expected behavior, at least in part, from one or more fields of the records indicating an amount of the number of records created within a unit of time. 16. The system of claim 10 , wherein the processor additionally determines expected behavior, at least in part, from a similar behavior of a plurality of individuals. 17. A portable credential device, comprising: a storage medium; and a processor operable to: create a number of records, each record associated with a presentation of the credential device to an access control reader in connection with access to a physical asset protected by the access control reader, wherein access by a holder of the credential device to the physical asset is determined based, at least in part, on one or more access policies; store the records in the storage medium; determine an expected behavior of the holder of the credential device based on a pattern of presentations of the credential device indicated by at least one field of the records, the expected behavior being in addition to the one or more access policies; and set an indicator upon determining that at least one of the records indicates a deviation from the determined expected behavior. 18. The portable credential device of claim 17 , wherein: the deviation from the determined expected behavior is associated with an attempt to authenticate the credential device that is in progress; and the processor is operable to block the authentication such that the portable credential device is not authenticated. 19. The portable credential device of claim 18 , wherein the processor is further operable to: require a secondary authentication; and remove the block if the secondary authentication is determined to be successful. 20. The portable credential device of claim 19 , wherein the secondary authentication is a code entered by a user on at least one of the portable credential device and the access control reader.