Intro to Vulnerability


When you are charged with hardening a target in cybersecurity, you can't start by blindly throwing money at costly equipment and hoping for results. Instead, an in-depth security assessment needs to be completed, meticulously inspecting every layer of protection the target has and its level of potential risk.


This post describes the concepts and principles of designing and applying a physical protection system (PPS), how to identify the vulnerabilities of an existing PPS, and how to propose effective upgrades where required. Additionally, I will explain the core concepts of a vulnerability assessment (VA) and of risk management. This post's material is derived from the first few pages of chapter two of 'Effective Physical Security' (Fifth Edition) by Lawrence J. Fennelly.

A VA is a systematic evaluation in which quantitative procedures are used to predict PPS component performance and overall system effectiveness by detecting exploitable weaknesses in asset protection against a defined threat. The data from a VA is then used to determine PPS improvements.

Management uses a VA to support PPS upgrades in three phases: planning, conducting the VA, and reporting and using the results.

Key VA Terms:

Like any subset of cybersecurity, or of IT as a whole, this area of expertise uses its own terminology; below are a few key terms and their definitions as used in a VA.

Enterprise: governments, organizations, agencies, companies, or any other unit with the necessity to control security risks.

Asset: personnel, property, data, or any other enterprise possession that has value.

Difference between safety and security:

Safety: processes (personnel, measures, or equipment) used to prevent or detect an abnormal condition that can endanger people, property, or the enterprise. Safety concerns include human carelessness, inattentiveness, lack of training, and other unintentional events or accidents.

Security: processes used to protect assets (people, property, information, equipment) from malicious human threats; these can be civil disturbances, theft of critical property or information, sabotage, pilferage, workplace violence, or any other premeditated human attack on assets.

Risk management: the set of activities an enterprise pursues to address identified risks; the options include avoidance, reduction, transfer, spreading, elimination, and acceptance.

Risk avoidance: achieved by removing the risk’s source.

Risk reduction: accomplished by implementing procedures that lessen the risk to the enterprise by decreasing the severity of the loss; in practice, this means lowering risk by employing security measures.

Risk transfer: the use of insurance to cover the replacement or other costs incurred as the result of a loss.

Risk acceptance: the recognition that there will always be some residual risk. The enterprise knowingly agrees on an acceptable level of risk rather than tolerating it inadvertently.

Total risk management: a methodical, statistically based, all-inclusive process that builds on formal risk assessment and management by answering two sets of questions (the two sets of three questions listed under Risk Management below) and addressing the causes of system failures.

Security risk assessment: the process of answering the first set of three questions, using threat, probability of attack, and consequence of loss as its benchmarks. A thorough assessment studies the risks in all components of a security system: cyber, transportation, executive, etc.

Risk assessment, as applied to the VA of a PPS, is an evaluation of the PPS supported by a number of analysis methodologies, including threat analysis, consequence analysis, event tree and fault tree analyses, and vulnerability analysis.

Risk Management

The hierarchy runs from risk management down to the vulnerability assessment (Fennelly, 2016):

Risk management (options/decisions)
  -> Categories of risk (assessment): market, credit, strategic, operational, liquidity, hazard
    -> Hazard: safety, security
      -> Security: define threats and assets (risk assessment)
        -> Vulnerability assessment

The first set: the three questions of risk assessment.

What can go wrong?

What is the probability that it will go wrong?

What are the consequences?

The second set: the three questions of risk management, which help identify, measure, and evaluate the available options.

What can be done?

What choices are available, and what are the associated trade-offs in costs, benefits, and risks?

What are the effects of current management decisions on future options?

Security Risk Equation

Security risk can be computed qualitatively or quantitatively using the following equation:

R = Pa x (1 - Pe) x C

R = the risk to the facility or its stakeholders of an intruder gaining access to or stealing critical assets.

R ranges from 0 to 1, with 0 meaning 'no risk' and 1 meaning 'maximum risk'. Risk is calculated for a stated period of time, such as one to five years.

Pa = the likelihood of an intruder attack during that period; this can be difficult to determine, but records may be available from internal or external sources. The likelihood ranges from 0 (no chance of attack) to 1 (certainty of attack). Sometimes, when calculating risk, we assume there will be an attack, which mathematically sets Pa = 1; this is conditional risk, where the condition is that the adversary attacks. Conditional risk does not mean an attack is certain; it reflects that the asset is so valuable that it must be protected even if Pa is low. For such assets, a PPS is normally required.

Pe = Pi x Pn, where Pi is the probability of interruption (responders arrive and engage the adversary before the adversary completes the task) and Pn is the probability of neutralization (the adversary is stopped, given interruption). Neutralization can involve tactics ranging from verbal commands to deadly force; the appropriate response depends on the defined threat and the value of the asset at stake. Pe is the effectiveness of the PPS against the defined threat, so the (1 - Pe) term in the equation is the vulnerability of the PPS.

C = consequence value: a value from 0 to 1 that corresponds to the severity of the event; it is a normalizing factor that allows the conditional risk value to be compared with other risks across the facility (Fennelly, 2016).
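To make the equation concrete, here is a worked example in Python. It is an added illustration, not code from Fennelly's book or from the original post. It computes R = Pa x (1 - Pe) x C with Pe = Pi x Pn for a few scenarios, ranks them, compares unconditional risk with conditional risk (Pa = 1), and shows how a proposed upgrade that raises Pi and Pn lowers R. The scenario names and every number in it are constructed inputs for illustration; they are not drawn from the book or from any real facility.

```python
"""Worked example of the security risk equation R = Pa * (1 - Pe) * C,
with PPS effectiveness Pe = Pi * Pn.  All inputs are constructed examples."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    pa: float  # probability of attack over the analysis period (0-1)
    pi: float  # probability responders interrupt the adversary (0-1)
    pn: float  # probability the adversary is neutralized, given interruption (0-1)
    c: float   # normalized consequence value (0-1)


def check_prob(value, label):
    """Every term is a probability or normalized value; reject anything outside [0, 1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be in [0, 1], got {value}")
    return value


def effectiveness(pi, pn):
    """Pe = Pi * Pn: the PPS only succeeds if it both interrupts and neutralizes."""
    return check_prob(pi, "Pi") * check_prob(pn, "Pn")


def vulnerability(pi, pn):
    """(1 - Pe): the share of attacks the PPS fails to stop."""
    return 1.0 - effectiveness(pi, pn)


def risk(s, conditional=False):
    """R = Pa * (1 - Pe) * C.  With conditional=True the attack is assumed (Pa = 1)."""
    pa = 1.0 if conditional else check_prob(s.pa, "Pa")
    return pa * vulnerability(s.pi, s.pn) * check_prob(s.c, "C")


def rank(scenarios, conditional=False):
    """Highest risk first, so the facility knows where to spend first."""
    scored = [(s.name, round(risk(s, conditional), 4)) for s in scenarios]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def upgrade_benefit(s, new_pi, new_pn, conditional=False):
    """Risk before and after a proposed upgrade to the PPS, and the reduction."""
    before = risk(s, conditional)
    after = risk(replace(s, pi=new_pi, pn=new_pn), conditional)
    return before, after, before - after


# Constructed sample scenarios (hypothetical facility; numbers chosen for illustration).
SERVER_ROOM = Scenario("server room", pa=0.2, pi=0.6, pn=0.5, c=0.9)
LOADING_DOCK = Scenario("loading dock", pa=0.6, pi=0.4, pn=0.8, c=0.3)
EXEC_OFFICE = Scenario("executive office", pa=0.1, pi=0.7, pn=0.9, c=0.8)
SCENARIOS = (SERVER_ROOM, LOADING_DOCK, EXEC_OFFICE)


if __name__ == "__main__":
    print("Unconditional risk:", rank(SCENARIOS))
    # Conditional risk (Pa = 1) reorders the list: it asks "if they come, how bad is it?"
    print("Conditional risk:  ", rank(SCENARIOS, conditional=True))
    # Proposed upgrade for the server room: faster response (Pi 0.6 -> 0.9) and
    # a stronger response force (Pn 0.5 -> 0.8).
    before, after, delta = upgrade_benefit(SERVER_ROOM, new_pi=0.9, new_pn=0.8)
    print(f"server room: R before={before:.4f}, after={after:.4f}, reduction={delta:.4f}")
```

Two things the numbers show that the prose alone does not: the loading dock is nearly as risky as the server room unconditionally only because Pa is high, and it drops to last once the attack is assumed; and because Pe is a product, raising only Pi or only Pn buys less than the same effort split across both, since a PPS that interrupts but cannot neutralize (or vice versa) is not effective.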

Three Phases of an Attack:

Regarding security systems and attack timelines, an attack can be separated into three phases:

Preattack: the time the adversary takes to plan the attack.

Attack phase: when the adversary arrives at the facility and initiates the attack.

Postattack: when the adversary has finished the attack, at which point its consequences begin.

Each term in the security risk equation has primary importance in one attack phase. For example, Pa matters most in the preattack phase, where intelligence agencies, cybersecurity experts, and deterrence measures can collect data on threats and the likelihood of their occurrence.


Fennelly, Lawrence J. (28 Nov 2016). Effective Physical Security (5th ed.). Butterworth-Heinemann.
