A Risk Assessment Methodology (RAM) for Physical Security*
Violence, vandalism, and terrorism are prevalent in the world today. Managers and decision-makers must have a reliable way of estimating risk to help them decide how much security is needed at their facility. A risk assessment methodology has been refined by Sandia National Laboratories to assess risk at various types of facilities including US Mints and federal dams. The methodology is based on the traditional risk equation:
Risk = PA * (1 - PE) * C,
where:
PA is the likelihood of adversary attack,
PE is security system effectiveness,
1 - PE is adversary success, and
C is consequence of loss to the attack.
The process begins with a characterization of the facility including identification of the undesired events and the respective critical assets. Guidance for defining a design basis threat is included, as well as for using the definition of the threat to estimate the likelihood of adversary attack at a specific facility. Relative values of consequence are estimated. Methods are also included for estimating the effectiveness of the security system against the adversary attack. Finally, risk is calculated. In the event that the value of risk is deemed to be unacceptable (too high), the methodology addresses a process for identifying and evaluating security system upgrades in order to reduce risk.
Keywords: Risk assessment, physical security, vulnerability analysis, security effectiveness, consequence, likelihood of attack
Note: Each critical infrastructure (CI) follows a RAM process developed specifically for that CI.
Analysis Methodology
An analysis methodology has been used to assess the vulnerability of physical protection systems for facilities. Figure 1 describes the order and sequence of the seven basic steps of the methodology.
Facility Characterization
An initial step in security system analysis is to characterize the facility operating states and conditions. This step requires developing a thorough description of the facility itself (the location of the site boundary, building locations, floor plans, and access points). A description of the processes within the facility is also required, as well as identification of any existing physical protection features. This information can be obtained from several sources, including facility design blueprints, process descriptions, safety analysis reports, environmental impact statements, and site surveys.
Undesired Events/Critical Assets Identification
Undesired Events- The undesired events must be established. Undesired events result in undesired consequences. Undesired events are site-specific and have adverse impacts on public health and safety, the environment, assets, mission, and publicity.
Critical Assets- The adversary could cause each undesired event to occur in several ways. A structured approach is needed to identify critical components for prevention of the undesired events. A logic model, like a fault tree, can be used to identify the critical components. The critical components and their locations become the critical assets to protect. Figure 2 is the top-level portion of a generic fault tree for facilities.
Consequence Determination
The next step is to categorize undesired events or loss of critical assets. The proposed categories of consequences are similar to those used by the Department of Defense per Military Standard 882C.
The consequence values and categories are described in Table 1. The goal is to estimate the relative consequence value associated with each undesired event.
Threat Definition
Threat- Before a vulnerability analysis can be completed, a description of the threat is required. This description includes the type of adversary, tactics, and capabilities (number in the group, weapons, equipment, and transportation mode). Also, information is needed about the threat to estimate the likelihood that they might attempt the undesired events. The specific type of threat to a facility is referred to as the design basis threat (DBT). The DBT is often reduced to several paragraphs that describe the number of adversaries, their modus operandi, the type of tools and weapons they would use, and the type of events or acts they are willing to commit.
The types of organizations that may be contacted during the development of a DBT description include local, state, and federal law enforcement (to include searching source material) and related intelligence agencies. Local authorities should be able to provide reports on the type of criminal activities that are occurring and analytical projections of future activities. A review of literature may be conducted to include past incident reports associated with the site, local periodicals, professional journals, and other related material.
Likelihood of Attack- After the threat spectrum has been described, the information can be used together with statistics of past events and site-specific perception to categorize threats in terms of the likelihood that each type of threat would attempt an undesired event. Safety studies have historical data and statistics to predict the likelihood of an abnormal event and the system response to the event. For security studies, estimating the likelihood that an adversary group will attack a specific asset presents a challenge. Because of the human element (the fact that humans plan, rehearse, learn, and modify in order to optimize the attack effectiveness), the events are not random and many of the required mathematical assumptions cannot be met. Human behavior is difficult to predict, and providing a quantified prediction of human behavior is an even more difficult task.
The likelihood of adversary attack can be estimated with a qualitative relative threat potential parameter. Figure 3 describes the factors that can be used to estimate relative threat potential. The process for estimating the threat potential follows a complete threat analysis and the parameter is estimated per undesired event and per adversary group. The basis of the parameter estimation includes:
• Characteristics of the adversary group relative to the asset to be protected
• Relative attractiveness of the asset to the adversary group.
Figure 3. Estimating Likelihood of Attack, PA
Protection System Effectiveness Analysis
Figure 4 describes the design and analysis process outline that can be used when estimating physical protection system effectiveness. The physical protection features must be described in detail before the security system effectiveness can be evaluated. An effective security system must be able to detect the adversary early and delay the adversary long enough for the security response force to arrive and neutralize the adversary before the mission is accomplished. In particular, an effective security system provides effective detection, delay, and response. These security system functions (detection, delay, and response) must be integrated to ensure that the adversary threat is neutralized before the mission is accomplished.
DETECTION, the first required function of a security system, is the discovery of adversary action and includes sensing covert or overt actions. In order to discover an adversary action, the following events must occur:
• Sensor (equipment or personnel) reacts to an abnormal occurrence and initiates an alarm
• Information from the sensor and assessment subsystems is reported and displayed
• Someone assesses information and determines the alarm to be valid or invalid. (If determined to be a nuisance alarm (defined below), detection has not occurred.)
[Figure 3 factors. Adversary Capability: access to region, material resources, technical skills, planning/organizational skills, financial resources. Adversary History/Intent: historic interest, historic attacks, current interest in site, current surveillance, documented threats. Relative Attractiveness of Asset to Adversary: desired level of consequence, ideology, ease of attack.]
Methods of detection include a wide range of technologies and personnel. Entry control, a means of allowing entry of authorized personnel and detecting the attempted entry of unauthorized personnel and contraband, is included in the detection function of physical protection. Entry control, in that it includes locks, may also be considered a delay factor (after detection) in some cases. Searching for metal (possible weapons or tools) and explosives (possible bombs or breaching charges) is required for high-security areas. This may be accomplished using metal detectors, x-ray (for packages), and explosive detectors. Security police or other personnel also can accomplish detection. Security police or other personnel can contribute to detection if they are trained in security concerns and have a means to alert the security force in the event of a problem. An effective assessment system provides two types of information associated with detection: (1) information about whether the alarm is a valid alarm or a nuisance alarm, and (2) details about the cause of the alarm.
The effectiveness of the detection function is measured by the probability of sensing adversary action and the time required for reporting and assessing the alarm.
DELAY is the second required function of a security system. It impedes adversary progress. Delay can be accomplished by fixed or active barriers (e.g., doors, vaults, locks) or by sensor-activated barriers (e.g., dispensed liquids, foams). The security police force can be considered an element of delay if personnel are in fixed and well-protected positions. The measure of delay effectiveness is the time required by the adversary (after detection) to bypass each delay element.
RESPONSE, the third requirement of security systems, comprises actions taken by the security police force (police force or law enforcement officers) to prevent adversarial success. Response consists of interruption and neutralization. The measure of response effectiveness is the time between receipt of a communication of adversarial actions and the interruption and neutralization of the action.
Interruption is defined as the response force arriving at the appropriate location to stop the adversary’s progress. It includes the communication to the response force of accurate information about adversarial actions and the deployment of the response force. Neutralization is the act of stopping the adversary before the goal is accomplished. The effectiveness measures for neutralization are security police force equipment, training, tactics, and cover capabilities.
Protection System Effectiveness- Analysis and evaluation of the security system begin with a review and thorough understanding of the protection objectives and security environment. Analysis can be performed by simply checking for required features of a security system, such as intrusion detection, entry control, access delay, response communications, and a response force. However, a security system based on required features cannot be expected to lead to a high-performance system unless those features, when used together, are sufficient to ensure adequate levels of protection.
More sophisticated analysis and evaluation techniques can be used to estimate the minimum performance levels achieved by a security system.
The Adversary Sequence Diagram (ASD) is a graphical representation of physical protection system elements along paths that adversaries can follow to accomplish their objective. For a specific physical protection system and threat, the most vulnerable path can be determined. This path with the least physical protection system effectiveness establishes the effectiveness of the total physical protection system. An ASD is developed for a single critical asset associated with an undesired event. Computer codes such as Systematic Analysis of Vulnerability to Intrusion (SAVI) and Analytic System and Software for Evaluating Safeguards and Security (ASSESS) can be used to determine the most vulnerable path. The neutralization module of ASSESS or Joint Combat and Tactical Simulation (JCATS) can be used to estimate response force effectiveness.
Risk Estimation
RISK- Risk is quantified by the following equation:
R = PA * (1-PE) * C
Where: R = risk associated with adversary attack
PA = likelihood of the attack
PE = likelihood that the security system is effective against the attack
(1 – PE) = likelihood that the adversary attack is successful (also the likelihood that security system is not effective against the attack)
C = consequence of the loss from the attack.
Upgrades and Impacts
System Upgrades- If the estimated risk for the threat spectrum is judged to be unacceptable, upgrades to the system may be considered. The first step is to review all assumptions that were made that affect risk. All assumptions concerning undesired events, target identification, consequence definition, threat description, estimation of likelihood of attack, and safeguards functions should be carefully reevaluated. Upgrades to the system might include retrofits, additional safeguard features, or additional safety mitigation features. The upgraded system can then be analyzed to calculate any changes in risk due to change in likelihood of attack, system effectiveness, or consequence values. If the estimated risk for the upgraded system is judged to be acceptable, the upgrade is completed. If the risk is still unacceptable, the upgrade process of assumption review and system improvement should be repeated until the risk is judged to be acceptable.
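The effectiveness analysis, risk equation and upgrade re-analysis above, carried through on a constructed two-path facility; this is an added example, not code from the Sandia white paper and not the SAVI or ASSESS algorithms. Assumptions of the example: detection only counts while the remaining delay is at least the response time, PE for a path is the probability of interruption times the probability of neutralization, and every number is made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    name: str
    p_detect: float  # probability of sensing AND assessing the alarm as valid
    delay_s: float   # seconds the adversary needs to bypass this element

def p_interruption(path, response_s):
    """Probability of detection while enough delay remains for the response.

    Assumption of this sketch: an element's sensor fires before its delay is
    spent, so detection there is timely if the delay from that element to the
    asset is at least the response time.
    """
    remaining = sum(e.delay_s for e in path)
    p_missed = 1.0
    for e in path:
        if remaining < response_s:
            break  # past the critical detection point: alarms here come too late
        p_missed *= 1.0 - e.p_detect
        remaining -= e.delay_s
    return 1.0 - p_missed

def path_effectiveness(path, response_s, p_neutralize):
    # PE for one path = P(interruption) * P(neutralization given interruption)
    return p_interruption(path, response_s) * p_neutralize

def system_effectiveness(paths, response_s, p_neutralize):
    """Return (name, PE) of the weakest path, which sets PE for the system."""
    scored = {n: path_effectiveness(p, response_s, p_neutralize)
              for n, p in paths.items()}
    weakest = min(scored, key=scored.get)
    return weakest, scored[weakest]

def risk(p_attack, p_effective, consequence):
    # R = PA * (1 - PE) * C
    return p_attack * (1.0 - p_effective) * consequence

# Constructed sample data (not from any real facility)
FENCE = Element("perimeter fence", 0.5, 10)
VAULT = Element("vault door", 0.9, 90)
PATHS = {
    "main entrance": [FENCE, Element("exterior door", 0.8, 60), VAULT],
    "loading dock": [FENCE, Element("roll-up door", 0.2, 30), VAULT],
}
RESPONSE_S, P_NEUTRALIZE, P_ATTACK, CONSEQUENCE = 120, 0.9, 0.5, 0.8

def assess(paths):
    name, pe = system_effectiveness(paths, RESPONSE_S, P_NEUTRALIZE)
    return name, pe, risk(P_ATTACK, pe, CONSEQUENCE)

def upgraded_paths():
    # Candidate upgrade: a better sensor on the roll-up door
    up = dict(PATHS)
    up["loading dock"] = [FENCE, Element("roll-up door", 0.8, 30), VAULT]
    return up

if __name__ == "__main__":
    for label, paths in (("baseline", PATHS), ("upgraded", upgraded_paths())):
        name, pe, r = assess(paths)
        print(f"{label}: weakest path = {name}, PE = {pe:.2f}, R = {r:.3f}")
```

The vault sensor never contributes in either path: by the time the adversary reaches it, the remaining 90 seconds of delay are shorter than the 120-second response, which is why the upgrade goes on the earlier element.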
Upgrade Impact- Once the system upgrade has been determined, it is important to evaluate the impacts of the system upgrade on the mission of the facility and the cost. If system upgrades put a heavy burden on normal operation, a trade-off would have to be considered between risk and operations. Budget can be the driver in implementing security upgrades. A trade-off between risk and total cost may have to be considered. When balance is achieved in the level of risk and upgrade impact on cost, mission, and schedule, the upgraded system is ready for implementation. At this point, the design/analysis process is complete.
Methodology Summary
An analysis methodology for assessing the vulnerability of physical protection systems for facilities has been described. Vulnerability analyses for U.S. Mints and federal dams have been completed using the methodology. The methodology can be used to evaluate other important U.S. infrastructure components.
*Excerpts from Sandia white paper “Risk Assessment Methodology”
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.
Mitigation of Risk
Mitigating the Risks Associated with New Site Construction Projects
Using Earned Value Management
“Bad news never gets better with time. The earlier you know that you have a problem on client’s project, the better chance you will have to mitigate that problem.”
In construction oversight management, SEA employs Earned Value (EV) Management (EVM) to mitigate risk and to practice prudent risk management. The function of EVM is to contain the cost risks associated with the new nuclear plant project.
The following are the three elements of Earned Value (EV):
· Planned Value (PV), which consists of the authorized work, along with the authorized budget, within the authorized time-frame, which in total forms the project baseline.
· Earned Value (EV), which is the authorized work that has been completed, plus the original budget for the work.
· Actual Cost (AC), which is the cost incurred to convert the Planned Value (PV) into the Earned Value (EV).
Monitoring and Analyzing Earned Value (EV) Project Metrics
By using Earned Value (EV) metrics, SEA can accurately monitor and measure the performance of the project against a firm baseline. Measurement will take place at regular weekly intervals so that, at a given point in time, the project will determine:
· The Planned Value (PV)
· The Earned Value (EV)
· The Actual Cost (AC) incurred
These three elements provide a wealth of data reflecting the true health of projects.
The Earned Value (EV) represents two elements:
• The authorized work that has been completed.
• The original budget authorized to perform the completed work.
To determine the schedule position, SEA must take the Earned Value (EV) and subtract the Planned Value (PV) for the period being measured.
(EV) – (PV) = Schedule Position
A negative value indicates that the project is behind in its planned schedule position.
This negative value is the first indication that the project is experiencing problems.
SEA has found that the Earned Value (EV) schedule position is best used in conjunction with critical path methodology. If the late tasks are on or near the critical path, they become very important, because they will affect other areas of the schedule. If the late tasks have plenty of float or slack, are low risk, and are not on the critical path, they are only of interest as an indication to SEA that the work is behind the client’s original schedule.
SEA will verify the cost position by using the Earned Value minus the Actual Cost incurred to accomplish the Earned Value.
(EV) – (AC) = (CP)
“Cost overruns are very serious in that they are rarely (if ever) subsequently recovered by the project.”
If the result is negative, SEA will inform the client, and the client will notify the financial stakeholder that the construction project is overrunning its costs. Cost overruns are more serious than falling behind the client’s planned schedule, because in the end the schedule will eventually be recovered, while cost overruns are rarely (if ever) fully recovered.
“The importance of early detection of delay or problems cannot be overstated.”
Normal scheduling will require the project to be slightly front-end loaded in its early phases. If the project is overrun in the early stages, it will be hard for the project to recover in the later stages.
If the client’s project has an overrun in the early phases of the project, it will be difficult for the client to recover the overrun in the latter phases, when the plans, schedules, and budgets are more uncertain.
SEA can take the data from the Earned Value and convert it into efficiency factors, so that SEA can compare the efficiency of the current project against past projects and other current projects running worldwide. This (EV) evaluation will be a continuing information source for the client to spot-check the project’s efficiency. This is accomplished by SEA taking the Earned Value (EV) achieved in the project and dividing it by the Planned Value (PV) to determine the schedule efficiency factor, which SEA refers to as the Schedule Performance Index (SPI). Any SPI value less than 1.0 indicates that the client’s contractor is running behind the client’s planned schedule.
(EV) / (PV) = (SPI)
Watching the Progress
The following are methods that SEA employs to monitor the progress and watch for tell-tale signs of impacts that can affect the progress of the project.
PROCESS NO. 1
Require that the performing General Contractor (GC) provide a time-phased “Schedule of Values” in which the sum of the line items will add up to the total contract value. A time phased Schedule of Values provides the client with a simple form of Planned Value (PV) against which performance throughout the life of the project may be monitored and measured.
PROCESS NO. 2
Each month, as the General Contractor (GC) submits invoices reflecting the Actual Cost (AC) incurred, require that all contractors update their Schedule of Values to reflect a percent complete position, i.e., the Earned Value (EV) for the project. Thus, the client and/or SEA will have the means to monitor performance by comparing the Earned Value (EV) less the Planned Value (PV) to determine schedule inconsistency, and also Earned Value (EV) less Actual Cost (AC) to determine the cost variation.
PROCESS NO. 3
SEA will always monitor performance of both the cumulative SPI and CPI to compare results of one project to former projects and ongoing projects.
PROCESS NO. 4
SEA can continuously forecast the likely final costs on the project using a simple but accurate estimating technique (the total project budget divided by the cumulative CPI) to provide assurances that the project will be completed within acceptable cost risks to the client and the client’s financial stakeholder. Unacceptable risks would be any forecasted final position that exceeds the client’s projected available funds, or surpasses the Guaranteed Maximum Price.
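Processes 1 to 4 carried through on a constructed three-month Schedule of Values, as an added example that is not SEA's own tooling. The line items, invoice amounts (in thousands) and the Guaranteed Maximum Price are made-up values, and the function and field names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LineItem:
    name: str
    value: int            # contract value of this line (constructed, in $k)
    planned_pct: tuple    # time-phased plan: cumulative % complete per month
    reported_pct: tuple   # contractor's monthly update: cumulative % complete

def evm_report(schedule, invoices, gmp):
    """Cumulative EVM position per month, with an early-warning flag.

    invoices: Actual Cost (AC) invoiced in each month (not cumulative).
    gmp: Guaranteed Maximum Price the forecast is checked against.
    """
    budget = sum(item.value for item in schedule)   # total project budget
    rows, ac = [], 0.0
    for month, invoice in enumerate(invoices):
        ac += invoice                                # cumulative Actual Cost
        pv = sum(i.value * i.planned_pct[month] for i in schedule) / 100
        ev = sum(i.value * i.reported_pct[month] for i in schedule) / 100
        spi = ev / pv if pv else None                # (EV) / (PV)
        cpi = ev / ac if ac else None                # (EV) / (AC)
        # Process 4: total project budget divided by the cumulative CPI
        forecast = budget / cpi if cpi else None
        rows.append({
            "month": month + 1,
            "schedule_position": ev - pv,            # (EV) - (PV)
            "cost_position": ev - ac,                # (EV) - (AC)
            "spi": spi, "cpi": cpi, "forecast": forecast,
            "exceeds_gmp": forecast is not None and forecast > gmp,
        })
    return rows

def first_warning(rows):
    """First month in which the forecast final cost exceeds the GMP, or None."""
    return next((r["month"] for r in rows if r["exceeds_gmp"]), None)

# Constructed sample data: three line items that add up to a 1000 contract value
SCHEDULE = [
    LineItem("site work",   200, (50, 100, 100), (50, 90, 100)),
    LineItem("foundations", 300, (0, 50, 100),   (0, 30, 80)),
    LineItem("structure",   500, (0, 0, 20),     (0, 0, 10)),
]
INVOICES = [100, 200, 400]
GMP = 1200

if __name__ == "__main__":
    for r in evm_report(SCHEDULE, INVOICES, GMP):
        print(r)
```

In this data the schedule and cost positions turn negative in month 2, one month before the forecast crosses the Guaranteed Maximum Price.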
Different Applications for Different Contracts
The Earned Value (EV) that is employed on most construction projects is the progress payments paid to the contractors based on the demonstrated percentage of work completed. The work that was completed will also have to meet the authorized budget for that completed work. As stated before, SEA can easily establish the Earned Value (EV) baseline or Planned Value (PV) using one of two methods: “Schedule of Values” or “Critical Path Method (CPM) Schedule.” Just as SEA recommended for cost-type work, the Earned Value (EV) baseline, or Planned Value (PV), can be created with use of a “Schedule of Values,” which is time phased. The Schedule of Values can be updated monthly to reflect the measured Earned Value (EV) and used to authorize payments to the constructor.
SEA’s alternative to the “Schedule of Values” method would be the very effective method of using the “Critical Path Method Schedule” to establish an Earned Value (EV) baseline. This would be based on the General Contractor’s (GC) “Critical Path Method (CPM) Schedule” with resources embedded into the CPM network, the sum of which must add up to 100 percent of the contract value. SEA, using the client’s schedule software package, will have the ability to freeze this baseline. This position is the equivalent of a Planned Value (PV) baseline. Payments to the General Contractor (GC) will be made each month based on their reflected percentage completion, that is, their Earned Value (EV). Typically missing with fixed-price or lump-sum work, however, is the Actual Cost (AC) related to the Earned Value (EV) being measured. Without the Actual Cost (AC) related to the Earned Value (EV) achieved, SEA would lack the ability to determine the cost performance efficiency factors (the CPIs), which are likely the most important metric in Earned Value (EV) management. However, there may be a way to get the information needed to bring client risks down to acceptable levels, without invading the sacred cost ledgers of the client’s performing fixed-price General Contractor (GC).
Unless the work has been contracted as a cost-plus job, the general contractor and his subcontractors are very unlikely to fully disclose the real costs. These costs only come to the attention of the client when the contractors have started to incur a loss. The bigger the loss, the more unlikely it is that the contractor will complete the job. To mitigate risk to the client and the client’s financial stakeholder, SEA needs to know how to quantify potential supplier losses as early as possible.
PROCESS NO. 5
Require that all fixed-price contractors provide a financial projection of their anticipated costs incurred, to accompany their Planned Value (PV) projection contained within either the time-phased Schedule of Values or their client’s loaded CPM schedule. Such costs-incurred forecasts should resemble the “S” shaped curve. The “S” curve should show a slow beginning, a fast acceleration in the middle, and then a slow close-down to completion. Unless extenuating circumstances exist, all project expenditure profiles should resemble an “S” shaped curve. Anything other than an “S” curve might indicate that the cost projections may be front-loaded or that proper planning was not done by the contractor. Any indication that there is a problem in the performance of the contractor can cause a ripple effect throughout the project.
PROCESS NO. 6
As a condition of making monthly payments on a fixed-price contract, it should be required that the Chief Financial Officers (CFOs) of the client’s contractors “certify” each month that they have not exceeded their own financial forecast of costs incurred. However, if they have exceeded their own forecasted values, require that they also disclose the amount of their costs incurred, so that you can compare it to the Earned Value (EV) and quickly determine the amount of loss the contractors are experiencing.
By closely monitoring the relationship between Earned Value (EV) and Actual Cost (AC) incurred, even on fixed-price jobs, clients may use these data to monitor the project performance and take action early enough to mitigate the financial risks of projects. Although you may not eliminate such risks, possibly you may bring them down to acceptable levels.