Violence, vandalism, and terrorism are prevalent in the world today. Managers and decision-makers must have a reliable way of estimating risk to help them decide how much security is needed at their facility. A risk assessment methodology has been refined by Sandia National Laboratories to assess risk at various types of facilities including US Mints and federal dams. The methodology is based on the traditional risk equation:
$$\text{Risk} = P_A \times (1 - P_E) \times C,$$
where
$P_A$ is the likelihood of adversary attack,
$P_E$ is security system effectiveness,
$1 - P_E$ is adversary success, and
$C$ is consequence of loss to the attack.
The process begins with a characterization of the facility including identification of the undesired events and the respective critical assets. Guidance for defining a design basis threat is included, as well as for using the definition of the threat to estimate the likelihood of adversary attack at a specific facility. Relative values of consequence are estimated. Methods are also included for estimating the effectiveness of the security system against the adversary attack. Finally, risk is calculated. In the event that the value of risk is deemed to be unacceptable (too high), the methodology addresses a process for identifying and evaluating security system upgrades in order to reduce risk.
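The calculation and upgrade evaluation described above, as an added Python illustration that is not part of the original paper. The event names, the input values, the acceptable-risk threshold and the upgrade options are all constructed, and solving the risk equation for the minimum effectiveness is an added step.

```python
from dataclasses import dataclass

@dataclass
class UndesiredEvent:
    name: str
    p_attack: float      # likelihood of adversary attack, 0..1
    p_effective: float   # security system effectiveness, 0..1
    consequence: float   # relative consequence of loss, 0..1

    def risk(self, p_effective=None):
        """Risk equation: attack likelihood * adversary success * consequence."""
        pe = self.p_effective if p_effective is None else p_effective
        for v in (self.p_attack, pe, self.consequence):
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{self.name}: inputs must lie in [0, 1]")
        return self.p_attack * (1.0 - pe) * self.consequence

def required_effectiveness(event, acceptable_risk):
    """Smallest effectiveness that brings the event down to acceptable_risk."""
    exposure = event.p_attack * event.consequence  # risk with no protection
    if exposure <= acceptable_risk:
        return 0.0
    return 1.0 - acceptable_risk / exposure

def assess(events, acceptable_risk, upgrades):
    """Rank events by risk; list the candidate upgrades that make risk acceptable.
    upgrades maps event name -> [(label, effectiveness after upgrade), ...]."""
    report = []
    for ev in sorted(events, key=lambda e: e.risk(), reverse=True):
        sufficient = [label for label, pe in upgrades.get(ev.name, [])
                      if ev.risk(pe) <= acceptable_risk]
        report.append({"event": ev.name, "risk": ev.risk(),
                       "acceptable": ev.risk() <= acceptable_risk,
                       "required_pe": required_effectiveness(ev, acceptable_risk),
                       "sufficient_upgrades": sufficient})
    return report

# Constructed sample data (hypothetical facility, not from the paper).
EVENTS = [UndesiredEvent("Perimeter vandalism", 0.8, 0.3, 0.05),
          UndesiredEvent("Vault breach", 0.5, 0.6, 0.9),
          UndesiredEvent("Control room sabotage", 0.2, 0.5, 1.0)]
UPGRADES = {"Vault breach": [("added delay barrier", 0.75),
                             ("barrier plus faster response", 0.9)],
            "Control room sabotage": [("added sensors", 0.7)]}

if __name__ == "__main__":
    for row in assess(EVENTS, acceptable_risk=0.08, upgrades=UPGRADES):
        print(row)
```
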
Risk assessment
Physical security
Vulnerability analysis
Security effectiveness
Consequence
Likelihood of attack
Note: Each critical infrastructure (CI) follows a RAM process developed specifically for that CI.
This white paper provides a general discussion of the RAM approach and does not address the differences between the different RAMs.
Analysis Methodology
An analysis methodology has been used to assess the vulnerability of physical protection systems for facilities. Figure 1 describes the order and sequence of the seven basic steps of the methodology.
1. Facility Characterization