RISK-BASED SECURITY COST-BENEFIT ANALYSIS: METHOD AND EXAMPLE APPLICATIONS

Year: 2011

Author(s):
Gregory D. Wyss - Sandia National Laboratories
Consuelo Silva - Sandia National Laboratories
John Clem - Sandia National Laboratories
John Hinton - Sandia National Laboratories

Abstract
Decision makers wish to use risk-based cost-benefit analysis to prioritize security investments. However, strong nonlinearities in the most common physical security performance metric make it difficult to use in cost-benefit analysis. This paper extends the definition of risk for security applications and embodies this definition in a new but related security risk metric based on the degree of difficulty an adversary will encounter to successfully execute the most advantageous attack scenario. Development of such a metric requires comparing and aggregating the relative difficulty for disparate adversaries to acquire the requisite resources and effectively employ them against specific targets. This metric is compatible with traditional cost-benefit optimization algorithms, and will enable decision makers to provide objective and unbiased justification for investment decisions that are intended to balance competing security interests (e.g., multiple facilities), resulting in more robust and cost-effective security systems. This paper summarizes the theory behind this new method and illustrates the metric through the use of examples.