Risk-Informed Management of Enterprise Security: Methodology and Applications for Nuclear Facilities

Decision makers wish to use risk analysis to prioritize security investments. However, understanding security risk requires estimating the likelihood of attack, which is extremely uncertain and depends on unquantifiable psychological factors like dissuasion and deterrence. In addition, the most common performance metric for physical security systems, “probability of effectiveness at the design basis threat” [P(E)], performs poorly in cost-benefit analysis. This makes it difficult to prioritize investment options on the basis of P(E), especially across multiple targets or facilities. To overcome these obstacles, work at Sandia National Laboratories has developed a risk-informed security analysis method. This methodology, Risk-Informed Management of Enterprise Security (RIMES), characterizes targets by how difficult it would be for adversaries to exploit each target’s vulnerabilities to induce consequences. Adversaries generally have success criteria (e.g., adequate or desired consequences and thresholds for likelihood of success), and choose among alternative strategies that meet these criteria while considering their degree of difficulty in achieving their “successful” outcome. RIMES has been applied to evaluate the theft and sabotage risks for two types of nuclear fuel cycle facilities – used nuclear fuel (UNF) storage and small modular reactors (SMRs).