Year
2009
Abstract
Decision-makers cite the need to perform risk-based cost-benefit analyses to prioritize security investments. But the most common performance metric for physical security systems is poorly suited to cost-benefit analysis because comparable changes in adversary characteristics can produce dramatically different changes in the metric and lead the decision-maker toward biased or questionable investment decisions. This paper describes ongoing work to define a new physical security effectiveness metric based on the resources required for an adversary to be successful when executing his or her most advantageous attack scenario. This metric is compatible with traditional cost-benefit optimization algorithms, and can enable the development of an objective risk-based cost-benefit method that will enable security investment option prioritization. It also enables decision-makers to more effectively communicate the justification for their investment decisions with stakeholders and funding authorities.