Physical security engineering is the design of protective system for critical resources and targets against attack, sabotage, and theft using a set of security countermeasures (Hay 2001).
It deals with the development of detailed engineering plans for the implementation of security countermeasures using different analysis techniques such as risk assessment, cost-benefit analysis, and space planning (Demkin 2004). Security countermeasures are implemented in zones and layers that collectively deter, detect, delay, and detain any intruders or attackers breaching for protected assets. The following subsections describe in more details previous research studies and developments in the domain of physical security engineering.
Grassie et al. (1990) proposed a Structured Countermeasure Selection Process (SCSP) in order to help security system designers to select the economical implementation of different security countermeasures considering existing threats and limited budgets. The developed
system is designed to help decision maker to select best countermeasure options of security system main components: physical barriers, detection equipments, communication systems, security personnel, and security procedures and policies. SCSP involves six main steps: (1) identify assets; (2) determine criticality of assets; (3) determine threats; (4) determine modes of attacks; (5) determine vulnerability; and (6) determine required protection. Security countermeasures in the proposed process are divided into three groups: asset-specific, facility-specific, and site-specific countermeasures. Security designer selects required countermeasures considering the overall cost of the system that is the cost summation of all countermeasures. The cost effectiveness of each countermeasure is calculated considering different lifecycle costs of installation, operation, and maintenance.
Comparative Layout Analysis for Secure Fences (CLASP) is a mathematical model that was developed to assist security designers and practitioners to evaluate and compare a set of possible alternatives for security fences in terms of performance and cost (Tarr 1992; Tarr 1994; Tarr and Peaty 1995). Security fences are evaluated by CLASP using six performance metrics: detection, intervention, worst intervention, false alarms, capital cost, and equivalent annual cost. Intervention calculation is the core part of CLASP that calculates the chance of detaining an attacker given a specific set of barriers, alarm systems, response force, and site layout. CLASP calculates intervention probability based on the three security functions of detecting the attackers by the intrusion detection systems; delay them by fence barriers; and detaining them by the response force. The model relates these three “D” functions in a mathematical formulation based on the assertion that the intervention can only happen if the attacker is detected and the response time is less than the delay time. CLASP is designed to
consider different types of attack styles (cutting, ladder, rope, etc) as well as the existence of different segments design in the same security fence.
Bilbao (1992) developed a risk analysis model for security designers to evaluate different types of risks utilizing fault tree analysis and fuzzy set operations. First, major risks against an asset are identified such as burglary and theft. Second, each major risk is decomposed into its simple risks that represent occurrence prerequisites such as window penetration or fence jumping. Simple risks are connected to their major risks using fault trees representation through AND-gates and OR-gates. Similarly, simple risks can be broken down into its sub-risks until basic criminal actions are reached with measurable occurrence probability (P) and consequences (T). Third, fuzzy sets are used to represent occurrence probabilities and the consequences of the simple risks in the modeled fault tree. Fourth, occurrence probability and consequence of each risk in a specific level of the fault tree are calculated based on its simple risks and the type of relation (AND-gate or OR-gate) using fuzzy set operations.
These fuzzy set operations are performed until the P and T parameters are obtained for the major risks in the system. Finally, the severity of each major risks R is obtained as a fuzzy set using P and T parameters calculated in the previous step. The severity of each major risk is compared to five predefined fuzzy patterns of risks (from very low, low, medium, high, and very high) in order to determine the representing pattern using a fuzzy set parameter called Euclidian distance.
In another study, Strutt et al. (1995) developed a security risk assessment methodology to analyze the adequacy and compatibility of security countermeasures and quantitatively asses the probability of successful completion of predefined attacker’s mission. The proposed
methodology involves three main phases: (1) data collection, (2) protection analysis, and (3) summarizing and reporting. First, all available data are collected including possible threats, attack objectives or targets, attack frequency, attacker competence, and consequences for each threat/objective combination. Second, protection analysis is performed to calculate the probability of successful attacks for each threat/objective combination. The physical representation of the system in this analysis involves a set of barriers around attack objectives and paths that intruders can take to reach their objectives and/or escape. The probability of successful attacks is calculated in the analysis phase considering barriers negotiation times, intrusion an escape paths, and reaction time for response forces. Finally, the output of the previous phase is used to perform cost/benefit analysis to compare between the costs and risk mitigation for different options of the security system.
Cost and Performance Analysis (CPA) model is a decision support system for security practitioners, which integrates activity-based cost estimation and performance-based analysis of physical security systems (Hicks et al. 1998; Hicks et al. 1999). CPA consists of two major modules: cost analysis tool for security system (CATSS) and performance module (PERFORM). CATSS is built around another tool called ACEIT (Automated Cost Estimating Integrated Tools) that supports lifecycle cost analysis considering installation, operation, maintenance, and demolition costs. PERFORM is a post-analysis module that integrates the results of security computer applications such as ASSESS (Analytic System and Software for evaluating Safeguards and Security) and JTS (Joint Tactical Simulation).
The performance of a physical security system is quantified using a probabilistic metric that depends on two main factors: (1) probability of interruption (PI) and (2) probability of neutralization (PN) for each attacker/response force combination. Probability of interruption
(PI) is a function of the detection probabilities and delay times on different paths in the system as well as the required time for the response force to interrupt the intruder. Based on the results of CATSS and PERFORM modules, cost/benefit analysis is performs in a way that correlates costs with probabilistic performance metrics in order facilitate operational and strategic decision of the security system designer.