Efficient risk evaluation methodologies can be the cornerstone of improving the protection of all programs and institutions. The wide range of risk assessment methods employed across different critical infrastructures supports this reasoning. Applying risk assessment procedures is indispensable for identifying threats, assessing vulnerabilities and evaluating security systems while accounting for the probability of occurrence of any threat. Many meaningful risk assessment methodologies can be used to assess risk at a maximum-security facility. However, this paper will focus on the main critical approaches. The core risk assessment methods that this paper examines are what-if analysis, the checklist, the hazard and operability study (HAZOP), failure mode and effect analysis (FMEA), and fault tree analysis (FTA).
Keywords: Maximum Security, Vulnerability, Methodologies
In physical security, maximum security is the highest level, level five. At this level, a system is intended to identify, evaluate, deter, and counter any unauthorized activity, both internal and external. According to Fennelly (2013), such a system has measures characterized by sophisticated, state-of-the-art alarm systems that are too powerful for a lone individual to defeat. They are remotely monitored in one or more protected locations. They have tamper indication and a backup power source. In addition, these systems are under 24-hour screening by armed on-site response personnel who are ready to neutralize any threat. This paper is dedicated to studying risk assessment in such systems using the risk assessment methodologies.
What If Analysis
The assessment involves brainstorming what-if scenarios to identify possible hazardous activities, their causes, outcomes, and prevailing barriers, and then suggesting alternatives that can be implemented to reduce that risk (Rausand, 2013). For instance, what if response teams are compromised, or what if all the teams are attacked with hazardous gases? From such questions, management can think of air support, gas masks, etc.
The checklist is a useful method for determining risks based on experience obtained from past risks or from risks that have materialized elsewhere in similar facilities (Talabis & Martin, 2013). For instance, in maximum security, management can keep a checklist for verifying that all the physical controls are in place and that everything is functioning correctly. For example, are all cameras and locks functioning? Are all network scans in place? Are rescue teams, etc., in place?
Combination of Checklists and What-If Analysis
Checklist and what-if analysis are combined to maximize security. What-if analysis creates the risk scenarios, and management creates a security measure for each scenario. Once that measure has been created, it is added to the checklist, where it can be monitored together with the other measures.
Hazard and Operability Study (HAZOP)
This methodology qualitatively identifies risks or operational complications that may result from deviations from the established rules, conditions or security process (Wei, Matsubara & Takada, 2016). The fundamental principle of HAZOP methodologies holds that hazards happen when people deviate from the standard or expected actions. An example of a deviation-focused activity in security is penetration testing. Such a test can aim to uncover weaknesses by assuming suspected security flaws and thinking of methods for neutralizing the vulnerabilities.
Failure Mode and Effect Analysis (FMEA)
FMEA is a structured methodology that examines failure modes and the impact they can have on security. The method aims to spot possible weaknesses in the system and correct them. According to Schmittner, Gruber, Puschner & Schoitsch (2014), the US Department of Defense used FMEA in 2005 to improve the efficacy and reliability of its military equipment. In maximum security, FMEA can be applied to check the reliability of hardware and software such as cameras, locks, automatic gates, etc.
Fault Tree Analysis (FTA)
FTA refers to static methodologies that logically model, analyze, display and evaluate failure paths within a security system (Kornecki & Liu, 2013). In maximum security, FTA uses deductive techniques: it postulates a sophisticated mishap and then tries to find the weaknesses in the system, activities or component performance that contribute to such a mishap.
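As an added illustration (not part of the original paper), the following Python example evaluates the failure paths of a fault tree by computing its minimal cut sets, the smallest combinations of basic failures that cause the top-level mishap. The tree structure, the event names and the assumption that a total power loss defeats both barriers and detection are constructed for this example.

```python
from itertools import product

# Constructed fault tree (an assumption for illustration, not from the paper).
# A leaf is a basic-event name; a gate is (kind, children) with kind AND / OR.
POWER_OUT = ("AND", ["main_power_loss", "backup_power_failure"])
BARRIER_FAILS = ("OR", [("AND", ["lock_failure", "automatic_gate_failure"]),
                        POWER_OUT])
DETECTION_FAILS = ("OR", [("AND", ["camera_failure", "alarm_failure"]),
                          POWER_OUT])
# Top event: an intruder passes the barriers AND is not detected or countered.
TOP_EVENT = ("AND", [BARRIER_FAILS,
                     ("OR", [DETECTION_FAILS, "response_team_compromised"])])


def cut_sets(node):
    """Return every set of basic events that is sufficient to cause `node`."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind, children = node
    child_sets = [cut_sets(child) for child in children]
    if kind == "OR":    # any one child failing is enough
        return set().union(*child_sets)
    if kind == "AND":   # every child must fail: merge one cut set per child
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate type: {kind}")


def minimal_cut_sets(node):
    """Drop cut sets that strictly contain a smaller cut set (absorption)."""
    sets = cut_sets(node)
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted((sorted(s) for s in minimal), key=lambda s: (len(s), s))


def single_points_of_failure(node):
    """Basic events that cause the top event on their own."""
    return [s[0] for s in minimal_cut_sets(node) if len(s) == 1]


if __name__ == "__main__":
    for events in minimal_cut_sets(TOP_EVENT):
        print(len(events), "events:", ", ".join(events))
    print("single points of failure:", single_points_of_failure(TOP_EVENT))
```

In this constructed tree the shortest failure path is the loss of main and backup power together, which is why the backup power source and its tamper indication deserve the closest checklist attention.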
Fennelly, L. (2013). Effective physical security (2nd ed.). Waltham, Mass.: Butterworth-Heinemann.
Kornecki, A., & Liu, M. (2013). Fault Tree Analysis for Safety/Security Verification in Aviation Software. Electronics, 2(1), 41-56. http://dx.doi.org/10.3390/electronics2010041
Rausand, M. (2013). Risk Assessment. New York, NY: John Wiley & Sons.
Schmittner, C., Gruber, T., Puschner, P., & Schoitsch, E. (2014). Security Application of Failure Mode and Effect Analysis (FMEA). Lecture Notes In Computer Science, 310-325. http://dx.doi.org/10.1007/978-3-319-10506-2_21
Talabis, M., & Martin, J. (2013). Information security risk assessment toolkit. Amsterdam: Elsevier.
Wei, J., Matsubara, Y., & Takada, H. (2016). HAZOP-Based Security Analysis for Embedded Systems: Case Study of Open Source Immobilizer Protocol Stack. Recent Advances In Systems Safety And Security, 79-96. http://dx.doi.org/10.1007/978-3-319-32525-5_5