The Vulnerability Continuum Prescriptive Assets Method - - PowerPoint PPT Presentation

the vulnerability continuum
SMART_READER_LITE
LIVE PREVIEW

The Vulnerability Continuum Prescriptive Assets Method - - PowerPoint PPT Presentation

Mar 09, 2023 41 likes •205 views

Malcolm Baker Jeremy Edwards Robert Rodger Kevin Thompson Jonathan Scott The Vulnerability Continuum Prescriptive Assets Method Neutralisation Analysis Qualitative Threats Method Table-top Exercises Adversary Vulnerability Sequence

slide-1
SLIDE 1

The Vulnerability Continuum

Malcolm Baker Jeremy Edwards Robert Rodger Kevin Thompson Jonathan Scott

Assets Threats Vulnerability and Risks Protection System Systematic Approach Prescriptive Method Qualitative Method Adversary Sequence Diagrams Pathway Models Modelling and Simulation

Neutralisation Analysis

Table-top Exercises Live Play Exercises Conclusions

slide-2
SLIDE 2

Assets

What are you trying to protect (what are the possible targets)?

  • People
  • Nuclear Material
  • Other Radioactive

Materials

  • Structures, Systems and

Components

slide-3
SLIDE 3

Threats

Design Basis Threat

Malicious Capabilities Potential Adversarial Forces Scenarios

slide-4
SLIDE 4

Vulnerability and Risks

Adversary Response

slide-5
SLIDE 5

Physical Protection System (PPS)

  • Designed to address

vulnerabilities and manage risk

  • Assessment can be difficult
  • Subjective
  • Many methods
  • When is it “good enough?”

Image Credit; Tom Olzak (TechRepublic)

slide-6
SLIDE 6

Systematic Approach

Information, Assessment, Decision and Process Categorise Assets for Theft and Sabotage Identify requirements for:

Delay; Detect; Assess; Control of Access; and Insider Mitigation

Design including Performance Specification Vulnerability Assessment

slide-7
SLIDE 7

Prescriptive Methods

Checklist approach (NSS11, Appendix 4)  Very simple  No expertise required  Quick and Inexpensive  Repeatable  Can include non-quantitative aspects (Security Management etc.) Χ No quantification Χ Is that equipment good enough? Χ No scoring – pass or fail “So you have a gate?”…

Image Credit; Newgate UK Image Credit; Wikimedia Commons

slide-8
SLIDE 8

Qualitative Methods

Software Questionnaire (Automated Questionnaire with scoring)  Easy to use  No expertise required  Quick and Inexpensive  Repeatable  Can test non-quantitative aspects Χ Arbitrary quantification and scoring Χ Subjective (is that a 3 or a 4?)

Image Credit; MISCW.com

slide-9
SLIDE 9

Adversary Sequence Diagrams

 Customisable – can be simple

  • r complex

 Quantifies Delay vs. Response  Predominantly user driven  Route comparison/assessment  Understanding of PPS χ Data dependent χ No consideration of e.g. security management χ Transit delays difficult to reconcile χ Requires some expertise χ Takes longer than Prescriptive/Qualitative

Image Credit; M. L. Garcia Image Credit; S Bassam

slide-10
SLIDE 10

Pathway Methods

Simple Pathway  Customisable – can be simple or complex  Quantifies Delay vs. Response  Scenario based  Route comparison/assessment  Understanding of PPS χ Data dependent χ No consideration of e.g. security management χ Requires expertise χ Takes longer than Prescriptive/Qualitative

Image Credit; IAEA NUSAM

slide-11
SLIDE 11

Modelling and Simulation

Pathway/Scenario Tools (e.g. AVERT, Simajin)  Detailed pathway analysis  Highly quantitative  Thorough assessment of PPS  Repeatable  Modifiable Χ Expensive Χ Time consuming Χ Requires significant expertise Χ Needs high volume of data Χ No qualitative assessment

Image Credit; Rhinocorps Image Credit; Ares Corp

slide-12
SLIDE 12

Neutralisation analysis (ConOps)

 Customisable – can be simple or complex  Specialist input  Consideration of expected human responses  Consideration of security management  Understanding of PPS χ Potential for confirmation bias χ Requires significant expertise and knowledge χ Rarely accounts for human error

slide-13
SLIDE 13

Table-top Exercises

 Customisable – can be simple or complex  Specialist input  Some consideration of expected human responses  Some consideration of security management  Understanding of PPS and response force  Easily re-run χ Potential for confirmation bias χ Requires some expertise and knowledge χ Rarely accounts for human error χ Force on Force interactions may benefit first action

slide-14
SLIDE 14

Live Play Exercises

 Customisable – can be simple

  • r complex

 Specialist input  Consideration of expected human responses  Consideration of security management  Understanding of PPS and response χ Expensive to organise and run χ Potential for confirmation bias χ Requires significant expertise and knowledge χ Limited repeatability

slide-15
SLIDE 15

Conclusions

There are many ways to assess the performance of Physical Protection Systems Each has their own strengths (cost, scope, schedule, detail) but also their own weaknesses (depth, coverage, completeness) Some require considerable investment in preparation for the assessment to maximise the value of the output No individual method will be all encompassing No method will ENSURE that the system will perform as expected when challenged for ‘Real’