Mathematical Approach to Security Risk Assessment

The goal of this paper is to provide a mathematical threat modeling methodology and a threat risk assessment tool that may assist security consultants in assessing the security risks in their protected systems/plants (nuclear power plants and stores of hazardous substances: explosive atmospheres and flammable and combustible gases and liquids, and so forth) and in building an appropriate risk mitigation policy. The probability of a penetration into the protected objects is estimated by combining the probability of the penetration by overcoming the security barriers with a vulnerability model. On the basis of the topographical placement of the protected objects, their security features, and the probability of the penetration, we propose a model of risk mitigation and effective decision making.


Introduction
The term physical protection of safety-critical objects represents a set of technical regime actions or organizational actions necessary to prevent the unauthorized actions performed with or in the objects (intrusion and sabotage) of critical infrastructure, such as nuclear facilities, power plants, transmission grids, drinking water supplies, storages of chemicals, oil pipelines and related facilities, and roads.
The infrastructure of developed countries is highly vulnerable and also highly interconnected. As the critical infrastructure is an international phenomenon, an attack on any state may result in the infrastructure failure at the regional level as well as at a broader international geographic level. Thus, various countries seek to harmonize their legal procedures in this paper, for example, H.R.3696: National Cybersecurity and Critical Infrastructure Protection Act of 2014 (USA) [1], Council Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection [2] and the associated legal acts of member states, and so forth.
Currently, increased attention is being paid to the safety of important objects. In the literature, we can find many different approaches to analyze and to solve the problem of assessing the threat for critical infrastructure.
For example, in the paper [3], the author presents new methodology and develops the strategy and solutions for vulnerability assessment to identify and understand the threats to and vulnerabilities of critical infrastructure.
In the work of Hromada and Lukas [4], the conceptual approach and the possible ways to develop a relevant framework for critical infrastructure protection to increase the resilience of its functional continuity are discussed.
Oyeyinka et al. [5] develop an analytical methodology for physical protection systems evaluation and their effectiveness.
The paper of Woo [6] serves as a dynamical quantification of the detection and action against the incidents using the Vensim simulation software.
As the testing and validating in real conditions are feasible only to a limited extent, the computer technique allows simulating different types of attempts to violate the protected area and thus revealing the hidden security vulnerabilities. A carefully designed model of the real examined environment filled with the correct data is essential.
The aim of the study is to propose algorithms enabling the users to analyze the probability of an intruder penetration to the protected object located in the area bounded by multilevel barriers with transition gates (Figure 1). The probability that the physical protection system prevents a hostile attack to finish an unwanted event is in the literature generally calculated as where PE is probability of total system effectiveness, PI is probability of interruption: the overall probability of the attack detection during its duration including the critical detection point (CDP) based on the principle of early detection and the concept of critical point detection, and PN is probability of neutralization: the probability that the corresponding force can prevent the completion of the malicious act, such as the theft of nuclear material or nuclear facility sabotage [7].
The term to neutralize means that the corresponding force stops the invader, occupies the object, or eliminates the hostile attack in another way (by causing the escape of the invader).
The principle of early detection is as follows: to interrupt the enemy attack before the requirement for the sabotage or theft is terminated. From the time of detecting the event, the reaction of the defense forces must be shorter in time than the time remaining for the completion of the enemy attack.
CDP is the last chance to detect the enemy attack. The time for the action is shorter than the time remaining for terminating the invader requirement [7].
In order to perform the intervention effectively, the early attack detection must be achieved at all possible paths to the target object.
On the basis of an extensive use of the principles of probability and the graph theory, the paper deals with the proposal of a mathematical model suitable for further computer processing. The mathematical model describes all the aspects of a real situation and creates an abstract view on the issue.
Based on the customer requirements, three scenarios have been developed:
(1) How far does the intruder penetrate into the object until the desired level of detection is reached?
(2) What is the distance between the intruder and the target when only the given time to the target is left?
(3) Does the intruder get into the target and out of it until the desired level of detection is reached?
All three scenarios allow for detecting the supposed position of the intruder if the input condition of the given scenario is met. The algorithms, called Alpha, Beta, and Gamma, were developed for individual scenarios and are listed in other parts of the paper, in Section 6.
An application with a graphical user interface was developed for the purposes of verifying the mathematical model and algorithms.
At the end of the study, we present one of the series of tests carried out for random models with different parameters, such as the number of barriers, gates, and detection probabilities.
To the best of our knowledge, no paper has focused on solving the specific tasks mentioned above, that is, the scenarios Alpha, Beta, and Gamma.

Definitions of Security Features and Nomenclature
In this section, we introduce the definitions of principal concepts used in this paper as follows:
(1) target object: TO (e.g., nuclear reactor);
(2) barriers: the continuous obstacles to penetrate into the protected object (e.g., a fence): Bar  ,  := 0, 1, . . ., , Bar  := an outer barrier, and Bar 0 := TO. The number of barriers #Bar  = ; with TO, we have ( + 1) barriers;
(3) Zone: the area between two consecutive barriers: Z  ,  := 1, 2, . . ., . The total number of the zones #Z  = ;
(4) Gates: inputs on the barriers: G
Remark 1. The reason for introducing the concept of R-gate is the need of implementing the calculations in real time by reducing the number of less probable paths of the intruder.
Remark 2. Obviously, R ,, = G , ,  = 1, . . ., . Therefore, in the process of implementing the algorithms (Section 6), we will denote the gates and the R-gates on the same barrier (say, ) consecutively and with two indexes only.

Probabilities of Detection during Penetration.
Let  +   denote the probability of detection of the subjects penetrating through the object  in the direction to the target object TO and  −   in the direction from the target object TO. Then, the probability of the penetration through the object  will be the probability of detection per second of the stay in the zone Z  .

Required Inputs and Outputs
(2) specifying V +  and V −  ,  = 1, 2, . . ., , the speed of the penetrating subject through the zone Z  towards/from the target object TO, respectively;
(3) the probabilities and times of the penetration through the protection elements;
(4) the possibility to switch off the selected security features: (a) if the barrier Bar  is switched off when moving inwards, then  +  Bar  = 1,  +  G , = 1,  +  R ,, = 1,  +  Z  = 1,  + Bar  = 0, and  + G , = 0,  + R ,, = 0,∀,, analogously when moving outwards

(1) For the given probability of the detection P , determine the set of points (and paths belonging to them) in which the probability level of the detection P is reached exactly.
(2) For the given time , determine the set of points (and paths belonging to them) by which the time for achieving the target object TO is equal to the time .
(3) For the given probability of the detection P , find the return paths (if any) with the probability of the detection lower than required (the return path is defined as the path starting at some point on the outer barrier Bar  , passing through TO, and ending on the outer barrier Bar  ).

Preliminary Calculations
Using the data specified in Sections 3.1, 3.2, and 3.3, we put together a mathematical model of the whole protected object. Obviously, these sensitive data require a high degree of confidentiality. In addition to these data, it is necessary to determine and calculate the following values.
(1) The target object TO is being translated into the origin [0, 0] of the coordinate system.
(3) The real position [, ] for each object  is being calculated using the map scale.
(5) Let  = (, ). Then, the time that the subject passes from the object  to the object  through the zone Z  at the rate V + is equal to  +  = /V +  . Similarly, the time that the subject passes from the object  to the object  through the zone Z  at the rate V − is equal to
Figure 2: Topographical placement of the target object and its security features.
(6) The probability of the detection of the subject moving through the zone Z towards TO is  +   = 1 − (1 −  +  Z)  +  and that in the direction away from TO is

Algorithms
Three cases of intrusion into the protected object, each handled by its own algorithm, are proposed and analyzed in this section. The Alpha analysis evaluates how far the intruder can penetrate for a set detection probability level. The Beta analysis evaluates the distance from the penetration spot to the target with respect to time. The Gamma analysis examines the possibilities of the intruder penetration into the target and out of the protected object based on the desired detection level.

6.1. Recursive Procedure, Path Alpha (Figure 10).
This subsection introduces the flowchart [8] for the Alpha analysis used for implementing the mathematical model into the software environment.
Path characterization is as follows: How far does the intruder penetrate into the object until the desired level of detection is reached?

6.2. Recursive Procedure, Path Beta (Figure 11).
In this subsection, we propose the flowchart implementing the mathematical model to the software environment with the purpose of examining the Beta path.
Path characterization is as follows: What is the distance between the intruder and the target, when only the given time to the target is left?

Recursive Procedures, Path Gamma (Figures 12 and 13).
The flowchart presented in this subsection was designed for the Gamma path and is supposed to examine the probability of the intruder penetration into and out of the object successfully.
Path characterization is as follows: Does the intruder get into the target and out of it until the desired level of detection is reached?
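The Alpha question can be made concrete with a short sketch. This is an added example, not the paper's flowchart or the authors' software: it walks every inward gate-to-gate path and returns the point at which the cumulative detection probability first reaches the required level. Gate names, coordinates, probabilities, speeds, and straight-line movement between gates are constructed assumptions, and the zone formula assumes the per-second detection probability compounds over the transit time.

```python
import math
from itertools import product

# Constructed sample model (not from the paper): barrier -> {gate: ((x, y), p_detect)}
GATES = {
    2: {"G2a": ((100.0, 0.0), 0.10), "G2b": ((0.0, -120.0), 0.30)},
    1: {"G1a": ((40.0, 0.0), 0.20), "G1b": ((0.0, -30.0), 0.20)},
}
# Assumed indexing: zone i lies just inside barrier i -> (p_detect per second, speed m/s)
ZONES = {2: (0.002, 2.0), 1: (0.010, 1.0)}
TO = (0.0, 0.0)  # target object placed at the origin

def zone_detection(p_per_s, seconds):
    """Detection probability over a zone transit: 1 - (1 - p)^t (assumed form)."""
    return 1.0 - (1.0 - p_per_s) ** seconds

def alpha_point(path, p_required):
    """Return (element, (x, y)) where cumulative detection first reaches
    p_required on this inward path, or None if TO is reached first."""
    survive = 1.0  # probability that the intruder is still undetected
    nodes = [GATES[b][g] for b, g in path]
    for k, ((b, g), (pos, p_gate)) in enumerate(zip(path, nodes)):
        survive *= 1.0 - p_gate  # discrete check while passing the gate
        if 1.0 - survive >= p_required:
            return g, pos
        nxt = nodes[k + 1][0] if k + 1 < len(nodes) else TO
        p_s, speed = ZONES[b]
        t_total = math.dist(pos, nxt) / speed
        after = survive * (1.0 - zone_detection(p_s, t_total))
        if 1.0 - after >= p_required:
            # Solve survive * (1 - p_s)^t = 1 - p_required for t, then interpolate.
            t = math.log((1.0 - p_required) / survive) / math.log(1.0 - p_s)
            f = t / t_total
            x = pos[0] + f * (nxt[0] - pos[0])
            y = pos[1] + f * (nxt[1] - pos[1])
            return f"Z{b}", (x, y)
        survive = after
    return None

def alpha_analysis(p_required):
    """Evaluate every inward path from the outer barrier to TO."""
    levels = sorted(GATES, reverse=True)
    paths = product(*[[(b, g) for g in GATES[b]] for b in levels])
    return {tuple(g for _, g in p): alpha_point(p, p_required) for p in paths}
```

A result of `None` for a path means the intruder reaches the target before the required detection level is met, which marks that path as the one needing additional sensors or delay.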

Application of Mathematical Model
In this section, we apply the proposed methodology to the fictitious model of the protected area.
Figures 2 and 3 show the topographical and schematic placement of the target object and its security features, respectively. The symbols used in Figures 2-9 are explained in Table 1.
Table 1: Explanatory notes to the schemes (symbols for: fence; path in the direction to target object; path in the direction from target object).
Tables 2 and 3 refer to the parameters of gates and zones, respectively.

Conclusions
The submitted study analyzes the alternatives of the intruder penetration into the protected area by processing the data describing the detection capabilities in overcoming the transition gates and barriers or moving through the area. The solution relevance is closely related to the accuracy of the input data.
A mathematical view of the studied issue created an abstraction serving as a basis for the model and algorithm proposal. The computer technology must be involved due to the number of combinations arising in the model transition. Therefore, the user interface, suggesting the design of application assisting in the processing of the issue, was proposed. The subsequent implementation was necessary in order to verify the correctness of the mathematical model, the functionality of the proposed algorithms, and the applicability and intuitiveness of the designed user interface.
From the performed tests, it can be concluded that the proposed algorithms are functional and are able to achieve the desired results. The tests also highlight the problem of an exponential increase of path alternatives after increasing the number of barriers and gates. It will be necessary to establish criteria for filtering out the uninteresting intrusion paths. A significant reduction in the total number of paths is required for the postprocessing of results by a human.

Figure 1: Sketch of the protected area with security features showing one of the possible intruder's paths to the target object.

4.1. Inputs into the Mathematical Model. The necessary inputs into the mathematical model are the following:

Figure 3: Schematic placement of the target object and its security features.
, , it is the connection of the target object TO and the gate G , , and then the R-gate R ,, lies on the intersection of  , and Bar  .The total number of the R-gates is : R ,, ,  := 1, 2, . . ., ,  := 1, 2, . . .,   , and  := 1, 2, . . ., , which is a physical place on the half-line  , lying on the barrier Bar  .Thus, if  , = TO−G the zone Z  is switched off when moving inwards, then  +  Z  = 1, analogously when moving outwards  −  Z  = 1.

Table 2: The gate parameters (an example).