Using Simplified Metrics for Cost-Benefit Analysis (CBA) and Pareto Optimality in Physical Security Concepts

Critical infrastructures (CRITIS), as the backbone of our society, must be safeguarded against attacks through effective security measures. Since implementing such measures often entails significant costs, it is essential to provide tools that enable operators to make well-informed decisions based on objective analyses. A sound decision, from the operator's perspective, balances the costs of investing in security measures with benefits such as risk reduction. Quantitative metrics are a widely used tool in CRITIS risk assessment, valued for their ability to deliver objective, comparable, and reproducible results. However, these metrics can be challenging for users and decision-makers to manage, especially when quantitative data is unavailable or in instances where only a rudimentary assessment is requested. A simpler alternative is scoring, which categorizes security contributions using expert knowledge. Yet, due to the inherent uncertainty of scoring, it becomes crucial to determine the conditions under which cost-benefit analyses (CBA) can yield results comparable to those of quantitative assessments. This paper builds on prior work by Termin et al. (2024, a) and Witte et al. (2024), demonstrating how scoring-based assessments of physical vulnerability can be adapted to assess potential attack paths within an exemplary series-connected barrier topology. This approach aims to identify Pareto-optimal configurations of security measures. Ultimately, it is expected that this straightforward scoring-based methodology will assist users in optimizing physical security concepts more effectively.

Keywords: Metrical analysis, Physical security, Vulnerability analysis, Decision-making, Generic approach.