Security Measure Vulnerabilities and Weaknesses: How Do We Know Which to Fix First?

Once you have identified all the weaknesses and vulnerabilities in a site’s physical protection system, how do you know which ones should be fixed first, and second, and third, etc.?

I’ve been experimenting with four-quadrant matrices, and I came up with this concept. We’ll start with definitions, then show the matrix, then some additional guidance. (Underlined words are listed in the definitions.)

Definitions

AOO – asset owner/operator.  The organization or its representative who makes operational and budgetary decisions related to the site, or asset.

Exploitable - refers to the potential for the W/V to be used to increase the chances of success of an attack that could achieve one or more of the unacceptable consequences as expressed by the AOO.  For example, a W/V that allows an intruder to access a critical asset is more exploitable than a W/V that allows access to something of lesser importance.  In short, it’s on the attack path to achieving an unacceptable consequence.  (See Non-Exploitable.)

Insider - someone who has direct knowledge of a site, of the kind that a person who has visited the site would have.  This includes employees, including ex-employees; contractors; and visitors.

Non-Exploitable - refers to the potential for the W/V to be used in an attack that does not include unacceptable consequences amongst the potential outcomes.  An example of this would be using copper grounding straps on a chain-link fence: it is a weakness that is easily exploitable, but the consequences of the loss of the straps are low and are likely unrelated to the unacceptable consequences for the site.  Its priority would therefore be less than a measure directly protecting a critical asset (an attack on which would likely be considered an unacceptable consequence). (See Exploitable.)

Observable - refers to a weakness or vulnerability (W/V) that is visible from outside the perimeter or documented on the internet.

Outsider - someone whose knowledge of the site extends only to what they can see through direct observation from outside the secure perimeter or what they can learn from the internet, and who does not have authorized access to the site.

Physical Protection System (PPS) – the collection of technology, personnel, policies, and procedures that work together to prevent the site from suffering one or more unacceptable consequences of an attack.  This definition should be interpreted as widely as possible and can include everything from secure fencing to human resource policies to liaison activities with local law enforcement.  The PPS does not include resources that the organization does not control.  For example, a neighbouring facility might use a mobile patrol that uses a shared access road, but as you do not control or communicate with the patrol you cannot count it as part of your PPS.

Security Measure – an activity, technology, policy, or procedure that contributes to the management of risk and ensuring a secure environment.  (See Physical Protection System (PPS).)

Site – the asset protected by the PPS.  An attack on the site could have the potential of achieving one or more of the unacceptable consequences.

Unacceptable Consequence - an attack outcome that is considered so grave that an AOO is willing to expend money to avoid.  Preventing these consequences is the purpose of the PPS.

Upgrade – in the context of a PPS, it refers to the mitigation of a W/V through the addition of a new security measure or the improvement of an existing one.

Video Surveillance System (VSS) – a network of cameras, monitors, recording devices, and other supporting sensors and software that provide an operator with a visual image of the area that the system covers.  A VSS can be monitored in real time to provide detection and assessment capability to the PPS, or it can simply record all activity for use later in an investigation of the attack. 

Vulnerability (V) - a gap in the PPS that could be exploited by an adversary in an attack. 

Weakness (W) - an inadequate security measure in the PPS that could be exploited by an adversary in an attack.

W/V – weakness and/or vulnerability

How to use this matrix:

List all vulnerabilities and weaknesses in their appropriate quadrants.

Re-order within quadrants by potential severity of consequence: those W/V that would directly support an attack that achieves one or more unacceptable consequences would have a higher priority.

Treat W/V in the order of Q1, Q2, Q3, Q4.  Again, exercise judgment.

Additional Guidance

Consider treating vulnerabilities before weaknesses because they represent a gap in the PPS.  Weaknesses represent an inadequate security measure (such as a fence in poor condition), but there is at least something – it’s just not as good as it should be.  This is not a hard and fast rule: as with all things, exercise judgment.  There may be vulnerabilities of lesser consequence than a weakness.

Q2 security measures are exploitable but not observable from outside the site or organization.  If one is exploited, it will likely be by an Insider.  If possible, Insider security measure upgrades should be referred to the company insider threat risk mitigation team for mitigation.
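The quadrant sort described above, written out as an added worked example (this is not code from the original post). It assumes Q1 = exploitable and observable, Q2 = exploitable but not observable (per the guidance above), and that Q3 = non-exploitable but observable and Q4 = neither, which is my assumption about the lower two quadrants; the findings in SAMPLE are constructed, using the post's own examples where possible.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    kind: str          # "V" (gap in the PPS) or "W" (inadequate security measure)
    exploitable: bool  # on an attack path to an unacceptable consequence
    observable: bool   # visible from outside the perimeter or documented online
    severity: int      # 1 (low) .. 5 (high): judged consequence if exploited

def quadrant(f: Finding) -> int:
    # Q1/Q2 follow the post; the Q3/Q4 split is an assumption (observable first).
    if f.exploitable:
        return 1 if f.observable else 2
    return 3 if f.observable else 4

def priority_key(f: Finding):
    # Sort order: quadrant, then higher severity first, then V before W as a
    # tie-breaker only (the post notes a V may matter less than a W).
    return (quadrant(f), -f.severity, 0 if f.kind == "V" else 1, f.name)

def prioritize(findings):
    return sorted(findings, key=priority_key)

def needs_insider_referral(f: Finding) -> bool:
    # Q2 items are most likely to be exploited by an Insider.
    return quadrant(f) == 2

# Constructed sample findings (hypothetical site).
SAMPLE = [
    Finding("No two-person rule for after-hours critical asset access", "V", True, True, 5),
    Finding("Perimeter fence in poor condition", "W", True, True, 4),
    Finding("Copper grounding straps on chain-link fence easy to remove", "W", False, True, 1),
    Finding("Interior VSS blind spot outside server room", "W", True, False, 4),
    Finding("Visitor badges not collected at exit", "V", True, False, 3),
    Finding("Staff parking lot lighting schedule not documented", "W", False, False, 2),
]

def upgrade_plan(findings=SAMPLE):
    """Return the prioritized list of upgrades as numbered lines."""
    plan = []
    for rank, f in enumerate(prioritize(findings), 1):
        note = " (refer to insider threat team)" if needs_insider_referral(f) else ""
        plan.append(f"{rank}. Q{quadrant(f)} {f.kind} sev{f.severity}: {f.name}{note}")
    return plan

if __name__ == "__main__":
    print("\n".join(upgrade_plan()))
```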

Why would #3 be in the first quadrant? How would an outsider know that there was no 2-person rule for critical site access after hours? Because this is the kind of information they are looking for when doing pre-attack surveillance of the site.

You’ll notice that if you can figure out the Word formatting of the numbered items, you will end up with a prioritized list of upgrades.

This is experimental. The most important thing to remember is to use it as a guide: not as a rule. Always exercise your judgment in security matters: that’s why they call it a profession.

Please let me know what you think.