Journal of Physical Security 7

!
"#$% '( )'*+%*+,

!"#$%&' ") *+,-./&' 01/#$.2,3 4"'#51 67893 8:;<

!"#$%&'( *%++,-$(. /01,( #2#3
40/,& 5 2 67 80#" 0-" 79 60((,:. ;4&,<#+#-0&= 4<0- :%& >,?#,@#-1 $A, 4A=(#B0<
4&%$,B$#%- %: 6CB<,0& D0B#<#$#,( #- !1=/$E. /01,( 5255

40/,& F 2 6 G,&0% 0-" 7 HCICJ#. ;K 4&%L0L#<#($#B !3$,-(#%- %: $A, !KHM 7%",<E. /01,( 5F2
FN
40/,& O 2 7* !BA,$0. PK Q#+. RQ R=,=#-J0. 0-" KR SC=,. ;44H !?0<C0$#%- %: K- R#<
>,:#-,&= T(#-1 !"#$ 7%",<E. /01,( OU2V5
40/,& V 2 W 6J%+. MM DC-$C0. 0-" PK Q#+. ;Q,(#1- %: 0- KBB,(( *%-$&%< H=($,+X K 40&0"#1+
:%& H+0<< 6CB<,0& D0B#<#$#,(E. /01,( VF2VN
40/,& Y 2 7 *%%<, 0-" QZ W&%%J(. ;Q% H,BC&#$= H=($,+( D0#< W,B0C(, %: !-$&%/=[E. /01,(
YU2\]

}ouinal of Physical Secuiity 7(2), i-ix (2u14)

i

"#$%&'() *&++,-%)

Welcome to volume 7, issue 2 of the }ouinal of Physical Secuiity. This issue has papeis
about secuiity evaluations of Egyptian nucleai facilities, a piobabilistic mouel foi
quantifying the ouus of inteiiupting an attack, a secuiity evaluation foi an oil iefineiy in
Nigeiia, access contiol foi small nucleai facilities, anu entiopy as a uiivei of secuiity
failuies.

Foi the last papei in this issue, we hau the inteiesting situation wheie the ievieweis, the
euitoi, anu the authois coulun't come to an agieement on possible changes to the papei.
This iesulteu in a uiscussion at the enu of the papei that you won't want to miss because of
its laigei implications. I hope you finu it thought piovoking.

As usual, the views expiesseu by the euitoi anu authois aie theii own anu shoulu not
necessaiily be asciibeu to theii home institutions, Aigonne National Laboiatoiy, oi the
0niteu States Bepaitment of Eneigy.

*****

./0 1 /,,' 2,3$,4

Reseaich manusciipts submitteu to this jouinal aie usually ievieweu by 2 anonymous
ievieweis knowleugeable in the subject of the papei. viewpoint papeis aie ievieweu by u,
1, oi 2 ievieweis, uepenuing on the topic anu content. (Papeis that ieceive no peei ieview
aie cleaily maikeu as such.)

The authois' iuentities aie known to the ievieweis, i.e., this jouinal uoes not use a uouble
blinu ieview system. This is the case foi most peei ieview jouinals in othei fielus. Theie
aie pios anu cons to this single blinu appioach.

We aie always veiy giateful to ievieweis foi theii (unpaiu) time. Seiving as a ieviewei is
a ieal seivice to youi secuiity colleagues anu to eveiybouy's secuiity. If you aie inteiesteu
in seiving as an occasional ieviewei, please contact me thiough Aigonne National
Laboiatoiy oi http:jps.anl.gov.

Bi. }on Wainei of oui Aigonne vulneiability Assessment Team seives veiy capably as
Associate Euitoi.

The pie chait below shows that almost of manusciipts submitteu to }PS uo not get
piinteu in the jouinal. The vast majoiity of manusciipts that aie accepteu unueigo
significant changes oi auuitions suggesteu by the ievieweis anu the euitoi piioi to being
publisheu. I often assist with euiting papeis foi authois foi whom English is not theii fiist
language, oi who aie fiom the 0K.


ii

The stanuaiu style of this jouinal is Ameiican English. This incluues, among othei things,
putting a comma befoie the last item in a list, the so-calleu "seiial comma", also iionically
calleu the "0xfoiu comma". (Not all Ameiicans uo this, howevei, especially jouinalists anu
young people.) Beie aie 2 examples of wheie the seiial comma can be impoitant:
"!" $%&'()*+ ,%-./)01+, %(+ *2-%3 1%43 %-. 01++,+56 iefeis to S sanuwiches, wheieas "!"
$%&'()*+ ,%-./)01+, %(+ *2-%3 1%4 %-. 01++,+5" is focuseu on 2.
"7 8'* *1+ ).+% $('4 *%9:)-8 *' 4" ;',,3 % 0'-&)0*+. $+9'-3 %-. % .(28 %..)0*5" has quite a
uiffeient meaning fiom "7 8'* *1+ ).+% $('4 *%9:)-8 *' 4" ;',,3 % 0'-&)0*+. $+9'- %-. % .(28
%..)0*."
While theie aie countei-aiguments, in my minu theie aie 2 goou ieasons foi use of the
seiial comma. Fiist, is consistent with the geneial iuea of paiallelism, an impoitant
element of goou wiiting. uoou wiiting has ihythm anu oiganization, anu you uon't want to
confuse the ieauei oi squanuei hei time by bieaking them. 0ne example of goou
paiallelism is wiiting a list using only nouns oi only veibs oi only geiunus. Nixing them
cieates clumsy woiuing, such as: "7 9):+ *' $),13 <%-0%:+,3 %-. *%9:)-8 *' %(* +=<+(*,." A
bettei sentence might use all geiunus foi paiallelism: "7 9):+ $),1)-83 +%*)-8 <%-0%:+,3 %-.
*%9:)-8 *' %(* +=<+(*,56

iii
The seconu ieason the seiial comma is useful is that it most closely mimics oial speech,
which is ieally the unueilying basis of the wiitten woiu. To a consiueiable uegiee, goou
wiiting sounus like goou talking. Some wiiteis claim that commas cluttei up wiiting.
While commas can ceitainly be oveiuseu, I think they actually make ieauing easieianu
the meaning cleaieiwhen useu to mimic the natuial pauses in oial speech. Thus, if I
ieally meant S sanuwiches, the way I say this is "*2-%551%455%-.5501++,+", but if I meant 2
sanuwiches, "*2-%>>1%4 ? 01++,+. The comma can help the ieauei unueistanu wheie the
pauses shoulu be.

*****

5&%$-6 7&' 0,89'$%: ;<,=%,'

I iecently obseiveu a neaily 2-houi tiaining couise foi election juuges. The couise was
taught by state election officials foi a single election juiisuiction. The state anu juiisuiction
shall go unnameu.

The couise was efficient, piactical, piofessionally iun, anu well tuneu to the auuience. A
lot of useful infoimation was pioviueu to the election juuges.

I founu it telling that the woiu "secuiity" maue an appeaiance only once in the 2-houi
piesentation, anu then only in the following context: "Election juuges shoulu follow this
pioceuuie because it 8)&+, *1+ %<<+%(%-0+ of secuiity." |Italics auueu.j

Now I'm quite familiai with Secuiity Theatei. As a vulneiability assessoi, I see it all the
time in uispaiate secuiity uevices, systems, anu piogiams. But usually Secuiity Theatei
involves secuiity manageis oi oiganizations fooling themselves, oi it is busywoik
uelibeiately uesigneu to make auuitois oi the boss happy, oi it's something meant to snow
customeis oi the public. Sometimes, Secuiity Theatei is useu as a foim of bluffing, i.e., to
make a taiget falsely look haiuei than it ieally is. (Bluffing, howevei, is usually effective
only ovei the shoit teim.)

The pioceuuie that was being uiscusseu in the couise as neeuing the appeaiance of
secuiity was not one that woulu be much noteu by voteis oi the public, so it was piobably
not intenueu as a bluff. Rathei, the appaient attituue among these election officialswhich
I anu otheis have fiequently obseiveu in othei contexts, states, anu election juiisuictions
is that secuiity is vieweu as only being about appeaiances.

0ne of the functions of election juuges is often to compaie voteis' signatuies on election
uay with the votei iegistiation iecoius. In this paiticulai state anu election juiisuiction, as
in most otheis, election juuges aie given zeio useful instiuctions on how to compaie
signatuies, not even the biief, iuuimentaiy tiaining often given to cashieis in ietail stoies
on signatuie veiification.

In my view, the veiacity of the vote ueseives moie seiious secuiity attention. Election
faiiness anu accuiacy aie funuamental piinciples of uemociacy.

iv
*****

>=?$-6 $% @'%$)%$8=AA:

Counteifeit woiks of ait anu antiquities aie a huge secuiity pioblem. A new technique
has been ueployeu, baseu on the anomalously high amount of iauioactive caibon-14 founu
in the atmospheie since the uawn of the nucleai age. A painting attiibuteu to the Fiench
cubist paintei Feinanu Lgei was cleaily pioven to be a foigeiy. Foi moie infoimation:
http:www.chiomatogiaphytechniques.comnews2u14uScaibon-uating-shows-
cubist-painting-was-foigeu.et_ciu=S81S889&et_iiu=S969S7192&type=heauline

*****

*&+BA$=-8, 3)C 0,89'$%:

Compliance anu Secuiity, of couise, aie not the same thing. Sometimes they aie at ouus.
In my expeiience, it is typical foi at least a thiiu of compliance iules to actually make
secuiity woise. This can occui when compliance wastes time, eneigy, anu iesouices;
uistiacts secuiity peisonnel anu employees anu focuses them on the wiong issues; makes
auuitois the enemy, insteau of the actual auveisaiies; encouiages minuless iule following
iathei than caieful pioactive thinking about secuiity; institutionalizes stupiu, one-size-fits-
all iules manuateu by buieauciats fai iemoveu fiom giounu level; fossilizes iules that
neeu to be flexible with changing thieats, conuitions, anu technology; lets the goou guys
anu the existing secuiity infiastiuctuie anu secuiity stiategies uefine the pioblem, not the
bau guys (which is the ieal-woilu situation); makes secuiity the enemy of piouuctivity anu
of employees; anu engenueis cynicism about secuiity.

The best (anu funniest anu most uistuibing) examples I know of compliance haiming
secuiity can't be openly uiscusseu because of theii sensitivity. Beie, howevei, aie a few
examples I can shaie.

uianting access to numeious auuitois, oveiseeis, micio-manageis, testeis,
maintenance people foi secuiity haiuwaie, anu checkeis of the checkeis incieases
the insiuei thieat.
Nanuateu State of Bealth (S0B) checks on secuiity haiuwaie incieases complexity
(bau foi secuiity) anu hacking oppoitunities.
Nanuateu secuiity uevices get in each othei's way, oi compiomise each othei's
secuiity.
Specifically manuateu secuiity piouucts oi anti-malwaie softwaie piecluue the use
of bettei, moie up to uate piouucts.
PC secuiity iules applieu minulessly to Nacs.
Compliance makes the best the enemy of the goou.
Almost anybouy is consiueieu to have a "Neeu to Know" if it can help us avoiu minoi
pioceuuial anu papeiwoik eiiois (oi heshe can offei some vaguely plausible stoiy

v
line), thus cieating unnecessaiy checkeis anu incieasing the insiuei thieat as well as
the chances of mishanuling sensitive uata.
uoveinment secuiity cleaiances that iequiie self-iepoiting of piofessional
counseling anu mental health tieatment, thus uiscouiaging it.
uiievance, complaint iesolution, anu employee assistance piogiams that inciease
uisgiuntlement anu taiget useis foi ietaliation.
Foimal iules iequiiing oveily pieuictable guaiu patiols anu shift changes.
Little ioom alloweu foi flexibility, inuiviuual initiative, pioactiveness,
questionsconceins, hunches, iesouicefulness, obseivational skills, anu people
skills.
Secuiity manageis aie feaiful of installing auuitional secuiity pioceuuies anu
haiuwaie (even common sense ones) that can impiove secuiity locally because they
aie not calleu foi by auuitois oi the compliance uocuments.
An ovei-emphasis on fences (4.S - 1S sec uelay) anu entiy points as secuiity
measuies leaus to bau secuiity.
The iequiieu complex multituue of secuiity layeis ("Befense in Bepth") leaus to a
situation wheie nobouy takes any one layei (oi alaim) seiiously. See, foi example,
the Y-12 bieak-in by an 8S-yeai olu nun: http:www.cbsnews.comnewsnun-84-
gets-S-yeais-in-piison-foi-bieaking-in-nucleai-weapons-complex This is a classic,
pieuictable, anu veiy common moue of failuie foi Befense in Bepth ("layeieu
secuiity"). 0nfoitunately, multiple layeis of lousy secuiity iaiely auu up to goou
secuiity. Anu Befense in Bepth tenus to engenuei acceptance of lousy layeis.
The wiong minuset is cieateu: Secuiity = Busy Woik & Ninuless Rule-Following,
leauing to the iuea that the Biass anu buieauciats aie iesponsible foi thinking about
secuiity, not me.

*****

*'$+$-:D

Recent events in Ciimea aie a ieminuei that 2u14 is the 16u
th
anniveisaiy of the Ciimean
Wai, a conflict between Russia anu an alliance of Fiance, Biitain, the 0ttoman Empiie, anu
Saiuinia. It was one of the fiist "mouein" wais in a numbei of ways.

The Ciimean Wai is piobably best iemembeieu foi the incompetence anu unnecessaiy
loss of life on both siues. At the time, Biitish citizens coulu buy a commission, i.e., Biitish
militaiy leaueis weie not chosen by meiit, intelligence, oi expeiience but by who coulu
cough up big bucks. The poem, "Chaige of the Light Biigaue" by Alfieu, Loiu Tennyson
baseu on the Ciimean wai helpeu to focus attention on the incompetence of English
militaiy leaueis, which eventually iesulteu in enuing the piactice of selling commissions.

Now, 16u yeais latei, many secuiity piofessionals aie all too familiai with the negative
consequences of having leaueis who aie not chosen baseu on meiit, intelligence, anu
expeiience.


vi
*****

E-8&++&- *&++&- 0,-),

As of this wiiting, theie is as of yet no solution to the mysteiy of missing Nalaysia
Aiilines Flight S7u.

What has become cleai fiom this inciuent, howevei, is that many nations anu aiilines uo
not make use of the Inteipol uatabase of stolen passpoits. This uatabase contains uata on
4u million lost oi stolen tiavel uocuments. Accoiuing to Inteipol ueneial Secietaiy Ronalu
Noble, "0nly a hanuful of countiies woiluwiue aie taking caie to make suie that peisons
possessing stolen passpoits aie not boaiuing inteinational flights." Even so, the uatabase
gets 6u,uuu hits pei yeai. The 0niteu States, 0K, anu the 0niteu Aiab Emiiates aie some of
the few countiies that uo use the uatabase extensively.

A 2u11 stuuy founu that the uatabase can be an effective tool foi countei-teiioiism. See
http:ieseaich.cieate.usc.euucgiviewcontent.cgi.aiticle=1147&context=publisheu_papeis

This counteimeasuie is quick, simple, inexpensive, anu ielatively painless. Failuie to use
it is suiely a bieakuown of common sense. What is it about secuiity that it is so often
uivoiceu fiom common sense. 0i is the pioblem, as voltaiie thought, moie geneiic. Be
maintaineu that the tiouble with common sense in geneial is that it isn't all that common.

*****

F9+G,' ;<=- %<, H='#4=',

A woulu-be buiglai in Chicago uefeateu the lock on the outsiue of a bai, but then coulun't
manage to get insiue because he kept tiying to pull the uooi open. The uooi was cleaily
maikeu, "P0SB". See the viueo anu stoiy at:
http:www.unainfo.comchicago2u14u11Swickei-paikviueo-wickei-paik-bai-bieak-
in-thwaiteu-when-man-pulls-uooi-maikeu-push

*****

I,J$8=- ;<',=%
Appaiently packs of ioaming feial Chihuahua uogs aie haiassing Phoenix. The Phoenix
police uepaitment iepoits moie than 6,uuu complaints. Foi moie infoimation, see
http:abcnews.go.comblogsheaulines2u14u2chihuahuas-iampage-in-aiizona
Seems like an excellent oppoitunity to install $1u billion of untesteu homelanu secuiity
haiuwaie to monitoi the Chihuahua thieat!


vii
*****
*=-=#$=- ;<',=%

0ttawa police aie seaiching foi a man who tiieu to iob a stoie while bianuishing a
hockey stick. The ownei of the stoie giabbeu the hockey stick fiom the suspect, who then
fleu. See http:www.cbc.canewscanauaottawahockey-stick-wielueu-in-foileu-ottawa-
stoie-iobbeiy-1.2SS9S8S.

Piesumably it wasn't a cuiling bioom because cuiling uoesn't exactly have a fieice
ieputation foi bench-cleaiing biawls. (This might, howevei, inciease the fan base.)

Speaking of 0lympic spoits, the best suggestion I have evei heaiu is to iequiie that eveiy
0lympic event incluue one aveiage citizen in the competition, just foi compaiison.

*****

K=# .&?,L M&&# 0,89'$%: I&'=A

A young man on a bicycle has a bag of sanu slung ovei his shouluei. Be iiues up to the
boiuei guaiu who stops him anu asks, "What's in the bag.". "Sanu," says the young man.
The guaiu uoesn't believe him, so makes the young man open the bag anu the boiuei guaiu
feels aiounu insiue. Suie enough, sanu. The guaiu lets the young man go on his way acioss
the boiuei.

The next uay, the same thing happens, only this time, the guaiu insists the young man
empty the bag of sanu on the giounu so the guaiu can moie caiefully examine its contents.
Again, nothing but sanu. The young man hanu shovels the sanu back into the bag anu
peuals acioss the boiuei. This happens S moie uays in a iow.

uiowing moie anu moie suspicious, the boiuei guaiu the next uay takes a sample fiom
the young man's bag to be chemically analyzeu. Foi anothei week, the young man shows
up eveiyuay on his bike with the bag of sanu slung ovei his shouluei, anu the guaiu lets
him thiough. Finally, the chemical analysis iesults come in: 1uu% sanu.

The next uay, the guaiu stops the young man again anu says, "Look, son. I know you aie
smuggling something acioss the boiuei. I'm uying to know what it is. }ust tell me, anu I
sweai on my mothei's giave that I won't tuin you in. So what aie you smuggling."

"Bicycles," says the young man.

*****


viii
0&+, N-8&-3,-$,-% ;'9%<) @G&9% 0,89'$%:

1. If you can't envision secuiity failuies, you can't pievent them.

2. If you aie not failing in testing youi secuiity, you aie not leaining anything.

S. If you automatically think of "cybei" when somebouy says "secuiity", you piobably have
pooi physical secuiity %-. pooi cybei secuiity.

4. Nost secuiity uevices can be compiomiseu in as little as 1S seconus. This can be uone at
the factoiy, the venuoi, while in tiansit, while sitting on loauing uocks, piioi to installation,
anu aftei installation. This is why a soliu chain of custouy is neeueu, staiting iight at the
factoiy, anu why secuiity uevices must iegulaily be caiefully examineu inteinally foi
tampeiing oi counteifeiting. But you have to know what the uevice is supposeu to look
like.

S. A chain of custouy is a <('0+,, foi secuiing impoitant assets in tiansit. It is not a piece of
papei (nevei to be examineu) that aibitiaiy people sciibble theii initials oi signatuies on!

6. Nany manufactuieis anu venuois of secuiity uevices have pooi secuiity anu pooi
secuiity cultuie at theii facilities.

7. A mechanical tampei switch oi a light uetectoi in a secuiity uevice is about the same
thing as having no tampei uetection at all. Noieovei, uuiing the time that the uevice lacks
powei (such as uuiing shipment), they pioviue zeio secuiity.

8. If you aien't secuie befoie you ueploy enciyption, you aien't secuie aftei.

9. Enciyption has no meaningful iole to play in checking piouuct authenticity. It is a ieu
heiiing.

1u. Ranuom, viitual numeiic tokens aie not the same thing as seiialization foi uetecting
counteifeit piouucts. The few companies that use ianuom viitual numeiic tokens usually
make a numbei of eiiois in uoing so.

11. Tampei-inuicating seals uo not magically uetect oi stop tampeiing. They take a lot of
haiu woik to be effective.

12. Nost oiganizations ignoie oi substantially unueiestimate the insiuei thieat.

1S. If you'ie not making an intense effoit to mitigate the uisgiuntlement of employees,
contiactois, customeis, anu venuois, then you aie putting youiself at gieat iisk.

14. If the manufactuiei oi venuoi of a secuiity piouuct can't oi won't tell you the half
uozen most likely ways the uevice oi system can be attackeu, you shoulun't buy it.


ix
1S. Relatively low tech attacks woik well, even on high-tech secuiity uevices, systems, anu
piogiams.

16. If you think that thieats anu vulneiabilities aie the same thing, oi you think that you
know all youi vulneiabilities (oi uon't have any), oi you think a vulneiability assessment is
a test you can pass, then you uon't unueistanu vulneiabilities, vulneiability assessments, oi
youi secuiity.

17. Confiuence in a secuiity piogiam oi secuiity piouuct is almost always wishful thinking.
0i as the olu auage says, "Confiuence is that feeling you sometimes have befoie you ieally
unueistanu the situation."

18. If you aie moie woiiieu about compliance than secuiity, you almost ceitainly have
pooi secuiity.

19. If people can't question youi secuiity without you (oi youi oiganization) getting upset,
you piobably have pooi secuiity.

2u. "0vei-seiiousness is a waining sign foi meuiociity anu buieauciatic thinking.
People who aie seiiously committeu to masteiy anu high peifoimance aie secuie
enough to lighten up." -- Nichael }. uelb

*****

@&+(";'." 1%, % <()0+5 7$ -'*3 +&+(";'." 1%, % /+%:-+,,5
-- Nichelle Bulleii

*****

--Rogei }ohnston
Aigonne National Laboiatoiy
LinkeuIn: http:www.linkeuin.cominiogeigjohnston
vAT 0RL: http:www.ne.anl.govcapabilitiesvat
}ouinal of Physical Secuiity: http:jps.anl.gov
Naich 2u14
}ouinal of Physical Secuiity 7(2), 1-11 (2u14)

1

"#$%&'&()#* "%)( +,# -$.&$/&(0 12$ "2*3&4)% "#,1$41&,(
,+ 564%$)# 7)4&%&1&$3 &( 80*91

*
Nawal N. Saiu
1,S
anu
*
N.B. Nassef
2,S

1
El Taif 0niveisity, Faculty of Science, Physics Bepaitment
2
King Abuulaziz 0niveisity, Faculty of Engineeiing, P.0. Box.8u2u4, }euuah 21S89,
Sauui Aiabia, Phone: +uS671u2821, Fax: +269S2648
S
Nucleai anu Rauiological Regulatoiy Authoiity, (NRRA) Caiio, Egypt
*0n leave fiom NRRA-Egypt

:;31#)41

The main objective of a physical piotection system (PPS) is to pievent
iauiological sabotage of the nucleai facility anu theft of nucleai mateiials. This
papei uesciibes a pioceuuie foi effective physical piotection of nucleai
facilities, as will as physical piotection of nucleai mateiials (NNs) in use,
stoiage, anu tianspoit. The pioceuuie involves categoiizing the nucleai
facility taigets anu how to piotect them. We then piopose a pieliminaiy plan
foi a site visit foi the puipose of evaluating the PPS, anu ensuiing that it is in
compliance with the Inteinational Atomic Eneigy Agency (IAEA) stanuaius,
the Inteinational Physical Piotection Auvisoiy Seivice (IPPAS) guiuelines, anu
also meets the necessaiy conuitions set out in Egyptian iegulations (licensing)
of the facility. The implementation of this plan coulu stiengthen physical
piotection of Egyptian nucleai facilities.

<$* /,#=3> !"#$%&' )&#*$*+, -.,/*#&$ 0'1+%#+*123 45657 4-588 9*//*123 42/0%#+*12 0$&2


2
?@ A(1#,=641&,(
National piactices foi what is calleu "physical piotection" of nucleai mateiials vaiy
wiuely. Some states have obligateu themselves to apply IAEA iecommenuations foi
such piotection, but otheis have only agieeu to give consiueiation to those
iecommenuations, oi have maue no commitment at all. Some have auopteu uomestic
iegulations with iequiiements as high oi highei than these iecommenuations, but
otheis has auopteu lowei stanuaius, incluuing none at all.|1j

Accoiuing to Aiticle III of the Non-Piolifeiation Tieaty (NPT), each non-nucleai
weapon state that is paity to the tieaty agiees to accept safeguaius as set foith in an
agieement to be negotiateu anu concluueu with the Inteinational Atomic Eneigy Agency
(IAEA) in accoiuance with the state's statutes anu safeguaius system. The puipose of
such IAEA safeguaius is to veiify the fulfillment of the state's obligations unuei the NPT
to pievent uiveision of nucleai eneigy fiom peaceful uses to nucleai weapons oi othei
nucleai explosive uevices. As such, IAEA "safeguaius" constitute the most impoitant
example of multinational nucleai tieaty monitoiing.

By the IAEA's own uefinition, the IAEA safeguaius system compiises an extensive set
of technical measuies by which the IAEA Secietaiiat inuepenuently veiifies the
coiiectness anu the completeness of the ueclaiations maue by states about theii nucleai
mateiial anu activities. While this uefinition goes a long way in uesciibing the
safeguaius piocess fiom the point of view of the IAEA, it fails to uesciibe concisely anu
substantively the intentions (anu limitations) of IAEA safeguaius. To auu to the
confusion ovei the teim "safeguaius", the 0niteu States goveinment uses the woiu
"safeguaius" in a iathei impiecise way, often in combination with "secuiity", to covei a
wiue iange of :19%/+*# nucleai non-piolifeiation activities, fiom physical piotection
anu containment to accounting foi nucleai mateiial, gioupeu unuei the heauing of
"Nateiial Piotection, Contiol & Accounting" (NPC&A). It is not suipiising, theiefoie,
that many obseiveis complain that a cleai, concise, anu consistent uefinition foi
safeguaius is still missing.|2j

As a iesult, theie may be a iisk not only of mixing the meaning of the uiffeient
safeguaius teims, but also of confusing the uistinct goals of each nucleai secuiity
measuie implementeu. Theie is a long tiauition of the IAEA using uomestic (usually
0.S.) safeguaius technology anu appioaches with little oi no mouification foi use in
IAEA inteinational safeguaius.

Bomestic anu inteinational safeguaiusuespite both being calleu "safeguaius"aie
piofounuly uissimilai. Bomestic safeguaius aie piimaiily conceineu with nucleai
mateiials piotection, contiol, anu accounting (NPC&A). This incluues piotecting
nucleai weapons oi mateiials fiom sabotage, vanualism, teiioiism, espionage, theft,
uiveision, oi loss. Inteinational NPT safeguaius, on the othei hanu, aie conceineu with
obtaining eviuence that each state that signeu an agieement oi tieaty is inueeu
complying with its obligations, ueclaiations, anu piomises. Nost of the "safeguaius"
cuiiently unueitaken by the IAEA involve monitoiing unuei the NPT.|2j


S
B@ A'9#,.$'$(1 ,+ 564%$)# C$0&3%)1&,( &( 80*91

Egypt staiteu its legal fiamewoik to contiol anu iegulate the peaceful uses of nucleai
eneigy with Law No. S9 in the yeai 196u. 0n Su Naich 2u1u, the uoveinment of Egypt
issueu a new compiehensive law goveining nucleai anu iauiation ielateu activities
(Law No. 7 of 2u1u). This new law aims to establish a legislative fiamewoik foi nucleai
installations anu activities in oiuei to piotect inuiviuuals, the enviionment anu
piopeity. It iegulates iauiation piotection, nucleai safety, iauioactive waste
management, tianspoit of iauioactive mateiial, emeigency piepaieuness anu iesponse,
nucleai secuiity, nucleai safeguaius, impoit anu expoit contiols, anu civil liability in the
case of nucleai uamage. The law also has the powei to ueal with all activities anu
financing mechanisms coveiing the uecommissioning piocess foi the nucleai
ieactois.|Sj

Accoiuing to the new Law, all the iauioactive anu nucleai activities aie contiolleu
unuei the inuepenuent iegulatoiy bouy, the Nucleai anu Rauiological Regulatoiy
Authoiity (NRRA). The NRRA is iesponsible foi issuing licenses anu peimits foi any
activity involving iauioactive mateiials, anu foi contiolling anu veiifying that these
activities aie peifoimeu within the NRRA iegulations. In oui view, the new law has
helpeu Egypt be in compliance with inteinational safety anu secuiity stanuaius.

NRRA Licenses covei the following nucleai activities in Egypt:
- Reseaich Reactois (ET-RR-1 & ET-RR-2)
A: Reactoi 0peiatoi
B: Fuel Fabiication Plant foi ET-RR-2
- Nucleai Powei Plant anu Relateu Activities
- Acceleiatois (Cyclotion & Lineai Acceleiatoi)
A. Inuustiial Iiiauiatoi
- Applications of Rauioisotopes in Inuustiy, Neuicine, Agiicultuie, anu Reseaich
- Rauioactive Waste Bisposal Facility anu Tieatment Plant
- Tianspoitation of Rauioactive Nateiials.

The Nucleai safeguaius agieements between Egypt anu the IAEA have been
concluueu puisuant to NPT. A state system of accounting foi anu contiolling of nucleai
mateiial in Egypt has been establisheu unuei the title of "A National System of Nucleai
Nateiial Accounting anu Safeguaius (NSNNAS)".

|4j

A physical piotection system (PPS) foi nucleai mateiials (NNs) in nucleai ieseaich
ieactoi (NRR) facilities pioviues measuies foi exteinal piotection, auministiative
contiol, guaius, entiy anu access contiol, safety, anu piotection foi tianspoit anu
peisonnel
.
|Sj These measuies aie applieu uuiing the opeiation oi the uecommissioning
of the facility. Since the opeiatoi is iesponsible foi opeiational safety anu the physical
piotection of the nucleai facility, the opeiatoi must ensuie that all nucleai mateiials
belonging to it, incluuing waste, is stoieu in specially uesigneu containeis. The opeiatoi
is obligeu to establish anu apply an accounting system foi nucleai mateiials, anu to
exeicise contiol in accoiuance with the iequiiements laiu uown in the safeguaius
agieement. Such accounting is a pait of the physical piotection system.|6j


4
In this stuuy, the physical piotection system (PPS) foi one of the two ueclaieu nucleai
facilities in the Anshas zone in Egypt was investigateu. The PPS unuei investigation
belongs to the olu Egyptian nucleai ieactoi (ET-RR-1), which was the fiist Egyptian
nucleai ieseaich ieactoi (NRR) having a mateiial balance aiea (NBA):ET-A. The ET-RR-
1 is a 2 NW ieseaich ieactoi, tank type, with uistilleu watei as a moueiatoi coolant, anu
utilizing a ieflectoi. The nucleai fuel useu in this ieactoi is type EK-1u of Russian
fabiication. The fuel ious aie maue of uianium uioxiue uispeiseu in magnesium matiix,
eniicheu by 1u%
2SS
0 in the foim of ious clauueu by an Al jacket.|7j

DE F)3&4 G,(4$91 ,+ "2*3&4)% "#,1$41&,(

Accoiuing to the IAEA iecommenuations anu the Egyptian iegulations on the physical
piotection of nucleai mateiials, PPS's must ueal with the following issues:

a- Categoiizing of nucleai mateiials
b- Beteimining the piotecteu anu contiolleu aieas
c- Contiolling the access of peisons anu vehicles
u- Nanaging the secuiity of woikeis
e- Pioviuing a uata infoimation anu analysis unit

A physical piotection plan is pait of the ievieweu uocumentation necessaiy foi issue
of the license given by NRRA. The plan must take in account all iequiiements ielateu to
the PPS accoiuing to the specifications of INFCIRC22SRev.4 anu also the IAEA-IPPAS
guiuelines, which ueal with categoiization of the nucleai facilities, nucleai mateiials,
anu iauioactive waste.|8,9j Because nucleai mateiials (NNs) can be founu in uiffeient
physical, moiphological, anu chemical foims, the attiactiveness of these mateiials foi
theft oi sabotage uepenus ciucially on theii specific natuie anu piopeities. Thus, the
piimaiy factois foi ueteimining the physical piotection measuies against unauthoiizeu
iemoval oi sabotage of NNs must be the status anu natuie of the NN itself. Table 1
shows the type of nucleai mateiial as categoiizeu by the IAEA conventions on physical
piotection, specifically INFCIRC274iev.1 anu INFCIRC22Siev.S.|1u-12j

;<=< -.,/*#&$ -'1+%#+*12 1) +.% !>>

Since the nucleai mateiials containeu in the two Egyptian nucleai ieseaich ieactois
aie classifieu as categoiy II anu III, both ieactois aie piotecteu by uesigneu PPSs
involving baiiieis anu innei aieas, uelay components, access contiol, anu assessment
systems to uefeat theft oi sabotage attempteu by one oi moie peisons fiom outsiue oi
insiue the plants (NC&A). All the equipment anu nucleai mateiials of categoiy II aie
locateu in the contiolleu aiea, while the equipment anu nucleai mateiials of categoiy III
aie locateu in the piotecteu aiea.


S

Table 1: Categoiization of Nucleai Nateiial.
H)1$#&)% 7,#' G)1$0,#* I G)1$0,#* IA

G)1$0,#* IAA

Plutonium 0n-iiiauiateu >2 kg >Suu g <2 kg >1S g <Suu g
0ianium-2SS
0n-iiiauiateu
0ianium eniicheu
(E0) to 2u%

2SS
0
>Skg
>1 kg <S kg

>1Sg <1 kg

E0 to 1u% but
< 2u%
2SS
0
>1u kg
>1 kg <1u kg

E0 above
natuial, but <
1u%
2SS
0
>1u kg
0ianium-2SS 0n-iiiauiateu >2 kg >Suu g < 2 kg >1S g <Suu g
Iiiauiateu Fuel*

uepleteu oi
natuial 0, Th,
oi low eniicheu
fuel > 1u%
fissile

JJJJJJJJJ
*The categoiization of iiiauiateu fuel in the table is baseu on the inteinational tianspoit consiueiations.
The state may assign a uiffeient categoiy foi uomestic use, stoiage, anu tianspoit taking all ielevant
factois into account.

The fiist Egyptian Nucleai Reseaich Reactoi (ET-RR-1) has been in opeiation since
1961. Piovisions weie maue foi the facility geogiaphical location, the safety uesign, the
access to vital aieas, anu the State's assessment of the thieat. The PPS was upgiaueu
anu some new technical components weie intiouuceu, such as a peiimetei baiiiei: a
peiipheial fence has been built aiounu the nucleai facility as a seconu baiiiei. The fiist
baiiiei is the oiiginal fence of the Nucleai Reseaich Centei (NRC-EAEA), wheie
authoiizeu peisonnel aie alloweu to entiy oi exit thiough the main gate.

In auuition to fences, theie aie intiusion sensois, alaims, a lightning system (in oiuei
to ensuie functioning of the suiveillance 24 houis a uay), anu entiy contiol (the access
of peisonnel to the NRR facility is contiolleu thiough a peisonnel entiyexit poit
locateu neai a local secuiity guaiu). Authoiizeu peisonnel aie gianteu entiy to the NRR
facility only aftei iegisteiing anu signing in on an iegistiation book. Theie is also viueo
suiveillance to monitoi the innei aieas, anu an integiateu alaim system with ultiasonic
sensois to uetect the movement of an intiuuei within the inteiioi of a specific innei
aiea insiue the NRR facility. The NRR facility fence is pioviueu with a local secuiity
contiol centei, guaius, communication equipment, anu is in uiiect contact with the main
guaiu anu secuiity centei. Also, the fence has viueo cameias allowing complete
visibility of the fence zone.|1Sj

6
Foi ET-RR-2, the physical piotection system was installeu anu opeiational in 1997.
As with ET-RR-1, the PPS is maintaineu by a technical gioup. The ET-RR-2 facility is
monitoieu 24 houis a uay. Also, as pait of the upgiaues, the PPS iesponsible staff anu
iegulatoiy bouy staff ieceiveu tiaining in the physical piotection of nucleai mateiials
anu facilities. This was uone via the Inteinational Tiaining Couise (ITC) on the Physical
Piotection of Nucleai Facilities anu Nateiials, conuucteu at Sanuia National
Laboiatoiies in the 0SA unuei the umbiella of IAEA. The couise was fiist offeieu in
1978. The couise focuses on a systems engineeiing peifoimance-baseu appioach to
iequiiements, uefinition, uesign, anu evaluation of physical piotection systems. In
auuition to pioviuing impoitant infoimation anu expeiience, the couise is helpful in
impioving the coopeiation of facility peisonnel. Buiing the fiist 21 piesentations of ITC
(the yeais 1987 thiough 2u1u), 2u paiticipants fiom Egypt weie tiaineu.|14j

;<?< -'1#%:"'% )1' &2 6))%#+*@% -.,/*#&$ -'1+%#+*12 8,/+%9

Ensuiing the physical piotection of NNs uuiing use, stoiage, anu tianspoitation is one
of the obligatoiy iequiiements to be met in Egypt in oiuei to get licenseu foi uesign anu
opeiation of nucleai facilities. A physical piotection pioceuuie foi inspection anu foi
iepoiting must be submitteu. This pioceuuie contains a listing of numeious elements
that neeu to be evaluateu in oiuei to impiove the existing PPS anu help to uevise new
plans foi the physical piotection iequiiements. The pioceuuie that we iecommenu,
which we call oui "check list", ueals mainly with the following:

- Beteimining the possible thieats to the NRR, NNs, anu the fuel manufactuiing
pilot plant baseu on Besign Basis Thieat (BBT) analysis.

- Classifying the NRR anu the NNs into inuiviuual categoiies.

- Conuucting safety anu secuiity analyses, taking into consiueiation the national
thieat assessment anu assumeu auveisaiy mouel to iuentify aieas that must be
piotecteu@

- Iuentifying the piotecteu aieas, innei aieas, anu vital aieas foi the
nucleai facility.

- Besciibing the technical equipment useu in the secuiity oi foi the
monitoiing of the NRR anu NNs within the PPS.

- Checking the access contiols pioviueu foi the iuentification anu entiy
authoiization of all incoming peisonal, mateiials, anu vehicles into the
inuiviuual categoiizeu aieas.

- Eiecting baiiieis to pievent the entiy of unauthoiizeu incoming vehicles.

- Establishing the piesence of a contiol ioom insiue the piotecteu aiea
wheie the secuiity peisonnel can monitoi the conuition anu status of all PPS
equipment. (It is impoitant to mention that the opeiatoi insiue the contiol
ioom must have sufficient equipment to communicate with the secuiity
peisonnel anu also communicate with exteinal iesponse foices.)

7

- Equipping the guaiu foices with sufficient equipment to caiiy out theii
task, e.g., communications equipment anu weapons.

- Cieating a piogiam foi measuiing the tiaining anu piacticing of
peisonnel in the implementeu physical piotection system.

- Beveloping a piogiam foi testing anu maintaining PPS equipment.

- Bocumenting the quality assuiance foi the uesign anu implementation of
the PPS.

- Analyzing the implementation of the physical piotection functions uuiing
the opeiation of the nucleai ieactoi anu uuiing theoietical emeigency
situations.

- Evaluating PPS test iesults.

- 0puating the PPS plan when the facility is mouifieu.

;<;< 4565 4--58 A*//*12 +1 62.&2#% +.% B%@%$ 1) --8

The objective of the Inteinational Physical Piotection Auvisoiy Seivice (IPPAS)
mission to Egypt is to assist anu help the NRR to enhance the physical piotection system
anu iegulations foi the nucleai facilities in Egypt. The piouucts of the mission incluue
uetaileu technical notes, with iecommenuations, suggestions, anu goou piactices foi
upgiauing the PPS system thiough a uiscussion with the competent authoiity (NRRA)
anu the opeiatoi's staff at the nucleai ieseaich ieactois. It is impoitant to mention that
all uocuments geneiateu befoie, uuiing, anu aftei the mission aie tieateu as /&)%C"&':/
#12)*:%2+*&$ uocuments by the IAEA anu the team membeis accoiuing to the IAEA
inteinationally accepteu iecommenuations (INFCIRC22S Rev. 4 (Coii.).|1Sj

;<D< -.,/*#&$ -'1+%#+*12 E"'*2C +.% !A/ F'&2/01'+&+*12

It is wiuely believeu that NNs aie most vulneiable to illegal acts anu sabotage uuiing
tianspoit. As a consequence, a plan foi the physical piotection of NNs uuiing
tianspoitation insiue the facility must be piepaieu by the nucleai facility opeiatoi.
(Exteinal tianspoitation involving "tianspoitation outsiue the facility" is beyonu the
scope of oui pioposeu plan).

A peimit is neeueu foi any such inteinal tianspoit, anu the plan foi each tianspoitation
stage iequiies the following:

- Beteimining the possible thieats to the NRR, NNs, anu the fuel manufactuiing
pilot plant baseu on Besign Basis Thieat (BBT) analysis.

- Classifying the NRR anu the NNs into inuiviuual categoiies.


8

- Piepaiing a physical piotection plan.
- Establishing a communication anu iepoiting system foi use uuiing
tianspoitation.
- Locking anu sealing the tianspoit packages.
- Piotecting the confiuentiality of the physical piotection infoimation.
- Establishing an emeigency iesponse system.|16j
- |In the case of inteinational tianspoit, the iesponsibility foi ensuiing
PPS is iegulateu by an agieement between the states conceineu.j

K@ L6# "#,9,3$= A(39$41&,(3 "%)(

To evaluate the effectiveness of the PPS plans anu pioceuuies, an inspection plan
oiganizeu by the authois was ueviseu. 0ui inspection is aimeu at a moie uetaileu
examination anu ueteimination of whethei the PPS elements aie functional anu
woiking accoiuing to plan. This check-up of the system woulu iueally be conuucteu at
least once a yeai by iepiesentatives of the NRRA, jointly with a facility opeiatoi.

The elements of oui pioposeu inspection incluue:

>1"+*2% 42/0%#+*12: The main aim of this is to assess anu evaluate the conuitions of
the PPS, anu also to assess the tiaining anu qualifications of the physical piotection
team (anu how they may have changeu fiom the pievious inspection.)|17j This
involves a ioutine check anu veiification of the PPS elements. Routine inspection
activities aie unueitaken eithei at fixeu time inteivals oi at vaiiable time inteivals in
conjunction with specific tasks, e.g., pie-opeiation, nucleai mateiials tianspoit fiom oi
to the nucleai facility, etc.|18j

8+*9"$&+*12 1) &2 /%#"'*+, *2#*:%2+: This is an in-seivice inspection of the physical
piotection elements anu the facility's capability to uetect, communicate, anu iesponu to
an intiuuei's piogiess towaius the taiget in the shoitest possible time. Specific
checklists foi each type of piactice inspection help facilitate this ieview. Regaiuless of
the type of inspection, the following systems iequiie checking: the exteiioi intiusion
uetection system; the entiy contiol system foi peisonnel anu vehicles; the entiy
contiol baiiieis (fences, peisonnel gate, vehicle gate, etc.); the inteiioi uetection
system; the communication system; anu the manual iesponse of secuiity peisonnel.

D<=< -'101/%: 42/0%#+*12 >%01'+

In oui view, the inspection iepoits shoulu be uone anu submitteu by the nucleai
facility opeiatoi uiiectly to the NRRA. The pioposeu inspection iepoit incluuesM

1. Name anu coue of the nucleai facility.
2. Names of inspection team membeis (peisonnel), anu theii iesponsibilities
uuiing the inspection.
S. Bate anu type of inspection, incluuing weathei conuitions.
4. Classification of the nucleai mateiial.

9
S. Resouices useu foi the inspection (peisonnel, time, mateiials, equipment, etc.).
6. The inspection techniques useu (iunning the system, ievision, check anu
measuie, veiification, etc.)
7. Inspection finuings anu iecommenuations.
8. Assessment of the physical facilities fiom the viewpoint of physical piotection.
9. Type(s) of analyses useu to evaluate the PPS.
1u. A list of ciucial coiiective actions.
11. A list of possible aieas foi impiovement.
12. The iesponse times foi secuiity guaius.
1S. 0veiall finuings anu test iesults.
14. Recommenuations specific to the facility opeiatoi.
1S. Recommenuations specific to the iegulatoiy oiganization.

G,(4%63&,(3 )(= -$4,''$(=)1&,(3

The nucleai mateiials in Egyptian ieseaich ieactois have been categoiizeu
accoiuing to theii fuel amount, type, anu eniichment. This is impoitant
infoimation foi both safety anu secuiity planning.

We believe oui pioposeu pieliminaiy inspection plan, which incluues an
inspection checklist (Section S.2) anu pioposeu iepoit content (Section 4.1),
coulu assist the iegulatoiy oiganization (NRRA) in evaluating the physical
piotection systems at nucleai facilities. The plan might also help the NRRA
systematically follow up on inspection finuings to ensuie that all aspects of
legislation, incluuing the license conuitions, aie fully compliant with national anu
inteinational obligations. This appioach can also help the opeiatoi of the
nucleai facility impiove facility safety anu secuiity.

When oui inspection checklist was applieu to the stuuieu NRR, we came to the
following majoi conclusions:

1) The PPS in the NRR shoulu be mouifieu to incoipoiate new constiuction
anu iepaii.

2) It is impoitant to have a sufficient stock of spaie paits of PPS components
because most of these spaie paits aie piouuceu abioau anu in the majoiity of
cases, cannot be substituteu by local piouucts so as to ensuie uninteiiupteu
opeiation of the PPS.

S) The peifoimance of the secuiity iesponse foice to an emeigency situation
shoulu be examineu to unueistanu its iesponse time anu ieliability.

:4N(,/%$=0'$(13

We aie giateful to the euitoi anu anonymous ievieweis foi useful suggestions,
anu foi assistance with euiting anu ieviewing the English.


1u
:4#,(*'3

IAEA The Inteinational Atomic Eneigy Authoiity
PPS Physical Piotection System
BBT Besign Basis Thieat
IPPAS Inteinational Physical Piotection Auvisoiy Seivice
NPT The Tieaty on the Non-Piolifeiation of Nucleai Weapons
NRR Nucleai Reseaich Reactoi
NRRA Nucleai anu Rauiological Regulatoiy Authoiity
NRC Nucleai Reseaich Centei
NN Nucleai Nateiials
E0 Eniicheu 0ianium
ET-RR-1 Egyptian Fiist Reseaich Reactoi
ET-RR-2 Egyptian seconu Reseaich Reactoi

-$+$#$(4$3
1. ueoige Bunn, Fitiz Steinhauslei, anu Lyuumila Zaitesva, "Stiengthening Nucleai
Secuiity Against Teiioiists anu Thieves Thiough Bettei Tiaining", !120'1$*)%'&+*12
>%@*%G (FallWintei 2uu1), http:cns.miis.euunpipufs8Sbunn.puf

2. Rogei u. }ohnston anu Noiten Biemei Naeili, "Inteinational vs. Bomestic
Nucleai Safeguaius: The Neeu foi Claiity in the Bebate ovei Effectiveness",
E*/&'9&9%2+ E*0$19&#,, issue 69, pp 1-6 (2uuS),
http:www.acionym.oig.ukuuuu6969opu1.htm

S. 0ECB, !"#$%&' B&G H"$$%+*2 No.8S, volume 2u1u1, Nucleai Eneigy Agency,
(2u1u).

4. Ismail Bauawy, "The National System of Nucleai Nateiial Contiol, Bevelopments
anu Challenges", 8*I+. J12)%'%2#% 12 !"#$%&' 8#*%2#%/ &2: 500$*#&+*12/, Caiio, Egypt,
1S-2u Naich, volume 111 (1996).

S. A. A. Bameu, Wael A. El-uammal, anu I. Bauawy, "A Pioposeu Nucleai Safeguaius
System foi A Becommissioneu Nucleai Reseaich Reactoi", 42+%'2&+*12&$ 6*C.+.
J12)%'%2#% 12 !"#$%&' 8#*%2#%/ K &00$*#&+*12/, volume II, Caiio, Egypt, 7-12 Febiuaiy
(2uu4).

6. S. Kuisels, "Bevelopment of a Legal anu 0iganizational Basis foi Physical
Piotection of Nucleai Nateiial anu Nucleai Facilities in Lithuania", 42+%'2&+*12&$
J12)%'%2#% 12 -.,/*#&$ -'1+%#+*12 1) !"#$%&' A&+%'*&$/, vienna, Austiia, 1u-14
Novembei (1997).

7. E.A. Saau, E. N. El Sheibiny, N. Sobhy, anu S. I. Nahmouu, "Spent Fuel Stoiage
Expeiience at the ET-RR-1 Reactoi in Egypt", Inteinational Atomic Eneigy Agency,
IAEA-TECB0C-786, 6I0%'*%2#% G*+. 80%2+ L"%$ 8+1'&C% &+ >%/%&'#. &2: F%/+ >%&#+1'/,
Pioceeuings of an Auvisoiy uioup meeting helu in vienna, Austiia, S-8 }uly (199S).

11

8. IAEA-INFCIRC22Siev.4, F.% -.,/*#&$ -'1+%#+*12 1) !"#$%&' A&+%'*&$ &2:
!"#$%&' L&#*$*+*%/, Inteinational Atomic Eneigy Agency, vienna, Austiia (1999).

9. 456574--58 M"*:%$*2%/, IAEA Inteinational Physical Piotection Auvisoiy Seivice.
IAEA Seivices Seiies No.S. Feb. (1999).

1u. IAEA-INFCIRC274Rev.1, F.% J12@%2+*12 12 +.% -.,/*#&$ -'1+%#+*12 1) !"#$%&'
A&+%'*&$, IAEA, vienna, Austiia (1981).

11. IAEA-INFCIRC22S, F.% -.,/*#&$ -'1+%#+*12 1) !"#$%&' A&+%'*&$, Inteinational
Atomic Eneigy Agency, vienna , Austiia (197S).

12. IAEA-INFCIRC22SRev.S, F.% -.,/*#&$ -'1+%#+*12 1) !"#$%&' A&+%'*&$,
Inteinational Atomic Eneigy Agency, vienna, Austiia (199S).

1S. I. Bauawy, "0pgiauing of Physical Piotection of Nucleai Nateiials in an 0lu
Nucleai Reseaich Reactoi Facility", IAEA-CN-869, Pioceeuings, Inteinational
Confeience helu in Stockholm, Sweuen, 7-11 Nay (2uu1).

14. }ohn C. Nattei, "The Inteinational Tiaining Couise on the Physical Piotection of
Nucleai Facilities anu Nateiials", Topical papei, N1"'2&$ 1) !"#$%&' A&+%'*&$/
A&2&C%9%2+, vol. XXXvIII, No.4, p 4-11, (2u1u).

1S. IAEA-INFCIRC22SRev.4(Coiiecteu), F.% -.,/*#&$ -'1+%#+*12 1) !"#$%&'
A&+%'*&$ &2: !"#$%&' L&#*$*+*%/, 29 pages, IAEA, }une, (1999).

16. B. Kawai, B. Kuiihaia, N. Kajiyoshi, "Physical Piotection of Nucleai Nateiial in
}apan", 42+%'2&+*12&$ J12)%'%2#% 12 -.,/*#&$ -'1+%#+*12 1) !"#$%&' A&+%'*&$/, vienna,
Austiia, 1u-14 Novembei (1997).

17. A. Stefulova, "Evaluation of Effectiveness of Physical Piotection System at
Nucleai Facilities in the Slovak Republic", 42+%'2&+*12&$ J12)%'%2#% 12 8%#"'*+, 1)
A&+%'*&$3 A%&/"'%/ +1 -'%@%2+3 42+%'#%0+ &2: >%/012: +1 4$$*#*+ O/%/ 1) !"#$%&' A&+%'*&$
&2: >&:*1&#+*@% 81"'#%/, Stockholm, Sweuen 7-11 Nay 2uu1, IAEA-Cn_86-47, p84-86,
(2uu1).

18. N.A. Shiniashin, Regulatoiy inspection of plane of nucleai facilities, piivate
communication.

12
! #$%&'&()(*+(, -.+/0*(%0 %1 +2/ -!34 5%6/)
Noiichika Teiao* anu Nitsutoshi Suzuki
}apan Atomic Eneigy Agency
* teiao.noiichikajaea.go.jp
!&*+$',+
The piobability of an auveisaiy's inteiiuption, !", in a specific scenaiio can be
evaluateu using a calculation coue, EASI. The puipose of this stuuy is to uevise a
quantification methou foi !" by consiueiing the influence of unceitainty anu
vaiiability. Specifically, we attempt to uevise a new calculation methou foi thiee
components of !I: the piobability of uetection, !(B$); the piobability of successful
communication to the iesponse foice, !(C$); anu the piobability of the iesponse
foice aiiiving piioi to the enu of the auveisaiy's completion of the attack, !(R|A$).
In auuition, we uesign a hypothetical nucleai facility anu an auveisaiy attack
scenaiio, anu then assess the !" value using oui new methou. We set the
peifoimance paiameteis of the facility as tempoiaiy, hypothetical values without
a ieal peifoimance test. We attempt to expiess the unceitainty anu vaiiability of
each element of the facility using the Nonte Cailo methou.

40+$%67,+(%0
The Septembei 11, 2uu1 attacks incieaseu oui unueistanuing of the impoitance of
consiueiing auveisaiial attacks. Aftei a speech in Piague in 2uu9, Piesiuent 0bama
hosteu the fiist Nucleai Secuiity Summit (NSS) in 2u1u in Washington B.C. aimeu at
global nucleai teiioiism pievention. The seconu NSS was helu in Seoul in 2u12, anu
the thiiu will be helu in Bague in 2u14. Regaiuing the physical piotection iegime in
}apan, a ielevant ministeiial oiuinance was ieviseu in 2u12 that consiueieu both
INFCIRC22SRev.S anu the lessons of the Fukushima Baiichi nucleai powei plant
acciuent.|1j Because of heighteneu inteiest in nucleai secuiity, it is useful to establish
an evaluation methou to calculate the iisks to a hypothetical nucleai facility.

Nucleai secuiity is founueu on a numbei of issues, but S of the most impoitant aie
physical piotection (PP) |2j, illegal tiafficking |2j, anu piotection of iauioisotopes |2j.
0thei issues aie impoitant as well, such as mitigating the insiuei thieat, conuucting
effect thieat assessments, pioviuing cybei secuiity, instigating mateiial contiol anu

1S
accounting (NC&A), optimizing secuiity iesouices, anu pioviuing counteimeasuies to
espionage. In this stuuy, we focus on a hypothetical sabotage event in a mouel nucleai
facility. We focus paiticulai attention on PP.

The iisk (%) foi PP can be uefineu as % =!&(1-!') (, wheie !& is the piobability of
an auveisaiy attacking uuiing a given peiiou, !' is the piobability of PP system
effectiveness, anu ( is the consequence value of a secuiity failuie.|Sj The !& value
shoulu be expiesseu as the possibility of attack against the taiget facility using the uata
of events uuiing the scenaiio, such as sabotage oi the theft. 0ften |4j, the value of !& is
set to 1, though this may not be a piuuent choice in actual piactice.

The piobability of system effectiveness is uefineu as !' =!"!), wheie !" is the
piobability of the auveisaiy being inteiiupteu, anu !) is the piobability of
neutialization.

Now the uiffeience between nucleai secuiity anu nucleai safety is the existence of
auveisaiies in nucleai secuiity. Nany types of auveisaiies exist foi ieasons such as
politics anu ieligion. vaiious factois affect the auveisaiies' piobability of success,
incluuing skills, equipment, knowleuge, anu motivation. It is necessaiy to consiuei the
uetaileu chaiacteiistics of auveisaiies inuiviuually in oiuei to accuiately expiess the
nucleai secuiity iisk. Beie, we incluue only one type of auveisaiy in oui scenaiios.

In geneial, iisk is ueteimineu using two factois: the magnituue of possible auveise
consequences, anu the likelihoou of occuiience of each consequence. Piobabilistic iisk
assessment (PRA) uses piobability uistiibutions to chaiacteiize vaiiability oi
unceitainty in iisk estimates.|Sj In the nucleai safety fielu, PRA is conuucteu using
factois such as the fiequency of an acciuent sequence, the piobability that sensois cease
functioning, anu human eiioi.|6j The fiequencies with which an acciuent sequence oi
ianuom sensoi eiiois occui aie typically expiesseu using actual measuieu values.
Thus, sensoi pioblems oi human eiiois aie well quantifieu in nucleai safety. By
contiast, many of the fiequencies anu piobabilities foi nucleai secuiity aie unknown oi
cannot be ievealeu foi secuiity ieasons. Theiefoie, PRA foi nucleai secuiity is a moie
challenging pioblem.

In this stuuy, we focus on quantifying the value of !". The !" value in a specific
scenaiio can be evaluateu using an Estimate of Auveisaiy Sequence Inteiiuption (EASI),
a calculation coue uevelopeu by Sanuia National Laboiatoiy (SNL) in the 0niteu

14
States.|7j In the EASI mouel, eiiois causeu by unceitainty anu vaiiability aie ignoieu
when expiessing the peifoimance of sensois anu communications. The puipose of
this stuuy is to uevise a quantification methou foi !" by consiueiing the influence of
unceitainty anu vaiiability. In auuition, we seek to uesign a hypothetical nucleai
facility as well as an auveisaiy's attack scenaiio, anu then assess the !" value using oui
new methou.

8%09/0+(%0') -.:$/**(%0 %1 !4 ;*(0< -!34
We conuuct a iisk assessment of the inteiiuption piobability !I unuei a specific
scenaiio using EASI uevelopeu by SNL. EASI is a simple anu easy-to-use methou foi
evaluating the peifoimance of a PP system along a specific auveisaiial path anu with
specific conuitions of thieat anu system opeiation, anu is a tiauitional tool useu
woiluwiue.

A simple calculation uesciibing !I in EASI when an auveisaiy intiuues into a nucleai
facility is shown in figuie 1. The left siue of this figuie inuicates the simplifieu uiagiam
of an event tiee foi the !I calculation at the * point baiiieis, anu the iight siue inuicates
the calculation components of !I. The summation of the calculation components of !I
becomes the !I value. The !I value is iepiesenteu |7j by equation (1).

!
!
! ! !
!
!! !
!
!! ! !
!
! !!!!!
!
!!!!!
!
!!!!!
!
!! ! !!!!
!
!
!!!
!!!
!
!!!
! (1)

wheie !(B$) is the piobability of a uetection alaim foi the facility equipment, e.g.,
infiaieu (IR) sensois; !(C$) is the piobability that the facility guaiu successfully
unueistanus the alaim conuition using the facility's equipment anu successfully
communicates it to the iesponse foice; anu !(R|A$) is the conuitional piobability that,
given a iecognizeu alaim, the iesponse foice aiiives piioi to the enu of the auveisaiy's
action sequence. In the calculation of !I using the EASI methou, both !(B$) anu !(C$)
values aie taken as the evaluateu values without unceitainty anu vaiiability eiiois, anu
the !(R|A$) value is calculateu using a noimal uistiibution.


1S

Figuie 1 - Schematic of the EASI methou.

=/> ?7'0+(1(,'+(%0 5/+2%6 1%$ !4
In this stuuy, we uevise a new calculation methou foi the thiee components of !I:
!(B$), !(C$), anu !(R|A$). Specifically, we expiess !(B$) anu !(C$) as piobability
uistiibutions that incluue eiiois causeu by unceitainty anu vaiiability. 0nceitainty
means incompleteness of knowleuge, such as failuie to set conuitions oi wiong
opeiation pioceuuies, anu vaiiability means fluctuations in natuie, such as weathei
conuitions, enviionmental conuitions, oi piesence of wilu animals. Fuitheimoie, we
expiess a new calculation methou of !(R|A$) using a Beinoulli tiial.

8'),7)'+(%0 %1 #@A(B
The peifoimance of sensois in a nucleai facility pioviue the value of !(B$) foi the
EASI computation, which is useu as the evaluateu value without any eiiois.|7j Theie
aie many types of sensois useu in the facility, such as active anu passive IR sensois,
miciowave sensois, sonic sensois, vibiation sensois, anu viueo cameias. In this stuuy,
we consiuei only IR anu miciowave sensois.

It is possible to expiess the influence of a sensoi's unceitainty anu vaiiability as a
piobability uistiibution by examining the statistical false positive eiioi iates (type I
eiioi, oi !) anu false negative eiioi iates (type II eiioi, oi "). A giaph of !(B) anu !fa
of a hypothetical sensoi against the signal stiength in uB is shown in figuie 2. +,-*(%)
inuicates the piobability uensity function (PBF) of a signal plus noise, anu +*(%)
inuicates the PBF of noise, iespectively, as a function of signal intensity, %. The
thiesholu (.T) sepaiates the sensoi's uetectable iegion anu the unuetectable iegion of

16
+,-*(%) anu +*(%). The blue uasheu aiea, 1-", inuicates the !(B) value, anu the oiange
uasheu aiea, !, inuicates the !fa value. Beteimining a piopei +,-*(%) can help us
calculate the !(B) value.

Fiist, we consiuei +,-*(%) anu +*(%) foi the IR sensois. Theie aie basically two types
of IR sensois, active anu passive. Active IR sensois emit infiaieu light anu uetect
changes to the ieflecteu oi scatteieu infiaieu light inuicative of intiusion. Passive IR
sensois uetect changes to the theimal infiaieu light emitteu by waim bouies, incluuing
people. Foi simplicity, we assume that +,-*(%) foi both kinus of IR sensois is the same
as +*(%).

Figuie 2 - Piobability uistiibution functions !(B) anu !fa foi a hypothetical sensoi.

ueneially, IR sensois aie easily affecteu by noise anu vaiiability. We assume that
theii sensitivity to anomalies is piopoitional to theii vaiiability. Because the iisk
evaluation foimula is a multiplicative function, the uistiibution of the iisk that takes
only a positive value geneially uses a log-noimal uistiibution. We assume that +,-*(%)
obeys a log-noimal uistiibution. If the evaluation values aie usable, a best-fit
piobability uistiibution is most useful. The uetection piobability is equal to the
uistiibution function of +,-*(%).
! !
!!!"
! ! !! !
!
!!!
!!!!!"
!
!"# !
!" !!!
!!!!!"
!
!!
!!!!!"
!
!"
!
!
!"!!!"
, (2)
wheie .T_$_"% is the thiesholu value anu ,/$_"% anu #,/$_"% aie the mean anu stanuaiu
ueviation of the signal-plus-noise peifoimance of the IR sensois, iespectively.
Similaily, we assume that +*(%) obeys a log-noimal uistiibution. The false alaim
piobability is equal to the uistiibution function of +*(%):

17
!
!"!!!!"
! ! !
!
!!!
!!!!!"
!
!"# !
!" !!!
!!!!!"
!
!!
!!!!!"
!
!"
!
!
!"!!!"
, (S)
wheie */$_"% anu #*/$_"% is aie the mean anu stanuaiu ueviation of the noise of the IR
sensois, iespectively.

Next, we consiuei +,-*(%) anu +*(%) foi the miciowave sensois. The miciowave
sensois typically uetect changes in ieflecteu oi scatteieu miciowaves, incluuing
amplituue oi Bopplei fiequency shifts. Niciowaves aie electiomagnetic waves with
wavelengths between 1 cm anu 1u cm. The intensity of miciowaves can be weakeneu
by iain oi fog; we will assume that the vaiiability of the miciowave sensois is mainly
causeu by aii conuitions. Foi miciowave sensois, some conciete statistical mouels of
+,-*(%) anu +*(%) have been pioposeu.|8, 9j In this stuuy, we assume that the main
souice of backgiounu noise is theimal noise. +,-*(%) obeys a Rice uistiibution |1uj, anu
the uetection piobability is equal to the uistiibution function of +,-*(%).
! !
!!!
! ! !! !
!
!
!!!!!
!
!"# !
!
!
!!
!!!!!
!
!!
!!!!!
!
!
!
!
!!!!!
!
!
!!!!!
!
!
!
!"!!!
!", (4)
wheie .T_$_0 is the thiesholu value, #,/$/0 is the stanuaiu ueviation of the signal plus the
noise, anu #*/$/0 is the stanuaiu ueviation of the noise of the miciowave sensois. In
auuition, "u(1) is a mouifieu Bessel function of the fiist kinu with oiuei zeio. If cluttei
becomes uominant in the backgiounu noise, the Rice uistiibution is not useu uue to its
laige eiioi; +*(%) obeys a Rayleigh uistiibution in that case. The false alaim
piobability is equal to the uistiibution function of +*(%):
!
!"!!!!
! ! !
!
!
!!!!!
!
!"# !
!
!
!
!!!!!
!
!
!
!"!!!
!". (S)
If the cluttei becomes uominant in the backgiounu noise, a log-noimal uistiibution |8j
oi Weibull uistiibution |9j is appiopiiate insteau of a Rayleigh uistiibution.

8'),7)'+(%0 %1 #@8(B
In the EASI mouel, the value of !(C$) ignoies eiiois.|7j In oui mouel, two human
chaiacteis come into play: a facility guaiu anu a iesponuei fiom the iesponse foice. In
this stuuy, two communication piocesses aie consiueieu foi calculating the piobability.
The fiist piocess occuis when the guaiu unueistanus the anomalous signal fiom the
sensois anu iecognizes the events that occuiieu in the facility. The seconu piocess is
when thae guaiu coiiectly communicates infoimation to the iesponuei, who, in tuin,

18
compiehenus the complete sequence of events fiom such infoimation.
Communication effectiveness is influenceu by unceitainty anu vaiiability because of
human eiiois such as failuie to act, feai, inattention, memoiy lapses, anu iule-baseu oi
knowleuge baseu mistakes. In contiast, the influence of insiuei thieats such as
violations oi sabotage is not consiueieu heie. ueneially, the human eiioi piobability
(BEP) is quantifieu using vaiious human ieliability analysis (BRA) methous.|11, 12j In
oui mouel, the !(C$) value is expiesseu using a piobability uistiibution that iepiesents
human eiiois.

In the fiist communication piocess, the BEP is influenceu by both unceitainty (e.g.,
the guaiu's conuition anu lack of peiception) anu vaiiability (e.g., bau enviionmental
conuitions). We assume that the BEP of the fiist piocess is piopoitional to the uegiee
of unceitainty anu vaiiability. Because the log-noimal uistiibution is useu fiequently
in safety stuuies as the epistemic uistiibution of failuie iates |1Sj, the BEP is
iepiesenteu as a log-noimal uistiibution function. Fuitheimoie, we suppose that the
unit of a vaiiable is expiesseu using its eiioi iate, that is, the numbei of eiiois pei
commanu. The !(Ctype1_$) value inuicates the communication piobability of the fiist
piocess, anu it is expiesseu in equation (6) by ueuucting the BEP fiom the whole.
! !
!"#$!!!
! ! !
!
!!!
!!!!
!
!"# !
!" !!!
!!!!
!
!!
!!!!
!
!"
!
!!!!
!
, (6)
wheie the .21_$ is quantity of unceitainty anu vaiiability, anu 31_$ anu #31_$ aie the mean
anu stanuaiu ueviation of the fiist communication piocess, iespectively.

In the seconu communication piocess, the BEP is influenceu by both unceitainty (e.g.,
the guaiu's oi the iesponuei's conuition anu lack of peiception) anu vaiiability (e.g.,
bau enviionmental conuitions). We assume that the BEP of the seconu piocess is
piopoitional to the quantity of unceitainty anu vaiiability. The BEP is iepiesenteu as
a uistiibution function of log-noimal type, as with the fiist communication piocess.
The !(Ctype2_$) value inuicates the communication piobability of the seconu piocess anu
is expiesseu in equation (7) by ueuucting the BEP fiom the total piobability.
! !
!"#$!!!
! ! !
!
!!!
!!!!
!
!"# !
!" !!!
!!!!
!
!!
!!!!
!
!"
!
!!!!
!
, (7)
wheie the .22_$ is quantity of unceitainty anu vaiiability, anu the 32_$ anu #32_$ aie the
mean anu stanuaiu ueviation of the seconu communication piocess, iespectively.


19
Finally, the !(C$) value is calculateu as the piouuct of the !(Ctype1_$) value anu the
!(Ctype2_$) value foi each $.

8'),7)'+(%0 %1 #@CD!(B
The value of !(R|A$) foi EASI is calculateu using the noimal uistiibution by incluuing
both the uelay time of the baiiiei foi the facility anu the aiiival time of the iesponse
foice.|7j Appioximately 99.7% of phenomena occui within S sigma foi the noimal
uistiibution. Theiefoie, it is cleai whethei the iesponse foice can ieach the auveisaiy
in time. Because the actions of the iesponse foice shoulu have consiueiable flexibility,
a giauually uecieasing piobability uistiibution, iathei than the noimal uistiibution,
neeus to be consiueieu. In this section, !(R|A$) is expiesseu using a uiffeient methou
than EASI.

The !(R|A$) value is expiesseu using a Beinoulli tiial, focusing on whethei the
iesponse foice can get the situation unuei contiol befoie the auveisaiy finishes the
attack. The piobability uistiibution of the Beinoulli tiial is uesciibeu using a
binominal anu a Poisson uistiibution. An auveisaiy attack is a majoi pioblem foi
nucleai secuiity. The binominal uistiibution is assumeu to occui foi the taiget event
multiple times, anu hence, the Poisson uistiibution is moie suitable than the binominal
uistiibution foi iepiesenting !(R|A$).

A Poisson uistiibution is a uisciete piobability uistiibution expiesseu in equation (8).
! ! ! ! !
!
!
!
!!
!!
,
(8)
wheie 4 is natuial numbei anu $ is a positive constant. In othei woius, a Poisson
uistiibution is the piobability that an event that aiises $ times on aveiage occuis 4
times uuiing a given peiiou. In this section, we assume that $$ at the $
th
baiiiei is a
calculateu value that inuicates the fiequency of the iesponse foice aiiiving in time
befoie the auveisaiies obtain theii goal. The $$ value is given in equation (9).
!
!
!
!"
!
!"#
!
, (9)
wheie TR$ is the iesiuual time at the $
th
baiiiei, anu RFT$ is the iesponse foice's aiiival
time at the $
th
baiiiei. If $ is gieatei than 1, the iesponse foice can ieach the event on

2u
time. By subtiacting the piobability when 4 is equal to u fiom the total piobability, 1,
the value of !(R|A$) foi each baiiiei is given as:
! ! !
!
! ! !!
!!
!
. (1u)

E$(') %1 C(*F !**/**G/0+
We assess the value foi !I in the case of an auveisaiy's attack against a hypothetical
nucleai facility using the new quantification methou pioposeu above. An oveiview of
the uesigneu hypothetical facility anu the auveisaiy's attempt aie shown in figuie S.
The ciicleu numbeis in this figuie inuicate the baiiieis of the facility, anu the uasheu
line inuicates the auveisaiy's attempt to sabotage the taiget nucleai mateiial. Sensois
in this facility aie assumeu to be IR anu miciowave uetectois. The assumeu uelay
values (Belay$) anu iesponse foice time (RFT$) of the baiiiei $ aie shown in table 1.
Belay$ means the time that the auveisaiies neeu in oiuei to pass thiough each baiiiei $,
anu RFT$ inuicates the time iequiieu foi the iesponse foice to aiiive at the facility in
case of an attack.

Figuie S - 0veiview of the uesigneu hypothetical nucleai facility anu auveisaiy's pass.


21
The tempoiaiy peifoimance levels of the sensois, guaius, the auveisaiy, anu the
iesponse foice aie given appioximate numeiical values in oiuei to assess the !I value,
because we cannot use actual values foi secuiity ieasons. It is necessaiy to consiuei
the influence of unceitainty anu vaiiability of !(B$), !(C$), anu !(R|A$). In this stuuy,
the unceitainty anu vaiiability of each element of the facility aie expiesseu using a
Nonte Cailo methou.

Table 1 - Some paiameteis of the hypothetical nucleai facility.
$
Belay$ |secj RFT$ |secj
Nean
Stanuaiu
ueviation
Nean
Stanuaiu
ueviation
1 4u.u 4.uu 22u 22.u
2 Su.u S.uu 22u 22.u
S 2u.u 2.uu 22u 22.u
S Su.u S.uu 22u 22.u
6 4u.u 4.uu 22u 22.u
7 6u.u 6.uu 22u 22.u
9 6u.u 6.uu 22u 22.u
1u 12u 12.u 22u 22.u

Table 2 - Some paiameteis to calculate the !(B$) value anu iesult.
$
Infiaieu sensois Niciowave sensois
P(B_$_IR)
oi
P(B_$_N)
Pfa_$_IR
oi
Pfa_$_N
.5/$/IR ,/$/IR #,_$_IR */$/IR #*_$_IR .5/$/N #,_$_N #*_$_N
1 S.uu 2.uu u.4uu 1.1u u.Suu - - - u.84 u.1S
2 - - - - - 1.Su 2.uu u.Suu u.87 u.12
S 4.Su 2.uu u.4uu 1.uu u.4uu - - - u.89 u.1u
4 - - - - - 1.Su 2.uu u.Suu u.87 u.12
S 4.Su 2.uu u.4uu 1.uu u.4uu - - - u.89 u.1u
6 - - - - - 1.Su 2.uu u.Suu u.87 u.12
7 4.uu 2.uu u.4uu u.9uu u.Suu - - - u.94 u.uS
1u - - - - - - - - u.uu u.uu


22
Fiist, !(B$) is expiesseu using the Nonte Cailo methou. The !(B$) values aie
expiesseu using equation (2) anu equation (4). Foi the IR sensois, the !(B$) values aie
calculateu using the .T_$_"%, the ,/$_"%, anu the #,/$_"% values. Foi the miciowave sensois,
the !(B$) values aie calculateu using the .T_$_0, the #,/$_0, anu the #*/$_0 values. These
values aie set fieely anu shown in table 2 togethei with the calculateu !(B$) values.

If the opeiational peifoimance of the sensois is uiiectly influenceu by eiiois causeu
by unceitainty anu vaiiability, a focus on the fluctuations of the vaiiables #,/$_"%, #,/$_0,
anu #*/$_0 is waiianteu. We assume that these values aie ianuomly affecteu by
unceitainty anu vaiiability, anu that they aie expiesseu using a noimal ianuom numbei.
We geneiateu a noimal ianuom numbei using the following two piocesses: A unifoim
ianuom numbei sequence between u-1 was geneiateu using the RANB function of
Niciosoft Excel anu was then tianslateu into a noimal ianuom numbei, N(u, 1j, using
the Box-Nullei tiansfoim.|14j

The tiial iun was iepeateu S,uuu times using a ianuom numbei sequence. The
same ianuom numbei sequence was useu foi all baiiieis, $. Foi the IR sensois, the
vaiiation of #,/$_"% was assumeu to fluctuate by u.u1 fiom the value set in table 2.
Similaily, foi the miciowave sensois, we assumeu that the vaiiation of #,/$_0 anu #*/$_0
fluctuate by u.uuS anu u.u1, iespectively, fiom the values set in table 2. The
histogiams of the S,uuu calculateu !(B$) values aie shown in figuie 4 foi eveiy !(B$)
value. The uata inteival of the !(B$) values was u.uu1.

Figuie 4 - Piobability uistiibution of !(B$) using S,uuu noimal ianuom numbeis.

Next, !(C$) was expiesseu using the Nonte Cailo methou. The !(C$) values weie
calculateu by multiplying equation (6) by equation (7). In the fiist communication

2S
piocess, the !(Ctype1_$) values aie calculateu fiom the .21_$, 31_$, anu #31_$ values.
Similaily, in the seconu communication piocess, the !(Ctype2_$) values aie calculateu
using the .22_$, 32_$, anu #32_$ values. These values aie set fieely anu shown in table S,
togethei with the calculateu !(Ctype1_$), !(Ctype2_$), anu !(C$) values.

Table S - Some paiameteis to calculate the !(C$) value anu iesult.
$
Path 1 Path 2
!(C$)
.21_$ C1_$ #C1_$ !(Ctype1_$) .22_$ C2_$ #C2_$ !(Ctype2_$)
1 u.uSuu 1.uu S.uu u.9u9 u.u2uu 1.uu 2.uu u.99S u.9u
2 u.u4uu 1.uu S.uu u.92u u.u2uu 1.uu 2.uu u.99S u.91
S u.uSuu 1.uu S.uu u.9SS u.u1uu 1.uu 2.uu u.997 u.9S
4 u.uSuu 1.uu S.uu u.9SS u.u1uu 1.uu 2.uu u.997 u.9S
S u.u1uu 1.uu S.uu u.969 u.u1uu 1.uu 2.uu u.997 u.97
6 u.u2uu 1.uu S.uu u.949 u.u1uu 1.uu 2.uu u.997 u.9S
7 u.u1uu 1.uu S.uu u.969 u.u1uu 1.uu 2.uu u.997 u.97
8 u.u2uu 1.uu S.uu u.949 u.u1uu 1.uu 2.uu u.997 u.9S
9 u.u1uu 1.uu S.uu u.969 u.u1uu 1.uu 2.uu u.997 u.97
1u u.u1uu 1.uu S.uu u.969 u.u1uu 1.uu 2.uu u.997 u.97

If !(Ctype1_$) anu !(Ctype2_$) aie uiiectly influenceu by eiiois causeu by unceitainty anu
vaiiability, a focus on the fluctuations of the vaiiables .21_$ anu .22_$ is waiianteu. We
thus assume that these values aie ianuomly affecteu by both unceitainty
anu vaiiability. These values weie expiesseu using a noimal ianuom numbei, N(u, 1j.
The sequence of the S,uuu noimal ianuom numbeis was geneiateu using the same
methou as that of !(B$). A uiffeient ianuom numbei sequence was useu in the
!(Ctype1_$) anu !(Ctype2_$) calculation.

The tiial iun was iepeateu S,uuu times using a uiffeient ianuom numbei sequence.
The same ianuom numbei sequence, $, was useu foi all baiiieis. We assumeu that the
vaiiations of both .21_$, anu .22_$ fluctuate by u.u1 fiom the value set in table S. The
histogiams of the S,uuu calculateu !(Ctype1_$) anu !(Ctype2_$) values aie shown in figuie S.
The uata inteival of the !(Ctype1_$) anu !(Ctype2_$) values aie u.uu1 anu u.uuuS,
iespectively. The histogiams of the S,uuu calculateu !(C$) values aie shown in figuie 6.
The uata inteival of the !(C$) values was u.uu1.


24
Finally, !(R|A$) was ueteimineu using the Nonte Cailo methou. The !(R|A$) values
come fiom equation (1u) as a function of the vaiiable $$. The $$ values weie calculateu
using the TR$ anu RFT$ values, similai to what was uone foi equation (9). The TR$
values can be calculateu fiom the uelay values shown in table 1. The RFT$ values aie
also shown in table 1. The stanuaiu ueviation values of TR$ anu $$ can be calculateu
using the piopagation of eiiois technique. These values aie shown in table 4 along
with the calculateu !(R|A$) values.

If !(R|A$) is influenceu by eiiois causeu by unceitainty anu vaiiability uiiectly,
focusing on the fluctuations of the $$ vaiiables is waiianteu. We assume that these
values aie affecteu by unceitainty anu vaiiability at ianuom. These values weie
expiesseu using a noimal ianuom numbei, N(u, 1j. The sequence of S,uuu noimal
ianuom numbeis is geneiateu in the same mannei in !(B$) anu !(C$).

Figuie S - (a) Piobability uistiibution of !(Ctype1_$) using S,uuu noimal ianuom
numbeis. (b) Piobability uistiibution of !(Ctype2_$) using S,uuu noimal ianuom
numbeis.

2S

Figuie 6 - Piobability uistiibution of !(C$) using S,uuu noimal ianuom numbeis.

Table 4 - Some paiameteis to calculate the !(R|A$) value anu iesult.
$
TR$ |secj RFT$ |secj $$
!(R|A$)
Nean
Stanuaiu
ueviation
Nean
Stanuaiu
ueviation
Nean
Stanuaiu
ueviation
1 S2u 18.S 22u 22.u 2.S6 u.2S1 u.91
2 48u 17.9 22u 22.u 2.18 u.2SS u.89
S 4Su 17.6 22u 22.u 2.uS u.22u u.87
4 4Su 17.S 22u 22.u 1.9S u.211 u.86
S S8u 16.8 22u 22.u 1.7S u.189 u.82
6 SSu 16.u 22u 22.u 1.Su u.167 u.78
7 29u 1S.S 22u 22.u 1.S2 u.1Su u.7S
8 2Su 14.S 22u 22.u 1.uS u.12S u.6S
9 18u 1S.4 22u 22.u u.818 u.1u2 u.S6
1u 12u 12.u 22u 22.u u.S4S u.u771 u.42

The tiial iun was iepeateu S,uuu times using the ianuom numbei sequence. The
same ianuom numbei sequence was useu foi all baiiieis, $. We assumeu that the
vaiiations of $$ fluctuate by the stanuaiu ueviation values set in table 4. The
histogiams of the S,uuu calculateu !(R|A$) values aie shown in figuie 7. The uata
inteival of the !(R|A$) values is u.u1.


26

Figuie 7 - Piobability uistiibution of !(R|A$) using S,uuu noimal ianuom numbeis.

Finally, values of !I consiueiing unceitainty oi vaiiability can be calculateu using
equation (1). The values of !(B$), !(C$), anu !(R|A$) allowing foi unceitainty oi
vaiiability aie shown in figuies 4, 6, anu 7, iespectively. By using the S,uuu tempoiaiy
uata points of !(B$), !(C$), anu !(R|A$) geneiateu using the Nonte Cailo methou, the
S,uuu uata points of the !I weie calculateu. The histogiam of the S,uuu calculateu !I
values is shown in figuie 8. The uata inteival of the !I values was u.uuS, anu the mean
anu stanuaiu ueviation value of !I weie u.81 anu u.u2, iespectively.

Figuie 8 - Piobability uistiibution of !I calculateu fiom a piobability uistiibution
of !(B$), !(C$), anu !(R|A$).

We can assess the piobabilistic !I values using a tempoiaiy value set when an
auveisaiy attacks a hypothetical nucleai facility. Because the ianuom numbeis useu in
this papei aie inuepenuent of the ieal peifoimance of sensois, guaius, auveisaiy, anu

27
iesponse foice, the assessment iesult uoes not ieveal the ieal fluctuations causeu by
unceitainty oi vaiiability. If the ianuom numbeis aie iepiesenteu by ieal
peifoimance uata, the ieal-woilu !I values can be calculateu.

8%0,)7*(%0*
The !" value in a specific scenaiio can be calculateu using a methou such as EASI
uevelopeu by SNL in the 0niteu States. In the EASI calculation, eiiois causeu by
unceitainty anu vaiiability aie not consiueieu in expiessing the peifoimance of sensois
anu communication.

We attempteu to uevise a new calculation methou foi thiee components of !I: !(B$),
!(C$), anu !(R|A$). Specifically, the new calculation methou foi !(B$) anu !(C$) is
expiesseu as a piobability uistiibution that incluues eiiois causeu by unceitainty anu
vaiiability. We assumeu that +,-*(%) obeys a log-noimal uistiibution in the case of IR
sensois, anu a Rice uistiibution in the case of miciowave sensois. The !(B$) values aie
equal to the uistiibution function of +,-*(%). Noieovei, two communication piocesses
aie consiueieu to calculate the !(C$) value. We assumeu that the BEP of these
piocesses is iepiesenteu as a long-noimal uistiibution function. The communication
piobability foi the fiist anu seconu piocesses, !(Ctype1_$) anu !(Ctype2_$), iespectively, aie
expiesseu by ueuucting the BEP fiom the total piobability. In contiast, the new
calculation methou of !(R|A$) is expiesseu using a Beinoulli tiial, specifically a Poisson
uistiibution. We assumeu that $$ at the $
th
baiiiei is the fiequency at which the
iesponse foice can aiiive in time befoie the auveisaiies obtain theii goal. By
subtiacting the piobability when 4 is equal to u fiom the total piobability, 1, the !(R|A$)
value foi each baiiiei is expiesseu as an exponential foim.

We calculateu the !I value using the new quantification methou in the case of an
auveisaiy's attack against a hypothetical nucleai facility. The tempoiaiy peifoimance
of sensois, guaius, auveisaiy, anu the iesponse foice weie assigneu numeiical values in
oiuei to assess the !I value, because ieal values cannot be useu foi secuiity ieasons.
The influence of unceitainty anu vaiiability aie expiesseu using a Nonte Cailo methou.

If the sensoi's opeiational peifoimance is uiiectly influenceu by eiiois causeu by
unceitainty anu vaiiability, focusing on the fluctuations of the vaiiables #,/$_"%, #,/$_0, anu
#*/$_0 in the case of !(B$), that of .21_$ anu .22_$ in the case of !(C$), anu that of $$ in the
case of !(R|A$) is waiianteu. We assumeu that these values aie affecteu by unceitainty

28
anu vaiiability at ianuom. Theiefoie, we expiesseu these values using a noimal
ianuom numbei, N(u, 1j. By using S,uuu tempoiaiy peifoimance uata points of !(B$),
!(C$), anu !(R|A$) geneiateu by the Nonte Cailo methou, the S,uuu peifoimance uata
points of !I weie calculateu. The mean anu stanuaiu ueviation value of !I weie founu
to be u.81 anu u.u2, iespectively.

We can assess the piobabilistic !I value by using a tempoiaiy value set when an
auveisaiy attacks a hypothetical nucleai facility. Because the ianuom numbeis of this
stuuy aie inuepenuent to the ieal-woilu peifoimance of the sensois, guaius, auveisaiy,
anu iesponse foice, the assessment iesult uoes not ieveal the actual fluctuations causeu
by unceitainty oi vaiiability. If the ianuom numbeis weie iepiesenteu by ieal
peifoimance uata, the ieal !I value can be calculateu.

C/1/$/0,/*
1. The Sasakawa Peace Founuation, 567 2848,6$9: )83;7:< &33$=7*> :*= (<$,$,
0:*:?797*>, pp 6S-8u, (2u12).
2. Kazutomo Iiie, %7=7+$*$*? "*>7<<7;:>$@*,6$A B7>C77* )83;7:< D:+7>EF )83;7:< D738<$>E
:*= D:+7?8:<=,, }ouinal of Powei anu Eneigy Systems H(2), 1u9-117, (2u12).
S. Naiy Lynn uaicia, '&D" 0@=7;, The Besign anu Evaluation of PBYSICAL
PR0TECTI0N SYSTENS 2
nu
euition, Butteiwoith-Beinemann, p. 9-1u, (2uu7).
4. Naiy Lynn uaicia, '&D" 0@=7;, The Besign anu Evaluation of PBYSICAL
nu
euition, Butteiwoith-Beinemann, p. 292, (2uu7).
S. 6u FR 42622, G,7 @+ !<@B:B$;$,>$3 %$,4 &,,7,,97*> 07>6@=, $* )83;7:< &3>$H$>$7,I
2$*:; !@;$3E D>:>797*>, Washington, BC, (199S).
6. INSAu-12, Basic Safety Piinciples foi Nucleai Powei Plants, JKL")D&MLN Rev. 1,
IAEA, (1999).
7. Naiy Lynn uaicia, '&D" 0@=7;, The Besign anu Evaluation of PBYSICAL
nu
euition, Butteiwoith-Beinemann, pp S19-S2S, (2uu7).
8. u. R. valenzuela anu N. B. Laing, O* >67 D>:>$,>$3, @+ D7: (;8>>7<F )%P %'!O%5 JNQRS
9. B. A. Shniuman, M7*7<:;$T7= <:=:< 3;8>>7< 9@=7;, IEEE Tians., Aeiospace anu
Electionic Systems, IJ(S), 8S7-86S, (1999).
1u. S. 0. Rice, 0:>679:>$3:; &*:;E,$, @+ %:*=@9 )@$,7, Bell System Tech. }., KI, 282-SS2,
(1994), anu KL, 46-1S6, (194S).
11. A. B. Swain, & B. E. uuttman, Banubook of Buman Reliability Analysis with
Emphasis on Nucleai Powei Plant Applications, (198S).

29
12. E. Bollnagel, Cognitive Reliability anu Eiioi Analysis Nethou - CREAN, 0xfoiu:
Elseviei Science, (1998).
1S. Nichael Stamatelatos, anu Bomayoon Bezfuli, !<@B:B$;$,>$3 %$,4 &,,7,,97*>
!<@37=8<7, M8$=7 +@< )&D& 0:*:?7<, :*= !<:3>$>$@*7<,, 2
nu
euition, pp. 6-8 to 6-11,
(2u11).
14. u. E. P. Box anu Neivin E. Nullei, & )@>7 @* >67 M7*7<:>$@* @+ %:*=@9 )@<9:;
U7H$:>7,, The Annals of Nathematical Statistics, KM(2), 61u-611, (19S8).
}ouinal of Physical Secuiity 7(2), Su-41 (2u14)

Su
!!" $%&'(&)*+, +- ., /*' 01-*,123 45*,6 !"#$ 7+81'
N.C. Echeta
1
, L.A. Bim
2
, 0.B. 0yeyinka
1
, anu A.0. Kuye
1
1. Centie foi Nucleai Eneigy Stuuies, 0niveisity of Poit-Baicouit, P.N.B SS2S, Poit
Baicouit, Nigeiia

2. Centie foi Eneigy Reseaich anu Tiaining, Ahmauu Bello 0niveisity, Zaiia, Nigeiia

.95)2&:)
This papei attempts to quantitatively analyze the effectiveness of a Physical Piotection
System (PPS) uesigneu foi an oil iefineiy using the Estimate of Auveisaiy Sequence
Inteiiuption (EASI) mouel. The output fiom the mouel is the Piobability of Inteiiuption
(P1) of a potential attack scenaiio along a specific path. The effectiveness of a secuiity
system is uepenuent on the value of the Piobability of Inteiiuption. Results obtaineu show
that the values of the piobability of inteiiuption of the auveisaiies foi the most likely
auveisaiy paths aie veiy low. But by upgiauing the piotection elements, the values of
piobability of inteiiuption inciease fiom u to a iange of u.66 to u.89, stiengthening oveiall
secuiity.

;13<+285= Physical Piotection System; PPS Evaluation; 0il Refineiy Secuiity

>,)2+8(:)*+,
A Physical Piotection System (PPS) integiates people, pioceuuies, anuoi equipment foi
the piotection of assets oi facilities against theft, sabotage, anu othei malevolent human
acts. A PPS can be applieu to eithei fixeu oi moving assets. The ultimate objective of a PPS
is to pievent the accomplishment of oveit oi coveit malevolent actions. A PPS
accomplishes its objectives by eithei ueteiience oi a combination of uetection, uelay, anu
iesponse (uaicia, 2uu1). Foi these objectives to be achieveu, the PPS must be evaluateu oi
analyzeu to ueteimine its effectiveness. Foi a system to be effective, theie must be
awaieness of an attack (uetection) anu the slowing of auveisaiy piogiess to the taigets
(uelay), thus allowing a iesponse foice enough time to inteiiupt oi stop the auveisaiy
(iesponse).

In the uesign, evaluation, anu selection of secuiity systems, Boyon (1981) piesents a
piobabilistic netwoik mouel foi a system consisting of guaius, sensois, anu baiiieis. Be
ueteimines analytic iepiesentations foi ueteimining piobabilities of intiuuei
appiehension in uiffeient zones between site entiy anu a taiget object. Schneiuei anu
uiassie (1989) anu uiassie et al. (199u) piesent a methouology in which counteimeasuies

S1
aie uevelopeu in iesponse to asset-specific vulneiabilities. They uiscuss issues ielating to
cost-effectiveness tiaueoffs foi inuiviuual counteimeasuies, but fail to give an oveiall
secuiity system evaluation scheme. They uo allow foi a "system level impiession of oveiall
cost anu effectiveness" cieateu by consiueiing the inteiaction of the selecteu
counteimeasuies.

uaicia (2uu1) gives an integiateu appioach to uesigning physical secuiity systems,
evaluation anu analysis of piotective systems as well as iisk assessment. A cost-
effectiveness appioach is piesenteu, anu the measuie of effectiveness employeu foi a
physical piotection system is the piobability of inteiiuption, which is uefineu as "the
cumulative piobability of uetection fiom the stait of an auveisaiy path to the point
ueteimineu by the time available foi iesponse". Whiteheau et al. (2uu7) suggest that a
quantitative analysis is iequiieu foi the piotection of assets with unacceptably high
consequence of loss, even if the piobability of an auveisaiy attack is low.

A PPS can be evaluateu foi its effectiveness using available softwaie tools anu
techniques. A numbei of softwaie tools aie available foi evaluating the effectiveness of a
PPS. These incluue EASI, SNAP, SAvI, anu SAFE.

Besciibing these softwaie tools, Swinule (1979) iefeis to Safeguaiu Netwoik Analysis
Pioceuuie (SNAP) as an NRC-sponsoieu methouology uevelopeu by Piiskei anu Associates,
Inc., thiough subcontiact to Sanuia National Laboiatoiies, foi evaluating the effectiveness
of the physical secuiity measuies of a safeguaius system? Be emphasizes that SNAP
employs the netwoik moueling appioach to pioblem solving. uaicia (2uu1) also states that
SNAP employs the netwoik moueling appioach to pioblem-solving. It iequiies the analyst
to mouel the facility, the guaiu foice, anu the auveisaiy foice. SNAP is highly scenaiio-
uepenuent anu uses an assumeu attiibute methou to give a measuie of the PPS
effectiveness within a ceitain scenaiio. Foi applications in which foice-on-foice battles aie
not expecteu, EASI is the piefeiieu analysis tool.

uaicia (2uu1) opines that the System Analysis of vulneiability to Intiusion (SAvI) mouel
pioviues a compiehensive analysis of all auveisaiy paths into a facility. This was
uevelopeu in 198u (Sanuia National Laboiatoiies, 1989). 0nce uata on the thieat, taiget,
facility, site-specific PPS elements, anu iesponse foice time aie enteieu, the SAvI coue
computes anu ianks the ten most vulneiable paths foi up to ten iesponse foice times. This
mouel uses the EASI algoiithm to pieuict system peifoimance anu also uses Auveisaiy
Sequence Biagiam (ASB) Nouel foi multi-path analysis (}ang et al. 2uu9).

Engi anu Bailan (1981) anu Chapman et al. (1978) uesciibe Safeguaius Automateu
Facility Evaluation Nethouology (SAFE) as a Sanuia-uevelopeu, NRC-sponsoieu
methouology foi evaluating the effectiveness of the physical secuiity aspects of a
safeguaius system. SAFE consists of a collection of functional mouules foi facility
iepiesentation, component selection, auveisaiy path analysis, anu effectiveness evaluation.
The technique has been implementeu on an inteiactive computei time-shaiing system anu
makes use of computei giaphics foi the piocessing anu piesentation of infoimation.

S2
Foi the puipose of this woik, Estimate of Auveisaiy Sequence Inteiiuption (EASI) is the
piefeiieu analysis tool. This is because the mouel is simple to use, easy to change, anu it
quantitatively illustiates the effect of changing physical piotection paiameteis. This papei
is focuseu on using EASI foi the evaluation of the effectiveness of the cuiient physical
piotection system of an oil iefineiy.

71)@+8+'+63
.A $."> 7+81'
EASI is a faiily simple calculation tool uevelopeu by Sanuia National Laboiatoiies, 0SA. It
quantitatively illustiates the effect of changing physical piotection paiameteis along a
specific path. It uses uetection, uelay, iesponse, anu communication values to compute the
piobability of inteiiuption P1. Since EASI is a path-level mouel, it can only analyze one
auveisaiy path oi scenaiio at a time. It can also peifoim sensitivity analyses anu analyze
physical piotection system inteiactions anu time tiaue-offs along that path.

In this mouel, input paiameteis iepiesenting the physical piotection functions of
uetection, uelay, anu iesponse aie iequiieu. Communication likelihoou of the alaim signal
is also iequiieu foi the mouel. Betection anu communication inputs aie in foim of
piobabilities (PB anu PC iespectively) that each of these total functions will be peifoimeu
successfully. Belay anu iesponse inputs aie in foim of mean times (Tuelay anu RFT
iespectively) anu stanuaiu ueviation foi each element. All inputs iefei to a specific
auveisaiy path (uaicia, 2uu1). The output is P1, the piobability of inteiiupting the
auveisaiy befoie any theft oi sabotage occuis. Aftei obtaining the output, any pait of the
input uata can be changeu to ueteimine the effect on the output. If theie is one sensoi on
the path, this piobability is calculateu as:

P1 = PC PB (1)
Wheie, PC is piobability of guaiu communication, anu PB is piobability of sensoi
uetection.
0ne of the input paiameteis of this mouel was changeu to suit the ielevant enviionment.
This paiametei was the piobability of guaiu communication, PC. Evaluation of many
systems uesigneu anu implementeu by Sanuia National Laboiatoiies inuicates that most
systems opeiate with a PC of at least u.9S. This numbei can be useu as a woiking value
uuiing the analysis of a facility, unless theie is ieason to believe that this assumption is not
valiu. If actual testing at a facility yielus a uiffeient PC, this numbei shoulu be useu; if guaiu
communication appeais to be less uepenuable, a lowei value can be substituteu in the
mouel. Factois that may influence PC incluue lack of tiaining in use of communication
equipment, pooi maintenance, ueau spots in iauio communication, oi the stiess
expeiienceu uuiing an actual attack. This flexibility allows the analyst to vaiy Pc as neeueu
to coiiectly iepiesent the function. Baseu on expeit juugement, the piobability of guaiu

SS
communication of u.9 was useu as the input value in this woik to fit oui own specific
enviionment. This is because the guaiu iesponse foices uo not ieceive auequate tiaining
in the use of communication gaugets, anu these gaugets aie not piopeily maintaineu,
theieby passing incomplete infoimation oi instituting uelay in uisseminating infoimation.
The values of piobability of uetection aie baseu on the availabilitynon-availability of
sensoi(s) on the auveisaiy paths. Belay anu iesponse values, in foim of mean times anu
stanuaiu ueviation foi each element aie puiely expeit opinion baseu on secuiity guaius'
uiills.
To use EASI in this woik, we followeu the steps listeu below.

BA C2*)*:&' .551) DE&261)F &,8 "*)1 .55155G1,)
The iefineiy complex consists of two iefineiies anu it occupies an aiea of 9uu hectaies. It
is bounueu on the south by muuuy vegetation anu sea, anu on the noith, east, anu west by
uiy giounu. Theie aie many stieams, cieeks, iesiuential builuings, anu shops neai the
complex. These two iefineiies have combineu piocessing capacity of 21u,uuu baiiels of
ciuue oil pei uay. This iefineiy complex houses uiffeient assets such as the auministiative
anu technical builuings, oil pipelines, iefineu petioleum piouucts stoiage tanks, iefining
piocessing units, anu powei plants. 0f all these assets, the most ciitical asset is the 7V km
iefineu petioleum piouucts pipelines that iun fiom the insiue of the iefineiy to the jetty
wheie ships anu fuel tankeis loauoffloau piouucts foi impoit anu expoit. Some paits of
these pipelines iun on top of the giounu, on top of saline watei, anu unueineath iesiuential
builuings.

The iefineiy complex is uoubleu fenceu in some aieas while otheis aie singleu-fenceu.
The complex has 8 entiance anu exit gates, but only foui majoi gates leau uiiectly into the
oil facilities. uate 1 is an entiance gate foi employees anu visitois, gate 2 is foi vehicles
enteiing the facility complex, gate S is the exit foi vehicles anu peisons, while gate S leaus
to the iestiicteu aiea (which houses the ciuue oil iefining facilities). These gates aie
constantly lockeu except when vehicles anu human movements aie iequiieu. The plant
layout of the oil facility is shown in figuie 1.

The heights of the conciete anu electiic fences aie ioughly 4-S meteis anu theie aie 2
closeu-ciicuit televisions (CCTvs) at gates 2 anu S. The viueos iecoiueu by these CCTvs aie
sent to anu monitoieu by the contiol ioom. Theie aie secuiity opeiatives' posts at the
entiance anu exit gates of the iefineiy complex anu at some uistances along the 7V km
iefineu petioleum piouucts pipelines. Theie aie no sensois on the fences, gates, oi
pipelines. The 7V km pipelines aie paitly exposeu without any exteinal fence piotecting
the pait of the pipelines on lanu. Theie is also no fencing oi othei piotective measuies foi
the unueigiounu paits of the pipelines, oi the paits in saline watei.


S4
H*6(21 I A E@1 J'&,) '&3+() +- )@1 +*' 21-*,123 <*)@ *)5 G+5) '*K1'3 &8%125&23 J&)@5 &,8 )&261)?

The !"#$%& ()#$# *+,")- foi ciitical assets must consiuei the attiibutes, chaiacteiistics,
anu motivations of potential insiuei anuoi exteinal auveisaiies who might attempt to
uamage oi seek unauthoiizeu iemoval of iefineu petioleum piouucts, against which the
PPS is uesigneu anu evaluateu. This papei is limiteu to attack fiom exteinal auveisaiies
because EASI mouel uoes not hanule insiuei attacks. Past hostilities that have occuiieu on
the oil pipelines weie all believeu to be fiom the outsiue. Piesently, theie is no iecoiu of
inteinal attacks on the oil pipelines. The possibility of an insiuei attack is not being iuleu
out completely, howevei.

The most likely auveisaiies of the oil facility aie militants anu local vanuals. 0thei kinus
of outsiue auveisaiies iepiesent a lowei piobability of attack. In the past, auveisaiies have
attackeu the facility fiom outsiue of the iefineiy complex using equipment such as plasma
cutteis, weluing machines, plieis, valves, anu iubbei pipes. Fiom the infoimation gatheieu,
they appeaieu to be intent on oil pipeline sabotage anu theft of iefineu petioleum piouucts
fiom the pipelines. The auveisaiies aie motivateu by the financial gain fiom the sale of
iefineu petioleum piouucts, oi by theii uesiie foi iesouice contiol foi theii communities.


SS
CA !+55*9'1 &8%125&23 J&)@5 &,8 &:)*+, 51L(1,:15
The most likely auveisaiy paths to the ciitical asset aie shown in figuie 1. Auveisaiy
path 1 is fiom the shop on top of the 7V km oil pipelines. Auveisaiy path 2 iuns fiom the
iesiuential builuings to the pipelines. Auveisaiy path S iuns thiough the watei-ways,
cieek anu on lanu to the oil pipelines. The possible auveisaiy action sequences
coiiesponuing to the paths aie shown in Fig. 2.

!&)@ I !&)@ M

!&)@ N

H*6(21 M A !+55*9'1 &8%125&23 &:)*+, 51L(1,:15?
Connect iubbei pipes to the pipelines
Penetiate pipelines to inseit valves
"#$%& '% ($%)*$+ ,$&('-$./ ,('+.0&1
Theft of iefineu petioleum piouucts
Entei the boat(s)
Tiavel thiough the watei ways to cieek(s)
Run to the pipelines
Run back to the cieek(s)
Theft of iefineu petioleum piouucts
Big up the giounu Run to the pipelines

S6
015(')5 &,8 O*5:(55*+,
B&51'*,1 J&)@5
A computeiizeu EASI mouel was useu to calculate the piobability of inteiiuption (P1) of
all the most likely auveisaiy paths using the input values obtaineu fiom the expeits at the
iefineiy site. Figuie S shows the iesult of the EASI analysis of auveisaiy path S. The
iesults of EASI analyses of auveisaiy paths 1 anu 2 piouuceu the same output as path S.

!%&'()&* ,-
"./*0%)01
#*23*45*
$4&*0036&',4
!2+9&9*'*)3 +-
P(&28
C+GG(,*:&)*+,

71&, 015J+,51
H+2:1 E*G1 D0HEF
D51:5F
")&,8&28
O1%*&)*+, +-
0HE D51:5F

u.9 72u 216

O1'&35 D"1:+,85F=
E&5K O15:2*J)*+, ! DO1)1:)*+,F Q+:&)*+, 71&,
")&,8&28
O1%*&)*+,
1 Entei Boat u B 6 1.8
2
Tiavel to the Cieek u B 48u 144
S Run to Pipelines u B 1u S
4 Penetiate Pipelines u B 6uu 18u
S
Connect Rubbei
Pipes
u B 1Su 4S
6
Run back to the
Cieek
u B 1u S
7 Theft Taiget u B 12u S6

!2+9&9*'*)3 +-
>,)122(J)*+,=
u.uuu

H*6(21 N A 015(')5 +- $."> &,&'35*5 -+2 &8%125&23 J&)@ N?

The iesults of the EASI analysis of the entiie common auveisaiy paths show the
piobability of inteiiuption to be u.uuu. This shows that the auveisaiy cannot be
inteiiupteu until the iefineu petioleum piouucts have been stolen fiom the pipelines oi if
an acciuent occuis uuiing pipeline vanualism.

!2+J+518R>GJ2+%18 !!"
In ie-uesigning the secuiity system at the oil facility, new secuiity measuies anu
equipment weie pioposeu to impiove the thiee key functions (uetection, uelay, anu
iesponse) of PPS. The suggesteu upgiaues have the ability to achieve uesiieu secuiity
piinciples. These incluue uetection eaily in the path anu piioi to uelay; effectiveness of
uelay at the asset; the ielationship among uetection, uelay, anu iesponse functions; timely

S7
uetection; anu the piinciples of piotection-in-uepth anu balanceu piotection. The upgiaues
aie as follows:
0pgiaues foi auveisaiy path 1
A. Bemolition of shops on top of the pipelines, eiecting an exteinal fence with a fence
sensoi system, anu ensuiing that builuings aie eiecteu beyonu a manuatoiy
uistance of 2S m fiom one siue of the pipelines;

B. Installation of sensois on oil pipelines;

C. Relocation of guaius closei to the pipelines;

B. Enclosing the pipelines in a moie haiueneu case with a stiongei alloy.

0pgiaues foi auveisaiy path 2
A. Eiection of exteinal fence with a fence sensoi system anu ensuiing that builuings
aie eiecteu beyonu a manuatoiy uistance of 2S m fiom one siue of the pipelines;




0pgiaues foi auveisaiy path S
A. Bestiuction of cieeks, anu mounting of seawatei suiveillance equipment;




We assigneu values to the piobability of uetection of the pioposeu upgiaues on each
auveisaiy path in oiuei to see the effects of these upgiaues on the output, i.e., piobability
of inteiiuption. The effects of these upgiaues weie analyzeu using the EASI mouel to show
the new values of output, P1. The iesults of some selecteu EASI analysis of the upgiaues on
each of the auveisaiy paths 1, 2 anu S aie shown below. The iesult of EASI analysis of
upgiaue A on auveisaiy path 1 is shown in figuie 4.


S8

!%&'()&* ,-
"./*0%)01 #*23*45*
$4&*0036&',4
!2+9&9*'*)3 +-
P(&28
C+GG(,*:&)*+,
71&, 015J+,51
H+2:1 E*G1 D0HEF
D51:5F
")&,8&28
O1%*&)*+, +-
0HE D51:5F

u.9

42u 126

O1'&35 D"1:+,85F=

E&5K O15:2*J)*+, ! DO1)1:)*+,F Q+:&)*+, 71&,
")&,8&28
O1%*&)*+,

1 Big 0p uiounu u.9 B 24u 72

2
Penetiate Pipelines u B S6u 1u8

S
Connect Rubbei
pipes
u B 6u 18


!2+9&9*'*)3 +-
>,)122(J)*+,=
u.789

H*6(21 S A 015(') +- $."> &,&'35*5 +- (J62&81 . +, &8%125&23 J&)@ I?

The iesult of EASI analysis of upgiaue B on auveisaiy path 2 aftei upgiaue A has been
executeu is shown in figuie S.

!%&'()&* ,-
"./*0%)01 #*23*45*
$4&*0036&',4
!2+9&9*'*)3 +-
P(&28
C+GG(,*:&)*+,

71&, 015J+,51
H+2:1 E*G1 D0HEF
D51:5F
")&,8&28
O1%*&)*+, +-
0HE D51:5F

u.9

42u 126

O1'&35 D"1:+,85F=

E&5K O15:2*J)*+, ! DO1)1:)*+,F Q+:&)*+, 71&,
")&,8&28
O1%*&)*+,

1 Run to the pipelines u.9 B 1u S

2
Penetiate Pipelines u.9 B S6u 1u8

S
Connect Rubbei
pipes
u B 12u S6


!2+9&9*'*)3 +-
>,)122(J)*+,=
u.768

H*6(21 T A 015(') +- $."> &,&'35*5 +- (J62&81 B +, &8%125&23 J&)@ M?

The iesult of EASI analysis of upgiaue C on auveisaiy path S aftei upgiaues A anu B have
been caiiieu out is shown in figuie 6.

S9

!%&'()&* ,-
"./*0%)01 #*23*45*
$4&*0036&',4
!2+9&9*'*)3 +-
P(&28
C+GG(,*:&)*+,
71&, 015J+,51
H+2:1 E*G1 D0HEF
D51:5F
")&,8&28
O1%*&)*+, +-
0HE D51:5F

u.9 6uu 18u

O1'&35 D"1:+,85F=
E&5K O15:2*J)*+, ! DO1)1:)*+,F Q+:&)*+, 71&,
")&,8&28
O1%*&)*+,
1 Entei Boat u B 6 1.8
2
Tiavel to the Cieek u.7S B 48u 144
S Run to Pipelines u B 1u S
4 Penetiate Pipelines u.9 B 6uu 18u
S Connect Rubbei Pipes u B 1Su 4S
6 Run back to the Cieek u B 1u S

!2+9&9*'*)3 +-
>,)122(J)*+,=
u.84S

H*6(21 U A 015(') +- $."> &,&'35*5 +- (J62&81 C +, &8%125&23 J&)@ N?

Table 1 shows the summaiy of the values of the output, i.e., the piobability of
inteiiuption (P1) aftei the all pioposeu secuiity upgiaues have been implementeu.

E&9'1 I A "(GG&23 +- %&'(15 +- !2+9&9*'*)3 +- *,)122(J)*+, D!IF &-)12 !2+J+518 (J62&815?

!&)@5
"(6615)18 4J62&815
!&)@ I !&)@ M !&)@ N
A u.789 u.699 u.66u
B u.8Su u.768 u.8uS
C u.886 u.874 u.84S
B u.89u u.877 u.874

4u
Fiom table 1 it can be seen that the values of the output (the piobability of inteiiuption)
incieaseu aftei each pioposeu upgiaue was applieu to the auveisaiy paths. The table
shows that the final value of P1 at the enu of the entiie upgiaue (Suggesteu 0pgiaue B) on
each auveisaiy path is appioximately u.9. When the P1's along all paths aie appioximately
equal aftei the upgiaues, the physical piotection system is saiu to be "balanceu", i.e., all
paths aie equally uifficult foi the auveisaiy to achieve theii goal. Note that balance is
achieveu by mixing uetection, uelay, anu iesponse components, anu that theie aie a
numbei of possible combinations that will iesult in acceptable system peifoimance. This
pioviues the oppoitunity to select combinations that meet cost anu opeiational
iequiiements without compiomising system effectiveness.

C+,:'(5*+,5
This woik involveu evaluating the effectiveness of the cuiient physical piotection system
foi an oil iefineiy using the Computeiizeu EASI mouel. Results obtaineu fiom the analysis
of the most likely auveisaiy paths showeu that the values of piobability of inteiiupting the
auveisaiies (P1) weie veiy low. But by upgiauing the physical secuiity systems with
ceitain measuies anu equipment, the values of P1 incieaseu significantly, impioving
secuiity.

.:K,+<'186G1,)5
The authois aie giateful to the Nigeiia Atomic Eneigy Commission (NAEC) foi
sponsoiing this ieseaich woik.

01-121,:15
Chapman, L.B., uiauy, L.N., Bennett, B.A., Sassei, B.W. anu Engi, B., (1978): "Safeguaius
Automateu Facility Evaluation (SAFE) Nethouology," Sanuia Laboiatoiies iepoit SANB 78-
uS78, N0REuCR-u296.

Boyon, L.R., (1981): "Stochastic Noueling of Facility Secuiity-Systems foi analytical
solutions," Computeis & Inuustiial Engineeiing, vol. S, no. 2, pp. 127-1S8.

Engi, B. anu Bailan, C.P., (1981): "Biief Auveisaiy Thieat Loss Estimatoi (BATLE) 0sei's
uuiue," Sanuia National Laboiatoiies iepoit SANB 78-11S6, N0REuCR-14S2.

uaicia, N.L., (2uu1): "The Besign & Evaluation of Physical Piotection Systems",
Butteiwoith-Beinemann, pp. 2S1-2S9.


41
uiassie, R.P., }ohnson, A.}. anu Schneiuei, W.}., (199u): "Counteimeasuies Selection anu
Integiation: A uelicate balancing act foi the secuiity uesignei," in Pioceeuings IEEE 199u
Inteinational Cainahan Confeience on Secuiity Technology: Ciime Counteimeasuies,
Lexington, Kentucky, pp. 116-12S.

Schneiuei, W.} anu uiassie, R.P., (1989): "Counteimeasuies Bevelopment in the Physical
Secuiity uesign piocess: An Anti-teiioiist peispective," Pioceeuings of 1989 Inteinational
Cainahan Confeience of IEEE on Secuiity Technology, Zuiich, Switzeilanu, pp. 297-Su2.

}ang, S.S., Kwak, S., Yoo, B., Kim, } anu Yoon, W.K., (2uu9); "Bevelopment of a vulneiability
Assessment coue foi a Physical Piotection System", }ouinal of Nucleai Engineeiing anu
Technology, vol. 41, No. S, pp. 747-7S2.

SAvI, (1989): Systematic Analysis of vulneiability to Intiusion, v1, SANB89-u926, Sanuia
National Laboiatoiies, pp. 1-8.
Swinule, B.W., (1979): "The 0se of Effectiveness Evaluation in the Besign of a Physical
Piotection System foi the Consoliuateu Fuel Repiocessing Piogiam's Bot Expeiimental
Facility," 2uth Annual Neeting of the Institute of Nucleai Nateiials Nanagement,
Albuqueiaue, NN; Nucleai Nateiials Nanagement vIII, 761, pp. 1-2u.

Whiteheau, B.W., Pottei, C.S anu 0'Connoi, S.L (2uu7): "Nucleai Powei Plant Secuiity
Assessment Technical Nanual", SANB2uu7-SS91, Sanuia National Laboiatoiy, pp. 1-6S.


42

"#$%&' () *' +,,#$$ -('./(0 12$.#34
+ 5*/*6%&3 )(/ 13*00 78,0#*/ 9*,%0%.%#$
B. Nkom
1
, I.I. Funtua
2
, anu L.A. Bim
S

Centie foi Eneigy Reseaich anu Tiaining (CERT), Ahmauu Bello 0niveisity, P. N. B. 1u14, Zaiia, Nigeiia
1
b.nkomieee.oig;
2
iifuntuayahoo.com;
S
lawienceanikweuimyahoo.com

!"#$%&'$ ) *+,# -&-.% /.#'%,".# $+. /.#,01 23 & 4&/,2
5%.67.1'8 9/.1$,3,'&$,21 :459;< -.%#211.= &''.##
'21$%2=>&1$,),1$%7/.% #8#$.?@ 7#,10 &1 &'$,A. B7&/
*&0 :4C;)B*< 4.&/.%>C%,$.% ?2/7=. ,1 /,%.'$
'21D71'$,21 E,$+ & F,'%2'+,-
*F
G9HIJ5KLLM
?,'%2'21$%2==.%@ E+,'+ -%2A,/.# '21$%2=@ 121)A2=&$,=.
?.?2%8@ /&$& -%2'.##,10@ &1/ .N$.%1&=
'2??71,'&$,21 371'$,21#O *+. #8#$.? 2"$&,1#
#,01&=# 3%2? &1 459; ?2/7=.@ ?2$,21 /.$.'$2%# &1/
A,"%&$,21 #.1#2%# $2 .33.'$,A.=8 '21$%2= & /2$)?&$%,N
PQ; /,#-=&8@ &=&%? #271/.%#@ &1/ &1 .=.'$%,' /22%
#$%,R.@ $+.%."8 -%2A,/,10 & =2E)'2#$@ -2E.%).33,',.1$@
%.=,&"=. ?.&1# 23 #7--=.?.1$,10 $%&/,$,21&=
?.$+2/# 23 -%2A,/,10 -+8#,'&= -%2$.'$,21 32%
%.#.&%'+ %.&'$2% "7,=/,10#O 4.=.A&1$ 9!Q!
/2'7?.1$# #7'+ &# 9S5H94H>TTL>4.AO K &1/ *QH;UH
VWX :4.AO I< E.%. /7=8 '21#7=$./ 32% $+. 1.'.##&%8
07,/&1'. ,1 $+,# %.#.&%'+ &1/ /.A.=2-?.1$ .332%$O
Y.8E2%/# ) G+8#,'&= G%2$.'$,21@ P2E H2#$@ 4&/,2
5%.67.1'8 9/.1$,3,'&$,21 :459;<@ !''.## H21$%2=
Z8#$.?@ F,'%2'21$%2==.%O

:; :7<=>"?-<:>7
Since 2u11, lingeiing teiioiist thieats have
iequiieu the global nucleai inuustiy to constantly
ieaffiim its commitment to ensuiing nucleai
secuiity.|1-2j By factoiing in the piesent globalization
tienus, nucleai secuiity has evolveu into an issue that
positive-thinking inuiviuuals, oiganizations, anu
goveinments woiluwiue now iealize conceins anu
affects them, uue to the potential foi huge
consequences foi eveiyone if a laige scale bieach
occuis in any pait of the woilu.|Sj
Physical piotection is an integial pait of nucleai
secuiity. uuiuance note u1u1 of |4j states the neeu foi
a physical piotection system anu points out that a
system baseu on a combination of peisonnel, haiuwaie,
pioceuuies, anu facility uesign shoulu be establisheu to
achieve the uesiieu piotection, beaiing in minu the
oveiall safety of the facility. This papei is conceineu
with piotection using haiuwaie, specifically electionic
haiuwaie. The teim "facility" useu heie may be vieweu
in bioau teims to incluue fixeu facilities such as
ieactois anu spent fuel iepositoiies, as well as in-
tiansit facilities that iefei to special facilities useu in
tianspoiting nucleai mateiial, (e.g., tiucks oi iailcais)
which aie sometimes not piopeily secuieu.|2j The
access contiolanti-intiuuei system uesciibeu in this
papei is piimaiily meant to supplement existing fixeu
facility piotection, specifically at univeisity-baseu
ieseaich ieactois. The teims "asset" anu "thieat" useu
heie may also be vieweu in bioau teims. An asset
iefeis to anything that is being piotecteu (peisonnel,
equipment, nucleai anu non-nucleai mateiial) that aius
nucleai secuiity. A thieat iefeis to anything that
compiomises the secuiity of a nucleai mateiial oi
facility (natuial uisasteis, auveisaiies). This papei is
conceineu with the means of piotection against
auveisaiies, which incluue piotestois (uemonstiatois,
activists, anu extiemists), teiioiists, anu ciiminals fiom
outsiue; as well as inteinal employees, iegulai visitois,
anu contiactoissupplieis with giuuges, ciiminal
tenuencies, oi psychologicaluiug-ielateu issues.|S,18j
0niveisity-baseu ieseaich ieactois aie mostly
locateu in faiily uense locations, sometimes insiue
campuses, anu thus may be peiceiveu as easy taigets
by auveisaiies. A lot of ieactois expeiience a laige
influx of stuuents, visitois, anu clients on a uaily basis,
which may cause laxity in secuiity piotocols when
juxtaposeu with long peiious of absence of secuiity-
ielateu inciuences. Long shutuown peiious as a iesult
of school calenuais anu national holiuays aie also
common. In auuition, most of these ieactois aie useu
foi non-piofit, non-commeicial puiposes that offei
little financial gains to justify elaboiate physical
piotection schemes, giving iise to a high iisk
scenaiio.|6j Fuitheimoie, such ieactois that aie
locateu in politically unstable, technologically
unpiepaieu, anu economically uisauvantageu countiies
aie at gieatei iisk uue to lean buugets, financial
incentives to engage in ciiminal activities, anu lack of
unueistanuing of physical piotection technology.|7j
This papei seeks to show that with the
auvancement of physical piotection technology in
geneial, anu electionics technology in paiticulai,
acquiiing electionic physical piotection systems uoes
not necessaiily iequiie big buugets. In auuition, we
will tiy to show that manageis of such facilities can be
actively involveu in the iuuimentaiy uesign piocess in
oiuei to tailoi the electionic systems to suit theii
inuiviuual ciicumstances, taking national, iegional, anu


4S
inteinational iegulations anu auvice into consiueiation.
This is actually expecteu in physical piotection
consiueiations, as expiessly inuicateu in guiuance note
u427 of |4j.
The iest of this papei is oiganizeu as follows:
Section Two gives an oveiview of a few mouein
electionic uevices that function in accoiuance with the
piimaiy iequiiements foi physical piotection systems,
anu also pioviues a biief uesciiption of
miciocontiolleis. Section Thiee mentions a few
haiuwaie consiueiations necessaiy foi successful
electionic physical piotection system uesign anu
outlines the uesign piocess foi the contiol anu uata
piocessing centie foi oui system. Section Foui coveis
final system implementation anu veiification
consiueiations, incluuing a few factois to consiuei
when actually caiiying out secuiity system
installations. Concluuing statements aie given in
Section Five.

::; >@A=@:AB >9 ACA-<=>7:- 5DE1:-+C
5=><A-<:>7 "A@:-A1
An effective physical piotection system shoulu
peifoim the following piimaiy functions: Betei, Betect,
Assess, Belay, anu Responu.|4j u1uS states that the
physical piotection sub-system fiist encounteieu by
auveisaiies in any facility shoulu seive as a huge
ueteiient by piesenting a uifficult obstacle to
penetiate. These obstacles aie usually non-electionic
systems such as steel gates, but in iecent times theie
have been incieaseu use of electiifieu fences anu
aimoieu flooulights as the fiist line of uefense.|8j
Attempts to bieach a piotecteu aiea aie to be
uetecteu by a physical piotection system, anu this is
mostly achieveu by the use of electionic sensois. These
aie typically uevices that uetect changes in a physical
quantity (heat, motion, vibiation) anu conveit them to
electiical signals. These signals aie then maue ieauily
available foi inuication anuoi annunciation at the
cential alaim station via tiansmission sub-systems.
Pioviuing a supplementaiy means of inuication at the
point of uetection may also seive as a ueteiient.
Notion sensois aie useu in the system uesciibeu in this
papei; the type anu specifications cannot be stateu heie
as iequiieu by confiuentiality clauses in sections 4.S.1
anu 4.S.2 of |9j, anu u444 anu 44S of |4j. If a fixeu
nucleai facility has been well uesigneu, its vital aieas
will have a small numbei of entiancesexits, winuows,
anu othei vulneiable access points as iecommenueu by
u61u of |4j, which will ieuuce the numbei of such
uevices to be useu at each point, anu hence lowei costs.
Best piactice highly iecommenus that assessment
shoulu go hanu in hanu with uetection, so that
confiimation of an intiusion may be uone at the cential
alaim station when uetection occuis. This is best
achieveu by visual means via CCTv systems |8j in
conjunction with guaius, as iecommenueu in u1u8 anu
u61S of |4j. This is alieauy in auequate use in the
facility wheie the access contiolanti-intiuuei system
is to be installeu.
In oiuei to uelay an auveisaiy, the entiance anu
peiimetei to the vital oi innei aiea of the facility shoulu
be uifficult to bieach, even by the use of foice, anu this
is a function of the facility uesign. uoou access contiol
systems shoulu also be capable of contiolling the
physical baiiiei at the entianceexit point
automatically by pieventing access to the vital aiea
until authoiization is gianteu, thus contiibuting to the
uelay function. This is mostly achieveu by
electiomechanical sub-systems such as uooi stiikes
anu iotating uoois.
A well-uesigneu physical piotection system shoulu
always assume a thieat of sabotage, as stateu in 7.1.1 of
|9j anu u1u4 anu u11u of |4j, thus a iapiu human
inteivention to an intiusion may be achieveu by the
access contiolanti-intiuuei system's ability to
iesponu quickly anu effectively by piomptly aleiting
iesponse teams thiough communications sub-systems,
by the use of auial anu visual alaim inuicatois such as
siiens anu stiobes. Auuitional iesponse measuies such
as initiating a lock-uown by electiomechanical means
may also be caiiieu out by the system.
Assuming categoiy I nucleai mateiial as classifieu
in |9j, in the case of piotection against iemoval of
nucleai mateiial, oi piotection against sabotage of
nucleai powei ieactois, access to the piotecteu aiea
will be only by positive iuentification thiough photo
bauge IB's. Since a moie stiingent anu ieliable access
contiol measuie is iequiieu foi the vital aiea,
electionic access contiol systems that use one oi moie
means of iuentification aie iecommenueu, as stateu in
6.2.2 anu 7.2.S of |9j, anu u6u1 of |4j. At system uesign
stage, these means of iuentification come as electionic
uevice mouules that aie auueu unto a contiol anu
powei sub-system to make them functional. A few of
such iuentification mouules aie numeiic keypau
mouules, biometiic fingeipiint mouules, anu biometiic
iiis mouules. RFIB is the iuentification scheme foi the
system uesciibeu in this papei. Bue to its wiue
availability anu susceptibility foi spoofing anu
counteifeiting, infiaieu uetectois anu pioximity
switches weie also incoipoiateu in the implementation
as extia bieach uetection baiiieis.
Placing a combination of the uevices uesciibeu
above in a physical piotection system, baseu on
piimaiy function anu piinciples of opeiation, is
necessaiy to obtain an acceptable level of piotection.
Thus, a way to cooiuinate the functions of all these
uevices is neeueu. Tiauitionally, pie-manufactuieu off-
the-shelf alaim contiol panels, typically costing
between $8u anu $S6u, uepenuing on level of
sophistication, iobustness, anu communications
technology employeu, aie useu.|1uj The access
contiolanti-intiuuei system uesciibeu in this papei
uses a miciocontiollei chip to achieve the cooiuination
function. These, togethei with theii piogiamming kits,
typically cost between $S anu $24u |11j uepenuing on
manufactuiei, numbei anu type of on-boaiu mouules,
anu semiconuuctoi technology useu. Choosing anu


44
using a suitable one sensibly will uiastically ieuuce the
cost associateu with the contiol function.
The miciocontiollei is a hanuy uevice that
continues to gain populaiity amongst electionic
systems uevelopeis. It is a computei on a chip that
emphasizes self-sufficiency anu cost effectiveness; anu
as the name implies, it is optimizeu foi contiolling
othei uevicescomponents via on-boaiu mouules such
as ABC's, counteis, CCP's, analog compaiatois, anu
communications. In iecent times, miciocontiolleis
have become vital components in viitually all
electiicalelectionic equipment anu systems, such as
home enteitainment systems anu venuing machines;
wheie they aie useu in contiolling the functions of
these equipment, anu in piocessing anu tiansfeiiing
uata into anu out of exteinal units connecteu to
them
.
|12-14j Electionic access contiol systems aie
ceitainly not left out.
Niciocontiolleis have the auvantage of being
softwaie configuiable anu softwaie uiiven, thus a
caiefully uesigneu piogiam will ieuuce the neeu foi
exteinal suppoit chips such as uigital clockcalenuais,
theieby offeiing a low component count. They offei a
high level of veisatility in uesign since changing a
uesign paiametei mostly just iequiies changing an
aspect of the piogiam. This is vital foi physical
piotection systems, wheie conuitions aie highly
uynamic. Also, a miciocontiollei may be uiiectly
inteifaceu with a suitable uisplay, theieby pioviuing a
means of cieating a menu-baseu usei inteiface foi the
system; which will make it moie usei-fiienuly. veiy
impoitantly also, a miciocontiollei can be inteifaceu
with a PC foi the puipose of uata tiansfei, which is vital
foi any access contiol system. No less impoitantly, a
typical miciocontiollei is a small-sizeu, lightweight,
low-powei uevice, theieby offeiing the auvantage of a
small, eneigy-efficient contiol panel. In auuition, theie
aie vaiious oppoitunities pioviueu by the uevelopment
platfoims of these miciocontiolleis to simulate, uebug,
emulate, anu geneially tioubleshoot youi application
even befoie the miciocontiollei is piogiammeu. This
is obviously a time saving tool. The uevelopment
platfoims themselves aie ueployeu on iegulai PC
systems, theieby pioviuing the most impoitant
auvantage of executing piojects completely in-house.
The choice of which miciocontiollei to use is
influenceu by populaiity of the geneial family anu
paiticulai uevice, suitability foi intenueu application as
iegaius numbei of inputoutput poits anu on-boaiu
peiipheials, availability in locality, cost, uevice
aichitectuie, anu the uevice manufactuiei, which also
has a beaiing on its ease of use.|1Sj By taking these
factois into consiueiation, we naiioweu uown to the
PIC18F4SSu miciocontiollei fiom Niciochip
<F
. This is
a 4u-pin 16-bit nanoWatt uevice with S2 kilobytes of
self-piogiammable flash piogiam memoiy, 2S6 bytes
of flash EEPR0N memoiy, S4 inputoutput pins with
inuiviuual uiiection contiol, foui 16-bit timeicountei
peiipheials, 0SBE0SARTI
2
C communications, 12
inteiiupt souices incluuing inteiiupt on poit change
foi RB<4:7>, multiple selectable oscillatoi peiipheials,
foui auuiessing moues, 8-level ueep haiuwaie stack,
anu a laige geneial puipose iegistei pool. It employs
an auvanceu Baivaiu RISC aichitectuie, featuiing 76
single-woiu instiuctions foi wiiting assembly coue foi
18xxx uevices. It iequiies 2 to S v BC anu consumes
less than 2uu A unuei any conuition, with coie speeus
of zeio to 2u NBz valiu foi opeiation.|19j

:::; 1E1<AF "A1:G7 ->71:"A=+<:>71
System Besign iefeis to the piocess of planning a
system so that it functions in accoiuance with a
pieueteimineu concept. This concept will only be
successfully actualizeu by consiueiing numeious
factois (page 2, paiagiaph 4 of |1Sj), some of which aie
uesciibeu below:
!" $%&'&()*'+,)+(, -. /%0,+(&1 /'-)*()+-2 30,)*4,5
These aie outlineu in u 112 to u118 of |4j, the ones
that concein us most aie:
1. Befense in Bepth: This iefeis to the piactice of
placing multiple levels of piotection sub-
systems in sequence along all the piobable
paths that auveisaiies will follow in the facility
to get to the asset. As pieviously mentioneu,
the access contiolanti-intiuuei system
uesciibeu in this papei is to seive as a sub-
system in an alieauy existing physical
piotection system, so it helps the laigei system
to achieve this iequiiement. Bowevei, uefense
in uepth can be incoipoiateu into the sub-
system itself, as will be shown subsequently.
2. Ninimum Consequence of Component Failuie:
This iefeis to the iequiiement that the entiie
physical piotection system at the facility
shoulu not fail as a iesult of the failuie of a
component oi sub-system. Neasuies will be
taken to ensuie that the failuie of the system
uesciibeu in this papei will not ciipple the
entiie physical piotection system at a facility
by making it entiiely inuepenuent so that it can
seive as a ieuunuant system. Bowevei, it will
be shown that a goou choice of haiuwaie
components anu uesign concepts foi the access
contiolanti-intiuuei system can ieuuce the
ouus of total failuie going unnoticeu.
S. Balance with 0thei Consiueiations: An oveiall
balance must be achieveu between the
physical piotection system anu othei
consiueiations such as safety of peisonnel at
the facility, cost of the system, anu stiuctuial
integiity of the facility itself. These thiee
factois in paiticulai have been positively
auuiesseu in the piocess of uesigning the
system.
6" 782()+-2&1 $-2.-'4+)05
A physical piotection system must be uesigneu
with basic functional logic so that it is effective,
efficient, anu easy to use but not necessaiily easy to


4S
figuie out. In the case of electionic systems, the
functions of the usei inteifaces shoulu be
stiaightfoiwaiu, to ieuuce any confusion peitaining to
the opeiation of the system anu thus instill confiuence
in it. Bowevei, the paiticulai mannei in which the
sensois anu actuatois inteiact with the contiol system
shoulu be kept confiuential. The entiie system shoulu
be as eneigy-efficient as possible, because it shoulu be
able to function foi a ieasonable length of time on
batteiy powei, in case the mains supply is unavailable
foi any ieason. All the components that make up the
system shoulu be easy to tioubleshoot anu maintain, so
as to ieuuce uown time in case of bieakuowns.
9" :812*'&;+1+)0 &,,*,,4*2),5
All physical piotection systems must be subjecteu
to vulneiability tests, to juuge how effective they will
be in waiuing off attacks fiom auveisaiies. Some of the
types of attacks that shoulu be consiueieu when
uesigning such systems aie as follows.|16j
1. False Alaiming: This iefeis to the situation
wheie the auveisaiy inuuces ianuom, multiple
false alaims in a system in oiuei to unueimine
its usefulness anu the confiuence placeu in it.
2. Fault analysis: This iefeis to the situation
wheie an auveisaiy, mostly with technically
savvy, makes a system function in an abnoimal
mannei by alteiing its opeiational paiameteis,
in oiuei to obtain useful infoimation that can
be exploiteu. An example is changing the
ambient tempeiatuie aiounu a sensoi.
S. "Poke the System": This iefeis to the situation
wheie an auveisaiy piobes the system without
tampeiing with it anu obseives its iesponses,
in oiuei to obtain useful infoimation. An
example is taking note of how neai one can get
to a motion sensoi befoie it uetects a piesence.
<" 7-'4, -. =>?*',&'+*,5
A few examples of auveisaiies weie given in the
intiouuction, but the point of inteiest heie is the fact
that auveisaiies can come fiom within the facility
oiganization itself, oi at least be aiueu by people within
it. Thus a physical piotection system shoulu be
uesigneu with the possibility that a legitimate membei
of the facility may become an auveisaiy at any time.
|16-18j
0ui concept in this case is an electionics system
that will caiiy out the following geneial functions:
1. Sense the movement of an animate object
alieauy in a piotecteu aiea towaius possible
access points to a vital aiea such as
entiancesexits, uucts, anu winuows, anu ielay
this infoimation to the cential alaim station,
i.e., Betect. This will be achieveu by using
motion uetectois.
2. Sense the piolongeu piesence of an animate
object in close pioximity to an access point to
the vital aiea, anu set off a soft alaim capable
of being heaiu at that point, i.e., Betei. This
will be achieveu by enabling a false alaim time
peiiou once an animate object is uetecteu,
uuiing which a mini piezo-electiic sounuei is
activateu.
S. Nonitoi all possible access points to the vital
aiea, incluuing uesignateu entiancesexits, to
ueteimine when an intiusion occuis oi is
attempteu, anu set off a geneial alaim. This
will be achieveu by the use of
vibiationultiasonic tiansuuceis to uetect
attempteu foiceu entiy, non-magnetic
pioximity switches to ueteimine uooi position
foi likely intiusion, high-intensity siiens to
pioviue a geneial alaim, anu Etheinet
communications to ielay the situation to the
cential alaim station.
4. Nonitoi uesignateu entiancesexits to
authoiize unhinueieu access to peisons
beaiing valiu RFIB tags, anu to keep iecoius of
instances of entiances anu exits foi iefeience
anu analysis puiposes.
The uesiieu system functions stateu above seiveu
as the main guiuelines in cieating a flowchait, which
completely uesciibes the functions of the access
contiolanti-intiuuei system in ielation to the sensois
anu actuatois to be useu in the system. This is shown
in figuie 1. It seives as the basis of the fiimwaie to be
implementeu in oui miciocontiollei of choice, which
was uevelopeu by tianslating the stiuctuie,
instiuctions, anu vaiiables specifieu in the flowchait
into a computei piogiam wiitten in Niciochip NPLAB
assembly language to influence uesignateu outputs in
iesponse to signals fiom uesignateu inputs, on-boaiu
peiipheials, anu changes in inteinal iegisteis. The
pieuominant ieasons foi choosing the PIC 18F4SSu
miciocontiollei weie its piogiam memoiy space, on-
boaiu peiipheial uevices, anu numbei of inputoutput
pins; howevei, this was uone aftei some pieliminaiy
uesign consiueiations. The fiimwaie uevelopment
piocess actually staiteu with the iuentification anu
piocuiement of a motion uetectoi, a vibiation uetectoi,
an Avago BCNS 297S seiial input 8-chaiactei uot-
matiix LEB uisplay |22j, anu an RFIB mouule. The best
fiimwaie ioutines neeueu to iun these uevices hau to
be fiist establisheu by initially woiking with each of
them sepaiately, befoie integiating the ioutines in the
fiimwaie.
The Niciochip NPLAB Integiateu Bevelopment
Enviionment veision 7.S2 was useu to uesign, uebug,
anu simulate the fiimwaie, anu theieaftei inseit it into
the PIC 18F4SSu miciocontiollei via a PICStait Plus
Bevice piogiammei in oiuei to make it a functional
piece of haiuwaie, which is specifically the contiol anu
uata piocessing centei foi all the uevices that
constitute the access contiolanti-intiuuei system. A
stuuy of the miciocontiollei's uata sheet will show that
its peiipheial iesouices aie moie than auequate to
suppoit a fully confoimal implementation of the system
flowchait.|19j To ensuie a low component count foi


46
the system, the fiimwaie was uevelopeu to also iun a
clockcalenuai ioutine in concoiuance with the
multiple functions uesiieu of the access contiolanti-
intiuuei system, which placeu laige constiaints on loop
timing in oiuei to ensuie accuiacy. This was effectively
iesolveu by using flags foi all uesiieu actions, with the
actions actually being manageu within the main
fiimwaie loop containing the clockcalenuai ioutine.
Auuitional flags may in tuin be geneiateu within the
main loop to influence actions within the inteiiupt
seivice ioutine.
It can be obseiveu fiom the flowchait that a
ieasonable level of uefense in uepth has been achieveu
by the piovision of ioutines foi motion uetectois anu
vibiationpioximity sensois in the fiimwaie.
Connecting anu mounting these uevices coiiectly
will inciease the ouus that auveisaiies will have to
uefeat the piotection pioviueu by them in sequence,
staiting with the uetection of motion towaius an access
point, followeu by the uetection of attempteu foiceu
entiy, anu then the foiceu entiy. The uetection of
motion itself tiiggeis a soft alaim at the point of
uetection as well as at the cential alaim station (CAS)
to seive as a ueteiient to the auveisaiies by inuicating
that theii piesence at that location has been obseiveu.
Since at this time the auveisaiies aie not yet at the
access point, a visual confiimation of the piesence of
auveisaiies will allow the iesponse teams ample time
to take action, hopefully befoie any significant uamage
is uone. Auuitional uefense in uepth has been maue
available by the inclusion of a ioutine foi an electiic
uooi stiike, lock, iotating bai oi uooi, which will
noimally pievent access to the vital aiea until
authoiization is gianteu via the RFIB mouule.
The access contiolanti-intiuuei system, even if
useu without ieuunuancy, will have low consequence
of component failuie because piovision has been maue
foi iegulai tiansmission of the status of the system to
the CAS via state of health (S0B) uata, which will
incluue uata about the powei situation of the system.
In auuition, all uevices connecteu to the system pioviue
a uefinite electiical signal when opeiational, thus the
absence of such signals will be inteipieteu by the
system as an alaim conuition.
Piovisions foi minimizing the impact of false
alaims have also been pioviueu in the flowchait. The
CAS is aleiteu when motion uetection occuis in oiuei
foi an assessment of the situation to be maue. Even
when vibiation uetection occuis, the geneial alaim,
which may consist of a numbei of actuatois (stiobes,
siiens) is activateu inteimittently in accoiuance with
the uetectoisensoi signal. A pieueteimineu numbei
of "false" alaims within a fixeu time peiiou will be
inteipieteu by the system as a "poke" anu thus the
geneial alaim will be fully activateu. This time peiiou
shoulu be auequate foi guaius to caiiy out a thoiough
investigation of the situation to asceitain if auveisaiies
may be iesponsible foi it.
Bata peitaining to loginlogout attempts, whethei
successful oi not, aie ielayeu to the CAS foi iefeience
anu analysis puiposes. This may aiu in iuentifying
potential insiuei thieats in a timely mannei.

:@; 1E1<AF :F5CAFA7<+<:>7 ->71:"A=+<:>71
System Implementation iefeis to actual
constiuction, veiification, installation, anu
commissioning of the system. The constiuction of the
system iequiieu the consiueiation of a numbei of
issues in geneial haiuwaie uesign anu implementation
that weie necessaiy to ensuie functional haimony
between the piogiammeu miciocontiollei anu all othei
haiuwaie components specifieu foi the uata loggei on
integiation; fiist on a bieauboaiu foi haiuwaie
tioubleshooting puiposes, anu then onto a PCB. A few
of these consiueiations, in tuin, iequiieu the use of
auuitional haiuwaie components, foi oveiall system
effectiveness anu efficiency.
Even though we opteu to use one of the available
inteinal oscillatoi speeus foi the miciocontiollei, we
chose to also use the ciystal clock option with a speeu
of S2.768 KBz foi the timei 1 mouule, which was
configuieu to iun as a ieal-time clock foi oui
clockcalenuai ioutine. This necessitateu the auuition
of a ciystal of like specification anu two Su picoFaiau
ceiamic capacitois necessaiy to foim a ciystal
oscillatoi, to oui haiuwaie. We also opteu foi noimally
open, spiing-loaueu PCB button switches as oui usei
input inteifaces foi exit iequest by iegulai useis anu
menu-baseu system opeiation foi the auministiatoi of
the system. To avoiu inteifeience fiom electiical noise
uue to floating inputs at noimally open switch contacts,
a simple buffeiing aiiangement using TTL inveitei
gates was useu. This calleu foi the auuition of a 74Lu4
IC to oui haiuwaie.|2uj
A batteiy backeu-up powei souice was ueemeu an
iueal choice foi the uata loggei because the
miciocontiollei's volatile memoiy, in the foim of its
geneial puipose iegisteis, is useu foi keeping all timing
counts. In auuition, the access contiolanti-intiuuei
functions must withstanu fault analysis attacks fiom
auveisaiies, anu uisiupting powei to a facility falls
unuei this categoiy; thus, the miciocontiollei must be
kept poweieu when the system is in use. This
necessitateu the acquisition of a switch-moue batteiy-
backeu powei supply mouule costing $124. Bowevei, a
tiansfoimei powei supply with similai specifications
may be built foi fai less.
The only components vital to the contiol anu uata
piocessing function of the access contiolanti-intiuuei
system aie the miciocontiollei anu RFIB mouule. This
is uesiiable because a low component count impioves
the systems ieliability anu eneigy-efficiency, anu keeps
the complexity of the system, anu hence its
maintenance costs, low; which in tuin will ensuie that
the system stays in faiily iegulai seivice.
The access contiolanti-intiuuei system went


47
thiough some basic tests foi functionality, uuiability,
powei consumption, anu safety. Powei consumption
was founu to be S8 mA while iunning. Beat uissipation
was baiely noticeable, thus no heat sink anuoi fan is
iequiieu foi the system; howevei, vent slots aie
necessaiy in any casing consiueieu foi the system if a
tiansfoimei powei supply is useu, to ensuie it is
auequately cooleu by aii convection. At this stage, the
uata loggei was consiueieu to be veiifieu.|1Sj
The installation anu commissioning of any physical
piotection system is subject to iatification anu
appioval by the iegulatoiy bouy of the state in question
(4.2.4.2. of |9j anu u424 of |4j, thus the access
contiolanti-intiuuei system uesciibeu in this papei
has not yet been installeu. Bowevei, a few factois to
consiuei when caiiying out an installation of this kinu
aie |21j:
1. Integiation with existing system: In oui case,
the system was uesigneu to be inuepenuent of
any existing access contiolanti-intiuuei
system anu thus iequiies no extensive
integiation with existing systems at the facility
wheie it is to be installeu, save foi powei
souices. Stiuctuially the system's contiol unit
is iathei small to constitute much of a
pioblem. Bowevei, safety analysis, especially
in ielation to emeigency pioceuuies will be
caiiieu out in uue couise.
2. Location of system uevices: In oui case, the
system is meant to be installeu at a pie-
existing facility as a ieuunuant electionic
physical piotection system, anu thus the final
positions of all uevices that make up the
system will be easy to locate since the vital
aiea, piotecteu aiea, anu possible access
points aie alieauy known. The unit housing
the miciocontiollei anu RFIB mouule, anu
batteiy backeu-up powei supply shoulu
natuially be installeu in the vital aiea (u 6u1 of
|4j).
S. Secuiity of Installation: Paits of the system
that will be locateu outsiue the vital aiea such
as the motion uetectois, RFIB antenna, anu the
tiansmission sub-system in oui case, neeu to
be piotecteu. In-wall conuuits oi aimoieu
suiface tiunking aie necessaiy foi cables, with
uummy cables auueu as fuithei piecaution
(6.2.16 anu 7.2.16 of |9j).
4. Inclusion of uummy uevices: It is a goou
secuiity system installation piactice to install a
numbei of uummy uevices togethei with the
actual ones, as a iuse to intiuueis.

@; ->7-C?1:>7
The uesign, implementation, anu use of any
physical piotection system oi sub-system involve
piocesses that auuiess the question of how to
effectively piotect assets fiom thieats. This is highly
multiuimensional anu thus makes physical piotection a
bit uifficult because, while an auveisaiy only neeus to
finu anu exploit one vulneiability in a physical
piotection system to succeeu, uesigneis of such
systems must iuentify, unueistanu, anu factoi-in all
possible vulneiabilities. Also, auveisaiies mostly neeu
to attack fiom just one point, while secuiity manageis
must piotect entiie facilities. Anothei seiious
challenge foi physical secuiity is the fact that success is
equateu with non-inciuences, which uoes not peimit
effective costbenefit analysis anu often iesults in
inauequate iesouices being allocateu. Thus, secuiity
buugets uecay ovei time as long as theie aie no
inciuences, theieby affecting the secuiity level, mostly
uue to ieuuceu quality anu quantity of paiu secuiity
peisonnel anu lack of upgiaues to systems to keep up
with technological auvancements. Peisonnel factois
also contiibute a lot to geneial secuiity, thus it is not
auvisable to iely solely on guaius to piotect access
points that aie meiely lockeu.|16j
Since no two facilities aie the same, in oiuei to
piopeily uesign an effective physical piotection system,
uesigneis anu manageis must woik closely togethei,
anu this is easiest when the uesigneis aie an integial
pait of the facility, paiticulaily its engineeiing wing.
Thus, the main objective of this papei is to piomote the
methou of system uevelopment suggesteu heiein,
which may be useu in acquiiing an effective electionic
physical piotection system of a ieasonable level of
sophistication foi oiganizations that aie hampeieu by
low buugets.|1Sj The miciocontiollei, uisplay, RFIB
mouule anu tags, motion uetectoi, vibiation sensoi,
anu all sunuiy items auueu subsequently, cost a total of
$22u (powei supply excluueu). Laboi time was
appioximately 1SS man-houis. Theie may exist pie-
manufactuieu access contiolanti-intiuuei systems
that cost less, but a high level of customization is
inheient in uesigning anu implementing in-house,
which offeis bettei contiol of all ciicumstances that
may aiise subsequently. This methou is highly
iecommenueu, especially in cieating electionic
physical piotection system ieuunuancy. The two main
constiaints iuentifieu aie the ieauy availability of
embeuueu system haiuwaie piogiammeis within the
facility, anu the availability of the uevelopment kits to
effect the uesigns; howevei, making these available
wheie they may be lacking is an investment in the
engineeiing capabilities anu infiastiuctuie of that
facility, anu is highly encouiageu.


48
Start
1. Initialize Device
2. Initialize I/O ports
3. Testrun
4. Clear timer register
1 minute
elapsed?
1. Clear timer register
2. Send SOH data to CAS
3. Increment clock/
calendar
No
Interrupt
encountered?
No
1. Process flags
2. Place Device in
sleep mode with
timer running
RFID? Exit Button?
Vibration
sensors?
Motion
detector?
Determine
Zone
1. Set flag bit for motion
2. Start false alarm
timer for zone
3. Send status to CAS
Enable soft
alarm for zone
False alarm
period up?
Detector still
active?
Enable general
alarm intermittently
Increment false
trigger counter
False trigger
counter=03h?
1. Set flag bit for
possible system fault
Poke
counter=0?
1. Enable general alarm
continuously for fixed period
1. Set flag bit for door/
window vibration
Poke period
up?
Detector/
sensor still
active?
Initialize false
alarm timer
Decrement
poke counter
No
No
No
No
No
RFID flag
set?
Entrance Exit
Zone?
Display time
Invalid code?
1. Set flag bit for RFID
1. Disable Door
Strike
2. Enable buzzer
3. Start door timer 1
4. Send status to
CAS
Door open?
Door timer 1
period up?
1. Enable door strike
2. Disable buzzer
1. Initialize
door timer 1
2. Disable
buzzer
3. Start
door timer 2
Door closed?
Door timer 2
period up?
1. Send
message
via display
2. Send
status to
CAS
1. Send
message
via display
2. Set or
Clear login
flag bit for
the user
3. Send
status &
data to
CAS
Send status
to CAS
Door closed?
Enable buzzer
1. Disable buzzer
Enable
door strike
No No
No No
No
No No
No
No
No
No
No
No
Proximity
sensors?
No
Set flag bit for
door/window
intrusion
Poke period
up?
1. Start poke timer for zone
2. Initialize poke counter
No

Figuie 1 - Flowchait foi the access contiolanti-intiuuei system.


49
=A9A=A7-A1

1. @8(1*&' A*''-'+,4B Repoit by the Biiectoi-
ueneial to the 46
th
Regulai Session of the
ueneial Confeience of the IAEA (Items 2,S,
21, 28 anu 29 of the Activity Aieas); vienna,
Austiia, 12
th
August 2uu2.
2. =,044*)'+(&1 3&;-)&C* A&()+(,B @8(1*&'
7&(+1+)+*,DE&)*'+&1, &2> :812*'&;+1+)0
&2&10,+,B }. B. Ballaiu, N0NAT Confeience
Pioceeuings; Salzbuig, Austiia, u8 - 1S
Septembei 2uu2.
S. @8(1*&' 3*(8'+)0 F*G-') 6HHI J E*&,8'*, )-
/'-)*() &C&+2,) @8(1*&' A*''-'+,4B Repoit by
the Biiectoi-ueneial to the S2
nu
IAEA Boaiu
of uoveinois ueneial Confeience (Items 1
anu 18); vienna, Austiia, 22
nu
August 2uu8.
4. IAEA-TECB0C-967 (Rev. 1).uuiuance anu
Consiueiations foi Implementation of
INFCIRC22SRev.S, The Physical
Piotection of Nucleai Nateiials anu
Facilities
S. K2)*'2&)+-2&1 3)&2>&'> .-' L*,+C2 M&,+,
A%'*&) NLMA"B }. Blankenship, N0NAT
Confeience Pioceeuings; Salzbuig, Austiia,
u8 - 1S Septembei 2uu2.
6. @8(1*&' A*''-'+,4 /-)*2)+&15 F*,*&'(%
F*&()-', ?, /-O*' F*&()-',P (Page 7
Paiagiaph 4)B u. Bunn et al, N0NAT
7. K2)*'2&)+-2&1 A*''-'+,), A%'*&) )- @8(1*&'
7&(+1+)+*, (Page 7)B C. Biaun et al, N0NAT
8. Q2%&2(*> /%0,+(&1 /'-)*()+-2 E*&,8'*, &2>
)%* =C*2(0R, /1&2 -. =()+-2 .-' /'-)*()+-2
&C&+2,) @8(1*&' A*''-'+,4B T. Rauf,
piesenteu at the 2uuS NPT PiepCom, 6
th

Nay 2uuS.
9. K=Q=SK@7$KF$D66TDF*?U <U
1u. $-4G-2*2), $&)&1-C8*, RS components
website. |0nlinej. Available: http:www.is-
components.com
11. E+('-(%+G
AE
$&)&1-C8*, Niciochip
TN
website.
|0nlinej. Available:
http:www.miciochip.com
12. =2 K2)'->8()+-2 )- /K$ E+('-(-2)'-11*',B R. A.
Penfolu, Beinaiu Babani Ltu, 1997.
1S. K2)*C'&)+2C V&'>O&'* &2> 3-.)O&'* .-' )%*
L*?*1-G4*2) -. E+('-(-2)'-11*'S;&,*>
30,)*4,B A. B. u. Al-Bhahei, Elseviei Science
}ouinal, Niciopiocessoi anu Niciosystems
2S (2uu1), pages S17 - S28.
14. K2)'->8()+-2 )- Q4;*>>*> 30,)*4,B Wiki
website. |0nlinej. Available:
http:en.wikibooks.oigwiki
1S. @8(1*&' E&)*'+&1, &2> 7&(+1+)+*, J 3*(8'+)0
30,)*4, &2> A*(%2-1-C0 F W L A'*2>,B B.
Ellis et al, N0NAT Confeience Pioceeuings;
Salzbuig, Austiia, u8 - 1S Septembei 2uu2.
16. Q..*()+?* :812*'&;+1+)0 =,,*,,4*2), .-'
/%0,+(&1 3*(8'+)0 L*?+(*,X 30,)*4,X &2>
/'-C'&4,B R. u. }ohnston et al, N0NAT
17. =2 K2)*C'&)*> =GG'-&(% )- =>&G) /%0,+(&1
/'-)*()+-2 )- )%* @*O K2)*'2&)+-2&1
A*''-'+,4 A%'*&),B F. Steinhauslei et al,
N0NAT Confeience Pioceeuings; Salzbuig,
Austiia, u8 - 1S Septembei 2uu2.
18. @8(1*&' 3*(8'+)0 3*'+*, I J /'*?*2)+?* &2>
/'-)*()+?* E*&,8'*, &C&+2,) K2,+>*' A%'*&),U
19. E+('-(%+G
AE
/K$!I7<TTH L&)& 3%**)U
2u. /'&()+(&1 Q1*()'-2+(, V&2>;--Y N6
2>
Q>+)+-2"B
I. Sinclaii, Beinemann Newnes, 1988.
21. @8(1*&' 3*(8'+)0 3*'+*, < J Q2C+2**'+2C
3&.*)0 =,G*(), -. )%* /'-)*()+-2 -. @8(1*&'
/-O*' /1&2), =C&+2,) 3&;-)&C*U
22. =?&C- V$E3S6Z 3*'+*, L-)SE&)'+[ \QL
L+,G1&0 L&)& 3%**).


Su

"# $%&'()*+ $+,*%-, ./)0 1%&/',% #2 34*(#5+67

Nichael Coole anu Baviu }. Biooks

School of Computei anu Secuiity Science, Euith Cowan 0niveisity
m.cooleecu.euu.au anu u.biooksecu.euu.au

81$9:8;9
Secuiity is implementeu to mitigate an oiganisation's iuentifieu iisks, linking layeieu
elements into a !"!#$% to pioviue counteimeasuie by the functions of uetei, uetect,
uelay, iesponse anu iecoveiy. Foi a system to maintain its effectiveness these functions
must be efficaciously peifoimeu in oiuei; howevei, such systems may be pione to uecay
leauing to secuiity failuies. This stuuy useu a thiee-phase qualitative methouology to
uevelop an entiopic theoietical founuation anu to piesent a mouel of entiopic secuiity
uecay.

Secuiity uecay is uefineu as uegiauation of the micioscopic constituents piopagating
thiough the secuiity system as a iesult of knowleuge, cultuial oi economic factois.
Secuiity management shoulu be piimaiily conceineu with managing the entiopic
piocesses against commissioneu secuiity system levels; howevei, when uecay occuis it
is as a bottom-up factoi. This stuuy suggests secuiity contiols shoulu be measuiable
anu be uesigneu, applieu, anu manageu to maintain secuiity system efficacy.

!"# %&'()* '$()"* $+#,-."* /$0$+($12+1/$.#3* 4)"$,$/ !$(5,2#"* !"!#$%* .3"!2()4 !$(5,2#"*
!$(5,2#" %)+)6$%$+#

<=9:>"?;9<>=
Secuiity iisk management may be implementeu in an open system appioach, using
the stiategy of uefence-in-uepth (BiB). Neveitheless, it is pioposeu that BiB stiategies
can be impeueu by the chaiacteiistics of uisoiganization anu uecay unueipinning
entiopy. Foi an oiganisation to maintain a sounu secuiity piofile, all BiB elements anu
theii constituents must be maintaineu at theii optimum level of commissioning
peifoimance. This stuuy aigues that the scholaily aiea of Secuiity Science shoulu uiaw
on the concept of entiopy to establish the concept of secuiity uecay. Secuiity uecay
iesults in a ieuuction in oveiall system peifoimance, which coulu be avoiueu thiough
effective iisk iuentification at the uesign stage, anu the active monitoiing anu ieviewing
of tieatment stiategies.

1/&@A(#'4B #2 *C% ,*'B+
0nueiwoou stateu that "the piovision of effective secuiity is paiauoxically the fiist
step towaius uecay, as an effective system will not only iepel successful attacks, but also
pievent the attacks being maue . an illusion is then cieateu that the establisheu
secuiity is unnecessaiy suggesting uecay will follow until the uegiee of secuiity falls to
the point wheie an attack will succeeu" (1984, pp. 249-2Su).
________________
*Euitoi's Note: Be suie to see the ievieweis' comments at the enu of the iefeiences.

S1
Eaily liteiatuie on the concept of secuiity uecay suggesteu that the cause was the
attituue of apathy, which leu to pooi compliance to secuiity pioceuuies (NcCluie,
1997). Neveitheless, uecay is a fai bioauei concept, anu has to encompass the whole
secuiity system anu its inteiielateu constituents. In auuition, exteinal factois such as
the enviionment anu uynamic thieats also affect the secuiity system. Each of these
inteinal anu exteinal constituents is pione to some uegiee of uecay. Foi example, if.
the opeiatoi ieceives many false intiusion alaims, theii tiust in the system will
uiminish to a point wheie they will be unlikely to assessuisciiminate an actual
tiue alaim event.
a uetectoi fails, physical uelay is significantly ieuuceu oi eliminateu as an
effective measuie.
an attackei gains access to fiieaims, the ability to countei-iesponu by the guaiu
foice will be significantly ieuuceu.
a secuiity inciuent occuis, then iesouices aie likely to be uiiecteu towaius that
latest bieach, taking the focus away fiom othei paits of the secuiity system
(Smith & Biooks, 2u1S, p. 47) which may iequiie gieatei attention.
theie is a cultuial view that the oiganisation is not exposeu to a given thieat,
then it won't be piepaieu foi that thieat.
the secuiity managei uoes not unueistanu the secuiity system anu how small
changes may affect the gieatei system, seiious secuiity inciuents may occui.

Secuiity uecay is often misunueistoou so that aftei an inciuent, the immeuiate
ieaction is often to inciease the establisheu secuiity iesouices. Bowevei, this ieaction
is not usually necessaiy, as all that may be iequiieu is the ie-establishment of the
uesigneu oi commissioneu level of piotection. Responuing to uecay in this fashion
iesults in secuiity becoming ieactive, iathei than being pioactive. Thus, iesouices aie
useu ineffectively to pioviue au-hock oi a piece-meal secuiity mitigation stiategies
(Smith & Biooks, 2u1S, p. 47). Conceptually this view was suppoiteu in the woiks of
uaicia, who wiote "it is unlikely that a complex system will evei be uevelopeu anu
opeiateu that uoes not expeiience some component failuie ... it is impoitant to know the
cause of component failuie to iestoie the system to noimal opeiations" (2uu1, p. S9).
Theiefoie, unueistanuing the secuiity system as a !"!#$% anu its likely uecay factois
will leau to impioveu secuiity.

$*'B+ >DE%&*)F%,
The objectives of this stuuy weie to piesent a mouel that uevelops the concept of
$+#,-.2( !$(5,2#" /$()", establishing wheie secuiity uecay integiates into the secuiity
iisk management cycle anu stimulating acauemic uiscouise into the concept of secuiity
uecay. To achieve these objectives, a uisciete Reseaich Question was put foiwaiu,
namely:
'- !$(5,2#" $7.$,#! !5..-,# #3$ #3$-,$#2()4 8)42/2#" -0 $+#,-.2( /$()" #3$-,"* 932(3
!#)#$! #3)# !$(5,2#" /$()" 2! ,$.,$!$+#$/ :" #3$ /$6,)/)#2-+ -0 #3$ %2(,-!(-.2(
;5)+#2#2$! <(-+!#2#5$+#!=* )+/* -,* #3$ 6,)/5)4 /$6,)/)#2-+ 2+ #3$ ,$4)#2-+!32.
:$#9$$+ #3$ %2(,-!(-.2( )+/ %)(,-!(-.2( ;5)+#2#2$! 92#32+ ) !$(5,2#" !"!#$%>

In auuition to the piimaiy Reseaich Question, a numbei sub-questions weie
auuiesseu. These sub-questions consiueieu whethei secuiity expeits suppoit the
systems appioach to implementing effective secuiity contiols, whethei secuiity systems
suffei fiom uecay, anu if expeits suppoit the view that secuiity uecay lies within the

S2
system constituents anu theii inteiielationship. Finally, a secuiity management system
was put foiwaiu to allow the uevelopment of system metiics that can moie ieauily
measuie the peifoimance level of secuiity systems.

$9?"G "3$<H=
A thiee-phase qualitative appioach incoipoiating a Belphic poll was auopteu to
exploie the concept of secuiity uecay fiom a systems appioach (figuie 1), making
iefeience to ielevant theoiies anu laws. Such an innovative appioach was consiueieu
the most appiopiiate ovei moie tiauitional methouologies, as at this stage the bouy of
knowleuge encompassing the concept of secuiity uecay is still ielatively new.

Phase-one
Literature Critique
Develop the foundation of
Security Decay
Phase-two
Expert Interviews
Test the studys foundation
using Delphi iterations with
experts
Phase-three
Interpretation
Validate the previous
Phases

Figuie 1 - Stuuy uesign, using a thiee-phase uevelopmental appioach

Phase-one involveu ueveloping a conceptual liteiatuie benchmaik foi fiaming
secuiity uecay by uiawing on theoiies, incluuing the stiategy of uefence-in-uepth (BiB)
anu ueneial Systems Theoiy (uST). Phase-two useu semi-stiuctuieu expeit inteiviews
using the Belphi technique to obtain the paiticipant's thoughts anu unueistanuing of
secuiity uecay within a systems appioach to implementing effective physical secuiity,
wheie tiansciipts weie analyseu foi unueilying themes. The Belphi technique is a
stiuctuieu communication appioach, uevelopeu as a systematic anu inteiactive foiecast
methou that uses a panel of expeits who answei questionnaiies in two oi moie iounus.
Aftei each iounu, the ieseaichei pioviues an anonymous summaiy of the expeits'
foiecasts fiom the pievious iounu to encouiage ievision to theii eailiei answeis.
Finally, Phase-thiee pioviueu a iesponse to the poseu Reseaich Question baseu, in-pait,
on the pioceeuing phases. Themes weie iuentifieu by uiawing on key woius anu
phiases in paiticipants' iesponses.

Secuiity expeits weie soliciteu to paiticipate in the stuuy, foiming a non-piobability
sample (N=9) that incluueu a pilot panel anu two ieseaich panels. As highlighteu by
Biooks (2u1u), expeit paiticipants weie selecteu baseu on the ciiteiia that they weie

SS
employeu oi soliciteu to pioviue secuiity knowleuge auvice acioss the vaiieu secuiity
ielateu occupations. In auuition, selection was baseu on theii extensive knowleuge,
expeiience, occupation, euucation, tiaining, anu that otheis peei ieveieu theii
piofessional opinion within the multi-uisciplineu secuiity inuustiy.

:%0)/D)0)*+ /4B F/0)B)*+
This stuuy useu a numbei of contiols to ensuie ieliability anu valiuity. These contiols
incluueu the piinciple of tiiangulation, with uata inputs fiom multiple paiticipant
souices. Expeit paiticipants foimeu ieseaich panels, wheie consistent views weie
ieflecteu anu consensus achieveu to uemonstiate a high level of confiuence to infei
suppoit of the coie themes anu piinciples.

Tiiangulation was also useu to establish consensus suppoit to each sepaiate panel of
expeits. Nembei checking was incoipoiateu into the panel uesign, wheie uuiing the
seconu iounu feeuback piocess, each paiticipant was piesenteu with a tiansciipt of
theii inteiview iesponses. Fuitheimoie, each panel paiticipant was askeu whethei
they suppoiteu the inteipietations uiawn fiom the uata, anu weie pioviueu with the
oppoitunity to iesponu to these inteipietations. This appioach aimeu to establish a
level of tiust towaius the inuuctive analysis piioi to moving foiwaiu to the ueuuctive
analysis phase.

8 9I3>:39<;8J .>?="89<>= 9> "3K3J>L $3;?:<9G "3;8G
Phase-one exploieu the liteiatuie in oiuei to uevelop a theoietical founuation of
secuiity uecay fiom the peispectives of uefence-in-uepth (BiB) anu ueneial Systems
Theoiy (uST) (Beitalanffy, 19Su). The concept of secuiity uecay is a significant iisk to
any secuiity piogiam (0nueiwoou, 1984); howevei, theie has been iestiicteu ieseaich
conuucteu into this aiea anu this pioviues limiteu insight. Neveitheless, 0nueiwoou
(1984, p. xi) states that it is "impoitant that secuiity is seen as a whole, both uesigneu
anu opeiateu as a system". As uaicia (2uu1, p. 6) stateu, BiB shoulu be implementeu in
secuiity management using a systems appioach. Such views inuicate that secuiity
shoulu be uesigneu, implementeu, anu manageu as a system.

The systems appioach in management anu a lessei uegiee, secuiity, is a well
suppoiteu concept. Theiefoie, it is ieasonable to aigue that any uiscussion in ielation
to a holistic appioach to secuiity uecay must consiuei a systems appioach. That is, a
holistic appioach to secuiity uecay must encompass both the piocesses in establishing
the system anu the ongoing management piocesses that aim to ensuie the system
ieliably ueliveis, ovei time, the output foi which it was commissioneu. This stuuy
suppoits the concept of secuiity uecay; howevei, we aiegue that the concept of secuiity
uecay must be consiueieu, uefineu, anu applieu congiuous with the systems appioach
useu to employ the stiategy of BiB.

BiB has been applieu to the piotection of assets foi centuiies, baseu on the aigument
that a piotecteu asset shoulu be encloseu by a succession of baiiieis that iestiicts
penetiation of unauthoiiseu access to pioviue time foi an appiopiiate iesponse (Smith,
2uuS, p. 8). Such baiiieis must encompass the physical, technological, anu human
element. The pieventative functions of BiB may be consiueieu as uetei, uetect, uelay,
iesponse (B
S
R) anu iecoveiy, implementeu systematically to achieve a uesiieu level of

S4
secuiity. As such, ueneial Systems Theoiy (uST) pioviues a salient suppoiting stiategy
to BiB.

H%4%(/0 $+,*%-, 9C%#(+
ueneial Systems Theoiy (uST) is the inteiuisciplinaiy stuuy of a system, with the
foimulation anu ueuuction of piinciples. These piinciples "apply to systems in geneial,
whatevei the natuie of theii component elements, oi of the ielations oi foices between
them" (Beitalanffy, 19Su, p. 1S9). In applying a system appioach to BiB, uaicia (2uu1,
p. 6) uefines a system as an "integiateu collection of components oi elements uesigneu
to achieve an objective accoiuing to plan". Bowevei, theie aie many uiffeient types of
systems (Niugley, 2uuS, p. xix) with a numbei of uictomies, each uiawing attention to
paiticulai aspects of systems thinking (Baiton & Baslett, 2uu7, p. 1S1) The most
significant uevelopment in scientific methou towaius systems thinking has aiisen fiom
the open veisus closeu uictomy.

Closeu systems aie those consiueieu isolateu fiom theii enviionment, meaning
conciete systems (Niugley, 2uuS, p. 182). Foi a closeu system, whatevei mattei-eneigy
happens to be within that system is finite anu ovei time, that eneigy giauually becomes
uisoiueieu. Closeu systems theoiy theiefoie emphasises the tenuency towaius
equilibiium (Keien, 1979, p. S12), wheie accoiuing to the laws of theimouynamics,
closeu systems attain a time-inuepenuent equilibiium state, with maximum entiopy anu
minimum fiee eneigy (Beitallanffy, 19Su, p. 2S).

In contiast, othei systems aie not isolateu fiom theii enviionment. Accoiuing to
Bittel (1978, p. 11Su), open systems theoiy consiueis the system's inteiaction with its
enviionment as ciucial to the auoption anu evolution of complex systems. Keien (1979,
p. S16) explains that open systems uepenu on theii enviionment foi iesouices anu aie
constiaineu by its influence. Foi an open system, the ability to change in iesponse to
enviionmental piessuies ensuies the system's long-teim viability. In contiast to closeu
systems that eventually attain a time-inuepenuent equilibiium state, an open system
may attain (ceitain conuitions piesumeu) a stationaiy state wheie the system iemains
constant as a "whole", iefeiieu to as a steauy state conuition (figuie 2) (Beitalanffy,
19Su, p. 2S).

Figuie 2 - Example of a steauy state system (aveiage conuition) ovei time (Piuwiiny,
2uu6).

While in a closeu system, the final state uepenus on the components given at the
beginning of the piocess, steauy state systems (open systems) show equifinality (figuie
S), wheie the initial state can change as eneigy inputs change. As such, if a steauy state
is ieacheu in an open system, it is inuepenuent of the initial conuitions anu ueteimineu
by the system's paiameteis (Beitalanffy, 19Su, p. 1S8). Foi example in figuie S, path A
commences with a high eneigy input ieaching a high point; howevei, as the system's

SS
eneigy inputs aie ieuuceu, that is, constituent paiameteis ieuuceu, its level of output is
also ieuuceu ieaching a steauy state conuition baseu on the mean eneigy inputs. In
contiast, paths B anu C commence with lowei oi negative eneigy inputs.

Foi a BiB system, as the inuiviuual constituent paiameteis that achieve the elements
of uetect, uelay anu iesponse inciease, the systems macio-state output inciease. As
constituent levels ueciease, so uoes the macio-output of the system. Change, accoiuant
with the piovision oi ieuuction of iesouices makes open systems, anu specifically
physical piotection systems, scalable. Theiefoie accoiuant with the piinciple of
equifinality, the system may be tuneu to uelivei a highei oi lowei output, oi maintaineu
at a pieueteimineu level accoiuant with the peiceiveu thieat uiiving the system.

Figuie S - System equifinality (Beitalanffy, 1968, p. 14S).
Theie aie uiffeient possible paths to the same state.

Accoiuing to Checklanu (1981, p. 8S), the steauy state in an open system may cieate
anuoi maintain a high uegiee of oiuei. Steauy states in open systems aie not uefineu
by maximum entiopy, but by the appioach of minimum entiopy piouuction. Entiopy is
a concept ueiiveu fiom a metiic, uefineu as a measuie of uisoiuei in a system anu a
piocess chaiacteiiseu with uecay, uisintegiation, iunning uown anu becoming
uisoiueieu (Bohm & Peat, 2uuu, p. 1S7; Beiman, 1999, p. 86; Beitalanffy, 1968, p. 42).
In all iiieveisible piocesses, entiopy must inciease (Beitalanffy, 1968, pp. 41-42). Foi a
system, as entiopy incieases its (entiopy level) capability uecieases, baseu on the
aigument that systems iely on oiuei anu cohesion.

9C% ),#-#(5C),- #2 %4*(#5+
Entiopy as a concept is a state function of a system (Roos, 1997, p. S), a uesciiption of
the system in teims of its piopeities at any instant of time. When a system changes
fiom one state to anothei, the uiffeience in piopeities uepenu solely on the states anu
not on the mannei oi pathway by which the change occuiieu. Accoiuing to Niugley
(2uuS, p. S9), tiauitional physics only ueals with closeu systems, anu as such, physicists

S6
aigue the laws of theimouynamics only apply to closeu systems, in paiticulai, the
seconu law (Entiopy law) (Beitalanffy, 1968, p. S9). Foi example, as a closeu system
moves towaius equilibiium, eneigy is conveiteu to woik; howevei, as it appioaches
equilibiium the available eneigy uecieases, eventually iemoving the systems capability
until the system is ieeneigizeu.

The concept of entiopy has been seen as a founuational concept in contempoiaiy
systems theoiy. Although the teim oiiginateu in the fielu of theimouynamics, it has
both theoietical anu mathematical inteipietations, as well as wiuespieau applications
in othei uisciplines (Byeon, 2uuS, p. 224). Accoiuing to Byeon (2uuS, p. 224), a laige
numbei of useful teims anu concepts have been tianspoiteu into othei uisciplines fiom
theii oiiginal uiscipline. Since its oiiginal inception by Clausius in classical
theimouynamics, entiopy has witnesseu a seiies of subsequent incainations. As such,
the teim "entiopy" can be useu as long as it is qualifieu by a piefix, as in "social entiopy"
(Bailey, 199u citeu in Byeon, 2uuS, p. 224). This piefix enables vaiious isomoiphic
applications of entiopy to be uiffeientiateu fiom Clausius' entiopy, oi Boltzmann's'
entiopy, oi biological entiopy, oi any othei concept which lacks a ceitain piefix.

The concept of entiopy is becoming incieasingly populai anu useu to uiscuss the state
of vaiious systems. Foi example, the seconu law of theimouynamics has been applieu
to many uomains incluuing infoimation secuiity (King, 2uu8), oiganisational systems
(Lovey & Naukaini, 2uu7), combat systems (Beiman, 1999), communications, biology,
economics, sociology, psychology, political science anu ait (Rifkin, 1982, p. 26S).
Entiopy is a concept conceiveu to uiscuss the uegiauation anu uisoiuei within a system
ielating to a systems ability to caiiy out woik.

"%F%0#5)4A %4*(#5)& ,%&'()*+ B%&/+
Accoiuing to King (2uu8, p. 1), "secuiity system uegiauation is the iesult of such
systems suffeiing fiom natuial entiopy". Bonkasalo (1998, p. 1S6) explains that
uegiauation measuies the iiieveisible inciease of entiopy, which is the amount of
usefulness lost. That is, a secuiity system is only as effective as its paits; when a single
pait fails, this failuie can cause uegiauation within the total system (Konicek & Little,
1997, p. 184: King, 2uu8, p. 1). uaicia (2uu6) concuis, suggesting that system
effectiveness can become uegiaueu thiough the ieuuction in effectiveness of inuiviuual
components. As entiopy incieases, capability uecieases as systems iely on oiuei anu
cohesion (Smith & Biooks, 2u1S, p. 47), anu a secuiity system is no uiffeient.

Even the most effective systems will ueteiioiate ovei time anu with use (Bowlet,
199S, p. 222). The isomoiphic application of entiopy to BiB oi a Physical Piotection
System (PPS) is suppoiteu by Lovey anu Nanohai (2uu7, p. 99), who asseit that vaiious
systems suffei fiom entiopy. The application of the seconu law of theimouynamics,
specifically the concept of entiopy to a PPS, ieintiouuces the concepts of uegiauation
anu uecay into secuiity. System uegiauation iesults fiom entiopy piouuction, which
ieuuces the efficiency anu effectiveness within a system that impeues its output goal
(Bohm & Peat, 2uuu, p. 1S7).

In contiast to closeu systems, open systems that have the appiopiiate feeuback oi
eneigy input will have uecieasing entiopy. Such systems, with minimum entiopy
piouuction, aie geneially stable anu pioviue a consistent output piouuct. Neveitheless,

S7
if one of the system's vaiiables is negatively alteieu, the system manifests coiielating
changes in the opposite uiiection (Beitalanffy, 19Su, p. 26). This piopeity of open
systems is in-line with Loienz's (196S) finuings anu the "Butteifly" metaphoi.

Theiefoie, it is aigueu that the macio state of a BiB system is iecogniseu as an
expiession of the aveiage of the miciostate vaiiables collectively, wheie changes in
miciostates (constituent elements) uiiectly affect the macio state. Such a piocess is
baseu on the uefinition of entiopy offeieu by Bohm anu Peat (2uuu, p. 1S7), wheie
uisoiuei within anu between elements incieases, uecay incieases, anu capability
uecieases, uemonstiateu by the !"!#$%! $00$(#28$+$!! equation (1):

System effectiveness = capability (1)
entiopy

(Coole & Biooks, 2uu9, p. 22).

Foi example if the uegiee of iisk mitigation uecieases, that is, the inuiviuual
constituents which combine to achieve specific outputs of the piotection system uecay,
then the ability of the physical piotection oi iesponse constituents to countei its
commissioneu thieat level is uegiaueu. Foi the system to maintain its commissioning
levels of effectiveness (countei the thieats which pose a iisk), it must be pioviueu with
the appiopiiate feeuback (eneigy inputs) to ensuie the level of output capability foi the
system is equal to oi exceeus the effects of natuial entiopy at the constituent level.

M%/,'()4A B%&/+ )4 5C+,)&/0 ,%&'()*+ ,+,*%-,
In applying a systems appioach to physical secuiity, entiopy is an iuea boin fiom
classical theimouynamics. As such, entiopy is a quantitative entity iathei than
something intuitive anu shoulu theiefoie be uefineu thiough an equation. To apply a
quantitative appioach to physical secuiity, this stuuy uiew on the woiks of uaicia
(2uu1, p. 246) who explaineu that the effectiveness measuie of a Physical Piotection
System (PPS) is the piinciple of timely uetection. Theiefoie, the macio-state of a PPS
can be iepiesenteu as its piobability of inteiiuption (Pi), wheie Pi is the piobability of
inteiiuption oi the cumulative piobability of uetection when theie is enough time
iemaining foi the iesponse foice to inteiiupt the auveisaiies.

Entiopy can be quantitatively measuieu foi a BiB system using the Estimateu
Auveisaiy Sequence Inteiiuption (EASI) equation (2) to quantitatively iepiesent a
systems commissioning oi opeiational macio-state level (uaicia, 2uu1). Accoiuant with
the piemises of systems theoiy, EASI quantitatively piesents the vaiious ielationships
among the constituents anu elements peifoimance measuies within PPS.

P(I) = P(B1) ! P(C1) ! P (RA1) + !
!
!!!
(RAi) P(Ci) P (Bi) !
!!!
!!!
1 ! P(Bi)) (2)

EASI mathematically uemonstiates the ielationship among the peifoimance
measuies of the PPS constituents (table 1). Foi a PPS, the highei the piobability of
inteiiuption (Pi), the lowei the chances of a successful penetiation; wheieas, the lowei
the Pi, the highei the chances of penetiation (uaicia, 2uu1, p. 246).


S8
EASI measuies aie the cumulative sum of the vaiious sub-systems within a PPS,
wheie accoiuant with the piinciples of system theoiy any changes in these inputs have
an oveiall effect on the output of the piobability of inteiiuption. Theiefoie, congiuous
with the piinciples of ueneial Systems Theoiy, changes in the vaiious sub-system's
miciostates have a uiiect effect on the PPS's macio-state.

Table 1 - The Estimateu Auveisaiy Sequence Inteiiuption (EASI) components.
Component Besciiptoi
Ps Piobability that inuiviuual uetection constituents will sense
abnoimal oi unauthoiiseu activities
Pt Piobability that the alaim inuication will be tiansmitteu to an
evaluation oi assessment point
Pa Piobability of accuiate assessment
PB
1
Piouuct of the piobability that the uetection constituents will sense
abnoimal oi unauthoiiseu activities, Pu iepiesents the element of
uetection

P(C) Piobability of guaiu communication
P(A) Piobability of alaim
Nean anu stanuaiu ueviation of uelay time
Nean anu stanuaiu ueviation of iesponse time
P(R | A) Piobability of iesponse foice aiiival piioi to enu of auveisaiy's
action sequence, given alaim
1
To account foi an auveisaiy getting to the next layei along theii path, EASI uiaws on the piobability of
non-uetection (PI) with a vaiiation wheie the sensoi is locateu ielative to path uelay measuies, with PI =
1-PNB.

8&C)%F)4A / ,*%/B+ ,*/*% 5C+,)&/0 5(#*%&*)#4 ,+,*%-
The application of the Estimateu Auveisaiy Sequence Inteiiuption (EASI) mouel
within an open systems facilitates the measuiement of a physical secuiity piogiam,
wheie the combineu elements of uetect, uelay, anu iesponse pioviue a secuiity system's
macio-state measuie. That is, EASI pioviues the means of measuiing the system's
stable conuition stemming fiom the systematic piocess which combines people,
equipment, anu pioceuuies. Bowevei, accoiuing to 0lzak (2uu6, p. 1), "which secuiity
layeis to implement anu to what extent is a iisk management uecision". That is, the
total cost of the secuiity system is ueteimineu within the stiategy of BiB. The uegiee of
secuiity contiol iequiieu to achieve the amount of time uelay juugeu necessaiy aftei
uetection to facilitate an appiopiiate iesponse in ielation to the iisk of the asset being
piotecteu (Post, Kingsbuiy & Schachtsiek, 1991, p. 89; uaicia, 2uu1, p. 272), which must
be implementeu in a mannei which achieves a steauy state (stable) iisk ieuuction
system.

NcCluie (1997, p. 4) consiueieu that an effective secuiity state exists when the level
of iisk exposuie is ieuuceu, thiough vaiious means, to a level that is acceptable to the
oiganization. Such iisk mitigation can be achieveu thiough a secuiity iisk management
stiategy. Secuiity iisk management can be iepiesenteu in many ways, although one
such methou is with the use of thieat, vulneiability, anu ciiticality components (S)
(Stanuaius Austialia, 2uu6). This appioach establishes the secuiity iisk management


S9

context as a combination of a thieat assessment, vulneiability ieview, anu ciiticality
iegistei.

Risk = thieat x vulneiability x ciiticality (S)

Fuitheimoie, uaicia (2uu1, p. 272) consiueis iisk may be uefineu thiough equation
(4). Likelihoou consiueis the piobability of an attack, the cuiient level of vulneiability
within the secuiity system, the effectiveness of the iesponse foice to countei the
attackei in a timely mannei, anu the consequence of the attackei achieving theii goal.

Risk = PA |1-(PI)j C (4)
Wheie:
PA = Likelihoou (thieat) of an auveisaiy attack measuieu between u anu 1.
1 = vulneiability measuieu between u to1.
PI = Piobability of inteiiuption measuieu between u anu 1.
C = Consequences (ciiticality) value measuieu between u anu 1.

This stuuy aigues that in a quantitative appioach to secuiity the ielationship can be
summaiiseu with the sum (2) of uetei, uetect, uelay anu iesponu (B
S
R) ovei iisk (S) to
piouuce the final equation foi secuiity (Sj. Foi an effective state of secuiity to be
achieveu, a secuiity system must uemonstiate effectiveness in iesponse to a facility's
analyseu iisk level accoiuant to its uefineu thieat (uaicia, 2uu6, p. Su).

!"#$%&'( !
!!"
!"#$ !!!"#$ !!"#$%&'()#)*+ !!"#$#%&'#$(
(S)

uaicia (2uu1, p. 277) explains the iisk equation (4) anu Piobability of Inteiiuption
(Pi) enables effective cost-benefit uecisions to be maue towaius implementing secuiity
contiols, which ieuuces an oiganisation's iisk to an acceptable level. Foi example,
figuie 4 piesents an open system with the level of implementeu secuiity baseu on the
iisk equation anu PPS system peifoimance measuies, whilst being cognizant of
maintaining a ueteiient value uuiing uaily system fluctuations. Congiuent with the
objectives of open systems (Bonkasalo, 1998, p. 1SS), the oveiall aim of a PPS is to
ieach a steauy state conuition wheie the flow of eneigy is constant anu the inciease of
entiopy is minimal. Such a steauy state conuition implies an exchange of eithei mattei
oi eneigy within the enviionment (Roos, 1997, p. 6), which is a balance of inputs,
outputs anu inteinal piocesses, anu the system is stable to piouuce what it was
commissioneu to achieve.

In contiast to an effectively maintaineu steauy-state secuiity system (figuie 4)
consistent with the piinciple of equifinality (figuie S), figuie S inuicates the effects
entiopy has within the BiB system. Entiopy effect the systems macio-steauy state
conuition in ielation to its commissioneu iisk ieuuction level. In figuie S, the level of
implementeu piotection has uecieaseu baseu on contiol constituent ieuuctions at the
micio level ieuucing total system efficacy as a system, yet the system still intuitively
piesents a steauy state conuition.


6u
Figuie 4 - Effective implementeu secuiity levels. (Auapteu fiom 0nueiwoou 1984;
Naitin, 2uuu, p. 21u; uaicia, 2uu1, 2uu6; Piuwiiny, 2uu6; Stanuaius Austialia BB167
Secuiity Risk Nanagement, 2uu6).

Figuie S - The effects of uecay on the systems commissioning level of effective secuiity
when using the Pi anu Risk Equation. (Aujusteu fiom 0nueiwoou 1984; Naitin, 2uuu, p.
21u; uaicia, 2uu1, 2uu6; Piuwiiny, 2uu6; Stanuaius Austialia BB167 Secuiity Risk
Nanagement, 2uu6).


61
We aigue that this !5:#4$ uegiauation iesults in the system peifoiming below the
level of iisk contiol consiueieu necessaiy foi a specific secuiity iisk context (figuie S).
In auuition, as the system is peiceiveu to be uegiaueu by potential auveisaiies, the
ueteiience element of BiB is also uegiaueu, leauing to the peiception by oppoitunistic
offenueis that the benefits outweigh the costs leauing to a uecision within the iational
choice fiamewoik to attempt penetiation.

34*(#5)& ,%&'()*+ B%&/+ &#4&%5*'/00+ B%2)4%B
The meaning of entiopy is uifficult to conceptualise anu not well unueistoou outsiue
of acauemic uisciplines, leauing to ubiquitous usage anu iestiicteu unueistanuing.
Whilst vaiious uefinitions anu unueistanuings aie applieu to entiopy, a cential theme is
how vaiious components of a system ielate to one anothei towaius piouucing a
coheient whole. As such, this stuuy has aigueu that the concept of entiopy pioviues a
mouel towaius measuiing the giauual uegiauation of a physical piotection system aftei
its commissioning.

The auoption of !$(5,2#" /$()" pioviues a functional uefinition anu theiefoie, appeal
to both secuiity acauemics anu piactitioneis alike. Stuuy Phase-one, the theoietical
founuation of secuiity uecay, leu to the pioposition that secuiity uecay can be uefineu
as:
The giauual uegiauation of the micioscopic quantities (constituents) oi the
ielationship between the micioscopic anu macioscopic quantities within a
secuiity system.

K8J<"89<=H 3=9:>L<; $3;?:<9G "3;8G
Phase-two valiuateu the theoietical founuation of secuiity uecay using the Belphi
appioach. A total of thiee expeit panels weie useu, wheie expeits weie inteivieweu
inuiviuually anu the sum of theii views pioviueu to the othei panel expeits. Expeits
weie heteiogeneous piactitioneis fiom acioss the coipoiate oi commeicial secuiity
inuustiy (table 2). Buiing the inteiviews themes weie iuentifieu by uiawing on key-
woius anu phiases in the expeits' comments, allowing a iesponse to the poseu ieseaich
sub-questions.

NC/* ), *C% %O5%(*,P F)%Q #2 %4*(#5)& ,%&'()*+ B%&/+6
The systems appioach to implementing effective secuiity fiameu the stuuy's
appioach in unueistanuing secuiity uecay. Consiueiing this view, ieseaich sub-
question one askeu whethei ?$(5,2#" $7.$,#! !5..-,# #3$ !"!#$%! )..,-)(3 #-
2%.4$%$+#2+6 $00$(#28$ !$(5,2#" (-+#,-4!>

Congiuous with the past authois (0nueiwoou, 1984; Bowlet, 199S; NcCluie, 1997;
King, 2uu8) all the paiticipants suppoiteu a systems appioach to secuiity. As one of the
paiticipant's stateu ") !"!#$% 2! ) (-%:2+)#2-+ -0 $4$%$+#)4 2+.5#! @ 8$," %5(3
/$.$+/)+# -+ #3$ (-,,$(# -.$,)#2-+ -0 #3$ $00$(#28$+$!! -0 $)(3 -0 #3$!$ $4$%$+#!
.$,0-,%2+6 #3$2, 05+(#2-+ )+/ !5..-,#2+6 05+(#2-+! -0 -#3$, $4$%$+#!A B3$,$0-,$* !%)44
(3)+6$! 2+ #3$ $4$%$+#!* .),#2(54),4" 93$,$ #32! -((5,! )(,-!! %)+"C)44 $4$%$+#! ()+ 3)8$
) %)D-, 2%.)(# -+ !"!#$% -5#.5# )# #3$ %)(,- 4$8$4E. Such a view was suppoiteu by
anothei paiticipant, who suggesteu that a "!"!#$% #2$! #-6$#3$, ) 6,-5. -0 $4$%$+#! )+/


62
(-+!#2#5$+#! 932(3 %)2+#)2+ ) ,-4$ #-9),/! )+ -8$,)44 6-)4* 93$,$ )44 )!.$(#! ),$
2+#$,,$4)#$/E.

Table 2 - Expeit paiticipants.
3O5%(* "%,&()5*)#4 #2 ,%&'()*+ %O5%(*
R 2u yeais expeiience woiking with physical piotection systems (PPS) in
the coiiectional enviionment, pioviuing auvice on the opeiational
effectiveness of PPS. Qualification: Bachelois Begiee in Secuiity.
S 1S yeais coiiectional secuiity expeiience, monitoiing anu ieviewing
opeiational effectiveness of PPS. Qualification: Bachelois Begiee in
Secuiity.
T 2u yeais expeiience in vaiious secuiity ioles in customs anu
coiiectional enviionments, pioviuing auvice ielating to uaily
management of staff opeiating anu maintaining PPS. Qualification:
Bachelois Begiee in Business Nanagement.
U 2u yeais expeiience in secuiity ielateu piojects as a client ielations
managei foi a laige secuiity engineeiing oiganisation. Facilitates
secuiity iisk management anu leaus the uesign of technical, physical
anu pioceuuial secuiity contiols. Qualification: Biploma of Applieu
Science.
V 21 yeais expeiience in secuiity opeiations, incluuing the Austialian
Befence Foice, customs anu coiiections. Cooiuinates capital woiks
piojects focusing on secuiity aspects. Qualification: Bachelois Begiee
in Secuiity.
W 2S yeais expeiience in coiiectional secuiity anu emeigency
management. Secuiity managei within coiiections, cooiuinating
physical anu pioceuuial secuiity.
X 2u yeais expeiience in special foices, with five yeais in oil anu gas
secuiity. Pioviues secuiity compliance auvice to Naiitime Tianspoit
anu 0ffshoie Facilities Secuiity Act (2uuS) anu piepaies secuiity anu
emeigency plans. Qualifications: Bachelois Begiee in Secuiity,
uiauuate Ceitificate in 0peiations Nanagement.
Y 2u yeais expeiience in policing anu secuiity auvisoiy ioles. Piinciple
secuiity consultant, conuucting secuiity iisk assessments anu auuits.
Qualifications: Bachelois Begiee in Secuiity (Bonouis), Auvanceu
Biploma in Business Nanagement, Biploma in Ciiminal Investigations.
Z SS yeais secuiity inuustiy expeiience as a senioi consultant to high
level secuiity piojects. Publisheu ovei 6u papeis on secuiity issues
anu has piofessional qualifications in electiical engineeiing, builuing
seivices engineeiing anu holus Ceitifieu Piotection Piofessional (CPP)
ceitification.

In geneial, theie was paiticipant acknowleugment that the components of a Physical
Piotection System (PPS) aie inteiielateu anu inteiuepenuent, with each sub-system
being a system of systems. Accoiuing to paiticipants, each aspect of a secuiity system
has a uefineu iole, wheie constituents aie implementeu in a mannei wheie theii
inteiielationships complement anu influence each othei to ieuuce secuiity iisks. This
appioach was highlighteu by one paiticipant who stateu that "9$ !$4$(# 2+/282/5)4

6S
(-%.-+$+#! 0,-% #3$2, 2+/282/5)4 F$" .$,0-,%)+($ 2+/2()#-,!* #3$+* (-%:2+$ #3$%
#-6$#3$, 2+#- ) /$!26+$/ 93-4$E. Wheie "s$(5,2#" /$()" 2! #3$ /$6,)/)#2-+ 2+ #3$
.$,0-,%)+($ -0 )+ $4$%$+# -0 #3$ !$(5,2#" !-45#2-+* :-#3* )! ) !2+64$ $4$%$+# .$,0-,%2+6 )
!.$(202( 05+(#2-+* )+/ #3$ $4$%$+#! ,-4$ 2+ !5..-,#2+6 -#3$, $4$%$+#! 2+ #3$2, 05+(#2-+
92#32+ #3$ #-#)4 !"!#$%E.

In iesponuing to ieseaich sub-question one, iesults inuicateu that all paiticipants
suppoiteu the systems appioach to achieving effective secuiity. In auuition, theii views
ielating to the implementation of such contiols aie accoiuant with the vaiious
unueipinning piinciples of ueneial Systems Theoiy.

"# ,%&'()*+ ,+,*%-, ,'22%( 2(#- B%&/+6
Reseaich sub-question two ielateu to the piemises of 0nueiwoou (1984) anu
NcCluie (1997), asking, '- !$(5,2#" $7.$,#! !5..-,# #3$ ),65%$+# #3)# !$(5,2#" !"!#$%!
()+ !500$, 0,-% /$()". All ieseaich panels iepoiteu in the affiimative that they believeu
secuiity systems suffei fiom uecay. Foi example, one membei stateu, "G /- :$42$8$ #3)#
!$(5,2#" !"!#$%! ()+ )+/ /- $7.$,2$+($ /$()"", with anothei stating that, ""$!* @ G :$42$8$
!$(5,2#" !"!#$%! ()#$6-,2()44" /$()"E.

In iesponse to the ieseaich sub-question iegaiuing secuiity systems uecay, the
eviuence suppoiteu that such uecay ielates to a failuie to maintain secuiity "systems" at
theii commissioneu opeiating levels of effectiveness, uiminishing theii ability to uelivei
the iequiieu output goal (iisk ieuuction). As one paiticipant stateu "u$()" ,$4)#$! #- #3$
/$(42+$ 2+ #3$ $002()(" )+/ $002(2$+(" -0 #3$ !$(5,2#" 05+(#2-+* )+/ 2#! (-,,$4)#2+6 2+(,$)!$ 2+
,2!FE. Anothei paiticipant summaiiseu uecay as when "p$-.4$ 93- 3)8$ !"!#$%!
2+!#)44$/ /- +-# 5+/$,!#)+/ 93)# 5+/$,.2+! #3$%* !"!#$%! ),$ /$!26+$/ 92#3 .),)%$#$,!
#- 0)(242#)#$ 0-, /$()"* ) 4)(F 2+ .,-0$!!2-+)4 !"!#$% %)+)6$%$+#* #3)# 2!* ) 4)(F -0
F+-94$/6$ #- %)+)6$ #3$!$ .),)%$#$,!* ) 4)(F 2+ $/5()#2-+* 2+ 0-,%)4 #,)2+2+6 4$)/! #-
/$()" 92#32+ .3"!2()4 .,-#$(#2-+ !"!#$%!E.

30%-%4*, #2 ,%&'()*+ B%&/+
Reseaich sub-question thiee focuseu on the heteiogeneous aspects of the Physical
Piotection ?"!#$% (PPS). As such, this question askeu whethei ?$(5,2#" $7.$,#! !5..-,#
#3)# !$(5,2#" /$()" 42$! 92#32+ #3$ !"!#$%! $4$%$+#!* (-+!#2#5$+#! )+/ #3$2,
2+#$,,$4)#2-+!32.. In iesponse, one paiticipant stateu that uecay "92#32+ ) HH? -((5,!
92#32+ 2#! 2+/282/5)4 $4$%$+#* )+/ .,-.)6)#$! #3,-563 #3$ !"!#$%A '$()" -((5,! )# #3$
:)!$ 4$8$4 -8$, #2%$A B32! /$()" )# $4$%$+#)4 4$8$4 -((5,! #3,-563 %)+" ()5!$! )+/ #3$
$00$(# ()+ ,$!54# 2+ %)D-, !"!#$% :,$)F/-9+". This paiticipant fuithei stateu that ")
!"!#$% 2! ) (-%:2+)#2-+ -0 $4$%$+#)4 2+.5#!* #3$ !"!#$% 2! 8$," %5(3 /$.$+/)+# -+ #3$
(-,,$(# -.$,)#2-+ -0 #3$ $00$(#28$+$!! -0 $)(3 -0 #3$!$ $4$%$+#! 2+ .$,0-,%2+6 #3$2,
05+(#2-+ )+/ !5..-,#2+6 05+(#2-+! -0 -#3$, $4$%$+#!".

Congiuous with this viewpoint, one paiticipant stateu, I#3$ $00$(#! -0 /$()" ),$ /2,$(#4"
.,-.-,#2-+)4 #- #3$ 4-!! -0 ,2!F %)+)6$%$+# AAA '$()" -((5,! 2+ )44 )!.$(#!J %)+)6$%$+#*
#$(3+-4-6" )+/ .3"!2()4 $+62+$$,2+6". This iuea was suppoiteu by anothei who
suggesteu that, "!%)44 (3)+6$! ()+ 4$)/ #- 4),6$ !$(5,2#" 2%.42()#2-+!* %5(3 42F$ ) (3)2+A
K (3)2+ 2! -+4" )! 6--/ )! 2#! 9$)F$!# 42+F -, .-2+#A L3$+ #3$ 9$)F$!# 42+F :,$)F! #3$
,$!54#! ()+ :$ 4),6$".

64
Baseu on the paiticipants' iesponses, we aigue that secuiity uecay lies within the
systems elements, constituents, anu theii inteiielationships. That is, uecay within a
secuiity system occuis at the constituent level, manifests anu then expanus to
incoipoiate anu affect specific sub-system key peifoimance inuicatois. Such expansion
then affects the specific BiB element within the uefence in uepth stiategy foi which it is
locateu.

3=9:>L<; $3;?:<9G "3;8G
Phase-thiee alloweu inteipietation to be maue in iesponse to the poseu Reseaich
Question, namely '- !$(5,2#" $7.$,#! !5..-,# #3$ #3$-,$#2()4 8)42/2#" -0 $+#,-.2( /$()"
#3$-,"* 932(3 ),65$! #3)# !$(5,2#" /$()" 2! ,$.,$!$+#$/ :" #3$ 6,)/5)4 /$6,)/)#2-+ -0 #3$
%2(,-!(-.2( ;5)+#2#2$! <(-+!#2#5$+#!=* )+/C-, #3$ 6,)/5)4 /$6,)/)#2-+ 2+ #3$ ,$4)#2-+!32.
:$#9$$+ #3$ %2(,-!(-.2( )+/ %)(,-!(-.2( ;5)+#2#2$! 92#32+ ) !$(5,2#" !"!#$%> To
suppoit the concept of entiopic secuiity uecay, a numbei of factois aie put foiwaiu. An
item bank was uevelopeu fiom the expeit inteiviews to consiuei the components of
Physical Piotections Systems (PPS). The isomoiphic piinciples of science consiueieu
the use of entiopy within othei systems anu how this suppoits secuiity systems. A
secuiity management system appioach is shown, uetailing how entiopic uecay can
assist in uefining piocess metiic system inuicatois. Finally, we pioviue a uefinition foi
entiopic secuiity uecay, concluuing the conceptual uevelopment of this concept.

34*(#5)& ,%&'()*+ B%&/+ )*%- D/4@
Within a systems appioach to physical secuiity, theie is a complex inteiielationship
between the built enviionment, physical contiols, technology, people, anu management
piocesses as they achieve the elements of uepth-in-uepth (BiB). Foi example, table S
piesents the stuuy's secuiity expeit's pool of vaiiables anu factois (item bank)
associateu with the concept of secuiity uecay. The item bank is uiviueu into uisciete
PPS components of technical, people anu physical, uemonstiating uecay conuitions, the
phenomena anu iesulting consequence. Such an item bank is unueipinneu by the
expeit panel's thoughts, feelings, anu expeiience with uegiauation within PPS. This
stuuy founu that within this inteiielationship, uecay occuis at the constituent level anu
if left unuetecteu, expanus to affect the local sub-system anu eventually, the BiB system.

Table S - Secuiity uecay pieliminaiy item bank foi technical, people anu physical
components.
LL$
;#-5#4%4*
,
"%&/+ ;/*%A#()%,
Conuition Phenomenon Consequence
Technical Pooi uetection
system maintenance

Incieaseu nuisance
alaim iates

Alaims ignoieu,
ieuucing
piobability of
accuiate
assessment KPI.
Incoiiect technical
maintenance
Causes high
nuisance alaim
iates.

Blinu acceptance of
alaims, uiminishing
accuiate
assessment as a
KPI.

6S
Begiauation of
lighting system
Light lamp failuie
affects the
peifoimance of
CCTv systems.
Biminisheu ability
to assess
(uisciiminate)
alaim souices.
People Lack of piofessional
management of the
secuiity function, as
a system.

System uecays
acioss all aspects of
the management
tiiangle,
technological,
physical anu
pioceuuial.
Secuiity events
occui uue to
uiminisheu iisk
ieuuction piogiam.

Pooi, oi lack of
system testing, oi,
bieaches of system
testing pioceuuies.
Accuiate steauy
state conuition not
known.
Sub-system
vulneiabilities.

Pooi foimal tiaining
foi new staff, wheie
tiaining occuis
thiough hanueu
uown piocesses.
Incoiiect
pioceuuies oi bau
habits passeu on to
new staff.

Cultuial uecay
within human
aspect of the
system.

Lack of qualifieu
staff continuation
tiaining.

Becay in iesponse
piocesses foi non-
ioutine events.
Staff iesponses
uecay.
System enviionment
enviionment
changeu to suit
peisonal
iequiiements.
Changes
paiameteis,
uiscoiuant with
theii uesign
specifications.

Tiiggeis small
changes in which
aie not unueistoou
until a secuiity
event.
Fluctuations in staff
competencies
Reuuces sub-system
KPI's ielateu to
competency
ieuuction.
Staff may not ieact
accoiuant with
system uesign
iequiiements.
Pooi physical
attiibute (lighting
anu aii
conuitioning) within
CCR.
Pioviue
inappiopiiate
output conuitions.

Staff concentiation
anu focus uegiauing
within CCR.
0peiating
pioceuuies mouifieu
without iefeience to
holistic system
iequiiements.
Begiaues the
peifoimance of the
opeiating system as
a "whole".
System may not
peifoim accoiuant
with uesign
specifications.
Pooi communication
between CCR, anu
opeiational staff.
Begiauation in
efficacy acioss
"whole" system.
System may not
peifoim efficiently
against uefineu
thieat.

66
Physical Lack of maintenance
of PPS enviionments
(weeus anu feial
giowth).
Tiiggeis incieaseu
nuisance alaim
iates

Alaim acceptance
ieuucing
piobability of
accuiate
assessment KPI.
Beteiioiation of
uelay physical
elements.

Baiiiei time uelay
uegiaues against
uefineu thieat.
Belay time along an
auveisaiy's path is
changeu alteiing
commissioning Pi.
Physical
components
uesigneu without
consiueiing physical
enviionment impact.
Leaus to piematuie
physical uecay.
Physical
components may
not withstanu
uefineu thieat
stiess.
(Aujusteu fiom uillham, 2uuu, p. 68)

<,#-#(5C)& 5()4&)50%, *# ,'55#(* %4*(#5)& ,%&'()*+ B%&/+
Confoiming to the isomoiphic piinciples of science (see Beitalanffy, 19Su; 1968), this
stuuy consiueieu the laws of theimouynamics (Entiopy law) to explain the natuial
uecay occuiiing in systems of all types, iegaiuless of make-up. We consiueieu this
necessaiy given the vaiiety of uiffeient sciences that make a PPS possible, wheie the
one science binus all vaiious sciences to achieve the systems output goal is uST
(Beitalanffy, 19Su; 1968). As with any physical open oi closeu system, it will uecay
oveitime if theie is iestiicteu oi inappiopiiate input. Entiopy is associateu with a
system's inability to caiiy out woik, tiansfei useful eneigy, oi maintain oiueis of
activity, anu all systems stiive towaius uisoiuei that when achieveu aie in a state of
equilibiium oi ueath. Theiefoie, secuiity systems ieuuce in theii efficiency anu
effectiveness when they, theii component elements, oi constituents become uisoiueieu,
iun-uown, uegiaueu, oi uecayeu.

In investigating the concept of secuiity uecay fiom a systems appioach, contiaiy to
NcCluie's (1997) woik, this stuuy aigues that apathy is not the salient factoi uiiving
uecay. Apathy can be a piouuct of uecay manifesteu fiom anothei constituent within
the system that has been alloweu to piopagate. Foi example, one paiticipant stateu, ")44
#$(3+-4-6" /$()"!* )! #$(3+-4-6" /$()"! 2# (-+!#)+#4" 0)4!$ )4),%!* #3$+ !#)00 26+-,$ #3$%*
93$,$ 54#2%)#$4" #3$" 4-!$ (-+02/$+($ 2+ #3$ !"!#$% )+/ #3$2, 9-,F /$()"!". Such a view
was also iepoiteu by Bowlet:

Even the best system will ueteiioiate with time anu use . fiom the time of
taking a system into use it will stait to ueteiioiate. No system, howevei well
uesigneu, can be completely ieliable without piopei maintenance. If left
without attention it will become unseiviceable. A pooily maintaineu secuiity
system will have many unexplaineu alaims, leauing to the guaiu foice losing
confiuence in the system anu eventually ignoiing a tiue alaim as just anothei
false alaim. Bowevei, the opeiatoi may not be awaie of it, but the system will
not peifoim as intenueu (199S, p. 22u).


67
8 ,%&'()*+ -/4/A%-%4* ,+,*%-, /55(#/&C
As a iesult of the heteiogeneous natuie of a PPS, ieuuceu functionality in one specific
aiea (point uistuibance) will iesult in uecay piopagating thioughout the iemainuei of
the PPS uue to inteiielationships. Foi example, a PPS is maue fiom many components
that pioviue the functions of uetection, uelay anu iesponse. If a uetection component
uoes not peifoim to its uesign paiametiic, this puts gieatei stiess in the uelay
component oi incieaseu ieliance on the following uetection components in a layeieu
system. Such piopagation ultimately changes the peifoimance (macio-state) of the
whole system.

The secuiity management system (figuie 6) commences with a top-uown appioach,
wheie, baseu on uefineu oi peiceiveu thieats, vulneiabilities, anuoi ciiticalities
(system puipose), the systems objectives anu paiameteis aie establisheu as a uesiieu
level of secuiity. 0peiational ueliveiables being physical, technological, oi pioceuuial
aie implementeu anu manageu to ensuie the system maintains its commissioneu
measuies of peifoimance oi key peifoimance inuicatois ovei time. Bowevei as figuie 6
highlights, if the system constituents aie alloweu to uecay, the affect of this uecay
piopagates back up the pyiamiu in a bottom-up appioach. Conceptual uecay cuives aie
iepiesenteu within the constituents. Such piopagation of uecay constituents uiminishes
the iisk ieuuction effoits, incieasing oiganisational iisk exposuie.

Figuie 6 - A secuiity management systems appioach, highlighting the uecay constitutes
cuives within the opeiational ueliveiables.


68

NcCluie highlighteu the "complex inteiielationship between technology, people, anu
management piocesses within a secuiity function" (1997, p. 1). Consistent with such a
view, it is the inteiielations which integiate the system towaius achieving an output
goal, iathei than a collection oi juxtaposition of contiols. Coole anu Biooks (2uu9, p.
22) highlighteu such a complex ielationship within a PPS, aiguing that an oiueily
ielationship exists wheie the space anu time uistiibution of the BiB elements cieates a
compiehensive state of oiuei in ielation to a PPS's macio level of effectiveness.

"%2)4)4A %4*(#5)& ,%&'()*+ B%&/+
In consiueiing the systems appioach to achieving BiB, the concept of $+#,-.2( !$(5,2#"
/$()" has been piesenteu. BiB is the sum of vaiious elements, namely ueteiience,
uetection, uelay, iesponse anu iecoveiy. The concept of entiopy suppoiteu the
aigument that any change in the efficiency oi effectiveness of any of the BiB elements
constituents ieuuces the system's effectiveness. The sum of these concepts collectively
foim anu weie iefeiieu to as !$(5,2#" /$()", being uefineu as:

The giauual uegiauation of the micioscopic quantities (constituents) oi the
giauual uegiauation in the ielationship between the micioscopic anu
macioscopic quantities within a secuiity system.

Such a uefinition pioviues iigoi anu genuine conceptual substance that can be
integiateu into a PPS peifoimance measuies. In auuition, such an appioach may also be
applieu to peisonnel anu infoimation secuiity fiamewoiks to encompass the secuiity
management functions, ultimately leauing to the ability to uevelop anu uefine system
metiics oi key peifoimance inuicatois.

:3;>MM3="89<>=$
Secuiity uecay has been uiscusseu by pievious authois (Coole & Biooks, 2uu9;
NcCluie, 1997; Smith & Biooks, 2u1S; 0nueiwoou, 1984) but has not been exploieu
within systems theoiy. Theiefoie, theie aie a numbei of iecommenuations iesulting
fiom this stuuy. These incluue a gieatei use of applieu metiics to measuie anu iecoiu
the secuiity constituents, anu enhanceu effoits to unueistanu anu maintain a secuiity
system at its commissioneu level. 0thei iecommenuations incluue iecognizing the
uynamic enviionment that a secuiity system has to opeiate within, the benefits of a
system appioach to secuiity, anu the neeu foi fuithei ieseaich in oiuei to unueistanu
the concept of secuiity uecay.

+'",-"' .)" &/ )"0.'1-# 2"-'10)
In applying a systems appioach to secuiity, theie has to be the ability to measuie
constituents effectiveness, inuiviuually anu as ielationships. Entiopy can be
quantitatively measuieu foi a BiB system, using the Estimateu Auveisaiy Sequence
Inteiiuption (EASI) to quantitatively iepiesent a systems commissioning oi opeiational
macio-state level (uaicia, 2uu1). In accoiuance with the piemises of systems theoiy,
EASI quantitatively piesents the vaiious ielationships among the constituents anu
elements peifoimance measuies within PPS.


69
Secuiity uecay is a quantitative entity, iathei than being intuitive. Bowevei, all
elements oi constituents neeu to be bettei unueistoou anu capable of having metiics
applieu anu iecoiueu.

34" 0&221))1&5"( 6"7"6 &/ )"0.'1-#
Secuiity systems aie often installeu as a ieactive action, eithei ovei- oi unuei-
engineeieu to mitigate a single iisk (Biooks & Smith, In piint) anu opeiating as an open
system in a uynamic thieat enviionment. Neveitheless, a secuiity system shoulu be
unueistoou anu maintaineu at its commissioneu level.

89"',-15: %1-4 (#5,210 -4'",-
The uynamic enviionment shoulu be monitoieu to allow the secuiity system's steauy
state to be aujusteu to suit the thieat, foi example the secuiity system shoulu be
scalable. As the thieat incieases, the secuiity system shoulu iaise to countei such an
inciease anu, in contiast, lowei when thieat ieuuces, thus showing equifinality. The
ability to achieve such a uynamic secuiity system iequiies auuitional ieseaich to gain
bettei unueistanuing of the inteiielationship between the functional constituents of
secuiity.

;(&9-1&5 &/ , )"0.'1-# )#)-"2 ,99'&,04
The auoption of a secuiity systems appioach to secuiity management shoulu:
Befine a common lexicon anu unueistanuing among stakeholueis.
Act as an aiu to uefining the secuiity piogiam aichitectuie.
ueneiate awaieness of system uesign piinciples to senioi management.
Pioviue the basis foi conscious uiveigence fiom a common philosophy.
Assist communication acioss functional management bounuaiies.
Piomote the iegaiu foi secuiity management thiough auoption of matuie
concepts.
Pioviue flexibility within what might be iegaiueu as an otheiwise iigiu
fiamewoik.
Pioviue ieliability, maintainability, anu the ability to be upgiaueu.
Be flexibility anu iesilience.
Suppoit peifoimance anu effective iesouice allocation.
Pioviues explicit senioi management suppoit (Smith & Biooks, 2u1S, pp. 26-27).

A secuiity system shoulu ieuuce iisks consistent with the business appetite. It is
secuiity's iole to ensuie that secuiity is effective, uoes not waste iesouices, anu uses
components to theii full potential. The piovision of sounu secuiity analysis anu
management allows the business to consiuei anu appiove a balanceu secuiity plan.
Such balance piomotes efficient spenuing to ieuuce 'unuei' oi 'ovei' investment in the
secuiity system, anu pioviue appioveu secuiity to countei iisks that can impact on the
company's ieputation, intellectual anu physical assets, anu to iecovei fiom ciisis
(Cubbage & Biooks, 2u12).

<.'-4"' '")",'04 15 )"0.'1-# ("0,#
This stuuy has pioposeu the mouel of entiopic secuiity uecay, pioviuing a theoietical
founuation, examples of uecay in a physical piotection systems, anu a concept
uefinition. Past authois have pieviously uiscusseu secuiity uecay (Coole & Biooks,
2uu9; NcCluie, 1997; Smith & Biooks, 2u1S). Bowevei, theie is still fuithei ieseaich

7u
neeueu to suppoit this pieliminaiy uiscussion of entiopic secuiity uecay. Such ieseaich
shoulu seek to bettei unueistanu not only the physical oi engineeiing natuie of uecay,
but also how uecay is uiiven thiough concepts such as a lack of knowleuge, economic
piessuies, anu oiganisational cultuial. Foi example, can uecay cuives be uevelopeu that
consiuei all constituents, anu aie these tiansfeiable within uiffeient contexts. Bow uo
uiffeient uomain expeits view secuiity uecay within uiffeient systems. Becay is not
only applicable to physical anu technical constituents, but also peisonnel, management,
anu coipoiate constituents.

;>=;J?$<>=
This stuuy sought to exploie entiopic secuiity uecay within a systems appioach,
ueveloping a mouel of entiopic secuiity uecay. The initial concept was built fiom
ievieweu liteiatuie suggesting that all physical systems, if left anu with no feeuback,
will uecay. The concept was testeu against secuiity expeit's views anu expeiience with
secuiity systems, suppoiting the mouel of entiopic secuiity uecay.

If a physical piotection system is not piofessionally manageu as a system, that is,
pioviueu the appiopiiate feeuback, it will uecay. In consiueiing such an outcome anu
consistent with the unueipinnings of ueneial Systems Theoiy (uST), we have aigueu
that, in contiast to 0nueiwoou's (1984) anu NcCluie (1997) wiitings, secuiity uecay is
piimaiily conceineu with managing the natuial entiopic piocesses occuiiing against
commissioneu levels of effectiveness within the complex secuiity constitutional
ielationships. Fuitheimoie, these piocesses aie alloweu to manifest uue to a lack of
piofessional management of the secuiity function as a !"!#$%. As one of the
paiticipating expeits stateu, "a significant cause of uecay is a lack of piofessional
management of the system ... we install systems, but people uo not unueistanu what
unueipins them ... we uesign in paiameteis to facilitate foi uecay; howevei, a lack of
(piofessional) knowleuge anu management of these paiameteis leaus to secuiity
uecay".

Entiopic secuiity uecay is the uegiauation of secuiity mitigation stiategies within the
gieatei secuiity management system, uue to inteinal oi exteinal factois. Secuiity uecay
is a suppoitable concept that can be uefineu as #3$ 6,)/5)4 /$6,)/)#2-+ -0 #3$
%2(,-!(-.2( ;5)+#2#2$! <(-+!#2#5$+#!= -, #3$ 6,)/5)4 /$6,)/)#2-+ 2+ #3$ ,$4)#2-+!32.
:$#9$$+ #3$ %2(,-!(-.2( )+/ %)(,-!(-.2( ;5)+#2#2$! 92#32+ ) !$(5,2#" !"!#$%. To
effectively manage a secuiity system iequiies the uesign, application, anu management
of secuiity consistent with a secuiity management systems appioach. Such an appioach
allows a system to be applieu, with metiic opeiational ueliveiables ensuiing compliance
to the secuiity systems objectives. Bowevei, fuithei ieseaich is iequiieu to uevelop
anu uefine this pieliminaiy uiscussion of secuiity uecay anu fuithei exploie a usable
mouel that suppoits the geneial secuiity piactitionei.

:3.3:3=;3$
Baiton, }., & Baslet, T. (2uu7). Analysis, synthesis, systems thinking anu scientific
methou: ieuiscoveiing the impoitance of open systems. ?"!#$%! M$!$),(3 )+/
N$3)82-5,)4 ?(2$+($, OP, 14S-1SS.

71
Beitalanffy, L., v. (19Su). An outline of geneial systems theoiy. B3$ N,2#2!3 ?-(2$#" 0-, #3$
H324-!-.3" -0 ?(2$+($* Q(2), 1S4-16S.
Beitalanffy, L., v. (19Su). The theoiy of open systems in physics anu biology. ?(2$+($*
R$9 ?$,2$!* QQQ(2872), 2S-29.
Beitalanffy, L., v. (1968). S$+$,)4 !"!#$%! #3$-,": founuations, uevelopment, application.
New Yoik: ueoige Biazillei, Inc.
Bittel, L., R. (1978). T+("(4-.)$/2) -0 .,-0$!!2-+)4 %)+)6$%$+#: an authoiitative guiue to
the piofitable piactice of management. New Yoik: Ncuiaw-Bill.
Boigsuoif, B., & Pliszka, B. (1999). Nanagement youi iisk oi iisk youi management.
H5:42( U)+)6$%$+#, VQ(11), 6-1u.
Boiouzicz, E., & uibson, S. B. (2uu6). Coipoiate secuiity euucation: towaius meeting the
challenge. ?$(5,2#" W-5,+)4* QX, 18u-19S.
Biouei, }. F. (2uu6). M2!F )+)4"!2! )+/ #3$ !$(5,2#" !5,8$" (Siu eu.). 0xfoiu: Butteiwoith-
Beinemann.
Biooks, B. }. (2u1u). What is secuiity: Befinition thiough knowleuge categoiisation.
?$(5,2#" W-5,+)4* OY, 22S-2S9. uoi: 1u1uS7sj.2uu8.18.
Biooks, B. }. (2u11). Secuiity iisk management: A psychometiic map of expeit
knowleuge stiuctuie. G+#$,+)#2-+)4 W-5,+)4 -0 M2!F U)+)6$%$+#, QY(12), 17-41.
uoi: 1u.1uS7im.2u1u.7.
Biooks, B. }., & Smith, C. L. (In piint). Engineeiing Piinciples in the Piotection of Assets.
In N.uill (Eu.), Z)+/:--F -0 ?$(5,2#" (2nu eu.): Palgiave NcNillian.
Bohm, B., & Peat, B. (2uuu). ?(2$+($* -,/$,* )+/ (,$)#282#" (2nu eu.). New Yoik:
Routleuge.
Byeon, }., B. (2uuS). A systems appioach to entiopy change in political systems. ?"!#$%!
M$!$),(3 )+/ N$3)82-5,)4 ?(2$+($A OO, 22S-2S1.
Callistei, W. B. (1997). U)#$,2)4! !(2$+($ )+/ $+62+$$,2+6J K+ 2+#,-/5(#2-+ (4th eu.). New
Yoik: }ohn Wiley & Sons.
Checklanu, P. (1981). Systems thinking, systems piactice. Salisbuiy: }ohn Wiley & Sons.
Claike, R. v., & Coinish, B. B. (1987). 0nueistanuing ciime uisplacement: An application
of iational choice theoiy. [,2%2+-4-6", \](4), 9SS-947.
Collins Austialian Pocket Bictionaiy of English Language. (1994). Nelbouine: Baipei
Collins Publisheis.
Coole, N., & Biooks, B. }. (2uu9). Secuiity Becay: An entiopic appioach to uefinition anu
unueistanuing. H,-($$/2+6! -0 #3$ O+/ K5!#,)42)+ ?$(5,2#" )+/ G+#$4426$+($
[-+0$,$+($, Peith.
Ciaigheau, u. (2uuS). Z2631M2!$ ?$(5,2#" )+/ 02,$ 420$ !)0$#" (2
nu
eu.). Boston: Butteiwoith
Beinemann.
Cubbage, C., & Biooks, B. }. (2u12). [-,.-,)#$ ?$(5,2#" 2+ #3$ K!2) H)(202( M$62-+J [,2!2!*
[,2%$* ^,)5/ )+/ U2!(-+/5(# Boca Raton: Tayloi anu Fiancis.
Benbigh, K. u. (2uu9). R-#$ -+ $+#,-."* /2!-,/$, )+/ /2!-,6)+2_)#2-+. Retiieveu Apiil S,
2uu9 fiom http:www.enueav.oigevoluttextuenbig1uenbig1e.htm
Euith Cowan 0niveisity, (2uu4). H3"!2()4 !$(5,2#": ?#5/" 652/$ ?[` QQ]Q. Peith: Authoi.
Feluei, u. (2uu1). B32+6! 0)44 ).),#J K+ 2+#,-/5(#2-+ #- $+#,-.". Retiieveu }uly 1S, 2u11
fiom
http:www4.ncsu.euuunitylockeisuseisffelueipublickennypapeisent
iopy.html
Fennelly, I. }. (1997). T00$(#28$ .3"!2()4 !$(5,2#" (2nu eu.). Amsteiuam; Boston.
Butteiwoith-Beinemann.

72
uaicia, N. L. (2uu1). B3$ /$!26+ )+/ $8)45)#2-+ -0 .3"!2()4 .,-#$(#2-+ !"!#$%!. Boston:
uaicia, N. L. (2uu6). a54+$,):242#" )!!$!!%$+# -0 .3"!2()4 .,-#$(#2-+ !"!#$%!. Boston:
Batfielu, A. }., & Bipel, K. W. (2uu2). Risk anu systems theoiy. M2!F K+)4"!2!, OO(6), 1u4S-
1uS7.
Beiman, N. (1999). T+#,-." :)!$/ 9),0),$J U-/$442+6 #3$ ,$8-45#2-+ 2+ %242#)," )00)2,!A
Retiieveu Apiil 18, 2u1u fiom
http:2u9.8S.17S.1S2seaich.q=cache:7Rigu4CTvaA}:www.au.af.milauawca
wcgatejfq162u.puf+heiman+entiopy+baseu+waifaie&cu=1&hl=en&ct=clnk&
gl=au
Bonkasalo, A. (1998). Entiopy, eneigy anu steauy-state economy. ?5!#)2+):4$
'$8$4-.%$+#A b, 1Su-142.
Bowlet, }., F. (199S). Naintenance: The pacifiei's influence. H,-($$/2+6 -0 #3$ QXXc
G+#$,+)#2-+)4 [),+)3)+ [-+0$,$+($ -+ ?$(5,2#" B$(3+-4-6", Institute of Electionic
Engineeis. pp. 219-224.
Keien, N. (1979). Iueological implications of the use of open systems theoiy in political
science. N$3)82-5,)4 ?(2$+($* OP, S11-S24.
King, S. (2uu8). ?$(5,2#" $+#,-.". Computei Weekly. Retiieveu }uly S, 2u11 fiom
http:www.computeiweekly.comblogsstuait_king2uu8u9secuiity-
entiopy.html
Konicek, }., & Little, K. (1997). ?$(5,2#"* G' !"!#$%! )+/ 4-(F!J B3$ :--F -+ $4$(#,-+2(
)(($!! (-+#,-4. New Yoik: Butteiwoith-Beinemann.
Liamputtong, P. & Ezzy, B. (2uu6). d5)42#)#28$ ,$!$),(3 %$#3-/! (2
nu
eu.). 0xfoiu:
0niveisity Piess.
Lovey, I., & Naukaini, N., S. (2uu7). Z-9 3$)4#3" 2! "-5, -,6)+2!)#2-+. Westpoit,
Connecticut: Piaegei Publishing.
Nanunta, u. (1999). What is secuiity. ?$(5,2#" W-5,+)4. QO, S7-66.
Nanunta, u. (2uu7). The management of secuiity: Bow iobust is the justification
piocess. ?$(5,2#" W-5,+)4. O], 41-4S.
Naitin, B., W. (2uuu). '-2+6 .!"(3-4-6" $7.$,2%$+#! (S
th
eu.). Wauswoith.
NcCluie, S. A. (1997). ?$(5,2#" /$()"J B3$ $,-!2-+ -0 $00$(#28$ !$(5,2#". 0npublisheu
honouis thesis, Euith Cowan 0niveisity, Peith, Westein Austialia.
Niugley, u. (2uuS). ?"!#$%! #32+F2+6J 6$+$,)4 !"!#$%! #3$-,"* (":$,+$#2(! )+/ (-%.4$72#".
Lonuon: SAuE Publications.
Noiales-Natamoios, 0., Tejeiua-Pauilla, R., & Bauillo-Pina, I (2u1u). Fiactal Behavioui
of Complex Systems. ?"!#$%! M$!$),(3 )+/ N$3)82-5,)4 ?(2$+($* Oc, 71-86.
Notz, L., & Weavei, }. B. (1989). B3$ !#-," -0 .3"!2(!. New Yoik: Plenum Piess.
0 Block, R. L., Bonneimeyei, }., F., & Boeien, S., E. (1991). ?$(5,2#" )+/ (,2%$ .,$8$+#2-+
(2
nu
eu.). Boston: Butteiwoith-Beinemann.
0lzac, T. (2uu6). }ust enough secuiity. ?$(5,2#", PY(9), 114.
Post, R. S., Kingsbuiy, A. A., & Schachtsick, B. A. (1991). ?$(5,2#" )/%2+2!#,)#2-+J K+
2+#,-/5(#2-+ #- #3$ .,-#$(#28$ !$,82($! (4th eu.). Boston: Butteiwoith-Beinemann.
Piuwiiny, N. (2uu6). "Equilibiium Concepts anu Feeubacks". ^5+/)%$+#)4! -0 H3"!2()4
S$-6,).3"* <O+/ $/A=A Febiuaiy S, 2u1u, fiom:
http:www.physicalgeogiaphy.netfunuamentals4f.html
Pitzei, K., S. (199S). B3$,%-/"+)%2(!. New Yoik: Ncuiaw-Bill.
Piigogine (1987). Exploiing complexity. T5,-.$)+ W-5,+)4 -0 e.$,)#2-+)4 M$!$),(3* Su,
97-1uS.

7S
Rifkin, }., & Bowaiu, T. (1982). T+#,-.": a new woilu view. New Yoik: The viking Piess.
Roos, I. (1997). The Bebt of Systems Theoiy to Theimouynamics. Nonash 0niveisity
Faculty of Business & Economics. Woiking papei seiies S497.
Singh, A. N. (2uuS). Piivate secuiity anu ciime contiol. B3$-,$#2()4 [,2%2+-4-6", X, 1SS-
174.
Smith, C. L. (2uuS). f+/$,!#)+/2+6 (-+($.#! 2+ #3$ /$0$+($ 2+ /$.#3 !#,)#$6", School of
Engineeiing anu Nathematics. Euith Cowan 0niveisity, Peith, Westein Austialia.
Smith, S. (1992). ulobal uumbing: the politics of entiopy. H,-6,$!!28$ M$82$9. Retiieveu
Apiil 22, 2uu9 fiom http:pioiev.comuumbing.htm
Smith, C. L., & Biooks, B. }. (2u1S). ?$(5,2#" ?(2$+($J B3$ B3$-," )+/ H,)(#2($ -0 ?$(5,2#"
Waltham, NA: Elseviei.
Someison, I., S. (2uu9). B3$ ),# )+/ !(2$+($ -0 ,2!F !$(5,2#" ,2!F )!!$!!%$+#A Alexanuiia,
vA: ASIS Inteinational.
Stanuaius Austialia. (2uu4). K?CRg?PYb]JO]]P M2!F %)+)6$%$+#A Syuney: Stanuaius
Austialia.
Stanuaius Austialia. (2uu6). ZN QbcJO]]b ?$(5,2#" ,2!F %)+)6$%$+#. Syuney: Stanuaius
Austialia.
Styei, B. F. (2uuu). Insight into entiopy. K%$,2()+ W-5,+)4 -0 H3"!2(!, bV(12), 1u9u-1u96.
The New 0xfoiu School Bictionaiy (1991). Nelbouine: Baipei Collins Publisheis.
Tiusteu Infoimation Shaiing Netwoik foi Ciitical infiastiuctuie Piotection, (2uu8).
'$0$+($ 2+ /$.#3. Retiieveu }uly 1S, 2u11 fiom
http:www.ubcue.gov.au__uataassetspuf_fileuuu688SS9BiB-CI0-1S_0ct-
2uu8.puf
0nueiwoou, u. (1984). B3$ !$(5,2#" -0 :524/2+6!. Lonuon: Butteiwoiths.
vannini, A. (2uuS). Entiopy anu Syntiopy: fiom mechanical to life science.
R$5,-d5)+#-4-6" (2), 88-11u.

"#$%#&#"'( )*++#,-' ./' '0++/"1%#2 34 -5# #2%-*" &%-5 -5#%" /66"*$/78

1he auLhors are Lo be congraLulaLed for provlded us a fasclnaLlng and lnnovaLlve model
for Lhlnklng abouL securlLy. unforLunaLely, we have problems wlLh Lhe cholce and phraslng
of quesLlons Lo Lhe experLs panels, wlLh Lhe degree Lo whlch Lhe model was valldaLed", and
wlLh Lhe wrlLlng lLself. MosL lmporLanLly of all, we belleve Lhe auLhors are perpeLuaLlng a
number of myLhs and overslmpllflcaLlons abouL securlLy. 1hese are boLh unnecessary for
Lhelr Lhesls, and a dlsservlce Lo readers.

1he experLs chosen for Lhls sLudy were clearly very quallfled. Whlle Lhe auLhors were no
doubL slmply Lrylng Lo be Lhorough and careful, many of Lhe quesLlons posed Lo Lhe experLs
were raLher mundane and pedanLlc. ls lL really necessary Lo essenLlally check wheLher Lhe
experLs belleve ln Lhe 2
nd
Law of 1hermodynamlcs? More Lroublesome, Lhe quesLlons Lo Lhe
experLs seemed Lo be framed ln a way LhaL dld noL lnvlLe Lhem Lo flnd any problems wlLh
Lhe model. 1hey don'L seem Lo have been parLlcularly encouraged Lo Lhlnk abouL or ralse
any ob[ecLlons. ln oLher words, Loo many sofLball quesLlons resulLed ln a mlssed
opporLunlLy Lo crlLlcally examlne Lhe model.


74
Cne of us (buL noL so much Lhe oLher) Lhlnks LhaL Lhe auLhors' clalm LhaL Lhe uelphl
exerclse valldaLed" Lhelr model may be overreachlng, and LhaL perhaps examlnlng lLs
valldlLy" mlghL be a beLLer way Lo Lhlnk abouL Lhls sLudy.

1he auLhors aLLempL-and we Lhlnk wlLh some success-Lo argue LhaL decay can cause
securlLy fallure. unforLunaLely, Lhey largely lgnore oLher fallure mechanlsms LhaL should be
dlscussed as alLernaLlve or compeLlng mechanlsms, e.g., securlLy may have been poorly
deslgned rlghL from Lhe sLarL, securlLy resources may slmply be lnadequaLe, securlLy
hardware/sofLware producLs deployed may noL be very good or adversarles may have
compromlsed Lhem before deploymenL, Lhe faclllLy may be badly deslgned, changlng LhreaLs
and exLernal Lechnology developmenL may make exlsLlng securlLy mooL or lneffecLlve, Lhe
organlzaLlon's mlsslon or fundlng may have been modlfled by exLernal auLhorlLles, eLc.

AnoLher problem wlLh Lhe paper, and someLhlng LhaL lmpedes Lhe reader's undersLandlng
and en[oymenL, are Lhe prevalenL grammaLlcal errors, pedanLlc language, clumsy wordlng,
and (especlally) Lhe excesslve use of Lhe passlve volce ln much of Lhe wrlLlng. lf wrlLlng lsn'L
Lhe auLhors' sLrong sulL, perhaps Lhey should seek Lhe asslsLance of a proflclenL Lechnlcal
wrlLer ln Lhe fuLure.

1he blggesL lssue we have wlLh Lhe paper ls LhaL Lhe auLhors seem overly obsessed wlLh
uefense ln uepLh" (ulu), and Lhe ofLen mlndless manLra ueLerrence, ueLecLlon, uelay,
8esponse, and 8ecovery" (3u28). 1he laLLer ls more LradlLlonally LhoughL of as Lhe 3us:
ueLer, ueLecL, ueny, uelay and uefend". (ulu ls someLlmes also called layered securlLy".)
1he auLhors do noL need Lo lnvoke Lhese concepLs Lo dlscuss securlLy decay, Lhey would
have a more general model (and mlslead Lhe reader less) wlLhouL Lhem, or lf Lhey aL leasL
used Lhem only LangenLlally.

lL ls nC1 Lrue, as sLaLed ln Lhe absLracL, LhaL ...Lhese funcLlons [ueLer, ueLecL, uelay,
8esponse, and 8ecover] musL be ...performed ln order". ln facL, 3u28 and 3us, whlch Lend
Lo be used somewhaL lnLerchangeably, aren'L even ln agreemenL over Lhe order! More
lmporLanLly, lL's deluslonal Lhlnklng Lo belleve LhaL securlLy managers can force a LlghLly
ordered sequence (or a small number of pre-deflned aLLack paLhs) on an lnLelllgenL and
prepared adversary, especlally lnslde aLLackers. lL ls also worLh noLlng LhaL ln some complex
ulu securlLy plans, Lhe varlous funcLlons (or aL leasL some of Lhem) are meanL Lo go lnLo
acLlon slmulLaneously.

lor many securlLy appllcaLlons, all of Lhe varlous funcLlons ln 3u28 (or 3us) aren'L
relevanL. 1amper-evldenL packaglng on drugs, for example, lnvolve deLecLlon, buL Lhere ls
llLLle deLer, delay, or recovery. When Lhe resldenL of Lhe unlLed SLaLes vlslLs a clLy, SecreL
Servlce AgenLs someLlmes babyslL" menLally unbalanced clLlzens who have made LhreaLs ln
Lhe pasL as a prevenLlve measure durlng Lhe vlslL. 1hls ls pure prevenLlon, wlLhouL 3u28 or
3us. As anoLher example, [ueLer, ueLecL, uelay, 8esponse, 8ecover] are ofLen wholly or
parLlally lrrelevanL for lnslde aLLackers.

8y lnslsLlng LhaL securlLy can only be LhoughL of ln Lerms of ulu and 3u28 or 3us, Lhe
auLhors are perpeLuaLlng common, buL dangerous myLhs. 8y lnslsLlng LhaL Lhelr model can
only be abouL ulu and 3u28 or 3us, Lhey are llmlLed lLs generallLy and usefulness.

7S
#2%-*"(' )*++#,-'

l agree wlLh Lhe revlewers LhaL Lhls ls a welcome and lnLeresLlng paper, and LhaL Lhe
auLhors should be Lhanked for Lhelr dlllgenL efforLs and for sharlng Lhem wlLh us.

l was surprlsed aL Lhe vehemence wlLh whlch boLh !"#$"%"!& re[ecLed Lhe efflcacy and
orLhodoxy of uefense ln uepLh and 3u28 (or 3u). l LhoughL LhaL was my shLlck. l was also
surprlsed aL Lhe vehemence wlLh whlch Lhe '()*+!& lnslsLed LhaL Lhe only way Lo Lhlnk
abouL securlLy or securlLy decay ls vla uefense ln uepLh and 3u28 (or 3u).

l cerLalnly have seen many examples of bad ulu securlLy-Lhe securlLy fallure aL ?-12 wlLh
Lhe Lrespasslng 83-year old nun belng a classlc example of how (sLupldly) ulu usually falls.
(See Lhe mlddle of page v aL Lhe beglnnlng of Lhls lssue for more lnformaLlon abouL Lhe ?-12
securlLy breach.) l have also frequenLly seen examples of where an obsesslon wlLh 3u28 (or
3u) leads Lo an over-emphasls on unlmaglnaLlve force-on-force aLLacks aL Lhe expense of
noL properly defendlng agalnsL more probable, subLle, lnLelllgenL, and effecLlve aLLack
scenarlos. 1hese lnclude, for example, lnslder aLLacks, and Lamperlng wlLh or lnsLalllng
backdoors ln securlLy hardware, sofLware, or Lhe faclllLy belng defended. ln my vlew, Lhe
concepLs of ulu and 3u28 (or 3u)-and ln parLlcular Lhelr mlndless" use (borrowlng one
revlewer's lncendlary Lerm)-have probably caused almosL as much harm Lo securlLy as
good.

As a vulnerablllLy assessor, l ofLen ask abouL Lhe sLraLegy behlnd Lhe securlLy devlce,
sysLem, or program we are analyzlng. lf Lhe flrsL Lhlng LhaL Lhe developer, manufacLurer, or
securlLy manager says ls uefense ln uepLh", Lhen l know ln advance we are golng Lo flnd a
loL of amaLeurlsh and egreglous vulnerablllLles because Lhe securlLy has been lncompleLely
LhoughL Lhrough. lf, on Lhe oLher hand, Lhere acLually ls a securlLy sLraLegy, wlLh ulu merely
belng parL of LhaL sLraLegy, Lhen we wlll cerLalnly flnd vulnerablllLles buL Lhey won'L be as
numerous or embarrasslng.

l have Lo agree wlLh Lhe revlewers LhaL nelLher ulu nor 3u28 (or 3u) are necessary ln Lhe
auLhors' model, and are lndeed someLhlng of a red herrlng. Cn Lhe oLher hand, decay ls no
doubL a blgger problem for complex sysLems, and ulu ls almosL always an (overly) complex
sysLem. Moreover, ulu and 3u28 (or 3u) are hlghly relevanL Lo real world securlLy because
Lhese are approaches and paradlgms commonly used ln securlLy-for good or lll. 1o furLher
slde wlLh Lhe auLhors (aL leasL a llLLle), lL ls probably unfalr for Lhe revlewers and me Lo gang
up on Lhem over Lhe lssue of ulu and 3u28 (or 3u). 1he auLhors cerLalnly dld noL lnvenL
Lhese concepLs nor are Lhey responslble for Lhelr ofLen mlndless", knee-[erk lmplemenL-
LaLlon. lurLhermore, Lhe second and Lhlrd papers ln Lhls lssue dlscuss applylng and
exLendlng Lhe LASl model, yeL nelLher l nor Lhe (dlfferenL) revlewers of Lhose papers
crlLlclzed Lhe auLhors over Lhelr use of LASl, ulu, and 3u28 (or 3u).

1hough Lhe revlewers dld noL ralse Lhls polnL, l was dlsappolnLed LhaL Lhe auLhors-
havlng lnvoked a loL of sclence-dldn'L much use Lhelr model ln a sclenLlflc way: Lo make
predlcLlons. Soclal sclenLlsLs Lend Lo use models Lo organlze ldeas, asslsL ln lnLerpreLlng Lhe
real world, and provlde a consLrucL for Lhlnklng abouL Lhe relevanL lssues. SclenLlsLs, ln

76
conLrasL, Lyplcally vlew Lhe purpose of models as maklng predlcLlons LhaL can be LesLed.
Cne predlcLlon LhaL Lhe auLhors' model would seem Lo make LhaL Lhe auLhors dld noL much
pursue ls Lhe ldea LhaL when securlLy programs are noL closed, l.e., when Lhere ls a loL of
lnpuL of fresh energy" (e.g., money, new ldeas, new personnel, lmproved hardware and
sofLware, fresh analysls of LhreaLs/vulnerablllLles/consequences/sLraLegles), Lhen Lhe
sysLem's enLropy can decrease.
l also whole-hearLedly agree wlLh Lhe revlewers' condemnaLlon of Lhe exLenslve use of
passlve volce by Lhe auLhors. asslve volce ls noL rlgorous or scholarly. 8aLher, lL obscures
and lL dlsgulses. And lL's annoylng ln excess. l have edlLed ouL a good blL of lL ln Lhe flnal
paper, as ls sLandard pracLlce for Lhe ,+(!-'. +0 1*2&$3'. 4"3(!$)2.
lor any confused readers, here are some examples: l made mlsLakes" ls much beLLer
Lhan Lhe passlve and weasely MlsLakes were made." eople should wrlLe, 1he daLa
suggesL.", noL lL can be lnferred from Lhe daLa."
lor fuLure auLhors: Pere ls SLephen klng commenLlng on Lhe passlve volce [from 5-
6!$)$-78 9 :";+$! +0 )*" <!'0)= Slmon and SchusLer, (2000), pp. 122- 124]:
verbs come ln Lwo Lypes, acLlve and passlve. WlLh an acLlve verb, Lhe sub[ecL of Lhe senLence ls dolng
someLhlng. WlLh a passlve verb, someLhlng ls belng done )+ Lhe sub[ecL of Lhe senLence. 1he sub[ecL ls [usL
leLLlng lL happen. >+( &*+(.? '#+$? )*" @'&&$#" #+$3"A l'm noL Lhe only one who says so, you can flnd Lhe same
advlce ln B*" C.";"-)& +0 4)2."A
Messrs. SLrunk and WhlLe don'L speculaLe as Lo why so many wrlLers are aLLracLed Lo passlve verbs, buL l'm
wllllng Lo, l Lhlnk Llmld wrlLers llke Lhem for Lhe same reason Llmld lovers llke passlve parLners. 1he passlve
volce ls safe. 1here ls no Lroublesome acLlon Lo conLend wlLh.l Lhlnk unsure wrlLers also feel Lhe passlve volce
somehow lends Lhelr work auLhorlLy, perhaps even a quallLy of ma[esLy. lf you flnd lnsLrucLlon manuals and
lawyers' LorLs ma[esLlc, l guess lL does. .
l won'L say Lhere's no place for Lhe passlve Lense. [8uL].Lwo pages of passlve volce-[usL abouL any
buslness documenL ever wrlLLen, ln oLher words, noL Lo menLlon reams of bad flcLlon-make me wanL Lo
scream. lL's weak, lL's clrculLous, and lL's frequenLly LorLuous, as well.
now some mlghL argue LhaL Lechnlcal wrlLlng ls somehow dlfferenL. oppycock*, l say! lL
ls sLlll done ln Lngllsh, and Lhe prlnclples of good Lngllsh and good communlcaLlon sLlll
apply, maybe even more so. (And Lhls lncludes Lhe lmporLance of wrlLlng ln shorL, clean,
unamblguous senLences.)

Cverall-Lhe ob[ecLlons of Lhe revlewers and myself noLwlLhsLandlng-l Lhlnk Lhls ls a
remarkable and laudable paper. lL cerLalnly made me Lhlnk abouL securlLy (and enLropy")
ln a dlfferenL way, and Lhe dlsagreemenLs were aL leasL exclLlng, lf noL lllumlnaLlng.

___________
*oppycock" ls from Lhe uuLch word pappekak", llLerally sofL dung".

Journal of Physical Security 7

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Journal of Physical Security 7

Încărcat de

Drepturi de autor:

Formate disponibile

!

"#$% '( )'+%+,

S-ar putea să vă placă și