D.05.1. Basic Models for Security Risk Analysis
This report provides several template models aimed at devising strategies for the protection
of critical infrastructures or, more generally, at supporting security policy making. The
template models are based on the adversarial risk analysis framework. While risk analysis
provides a methodology to mitigate the effects of threats that may harm the performance
of a system, adversarial risk analysis expands the methodology focusing on threats coming
from intelligent intentional adversaries. Specifically, we have developed five different
models to support a Defender in facing the actions of an Attacker. The models differ from
each other in the way and order in which the possible attacks and defences take place
within the sequence of events. Thus, we have given the models self-explanatory names:
(a) Simultaneous Defend-Attack, in which a defender and an attacker decide their defence
and attack, respectively, without knowing the action chosen by each other; (b) Sequential
Defend-Attack, in which the defender first chooses a defence and, then, having observed
it, the attacker chooses an attack; (c) Sequential Attack-Defend, in which the attacker first
performs an attack and, then, having suffered it, the defender chooses a defence; (d) Sequential
Defend-Attack-Defend, in which the defender first deploys defensive resources.
Then, the attacker, having observed such decision, performs an attack and, finally, the defender
tries to recover from the attack as best as she can; and (e) Sequential Defend-Attack
with Private Information, similar to the Sequential Defend-Attack, but with some information
that the defender does not want the attacker to know.
These five models may be seen as basic building blocks for general risk analysis problems
related with the protection of critical infrastructures. For each model, we provide the
following information: (1) A general description of the model, emphasising its most relevant
features; (2) A simple motivating example, dealing with some related problem regarding the
protection of critical infrastructure; (3) The standard game theoretic solution. This is a classic
approach, overcome by the adversarial risk analysis methodology, although some of its
concepts are useful as a starting point to understand our template models; (4) The approach
from the view of adversarial risk analysis. This is the main part of our document, dealing with
all the theoretical and modelling aspects of our models; and (5) A basic numerical illustration
in a stylised problem. This case study will complete in full detail the ideas sketched in the
introductory example. For the sake of clarity, all examples will be placed at the end of this
document, on a separate annex.
We also illustrate how the templates may be adapted in more realistic problems, specifically
in a security resource allocation problem within a spacial setting, i.e. when assets and
values are distributed among various nodes (cells). This may be viewed essentially as a set
of adversarial risk analysis models, one for each cell, with models coordinated by resource
constraints and value aggregation across each cell for both the Defender and the Attacker.
We end up discussing issues in opponent modelling, in which our aim is to provide models
for the decision making of all the participants.