D.05.2. Case Studies in Security Risk Analysis
This report provides the application and adaptation of the template risk analysis models
introduced in D5.1—Basic Models for Security Risk Analysis. We solve the case studies
(airport, from WP1; underground, from WP3) with the aid of such models, adapting them
as needed. This will require adopting appropriate consequence assessment models as
developed in WP6 and risk perceptions as developed in WP4.
For the airport case study, we have focused on a particularly critical scenario for the
incumbent country and airport analysed: the unlawful access to the Air Traffic Control Tower,
aimed at taking hold of Air Traffic Control Officers before or during flight control operations.
Consequences of such attack have a multiattribute nature, and could be severe, including
high operational costs (due to flight diversions or cancellations), image costs and lives. Our
aim is to support the airport operator in devising a security resource allocation plan. We
address the problem adapting the Sequential Defend-Attack-Defend model from deliverable
The metro case study is a very complex problem, in which authorities have to deal with
more than one threat operating over multiple sites simultaneously. We have focused on the
two most pervasive threats that must be faced by metro authorities: fare evasion and pickpocketing
by a group. We first consider only the fare evasion threat, distinguishing between
casual and intentional evaders, who operate in a single station. Then, we extend our model
to include pickpocketing. Finally, we extend it to more than one station, deploying a Sequential
Defend-Attack model (from D5.1) for each threat and site, under the assumption that
different types of attacks are uncoordinated. Models are related by resource constraints for
the Defender and each attacker and by aggregation of results over various sites and, for the
case of the Defender, over various threats.
The body of the deliverable contains a description of the case studies analysed, focusing
on qualitative issues that will help in understanding the overall performance of the models.
In this sense, we have followed the same structure for each case study. We start with a
brief introduction of them, contextualising it within the SECONOMICS framework. We then
discuss its underlying structure, paying special attention to the relevant modelling issues
concerning the defender and the attacker(s). We then provide a comprehensive outline of all
the assessments that we made when modelling the cases studies. We illustrate the performance
of the model presenting some representative results. We end up with a discussion
about the lessons learnt throughout their modelling. The appendices contain full numerical
and algorithmic details of all these issues.
The overall conclusion is that the template models in D5.1 provide an excellent starting
point for dealing with security risk resource allocation problems. Thus, we actually have a
methodology for deciding how to better protect an organisation from multiple threats, whatever
the structure of the organisation is. This methodology facilitates security strategic thinking
ad guides data and judgment extraction, ending up with the optimal portfolio of security
countermeasures for an organisation. We conclude by outlying the promised general strategy
which will be the object of D5.3.