D.05.3. General Methods for Security Risk Analysis

The main goal of this deliverable is to describe the general Adversarial Risk Analysis (ARA)
methodology used in the SECONOMICS toolkit. This deliverable also addresses the issues
and characteristics that are needed to model operational security problems for Critical
Infrastructure Protection (CIP) in the real-world scenarios addressed in the project.

Some of these issues were already identified in the case studies examined in
D5.2—Case Studies in Security Risk Analysis, derived from the outcomes of SECONOMICS
WP1, WP2 and WP3. The basic models used to solve these case studies needed to be
expanded with ad-hoc modifications to accommodate the complexities posed by these new
scenarios, such as the presence of multiple risks simultaneously affecting several locations,
among other advanced requirements. The general methodology proposed in this deliverable
overcomes these shortcomings, presenting a rich framework to integrate additional
dimensions that help us reflect the nuances of the underlying CIP problems in greater detail.

Specifically, this deliverable includes:
• A complete specification of a methodology to design general models based on ARA
and its application to solve CIP problems.
• Design requirements for the development of tools implementing this methodology in
different domains, which serves as an input for WP8-Tool Support.
• Two new case studies illustrating the application of this general methodology, along
with its main advantages to identify and address future and emerging threats.

The main body of this document provides a high-level overview of the different aspects
and factors that can be considered in this general ARA methodology to solve CIP problems.
In addition, this document includes several Annexes providing a more detailed and
technical description of the core elements that enable such a generalised approach (ANNEX1,
ANNEX2 and ANNEX3), along with two case studies illustrating the application of the proposed
methodology (ANNEX4 and ANNEX5). As a result, the main sections of this document body
try to minimise as much as possible the use of mathematical, statistical and technical
terminology and concepts, in order to provide an accessible description of the main scientific
and technical contributions. In any case, multiple pointers to the Annexes are also provided
in the corresponding sections for those readers interested in further theoretical details and
practical technicalities.
