Benefit-Cost Analysis of Security Systems for Multiple Protected Assets Based on Information Entropy

This article proposes a quantitative risk assessment for security systems which have multiple protected assets and a risk-based benefit-cost analysis for decision makers. The proposed methodology consists of five phases: identification of assets, security unit and intrusion path, security unit effectiveness estimation, intrusion path effectiveness estimation, security system risk assessment and benefit-cost estimation. Key innovations in this methodology include its use of effectiveness entropy to measure the degree of uncertainty of a security system to complete a protection task, and the fact it measures risk like information theory measures the amount of information. A notional example is provided to demonstrate an application of the proposed methodology.


Introduction
Physical security systems are deployed to prevent or mitigate loss of valuable assets (e.g., property or life) [1]. According to the Department of Homeland Security National Infrastructure Protection Plan of the United States, benefit-cost analysis is the hallmark of homeland security decision making [2]. Benefit-cost analysis requires quantification of the risk before and after implementation of a risk reduction strategy. The basic theory of risk evaluation for security systems is still lacking in China. Scientists mainly rely on qualitative assessments of management science to determine the risk of the system [3][4][5][6]. However, if an evaluation system does not have a deep, comprehensive understanding of the security system, risk evaluation based on management science will result in deviations.
On an international scope, scientists have made some significant progress on the basic theory for risk evaluation of security systems. In the 1970s, the U.S. Department of Energy's Sandia National Laboratories [7] first introduced the basic concepts of physical protection systems. At that time, it proposed the idea that this system can be applied to the field of nuclear facilities protection. Subsequently, the U.S. Department of Energy put forward a model of adversary sequence diagram (ASD) [8]. This model can identify deficiencies in physical protection systems by analyzing how hypothetical adversaries might achieve their objectives through various barriers. The model identified the weakest path in a physical protection system, where an opponent has the highest probability of attacking the system. Subsequently, the U.S. Department of Energy put forward a comprehensive path analysis model based on single-path analysis, which has a significant limitation in that only one adversary attack path is analyzed [9]. The top ten weakest paths will be found from among hundreds of probable attack paths. In 2007, Garcia [10] gave an integrated approach for designing physical security systems. The measure of effectiveness employed for a physical protection system is the probability of interruption, which is defined as "the cumulative probability of detection from the start of an adversary path to the point determined by the time available for response". Hicks et al. [11] presented a cost and performance analysis for physical protection systems at the design stage. Their system-level performance measure is risk, which they define as follows: Risk = P(A) × [1 − P(E)] × C, where P(A) is the Probability of Attack, P(E) is the Probability of System Effectiveness (= P(I) × P(N)), P(I) is the Probability of Interruption, P(N) is the Probability of Neutralization, and C is the Consequence. Their discussion of the cost-performance tradeoff is limited and heavily weighted toward cost as a driver in the decision [1]. Fischer and Green [12] present a qualitative risk analysis approach to ranking threats using a probability/criticality/vulnerability matrix. Cost effectiveness is discussed as a possible measure of system evaluation. Oak Ridge National Laboratory [13] established a CSG (Combination Solid Geometry) model, which is a powerful descriptive model facility. This model is based on the use of image processing, distributed computing, and geometric aspects of technology, using computer-aided design methods to establish facilities in a three-dimensional simulation model. This three-dimensional simulation model is close to the actual installations of the model and is calculated by dedicated software; the system can do the most detailed analysis.
These studies mainly focus on the risk evaluation of security systems by using probability statistics methods and simulation methods. Probabilistic statistics methods experiment with small statistical samples of events to get the probability of attack of a security system and make debatable assumptions about fixed values for detection and delay elements [14]. These methods only describe scenarios of one asset, and don't extend to collocated assets [14]. In practice, there are many security systems that protect multiple assets, such as museums or schools. Risk assessment for security systems for multiple assets is needed. Simulation experiments applied to assess the effectiveness of security systems must establish completely different facility models for different facilities, so the complexity of computation is very large and the development process is extremely complex.
The historical data on attacks is limited. There are enormous uncertainties in risk evaluation of security systems. The most uncertain is the threat itself [15]. A number of researchers have used bounded intervals [16], game theory [17][18][19], and exogenous dynamics [20] to characterize uncertainty in terrorism risk analysis. There is some important recent literature considering both adaptive and non-adaptive threats [18,21]. Although a contribution on this issue is not within the scope of this article, we take the position that credible expert opinion can compensate for the lack of data to support quantitative risk assessments, and we only consider non-adaptive threats.
The primary objective of this article is to reference the Information Theory of Shannon. Like information entropy, we use entropy to measure the effectiveness uncertainty degree of a security system's protection capability with regard to protection of multiple assets. With a simple illustrative example, we demonstrate the application of security system risk assessment and benefit-cost estimation with different strategies.

Benefit-Cost Estimation of Security Systems Based on Information Entropy
This section develops a quantitative risk assessment for security systems and benefit-cost estimation for decision makers when the security system protects multiple assets. The proposed risk-based benefit-cost estimation method for security systems consists of five phases (Figure 1).

Identify Assets, Security Unit and Intrusion Path
The first phase begins by identifying the key assets which need protection and a complete set of plausible intrusion paths leading to each key asset. Each intrusion path begins at the outside perimeter of a security system since it is the first line that must be crossed by an intruder to gain access to a protected asset [22]. A sequence of discrete security units composes an intrusion path. Security units have protection capability; they may be either a barrier or a path. The security system is abstracted into a security network diagram which is shown in Figure 2. We make some assumptions as follows: (1) Attackers start from the outside and treat one of the protected assets as a target of attack; (2) There exists at least one path that leads to the protected asset; (3) All units in the path have protection capability values; the attacker needs to pay a cost to pass through the security unit.

Security Unit Effectiveness Assessment
Entropy is a state function which was proposed to solve the quantity problem of the second law of thermodynamics by French scientist Rudolf Clausius in 1865 [23]. Later, entropy became a measure of disorder or uncertainty about a system after Austrian physicist Boltzmann's statistical interpretation [24]. In 1948, American scientist Shannon used information entropy to represent the average uncertainty of an information source, and the amount of information is a measure of uncertainty that is missing before reception [25]. Information entropy is often obtained from a given probability distribution p = {p_i} of messages or symbols. For a random variable X with n outcomes {x_i : i = 1,…,n}, the Shannon entropy, a measure of uncertainty and denoted by H(X), is defined as: where p(x_i) is the probability mass function of outcome x_i. Due to the source uncertainty, information entropy is used to measure the amount of information in information theory [26]. Similar to information theory, we use entropy to measure the degree of effectiveness uncertainty of the protection capability of a security system. The value of effectiveness is measured by the degree of protection capability that reduces the uncertainty of the security system. In a security system, the effectiveness is usually measured by the ratio of completion of a task. The larger the ratio of completion of the protection task, the less uncertainty is associated with the effectiveness of the security system. That means the higher the effectiveness of the security system, the lower the degree of failure to accomplish a protection task will be. Suppose a unit has n factors for a certain protection task. The ratio is 1 when fully meeting the task. The ratio is 0 when absolutely not meeting the task. The ratio of n factors on a unit can be expressed as R_i (i = 1,2,…,n), and the weight of each factor is ω_i (i = 1,2,…,n). For a particular task, the protection effectiveness of one unit j can be determined as: where U_j is the protection effectiveness of unit j. R_i is the degree of accomplishing a protection task of factor i. 1 − R_i is the degree of failure to accomplish the protection task of factor i. As different factors have different impacts on the security system protection effectiveness, ω_i denotes the effect weight of factor i, and

Intrusion Path Effectiveness Assessment
The higher the performance of the unit protection, the greater the cost the attacker must pay to pass through the unit, so we define unit cost as the value of unit protection effectiveness. The value of unit cost denoted by ( )( 1,2, , ) is equal to the unit effectiveness: ( ) ( 1,2, , ) We assumed that there are k units ( 1, 2, , ) denotes the path cost. The value of the path cost is equal to the sum of unit costs. ( , , , ) ( ) ( ) ( )

Security System Risk Assessment
DHS (U.S. Department of Homeland Security) uses reasonable worst-case conditions to assess terrorism risks because intelligent adversaries can choose circumstances where targets are vulnerable and consequences are maximized. The worst-case condition of a security system is intelligent adversaries who can choose the most vulnerable paths to each asset and destroy all assets. The most vulnerable path is the minimum cost of intrusion paths for each asset. So the protection effectiveness for each asset can be determined as: , , ( ) The value of risk of the security system can be defined as follows, based on the risk definition of security system that Hicks proposed:

Risk = P(A) × P(r) × C (6)

where P(A) is the probability of attack against a critical asset during the time frame of the analysis, which can be assessed by experts. C is consequence, and P(r) is the probability of successful attack, which is also called the probability of protection invalidation. In this formula, P(r) is related to the protection effectiveness of the security system. The higher the protection effectiveness, the lower the probability of successful attack P(r). The relationship between the two concepts can be expressed as: Suppose a security system has n protected assets, so the risk of the security system can be determined as: where E(asset_i) is the protection effectiveness value of asset i, P(A_i) is the probability of attack for asset i, which can be determined as the annual rate of occurrence of attack, and C_i is the value of the protected asset i.

Benefit-Cost Estimation
Benefit-cost analysis determines the cost effectiveness of proposed countermeasures and consequence mitigation strategies for reducing the risk associated with an asset or portfolio of assets. The benefit-to-cost ratio for a given investment alternative can be calculated as:

Benefit Risk after applied strategy Risk before applied strategy Cost
Cost of strategy (9)

An Application of a Museum Scenario
To illustrate a simple application of the proposed method, consider the notional museum with two key ancient porcelain assets as shown in Figure 3. Note that all values used throughout this example are purely notional.

Identify Assets, Security Unit and Intrusion Path
There are two assets in this example. Consider the example where the adversary intends to sabotage the target as shown in Figure 2. There are two paths to asset 1. Path one: the adversary intends to penetrate the vehicle entrance A, travel to the appropriate room, force open the door C, and destroy the protected asset 1. Path two: the adversary intends to penetrate the staff entrance B, travel to the room, force open the door C, and destroy the protected asset 1. There are two paths to asset 2. Path one: the adversary intends to penetrate the vehicle entrance A, travel to the room, force open the door D, and destroy the protected asset 2. Path two: the adversary intends to penetrate the staff entrance B, travel to the room, force open the door D, and destroy the protected asset 2. The protection units of each intrusion path are shown in Table 1.

The Protection Effectiveness of Security Unit
A security system is a complex configuration of detection, delay, and response elements [27]. So suppose each unit has three factors for the protection task: detection, delay and response. Detection is the discovery of an adversary action, which must be followed by an assessment of the alarm to verify whether there is an actual intrusion. Delay is the function of slowing down adversary progress during an intrusion to give the guards more time to respond. Response is the actions taken by the response force to prevent adversary success [28]. The ratio is 1 when the protection task is fully met. The ratio is 0 when the task is absolutely not met. The effect weights of each factor are the same. The ratios of each factor on a unit are shown in Table 2. From Equation (2), the effectiveness of each unit can be determined as listed in Table 2.

The Protection Effectiveness of an Intrusion Path
From Equation (4), the effectiveness of each intrusion path can be determined as listed in Table 3.

The Risk Assessment of the Security System
From Equation (5), the effectiveness of the security system can be calculated: . The value of asset 1 is 100,000 dollars and the value of asset 2 is 200,000 dollars, so C_1 = 100,000, C_2 = 200,000. From Equation (8), the risk for each asset can be shown as in Table 4. From Equation (8), the risk of the museum security system can be calculated as Risk = 3.92 × 10^4.

Benefit-Cost Estimation
To reduce the total risk associated with this security system, three countermeasure strategies were considered: first, improve the response factor of Staff entrance B to 0.7. Second, improve the delay factor of Door C to 0.7. Third, improve the detection factor of Door D to 0.8. Suppose that the costs for each strategy are the same, that is, 1,000 dollars.
A higher benefit-cost value means a better strategy. From the benefit-cost value of each strategy in Table 5, we can see that strategy 1 and strategy 2 are the same, and the third strategy is better than the first and second strategies.
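The museum calculation as a runnable Python sketch; this is an added example, not code or data from the article. Equations (2) and (7) are not reproduced on this page, so the forms U = -sum(w_i ln(1 - R_i)) and P(r) = exp(-E), the factor ratios, the attack probabilities, and benefit taken as risk before minus risk after are assumptions; the path layout, asset values, strategies and cost are the page's.

```python
import math

# Constructed factor ratios (detection, delay, response) per security unit;
# these are not the article's Table 2 values.
UNITS = {
    "A": (0.6, 0.5, 0.5),   # vehicle entrance
    "B": (0.5, 0.5, 0.4),   # staff entrance
    "C": (0.6, 0.5, 0.6),   # door to asset 1
    "D": (0.5, 0.6, 0.6),   # door to asset 2
}
PATHS = {1: [("A", "C"), ("B", "C")], 2: [("A", "D"), ("B", "D")]}
VALUE = {1: 100_000, 2: 200_000}   # C_1, C_2 as given on the page
P_ATTACK = {1: 0.5, 2: 0.5}        # constructed P(A_i)
FACTOR = {"detection": 0, "delay": 1, "response": 2}

def unit_effectiveness(ratios):
    """Assumed entropy-style form U = -sum(w_i * ln(1 - R_i)), equal weights."""
    w = 1.0 / len(ratios)
    return sum(math.inf if r >= 1 else -w * math.log(1 - r) for r in ratios)

def asset_effectiveness(units, asset):
    """Weakest path: minimum over the asset's paths of the summed unit costs."""
    return min(sum(unit_effectiveness(units[u]) for u in path)
               for path in PATHS[asset])

def system_risk(units):
    """Sum over assets of P(A_i) * P(r_i) * C_i, with assumed P(r) = exp(-E)."""
    return sum(P_ATTACK[a] * math.exp(-asset_effectiveness(units, a)) * VALUE[a]
               for a in PATHS)

def benefit_cost(units, unit, factor, new_ratio, cost):
    """Risk reduction per dollar for raising one factor of one unit."""
    ratios = list(units[unit])
    ratios[FACTOR[factor]] = new_ratio
    after = {**units, unit: tuple(ratios)}
    return (system_risk(units) - system_risk(after)) / cost

STRATEGIES = [("B", "response", 0.7), ("C", "delay", 0.7), ("D", "detection", 0.8)]

if __name__ == "__main__":
    print(f"baseline risk: {system_risk(UNITS):.0f}")
    for unit, factor, ratio in STRATEGIES:
        bc = benefit_cost(UNITS, unit, factor, ratio, cost=1000)
        print(f"{unit} {factor} -> {ratio}: benefit/cost = {bc:.2f}")
```

With these constructed inputs, hardening B only helps until vehicle entrance A becomes the weakest path, so the gain from strategy 1 is capped, and hardening a unit that is not on any weakest path yields no benefit at all.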

Conclusions
This article proposes a quantitative risk analysis method and benefit-cost estimation for security systems that must protect multiple assets. Following four steps of development, including using effectiveness entropy to measure the degree of uncertainty of the security system, and measuring risk like information theory measures the amount of information, a general formula for security system risk assessment was obtained. Benefit-cost estimation analyses the relationship between proposed countermeasure strategies for reducing risk and cost. As the environments of security systems are more complex in general, the proposed model is not comprehensive enough to analyze all the factors. As an exploration of benefit-cost estimation of security systems, this method can help security system technical staff to carry out quantitative risk assessment of security systems which have multiple protected assets and make decisions about the choice of countermeasure strategies.

Figure 1. Risk-based benefit-cost estimation for decision maker.

Figure 2. The security network diagram.

Figure 3. Diagram of security system in a museum scenario.

Table 1. The protection units of each intrusion path.

Table 2. The effectiveness for each unit.

Table 3. The effectiveness for each intrusion path.

Table 4. The risk of each asset.

Table 5. The benefit-cost value for each strategy.