Characterize Facility

2. Identify Undesirable Events & Critical Assets

Determine Consequences

Define Threats

Analyze Protection System Effectiveness

Upgrade the System

Estimate Risks

Are Risks Acceptable? No / Yes

__ An initial step in security system analysis is to characterize the facility operating states and conditions. This step requires developing a thorough description of the facility itself (the location of the site boundary, building locations, floor plans, and access points). A description of the processes within the facility is also required, as well as identification of any existing physical protection features. This information can be obtained from several sources, including facility design blueprints, process descriptions, safety analysis reports, environmental impact statements, and site surveys.

Undesired Events. The undesired events must be established. Undesired events are site-specific and have adverse impacts on public health and safety, the environment, assets, mission, and publicity.

Critical Assets. The adversary could cause each undesired event to occur in several ways. A structured approach is needed to identify critical components for prevention of the undesired events.

__ A logic model, like a fault tree, can be used to identify the critical components. The critical components and their locations become the critical assets to protect. There is the top-level portion of a generic fault tree for facilities.

Disrupt Mission of a Facility

1. Disruption of Operations

2. Crime Against Person(s)

3. Negative Publicity or Embarrassment

4. Theft of Assets

5. Destruction of Property

The next step is to categorize undesired events or loss of critical assets. The proposed categories of consequences are similar to those used by the Department of Defense per Military Standard 882C.

__ The consequence values and categories are described below. The goal is to estimate the relative consequence value associated with each undesired event.