PSA-LOPA – A Novel method for physical security

risk analysis based on Layers of Protection Analysis

Fabio Garzia European Academy of Sciences and Mario Fargnoli
Safety & Security Engineering Group - Arts Safety & Security Engineering Group -
DICMA Salzburg, Austria DICMA
SAPIENZA – University of Rome [email protected] SAPIENZA – University of Rome
Rome, Italy Rome, Italy
Mara Lombardi
& Safety & Security Engineering Group - Soodamani Ramalingam
Wessex Institute of Technology DICMA School of Engineering and Technology
Southampton, UK SAPIENZA – University of Rome University of Hertfordshire
Rome, Italy Hatfield, UK
&

Abstract—Physical security risk analysis represents a following the improvements of planned activities to step-up
fundamental tool to evaluate the threats regarding an the levels of protection of a given site.
organization and it can be divided into distinct groups,
represented by: qualitative, semi-quantitative, quantitative, In our case, the Layers of Protection Analysis (LOPA)
and mixed. The method of analysis is very important because it method, initially structured and developed for industrial
also allows to measure the increase in the level of security plants safety (such as chemical industry), has been revised
following the improvements of planned activities to step-up the and adapted to the physical security risk, providing
levels of protection of a given site. In our case, the Layers of interesting and useful results.
Protection Analysis (LOPA) method, initially structured and
developed for industrial plants safety (such as chemical LOPA represents a semi-quantitative tool. As a risk
industry), has been revised and adapted to the physical assessment methodology, LOPA uses order of magnitude
security risk, providing interesting and useful results. categories for initiating event frequency, consequence
The purpose of this paper is to illustrate a novel method for severity, and the likelihood of failure of independent
physical security risk analysis based on LOPA that represents protection layers (IPLs) to estimate risks. Objectives of
a general tool for any kind of organization. LOPA are to determine if risks can be tolerated by asking if
there are enough layers of protection against an accident
Keywords—Physical security risk analysis, LOPA, Layers of scenario and if supplementary independent protection layers
Protection Analysis. are needed.
The purpose of the proposed physical security adapted
I. INTRODUCTION LOPA (PSA-LOPA) technique is to define and quantify the
Physical security risk analysis represents a fundamental risk of occurrence of a dangerous security scenario and to
tool to evaluate the threats regarding an organization, establish if, within a site, there are enough physical security
allowing a subsequent optimal security management, even measures, defined as levels of protection (layers), such as to
using properly supporting integrated technological evaluate the physical security risk acceptability.
framework based on Internet of Things (IoT) / Internet of The proposed methodology is very versatile as it adapts
Everything (IoE) which can connect people, things (mobile both to the design of a new site, allowing to insert the right
terminals, smart sensors, devices, actuators; wearable number of levels of protection, and to the analysis of an
devices; etc.), data / information / knowledge and processes existing site, allowing, if necessary, to add new levels of
[1 - 6]. protection in a way that allows the risk to be acceptable.
Risk analysis can be divided into distinct groups, The purpose of this paper is to illustrate a novel method
represented by: qualitative, semi-quantitative, quantitative, for physical security risk analysis based on LOPA that
and mixed [7 - 15]. represents a general tool for any kind of organization.
Qualitative risk analysis is useful in doing a preliminary
overview of the threats of an organization, but it does not II. THE LAYERS OF PROTECTION ANALYSIS (LOPA)
provide quantitative results.
The proposed Physical Security Adapted Layer of
Quantitative risk analysis is fundamental in giving the Protection Analysis (PSA-LOPA) technique allows to
exact values of different threats. It can be a very complex identify the exact number of physical security protections
and expensive process. (intrusion detection system, access control, video
surveillance etc.) that the site needs and the related
Semi-quantitative risk analysis represents an
performances. It also allows the analyst to avoid
intermediate analysis between qualitative and quantitative
overestimating the risk as in the case of including redundant
analysis.
protective devices that sometimes result to be useless,
Mixed risk analysis joins different techniques. thereby reducing any costs involved [16 - 19].
The method of analysis is very important because it also For these reasons, the correct application of the PSA-
allows to measure also the increase in the level of security LOPA technique represents a simple and effective screening
method to establish not only what physical security

978-1-5386-7931-9/18/$31.00 ©2018 IEEE

protections (PSPs) the site needs to be considered safe but, III. THE PHYSICAL SECURITY ADAPTED LAYERS OF
above all, if the existing PSPs are necessary and enough. PROTECTION ANALYSIS (PSA-LOPA)
The LOPA analysis consists of several steps: As previously explained, since the LOPA methodology
was initially conceived for the calculation of industrial risk,
• Identification of the physical security risk scenario. it was necessary to modify the aforementioned formula,
• Study of the severity of the consequences of the adapting it to the physical security risk, producing extremely
above scenario and assignment of a defined Target precise and useful results whereas the considered PSA-
Factor score. LOPA technique has been applied.

• Identification of the triggering cause (Initiating Since physical security is generally applied according to
event). layers of protection so that any intruders find various levels
of protection such as perimeter protection, video
• Estimate of the frequency of occurrence of the surveillance, technological barriers, sensors etc. before
Initiating Event. reaching the desired target, LOPA method is very suitable
since it is necessary to invert the considered flow of risk.
• Identification of any other factors (Enabling Factors)
that, coupled with the Initiating Event, give rise to the In fact, LOPA considers the different level of protection
scenario. starting from the target and proceeding towards various
levels of protection that could progressively produce
• Evaluation of the actual time in which the risk is damages.
manifested (Time at Risk).
In the PSA-LOPA the processes are properly reversed,
• Identification of independent protections considering the various levels of protection as a sort of
(Independent Protection Layers, IPLs). progressive shields to avoid that an intruder could reach a
• Calculation of the probability of failure of the given target, producing the expected damages (Fig.s 1 - 3).
physical security protections (Probability of Failure
on Demand, PFD).
• Evaluation of credits.
• Evaluation of the acceptability of risk and possible
improvement activities.
To carry out the risk analysis it is necessary to calculate
how much the existing PSPs can reduce the probability that
the scenario will occur. To do this, the concept of ‘credit’ is
used. The definition of credit is closely linked to the
probability of failure, associated with each individual PSPi,
according to the following equation [16 – 19]:
(1)
Once the individual credits have been evaluated, the
PSA-LOPA analysis is performed with the calculation of the
risk coefficient, relative to the k scenario, using the
following equation [16 – 19]:
Fig. 1. Schematic example of different layers of protection of a single
target.
(2)
where:
• TF is the Target Factor.
• FI is the opposite of the logarithm of the frequency of
occurrence of the Initiating Event.
• FE is the opposite of the logarithm of the frequency of
occurrence of the Enabling Factor.
• IT is the index of the Time at Risk.
• IPLs are the Independent Protection Layers that, in
our case, represents the physical security protections,
or levels of protections, that intervene following the
IE.

Fig. 2. Schematic example of different layers of protection of multiple

targets (two in the figure).
 IV. EXAMPLE OF APPLICATION OF PSA-LOPA
It is first necessary to define the damage levels and the
requested level of performances of the security solutions for
the related associated physical security risks and these
activities are specific of a given site of a given organization.
An example is shown in Tab. I where the reliability of
security solution (RSS) is also indicated.
The performance level of the security protection is
associated with the level of damage that the security event
can cause. The five levels of damage have been taken up by
a standard classification of a given organization, which
associates at each level the quantification of economic,
physical, company’s reputation, legal expenses etc.
damages. In this way, the PSA-LOPA technique has been
adapted and customized to a general context valid for any
kind of organization.
The TF target factor (derived by a previous qualitative
Fig. 3. Schematic example of different layers of protection of multiple risk analysis) has been associated with each level of
targets (three in the figure). damage. For example, a potential objective of the highest
strategic and economic importance for the considered
In the present work, only technological protections are organization (data centre, vaults etc.) is associated with the
considered but it is possible to extend the PSA- LOPA maximum damage level, and the score that will be assigned
considering not only technological barriers but even will vary from 9 to 10, and so for the levels of lower risk.
physical barrier and human factor [20, 21] that represent
fundamental elements for security management.
TABLE I. RESUME TABLE OF THE DAMAGE LEVELS, THE
The following assumptions were made to simplify the REQUESTED PERFORMANCE LEVELS OF THE SECURITY SYSTEM AND
THE PSA-LOPA COEFFICIENTS.
proposed technique (but they can be obviously revised to
obtain a deeper level of analysis, but they are not considered
in this basic analysis):
performance
Requested

Damage
level of

R (PSA-
• the FI factor was assumed to be equal to 1, since the TF
LOPA)
RSS PFD
intrusion security system is evaluated when the
intrusion has already happened.
• The IT factor is not considered for simplicity even if
SEVERE

the times of exposure to a security risk can be

determined in particular environments. 5 9 - 10 R < -3 > 99,99 % < 0,0001

• The F factor is not considered for simplicity even if

E

in some security events it is possible to identify

‘enabling’ factors or factors that facilitate the
development of a security event.
HIGH

4 7-8 -3 < R < -2,1 99,9 - 99,99 % 0,001 - 0,0001

Since PSA-LOPA deals in this basic version only with
technological barrier and devices whose failure rate is lesser
than one and since this failure rate is used in eq. (1) as
MODERATED

probability of failure, the sign the logarithm calculation is

reversed since the result of the argument (failure rate, lesser
than one) gives already a negative result. 3 5-6 -2 < R < -1,1 99 - 99,9 % 0,01 - 0,001

It is evident that the higher the reliability of a given

security protection and the lower the failure rate. This means
that the value calculated with eq.(1) strongly reduces,
LIMITED

reducing the related R coefficient of the related risk

scenario. This is an obvious result since it means that the 2 3-4 -1 < R < 0 90 - 99 % 0,1 - 0,01
considered protection is very reliable, ensuring an elevate
level of security protection and therefore a reduction of the
related risk. The great advantage of the proposed method is
NEGLECTABLE

that it permits to evaluate the different level of protections

from the semiquantitative point of view, allowing to
evaluate if further levels of protection are necessary, 1 1-2 R>0
providing also all the necessary information to realize them
with an optimal ratio from the cost / benefit point of view.
 Different kind of qualitative analysis can be performed, physical security risk, which the qualitative risk analysis
using, for example, qualitative matrixes such as: interaction provided in advance.
matrix targets-security protections, interaction matrix impact
on targets-threats, Interaction matrix accesses -security For simplicity, the layers of physical security protection
protections etc., that provide useful information to evaluate, that have been considered are represented by video
the level of damage of each target of the specific site of the surveillance, access control and intrusion detection, named
considered organization necessary for the following PSA- P1, P2, P3, respectively even if the method allows to consider
LOPA semiquantitative analysis. multiple levels of protections, as illustrated before, not
limiting to technological protection systems but also
considering physical barriers and human factor reliability
TABLE II. AN EXAMPLE OF THE RESUMING TABLE, CONSIDERING 12 and errors [20, 21].
TARGETS AND RANDOM BUT REAL VALUES OF P1, P2, P3 COEFFICIENTS OF
EACH TARGET (EVEN IF THEY ARE NOT INDICATED FOR BREVITY). The probability of failure of protection levels P1, P2, P3,
are obtained from the failure rates of each kind of used
devices. In the specific case of video surveillance, the

Requested level of
Actual level of
performance

performance
Damage faceable by failure rate is multiplied for the percentage of visual
Estimated
Target the actual level of
damage
coverage of considered area (i.e. equal to 1 if all the
protection considered area is covered).
Once individuated all the targets, it is possible to
calculate for each target Ti, by means of the related level of
Target 1 LIMITED LIMITED 2 2 protections P1i, P2i, P3i and, using the previous equations, the
related PSA-LOPA risk factor Ri, obtaining the actual
physical security level of protection of each target of the
Target2 MODERATED SEVERE 3 5 considered site.
At this point it is possible to create a resuming table
Target 3 LIMITED MODERATED 2 3 (Tab. II) where the first column represents the
individualized targets, the second column represent potential
Target 4 NEGLECTABLE HIGH 1 4
damages as determined by PSA-LOPA (using Eq.(1) and
Eq.(2)), the third column represents the expected damage
calculated using the results of initial qualitative analysis
Target 5 NEGLECTABLE HIGH 1 4 converted using Tab. I, the fourth column the actual level of
performance of the security protections and the fifth column
the requested level of performance of the security protection
Target 6 NEGLECTABLE HIGH 1 4 necessary to face the expected damages (both converted
using Tab. I).
Target 7 NEGLECTABLE HIGH 1 4 The obtained results allow to evaluate immediately if the
performance level of protections of the single targets, and
3 5
therefore of the entire site, are suitable or if it is necessary to
Target 8 MODERATED SEVERE
enforce the existing layers of protection of each target
(increasing for example their reliability) or increase the
Target 9 MODERATED SEVERE 3 5 number of them to reach the requested performance level.
Tab. II can also be represented using a proper histogram
graph to have immediately a clear view of the situation, as
Target 10 NEGLECTABLE ELEVATED 1 4 shown in fig. 4, or in another synthetic way by means of a
radar graph representation, as shown in fig. 5.
Target 11 MODERATED SEVERE 3 5

Target 12 SEVERE MODERATED 5 3

The R factor, i.e. the quantified calculation of the risk

factor obtained from Eq.(2), is associated with the damage
levels of the considered organization, thus combining each
of them the relative levels of overall reliability of the
security solution (RSS) and its probability of failure on
demand (PFD).
Fig. 4. Histogram graph of the results (red colour: actual level of
The PSA-LOPA method can be therefore applied to all performance of protections, green colour: requested level of performance of
potential targets Ti within the site of the considered protections).
organization that are exposed to physical security risks. The
choice of the targets included in the analysis was done with As it is possible to see from fig. 4, excepted target 1 and
respect to the criticality of the same for the organization and target 12, the targets are characterized by an actual level of
based on the qualitative indications, on the exposure to the performance of security protections (red colour) lesser with
respect to the relative requested level of performance of
security protections (green colour), and this provide a clear IEEE International Carnahan Conference on Security Technologies,
idea of where and how it is necessary to increase the level of Madrid (Spain), 2017.
protections to reach the desired goal. [5] F. Garzia, “The Internet of Everything based integrated system for
security /safety /general management / visitors’ services for the
In this way it is possible to study and eventually realize Quintili’s Villas area of the Ancient Appia way in Rome, Italy”,
all the necessary and further protections, considering SAFE 2017 – International Conference on Safety & Security
properly the cost/benefit ratio, to guarantee the necessary Engineering, Safety and Security Engineering VII, WIT Transactions
level of protection to the different targets on The Built Environment, Vol 174, pp.261-272, WIT Press
(Southampton, UK), 2017.
[6] M. Gambetti, F. Garzia, V. Baiocchi, F. J. Vargas Bonilla, F.
Borghini, D. Ciarlariello, S. Chakaveh, D. Costantino, A. Culla, R.
Cusani, M. A. Ferrer, S. Fusetti, J. Kodl, S. Livatino, M. Lombardi, S.
Marsella, J. Peng, V. Smejkal, S. Ramalingam, M. Ramasamy, S.
Sacerdoti, A. Sdringola, D. Thirupati, and M. Faundez Zanuy, “The
Internet of Everything System for the Papal Basilica and Sacred
Convent of Saint Francis in Assisi, Italy”, Proceedings of WEF
(World Engineering Forum) - Safeguarding Humankind’s Heritage,
The Great Challenge for Engineers, Rome (Italy), 2017.
[7] F. Garzia, “An integrated multidisciplinary model for security
management and related supporting integrated technological system”,
Proc. of IEEE International Carnahan Conference on Security
Technologies, Orlando (USA), pp. 107-114, 2016.
[8] F. Garzia, M. Lombardi, “Safety and security management through an
integrated multidisciplinary model and related integrated
technological framework”, SAFE 2017 – International Conference on
Safety & Security Engineering, Safety and Security Engineering VII,
WIT Transactions on The Built Environment, Vol 174, pp. 285-296,
WIT Press (Southampton, UK), 2017.
[9] Lombardi, M., Guarascio, M. & Rossi, G., “The management of
uncertainty: Model for evaluation of human error probability in
railway system”, American Journal of Applied Sciences, Vol.,11, N.3,
pp. 381-390, 2013.
Fig. 5. Radar graph of the results (red colour: actual level of performance [10] Guarascio, M., Lombardi, M., Rossi, G. & Sciarra, G., “Risk analysis
of protections, green colour: requested level of performance of protections). and acceptability criteria”, WIT Transactions on the Built
Environment, Vo. 94, pp.131-138, 2007.
[11] Guarascio, M., Lombardi, M. & Massi, F, “Risk Analysis in handling
V. CONCLUSIONS and storage of petroleum products”, American Journal of Applied
Sciences, Vol. 10, N.9, pp. 965-978, 2013.
The proposed PSA-LOPA represents a general method
[12] Broder, J. F. & Tucker, E., “Risk Analysis and the Security Survey”,
apt for any kind of site of any organization and allows to Buttherwoth-Heinemann, New York, 2012.
evaluate, in a quite rapid and efficient way, the level of [13] Norman, T., L., “Risk Analysis and Security Countermeasure
physical security risks and the related countermeasures, Selection”, CRC Press, 2010.
intended as layers of protections, necessary to reach the [14] Lombardi, M., Fargnoli, M., ”Prioritization of hazards by means of a
desired protection level, if necessary, as it was already done QFD-based procedure”, International Journal of Safety and Security
in a plenty of real contexts, characterized by an optimal ratio Engineering, Vol. 8, N. 2, pp.342-353, 2018.
from the cost/benefit point of view. [15] Fargnoli, M., Lombardi, M., Haber, N., Guadagno, F., “Hazard
Function Deployment: a QFD based tool for the assessment of
It can be further developed to obtain more complete and working tasks – A practical study in the construction industry”,
extended results, according to the specific needs but it is out International Journal of Occupational Safety and Ergonomics, pp.1-
of the scope of the paper. 22, 2018.
[16] Willey, R., J., “Layer of Protection Analysis”, Proc. of 2014
International Symposium on Safety Science and Technology, Procedia
REFERENCES Engineering, Vol.84, pp.12 – 22, 2014.
[1] F. Garzia, L. Papi, “An Internet of Everything based integrated [17] Center for Chemical Process Safety, “Layer of Protection Analysis:
security system for smart archaeological areas”, Proc. of IEEE Simplified Process Risk Assessment”, Amer Inst of Chemical
International Carnahan Conference on Security Technologies, Engineers, USA, 2001.
Orlando (USA), pp. 64-71, 2016. [18] Center for Chemical Process Safety, “Guidelines for Enabling
[2] F. Garzia, L. Sant’Andrea, “The Internet of Everything based Conditions and Conditional Modifiers in Layer of Protection
integrated security system of the World War I commemorative Analysis”, Amer Inst of Chemical Engineers, USA, 2013
museum of Fogliano Redipuglia in Italy”, Proc. of IEEE International [19] Center for Chemical Process Safety, “Guidelines for Initiating Events
Carnahan Conference on Security Technologies, Orlando (USA), pp. and Independent Protection Layers in Layer of Protection Analysis”,
56-63, 2016. Amer Inst of Chemical Engineers, USA, 2014.
[3] M. Gambetti, F. Garzia, F. J. Vargas Bonilla, D. Ciarlariello, M. A. [20] F. Borghini, F. Garzia, A. Borghini, G. Borghini, “The Psychology of
Ferrer, S. Fusetti, M. Lombardi, S. Ramalingam, M. Ramasamy, S. Security, Emergency and Risk”, WIT Press (Southampton - UK and
Sacerdoti, A. Sdringola, D. Thirupati, and M. Faundez Zanuy, “The Boston - USA), 2016.
new communication network for an Internet of Everything based [21] F. Borghini, F. Garzia, M. Lombardi, M. Mete, R. Perruzza, R.
security / safety / general management / visitor’s visitors’ services for Tartaglia, “Human Factor Analysis Inside a Peculiar Job Environment
the Papal Basilica and Sacred Convent of Saint Francis in Assisi, at the Gran Sasso Mountain Underground Laboratory of Italian
Italy, Proc. of IEEE International Carnahan Conference on Security National Institute for Nuclear Physics”, International Journal of
Technologies, Madrid (Spain), 2017. Safety & Security Engineering, WIT Press, Vol.8, No.3, pp. 390-405,
[4] F. Garzia, M. Lombardi, S. Ramalingam, “An integrated Internet of 2018.
Everything – genetic algorithms controller – artificial neural networks
based framework for security systems management and support”,