| Article ID: | iaor20134091 |
| Volume: | 17 |
| Issue: | 1 |
| Start Page Number: | 19 |
| End Page Number: | 45 |
| Publication Date: | Jun 2013 |
| Journal: | International Journal of Risk Assessment and Management |
| Authors: | Lord Steven, NunesVaz Rick |
| Keywords: | risk, control, engineering |
Following systems engineering principles, we introduce analytic means to qualitatively judge and quantitatively assess layering of security controls with the aim of optimising risk reduction. The emphasis is on evaluating security controls in real world systems, where complications such as uncertainty, scale, multiple threats, multiple events, and multiple pathways from threat to event to consequences, confound the neat, and often used, picture of layering controls as rings around the bulls‐eye of consequences. An example of physical security at a facility is given, with a quantitative illustration of optimising the layering of controls according to cost constraints.