Abstract
This paper proposes a Dynamic Risk Assessment (DRA) methodology applicable to the so-called High Impact Low Probability (HILP) security risks which, by their very nature, are difficult to identify or occur only infrequently. DRA is based on the processing of Weak Signals (WSs) to protect critical infrastructures and soft targets against HILP security risks before they materialise. DRA allows WSs to be ranked according to the reliability and credibility of their sources and to be correlated to obtain threat precursors. Experimental results have shown that DRA is effective and helps suppress irrelevant alerts.
1 Introduction
This paper proposes a methodology to dynamically assess High Impact Low Probability (HILP) security risks which, by their very nature, are either difficult to identify or occur only infrequently [1]: this category includes, for example, terrorism, extremism, and lone wolf actions. The dynamic assessment of risks is an essential element of any decision support tool aimed at improving situational awareness while protecting critical infrastructures and/or soft targets against HILP security risks. Related probabilistic approaches (e.g. [2,3,4]) have two major drawbacks: they typically produce a high number of false positives and, to characterise the problem, they require substantial statistical evidence that is not available for HILP security risks that manifest themselves as “black swans”. The proposed Dynamic Risk Assessment (DRA) approach tries to overcome these drawbacks by processing Weak Signals (WSs; see Note 1) [5] collected from heterogeneous sources, taking inspiration from Intrusion Detection Systems [6]. WSs, once detected and correlated with other WSs, can generate precursor alerts of threats related to HILP security risks, to be investigated further and in greater depth. The paper is organised as follows: Sect. 2 discusses the DRA approach, Sect. 3 proposes an application of DRA to a mass gathering event, and finally Sect. 4 presents conclusions and future work.
2 The Proposed DRA Approach
The proposed DRA approach bases its reasoning on the processing of WSs, the minimum managed quantum of information. Starting from a static risk assessment, the DRA logic can be summarised in the following steps:
1. Continuously collect the WSs potentially representing precursors of threats;
2. Analyse each collected WS and verify whether, alone or correlated/grouped with other existing WSs, it can represent a more significant precursor of a threat;
3. Present the potential detected precursor to a security operator for evaluation;
4. Re-assess the risks for the considered target accordingly.
Each WS, detected by a given source, contains the following minimal information:
- A unique ID that embeds a reference to the source of the WS;
- The absolute time t at which it was collected;
- The geolocation (x, y), if available;
- A snapshot of what has been detected, using pre-defined semantics, to help the operator confirm, discard (false or nuisance alarms) or amend the detection.
Each detected WS is characterised by a Significance (S) value that is a combination of:
- The Reliability (R) of the source, which characterises the ability of a source to give true information in a particular context of use;
- The Credibility (C) of the information generated by the source, which introduces a measure of the degree of confirmation: the more an item of information is confirmed, the higher its credibility and, conversely, the more an item of information is contradicted by others, the less credible it becomes [7].
The Significance of the considered WS detected by the source m ranges in the [0, 1] interval and is computed as follows:
where:
- Cm and Rm are integers in [0, 5] (where 1 is very low and 5 is very high);
- The Normalising Factor NF keeps S(WSID) in [0, 1];
- α and β are correcting factors to tune the role of each factor in the product.
If the proposed methodology is applied to an event (e.g. a concert in a stadium), it is possible to add a further element that considers the Time Distance (TDt) of the WS from the event date: the closer the detection of the WS to the event date, the bigger the TDt. S(WSID) then becomes:
Once received, WSs must be processed to evaluate whether they can become, alone or together with other WSs, a significant precursor of a threat related to a specific HILP security risk. To this end three structures of Precursors are introduced:
- Suspicious Sign (SS): represents a single WS that has either sufficient significance to become a SS or is related to a high-risk threat. In both cases, S(SS) = S(WS);
- WSs coming from the intelligence services, i.e. Intelligence Alerts (IA), can be considered a special Suspicious Event with maximum Significance S(IA) = 1;
- Suspicious Pattern (SP): two or more WSs can create a SP if they have sufficient significance and are linked together according to one of the criteria described below.
The Precursors can be generated combining already collected WSs, SSs, IAs or SPs using either the experts’ knowledge to define the rules for grouping WSs or data analytics applied to WSs [8,9,10] as follows:
- Group: a set of precursors without time and geographic constraints, independently of the time sequence in which they are detected;
- Sequence: a set of precursors that need to be received in the correct sequence;
- Area: a set of precursors within the same area and in a given time interval;
- Distance from Hot Spots: a set of precursors in a given time interval, all at a distance from Hot Spots (e.g. embassies, police offices, etc.) shorter than a given threshold;
- Simultaneous Group: the grouping is generated using the strategy of “simultaneous events”, i.e. three or more WSs detected within a short period of time;
- Data Analytics: the grouping of precursors is generated using data analytics approaches, for example through the generation of new rules on the basis of data collected in the past. A possible approach is described in [11], where Suspicious Activity Reports (SAR) collected by 911 emergency operators are analysed to identify and prioritise cases of interest from the large volume of SARs;
- Operators Group: generated by the operator according to his/her experience.
Precursors’ Significance value is computed using the Significance values of all the WSs connected to it. The approach to combine Significance values for an SP with two WSs contributing to it, with significance S1 and S2 respectively, is derived from Certainty Factors [12] theory using the following formula
Having more than two WSs contributing to the same SP, it is possible to iteratively apply the same formula.
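The significance combination and the Simultaneous Group criterion described above, as an added Python example that is not code from the paper or from the LETSCROWD project. It assumes the product form S = C·R/NF with α = β = 1 and NF = 25, the standard certainty-factor combination S1 + S2(1 − S1) in place of the formula the page does not reproduce, and hypothetical values for the time window, the significance threshold and the sample WSs.

```python
from dataclasses import dataclass
from functools import reduce

@dataclass(frozen=True)
class WeakSignal:
    ws_id: str        # unique ID embedding the source, e.g. "steward/014"
    t: float          # absolute collection time, in seconds
    credibility: int  # C_m, 0..5
    reliability: int  # R_m, 0..5

def significance(ws, nf=25.0):
    # Assumption: product form C*R/NF with alpha = beta = 1; NF = 5*5 keeps S in [0, 1].
    return ws.credibility * ws.reliability / nf

def combine(s1, s2):
    # Assumption: certainty-factor combination of two non-negative factors.
    return s1 + s2 * (1.0 - s1)

def pattern_significance(signals):
    # More than two WSs: apply the same formula iteratively.
    return reduce(combine, (significance(w) for w in signals), 0.0)

def simultaneous_groups(signals, window_s=300.0, min_size=3, min_s=0.2):
    """Group WSs of sufficient significance detected within window_s seconds."""
    eligible = sorted((w for w in signals if significance(w) >= min_s),
                      key=lambda w: w.t)
    groups, i = [], 0
    while i < len(eligible):
        j = i
        while j < len(eligible) and eligible[j].t - eligible[i].t <= window_s:
            j += 1
        if j - i >= min_size:      # three or more WSs in a short period
            groups.append(eligible[i:j])
            i = j
        else:
            i += 1
    return groups

# Constructed sample WSs (hypothetical sources, times and scores).
SAMPLE = [
    WeakSignal("call112/001", 0.0, 2, 3),
    WeakSignal("steward/014", 120.0, 3, 4),
    WeakSignal("hccv/203", 250.0, 2, 2),      # S = 0.16, below min_s
    WeakSignal("steward/015", 280.0, 4, 4),
    WeakSignal("call112/002", 4000.0, 3, 3),  # isolated in time
]

if __name__ == "__main__":
    for g in simultaneous_groups(SAMPLE):
        print([w.ws_id for w in g], round(pattern_significance(g), 4))
```

Under this combination rule the pattern's significance does not depend on the order in which the WSs arrive and is never lower than that of its strongest contributing WS.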
Precursors, when triggered by WSs, can be then classified as either Non-Critical or Critical, i.e. elements that constitute an immediate threat for a given risk. Critical Precursors shall be triggered and brought immediately to the attention of a security operator that should take the necessary mitigation actions.
Using the above methodology, the Risk Level can be re-assessed using escalation approaches [13]. An example, when dealing with a mass gathering event, based on an IF-THEN-ELSE approach is given in the following:
- IF (Time Distance is Big) AND (no Critical precursors are triggered) THEN (the Risk Level is Very Low);
- IF (Time Distance is Big) AND (some Non-Critical Precursors are triggered) THEN (the Risk Level is Low);
- IF (Time Distance is Big) AND (at least one Critical Precursor is triggered) AND (Crowd Density is Low) THEN (the Risk Level is Medium);
- IF (Time Distance is Small) AND (at least one Critical Precursor is triggered) AND (Crowd Density is Low) THEN (the Risk Level is High);
- IF (Time Distance is Small) AND (at least one Critical Precursor is triggered) AND (Crowd Density is High) THEN (the Risk Level is Very High).
Clearly, exact and complete IF-THEN rules and related thresholds need to be defined according to laws, protocols and best practices including also socio-political and environmental conditions.
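The five example rules above as an evaluator with a coverage check, as an added Python example that is not the paper's or the project's own code. It assumes that the second rule applies only when no Critical Precursor is triggered, that the highest matching level wins, and that a state matched by no rule returns None so it is escalated to the operator instead of defaulting to a low level.

```python
from itertools import product

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]

# State: (time_distance, critical_count, non_critical_count, crowd_density).
# Each entry: (rule name, predicate over the state, resulting Risk Level).
RULES = [
    ("R1", lambda td, crit, non, dens: td == "Big" and crit == 0, "Very Low"),
    # Assumption: "some Non-Critical" is read as "and no Critical".
    ("R2", lambda td, crit, non, dens: td == "Big" and crit == 0 and non > 0, "Low"),
    ("R3", lambda td, crit, non, dens: td == "Big" and crit > 0 and dens == "Low", "Medium"),
    ("R4", lambda td, crit, non, dens: td == "Small" and crit > 0 and dens == "Low", "High"),
    ("R5", lambda td, crit, non, dens: td == "Small" and crit > 0 and dens == "High", "Very High"),
]

def matching_rules(td, crit, non, dens):
    """Names of all rules whose condition holds for this state."""
    return [name for name, pred, _ in RULES if pred(td, crit, non, dens)]

def risk_level(td, crit, non, dens):
    """Highest level among matching rules, or None when no rule applies."""
    hits = [lvl for _, pred, lvl in RULES if pred(td, crit, non, dens)]
    return max(hits, key=LEVELS.index) if hits else None

def uncovered_states():
    """Enumerate the whole input space and return states no rule covers."""
    space = product(["Big", "Small"], [0, 1], [0, 1], ["Low", "High"])
    return [s for s in space if risk_level(*s) is None]

if __name__ == "__main__":
    print(risk_level("Big", 0, 1, "High"), matching_rules("Big", 0, 1, "High"))
    for state in uncovered_states():
        print("no rule for", state)
```

The enumeration makes the missing cases explicit, for example a Critical Precursor at Big Time Distance with High Crowd Density, or any state at Small Time Distance without a Critical Precursor.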
3 The DRA Application to a Mass Gathering Event: An Example
3.1 The DRA Practical Implementation
DRA methodology has been applied to a scenario representing a mass gathering event managed by a Law Enforcement Agency (LEA). The sources of WSs are:
- Normal citizens calling 112 emergency services;
- Stewards recruited to manage the event;
- Human-Centred Computer Vision (HCCV) tools able to semi-automatically recognise car plates, identify vehicles and suspicious behaviours of vehicles and individuals;
- Intelligence services.
The sequence of WS detection, SP generation and DRA is described in Fig. 1:
1. On the basis of the received WS, the corresponding values of sensor’s credibility and reliability and the time distance from the event are identified.
2. The Significance is then computed using the formulas in Sect. 2 (with α, β and γ set to 1 for the sake of simplicity) and normalised to get values in the [0; 1] range.
Through the application of the DRA rules the Precursors are created and, if necessary, Risk Level is modified.
3.2 A Possible Architectural Approach for DRA Implementation
DRA has been implemented in the framework of the H2020 LETSCROWD project in a Web-server GIS-based architecture receiving WSs from CCTV-based crowd density estimators, Web-crawling and semantic intelligence on social media, crowd behaviour modelling and humans-as-sensors. SPs above a selected Significance threshold are brought to the attention of an operator to allow a risk-aware decision-making process.
3.3 First Experimental Results
First experimental results, as confirmed by the involved LEAs, have shown the validity and effectiveness of the approach and that DRA helps distinguish irrelevant alerts, thereby reporting only significant threats to operators. The proposed DRA approach is going to be further validated on real scenarios (mass gathering events) from Law Enforcement Agencies (LEAs). The main problem of the DRA application lies in the identification of sources of WSs apart from humans-as-sensors and (semantic) intelligence: most of the CCTV-based tools are either not sufficiently reliable or face serious privacy issues.
4 Conclusions
The proposed DRA methodology has the following advantages over more traditional approaches: it searches for out-of-the-ordinary behaviours, reduces the number of false alarms, does not require large statistical samples and is sufficiently simple to run in real time. Further research should confirm the first promising experimental results, focusing on identifying suitable WS sources, characterising them in terms of reliability and credibility and evaluating the feedback from LEAs’ operators.
Notes
1. A WS can be defined as “A seemingly random or disconnected piece of information that at first appears to be background noise but can be recognized as part of a significant pattern by viewing it through a different frame or connecting it with other pieces of information” [14].
References
1. UK Government Office for Science: Blackett Review of High Impact Low Probability Risks, London (2011)
2. Ezell, B., Bennet, S., von Winterfeldt, D., Sokolowski, J., Collins, A.: Probabilistic risk analysis and terrorism risk. Risk Anal. 30(4), 575–589 (2010)
3. Brynielsson, J., Horndahl, A., Johansson, F., Kaati, L., Martenson, C., Svenson, P.: Analysis of weak signals for detecting lone wolf terrorists. In: 2012 IEEE European Intelligence and Security Informatics Conference (2012)
4. Paté-Cornell, M.L.: Fusion of intelligence information: a Bayesian approach. Risk Anal. 22(3), 445–454 (2002)
5. Holopainen, M., Toivonen, M.: Weak signals: Ansoff today. Futures 44, 198–205 (2012)
6. Chakir, E., Moughit, M., Khamlichi, Y.: A real-time risk assessment model for intrusion detection systems. In: 2017 IEEE International Symposium on Networks, Computers and Communications (ISNCC) (2017)
7. North Atlantic Treaty Organization (NATO) Information Handling Services: Annex to STANAG 2022 (Edition 8) (1992)
8. Vu, H.: Deep Abnormality Detection in Video Data, Melbourne (2017)
9. Xu, D., Ricci, E., Yan, Y., Song, J., Sebe, N.: Learning deep representations of appearance and motion for anomalous event detection (2015)
10. Hasan, M., Choi, J., Neumann, J., Roy-Chowdhury, A.K., Davis, L.S.: Learning temporal regularity in video sequences, Las Vegas (2016)
11. Strom, K.J., Hollywood, J.P.M.: Using 911 calls to detect terrorism threats, June 2009. https://www.nij.gov/journals/263/pages/911-calls.aspx
12. Lucas, P.J.F.: Certainty-factor-like structures in Bayesian belief networks. Knowl.-Based Syst. 14, 327–335 (2001)
13. UK HM Treasury: Orange Book: Management of risk - Principles and Concepts, London (2004)
14. Schoemaker, P.J.H., Day, G.S.: How to make sense of weak signals. MIT Sloan Manag. Rev. 50(3), 80–89 (2009)
Acknowledgements
This paper is based on the work carried out in the LETSCROWD project that has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement number 740466.
© 2020 Springer Nature Switzerland AG
Cite this paper
Dambra, C., Graf, C., Arias, J., Gralewski, A. (2020). A Dynamic Risk Assessment (DRA) Methodology for High Impact Low Probability (HILP) Security Risks. In: Nadjm-Tehrani, S. (eds) Critical Information Infrastructures Security. CRITIS 2019. Lecture Notes in Computer Science(), vol 11777. Springer, Cham. https://doi.org/10.1007/978-3-030-37670-3_15
DOI: https://doi.org/10.1007/978-3-030-37670-3_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-37669-7
Online ISBN: 978-3-030-37670-3
eBook Packages: Computer Science (R0)