Quantitative Physical Security Assessment Model Based on Information Security Management System

Rama Roshan Ravan, Advanced Informatics School, Universiti Teknologi Malaysia, Kuala Lumpur, Malaysia, rrrama2@live.utm.my
Teddy Mantoro, Faculty of Information Technology, University of Budi Luhur, Jakarta, Indonesia, tmantoro@gmail.com
Sanam Ghorbani Liastani, Advanced Informatics School, Universiti Teknologi Malaysia, Kuala Lumpur, Malaysia, sanam.liastani84@gmail.com

Abstract— Physical security controls aim to prevent or reduce the potential damage and breaches that could result from an incident. For most situations the recommended response involves general facilities such as CCTV, intruder alarms and lighting, which deter as well as detect. However, external and internal threats to organizations constantly evolve, so all procedures and technologies should be kept under a standard review process. Moreover, there are many quantitative and qualitative physical security approaches that provide a variety of guidelines for achieving physical security objectives, but most of them are customized methods introduced for a specific area such as critical data centers or military sites. In fact, a comprehensive standard-based approach that provides an overall physical security umbrella for a variety of areas has not been introduced yet. Among the many security standards, the information security management system (ISMS) international standard ISO/IEC 27001:2005 provides some physical security objectives and controls that can serve as a comprehensive guideline for all organizations. This paper proposes a mathematical physical security model based on this standard. The proposed model determines the physical security level of the organization using a set of controls and assigning a weight to each of them; these weights depend on the criticality of the area.

Keywords— Physical Security, Security Objective, Security Domain, Security Control

I. INTRODUCTION

Every general computer networking education program focuses on well-known networking models such as DoD and/or OSI, and shows that everything begins with the physical layer at the bottom. Likewise, in the information technology security area, physical security is defined as a basic concept of an organization's overall strategy. But some organizations, distracted by the complexity of software-based security products, may overlook the importance of physical security in their network security plan [10]. Essentially, physical security refers to the protection mechanisms for personnel, hardware, programs, networks, and data against physical events that could cause serious loss or damage to an organization, including protection from fire, theft, natural disasters, burglary, vandalism, and terrorism [5]. Moreover, physical security is a concept that is sometimes overlooked in the shadow of more technical issues such as hacking, viruses, Trojans, and spyware [8]. In fact, attackers need less technical knowledge to breach physical security defense layers. Furthermore, there are some inevitable sources of physical attack, such as accidents and natural disasters, which are part of daily life [7]. Physical security has three main components [6]: notification and surveillance systems; physical defense layers against accidents and environmental disasters; and methods to apprehend attackers and to recover quickly from physical security events. Based on the information security management system international standard (ISO/IEC 27001), there are two physical security objectives: Secure Area and Equipment Security [1]. The former focuses on protection against unauthorized physical access, damage, and interference to the organization's environment and information. The latter aims to protect organizational assets from loss or damage and also from interruption to the organization's normal activities.

This paper provides realistic guidance and prescribes a uniform quantitative physical security model based on the information security management system (ISMS), expressed in terms of physical security objectives, domains, and controls, and then formalizes the physical security assessment process to determine an organization's physical security level. The paper comprises five sections, which present the literature review, security domains, security controls, the proposed model, and physical security levels, respectively.

II. LITERATURE REVIEW

Research on physical security and on the assessment of physical security models is a mature subject. Hicks et al. [11] introduced, in 1998, a risk-based design stage for physical protection systems based on cost and performance analysis, defined as follows:

Risk = P(A) × [1 − P(E)] × C    (1)
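The following is an added worked example, not code from the paper or from Hicks et al. It implements equation (1) under the usual reading of its symbols (P(A) as the probability of an attack, P(E) as the probability that the protection system is effective against it, and C as the consequence of a successful attack; this reading is an assumption, since the paper does not define the symbols here), and pairs it with a simple weighted-control score of the kind the abstract describes: controls grouped under the two ISO/IEC 27001 objectives named above, with objective weights that depend on area criticality. The control list, scores, weights and cost figures are constructed for illustration, and the "risk reduction per unit cost" ranking is an assumed way of using equation (1) for the cost-and-performance design the paper attributes to Hicks et al., not that work's actual procedure.

```python
"""Illustrative physical security risk and scoring helpers (added example).

Equation (1) from the literature review, Risk = P(A) * [1 - P(E)] * C, plus a
criticality-weighted control score. All sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def risk(p_attack: float, p_effective: float, consequence: float) -> float:
    """Equation (1): Risk = P(A) * [1 - P(E)] * C.

    p_attack    -- P(A), probability that an adversary attacks (assumed meaning)
    p_effective -- P(E), probability the protection system defeats the attack
    consequence -- C, loss if the attack succeeds; the result has the same unit
    """
    for name, p in (("P(A)", p_attack), ("P(E)", p_effective)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be a probability in [0, 1], got {p}")
    if consequence < 0:
        raise ValueError("consequence must be non-negative")
    return p_attack * (1.0 - p_effective) * consequence


@dataclass(frozen=True)
class Control:
    """One physical security control under an ISO/IEC 27001 objective."""
    objective: str   # "Secure Area" or "Equipment Security" (the two objectives cited)
    name: str
    score: float     # assessed implementation level in [0, 1] (assumed scale)


# Objective weights keyed by area criticality. Constructed for the example:
# the paper only states that weights depend on the criticality of the area.
WEIGHTS: Dict[str, Dict[str, float]] = {
    "low":  {"Secure Area": 0.5, "Equipment Security": 0.5},
    "high": {"Secure Area": 0.7, "Equipment Security": 0.3},
}

# Constructed sample assessment of four controls.
SAMPLE_CONTROLS: List[Control] = [
    Control("Secure Area", "physical entry controls", 0.8),
    Control("Secure Area", "CCTV coverage", 0.6),
    Control("Equipment Security", "equipment siting and protection", 0.4),
    Control("Equipment Security", "cabling security", 0.6),
]


def security_level(controls: List[Control], criticality: str) -> float:
    """Weighted physical security level in [0, 1] (assumed aggregation).

    Each objective's score is the mean of its controls' scores; objective
    scores are then combined with the criticality-dependent weights.
    """
    weights = WEIGHTS[criticality]
    per_objective: Dict[str, List[float]] = {obj: [] for obj in weights}
    for c in controls:
        if c.objective not in per_objective:
            raise ValueError(f"unknown objective {c.objective!r}")
        if not 0.0 <= c.score <= 1.0:
            raise ValueError(f"score for {c.name!r} out of [0, 1]")
        per_objective[c.objective].append(c.score)
    level = 0.0
    for obj, w in weights.items():
        scores = per_objective[obj]
        if scores:  # an objective with no assessed controls contributes nothing
            level += w * (sum(scores) / len(scores))
    return round(level, 4)


def rank_upgrades(p_attack: float, consequence: float, baseline_pe: float,
                  options: List[Tuple[str, float, float]]) -> List[Tuple[str, float]]:
    """Rank candidate upgrades by risk reduction per unit cost (assumed use of (1)).

    options: (name, P(E) after the upgrade, cost). Returns (name, reduction/cost),
    best value first, so a cheap control with a large effect ranks high.
    """
    base = risk(p_attack, baseline_pe, consequence)
    ranked = []
    for name, new_pe, cost in options:
        if cost <= 0:
            raise ValueError(f"cost for {name!r} must be positive")
        reduction = base - risk(p_attack, new_pe, consequence)
        ranked.append((name, round(reduction / cost, 4)))
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked


if __name__ == "__main__":
    print("risk:", risk(0.2, 0.75, 1_000_000))
    for crit in ("low", "high"):
        print(f"security level ({crit} criticality):", security_level(SAMPLE_CONTROLS, crit))
    # Constructed upgrade options: (name, P(E) after upgrade, cost)
    upgrades = [("intruder alarm", 0.8, 20_000), ("CCTV", 0.7, 30_000), ("lighting", 0.64, 5_000)]
    print("upgrades ranked:", rank_upgrades(0.2, 1_000_000, 0.6, upgrades))
```

Note that the same set of assessed controls yields a different level at different criticalities, which is the effect the abstract attributes to criticality-dependent weights; and that the ranking in `rank_upgrades` can prefer a modest, cheap control over a stronger but expensive one, which is the cost-versus-performance trade-off the design stage is about.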