The U.S. Nuclear Regulatory Commission (NRC) has increased its efforts to risk-inform security regulatory approaches. This paper will highlight some of the ongoing activities as well as lessons learned. The goal of the NRC’s initiative to risk-inform security is to ensure that the staff applies the appropriate level of regulation and establishes requirements for security that are commensurate with the risk of the activity and material to be protected. It also provides an opportunity to add realism to the program, including the use of real-world data during the development of force-on-force exercise scenarios. Assessing risk in security has similarities to, as well as differences from, assessing risk in the safety world. One particular difference is that the initiating event for safety scenarios is typically a random event, which allows for the actual calculation of risk. The initiating event for security scenarios, however, is not a random occurrence: an adversary (as defined by the design basis threat) initiates the attack, which makes calculating risk more of a challenge. This paper will present some of the ways this concept has been applied to risk analysis for a physical security program and how the NRC has accounted for this difference.
Risk-informing initiatives are important activities for the U.S. Nuclear Regulatory Commission. The NRC has begun risk-informing several ongoing security activities, including the use of current threat assessment information to inform the development of force-on-force exercise scenarios, the use of site-specific threat conditions to determine appropriate implementing timelines for security compensatory measures, and the revision of the baseline security inspection program to ensure the appropriate level of oversight based on reasonable assurance of protection. In addition to the work the NRC has done, NRC licensees have also undertaken efforts to utilize risk information in their security activities, and their interest continues to grow, with a stated goal of increasing efficiency while maintaining safety and security. One major activity that has been underway for several years is the use of modeling and simulation software to conduct vulnerability assessments (computer modeling) of licensed facilities. In many ways, these assessments are similar to probabilistic risk assessments conducted in the safety arena. Risk-informed security will continue to play an increasing role in the NRC’s regulatory approaches.