Security risk assessment of projects in high-risk areas based on attack-defense game model

Assessing the security risk of projects in high-risk areas is particularly important. This paper develops a security risk assessment model for projects in high-risk areas based on the target loss probability model and Bayesian game model. This model is modeled from the perspective of attack-defense confrontation and addresses the issue that traditional risk assessment focuses on the analysis of the attacker yet neglects to analyze the defender—the defender’s optimum defensive information is not quantitatively determined. The risk level, optimum defensive resource value, and optimum defensive strategy of the project are determined through the analysis of a project in the high-risk area. This enables the project’s risk manager to adjust the defensive resources reasonably and optimally, confirming the objectivity and feasibility of the model and offering a new benchmark for security risk assessment, which has significant practical implications.

It is essential to assess the risk of projects in high-risk areas with the economy growing, more and more projects are built and run in high-risk areas.The subsequent hostile threats resulted in significant losses and damages to project employees and assets.But only a limited fraction of security-related studies on projects in high-risk areas are currently available.Such studies, which are comparatively reliable but primarily rely on traditional risk assessment methods 1 to determine risk levels and safety precaution recommendations, lack quantitative defensive Information about the defender.
The optimum defensive resource value and the optimum defensive strategy for the defender are obtained by the target loss probability model 2,3 which is based on game theory and the Bayesian game model 4 from the perspective of attack-defense confrontation, respectively.The target loss probability model, which is based on zero-sum game theory and has a developed application in the field of assessing the risk of terrorist attacks, but the criteria for quantifying and assigning factors in the model need to be improved 5 ; the Bayesian game model, which is based on the static game theory of incomplete information, has been developed and widely used in network attack-defense scenarios, but it is rarely used in the field of realistic security risk assessment.In addition, the model's primary problem is that it is not accurate enough to be used in realistic security risk assessment.The developed model's relative simplicity, the quantification of attack-defense strategies should be improved, and the model's priori probability value rely on historical experience, should have a higher objective 6 .
By combining the characteristics of projects in high-risk areas, redefining and quantifying the factors in the target loss probability model, and creating a set of attack-defense strategies under Bayesian game, this paper develops a security risk assessment model for projects in high-risk areas based on the two models and the existing relevant research 7 .In the Bayesian game model, the result of the target loss probability model is utilized as the priori probability value to assess the project's risk in the high-risk area and give objective, quantitative defensive information, including the optimum defensive resources and strategies 8 .

Methodology
Figure 1 depicts the overall framework of the risk assessment model based on the target loss probability model and the Bayesian game model.To construct and quantify the index system in the target loss probability modeltarget value V, attacker's resources A, and defender's resources D-to ascertain the project risk level and the optimum value for defensive resources, the method uses the cases related to project security in high-risk areas that have been gathered.It also combines traditional risk assessment theory with expert experience.In order to quantitatively determine the optimum defensive strategy for the project, a group of attack-defense strategies for security events in high-risk areas was first constructed and quantified, the research result of the target loss Construction of target loss probability model.The target loss probability model proposed by Major 2 is based on the zero sum game-the attack and defense revenue matrix is zero.The problem it discusses and solves is: for a specific target, if terrorists launch an attack with certain resources, and the defender allocates resources to defend the target, how to determine the probability of target loss under the situation of the game between the attacker and the defender.On this basis, this paper applies the target loss probability model to the social security risk assessment of the projects in high-risk areas.The attack and defense parties are the enemies who attack the projects and the security management personnel of the projects.At the same time, combining the characteristics of the attack and defense parties in the social security incidents of the projects, we give new definitions to the factors in this model-target value V, attacker A, defender D, and take social security threat incidents as the target value, The two sides of the attack and defense are hostile elements and security management personnel from the projects.By studying the adversarial game process between the attack and defense sides, the risk level and optimal defense resource value are determined.The improved simplified model is as follows: • V: The target value, represented by the letter V, is the high-risk area project security event.The loss of con- sequences brought on by the security event defines the target value V, because it reflects the likelihood and desire of the attackers to launch an attack, and the attractiveness of the security event to the attackers.• A: The attacker is the enemy side in the security event involving the project in the high-risk area, and the attacker's total resources are A T .The attacker chooses the attack target and specific attack resources A to launch the attack, and the attack resources are primarily determined by the level of social security in the host country, the level of social security in the region, the capabilities of terrorist organizations in the region, the capabilities of public order and criminals in the region, ethnic and religious conflicts, and the attractiveness of the project.• D: The defender is the project's risk manager in the high-risk area, and its total resource allocation is D T , which allots defensive resources D to counteract various attacks.The defensive resources are determined based on the safety management organization structure of the project, security personnel strength of the project, security layout and physical protection of the project, technical protection of the project, emergency response, commuter security, sustainable compliance operation capability of the project.• The risk value is represented by the function p(V,A, D). • The anticipated loss formula is as follows: The attacker constantly seeks to maximize attack likelihood and consequence loss, while the defender seeks to decrease it.
Based on this simplified model, it is known that when the defender defends against an assault using specific defensive resources and the attacker uses specific attack resources, the probability of loss for the attacked target is: denotes the probability of the attacker launching an attack and A 2 A 2 + V denotes the probability of the attacker's successful attack.
When under assault, the defender must continuously allocate defensive resources to the attack target with a high expected loss value (EL) until the attack target's EL value approaches equilibrium.When the target EL values are equal, at which point EL = EL 0 .Assuming that k is a normalization constant and that q i represents the probability that target i will be attacked: According to this equation, the attack resources allocated by the attacking side to the target are roughly equal to the open square of the target value.where A 0 is the optimum attack resource, which can be solved by the following equation: From Eqs. ( 2) and ( 4), the solution equation for the optimum defensive resource is as follows: Construction of Bayesian game model 10 .Bayesian game model first evaluates the target value, summarizes the types of security events in high-risk areas and behaviors of attackers to construct a strategy set for both attackers and defenders.Then, the modle quantifies the cost-benefit by substituting the attack-defense benefit matrix into the Bayesian framework 11 , at the same time, using the result of the target loss probability model as the priori probability.The Bayesian attack defense game model is shown in Fig. 2.
Notations and definitions of Bayesian model model.The relevant symbols and definitions in the Bayesian attack defense game model are shown in Table 1.
Bayesian strategy set and cost-benefit.The set can be used to represent the attacker's strategy in a high-risk area project attack-defense scenario: This strategy can be described as a model of resource distribution for the defender: The defender's strategy set is described as follows: (1) The expected losses and gains of the defender can be expressed as: By applying the most effective strategy, the attacker maximizes his expected benefit.Attacker A's optimization problem is expressed as follows:  The Nash equilibrium is reached when the attack-defense sides are unable to increase or decrease their benefits by adjusting their strategies.For the complete information game, the Hessani transformation 12 must be used to solve the static Bayesian Nash equilibrium.As a consequence, the Bayesian Nash equilibrium must satisfy the two following formulas: Combination weighting method based on game theory.The subjective and objective weighting method based on game theory 13 , which combines the respective advantages of the two methods to determine the weights, is founded on the fundamental idea of minimizing the difference between combination weights and individual weights, thereby minimizing the sum of deviations to maximize the interests of both attackers and defenders.The following are the method's primary solution steps: •For a basic set of weight vectors U = {u 1 , u 2 , . . ., u n } , these n vectors are arbitrarily linearly combined into a set of possible weights: where u is one possible weight vector of the set of possible weight vectors and α k is a weight coefficient.
•According to game-theoretic principles, the linear combination weight coefficients are optimized by reducing the deviation of u from the individual uk in order to find consensus between the various weights α k .
The first order derivative needed for the optimization of the aforementioned equation can be determined using the matrix differentiation property as follows 14 : which corresponds to the system of linear equations: • After deriving (α 1 , α 2 , . . ., α n ) from this equation, it is normalized to: The final weights are derived as follows: Construction of index system and attack-defense strategy set for projects in high-risk area.Construction of V, A, D index system.The methods used to construct the index system of each factor To this end, it should not only refer to the general attack-defense resource index system-the fundamental theory of risk assessment, but also combine the characteristics of projects in high-risk areas with real case studies.Therefore, when constructing the index system, it should also take into account the characteristics of projects in high-risk areas, realistic cases, pertinent literature, pertinent official websites, and the experience and knowledge of experts for revision in addition to referencing the general attack-defense resource index system-the basic theory of risk assessment.The target loss probability model is used to determine the risk level and the optimum defensive resource value on the basis of this index system, and the values of V, A, and D are determined by a combination weighting method based on game theory (fuzzy comprehensive evaluation method 15 and entropy value method 16 ).The indicators are constructed as depicted in Table 2.
The following table provides instances of indicator quantification, with the quantification of indicators for both attackers and defenders set at three levels and the quantification of indicators for target values set at five levels.Table 3 describes the quantitative grading of social security indicators, while Table 4 describes the quantitative grading of indicators for the degree of functional operation damage of the target project 17 .
Construction of Bayesian game strategy set and quantification of the cost-benefit.The construction of the attack and defense strategy set in the Bayesian attack and defense game model and the quantification of cost-benefit grading are based on the DMAT classification method in the field of network attack and defense.The attackdefense resource index system is the major reference point for constructing the Bayesian attack-defense game strategy set for the project.In addition, it is also associated with realistic attack-defense cases.The attack-defense cost-benefit values have a range of 0-100, and the type of attackers is subdivided into public order/criminal criminals 18 and local armed elements/terrorists 19 based on the severity of the injury.The attack strategy is developed from the standpoint of typical strategies used in realistic cases, the cost of attack is taken into account from the enemy's weaponry, strategy, and type, and the benefit to both the attackers and defender is taken into account from the severity of the damage the enemy has caused.Split the cost-benefit of public order/criminal criminals into five categories, and local armed elements/terrorists into four categories.Table 5 provides the quantified cost benefit values for the attacking party.
Set the cost of each benchmark defensive strategy to range from 0 to 10, and the overall cost of defense to be 100.Based on the attack strategies, considering the difficulty and consequences of defending the attack behavior, and taking the project physical protection, technical protection, and security personnel protection strategies as the benchmark, an attack strategy oriented defense strategy is proposed to determine the cost-benefit of attack-defense.Table 6 describes the defense strategy set and costs.
The Bayesian attack-defense game can be solved using the attack-defense benefit matrix and the prior probability value after determining the cost-benefit ratios of attack and defense.The attack-defense benefit matrix and the prior probability value are input into the gambling game software 20 to solve the Bayesian Nash equilibriumoptimum defensive strategy.

Results and discussion
Case validation.This study chooses a project in a high-risk location and conducts a case validation through field trips, conferences, and data collection, in order to confirm the validity of the model and the logic of the risk assessment procedure.
The project's basic setup is as follows: it encompasses an area of approximately 6000 acres, has a perimeter of approximately 10 km, 30 fence posts in total, three entrances and exits, and a regular, roomy surrounding road that is close to the local public safety department, fire department, and medical department.SPU (police) is responsible for guarding the project perimeter and protecting employees during their intermediary transportation, while security is responsible for the internal security work of the project, mainly maintaining order and dealing with emergencies.The project is placed in an extremely dangerous and complex social security environment, and its personnel precautions, physical precautions, technical precautions, and emergency response and disposal measures are either inadequate or generic.The project layout is shown in Fig. 3.
The project's risk assessment is validated based on the built security risk assessment model of the project in the high-risk area and the real scenario of the project, with the results as follows.

Results and discussion. Results of target loss probability model of the project. Combination weighting
based on game theory of V, A, D. Table 7 shows the result values of the attacker's resource value A.
Table 8 shows the result values of the defender's resource value D. Table 9 shows the result values of the value of target's resource V.
Results of target loss probability model.In order to do dynamic analysis, the target value-V, attacker's resource-A, and defender's resource-D are input into the target loss probability model.The results are shown in Table 10 and Fig. 4. The adjustment of defense resource values will cause the probability of target loss to change, thereby affecting the risk level faced by the project.Therefore, the risk level can be divided based on the defense resource values.Figure 4's target loss probability model results show that when defensive resources increase from 0.5 to 1.5, the target loss probability value is high and the project risk level is at its highest; by increasing defensive resources, the target loss probability value can be effectively reduced, lowering the risk level; when defensive resources from 1.5 to 2, the target loss probability value significantly decreases, and at this time, the project risk level is at its medium; when defensive resources are increased from 2 to 3, the target loss probability value and project www.nature.com/scientificreports/risk level are the lowest,but there is no discernible change in the target loss probability value with the increase of defense resources, and the defense resources are now excessive.This is further supported by the expected loss EL result graph, which shows that the expected loss value reduces noticeably when defensive resource levels rise from 0.5 to 2, but does not alter much as defensive resource levels rise further.Combined with the target loss probability result value in Table 10, it can be seen that the risk level of the project is medium, and the optimum defensive resource should be increased by D 0 over the basic defensive resource.Based on the results of the risk assessment, while considering the weaknesses in the actual safety prevention of the project, the optimum defense resource A 0 is increased for the three aspects of the video surveillance system, the outlet control system and the

Social security level Index level
The proportion of major and malignant criminal cases in the host country is less than 10% Low The proportion of major and malignant criminal cases in the host country ranges from 10 to 30% Medium More than 30% of the country's major and malignant criminal cases High Vol.:(0123456789)The enemy is for ethnoreligious or political ends or to exert social influence, it use weapons, bombs, and explosives with well-planning, results in casualties among the staff and property losses of the project and harm to project operations

61-80 71-100 Explosion/Bombing
The enemy is for ethnoreligious or political ends or to exert social influence, it use weapons, guns,bombs, and explosives with well-planning, results in casualties, the loss of property and facilities, and harm to the project's ability to function 81-100 71-100 Armed Attack Table 6.Defensive strategy set.

Building layout
Important assets and densely populated areas of the project are located in the core of the building, away from the edges of the building and other weak protection locations 0-10

Perimeter physical barrier
The main functions of physical perimeter barriers are warning, deterrence, blocking, delay, retardation, preparedness and protection, such as the antidamage, anti-climbing and permeability of physical fences 0-10

Set up protection distance
The protective belt is set outside the building of the project to play the role of delay, prevention and protection 0-10

Building specific protection elements
Reasonable setting of specific building elements, such as bullet-proof glass, anti-theft windows, explosion-proof partitions, hidden observation towers, anti-climbing facilities at the top of fences, and wall reinforcement at the core facilities of the project 0-10 Project technical protection

Intrusion alarm system
Reasonable and strict installation of intrusion alarm systems at key entrances and exits or fences of the project to detect and respond to enemy intrusion in a timely manner 0-10

Video surveillance system
Reasonable and strict setting of intelligent video monitoring system, timely detection and response to intrusion, and record storage 0-10 Entrance and exit control system    The existing literature on project risk assessment in high-risk areas is mostly based on traditional risk assessment theories to assess risk levels, such as Varbuchta et al. 21, which expands the risk variables in large-scale transportation infrastructure projects on the basis of traditional risk assessment and applies them to the executed project assessment process; Li et al. 22 combined risk management and public safety triangle theory to assess the risk level from vulnerability, threat, and key factors.In this paper, the target loss probability model is applied to the traditional risk assessment process, and indicators are constructed from the perspective of an attack-defense game in combination with realistic attack-defense scenarios.While obtaining the risk assessment level, the optimum defensive resource value facing the attacker is given.
Bayesian game model results of project.Quantitative values of the cost-benefit of attack and defense.Table 11 shows the quantification of attack and defense costs and benefits.
Mixed strategy Nash equilibrium solution-gambit software analysis.Figure 5 shows the attack and defense game tree constructed under different attacks.Figures 6 and 7 show the Nash equilibrium solutions for different types of attackers, respectively.
The Bayesian attack-defense game model's findings show that S a4 assassination/shooting, S d2 , is the most likely attack-defense strategy when confronting law and order/criminal elements, while S a8 explosion/bombing, S d6 , is the most likely attack-defense strategy when confronting local armed elements/terrorists.At this point, the attack-defense games have each reached mixed strategy Nash equilibrium.The project security manager should increase D 0 for the resources in strategies S d2 and S d6 , respectively, in conjunction with the target loss probability Table 10.Results of target loss probability model of the project.model's optimum defensive resource value.This will not only significantly lower the project risk level, but will also maximize the sensible allocation of the optimum defensive strategy and resource value.
The prior probability value in existing Bayesian game models primarily relies on expert experience and historical data, and is mostly applied to network attack-defense game scenarios.For instance, Liu et al. 23,24 proposed a generalized method of perfect Bayesian Nash equilibrium (BNE) for solving actual network attack-defense; Wang et al. 25 combined Bayesian game theory and Markov decision methods to construct an incomplete information stochastic game model.However, the model in this study uses the target loss probability result as the attacker's prior probability value, combining the traits of high-risk projects to create Bayesian attack-defense games with various attacker types in realistic attack-defense scenarios, and more objectively determining the optimum defensive strategy against various attackers.

Conclusion
This paper constructs a security risk assessment model for projects in high-risk areas from the perspective of an attack-defense confrontation game to determine the risk level and optimum defensive information, and verifies the scientificity of the model using the example of a project in a high-risk area, which is based on the traditional

Figure 1 .
Figure 1.Framework for risk assessment of the projects in high-risk area.
capability of the project Compliance with relevant laws and regulations Respect for local culture and customs Relationship with local communities Transparency in project governance Assume operational social responsibility Indicators of the target-V Degree of injury to target personnel Degree of exposure of target personnel Degree of damage to target assets Degree of damage to target project operations Target project reputation impact range Scope of environmental impact of the target project

Figure 4 .
Figure 4. Probability value P and loss expectation EL with different defensive resources.

Figure 5 .
Figure 5. Game tree of attack-defense under different types of attacks.

Figure 6 .
Figure 6.Nash equilibrium of the game under the type of law and order/criminal elements.

Table 1 .
Definition of notation related to Bayesian model.The defender's objective is to minimize expected loss by allocating limited defense resources optimally to counter various sorts of attackers.
* Probability of attack on the project under the balanced strategy S A S D Attack strategy set and Defensive strategy set P D Vulnerability of the project k The value of the project in the eyes of attacker A k Vol.:(0123456789) Scientific Reports | (2023) 13:13293 | https://doi.org/10.1038/s41598-023-40409-wwww.nature.com/scientificreports/ in the target loss probability model are literature collection and case study, and the construction principles should follow objectivity, typicality, operability and hierarchy.

Table 2 .
V, A, D indicators of projects in high-risk area.

Table 3 .
Index level description of social security level.

Table 4 .
Index level description of degree of damage to project operations.

Table 5 .
Quantification of the cost-benefit of the attacker's strategy.

Table 7 .
The value of attacker's resource-A.

Table 8 .
The value of defender's resource-D.

Table 9 .
The value of target's resource-V.

Table 11 .
Quantification of the cost-benefit of the attack-defense strategies.