On the night of December 3, 2022, gunfire disabled two Duke Energy substations about ten miles apart in Moore County, North Carolina. Roughly 45,000 customers lost power for five days, a state of emergency followed, and an 87-year-old resident who relied on medical equipment later had her death ruled a homicide tied to the outage.
The FBI is still seeking the shooter. The attack is the clearest recent argument for physical security risk management: a deliberate, low-tech assault on an unguarded asset that the operator had never hardened against a credible threat.
Physical security risk management finds those gaps before an attacker does, scores them, and closes the worst first. It runs on a simple equation of threat, vulnerability, and consequence, backed by four control functions and concentric layers of defense.
| Physical Security Risk Management: Key Takeaways |
|---|
| Physical security risk management protects people, facilities, and assets by scoring physical threats, ranking them, and closing the worst gaps first, rather than guarding everything equally. |
| The 2022 Moore County substation attack is the cautionary case: gunfire darkened 45,000 customers for five days, one death was ruled a homicide, and the assets had no barrier against a credible armed threat. |
| The core equation is risk equals threat times vulnerability times consequence; every countermeasure exists to drive one of those three factors down. |
| Programs answer scored risk with four control functions (deter, detect, delay, and respond), arranged in concentric layers of defense so an adversary must defeat several barriers, not one. |
| A defensible assessment aligns to the Interagency Security Committee process, FEMA 426, ASIS standards, NIST 800-53 physical controls, and ISO 31000. |
| For critical infrastructure the duty is legal: NERC CIP-014, born from the 2013 Metcalf attack, requires utilities to run physical security risk assessments on their most critical substations. |
What Physical Security Risk Management Is
Physical security risk management is the structured process of protecting people, facilities, and assets from physical threats such as intrusion, theft, sabotage, workplace violence, and armed attack. It identifies what could go wrong, how likely it is, and what it would cost, then ranks the response.
The goal is priority, not paranoia. A site cannot guard everything equally, so physical security risk management points money and attention at the assets whose loss would hurt most, the same logic behind any operational risk program.
Physical Security Risk Management vs a One-Off Security Audit
A security audit checks whether existing controls work. Physical security risk management asks a broader question: given the threats this site actually faces, are these the right controls at all? An audit grades the locks, while risk management decides whether the door belongs there.
Treat the audit as an input. The Moore County substations may have passed a compliance check while staying wide open to a rifle from the tree line, which is the gap a threat-driven assessment exists to catch, and why it feeds the risk management lifecycle rather than ending it.
Why Physical Security Risk Management Is Under Pressure
Physical attacks on US infrastructure are climbing. Direct physical attacks and threats to the power grid hit an all-time high of 163 in 2022, up about 71 percent from the year before, and the Department of Energy logged at least 175 in 2023.

Figure 1. The numbers driving physical security risk management up the board agenda.
The grid is the visible edge of a wider trend. Critical infrastructure, corporate campuses, hospitals, and warehouses all report rising intrusion, theft, and workplace-violence incidents, which is why critical infrastructure security now sits beside cyber on the risk register.

Figure 2. Physical attacks on the US grid by year, the threat physical security risk management has to price in.
Consequences are not only financial. The Moore County outage cut power to dialysis machines and home oxygen, and the lone confirmed death shows how a physical security failure can become a fatality, not just a repair bill.
The Risk Equation Behind Physical Security Risk Management
Physical security risk management runs on one equation: risk equals threat times vulnerability times consequence. Drive any factor toward zero and the risk falls, which is what every countermeasure is trying to do.
| Factor | Question it answers | Moore County example |
|---|---|---|
| Threat | Who or what could cause harm, and how capable are they? | A person with a rifle and intent |
| Vulnerability | What weakness would let the threat succeed? | Unscreened, unmonitored perimeter |
| Consequence | What is the loss if it succeeds? | A five-day regional blackout |
Read the three factors against Moore County. The threat was a shooter, the vulnerability was an open perimeter with no detection, and the consequence was a regional blackout, so all three ran high at once and the risk score was extreme.
Deter, Detect, Delay, Respond: The Functions of Physical Security Risk Management
Once a risk is scored, physical security risk management answers it with four control functions. A camera that detects an intruder is worthless if nothing delays them or responds in time, so strong programs cover all four.
| Function | Goal | Example controls |
|---|---|---|
| Deter | Convince an adversary the target is not worth it | Fencing, lighting, signage, visible patrols |
| Detect | Know an attack is underway as early as possible | Cameras, intrusion sensors, alarms, monitoring |
| Delay | Slow the adversary long enough to respond | Locks, ballistic barriers, bollards, access control |
| Respond | Stop the attack before the loss occurs | Guards, law-enforcement liaison, lockdown plans |
The functions work as a chain. Deterrence thins the threat, detection starts the clock, delay buys minutes, and response has to arrive before delay runs out, the math the Moore County site lost when nothing slowed the shots.
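The chain described above can be checked as a timeline: detection starts the clock, the delay controls after that point buy minutes, and the response has to arrive before those minutes run out. The following is an added example, not code from the article or from Risk Publishing; it applies standard adversary-timeline reasoning to the article's four functions. The two adversary paths, the per-step delays and the eight-minute response time are constructed for illustration and are not figures from the Moore County case.

```python
"""Timely-detection check for the deter, detect, delay, respond chain.

Added example, not code from the original article. It models the chain in the
article's terms: detection starts the clock, the delay controls after that
point buy minutes, and the response must arrive before that delay runs out.
The adversary paths, per-step delays and response time below are constructed
for illustration; they are not figures from the Moore County case.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Step:
    """One step on the adversary's path to the asset."""
    name: str
    delay_min: float   # minutes this step costs the adversary
    detected: bool     # a detection control raises the alarm at this step


@dataclass(frozen=True)
class Outcome:
    detected_at_min: Optional[float]  # elapsed time when the alarm fires; None = never
    remaining_delay_min: float        # adversary time still needed after the alarm
    response_min: float               # time for responders to arrive and intervene
    response_in_time: bool


def evaluate_chain(path: List[Step], response_min: float) -> Outcome:
    """Credit detection at the start of the first detected step, then compare
    the delay that remains after that point with the response time."""
    elapsed = 0.0
    for i, step in enumerate(path):
        if step.detected:
            remaining = sum(s.delay_min for s in path[i:])
            return Outcome(elapsed, remaining, response_min, response_min < remaining)
        elapsed += step.delay_min
    # No detection anywhere on the path: the clock never starts.
    return Outcome(None, 0.0, response_min, False)


def delay_shortfall_min(outcome: Outcome) -> float:
    """Extra delay needed after the detection point for the response to win."""
    return max(0.0, outcome.response_min - outcome.remaining_delay_min)


# Constructed path: a fence but no sensor; the only "detection" is the attack itself.
UNHARDENED: List[Step] = [
    Step("cross chain-link fence", 1.0, detected=False),
    Step("walk to the asset", 2.0, detected=False),
    Step("attack the asset", 0.5, detected=True),
]

# Constructed path: a sensor line on the fence plus a hardened door that adds delay.
HARDENED: List[Step] = [
    Step("cross fence (sensor line)", 1.0, detected=True),
    Step("walk to the asset", 2.0, detected=False),
    Step("defeat hardened door", 8.0, detected=False),
    Step("attack the asset", 0.5, detected=False),
]

RESPONSE_MIN = 8.0  # constructed: guard or law-enforcement arrival time


if __name__ == "__main__":
    for label, path in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        o = evaluate_chain(path, RESPONSE_MIN)
        verdict = "in time" if o.response_in_time else "too late"
        print(f"{label}: alarm at {o.detected_at_min} min, delay left "
              f"{o.remaining_delay_min} min, response {o.response_min} min -> "
              f"{verdict} (shortfall {delay_shortfall_min(o)} min)")
```

On the unhardened path the alarm fires only when the attack itself starts, leaving half a minute against an eight-minute response; on the hardened path the sensor line fires at the fence and the door buys enough delay for the same response to arrive first. The shortfall figure is the number a control plan has to close, whether by moving detection outward or by adding delay behind it.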
Layers of Defense in Physical Security Risk Management
Layers of defense turn those functions into geography. Physical security risk management arranges controls in concentric rings, from the outer perimeter to the critical asset, so an adversary has to defeat several independent barriers instead of one.

Figure 3. Layers of defense give physical security risk management depth, so no single failure exposes the asset.
Each ring buys time for the next: a fence deters, a sensor detects, a hardened door delays, and a guard responds. The design borrows from CPTED, the practice of shaping space to discourage crime, which FEMA building science builds into facility design.
How to Conduct a Physical Security Risk Management Assessment
Turn the theory into a repeatable assessment. These six steps align physical security risk management with the Interagency Security Committee process and FEMA 426, so the method holds up with auditors and insurers.
| Step | Action | Output |
|---|---|---|
| 1. Characterize | List assets and the cost of losing each | A ranked asset inventory |
| 2. Assess threats | Profile credible adversaries and hazards | A threat profile per asset |
| 3. Assess vulnerabilities | Walk the site and find exploitable gaps | A vulnerability list |
| 4. Determine risk | Score threat, vulnerability, and consequence | Ranked risk scores |
| 5. Select countermeasures | Apply deter, detect, delay, and respond | A control plan and residual score |
| 6. Monitor | Test controls and re-assess on change | A dated review log |
Step one sets the ceiling on everything after it. Characterize the assets and the cost of losing them before anything else, the same discipline behind any defensible step-by-step risk assessment.
Scoring Physical Security Risk Management Scenarios
Score each scenario on threat, vulnerability, and consequence, usually one to five, then multiply for a risk score. Apply countermeasures, re-score the residual, and you can prove a control actually moved the number.
| Scenario | T | V | C | Risk | Top countermeasure |
|---|---|---|---|---|---|
| Armed attack on substation | 5 | 5 | 5 | 125 | Ballistic barrier, detection, response plan |
| Unauthorized entry (tailgating) | 4 | 4 | 5 | 80 | Access control, anti-tailgating, badging |
| Theft of assets | 4 | 4 | 4 | 64 | Locks, cages, cameras, inventory control |
| Vandalism or sabotage | 3 | 3 | 5 | 45 | Lighting, fencing, surveillance, patrols |
| Insider misuse | 4 | 3 | 5 | 60 | Access tiers, vetting, audit logging |

Figure 4. Physical security risk management drives each scenario from inherent risk down to an acceptable residual.
The armed-attack row is the one to study. A substation-style scenario scores at the top before controls and drops sharply once a ballistic barrier, detection, and a response plan are in place, which is why a control beats a hope. Our guide to inherent risk scoring shows the math.
Pick one scale and hold it. Mixing a 4×4 and a 5×5 matrix across sites makes scores incomparable, so settle the matrix first and record every score in a live risk register.
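A risk register that does what the scoring section and the "pick one scale" rule describe: it computes threat times vulnerability times consequence on a single fixed 1-to-5 scale, rejects off-scale scores so sites stay comparable, ranks scenarios worst first, and re-scores the residual once countermeasures are applied. This is an added example, not code from the article or from Risk Publishing. The five scenarios and their inherent scores are the ones in the table above; the residual T/V/C values and the acceptance threshold of 40 are constructed assumptions, since the article gives no residual numbers.

```python
"""Scored physical-security risk register.

Added example, not code from the original article. It implements the
article's formula, risk = threat x vulnerability x consequence, on one
fixed 1-5 scale, and re-scores the residual after countermeasures.
The five scenarios and their inherent scores come from the article's
table; the residual T/V/C values and the acceptance threshold are
constructed assumptions, because the article gives no residual numbers.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SCALE_MAX = 5          # hold one scale across every site so scores compare
ACCEPTABLE_RISK = 40   # constructed residual threshold for this register


def check_scale(score: int) -> int:
    """Reject any score outside the register's single 1..SCALE_MAX scale."""
    if not isinstance(score, int) or not 1 <= score <= SCALE_MAX:
        raise ValueError(f"score {score!r} is outside the 1-{SCALE_MAX} scale")
    return score


@dataclass
class Scenario:
    name: str
    threat: int
    vulnerability: int
    consequence: int
    countermeasures: List[str] = field(default_factory=list)
    # (T, V, C) after the countermeasures are in place; None = not yet re-scored
    residual: Optional[Tuple[int, int, int]] = None

    def __post_init__(self) -> None:
        for s in (self.threat, self.vulnerability, self.consequence):
            check_scale(s)
        if self.residual is not None:
            for s in self.residual:
                check_scale(s)


def inherent_risk(s: Scenario) -> int:
    """Risk before controls: T x V x C."""
    return s.threat * s.vulnerability * s.consequence


def residual_risk(s: Scenario) -> int:
    """Risk after controls; equals the inherent score until the scenario is re-scored."""
    if s.residual is None:
        return inherent_risk(s)
    t, v, c = s.residual
    return t * v * c


def reduction_pct(s: Scenario) -> float:
    """Share of the inherent score that the countermeasures removed."""
    inh = inherent_risk(s)
    return 100 * (inh - residual_risk(s)) / inh


def rank(register: List[Scenario]) -> List[Scenario]:
    """Worst inherent risk first: the order in which to fund controls."""
    return sorted(register, key=inherent_risk, reverse=True)


def still_open(register: List[Scenario], threshold: int = ACCEPTABLE_RISK) -> List[str]:
    """Scenarios whose residual is still above the acceptance threshold."""
    return [s.name for s in register if residual_risk(s) > threshold]


# Scenarios and inherent scores as tabulated in the article; residuals are constructed.
REGISTER: List[Scenario] = [
    Scenario("Armed attack on substation", 5, 5, 5,
             ["ballistic barrier", "detection", "response plan"], residual=(5, 2, 3)),
    Scenario("Unauthorized entry (tailgating)", 4, 4, 5,
             ["access control", "anti-tailgating", "badging"], residual=(4, 2, 5)),
    Scenario("Theft of assets", 4, 4, 4,
             ["locks", "cages", "cameras", "inventory control"], residual=(4, 2, 3)),
    Scenario("Vandalism or sabotage", 3, 3, 5,
             ["lighting", "fencing", "surveillance", "patrols"], residual=(2, 2, 5)),
    Scenario("Insider misuse", 4, 3, 5,
             ["access tiers", "vetting", "audit logging"]),   # not yet re-scored
]


if __name__ == "__main__":
    for s in rank(REGISTER):
        print(f"{s.name:<34} inherent={inherent_risk(s):>3} "
              f"residual={residual_risk(s):>3} cut={reduction_pct(s):5.1f}%")
    print("still above threshold:", still_open(REGISTER))
```

Two design choices carry the article's points. A scenario that has not been re-scored keeps its inherent score as its residual, so an unfinished control plan cannot quietly disappear from the open list; and the scale check runs on every score at construction, so a site that scored on a 4-by-4 matrix fails loudly instead of producing numbers that look comparable and are not.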
Standards That Anchor Physical Security Risk Management
Physical security risk management is stronger when it cites the bodies behind it. A handful of US standards and frameworks do most of the work, and an assessor will expect to see them mapped.
| Standard | Scope | Role in the assessment |
|---|---|---|
| ISC Risk Management Process | Federal facility security | The threat, vulnerability, consequence method |
| FEMA 426 | Building protection and design | Vulnerability checklists and CPTED |
| NIST SP 800-53 (PE) | Physical and environmental controls | The control catalog for facilities |
| ISO 31000 | Risk management principles | The risk process and language |
ISO 31000 supplies the risk language, while ASIS International and the Interagency Security Committee supply the security-specific method. Together they let a physical security risk management program answer to both a corporate board and a federal facility manager, a span the GAO has audited for compliance.
For critical infrastructure the bar is legal. After the 2013 Metcalf substation sniper attack, regulators created NERC CIP-014, which requires utilities to run physical security risk assessments on their most critical substations, a duty our energy-sector NERC CIP guide covers in depth.
Frequently Asked Questions About Physical Security Risk Management
What is physical security risk management?
Physical security risk management is the structured process of protecting people, facilities, and assets from physical threats such as intrusion, theft, sabotage, workplace violence, and armed attack. It scores each threat by likelihood and consequence, ranks them, and applies countermeasures to the worst first, rather than guarding everything equally.
What are the steps in a physical security risk management assessment?
Characterize the assets in scope, assess the threats they face, assess the vulnerabilities that would let a threat succeed, determine risk by scoring threat times vulnerability times consequence, select countermeasures, then monitor and re-assess. A physical security risk management assessment aligns these steps to the Interagency Security Committee process and FEMA 426.
How do you calculate physical security risk?
Physical security risk management uses risk equals threat times vulnerability times consequence, scoring each factor on a scale such as one to five. Multiplying gives an inherent score, and re-scoring after countermeasures gives the residual, which proves whether a control actually reduced the exposure rather than just adding cost.
What is the deter, detect, delay, respond model in physical security risk management?
Deter, detect, delay, and respond are the four control functions a physical security risk management program uses to answer a scored risk. Deterrence discourages an attack, detection raises the alarm early, delay slows the adversary with barriers, and response stops the attack before the loss, with each function buying time for the next.
What standards apply to physical security risk management?
The main references are the Interagency Security Committee Risk Management Process, FEMA 426, NIST SP 800-53 physical and environmental controls, ASIS International standards, and ISO 31000. For utilities, NERC CIP-014 makes physical security risk management a legal requirement on critical substations.
What is CPTED in physical security risk management?
CPTED, or Crime Prevention Through Environmental Design, shapes the built environment to discourage crime. In physical security risk management it guides lighting, sightlines, landscaping, and access routes so a site naturally deters intruders and supports surveillance, reducing vulnerability before a single guard or camera is added.
How often should physical security risk management be reviewed?
Run a full physical security risk management assessment at least annually, and refresh it on any material change: a new facility, a renovation, a threat shift, or an incident or near miss. Static assessments fail because the threat environment moves, as the rise in grid attacks since 2021 shows.
Where Physical Security Risk Management Fails
Most failed programs share a short list of mistakes, and none are exotic. Each row pairs the trap with the remedy that the incident record keeps proving out.
| Pitfall | Root cause | Remedy |
|---|---|---|
| Guarding everything equally | No asset characterization or ranking | Score consequence and fund the worst first |
| Detection without response | Cameras with no one watching or acting | Pair every detection control with a response |
| Compliance over threat | Checklists ignore the real adversary | Drive the assessment from credible threats |
| Single barrier reliance | No layered defense in depth | Build concentric deter-detect-delay-respond rings |
| One-and-done assessment | No change-triggered review | Reopen on renovation, threat shift, or incident |
| Physical and cyber siloed | Separate teams, shared attack surface | Converge physical and cyber risk views |
The detection-without-response row recurs most. A camera that no one is watching records the loss instead of preventing it, which is why physical security risk management funds the full chain, not just the part that is cheap to buy, and why it should converge with cyber risk.
The Physical Security Risk Management Horizon: 2026 and Beyond
Convergence is the defining shift. Building access, cameras, and sensors now run on networks, so a physical security risk management program increasingly shares threats, and a response plan, with the cyber team rather than working beside it.
Drones and standoff attacks widen the threat. The Moore County and Metcalf cases showed that an adversary never has to touch the fence, so assessments now weigh aerial intrusion and long-range attack that older perimeter-only models never priced.
Workplace violence keeps the discipline on the corporate agenda. US employers face rising active-assailant risk, and active-shooter preparedness is becoming a standing line in physical security risk management, not an afterthought bolted on after an event.
The lasting lesson is the one Moore County taught at the cost of a life. Treat physical security risk management as a living control system, scored and re-scored against credible threats, and the open gap shows up in an assessment long before it shows up on the evening news.
Infographic: The Physical Security Risk Management Lifecycle

Figure 5. Physical security risk management as a six-step loop from asset to countermeasure to review.
Strengthen Your Physical Security Risk Management Program
Risk Publishing helps US organizations turn site hazards into a defensible physical security risk management program, from the threat assessment to the business continuity plan behind the response. See our services, then contact us when your physical security risk management needs to find the gap before an attacker does.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master's (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.