Before the tragedy of 9/11, the perception of risk in process plants was mainly focused on accidental events caused by technical failures, human errors or natural events. Since then, however, the risk of deliberate actions against process facilities, also known as security risk, has also become a concern. Security risk assessment of engineering systems and infrastructures is a complex task, since a large amount of technical and socio-political information is needed to reasonably predict the risk of intentional malevolent acts. In the present study, a methodology based on Bayesian networks (BN) has been applied to increase the security of critical infrastructures via cost-effective allocation of security measures. Using the probability updating feature of BN, the proposed methodology can be employed to investigate the effect of vulnerabilities on adversaries' preferences while planning security scenarios. Moreover, the proposed methodology is capable of efficiently identifying an optimal defensive strategy given a security scenario (i.e., an attack) by maximizing the defenders' expected utility.