Defender–Attacker Games with Asymmetric Player Utilities

The presence of strategic attackers has become an important factor in the security and protection of systems, especially since the 9/11/2001 attacks, and considerable efforts have been dedicated to its study. When defending against the strategic attacker, many existing studies assume that the attacker would seek to minimize the defender's utility, which implies that the defender and attacker have symmetric utilities. However, the attacker's objective is determined by its own valuation of the system and target of the attack, which is not necessarily consistent with the defender's utility. If the attacker unexpectedly targets a different utility, then the defense strategy might no longer be optimal. In particular, the defense strategy could be inferior if the attacker's utility is not known to the defender. This study considers a situation where the defender's utility is the system survivability and the attacker's utility is the expected number of destroyed elements in the system. We investigate possible attack strategies under these two different utilities and compare (a) the conservative defense strategy when the attack utility is unknown to the defender with (b) the optimal defense strategy when the attack utility is known to the defender. We show that the conservative protection strategy is still optimal under asymmetric utilities when the contest intensity is smaller than one.     

Securing Passenger Aircraft from the Threat of Man‐Portable Air Defense Systems (MANPADS)

In this article, we develop a model for the expected maximum hit probability of an attack on a commercial aircraft using MANPADS, as a function of the (random) location of the attacker. We also explore the sensitivity of the expected maximum hit probability to the parameters of the model, including both attacker parameters (such as weapon characteristics) and defender parameters (such as the size of the secure region around the airport). We conclude that having a large secure region around an airport offers some protection against MANPADS, and that installing onboard countermeasures reduces the success probability of a MANPADS attack.     

Behavioral Modeling of Adversaries with Multiple Objectives in Counterterrorism

Attacker/defender models have primarily assumed that each decisionmaker optimizes the cost of the damage inflicted and its economic repercussions from their own perspective. Two streams of recent research have sought to extend such models. One stream suggests that it is more realistic to consider attackers with multiple objectives, but this research has not included the adaption of the terrorist with multiple objectives to defender actions. The other stream builds off experimental studies that show that decisionmakers deviate from optimal rational behavior. In this article, we extend attacker/defender models to incorporate multiple objectives that a terrorist might consider in planning an attack. This includes the tradeoffs that a terrorist might consider and their adaption to defender actions. However, we must also consider experimental evidence of deviations from the rationality assumed in the commonly used expected utility model in determining such adaption. Thus, we model the attacker's behavior using multiattribute prospect theory to account for the attacker's multiple objectives and deviations from rationality. We evaluate our approach by considering an attacker with multiple objectives who wishes to smuggle radioactive material into the United States and a defender who has the option to implement a screening process to hinder the attacker. We discuss the problems with implementing such an approach, but argue that research in this area must continue to avoid misrepresenting terrorist behavior in determining optimal defensive actions.     

Resource Distribution in Multiple Attacks with Imperfect Detection of the Attack Outcome

This article extends the previous research of consecutive attacks strategy by assuming that an attacker observes the outcome of each attack imperfectly. With given probabilities it may wrongly identify a destroyed target as undestroyed, and wrongly identify an undestroyed target as destroyed. The outcome of each attack is determined by a contest success function that depends on the amount of resources allocated by the defender and the attacker to each attack. The article suggests a probabilistic model of the multiple attacks and analyzes how the target destruction probability and the attacker's relative resource expenditure are impacted by the two probabilities of incorrect observation, the attacker's and defender's resource ratio, the contest intensity, the number of attacks, and the resource distribution across attacks. We analyze how the attacker chooses the number of attacks, the attack stopping rule, and the optimal resource distribution across attacks to maximize its utility.     

Some Limitations of “Risk = Threat × Vulnerability × Consequence” for Risk Analysis of Terrorist Attacks

Several important risk analysis methods now used in setting priorities for protecting U.S. infrastructures against terrorist attacks are based on the formula: Risk=Threat×Vulnerability×Consequence. This article identifies potential limitations in such methods that can undermine their ability to guide resource allocations to effectively optimize risk reductions. After considering specific examples for the Risk Analysis and Management for Critical Asset Protection (RAMCAP?) framework used by the Department of Homeland Security, we address more fundamental limitations of the product formula. These include its failure to adjust for correlations among its components, nonadditivity of risks estimated using the formula, inability to use risk‐scoring results to optimally allocate defensive resources, and intrinsic subjectivity and ambiguity of Threat, Vulnerability, and Consequence numbers. Trying to directly assess probabilities for the actions of intelligent antagonists instead of modeling how they adaptively pursue their goals in light of available information and experience can produce ambiguous or mistaken risk estimates. Recent work demonstrates that two‐level (or few‐level) hierarchical optimization models can provide a useful alternative to Risk=Threat×Vulnerability×Consequence scoring rules, and also to probabilistic risk assessment (PRA) techniques that ignore rational planning and adaptation. In such two‐level optimization models, defender predicts attacker's best response to defender's own actions, and then chooses his or her own actions taking into account these best responses. Such models appear valuable as practical approaches to antiterrorism risk analysis.     

Communicating with the Public About Marauding Terrorist Firearms Attacks: Results from a Survey Experiment on Factors Influencing Intention to “Run,Hide, Tell” in the United Kingdom and Denmark

Effective risk communication is an integral part of responding to terrorism, but until recently, there has been very little pre‐event communication in a European context to provide advice to the public on how to protect themselves during an attack. Following terrorist attacks involving mass shootings in Paris, France, in November 2015, the U.K. National Police Chiefs’ Council released a Stay Safe film and leaflet that advises the public to “run,” “hide,” and “tell” in the event of a firearms or weapons attack. However, other countries, including Denmark, do not provide preparedness information of this kind, in large part because of concern about scaring the public. In this survey experiment, 3,003 U.K. and Danish participants were randomly assigned to one of three conditions: no information, a leaflet intervention, and a film intervention to examine the impact of “Run, Hide, Tell” advice on perceptions about terrorism, the security services, and intended responses to a hypothetical terrorist firearms attack. Results demonstrate important benefits of pre‐event communication in relation to enhancing trust, encouraging protective health behaviors, and discouraging potentially dangerous actions. However, these findings also suggest that future communications should address perceived response costs and target specific problem behaviors. Cross‐national similarities in response suggest this advice is suitable for adaptation in other countries.     

Game Theory and Risk Analysis

Risk analysts often analyze adversarial risks from terrorists or other intelligent attackers without mentioning game theory. Why? One reason is that many adversarial situations—those that can be represented as attacker‐defender games, in which the defender first chooses an allocation of defensive resources to protect potential targets, and the attacker, knowing what the defender has done, then decides which targets to attack—can be modeled and analyzed successfully without using most of the concepts and terminology of game theory. However, risk analysis and game theory are also deeply complementary. Game‐theoretic analyses of conflicts require modeling the probable consequences of each choice of strategies by the players and assessing the expected utilities of these probable consequences. Decision and risk analysis methods are well suited to accomplish these tasks. Conversely, game‐theoretic formulations of attack‐defense conflicts (and other adversarial risks) can greatly improve upon some current risk analyses that attempt to model attacker decisions as random variables or uncertain attributes of targets (“threats”) and that seek to elicit their values from the defender's own experts. Game theory models that clarify the nature of the interacting decisions made by attackers and defenders and that distinguish clearly between strategic choices (decision nodes in a game tree) and random variables (chance nodes, not controlled by either attacker or defender) can produce more sensible and effective risk management recommendations for allocating defensive resources than current risk scoring models. Thus, risk analysis and game theory are (or should be) mutually reinforcing.     

A Decision Framework for Managing Risk to Airports from Terrorist Attack

This article presents an asset‐level security risk management framework to assist stakeholders of critical assets with allocating limited budgets for enhancing their safety and security against terrorist attack. The proposed framework models the security system of an asset, considers various threat scenarios, and models the sequential decision framework of attackers during the attack. Its novel contributions are the introduction of the notion of partial neutralization of attackers by defenders, estimation of total loss from successful, partially successful, and unsuccessful actions of attackers at various stages of an attack, and inclusion of the effects of these losses on the choices made by terrorists at various stages of the attack. The application of the proposed method is demonstrated in an example dealing with security risk management of a U.S. commercial airport, in which a set of plausible threat scenarios and risk mitigation options are considered. It is found that a combination of providing blast‐resistant cargo containers and a video surveillance system on the airport perimeter fence is the best option based on minimum expected life‐cycle cost considering a 10‐year service period.     

Cost of Equity in Homeland Security Resource Allocation in the Face of a Strategic Attacker

Hundreds of billions of dollars have been spent in homeland security since September 11, 2001. Many mathematical models have been developed to study strategic interactions between governments (defenders) and terrorists (attackers). However, few studies have considered the tradeoff between equity and efficiency in homeland security resource allocation. In this article, we fill this gap by developing a novel model in which a government allocates defensive resources among multiple potential targets, while reserving a portion of defensive resources (represented by the equity coefficient) for equal distribution (according to geographical areas, population, density, etc.). Such a way to model equity is one of many alternatives, but was directly inspired by homeland security resource allocation practice. The government is faced with a strategic terrorist (adaptive adversary) whose attack probabilities are endogenously determined in the model. We study the effect of the equity coefficient on the optimal defensive resource allocations and the corresponding expected loss. We find that the cost of equity (in terms of increased expected loss) increases convexly in the equity coefficient. Furthermore, such cost is lower when: (a) government uses per‐valuation equity; (b) the cost‐effectiveness coefficient of defense increases; and (c) the total defense budget increases. Our model, results, and insights could be used to assist policy making.     

Intelligent Adversary Risk Analysis: A Bioterrorism Risk Management Model

The tragic events of 9/11 and the concerns about the potential for a terrorist or hostile state attack with weapons of mass destruction have led to an increased emphasis on risk analysis for homeland security. Uncertain hazards (natural and engineering) have been successfully analyzed using probabilistic risk analysis (PRA). Unlike uncertain hazards, terrorists and hostile states are intelligent adversaries who can observe our vulnerabilities and dynamically adapt their plans and actions to achieve their objectives. This article compares uncertain hazard risk analysis with intelligent adversary risk analysis, describes the intelligent adversary risk analysis challenges, and presents a probabilistic defender–attacker–defender model to evaluate the baseline risk and the potential risk reduction provided by defender investments. The model includes defender decisions prior to an attack; attacker decisions during the attack; defender actions after an attack; and the uncertainties of attack implementation, detection, and consequences. The risk management model is demonstrated with an illustrative bioterrorism problem with notional data.     

Portfolio Analysis of Layered Security Measures

Layered defenses are necessary for protecting the public from terrorist attacks. Designing a system of such defensive measures requires consideration of the interaction of these countermeasures. In this article, we present an analysis of a layered security system within the lower Manhattan area. It shows how portfolios of security measures can be evaluated through portfolio decision analysis. Consideration is given to the total benefits and costs of the system. Portfolio diagrams are created that help communicate alternatives among stakeholders who have differing views on the tradeoffs between security and economic activity.     

Deterrence and Risk Preferences in Sequential Attacker–Defender Games with Continuous Efforts

Most attacker–defender games consider players as risk neutral, whereas in reality attackers and defenders may be risk seeking or risk averse. This article studies the impact of players' risk preferences on their equilibrium behavior and its effect on the notion of deterrence. In particular, we study the effects of risk preferences in a single‐period, sequential game where a defender has a continuous range of investment levels that could be strategically chosen to potentially deter an attack. This article presents analytic results related to the effect of attacker and defender risk preferences on the optimal defense effort level and their impact on the deterrence level. Numerical illustrations and some discussion of the effect of risk preferences on deterrence and the utility of using such a model are provided, as well as sensitivity analysis of continuous attack investment levels and uncertainty in the defender's beliefs about the attacker's risk preference. A key contribution of this article is the identification of specific scenarios in which the defender using a model that takes into account risk preferences would be better off than a defender using a traditional risk‐neutral model. This study provides insights that could be used by policy analysts and decisionmakers involved in investment decisions in security and safety.     

Optimal Resource Allocation for Defense of Targets Based on Differing Measures of Attractiveness

This article describes the results of applying a rigorous computational model to the problem of the optimal defensive resource allocation among potential terrorist targets. In particular, our study explores how the optimal budget allocation depends on the cost effectiveness of security investments, the defender's valuations of the various targets, and the extent of the defender's uncertainty about the attacker's target valuations. We use expected property damage, expected fatalities, and two metrics of critical infrastructure (airports and bridges) as our measures of target attractiveness. Our results show that the cost effectiveness of security investment has a large impact on the optimal budget allocation. Also, different measures of target attractiveness yield different optimal budget allocations, emphasizing the importance of developing more realistic terrorist objective functions for use in budget allocation decisions for homeland security.     

Cyber Risk Management for Critical Infrastructure: A Risk Analysis Model and Three Case Studies

Managing cyber security in an organization involves allocating the protection budget across a spectrum of possible options. This requires assessing the benefits and the costs of these options. The risk analyses presented here are statistical when relevant data are available, and system‐based for high‐consequence events that have not happened yet. This article presents, first, a general probabilistic risk analysis framework for cyber security in an organization to be specified. It then describes three examples of forward‐looking analyses motivated by recent cyber attacks. The first one is the statistical analysis of an actual database, extended at the upper end of the loss distribution by a Bayesian analysis of possible, high‐consequence attack scenarios that may happen in the future. The second is a systems analysis of cyber risks for a smart, connected electric grid, showing that there is an optimal level of connectivity. The third is an analysis of sequential decisions to upgrade the software of an existing cyber security system or to adopt a new one to stay ahead of adversaries trying to find their way in. The results are distributions of losses to cyber attacks, with and without some considered countermeasures in support of risk management decisions based both on past data and anticipated incidents.     

Agent‐Based Simulation for Human‐Induced Hazard Analysis

Terrorism could be treated as a hazard for design purposes. For instance, the terrorist hazard could be analyzed in a manner similar to the way that seismic hazard is handled. No matter how terrorism is dealt with in the design of systems, the need for predictions of the frequency and magnitude of the hazard will be required. And, if the human‐induced hazard is to be designed for in a manner analogous to natural hazards, then the predictions should be probabilistic in nature. The model described in this article is a prototype model that used agent‐based modeling (ABM) to analyze terrorist attacks. The basic approach in this article of using ABM to model human‐induced hazards has been preliminarily validated in the sense that the attack magnitudes seem to be power‐law distributed and attacks occur mostly in regions where high levels of wealth pass through, such as transit routes and markets. The model developed in this study indicates that ABM is a viable approach to modeling socioeconomic‐based infrastructure systems for engineering design to deal with human‐induced hazards.     

考虑最坏中断损失下的P-中位设施选址问题的模型与算法研究

蓄意突袭以及恐怖袭击会造成设施服务的突然中断成为网络系统的主要危害之一,因此网络设施选址决策应该同时考虑正常和紧急状态下系统的运作成本.本文研究考虑最坏中断损失下的网络设施选址问题,建立了该问题的双层规划模型,上层规划涉及设施选址决策,下层规划研究确定设施位置后,设施中断产生最大损失的问题.本文运用基于拉格朗日松弛的混合遗传算法来求解该双层规划问题.将European150数据集作为研究对象,对比研究了本文研究问题与传统的P-中位选址问题的结果,分析不同选址策略下网络系统的效率被中断影响的程度是不同的.最后通过改变一些关键参数,比如常规运作权重、设施数量、中断设施数量,对相关结果进行了分析.     

Security of Separated Data in Cloud Systems with Competing Attack Detection and Data Theft Processes

Empowered by virtualization technology, service requests from cloud users can be honored through creating and running virtual machines. Virtual machines established for different users may be allocated to the same physical server, making the cloud vulnerable to co‐residence attacks where a malicious attacker can steal a user's data through co‐residing their virtual machines on the same server. For protecting data against the theft, the data partition technique is applied to divide the user's data into multiple blocks with each being handled by a separate virtual machine. Moreover, early warning agents (EWAs) are deployed to possibly detect and prevent co‐residence attacks at a nascent stage. This article models and analyzes the attack success probability (complement of data security) in cloud systems subject to competing attack detection process (by EWAs) and data theft process (by co‐residence attackers). Based on the suggested probabilistic model, the optimal data partition and protection policy is determined with the objective of minimizing the user's cost subject to providing a desired level of data security. Examples are presented to illustrate effects of different model parameters (attack rate, number of cloud servers, number of data blocks, attack detection time, and data theft time distribution parameters) on the attack success probability and optimization solutions.     

ETHNIC DIVERSITY AND THE SPREAD OF CIVIL WAR

This paper theoretically and empirically investigates the relationship between local‐level ethnic composition and the spread of conflict. Cross‐country literature on conflict finds that ethnic diversity, and ethnic polarization in particular, are associated with greater incidence of conflict. However, the question remains as to where within ethnically diverse countries conflict begins and where and how it spreads. To study this question, I present a model in which local ethnic groups' decision to attack depends on three key variables: ethnic population shares, ethnic groups' weapons ratio, and the share of co‐ethnic successes in the battles that took place in the previous period. The model generates three predictions: conflict starts in ethnically homogeneous areas and only later spreads to ethnically heterogeneous areas; neighbor co‐ethnics' success increases subsequent probability of winning and may lead to attack; and greater ethnic diversity is associated with costlier conflict. I find strong support for these predictions using detailed municipal‐level data on attacks and ethnic polarization during the initial spread of the Bosnian Civil War. Moreover, my conflict model is able to predict the sequence of actual conflict outcomes with reasonably high accuracy. (JEL: D39, D74, J15, R12)     

Improving Risk-Based Decision Making for Terrorism Applications

How can we best allocate limited defensive resources to reduce terrorism risks? Dillon et al.'s Antiterrorism Risk-Based Decision Aid (ARDA) system provides a useful point of departure for addressing this crucial question by exhibiting a real-world system that calculates risk reduction scores for different portfolios of risk-reducing countermeasures and using them to rank-order different possible risk mitigation alternatives for Navy facilities. This comment points out some potential limitations of any scoring system that does not take into account risk externalities, interdependencies among threats, uncertainties that are correlated across targets, and attacker responses to alternative allocations of defensive resources. In at least some simple situations, allocations based on risk reduction scores and comparisons can inadvertently increase risks by providing intelligent attackers with valuable information, or they can fail to reduce risks as effectively as nonscoring, optimization-based approaches. These limitations of present scoring methods present exciting technical challenges and opportunities for risk analysts to develop improved methods for protecting facilities and infrastructure against terrorist threats.