AbSRiM: An Agent‐Based Security Risk Management Approach for Airport Operations

Security risk management is essential for ensuring effective airport operations. This article introduces AbSRiM, a novel agent‐based modeling and simulation approach to perform security risk management for airport operations that uses formal sociotechnical models that include temporal and spatial aspects. The approach contains four main steps: scope selection, agent‐based model definition, risk assessment, and risk mitigation. The approach is based on traditional security risk management methodologies, but uses agent‐based modeling and Monte Carlo simulation at its core. Agent‐based modeling is used to model threat scenarios, and Monte Carlo simulations are then performed with this model to estimate security risks. The use of the AbSRiM approach is demonstrated with an illustrative case study. This case study includes a threat scenario in which an adversary attacks an airport terminal with an improvised explosive device. The approach provides a promising way to include important elements, such as human aspects and spatiotemporal aspects, in the assessment of risk. More research is still needed to better identify the strengths and weaknesses of the AbSRiM approach in different case studies, but results demonstrate the feasibility of the approach and its potential.     

基于交易成本理论的IT外包风险控制策略研究综述

IT外包在过去10年中迅速发展,但潜藏着巨大的风险.为了更好地管理风险,对现有研究成果做了全面的梳理、归纳和提炼,将风险控制策略进一步分类为2个子系统:①主要策略子系统,包括合同机制、关系治理、组织整合、控制机制和动态成本监控;②辅助策略子系统,包括引入第三方专业机构、外包决策优化、不同的管理模式、标准化工具.这2个子系统为建立企业ITOR策略研究的方法论提供了良好的基础,有助于丰富企业ITOR管理理论.     

Radon Risk Information and Voluntary Protection: Evidence from a Natural Experiment

This study examines the perceived risks and mitigating behavior of Maine households who received new information on their exposures to significant health risks from indoor radon. The observed responses of these households illustrate conceptual issues related to designing an effective risk information program. Despite the involvement of generally well-motivated homeowners and well-intentioned researchers and government officials, we conclude that the risk information approach used in Maine failed to induce appropriate, cost-effective voluntary protection. The results indicate that, after receiving radon test results, information on associated health risks, and suggestions on how to reduce exposures: perceived risks tended to understate objective risks by orders of magnitude, and there was no statistically significant relationship between mitigating behavior and objective risks. These results suggest that the formation of risk perceptions and subsequent behavioral adjustments involve complex interactions among information, contextual, socioeconomic, and psychological variables. Therefore, government programs that seek to reduce health and safety risks with information programs, instead of using more conventional enforced standards, must be crafted very carefully to accommodate this complex process.     

企业研发外包的控制机制:信息泄露下的支付合同选择

采用委托代理模型的框架,通过分析研发项目特点、外包代理方的行为特征及其信息泄漏对研发外包支付合同的影响,提出了相应的支付合同选择机制。研究表明,在无信息泄漏的情况下,当研发机构的努力程度可观测时,研发委托方可以采用固定支付合同实现外包;反之,委托方需要与代理方分享利润,并且利润分享比例与代理方的风险规避度、市场的不确定性和研发机构的开发效率负相关。在存在信息泄露的情况下,利润分享比例与研发项目对委托企业的重要性程度及其项目本身的复杂性程度负相关,并且委托方还应根据研发机构获取市场能力的不同进行调整。     

Toward an Epidemiology of Safety and Security Risks: An Organizational Vulnerability Assessment in International Airports

International airports are complex sociotechnical systems that have an intrinsic potential to develop safety and security disruptions. In the absence of appropriate defenses, and when the potential for disruption is neglected, organizational crises can occur and jeopardize aviation services. This investigation examines the ways in which modern international airports can be “authors of their own misfortune” by adopting practices, attitudes, and behaviors that could increase their overall level of vulnerability. A sociotechnical perspective, the macroergonomic approach, is applied in this research to detect the potential organizational determinants of vulnerability in airport operations. Qualitative data nurture the case study on international airports produced by the present research. Findings from this study highlight that systemic weaknesses frequently reside in areas at the intersection of physical, organizational, and social spaces. Specific pathways of vulnerability can be drawn across these areas, involving the following systemic layers: individual, task, tools and technology, environment, and organization. This investigation expands the existing literature on the dynamics that characterize crisis incubation in multiorganization, multistakeholder systems such as international airports and provides practical recommendations for airport managers to improve their capabilities to early detect symptoms of organizational vulnerability.     

The Case against Commercial Antivirus Software: Risk Homeostasis and Information Problems in Cybersecurity

New cybersecurity technologies, such as commercial antivirus software (AV), sometimes fail to deliver on their promised benefits. This article develops and tests a revised version of risk homeostasis theory, which suggests that new cybersecurity technologies can sometimes have ill effects on security outcomes in the short run and little-to-no effect over the long run. It tests the preliminary plausibility of four predictions from the revised risk homeostasis theory using new survey data from 1,072 respondents. The estimations suggest the plausible operation of a number of risk homeostasis dynamics: (1) commercial AV users are significantly more likely to self-report a cybersecurity event in the past year than nonusers, even after correcting for potential reverse causality and informational mechanisms; (2) nonusers become somewhat less likely to self-report a cybersecurity event as the perceived riskiness of various e-mail-based behaviors increases, while commercial AV users do not; (3) the negative short-run effect of commercial AV use on cybersecurity outcomes fade over time at a predicted rate of about 7.03 percentage points per year of use; and (4) after five years of use, commercial AV users are statistically indistinguishable from nonusers in terms of their probability of self-reporting a cybersecurity event as perceptions of risky e-mail-based behaviors increase.     

Social Amplification of Wildfire Risk: The Role of Social Interactions and Information Sources

Wildfire is a persistent and growing threat across much of the western United States. Understanding how people living in fire‐prone areas perceive this threat is essential to the design of effective risk management policies. Drawing on the social amplification of risk framework, we develop a conceptual model of wildfire risk perceptions that incorporates the social processes that likely shape how individuals in fire‐prone areas come to understand this risk, highlighting the role of information sources and social interactions. We classify information sources as expert or nonexpert, and group social interactions according to two dimensions: formal versus informal, and generic versus fire‐specific. Using survey data from two Colorado counties, we empirically examine how information sources and social interactions relate to the perceived probability and perceived consequences of a wildfire. Our results suggest that social amplification processes play a role in shaping how individuals in this area perceive wildfire risk. A key finding is that both “vertical” (i.e., expert information sources and formal social interactions) and “horizontal” (i.e., nonexpert information and informal interactions) interactions are associated with perceived risk of experiencing a wildfire. We also find evidence of perceived “risk interdependency”—that is, homeowners’ perceptions of risk are higher when vegetation on neighboring properties is perceived to be dense. Incorporating social amplification processes into community‐based wildfire education programs and evaluating these programs’ effectiveness constitutes an area for future inquiry.     

Robustness of Optimal Investment Decisions in Mixed Insurance/Investment Cyber Risk Management

An integrated risk management strategy, combining insurance and security investments, where the latter contribute to reduce the insurance premium, is investigated to assess whether it can lead to reduced overall security expenses. The optimal investment for this mixed strategy is derived under three insurance policies, covering, respectively, all the losses (total coverage), just those below the limit of maximum liability (partial coverage), and those above a threshold but below the maximum liability (partial coverage with deductibles). Under certain conditions (e.g., low potential loss, or either very low or very high vulnerability), the mixed strategy reverts however to insurance alone, because investments do not provide an additional benefit. When the mixed strategy is the best choice, the dominant component in the overall security expenses is the insurance premium in most cases. Optimal investment decisions require an accurate estimate of the vulnerability, whereas larger estimation errors may be tolerated for the investment-effectiveness coefficient.     

网络时代的外包管理

本文比较分析了网络时代与工业时代外包管理的不同、网络时代制造业和服务业外包管理模型的区别,并从我国尚处于工业化后期、正在以国民经济信息化带动工业化加速发展这一现实出发,提出了可供我国企业选择的五种外包管理模式。     

信息系统外包决策的AHP/PROMETHEE方法

针对信息系统外包项目优选这一重要问题,在已有方法的基础上,结合层次分析法与偏好顺序结构评估法,提出了一种基于这两种方法相结合的信息系统外包项目选择决策方法。以管理、战略、技术、经济、质量与风险6项因素作为评价准则,用层次分析法确定信息系统外包项目选择问题的层次结构与评价准则的权重,用偏好顺序结构评估法确定信息系统外包项目的排序,并通过算例说明该方法的有效性。     

Cyber Security Risk Management: Public Policy Implications of Correlated Risk,Imperfect Ability to Prove Loss,and Observability of Self‐Protection

The correlated nature of security breach risks, the imperfect ability to prove loss from a breach to an insurer, and the inability of insurers and external agents to observe firms’ self‐protection efforts have posed significant challenges to cyber security risk management. Our analysis finds that a firm invests less than the social optimal levels in self‐protection and in insurance when risks are correlated and the ability to prove loss is imperfect. We find that the appropriate social intervention policy to induce a firm to invest at socially optimal levels depends on whether insurers can verify a firm's self‐protection levels. If self‐protection of a firm is observable to an insurer so that it can design a contract that is contingent on the self‐protection level, then self‐protection and insurance behave as complements. In this case, a social planner can induce a firm to choose the socially optimal self‐protection and insurance levels by offering a subsidy on self‐protection. We also find that providing a subsidy on insurance does not provide a similar inducement to a firm. If self‐protection of a firm is not observable to an insurer, then self‐protection and insurance behave as substitutes. In this case, a social planner should tax the insurance premium to achieve socially optimal results. The results of our analysis hold regardless of whether the insurance market is perfectly competitive or not, implying that solely reforming the currently imperfect insurance market is insufficient to achieve the efficient outcome in cyber security risk management.     

Science and Decisions: Advancing Risk Assessment

At the request of the U.S. Environmental Protection Agency (EPA), the National Research Council (NRC) recently completed a major report, Science and Decisions: Advancing Risk Assessment, that is intended to strengthen the scientific basis, credibility, and effectiveness of risk assessment practices and subsequent risk management decisions. The report describes the challenges faced by risk assessment and the need to consider improvements in both the technical analyses of risk assessments (i.e., the development and use of scientific information to improve risk characterization) and the utility of risk assessments (i.e., making assessments more relevant and useful for risk management decisions). The report tackles a number of topics relating to improvements in the process, including the design and framing of risk assessments, uncertainty and variability characterization, selection and use of defaults, unification of cancer and noncancer dose‐response assessment, cumulative risk assessment, and the need to increase EPA's capacity to address these improvements. This article describes and summarizes the NRC report, with an eye toward its implications for risk assessment practices at EPA.     

信息共享程度对物流外包激励契约的影响

本文分析了由供应商、制造商和第三方物流企业(3PLs)组成的物流外包系统,考虑了供应商和制造商信息共享程度的影响,建立了协同工作环境下的激励契约模型.结果表明,委托人偏好低努力水平时,信息共享对激励契约没有影响;委托人偏好高努力水平时,信息共享能更好的激励代理人选择委托人希望的行动.信息不共享时,3PLs只有提高对供应商努力水平的积极性;信息共享时,3PLs收入波动性增大,提高对供应商和对制造商的努力水平都能使其获得帕累托改进.本研究为物流成本在供应链成员中的分摊提供了理论依据,并提出了模型改进和研究建议.     

Operations Risk Management: Overview of Paul Kleindorfer's Contributions

This paper reviews Paul Kleindorfer's contributions to Operations Management (OM), with a special focus on his research on risk management. An annotated bibliography of selected other contributions reviews the breadth of topics that have occupied Kleindorfer's research attention over his now 45 + years of research. These include optimal control theory, scheduling theory, decision sciences, investment planning and peak load pricing, plus a number of important applications in network industries and insurance. In the area of operations risk management, we review recent work that Kleindorfer and his colleagues in the Wharton Risk Center have undertaken on environmental management and operations, focusing on process safety and environmental risks in the chemical industry. This work is directly related to Kleindorfer's work in the broader area of “sustainable operations”, which he, Kal Singhal and Luk Van Wassenhove recently surveyed as part of the new initiative at POMS to encompass sustainable management practices within the POMS community. Continuing in the area of supply chain risks, the paper reviews Kleindorfer's contributions to the development of an integrated framework for contracting and risk hedging for supply management. The emphasis on alignment of pricing, performance and risk management in this framework is presaged in the work undertaken by Kleindorfer and his co‐authors in the 1980s on after‐sales support services for high‐technology products. This work on supply chain risk, and its successors, is reviewed here in light of its growing importance in managing the unbundled and global supply chains characteristic of the new economy.     

Role of Comparative Risk Assessment in Addressing Environmental Security in the Middle East

During the 21st century, environmental challenges are likely to intensify across the world and possibly lead to violent conflicts. Strategies for conflict avoidance will be incomplete unless they recognize, discuss, and mitigate regional environmental stress factors. Comparative risk assessment (CRA) is one of the most critical tools emerging to influence modern environmental policies and is increasingly used to create a common language to help reconcile competing interests in development and environmental disputes around the world. This article considers the environmental challenges facing the Middle East in light of their "transboundary" nature and proposes CRA as a framework for setting environmental priorities and reducing tensions in the region.     

On the Risk Management and Risk Governance of Petroleum Operations in the Barents Sea Area

In this article, we discuss issues of risk management and risk governance with respect to petroleum operations in the Barents Sea area. We will focus on the decision problems related to whether or not to open the Barents Sea for petroleum activities in special vulnerable areas. We will explore to what extent the International Risk Governance Council risk governance framework provides valuable insights for and assistance to the decisionmaker and other stakeholders (including the industry and NGOs). The study covers issues related to risk assessment and appraisal, risk acceptance and tolerability, the use of the precautionary principle, risk perception, stakeholder involvement, risk communication, and risk management. The overall aim of the article is to point to areas where the risk governance could have been and can be improved for these and similar decision problems.     

Long‐Term Contracting: The Role of Private Information in Dynamic Supply Risk Management

We examine the critical role of evolving private information in managing supply risk. The problem features a dyadic channel where a dominant buyer operates a multiperiod inventory system with lost sales and fixed cost. He replenishes from a supplier, whose private state of production is vulnerable to random shocks and evolves dynamically over time. We characterize the optimal inventory policy with a simple semi‐stationary structure; it distorts order quantity for limiting information rent only in the initial period; the optimal payment compensates for production cost in every period but concedes real information rent only in the initial period. These properties allow us to derive an easy‐to‐implement revenue‐sharing contract that facilitates ex ante strategic planning and ex post dynamic execution. This work advances our understanding on when and how to use private information in dynamic risk management.     

The Impact of Costliness,Competitive Importance,and Modularity of Investments on Outsourcing

This study is motivated by examples of outsourcing that are not readily explained by widely established economic theories. We extend recent literature that develops the idea that outsourcing can help firms avoid overinvestment by specifying more precisely the conditions under which this thesis is likely to apply. Our extension is realized through a two‐period game theoretic model in which the outsourcing and in‐house investments are driven by (1) the cost required to develop a product or process module, (2) competitive relevance, defined as the module's share in the production cost or the module's importance to the customer, and (3) modularity, defined as the extent to which generic investments in the module can approach firm‐specific investments in terms of the overall product/process performance. The analysis generates predictions about what types of insourcing, outsourcing, and non‐sourcing behaviors are likely to emerge in different parts of the parameter space. Outsourcing to a more concentrated industry upstream emerges at equilibrium when modularity is high, relevance low to medium, and development cost high enough that none or only a subset of focal firms wants to invest. While firms are forced to insource and overinvest due to a prisoner's dilemma when the development cost is sufficiently high relative to the module's relevance, we do not find outsourcing equilibria that solve this problem in a two‐period game with no commitment. This result implies that some form of tacit coordination in a multi‐period game may be necessary. We conclude the study with a discussion of empirical implications.     

基于系统边界分析的信息安全管理斡件研究

基于系统边界安全对整个系统安全重要性的考虑,对系统安全边界的内涵进行了扩展,研究了系统边界安全管理的职能和基本规则,由于边界安全管理中的冲突产生和不确定决策的存在,提出了系统安全管理的斡件概念,并对斡件的基本构成和工作机理进行了分析,最后举一案例来验证了安全管理斡件的有效性.