AbSRiM: An Agent‐Based Security Risk Management Approach for Airport Operations

Security risk management is essential for ensuring effective airport operations. This article introduces AbSRiM, a novel agent‐based modeling and simulation approach to perform security risk management for airport operations that uses formal sociotechnical models that include temporal and spatial aspects. The approach contains four main steps: scope selection, agent‐based model definition, risk assessment, and risk mitigation. The approach is based on traditional security risk management methodologies, but uses agent‐based modeling and Monte Carlo simulation at its core. Agent‐based modeling is used to model threat scenarios, and Monte Carlo simulations are then performed with this model to estimate security risks. The use of the AbSRiM approach is demonstrated with an illustrative case study. This case study includes a threat scenario in which an adversary attacks an airport terminal with an improvised explosive device. The approach provides a promising way to include important elements, such as human aspects and spatiotemporal aspects, in the assessment of risk. More research is still needed to better identify the strengths and weaknesses of the AbSRiM approach in different case studies, but results demonstrate the feasibility of the approach and its potential.     

A Decision Framework for Managing Risk to Airports from Terrorist Attack

This article presents an asset‐level security risk management framework to assist stakeholders of critical assets with allocating limited budgets for enhancing their safety and security against terrorist attack. The proposed framework models the security system of an asset, considers various threat scenarios, and models the sequential decision framework of attackers during the attack. Its novel contributions are the introduction of the notion of partial neutralization of attackers by defenders, estimation of total loss from successful, partially successful, and unsuccessful actions of attackers at various stages of an attack, and inclusion of the effects of these losses on the choices made by terrorists at various stages of the attack. The application of the proposed method is demonstrated in an example dealing with security risk management of a U.S. commercial airport, in which a set of plausible threat scenarios and risk mitigation options are considered. It is found that a combination of providing blast‐resistant cargo containers and a video surveillance system on the airport perimeter fence is the best option based on minimum expected life‐cycle cost considering a 10‐year service period.     

Use of Fuzzy Evidential Reasoning in Maritime Security Assessment

Over the last few years, there has been a growing international recognition that the security performance of the maritime industry needs to be reviewed on an urgent basis. A large number of optional maritime security control measures have been proposed through various regulations and publications in the post-9/11 era. There is a strong need for a sound and generic methodology, which is capable of taking into account multiple selection criteria such as the cost effectiveness of the measures based on reasonable security assessment. The use of traditional risk assessment and decision-making approaches to deal with potential terrorism threats in a maritime security area reveals two major challenges. They are lack of capability of analyzing security in situations of high-level uncertainty and lack of capability of processing diverse data in a utility form suitable as input to a risk inference mechanism. To deal with such difficulties, this article proposes a subjective security-based assessment and management framework using fuzzy evidential reasoning (ER) approaches. Consequently, the framework can be used to assemble and process subjective risk assessment information on different aspects of a maritime transport system from multiple experts in a systematic way. Outputs of this model can also provide decisionmakers with a transparent tool to evaluate maritime security policy options for a specific scenario in a cost-effective manner.     

Critical Asset and Portfolio Risk Analysis: An All-Hazards Framework

This article develops a quantitative all-hazards framework for critical asset and portfolio risk analysis (CAPRA) that considers both natural and human-caused hazards. Following a discussion on the nature of security threats, the need for actionable risk assessments, and the distinction between asset and portfolio-level analysis, a general formula for all-hazards risk analysis is obtained that resembles the traditional model based on the notional product of consequence, vulnerability, and threat, though with clear meanings assigned to each parameter. Furthermore, a simple portfolio consequence model is presented that yields first-order estimates of interdependency effects following a successful attack on an asset. Moreover, depending on the needs of the decisions being made and available analytical resources, values for the parameters in this model can be obtained at a high level or through detailed systems analysis. Several illustrative examples of the CAPRA methodology are provided.     

An Attacker–defender Resource Allocation Game with Substitution and Complementary Effects

The United States is funding homeland security programs with a large budget (e.g., 74.4 billion for FY 2019). A number of game-theoretic defender–attacker models have been developed to study the optimal defense resource allocation strategies for the government (defender) against the strategic adversary (attacker). However, to the best of our knowledge, the substitution or complementary effects between different types of defensive resources (e.g., human resource, land resource, and capital resource) have not been taken into consideration even though they exist in practice. The article fills this gap by studying a sequential game-theoretical resource allocation model and then exploring how the joint effectiveness of multiple security investments influences the defensive budget allocation among multiple potential targets. Three false belief models have been developed in which only the defender, only the attacker, and both the defender and attacker hold false beliefs about the joint effectiveness of resources. Regression analysis shows that there are significant substitution effects between human and capital resources. The results show that the defender will suffer a higher loss if he fails to consider the substitution or complementary effects. Interestingly, if the attacker holds a false belief while the defender does not, the defender will suffer an even higher loss, especially when the resources are substitutes. However, if both the attacker and defender hold false beliefs, there will be lower loss when resources are complementary. The results also show that the defender should allocate the highly effective resource when the resources substitute each other. This article provides some new insights to the homeland security resource allocation.     

Cost of Equity in Homeland Security Resource Allocation in the Face of a Strategic Attacker

Hundreds of billions of dollars have been spent in homeland security since September 11, 2001. Many mathematical models have been developed to study strategic interactions between governments (defenders) and terrorists (attackers). However, few studies have considered the tradeoff between equity and efficiency in homeland security resource allocation. In this article, we fill this gap by developing a novel model in which a government allocates defensive resources among multiple potential targets, while reserving a portion of defensive resources (represented by the equity coefficient) for equal distribution (according to geographical areas, population, density, etc.). Such a way to model equity is one of many alternatives, but was directly inspired by homeland security resource allocation practice. The government is faced with a strategic terrorist (adaptive adversary) whose attack probabilities are endogenously determined in the model. We study the effect of the equity coefficient on the optimal defensive resource allocations and the corresponding expected loss. We find that the cost of equity (in terms of increased expected loss) increases convexly in the equity coefficient. Furthermore, such cost is lower when: (a) government uses per‐valuation equity; (b) the cost‐effectiveness coefficient of defense increases; and (c) the total defense budget increases. Our model, results, and insights could be used to assist policy making.     

Real-time threat assessment based on hidden Markov models

An essential factor toward ensuring the security of individuals and critical infrastructures is the timely detection of potentially threatening situations. To this end, especially in the law enforcement context, the availability of effective and efficient threat assessment mechanisms for identifying and eventually preventing crime- and terrorism-related threatening situations is of utmost importance. Toward this direction, this work proposes a hidden Markov model-based threat assessment framework for effectively and efficiently assessing threats in specific situations, such as public events. Specifically, a probabilistic approach is adopted to estimate the threat level of a situation at each point in time. The proposed approach also permits the reflection of the dynamic evolution of a threat over time by considering that the estimation of the threat level at a given time is affected by past observations. This estimation of the dynamic evolution of the threat is very useful, since it can support the decisions by security personnel regarding the taking of precautionary measures in case the threat level seems to adopt an upward trajectory, even before it reaches the highest level. In addition, its probabilistic basis allows for taking into account noisy data. The applicability of the proposed framework is showcased in a use case that focuses on the identification of potential threats in public events on the basis of evidence obtained from the automatic visual analysis of the footage of surveillance cameras.     

The Impact of Joint Responses of Devices in an Airport Security System

In this article, we consider a model for an airport security system in which the declaration of a threat is based on the joint responses of inspection devices. This is in contrast to the typical system in which each check station independently declares a passenger as having a threat or not having a threat. In our framework the declaration of threat/no-threat is based upon the passenger scores at the check stations he/she goes through. To do this we use concepts from classification theory in the field of multivariate statistics analysis and focus on the main objective of minimizing the expected cost of misclassification. The corresponding correct classification and misclassification probabilities can be obtained by using a simulation-based method. After computing the overall false alarm and false clear probabilities, we compare our joint response system with two other independently operated systems. A model that groups passengers in a manner that minimizes the false alarm probability while maintaining the false clear probability within specifications set by a security authority is considered. We also analyze the staffing needs at each check station for such an inspection scheme. An illustrative example is provided along with sensitivity analysis on key model parameters. A discussion is provided on some implementation issues, on the various assumptions made in the analysis, and on potential drawbacks of the approach.     

Identifying Changing Aviation Threat Environments Within an Adaptive Homeland Security Advisory System

A critical component of aviation security consists of screening passengers and baggage to protect airports and aircraft from terrorist threats. Advancements in screening device technology have increased the ability to detect these threats; however, specifying the operational configurations of these devices in response to changes in the threat environment can become difficult. This article proposes to use Fisher information as a statistical measure for detecting changes in the threat environment. The perceived risk of passengers, according to prescreening information and behavior analysis, is analyzed as the passengers sequentially enter the security checkpoint. The alarm responses from the devices used to detect threats are also analyzed to monitor significant changes in the frequency of threat items uncovered. The key results are that this information‐based measure can be used within the Homeland Security Advisory System to indicate changes in threat conditions in real time, and provide the flexibility of security screening detection devices to responsively and automatically adapt operational configurations to these changing threat conditions.     

Using Probabilistic Terrorism Risk Modeling for Regulatory Benefit-Cost Analysis: Application to the Western Hemisphere Travel Initiative in the Land Environment

This article presents a framework for using probabilistic terrorism risk modeling in regulatory analysis. We demonstrate the framework with an example application involving a regulation under consideration, the Western Hemisphere Travel Initiative for the Land Environment, (WHTI‐L). First, we estimate annualized loss from terrorist attacks with the Risk Management Solutions (RMS) Probabilistic Terrorism Model. We then estimate the critical risk reduction, which is the risk‐reducing effectiveness of WHTI‐L needed for its benefit, in terms of reduced terrorism loss in the United States, to exceed its cost. Our analysis indicates that the critical risk reduction depends strongly not only on uncertainties in the terrorism risk level, but also on uncertainty in the cost of regulation and how casualties are monetized. For a terrorism risk level based on the RMS standard risk estimate, the baseline regulatory cost estimate for WHTI‐L, and a range of casualty cost estimates based on the willingness‐to‐pay approach, our estimate for the expected annualized loss from terrorism ranges from $2.7 billion to $5.2 billion. For this range in annualized loss, the critical risk reduction for WHTI‐L ranges from 7% to 13%. Basing results on a lower risk level that results in halving the annualized terrorism loss would double the critical risk reduction (14–26%), and basing the results on a higher risk level that results in a doubling of the annualized terrorism loss would cut the critical risk reduction in half (3.5–6.6%). Ideally, decisions about terrorism security regulations and policies would be informed by true benefit‐cost analyses in which the estimated benefits are compared to costs. Such analyses for terrorism security efforts face substantial impediments stemming from the great uncertainty in the terrorist threat and the very low recurrence interval for large attacks. Several approaches can be used to estimate how a terrorism security program or regulation reduces the distribution of risks it is intended to manage. But, continued research to develop additional tools and data is necessary to support application of these approaches. These include refinement of models and simulations, engagement of subject matter experts, implementation of program evaluation, and estimating the costs of casualties from terrorism events.     

Estimating Conditional Probabilities of Terrorist Attacks: Modeling Adversaries with Uncertain Value Tradeoffs

Many analyses conducted to inform security decisions depend on estimates of the conditional probabilities of different attack alternatives. These probabilities are difficult to estimate since analysts have limited access to the adversary and limited knowledge of the adversary’s utility function, so subject matter experts often provide the estimates through direct elicitation. In this article, we describe a method of using uncertainty in utility function value tradeoffs to model the adversary’s decision process and solve for the conditional probabilities of different attacks in closed form. The conditional probabilities are suitable to be used as inputs to probabilistic risk assessments and other decision support techniques. The process we describe is an extension of value‐focused thinking and is broadly applicable, including in general business decision making. We demonstrate the use of this technique with simple examples.     

A Discussion of Findings and Their Possible Implications from a Workshop on Bioterrorism Threat Assessment and Risk Management

In November 2001, the Monterey Institute of International Studies convened a workshop on bioterrorism threat assessment and risk management. Risk assessment practitioners from various disciplines, but without specialized knowledge of terrorism, were brought together with security and intelligence threat analysts to stimulate an exchange that could be useful to both communities. This article, prepared by a subset of the participants, comments on the workshop's findings and their implications and makes three recommendations, two short term (use of threat assessment methodologies and vulnerability analysis) and one long term (application of quantitative risk assessment and modeling), regarding the practical application of risk assessment methods to bioterrorism issues.     

Modeling intelligent adversaries for terrorism risk assessment: some necessary conditions for adversary models

Intelligent adversary modeling has become increasingly important for risk analysis, and a number of different approaches have been proposed for incorporating intelligent adversaries in risk analysis models. However, these approaches are based on a range of often-implicit assumptions about the desirable properties of intelligent adversary models. This "Perspective" paper aims to further risk analysis for situations involving intelligent adversaries by fostering a discussion of the desirable properties for these models. A set of four basic necessary conditions for intelligent adversary models is proposed and discussed. These are: (1) behavioral accuracy to the degree possible, (2) computational tractability to support decision making, (3) explicit consideration of uncertainty, and (4) ability to gain confidence in the model. It is hoped that these suggested necessary conditions foster discussion about the goals and assumptions underlying intelligent adversary modeling in risk analysis.     

An Adversarial Risk Analysis Framework for Cybersecurity

Risk analysis is an essential methodology for cybersecurity as it allows organizations to deal with cyber threats potentially affecting them, prioritize the defense of their assets, and decide what security controls should be implemented. Many risk analysis methods are present in cybersecurity models, compliance frameworks, and international standards. However, most of them employ risk matrices, which suffer shortcomings that may lead to suboptimal resource allocations. We propose a comprehensive framework for cybersecurity risk analysis, covering the presence of both intentional and nonintentional threats and the use of insurance as part of the security portfolio. A simplified case study illustrates the proposed framework, serving as template for more complex problems.     

Cyber Risk Management for Critical Infrastructure: A Risk Analysis Model and Three Case Studies

Managing cyber security in an organization involves allocating the protection budget across a spectrum of possible options. This requires assessing the benefits and the costs of these options. The risk analyses presented here are statistical when relevant data are available, and system‐based for high‐consequence events that have not happened yet. This article presents, first, a general probabilistic risk analysis framework for cyber security in an organization to be specified. It then describes three examples of forward‐looking analyses motivated by recent cyber attacks. The first one is the statistical analysis of an actual database, extended at the upper end of the loss distribution by a Bayesian analysis of possible, high‐consequence attack scenarios that may happen in the future. The second is a systems analysis of cyber risks for a smart, connected electric grid, showing that there is an optimal level of connectivity. The third is an analysis of sequential decisions to upgrade the software of an existing cyber security system or to adopt a new one to stay ahead of adversaries trying to find their way in. The results are distributions of losses to cyber attacks, with and without some considered countermeasures in support of risk management decisions based both on past data and anticipated incidents.     

A Fuzzy‐Based Risk Assessment Framework for Autonomous Underwater Vehicle Under‐Ice Missions

The use of autonomous underwater vehicles (AUVs) for various scientific, commercial, and military applications has become more common with maturing technology and improved accessibility. One relatively new development lies in the use of AUVs for under‐ice marine science research in the Antarctic. The extreme environment, ice cover, and inaccessibility as compared to open‐water missions can result in a higher risk of loss. Therefore, having an effective assessment of risks before undertaking any Antarctic under‐ice missions is crucial to ensure an AUV's survival. Existing risk assessment approaches predominantly focused on the use of historical fault log data of an AUV and elicitation of experts’ opinions for probabilistic quantification. However, an AUV program in its early phases lacks historical data and any assessment of risk may be vague and ambiguous. In this article, a fuzzy‐based risk assessment framework is proposed for quantifying the risk of AUV loss under ice. The framework uses the knowledge, prior experience of available subject matter experts, and the widely used semiquantitative risk assessment matrix, albeit in a new form. A well‐developed example based on an upcoming mission by an ISE‐explorer class AUV is presented to demonstrate the application and effectiveness of the proposed framework. The example demonstrates that the proposed fuzzy‐based risk assessment framework is pragmatically useful for future under‐ice AUV deployments. Sensitivity analysis demonstrates the validity of the proposed method.     

On the Complex Quantification of Risk: Systems‐Based Perspective on Terrorism

This article highlights the complexity of the quantification of the multidimensional risk function, develops five systems‐based premises on quantifying the risk of terrorism to a threatened system, and advocates the quantification of vulnerability and resilience through the states of the system. The five premises are: (i) There exists interdependence between a specific threat to a system by terrorist networks and the states of the targeted system, as represented through the system's vulnerability, resilience, and criticality‐impact. (ii) A specific threat, its probability, its timing, the states of the targeted system, and the probability of consequences can be interdependent. (iii) The two questions in the risk assessment process: “What is the likelihood?” and “What are the consequences?” can be interdependent. (iv) Risk management policy options can reduce both the likelihood of a threat to a targeted system and the associated likelihood of consequences by changing the states (including both vulnerability and resilience) of the system. (v) The quantification of risk to a vulnerable system from a specific threat must be built on a systemic and repeatable modeling process, by recognizing that the states of the system constitute an essential step to construct quantitative metrics of the consequences based on intelligence gathering, expert evidence, and other qualitative information. The fact that the states of all systems are functions of time (among other variables) makes the time frame pivotal in each component of the process of risk assessment, management, and communication. Thus, risk to a system, caused by an initiating event (e.g., a threat) is a multidimensional function of the specific threat, its probability and time frame, the states of the system (representing vulnerability and resilience), and the probabilistic multidimensional consequences.     

Evaluating the Perceived Efficacy of Randomized Security Measures at Airports

Both the increase in traveler numbers and the heightened threat posed by terrorism in recent years represent significant challenges to airport security measures. To ensure that a high level of security is maintained, randomized security checks have been proposed as a promising alternative to traditional security approaches. The use of randomized checks means that only a specific number of people are selected for security screening. However, the likely effects of such a change in security procedures on travelers’ security perceptions and on the deterrence of criminal activities remain unclear. Thus, the present study examines how varying the percentage of people screened during security checks influences people's security perceptions. In two online experiments, the participants were asked to imagine that they sought to smuggle an explosive dummy past an airport security check. The only information provided was the number of people screened during security checks, which was manipulated between-subjects in the first experiment and within-subjects in the second experiment. The participants then had to rate their security perception (i.e., the perceived likelihood of successfully smuggling the explosive dummy). The findings show that people perceive traditional security checks to be safer than randomized checks, irrespective of whether 90% or 30% of people are screened. Hence, if randomized security checks would indeed be implemented, it would automatically lead to a decreased perception of security. Furthermore, this decreased security perception might lead to an actual reduction in security, as the deterrence of criminal activities could also be reduced.     

A Comparative Analysis of PRA and Intelligent Adversary Methods for Counterterrorism Risk Management

In counterterrorism risk management decisions, the analyst can choose to represent terrorist decisions as defender uncertainties or as attacker decisions. We perform a comparative analysis of probabilistic risk analysis (PRA) methods including event trees, influence diagrams, Bayesian networks, decision trees, game theory, and combined methods on the same illustrative examples (container screening for radiological materials) to get insights into the significant differences in assumptions and results. A key tenent of PRA and decision analysis is the use of subjective probability to assess the likelihood of possible outcomes. For each technique, we compare the assumptions, probability assessment requirements, risk levels, and potential insights for risk managers. We find that assessing the distribution of potential attacker decisions is a complex judgment task, particularly considering the adaptation of the attacker to defender decisions. Intelligent adversary risk analysis and adversarial risk analysis are extensions of decision analysis and sequential game theory that help to decompose such judgments. These techniques explicitly show the adaptation of the attacker and the resulting shift in risk based on defender decisions.     

水环境安全评价方法及其在京津冀地区的应用

为了克服模糊综合评价方法中的权重选取以及最大最小算法导致的信息缺失问题，本文提出一种改进的模糊综合评价方法。首先以熵权法、灰色关联分析法以及主成分分析法为基础，建立组合权重模型；其次，在加权平均原则下引入综合评分方法进行评价得到最终评价结果。从经济社会、水质状况和资源条件三个方面出发，初步建立了包含17个指标的水环境安全评价体系。利用主成分分析法对初步建立的指标体系进行了筛选，最终确定了13个指标作为评价指标。在筛选之后的指标体系下，用改进的模糊综合评价法对北京、天津、河北以及京津冀地区总体的水环境安全进行了评价，给出了2006-2014年间各地区水环境安全变化情况，结果显示京津冀地区水环境安全基本呈现北京优于河北优于天津的趋势；京津冀地区总体的水环境安全呈现先变好再变差的趋势。森林覆盖率是水环境安全最主要的影响因素，其次是第三产业占GDP的比重、人均水资源量以及Ⅰ-Ⅲ类水质占比。弹性系数分析表明，这四个指标的改善也是对京津冀地区水环境安全提高最有效的措施。最后，根据对评价结果的分析，提出了提高京津冀水环境安全的一些建议。