Probabilistic Risk Analysis and Terrorism Risk

Since the terrorist attacks of September 11, 2001, and the subsequent establishment of the U.S. Department of Homeland Security (DHS), considerable efforts have been made to estimate the risks of terrorism and the cost effectiveness of security policies to reduce these risks. DHS, industry, and the academic risk analysis communities have all invested heavily in the development of tools and approaches that can assist decisionmakers in effectively allocating limited resources across the vast array of potential investments that could mitigate risks from terrorism and other threats to the homeland. Decisionmakers demand models, analyses, and decision support that are useful for this task and based on the state of the art. Since terrorism risk analysis is new, no single method is likely to meet this challenge. In this article we explore a number of existing and potential approaches for terrorism risk analysis, focusing particularly on recent discussions regarding the applicability of probabilistic and decision analytic approaches to bioterrorism risks and the Bioterrorism Risk Assessment methodology used by the DHS and criticized by the National Academies and others.     

Optimal Security Investments and Extreme Risk

In the aftermath of 9/11, concern over security increased dramatically in both the public and the private sector. Yet, no clear algorithm exists to inform firms on the amount and the timing of security investments to mitigate the impact of catastrophic risks. The goal of this article is to devise an optimum investment strategy for firms to mitigate exposure to catastrophic risks, focusing on how much to invest and when to invest. The latter question addresses the issue of whether postponing a risk mitigating decision is an optimal strategy or not. Accordingly, we develop and estimate both a one‐period model and a multiperiod model within the framework of extreme value theory (EVT). We calibrate these models using probability measures for catastrophic terrorism risks associated with attacks on the food sector. We then compare our findings with the purchase of catastrophic risk insurance.     

How does homeland security affect U.S. firms' international competitiveness?

This paper frames the issue of homeland security and its relationship to the international competitiveness of U.S. firms in general. This is largely a conceptual statement, identifying the areas of national security (homeland security) that are key to business, and exploring the management concerns of business to the new threats and opportunities that have arisen.We establish the point that homeland security is a purposeful, conscious, and rational response to terrorist events that is an emergent and evolving systems phenomenon. This systems approach is an especially useful way to look at the implications of homeland security in its relation to business. We then look specifically at the kinds of costs and risks that are generated for U.S. international business (exports, imports, incoming and outgoing investments) as a result of this phenomenon. Management strategies for dealing with these costs and risks are explored for U.S. firms.Our conclusion is to demonstrate the scope of analysis that is needed to understand and to managerially cope with the homeland security problem. We show the value of using theory from various disciplines for analyzing a multi-dimensional problem like this. And finally we are able to recommend some policy dimensions for both companies and the U.S. Government toward mitigating the negative impacts of the homeland security problem.     

Systemic Valuation of Strategic Preparedness Through Application of the Inoperability Input-Output Model with Lessons Learned from Hurricane Katrina

The U.S. Department of Homeland Security (DHS) has mandated all regions to "carefully weigh the benefit of each homeland security endeavor and only allocate resources where the benefit of reducing risk is worth the amount of additional cost" (DHS, 2006, p. 64). This mandate illuminates the need to develop methods for systemic valuation of preparedness measures that support strategic decision making. This article proposes an analysis method that naturally emerges from the structure of the inoperability input-output model (IIM) through which various regional- and sector-specific impact analyses can be cost-effectively integrated for natural and man-made disasters. The IIM is described extensively in a companion paper (Lian et al., 2007). Its reliance on data classifications structured by the U.S. Census Bureau and its extensive accounting of economic interdependencies enables us to decompose a risk analysis activity, perform independent assessments, and properly integrate the assessment for a systemic valuation of risk and risk management activity. In this article, we account for and assess some of the major impacts of Hurricanes Katrina and Rita to demonstrate this use of the IIM and illustrate hypothetical, reduced impacts resulting from various strategic preparedness decisions. Our results indicate the capability of the IIM to guide the decision-making processes involved in developing a preparedness strategy.     

Cost of Equity in Homeland Security Resource Allocation in the Face of a Strategic Attacker

Hundreds of billions of dollars have been spent in homeland security since September 11, 2001. Many mathematical models have been developed to study strategic interactions between governments (defenders) and terrorists (attackers). However, few studies have considered the tradeoff between equity and efficiency in homeland security resource allocation. In this article, we fill this gap by developing a novel model in which a government allocates defensive resources among multiple potential targets, while reserving a portion of defensive resources (represented by the equity coefficient) for equal distribution (according to geographical areas, population, density, etc.). Such a way to model equity is one of many alternatives, but was directly inspired by homeland security resource allocation practice. The government is faced with a strategic terrorist (adaptive adversary) whose attack probabilities are endogenously determined in the model. We study the effect of the equity coefficient on the optimal defensive resource allocations and the corresponding expected loss. We find that the cost of equity (in terms of increased expected loss) increases convexly in the equity coefficient. Furthermore, such cost is lower when: (a) government uses per‐valuation equity; (b) the cost‐effectiveness coefficient of defense increases; and (c) the total defense budget increases. Our model, results, and insights could be used to assist policy making.     

Using Probabilistic Terrorism Risk Modeling for Regulatory Benefit-Cost Analysis: Application to the Western Hemisphere Travel Initiative in the Land Environment

This article presents a framework for using probabilistic terrorism risk modeling in regulatory analysis. We demonstrate the framework with an example application involving a regulation under consideration, the Western Hemisphere Travel Initiative for the Land Environment, (WHTI‐L). First, we estimate annualized loss from terrorist attacks with the Risk Management Solutions (RMS) Probabilistic Terrorism Model. We then estimate the critical risk reduction, which is the risk‐reducing effectiveness of WHTI‐L needed for its benefit, in terms of reduced terrorism loss in the United States, to exceed its cost. Our analysis indicates that the critical risk reduction depends strongly not only on uncertainties in the terrorism risk level, but also on uncertainty in the cost of regulation and how casualties are monetized. For a terrorism risk level based on the RMS standard risk estimate, the baseline regulatory cost estimate for WHTI‐L, and a range of casualty cost estimates based on the willingness‐to‐pay approach, our estimate for the expected annualized loss from terrorism ranges from $2.7 billion to $5.2 billion. For this range in annualized loss, the critical risk reduction for WHTI‐L ranges from 7% to 13%. Basing results on a lower risk level that results in halving the annualized terrorism loss would double the critical risk reduction (14–26%), and basing the results on a higher risk level that results in a doubling of the annualized terrorism loss would cut the critical risk reduction in half (3.5–6.6%). Ideally, decisions about terrorism security regulations and policies would be informed by true benefit‐cost analyses in which the estimated benefits are compared to costs. Such analyses for terrorism security efforts face substantial impediments stemming from the great uncertainty in the terrorist threat and the very low recurrence interval for large attacks. Several approaches can be used to estimate how a terrorism security program or regulation reduces the distribution of risks it is intended to manage. But, continued research to develop additional tools and data is necessary to support application of these approaches. These include refinement of models and simulations, engagement of subject matter experts, implementation of program evaluation, and estimating the costs of casualties from terrorism events.     

Strategic Alternative Responses to Risks of Terrorism

The terrorist acts of September 11, 2001 were a wake‐up call for changing our traditional response to risks of terrorism. Given that government and worldwide think‐tank organizations maintain that risks of terrorism will continue for the indefinite future, the following questions deserve strategic answers. How long can we respond to terrorism with tactical measures only, sustain current curtailments of some of our freedoms, travel, and quality of life, and absorb losses in human life and properties? Should not underlying strategic motivation lead to the tactical measures? Why do so many groups and individuals in some developing countries hate us? Is it because they fear that the ideas we export through television, movies, literature, and music have a corrupting influence on their cultures? Is it because of past operations that we conducted in such countries as Iran, Nicaragua, El Salvador, and Granada? Can the genesis of the risks of terrorism to the homeland be traced to the unfavorable socioeconomic conditions in less‐privileged and developing countries, where civil and religious freedoms are close to nonexistent, and sanitary conditions, health and education, and critical infrastructures of essential utilities are almost at the same level that existed in the United States almost a century ago? If we could make progress at improving the quality of life of the billions of people in the developing countries and become more sensitive to their needs, cultures, and heritage, would their hatred subside? What other measures can we take to reduce their hatred, without compromising our basic cultural and democratic principles or their cultural and social heritage?     

A Methodology for Modeling Regional Terrorism Risk

Over the past decade, terrorism risk has become a prominent consideration in protecting the well‐being of individuals and organizations. More recently, there has been interest in not only quantifying terrorism risk, but also placing it in the context of an all‐hazards environment in which consideration is given to accidents and natural hazards, as well as intentional acts. This article discusses the development of a regional terrorism risk assessment model designed for this purpose. The approach taken is to model terrorism risk as a dependent variable, expressed in expected annual monetary terms, as a function of attributes of population concentration and critical infrastructure. This allows for an assessment of regional terrorism risk in and of itself, as well as in relation to man‐made accident and natural hazard risks, so that mitigation resources can be allocated in an effective manner. The adopted methodology incorporates elements of two terrorism risk modeling approaches (event‐based models and risk indicators), producing results that can be utilized at various jurisdictional levels. The validity, strengths, and limitations of the model are discussed in the context of a case study application within the United States.     

Optimal Resource Allocation for Defense of Targets Based on Differing Measures of Attractiveness

This article describes the results of applying a rigorous computational model to the problem of the optimal defensive resource allocation among potential terrorist targets. In particular, our study explores how the optimal budget allocation depends on the cost effectiveness of security investments, the defender's valuations of the various targets, and the extent of the defender's uncertainty about the attacker's target valuations. We use expected property damage, expected fatalities, and two metrics of critical infrastructure (airports and bridges) as our measures of target attractiveness. Our results show that the cost effectiveness of security investment has a large impact on the optimal budget allocation. Also, different measures of target attractiveness yield different optimal budget allocations, emphasizing the importance of developing more realistic terrorist objective functions for use in budget allocation decisions for homeland security.     

Security Investment in Contagious Networks

Security of the systems is normally interdependent in such a way that security risks of one part affect other parts and threats spread through the vulnerable links in the network. So, the risks of the systems can be mitigated through investments in the security of interconnecting links. This article takes an innovative look at the problem of security investment of nodes on their vulnerable links in a given contagious network as a game‐theoretic model that can be applied to a variety of applications including information systems. In the proposed game model, each node computes its corresponding risk based on the value of its assets, vulnerabilities, and threats to determine the optimum level of security investments on its external links respecting its limited budget. Furthermore, direct and indirect nonlinear influences of a node's security investment on the risks of other nodes are considered. The existence and uniqueness of the game's Nash equilibrium in the proposed game are also proved. Further analysis of the model in a practical case revealed that taking advantage of the investment effects of other players, perfectly rational players (i.e., those who use the utility function of the proposed game model) make more cost‐effective decisions than selfish nonrational or semirational players.     

Robust allocation of a defensive budget considering an attacker's private information

Attackers' private information is one of the main issues in defensive resource allocation games in homeland security. The outcome of a defense resource allocation decision critically depends on the accuracy of estimations about the attacker's attributes. However, terrorists' goals may be unknown to the defender, necessitating robust decisions by the defender. This article develops a robust-optimization game-theoretical model for identifying optimal defense resource allocation strategies for a rational defender facing a strategic attacker while the attacker's valuation of targets, being the most critical attribute of the attacker, is unknown but belongs to bounded distribution-free intervals. To our best knowledge, no previous research has applied robust optimization in homeland security resource allocation when uncertainty is defined in bounded distribution-free intervals. The key features of our model include (1) modeling uncertainty in attackers' attributes, where uncertainty is characterized by bounded intervals; (2) finding the robust-optimization equilibrium for the defender using concepts dealing with budget of uncertainty and price of robustness; and (3) applying the proposed model to real data.     

What's Wrong with Hazard‐Ranking Systems? An Expository Note

Two commonly recommended principles for allocating risk management resources to remediate uncertain hazards are: (1) select a subset to maximize risk-reduction benefits (e.g., maximize the von Neumann-Morgenstern expected utility of the selected risk-reducing activities), and (2) assign priorities to risk-reducing opportunities and then select activities from the top of the priority list down until no more can be afforded. When different activities create uncertain but correlated risk reductions, as is often the case in practice, then these principles are inconsistent: priority scoring and ranking fails to maximize risk-reduction benefits. Real-world risk priority scoring systems used in homeland security and terrorism risk assessment, environmental risk management, information system vulnerability rating, business risk matrices, and many other important applications do not exploit correlations among risk-reducing opportunities or optimally diversify risk-reducing investments. As a result, they generally make suboptimal risk management recommendations. Applying portfolio optimization methods instead of risk prioritization ranking, rating, or scoring methods can achieve greater risk-reduction value for resources spent.     

Transparency after 9/11: Balancing the “Right-to-Know” with the Need for Security

Mandatory and voluntary environmental information disclosure has grown dramatically over the past decade. The prevailing view had become that the public has a “right-to-know” the risks they face and that more information would ultimately lead to better societal decision-making. This all changed on September 11, 2001. The concern for homeland security has led to thousands of web pages and documents at public reading rooms being withdrawn. This article reports on a panel discussion with leading environmental information disclosure experts on the change in the transparency landscape post 9-11. Among the questions addressed: Have companies begun to rethink this trend post 9/11? What is the public's “right-to-know”? Does reducing the amount of information available to the public increase or decrease the risk to communities or emergency responders? Will the heightened threat of terrorist use of chemicals put pressure on companies to find alternative chemicals and processes?     

Assessing the Benefits and Costs of Homeland Security Research: A Risk-Informed Methodology with Applications for the U.S. Coast Guard

This article describes a methodology for risk-informed benefit–cost analyses of homeland security research products. The methodology is field-tested with 10 research products developed for the U.S. Coast Guard. Risk-informed benefit–cost analysis is a tool for risk management that integrates elements of risk analysis, decision analysis, and benefit–cost analysis. The cost analysis methodology includes a full-cost accounting of research projects, starting with initial fundamental research costs and extending to the costs of implementation of the research products and, where applicable, training, maintenance, and upgrade costs. The benefits analysis methodology is driven by changes in costs and risks leading to five alternative models: cost savings at the same level of security, increased security at the same cost, signal detection improvements, risk reduction by deterrence, and value of information. The U.S. Coast Guard staff selected 10 research projects to test and generalize the methodology. Examples include tools to improve the detection of explosives, reduce the costs of harbor patrols, and provide better predictions of hurricane wind speeds and floods. Benefits models and estimates varied by research project and many input parameters of the benefit estimates were highly uncertain, so risk analysis for sensitivity testing and simulation was important. Aggregating across the 10 research products, we found an overall median net present value of about $385 million, with a range from $54 million (5th percentile) to $877 million (95th percentile). Lessons learned are provided for future applications.     

Augmenting the Deliberative Method for Ranking Risks

The Department of Homeland Security (DHS) characterized and prioritized the physical cross‐border threats and hazards to the nation stemming from terrorism, market‐driven illicit flows of people and goods (illegal immigration, narcotics, funds, counterfeits, and weaponry), and other nonmarket concerns (movement of diseases, pests, and invasive species). These threats and hazards pose a wide diversity of consequences with very different combinations of magnitudes and likelihoods, making it very challenging to prioritize them. This article presents the approach that was used at DHS to arrive at a consensus regarding the threats and hazards that stand out from the rest based on the overall risk they pose. Due to time constraints for the decision analysis, it was not feasible to apply multiattribute methodologies like multiattribute utility theory or the analytic hierarchy process. Using a holistic approach was considered, such as the deliberative method for ranking risks first published in this journal. However, an ordinal ranking alone does not indicate relative or absolute magnitude differences among the risks. Therefore, the use of the deliberative method for ranking risks is not sufficient for deciding whether there is a material difference between the top‐ranked and bottom‐ranked risks, let alone deciding what the stand‐out risks are. To address this limitation of ordinal rankings, the deliberative method for ranking risks was augmented by adding an additional step to transform the ordinal ranking into a ratio scale ranking. This additional step enabled the selection of stand‐out risks to help prioritize further analysis.     

Is Risk Analysis Scientific?

This article discusses to what extent risk analysis is scientific in view of a set of commonly used definitions and criteria. We consider scientific knowledge to be characterized by its subject matter, its success in developing the best available knowledge in its fields of study, and the epistemic norms and values that guide scientific investigations. We proceed to assess the field of risk analysis according to these criteria. For this purpose, we use a model for risk analysis in which science is used as a base for decision making on risks, which covers the five elements evidence, knowledge base, broad risk evaluation, managerial review and judgment, and the decision; and that relates these elements to the domains experts and decisionmakers, and to the domains fact‐based or value‐based. We conclude that risk analysis is a scientific field of study, when understood as consisting primarily of (i) knowledge about risk‐related phenomena, processes, events, etc., and (ii) concepts, theories, frameworks, approaches, principles, methods and models to understand, assess, characterize, communicate, and manage risk, in general and for specific applications (the instrumental part).     

An Exploratory Risk Perception Study of Attitudes Toward Homeland Security Systems

Understanding the issues surrounding public acceptance of homeland security systems is important for balancing security needs and potential civil liberties infringements. A psychometric survey was used in an exploratory study of attitudes regarding homeland security systems. Psychometric rating data were obtained from 182 respondents on psychological attributes associated with 12 distinct types of homeland security systems. An inverse relationship was observed for the overall rating attributes of acceptability and risk of civil liberties infringement. Principal components analysis (PCA) yielded a two-factor solution with the rating scale loading pattern suggesting factors of perceived effectiveness and perceived intrusiveness. These factors also showed an inverse relationship. The 12 different homeland security systems showed significantly different scores on the rating scales and PCA factors. Of the 12 systems studied, airport screening, canine detectors, and radiation monitoring at borders were found to be the most acceptable, while email monitoring, data mining, and global positioning satellite (GPS) tracking were found to be least acceptable. Students rated several systems as more effective than professionals, but the overall pattern of results for both types of subjects was similar. The data suggest that risk perception research and the psychometric paradigm are useful approaches for quantifying attitudes regarding homeland security systems and policies and can be used to anticipate potentially significant public acceptance issues.     

Use of Fuzzy Evidential Reasoning in Maritime Security Assessment

Over the last few years, there has been a growing international recognition that the security performance of the maritime industry needs to be reviewed on an urgent basis. A large number of optional maritime security control measures have been proposed through various regulations and publications in the post-9/11 era. There is a strong need for a sound and generic methodology, which is capable of taking into account multiple selection criteria such as the cost effectiveness of the measures based on reasonable security assessment. The use of traditional risk assessment and decision-making approaches to deal with potential terrorism threats in a maritime security area reveals two major challenges. They are lack of capability of analyzing security in situations of high-level uncertainty and lack of capability of processing diverse data in a utility form suitable as input to a risk inference mechanism. To deal with such difficulties, this article proposes a subjective security-based assessment and management framework using fuzzy evidential reasoning (ER) approaches. Consequently, the framework can be used to assemble and process subjective risk assessment information on different aspects of a maritime transport system from multiple experts in a systematic way. Outputs of this model can also provide decisionmakers with a transparent tool to evaluate maritime security policy options for a specific scenario in a cost-effective manner.     

Security Assurance: How Online Service Providers Can Influence Security Control Perceptions and Gain Trust

Security researchers agree that security control is a difficult to observe credence quality of online services that Internet users cannot easily assess through research or experience. Yet there is evidence that users form perceptions of security control that strongly determine how much trust they put in online services. This study investigates whether users’ security control perceptions arise solely from their predispositions or whether online service providers can influence them. The study also examines whether these seemingly undependable perceptions of security control lead to trust or whether more traditional factors might offer a better explanation of trust under security risks. To address these issues, this study proposes a new theory of security assurance that integrates the frameworks of trust and quality signals. The results show that rather than being guided by predispositions, users appear to mainly assess security control based on indirect cues controlled by service providers. Importantly, Internet users do not treat the credence quality of security the same way they treat qualities that can be understood through search and experience. Although returning users develop security control perceptions and trust from the usual heuristics of ongoing relationships, they also continue to evaluate market information about service providers like they do in new relationships. The proposed model offers a new perspective of how users respond to the uncertain and technically challenging qualities prevalent in online services.     

Cyber risk assessment in small and medium-sized enterprises: A multilevel decision-making approach for small e-tailors

The role played by information and communication technologies in today's businesses cannot be underestimated. While such technological advancements provide numerous advantages and opportunities, they are known to thread organizations with new challenges such as cyberattacks. This is particularly important for small and medium-sized enterprises (SMEs) that are deemed to be the least mature and highly vulnerable to cybersecurity risks. Thus, this research is set to assess the cyber risks in online retailing SMEs (e-tailing SMEs). Therefore, this article employs a sample of 124 small e-tailers in the United Kingdom and takes advantage of a multi-criteria decision analysis (MCDA) method. Indeed, we identified a total number of 28 identified cyber-oriented risks in five exhaustive themes of “security,” “dependency,” “employee,” “strategic,” and “legal” risks. Subsequently, an integrated approach using step-wise weight assessment ratio analysis (SWARA) and best–worst method (BWM) has been employed to develop a pathway of risk assessment. As such, the current study outlines a novel approach toward cybersecurity risk management for e-tailing SMEs and discusses its effectiveness and contributions to the cyber risk management literature.