Terrorism Risks and Cost‐Benefit Analysis of Aviation Security

We evaluate, for the U.S. case, the costs and benefits of three security measures designed to reduce the likelihood of a direct replication of the 9/11 terrorist attacks. To do so, we assess risk reduction, losses, and security costs in the context of the full set of security layers. The three measures evaluated are installed physical secondary barriers (IPSB) to restrict access to the hardened cockpit door during door transitions, the Federal Air Marshal Service (FAMS), and the Federal Flight Deck Officer (FFDO) Program. In the process, we examine an alternate policy measure: doubling the budget of the FFDO program to $44 million per year, installing IPSBs in all U.S. aircraft at a cost of $13.5 million per year, and reducing funding for FAMS by 75% to $300 million per year. A break‐even cost‐benefit analysis then finds the minimum probability of an otherwise successful attack required for the benefit of each security measures to equal its cost. We find that the IPSB is costeffective if the annual attack probability of an otherwise successful attack exceeds 0.5% or one attack every 200 years. The FFDO program is costeffective if the annual attack probability exceeds 2%. On the other hand, more than two otherwise successful attacks per year are required for FAMS to be costeffective. A policy that includes IPSBs, an increased budget for FFDOs, and a reduced budget for FAMS may be a viable policy alternative, potentially saving hundreds of millions of dollars per year with consequences for security that are, at most, negligible.     

A Decision Framework for Managing Risk to Airports from Terrorist Attack

This article presents an asset‐level security risk management framework to assist stakeholders of critical assets with allocating limited budgets for enhancing their safety and security against terrorist attack. The proposed framework models the security system of an asset, considers various threat scenarios, and models the sequential decision framework of attackers during the attack. Its novel contributions are the introduction of the notion of partial neutralization of attackers by defenders, estimation of total loss from successful, partially successful, and unsuccessful actions of attackers at various stages of an attack, and inclusion of the effects of these losses on the choices made by terrorists at various stages of the attack. The application of the proposed method is demonstrated in an example dealing with security risk management of a U.S. commercial airport, in which a set of plausible threat scenarios and risk mitigation options are considered. It is found that a combination of providing blast‐resistant cargo containers and a video surveillance system on the airport perimeter fence is the best option based on minimum expected life‐cycle cost considering a 10‐year service period.     

An Adversarial Risk Analysis Framework for Cybersecurity

Risk analysis is an essential methodology for cybersecurity as it allows organizations to deal with cyber threats potentially affecting them, prioritize the defense of their assets, and decide what security controls should be implemented. Many risk analysis methods are present in cybersecurity models, compliance frameworks, and international standards. However, most of them employ risk matrices, which suffer shortcomings that may lead to suboptimal resource allocations. We propose a comprehensive framework for cybersecurity risk analysis, covering the presence of both intentional and nonintentional threats and the use of insurance as part of the security portfolio. A simplified case study illustrates the proposed framework, serving as template for more complex problems.     

Risk-Based Decision Making for Terrorism Applications

This article describes the anti-terrorism risk-based decision aid (ARDA), a risk-based decision-making approach for prioritizing anti-terrorism measures. The ARDA model was developed as part of a larger effort to assess investments for protecting U.S. Navy assets at risk and determine whether the most effective anti-terrorism alternatives are being used to reduce the risk to the facilities and war-fighting assets. With ARDA and some support from subject matter experts, we examine thousands of scenarios composed of 15 attack modes against 160 facility types on two installations and hundreds of portfolios of 22 mitigation alternatives. ARDA uses multiattribute utility theory to solve some of the commonly identified challenges in security risk analysis. This article describes the process and documents lessons learned from applying the ARDA model for this application.     

An Effective Statistical Approach for Comparative Risk Assessment1

Comparative risk assessment is an evaluation process designed to rank environmental problems based on the severity of potential hazards. The purpose of this paper is to provide an effective statistical approach to analyze perceived environmental risks. Environmental problems, evaluative criteria, and other potential moderator variables need to be determined first, and then the risk perception data collected. Repeated measures analysis is used to first test for interactions between environmental problems and potential moderator variables. If there are no significant interactions, then the risk difference among environmental problems is tested unconditionally; otherwise the risk difference is tested conditionally. Cluster analysis for environmental problems is performed only when the risk difference is significant. The clustering results can be objectively determined by using the simultaneous T² confidence intervals. Risk-based priority setting is made according to the clusters obtained. To illustrate this approach, an empirical study of comparative socioeconomic risks in Taiwan was conducted. Socioeconomic impacts areas including social security, quality of life, production cost, investment willingness, and economic resources are used as evaluative criteria. Results indicate that selected impact areas do affect relative risk differences among 24 environmental problems, and the difference is significant for each area. Therefore, cluster analysis is conducted separately for each impact area. Risk-based priority settings for clusters of environmental problems are reported.     

Analyzing the Cost of Screening Selectee and Non-Selectee Baggage

Determining how to effectively operate security devices is as important to overall system performance as developing more sensitive security devices. In light of recent federal mandates for 100% screening of all checked baggage, this research studies the trade-offs between screening only selectee checked baggage and screening both selectee and non-selectee checked baggage for a single baggage screening security device deployed at an airport. This trade-off is represented using a cost model that incorporates the cost of the baggage screening security device, the volume of checked baggage processed through the device, and the outcomes that occur when the device is used. The cost model captures the cost of deploying, maintaining, and operating a single baggage screening security device over a one-year period. The study concludes that as excess baggage screening capacity is used to screen non-selectee checked bags, the expected annual cost increases, the expected annual cost per checked bag screened decreases, and the expected annual cost per expected number of threats detected in the checked bags screened increases. These results indicate that the marginal increase in security per dollar spent is significantly lower when non-selectee checked bags are screened than when only selectee checked bags are screened.     

A Risk Analysis Framework for Cyber Security and Critical Infrastructure Protection of the U.S. Electric Power Grid

The purpose of this article is to introduce a risk analysis framework to enhance the cyber security of and to protect the critical infrastructure of the electric power grid of the United States. Building on the fundamental questions of risk assessment and management, this framework aims to advance the current risk analysis discussions pertaining to the electric power grid. Most of the previous risk-related studies on the electric power grid focus mainly on the recovery of the network from hurricanes and other natural disasters. In contrast, a disproportionately small number of studies explicitly investigate the vulnerability of the electric power grid to cyber-attack scenarios, and how they could be prevented or mitigated. Such a limited approach leaves the United States vulnerable to foreign and domestic threats (both state-sponsored and “lone wolf”) to infiltrate a network that lacks a comprehensive security environment or coordinated government response. By conducting a review of the literature and presenting a risk-based framework, this article underscores the need for a coordinated U.S. cyber security effort toward formulating strategies and responses conducive to protecting the nation against attacks on the electric power grid.     

Cyber Risk Management for Critical Infrastructure: A Risk Analysis Model and Three Case Studies

Managing cyber security in an organization involves allocating the protection budget across a spectrum of possible options. This requires assessing the benefits and the costs of these options. The risk analyses presented here are statistical when relevant data are available, and system‐based for high‐consequence events that have not happened yet. This article presents, first, a general probabilistic risk analysis framework for cyber security in an organization to be specified. It then describes three examples of forward‐looking analyses motivated by recent cyber attacks. The first one is the statistical analysis of an actual database, extended at the upper end of the loss distribution by a Bayesian analysis of possible, high‐consequence attack scenarios that may happen in the future. The second is a systems analysis of cyber risks for a smart, connected electric grid, showing that there is an optimal level of connectivity. The third is an analysis of sequential decisions to upgrade the software of an existing cyber security system or to adopt a new one to stay ahead of adversaries trying to find their way in. The results are distributions of losses to cyber attacks, with and without some considered countermeasures in support of risk management decisions based both on past data and anticipated incidents.     

Intelligent Adversary Risk Analysis: A Bioterrorism Risk Management Model

The tragic events of 9/11 and the concerns about the potential for a terrorist or hostile state attack with weapons of mass destruction have led to an increased emphasis on risk analysis for homeland security. Uncertain hazards (natural and engineering) have been successfully analyzed using probabilistic risk analysis (PRA). Unlike uncertain hazards, terrorists and hostile states are intelligent adversaries who can observe our vulnerabilities and dynamically adapt their plans and actions to achieve their objectives. This article compares uncertain hazard risk analysis with intelligent adversary risk analysis, describes the intelligent adversary risk analysis challenges, and presents a probabilistic defender–attacker–defender model to evaluate the baseline risk and the potential risk reduction provided by defender investments. The model includes defender decisions prior to an attack; attacker decisions during the attack; defender actions after an attack; and the uncertainties of attack implementation, detection, and consequences. The risk management model is demonstrated with an illustrative bioterrorism problem with notional data.     

On the Relationship between Safety and Decision Significance

Risk analysts are often concerned with identifying key safety drivers, that is, the systems, structures, and components (SSCs) that matter the most to safety. SSCs importance is assessed both in the design phase (i.e., before a system is built) and in the implementation phase (i.e., when the system has been built) using the same importance measures. However, in a design phase, it would be necessary to appreciate whether the failure/success of a given SSC can cause the overall decision to change from accept to reject (decision significance). This work addresses the search for the conditions under which SSCs that are safety significant are also decision significant. To address this issue, the work proposes the notion of a θ‐importance measure. We study in detail the relationships among risk importance measures to determine which properties guarantee that the ranking of SSCs does not change before and after the decision is made. An application to a probabilistic safety assessment model developed at NASA illustrates the risk management implications of our work.     

Using Incident Response Trees as a Tool for Risk Management of Online Financial Services

The article introduces the use of probabilistic risk assessment for modeling the incident response process of online financial services. The main contribution is the creation of incident response trees, using event tree analysis, which provides us with a visual tool and a systematic way to estimate the probability of a successful incident response process against the currently known risk landscape, making it possible to measure the balance between front‐end and back‐end security measures. The model is presented using an illustrative example, and is then applied to the incident response process of a Swedish bank. Access to relevant data is verified and the applicability and usability of the proposed model is verified using one year of historical data. Potential advantages and possible shortcomings are discussed, referring to both the design phase and the operational phase, and future work is presented.     

Enterprise risk management for automation in correctional facilities with pandemic and other stressors

Real-time tracking of tool and equipment inventories is a critical function of many organizations and sectors. For prisons and correctional facilities, tracking and monitoring of assets such as cookware, hardware, keys, janitorial equipment, vocational/technical specialty tools, etc., is essential for safety, security, trust, efficiency, education, etc. The performance of automated systems for this purpose can be diminished by a variety of emergent and future sociotechnical factors alone and in combination. This article introduces a methodology for contractor evaluation and selection in acquisition of innovative asset management systems, with an emphasis on evolving system requirements under uncertainty. The methodology features a scenario-based preferences analysis of emergent and future conditions that are disruptive to the performance of the asset-control system. The conditions are across technologies, operating environments, regulations, workforce behaviors, offender behaviors, prices and markets, organizations, cyber threats, etc. The methodology addresses the influence and interaction of the conditions to disrupt system priorities. Examples include: (i) infectious disease disrupting priorities among requirements and (ii)  radio-frequency identification (RFID) and wireless-technology innovations disrupting priorities among stakeholders. The combinations of conditions that most and least matter for the system acquisition are characterized. The methodology constitutes a risk register for monitoring sources of risk to project performance, schedule, and cost throughout the system lifecycle. The results will be of interest to both practitioners and scholars engaged in systems acquisition as the pandemic interacts with other factors to affect risk, uncertainty, and resilience of organizational missions and operations.     

Use of Fuzzy Evidential Reasoning in Maritime Security Assessment

Over the last few years, there has been a growing international recognition that the security performance of the maritime industry needs to be reviewed on an urgent basis. A large number of optional maritime security control measures have been proposed through various regulations and publications in the post-9/11 era. There is a strong need for a sound and generic methodology, which is capable of taking into account multiple selection criteria such as the cost effectiveness of the measures based on reasonable security assessment. The use of traditional risk assessment and decision-making approaches to deal with potential terrorism threats in a maritime security area reveals two major challenges. They are lack of capability of analyzing security in situations of high-level uncertainty and lack of capability of processing diverse data in a utility form suitable as input to a risk inference mechanism. To deal with such difficulties, this article proposes a subjective security-based assessment and management framework using fuzzy evidential reasoning (ER) approaches. Consequently, the framework can be used to assemble and process subjective risk assessment information on different aspects of a maritime transport system from multiple experts in a systematic way. Outputs of this model can also provide decisionmakers with a transparent tool to evaluate maritime security policy options for a specific scenario in a cost-effective manner.     

An Emerging New Risk Analysis Science: Foundations and Implications

To solve real‐life problems—such as those related to technology, health, security, or climate change—and make suitable decisions, risk is nearly always a main issue. Different types of sciences are often supporting the work, for example, statistics, natural sciences, and social sciences. Risk analysis approaches and methods are also commonly used, but risk analysis is not broadly accepted as a science in itself. A key problem is the lack of explanatory power and large uncertainties when assessing risk. This article presents an emerging new risk analysis science based on novel ideas and theories on risk analysis developed in recent years by the risk analysis community. It builds on a fundamental change in thinking, from the search for accurate predictions and risk estimates, to knowledge generation related to concepts, theories, frameworks, approaches, principles, methods, and models to understand, assess, characterize, communicate, and (in a broad sense) manage risk. Examples are used to illustrate the importance of this distinct/separate risk analysis science for solving risk problems, supporting science in general and other disciplines in particular.     

Security Investment in Contagious Networks

Security of the systems is normally interdependent in such a way that security risks of one part affect other parts and threats spread through the vulnerable links in the network. So, the risks of the systems can be mitigated through investments in the security of interconnecting links. This article takes an innovative look at the problem of security investment of nodes on their vulnerable links in a given contagious network as a game‐theoretic model that can be applied to a variety of applications including information systems. In the proposed game model, each node computes its corresponding risk based on the value of its assets, vulnerabilities, and threats to determine the optimum level of security investments on its external links respecting its limited budget. Furthermore, direct and indirect nonlinear influences of a node's security investment on the risks of other nodes are considered. The existence and uniqueness of the game's Nash equilibrium in the proposed game are also proved. Further analysis of the model in a practical case revealed that taking advantage of the investment effects of other players, perfectly rational players (i.e., those who use the utility function of the proposed game model) make more cost‐effective decisions than selfish nonrational or semirational players.     

A Risk Analysis Approach to Prioritizing Epidemics: Ebola Virus Disease in West Africa as a Case Study

The 2014 Ebola virus disease (EVD) outbreak affected several countries worldwide, including six West African countries. It was the largest Ebola epidemic in the history and the first to affect multiple countries simultaneously. Significant national and international delay in response to the epidemic resulted in 28,652 cases and 11,325 deaths. The aim of this study was to develop a risk analysis framework to prioritize rapid response for situations of high risk. Based on findings from the literature, sociodemographic features of the affected countries, and documented epidemic data, a risk scoring framework using 18 criteria was developed. The framework includes measures of socioeconomics, health systems, geographical factors, cultural beliefs, and traditional practices. The three worst affected West African countries (Guinea, Sierra Leone, and Liberia) had the highest risk scores. The scores were much lower in developed countries that experienced Ebola compared to West African countries. A more complex risk analysis framework using 18 measures was compared with a simpler one with 10 measures, and both predicted risk equally well. A simple risk scoring system can incorporate measures of hazard and impact that may otherwise be neglected in prioritizing outbreak response. This framework can be used by public health personnel as a tool to prioritize outbreak investigation and flag outbreaks with potentially catastrophic outcomes for urgent response. Such a tool could mitigate costly delays in epidemic response.     

Social Security Wealth and Retirement Decisions in Italy

Abstract. This paper uses administrative data to study the retirement decisions of Italian private‐sector non‐agricultural employees during the period 1977–97. Our analysis tries to assess the importance of the financial incentives built into the social security system. The basic idea is very simple: at any given age, and based on the available information, workers compare the expected present value of two alternatives: retiring today or working one more year, and then choose the best one. A key role in this kind of comparisons is played by social security wealth, whose level and changes reflect the expectations about the profile of future earnings and the institutional features of the social security system. The various incentive measures that we consider differ in the precise weight given to the social security wealth that workers accrue as they continue to work. Our model does not provide a structural representation of the retirement process. A worker's decision is modeled here following a ‘quasi reduced‐form’ approach, with the incentive measures entering as predictors of the worker's choice in addition to standard variables. The estimated models are then used to predict retirement probabilities under alternative policies that change social security wealth and derived incentive measures.     

Using Probabilistic Terrorism Risk Modeling for Regulatory Benefit-Cost Analysis: Application to the Western Hemisphere Travel Initiative in the Land Environment

This article presents a framework for using probabilistic terrorism risk modeling in regulatory analysis. We demonstrate the framework with an example application involving a regulation under consideration, the Western Hemisphere Travel Initiative for the Land Environment, (WHTI‐L). First, we estimate annualized loss from terrorist attacks with the Risk Management Solutions (RMS) Probabilistic Terrorism Model. We then estimate the critical risk reduction, which is the risk‐reducing effectiveness of WHTI‐L needed for its benefit, in terms of reduced terrorism loss in the United States, to exceed its cost. Our analysis indicates that the critical risk reduction depends strongly not only on uncertainties in the terrorism risk level, but also on uncertainty in the cost of regulation and how casualties are monetized. For a terrorism risk level based on the RMS standard risk estimate, the baseline regulatory cost estimate for WHTI‐L, and a range of casualty cost estimates based on the willingness‐to‐pay approach, our estimate for the expected annualized loss from terrorism ranges from $2.7 billion to $5.2 billion. For this range in annualized loss, the critical risk reduction for WHTI‐L ranges from 7% to 13%. Basing results on a lower risk level that results in halving the annualized terrorism loss would double the critical risk reduction (14–26%), and basing the results on a higher risk level that results in a doubling of the annualized terrorism loss would cut the critical risk reduction in half (3.5–6.6%). Ideally, decisions about terrorism security regulations and policies would be informed by true benefit‐cost analyses in which the estimated benefits are compared to costs. Such analyses for terrorism security efforts face substantial impediments stemming from the great uncertainty in the terrorist threat and the very low recurrence interval for large attacks. Several approaches can be used to estimate how a terrorism security program or regulation reduces the distribution of risks it is intended to manage. But, continued research to develop additional tools and data is necessary to support application of these approaches. These include refinement of models and simulations, engagement of subject matter experts, implementation of program evaluation, and estimating the costs of casualties from terrorism events.     

The Need to Reconcile Concepts that Characterize Systems Facing Threats

Desirable system performance in the face of threats has been characterized by various management concepts. Through semistructured interviews with editors of journals in the fields of emergency response and systems management, a literature review, and professional judgment, we identified nine related and often interchangeably used system performance concepts: adaptability, agility, reliability, resilience, resistance, robustness, safety, security, and sustainability. A better understanding of these concepts will allow system planners to pursue management strategies best suited to their unique system dynamics and specific objectives of good performance. We analyze expert responses and review the linguistic definitions and mathematical framing of these concepts to understand their applications. We find a lack of consensus on their usage between interview subjects, but by using the mathematical framing to enrich the linguistic definitions, we formulate comparative visualizations and propose distinct definitions for the nine concepts. We present a conceptual framing to relate the concepts for management purposes.     

Finding and fixing systems weaknesses: probabilistic methods and applications of engineering risk analysis.

Methods of engineering risk analysis are based on a functional analysis of systems and on the probabilities (generally Bayesian) of the events and random variables that affect their performances. These methods allow identification of a system's failure modes, computation of its probability of failure or performance deterioration per time unit or operation, and of the contribution of each component to the probabilities and consequences of failures. The model has been extended to include the human decisions and actions that affect components' performances, and the management factors that affect behaviors and can thus be root causes of system failures. By computing the risk with and without proposed measures, one can then set priorities among different risk management options under resource constraints. In this article, I present briefly the engineering risk analysis method, then several illustrations of risk computations that can be used to identify a system's weaknesses and the most cost-effective way to fix them. The first example concerns the heat shield of the space shuttle orbiter and shows the relative risk contribution of the tiles in different areas of the orbiter's surface. The second application is to patient risk in anesthesia and demonstrates how the engineering risk analysis method can be used in the medical domain to rank the benefits of risk mitigation measures, in that case, mostly organizational. The third application is a model of seismic risk analysis and mitigation, with application to the San Francisco Bay area for the assessment of the costs and benefits of different seismic provisions of building codes. In all three cases, some aspects of the results were not intuitively obvious. The probabilistic risk analysis (PRA) method allowed identifying system weaknesses and the most cost-effective way to fix them.