Similar literature
20 similar documents found
1.
Risk Analysis for Critical Asset Protection   Total citations: 2, self-citations: 0, citations by others: 2
This article proposes a quantitative risk assessment and management framework that supports strategic asset-level resource allocation decision making for critical infrastructure and key resource protection. The proposed framework consists of five phases: scenario identification, consequence and criticality assessment, security vulnerability assessment, threat likelihood assessment, and benefit-cost analysis. Key innovations in this methodology include its initial focus on fundamental asset characteristics to generate an exhaustive set of plausible threat scenarios based on a target susceptibility matrix (which we refer to as asset-driven analysis) and an approach to threat likelihood assessment that captures adversary tendencies to shift their preferences in response to security investments based on the expected utilities of alternative attack profiles assessed from the adversary perspective. A notional example is provided to demonstrate an application of the proposed framework. Extensions of this model to support strategic portfolio-level analysis and tactical risk analysis are suggested.

2.
Layered defenses are necessary for protecting the public from terrorist attacks. Designing a system of such defensive measures requires consideration of the interaction of these countermeasures. In this article, we present an analysis of a layered security system within the lower Manhattan area. It shows how portfolios of security measures can be evaluated through portfolio decision analysis. Consideration is given to the total benefits and costs of the system. Portfolio diagrams are created that help communicate alternatives among stakeholders who have differing views on the tradeoffs between security and economic activity.

3.
This article presents a framework for using probabilistic terrorism risk modeling in regulatory analysis. We demonstrate the framework with an example application involving a regulation under consideration, the Western Hemisphere Travel Initiative for the Land Environment, (WHTI‐L). First, we estimate annualized loss from terrorist attacks with the Risk Management Solutions (RMS) Probabilistic Terrorism Model. We then estimate the critical risk reduction, which is the risk‐reducing effectiveness of WHTI‐L needed for its benefit, in terms of reduced terrorism loss in the United States, to exceed its cost. Our analysis indicates that the critical risk reduction depends strongly not only on uncertainties in the terrorism risk level, but also on uncertainty in the cost of regulation and how casualties are monetized. For a terrorism risk level based on the RMS standard risk estimate, the baseline regulatory cost estimate for WHTI‐L, and a range of casualty cost estimates based on the willingness‐to‐pay approach, our estimate for the expected annualized loss from terrorism ranges from $2.7 billion to $5.2 billion. For this range in annualized loss, the critical risk reduction for WHTI‐L ranges from 7% to 13%. Basing results on a lower risk level that results in halving the annualized terrorism loss would double the critical risk reduction (14–26%), and basing the results on a higher risk level that results in a doubling of the annualized terrorism loss would cut the critical risk reduction in half (3.5–6.6%). Ideally, decisions about terrorism security regulations and policies would be informed by true benefit‐cost analyses in which the estimated benefits are compared to costs. Such analyses for terrorism security efforts face substantial impediments stemming from the great uncertainty in the terrorist threat and the very low recurrence interval for large attacks. 
Several approaches can be used to estimate how a terrorism security program or regulation reduces the distribution of risks it is intended to manage. But, continued research to develop additional tools and data is necessary to support application of these approaches. These include refinement of models and simulations, engagement of subject matter experts, implementation of program evaluation, and estimating the costs of casualties from terrorism events.

4.
This article presents an asset‐level security risk management framework to assist stakeholders of critical assets with allocating limited budgets for enhancing their safety and security against terrorist attack. The proposed framework models the security system of an asset, considers various threat scenarios, and models the sequential decision framework of attackers during the attack. Its novel contributions are the introduction of the notion of partial neutralization of attackers by defenders, estimation of total loss from successful, partially successful, and unsuccessful actions of attackers at various stages of an attack, and inclusion of the effects of these losses on the choices made by terrorists at various stages of the attack. The application of the proposed method is demonstrated in an example dealing with security risk management of a U.S. commercial airport, in which a set of plausible threat scenarios and risk mitigation options are considered. It is found that a combination of providing blast‐resistant cargo containers and a video surveillance system on the airport perimeter fence is the best option based on minimum expected life‐cycle cost considering a 10‐year service period.

5.
The Homeland Security Act mandates the development of a national, risk-based system to support planning for, response to, and recovery from emergency situations involving large-scale toxic exposures. To prepare for and manage consequences effectively, planners and responders need not only to identify zones of potentially elevated individual risk but also to predict expected casualties. Emergency response support systems now define "consequences" by mapping areas in which toxic chemical concentrations do or may exceed Acute Exposure Guideline Levels (AEGLs) or similar guidelines. However, because AEGLs do not estimate expected risks, current unqualified claims that such maps support consequence management are misleading. Intentionally protective, AEGLs incorporate various safety/uncertainty factors depending on the scope and quality of chemical-specific toxicity data. Some of these factors are irrelevant, and others need to be modified, whenever resource constraints or exposure-scenario complexities require responders to make critical trade-off (triage) decisions in order to minimize expected casualties. AEGL-exceedance zones cannot consistently be aggregated, compared, or used to calculate expected casualties and so may seriously misguide emergency response triage decisions. Methods and tools well established and readily available to support environmental health protection are not yet developed for chemically-related environmental health triage. Effective triage decisions involving chemical risks require a new assessment approach that focuses on best estimates of likely casualties, rather than on upper plausible bounds of individual risk. If risk-based consequence management is to become a reality, federal agencies tasked with supporting emergency response must actively coordinate to foster new methods that can support effective environmental health triage.

6.
This article presents a framework for economic consequence analysis of terrorism countermeasures. It specifies major categories of direct and indirect costs, benefits, spillover effects, and transfer payments that must be estimated in a comprehensive assessment. It develops a spreadsheet tool for data collection, storage, and refinement, as well as estimation of the various components of the necessary economic accounts. It also illustrates the usefulness of the framework in the first assessment of the tradeoffs between enhanced security and changes in commercial activity in an urban area, with explicit attention to the role of spillover effects. The article also contributes a practical user interface to the model for emergency managers.

7.
Risk Analysis, 2018, 38(2): 226-241
Managing cyber security in an organization involves allocating the protection budget across a spectrum of possible options. This requires assessing the benefits and the costs of these options. The risk analyses presented here are statistical when relevant data are available, and system‐based for high‐consequence events that have not happened yet. This article presents, first, a general probabilistic risk analysis framework for cyber security in an organization to be specified. It then describes three examples of forward‐looking analyses motivated by recent cyber attacks. The first one is the statistical analysis of an actual database, extended at the upper end of the loss distribution by a Bayesian analysis of possible, high‐consequence attack scenarios that may happen in the future. The second is a systems analysis of cyber risks for a smart, connected electric grid, showing that there is an optimal level of connectivity. The third is an analysis of sequential decisions to upgrade the software of an existing cyber security system or to adopt a new one to stay ahead of adversaries trying to find their way in. The results are distributions of losses to cyber attacks, with and without some considered countermeasures in support of risk management decisions based both on past data and anticipated incidents.

8.
Quantitative risk analysis is being extensively employed to support policymakers and provides a strong conceptual framework for evaluating decision alternatives under uncertainty. Many problems involving environmental risks are, however, of a spatial nature, i.e., containing spatial impacts, spatial vulnerabilities, and spatial risk‐mitigation alternatives. Recent developments in multicriteria spatial analysis have enabled the assessment and aggregation of multiple impacts, supporting policymakers in spatial evaluation problems. However, recent attempts to conduct spatial multicriteria risk analysis have generally been weakly conceptualized, without adequate roots in quantitative risk analysis. Moreover, assessments of spatial risk often neglect the multidimensional nature of spatial impacts (e.g., social, economic, human) that are typically occurring in such decision problems. The aim of this article is therefore to suggest a conceptual quantitative framework for environmental multicriteria spatial risk analysis based on expected multi‐attribute utility theory. The framework proposes: (i) the formal assessment of multiple spatial impacts; (ii) the aggregation of these multiple spatial impacts; (iii) the assessment of spatial vulnerabilities and probabilities of occurrence of adverse events; (iv) the computation of spatial risks; (v) the assessment of spatial risk mitigation alternatives; and (vi) the design and comparison of spatial risk mitigation alternatives (e.g., reductions of vulnerabilities and/or impacts). We illustrate the use of the framework in practice with a case study based on a flood‐prone area in northern Italy.

9.
This article proposes, develops, and illustrates the application of level‐k game theory to adversarial risk analysis. Level‐k reasoning, which assumes that players play strategically but have bounded rationality, is useful for operationalizing a Bayesian approach to adversarial risk analysis. It can be applied in a broad class of settings, including settings with asynchronous play and partial but incomplete revelation of early moves. Its computational and elicitation requirements are modest. We illustrate the approach with an application to a simple defend‐attack model in which the defender's countermeasures are revealed with a probability less than one to the attacker before he decides on how or whether to attack.

10.
Since the terrorist attacks of September 11, 2001, and the subsequent establishment of the U.S. Department of Homeland Security (DHS), considerable efforts have been made to estimate the risks of terrorism and the cost effectiveness of security policies to reduce these risks. DHS, industry, and the academic risk analysis communities have all invested heavily in the development of tools and approaches that can assist decisionmakers in effectively allocating limited resources across the vast array of potential investments that could mitigate risks from terrorism and other threats to the homeland. Decisionmakers demand models, analyses, and decision support that are useful for this task and based on the state of the art. Since terrorism risk analysis is new, no single method is likely to meet this challenge. In this article we explore a number of existing and potential approaches for terrorism risk analysis, focusing particularly on recent discussions regarding the applicability of probabilistic and decision analytic approaches to bioterrorism risks and the Bioterrorism Risk Assessment methodology used by the DHS and criticized by the National Academies and others.

11.
Risk analysis is an essential methodology for cybersecurity as it allows organizations to deal with cyber threats potentially affecting them, prioritize the defense of their assets, and decide what security controls should be implemented. Many risk analysis methods are present in cybersecurity models, compliance frameworks, and international standards. However, most of them employ risk matrices, which suffer shortcomings that may lead to suboptimal resource allocations. We propose a comprehensive framework for cybersecurity risk analysis, covering the presence of both intentional and nonintentional threats and the use of insurance as part of the security portfolio. A simplified case study illustrates the proposed framework, serving as template for more complex problems.

12.
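Building on an analysis of Jia & Dyer's risk-value theory, this paper presents an asymmetric risk function based on a pre-specified target return. The risk function is a weighted sum of the deviations below the reference point and the deviations above the reference point; it uses the first-order "upper partial moment" to correct the second-order lower partial moment. A quadratic programming portfolio investment model is then established under this asymmetric risk function, and the model is proved to be consistent with the third-order stochastic dominance criterion. Finally, the effectiveness and practicality of the model are verified with actual data from the Shanghai securities market.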

13.
The tragic events of 9/11 and the concerns about the potential for a terrorist or hostile state attack with weapons of mass destruction have led to an increased emphasis on risk analysis for homeland security. Uncertain hazards (natural and engineering) have been successfully analyzed using probabilistic risk analysis (PRA). Unlike uncertain hazards, terrorists and hostile states are intelligent adversaries who can observe our vulnerabilities and dynamically adapt their plans and actions to achieve their objectives. This article compares uncertain hazard risk analysis with intelligent adversary risk analysis, describes the intelligent adversary risk analysis challenges, and presents a probabilistic defender–attacker–defender model to evaluate the baseline risk and the potential risk reduction provided by defender investments. The model includes defender decisions prior to an attack; attacker decisions during the attack; defender actions after an attack; and the uncertainties of attack implementation, detection, and consequences. The risk management model is demonstrated with an illustrative bioterrorism problem with notional data.

14.
Risk Analysis and Risk Management: An Historical Perspective   Total citations: 2, self-citations: 0, citations by others: 2
This paper reviews the history of risk analysis and risk management, giving special emphasis to the neglected period prior to the 20th century. The overall objective of the paper is to: (1) dampen the prevailing tendency to view present-day concerns about risk in an ahistorical context; (2) shed light on the intellectual antecedents of current thinking about risk; (3) clarify how contemporary ideas about risk analysis and societal risk management differ significantly from the past; and (4) provide a basis for anticipating future directions in risk analysis and management.

15.
16.
17.
Cost‐benefit analysis (CBA) is commonly applied as a tool for deciding on risk protection. With CBA, one can identify risk mitigation strategies that lead to an optimal tradeoff between the costs of the mitigation measures and the achieved risk reduction. In practical applications of CBA, the strategies are typically evaluated through efficiency indicators such as the benefit‐cost ratio (BCR) and the marginal cost (MC) criterion. In many of these applications, the BCR is not consistently defined, which, as we demonstrate in this article, can lead to the identification of suboptimal solutions. This is of particular relevance when the overall budget for risk reduction measures is limited and an optimal allocation of resources among different subsystems is necessary. We show that this problem can be formulated as a hierarchical decision problem, where the general rules and decisions on the available budget are made at a central level (e.g., central government agency, top management), whereas the decisions on the specific measures are made at the subsystem level (e.g., local communities, company division). It is shown that the MC criterion provides optimal solutions in such hierarchical optimization. Since most practical applications only include a discrete set of possible risk protection measures, the MC criterion is extended to this situation. The findings are illustrated through a hypothetical numerical example. This study was prepared as part of our work on the optimal management of natural hazard risks, but its conclusions also apply to other fields of risk management.

18.
Multicriteria decision analysis (MCDA) has been applied to various energy problems to incorporate a variety of qualitative and quantitative criteria, usually spanning environmental, social, engineering, and economic fields. MCDA and associated methods such as life‐cycle assessments and cost‐benefit analysis can also include risk analysis to address uncertainties in criteria estimates. One technology now being assessed to help mitigate climate change is carbon capture and storage (CCS). CCS is a new process that captures CO2 emissions from fossil‐fueled power plants and injects them into geological reservoirs for storage. It presents a unique challenge to decisionmakers (DMs) due to its technical complexity, range of environmental, social, and economic impacts, variety of stakeholders, and long time spans. The authors have developed a risk assessment model using a MCDA approach for CCS decisions such as selecting between CO2 storage locations and choosing among different mitigation actions for reducing risks. The model includes uncertainty measures for several factors, utility curve representations of all variables, Monte Carlo simulation, and sensitivity analysis. This article uses a CCS scenario example to demonstrate the development and application of the model based on data derived from published articles and publicly available sources. The model allows high‐level DMs to better understand project risks and the tradeoffs inherent in modern, complex energy decisions.

19.
The purpose of this article is to introduce a risk analysis framework to enhance the cyber security of and to protect the critical infrastructure of the electric power grid of the United States. Building on the fundamental questions of risk assessment and management, this framework aims to advance the current risk analysis discussions pertaining to the electric power grid. Most of the previous risk-related studies on the electric power grid focus mainly on the recovery of the network from hurricanes and other natural disasters. In contrast, a disproportionately small number of studies explicitly investigate the vulnerability of the electric power grid to cyber-attack scenarios, and how they could be prevented or mitigated. Such a limited approach leaves the United States vulnerable to foreign and domestic threats (both state-sponsored and “lone wolf”) to infiltrate a network that lacks a comprehensive security environment or coordinated government response. By conducting a review of the literature and presenting a risk-based framework, this article underscores the need for a coordinated U.S. cyber security effort toward formulating strategies and responses conducive to protecting the nation against attacks on the electric power grid.

20.
Behavioral decision research has demonstrated that judgments and decisions of ordinary people and experts are subject to numerous biases. Decision and risk analysis were designed to improve judgments and decisions and to overcome many of these biases. However, when eliciting model components and parameters from decisionmakers or experts, analysts often face the very biases they are trying to help overcome. When these inputs are biased they can seriously reduce the quality of the model and resulting analysis. Some of these biases are due to faulty cognitive processes; some are due to motivations for preferred analysis outcomes. This article identifies the cognitive and motivational biases that are relevant for decision and risk analysis because they can distort analysis inputs and are difficult to correct. We also review and provide guidance about the existing debiasing techniques to overcome these biases. In addition, we describe some biases that are less relevant because they can be corrected by using logic or decomposing the elicitation task. We conclude the article with an agenda for future research.
