Risk Analysis, Vol. 28, No. 6, 2008 DOI: 10.1111/j.1539-6924.2008.01142.x

Some Limitations of “Risk = Threat × Vulnerability × Consequence” for Risk Analysis of Terrorist Attacks

Louis Anthony (Tony) Cox, Jr.∗

Several important risk analysis methods now used in setting priorities for protecting U.S. infrastructures against terrorist attacks are based on the formula: Risk = Threat × Vulnerability × Consequence. This article identifies potential limitations in such methods that can undermine their ability to guide resource allocations to effectively optimize risk reductions. After considering specific examples for the Risk Analysis and Management for Critical Asset Protection (RAMCAP™) framework used by the Department of Homeland Security, we address more fundamental limitations of the product formula. These include its failure to adjust for correlations among its components, nonadditivity of risks estimated using the formula, inability to use risk-scoring results to optimally allocate defensive resources, and intrinsic subjectivity and ambiguity of Threat, Vulnerability, and Consequence numbers. Trying to directly assess probabilities for the actions of intelligent antagonists instead of modeling how they adaptively pursue their goals in light of available information and experience can produce ambiguous or mistaken risk estimates. Recent work demonstrates that two-level (or few-level) hierarchical optimization models can provide a useful alternative to Risk = Threat × Vulnerability × Consequence scoring rules, and also to probabilistic risk assessment (PRA) techniques that ignore rational planning and adaptation. In such two-level optimization models, defender predicts attacker’s best response to defender’s own actions, and then chooses his or her own actions taking into account these best responses. Such models appear valuable as practical approaches to antiterrorism risk analysis.

KEY WORDS: Game theory; hierarchical optimization; RAMCAP; rational opponent; terrorism risk assessment; two-level optimization

1. THE RISK = THREAT × VULNERABILITY × CONSEQUENCE FRAMEWORK

In April, 2007, the Department of Homeland Security (DHS) released a risk-based performance standard for security of chemical facilities in the United States (http://www.dhs.gov/xlibrary/assets/IP ChemicalFacilitySecurity.pdf). The new standard estimates risks by means of the following formula:

Risk = Threat × Vulnerability × Consequence. (1)

It is based on the Risk Analysis and Management for Critical Asset Protection (RAMCAP™) framework.(1) Table I shows the explanations provided for the terms in this formula, as well as for “conditional risk,” i.e., risk when intent to attack is assumed (i.e., conditioned on Threat = 1).

∗ Cox Associates, Denver, CO 80218, USA; [email protected].

RAMCAP™ models the actions of rational adversaries using a “reasonable worst case” approach, as follows:

The worst reasonable case consequence should consider that the adversary is intelligent and adaptive and will attempt to optimize or maximize the consequences of a particular attack scenario. . . . Rational judgment is necessary in defining the reasonable worst case. . . . [T]here is a gaming aspect to the decisions of the adversary. . . [s]uch models have not yet been developed. (RAMCAP™ Framework, pp. 28 and 45)

0272-4332/08/0100-1749$22.00/1 © 2008 Society for Risk Analysis


Table I. RAMCAP™ Terminology

Term: RAMCAP™ Definition

Risk: The potential for loss or harm due to the likelihood of an unwanted event and its adverse consequences. It is measured as the combination of the probability and consequences of an adverse event, i.e., threat. When the probability and consequences are expressed numerically, the expected risk is computed as the product of those values with uncertainty considerations. . . . In security, risk is based on the analysis and aggregation of three widely recognized factors: threat, vulnerability, and consequence.

Conditional risk: A measure of risk that focuses on consequences, vulnerability, and adversary capabilities, but excludes intent. It is used as a basis for making long-term risk management decisions. The adversary capabilities, countermeasures, and residual vulnerability are often combined into a measure of likelihood of adversary success.

Consequence: The outcome of an event occurrence, including immediate, short- and long-term, direct and indirect losses and effects. Loss may include human casualties, monetary and economic damages, and environmental impact, and may also include less tangible and therefore less quantifiable effects, including political ramifications, decreased morale, reductions in operational effectiveness, or other impacts.

Threat: Any indication, circumstance, or event with the potential to cause the loss of, or damage to, an asset or population. In the analysis of risk, threat is based on the analysis of the intention and capability of an adversary to undertake actions that would be detrimental to an asset or population.

Vulnerability: Any weakness in an asset’s or infrastructure’s design, implementation, or operation that can be exploited by an adversary. Such weaknesses can occur in building characteristics, equipment properties, personnel behavior, locations of people, equipment and buildings, or operational and personnel practices.

One purpose of this article is to show how the concept of “reasonable worst case” can be made more precise in some applications by assuming that intelligent attackers optimize (and, where necessary, adapt in light of new information) their attack plans to maximize the expected damage achieved. However, modeling the optimizing behaviors of attackers requires risk assessment models different from Equation (1). The following sections survey some important limitations on approaches that attempt to directly estimate Risk = Threat × Vulnerability × Consequence for purposes of allocating defensive resources, without modeling intelligent planning and optimization by attackers.

2. RAMCAP™ QUALITATIVE RISK ASSESSMENT

Before considering more fundamental limitations of Equation (1), we first consider some flaws in the specific implementation of the equation in RAMCAP™. RAMCAP™ proposes two options for risk assessment, which it calls “qualitative” and “quantitative,” although both are based on semiquantitative (ordered categorical) ratings of Threat, Vulnerability, and Consequence. The “qualitative” approach (which might also be called semiquantitative) categorizes economic consequences using the following rating scale: 0 = $0–25M loss; 1 = $25–50M; 2 = $50–100M; . . . ; 13 = $102,401M and above. Fatalities and injuries are scored similarly: 0 = 0–25 fatalities, 1 = 25–50 fatalities, . . . , 13 = 102,401 fatalities or more, with a similar rating scale for number of injuries. (Severity of injuries is not included in the injury score.) (The RAMCAP™ tables actually leave small gaps between intervals, e.g., $0–25M, $26–50M, $51–100M, etc., so that consequences such as $25.4M or $50.7M do not fall in any category. We assume that “26” includes values greater than 25 and less than 26, and similarly for other gaps.)

Vulnerability is assessed similarly, using a “likelihood of attack success scale” that assigns a score of 0 to success probabilities below 0.0312; 1 to probabilities from 0.0312 to 0.0625; 2 to probabilities from 0.0625 to 0.125; 3 to probabilities from 0.125 to 0.25; 4 to probabilities from 0.25 to 0.5; and 5 to probabilities above 0.5. (Probabilities in “bin” 5 are further subdivided into 0.5–0.75, 0.75–0.9, and greater than 0.9.)

The RAMCAP™ documentation suggests using event tree analysis to estimate the likelihood of attack success. In event tree analysis, different possible sequences of events are represented by corresponding sequences of nodes in a tree (a directed acyclic graph in which each node has a unique parent, except for the first or “root” node, which represents an initiating event such as “Attack attempted”). Nodes represent events, multiple arcs branching from a node represent different possible outcomes of a random event, and the probability of each terminal node (each “leaf” of the tree) is the product of the conditional probabilities of the arcs along the unique path leading from the root node to it. To use event trees to estimate attack success probabilities, the conditional probabilities for the arcs in the tree must be estimated. This begs the question of how such probabilities are to be determined, especially for “events” that represent attacker actions. Several researchers have commented that modeling actions as random variables is inadequate for representing the purposive behaviors of intelligent attackers.(2−4)

Finally, a “conditional risk matrix” (i.e., a risk matrix assuming that an attack takes place) assigns overall conditional risk scores to pairs of consequence and vulnerability scores, via the following formula:

Conditional Risk Score = Consequence Score + Vulnerability Score. (2)

This reflects the identity:

log(vulnerability × consequence) = log(vulnerability) + log(consequence) (3)

because the scales used to rate consequence and vulnerability are logarithmic. (There also appears to be an implicit independence assumption that allows vulnerability and consequence scores to be assessed separately, which might not be realistic.)

The qualitative risk rating does not provide adequate information to guide resource allocation, in general. For example, it assigns the same qualitative risk score (“5”) to (a) a 100% probability of zero fatalities (quantitative risk = 0, qualitative risk = 5 + 0 = 5) and (b) a 20% probability of 100 fatalities (qualitative risk = 3 + 2 = 5). Similarly, a zero probability of a $100 billion loss is given the same risk score (“11”) as a certainty of a $1 billion loss. Such anomalies arise because consequence scores and vulnerability scores are summed to get risk scores; thus, even if one score is zero, the risk score (unlike the quantitative risk) can be nonzero. The scoring also can assign relatively small scores to relatively large risks. For example, a 0.10 probability of 100 deaths (expected value = 10 deaths) would have a smaller risk score (4) than a 0.26 probability of 26 deaths (expected value = 6.76 expected deaths, risk score = 5).

3. LIMITATIONS OF RAMCAP™ FOR QUANTITATIVE RISK ASSESSMENT

RAMCAP™’s “quantitative” approach (which might be called semi-qualitative) is also based on Equation (1). Vulnerability and consequence numbers are calculated as the arithmetic average of the upper and lower values of the “bins” (the value ranges in the preceding “qualitative” approach) for attack success probability and consequence of a successful attack, respectively. All quantities are interpreted as expected values.

The RAMCAP™ framework states that an advantage of using the above formula with a defined set of scales for vulnerability and consequence is that “the risk associated with one asset can be added to others to obtain the aggregate risk for an entire facility. . . [and] can be aggregated and/or compared across whole industries and economic sectors. This is precisely the goal of DHS.” However, such summation is in general mathematically incorrect, as shown in the following examples. Moreover, it lets facility owners manipulate risk estimates up or down, depending on preferences. It is unable to distinguish among some risks (limited resolution) and can give incorrect estimated risk rankings. The following examples illustrate these limitations.

3.1. Example: Distortions Due to Use of Arithmetic Averages on Logarithmic Scales

For the following two risks:

• A: (Vulnerability = 0.25, Consequence = $400M)

• B: (Vulnerability = 1, Consequence = $60M),

the formula Conditional Risk = Vulnerability × Consequence implies that A has a larger conditional risk than B ($100M vs. $60M.) However, RAMCAP™ would assign a vulnerability of (0.125 + 0.25)/2 = 0.1875 and a consequence of (200M + 400M)/2 = 300M to A, implying an estimated conditional risk of 0.1875 ∗ 300M = $56.25M for A. It would assign a vulnerability of (0.9 + 1)/2 = 0.95 and a consequence of (50M + 100M)/2 = $75M to B, implying an estimated conditional risk of 0.95 ∗ $75M = $71.25M for B. Thus, it reverses the correct ranking of these two risks.


3.2. Example: Limited Resolution

RAMCAP™ quantitative risk assessment assigns the same quantitative conditional risk estimate of [(0.125 + 0.25)/2] ∗ [($0 + $25M)/2] = $2.34M to a facility with Vulnerability = 0.15, Consequence = $1M and a facility with Vulnerability = 0.25, Consequence = $25M. Yet, many stakeholders might view these as significantly different risks.

3.3. Example: Manipulating Vulnerability Estimates by Aggregating Attack Scenarios

Suppose that a facility can be attacked via any of six separate approaches (generically called front, back, left, right, top, and bottom). The success probability for each approach (if attempted) is 0.07, and these success probabilities are independent of each other. (This is for illustration only; such independence assumptions may dangerously oversimplify reality.) If one approach is attempted and fails, others may be attempted. The consequence of a successful attack is the same in each case. Thus, the sum of the conditional risks is proportional to the sum of the vulnerabilities contributed by the different approaches: 6 ∗ [(0.0625 + 0.125)/2] = 0.5625.

To achieve a lower vulnerability number, a facility owner can simply represent each possible attack path (e.g., “attack via front,” “attack via back,” etc.) as one possible aspect of the same overall attack (“attack via some approach”). The overall attack has success probability: Pr(attack succeeds) = 1 – Pr(all approaches fail) = 1 – (1 – 0.07)^6 = 0.353, which is coded as (0.25 + 0.5)/2 = 0.375. Thus, the facility owner can claim a vulnerability estimate of either 0.5625 or 0.375, whichever he or she prefers, by choosing to calculate the vulnerability of the facility as the sum of the vulnerabilities from different attack paths or as the vulnerability from overall probability of a successful attack. The claim that “the risk associated with one asset can be added to others to obtain the aggregate risk for an entire facility” is not true in general, as the correct probabilistic formulas, such as Pr(attack succeeds) = 1 − Pr(all approaches fail), are not additive.
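The distortions in Sections 3.1 to 3.3, reproduced as an added Python example (not code from the article or from RAMCAP™). It assumes each bin is closed at its upper bound, which is what the article's worked numbers imply, and it leaves out the open-ended top consequence bin because the page gives no upper value for it; all function names are illustrative.

```python
from bisect import bisect_left

# Bin edges taken from the article's description of the RAMCAP scales.
# Assumption: each bin includes its upper bound (0.25 falls in 0.125-0.25),
# which is what the article's worked numbers imply.
VULN_EDGES = [0.0, 0.0312, 0.0625, 0.125, 0.25, 0.5, 0.75, 0.9, 1.0]
# Consequence in $M: 0-25, 25-50, 50-100, ... doubling up to 102,400.
# The open-ended top bin has no upper value on the page, so it is left out.
CONS_EDGES = [0.0] + [25.0 * 2 ** k for k in range(13)]


def bin_midpoint(value, edges):
    """Arithmetic average of the lower and upper bound of value's bin."""
    if not edges[0] <= value <= edges[-1]:
        raise ValueError(f"{value} is outside the binned range")
    i = max(1, bisect_left(edges, value))  # index of the bin's upper edge
    return (edges[i - 1] + edges[i]) / 2


def true_conditional_risk(vulnerability, consequence):
    """Conditional Risk = Vulnerability x Consequence on the raw values."""
    return vulnerability * consequence


def ramcap_conditional_risk(vulnerability, consequence):
    """Product of bin midpoints, as in the 'quantitative' approach."""
    return (bin_midpoint(vulnerability, VULN_EDGES)
            * bin_midpoint(consequence, CONS_EDGES))


def ranking_reversed(risk_a, risk_b):
    """True if binning orders two (vulnerability, consequence) pairs
    the opposite way from the unbinned product."""
    true_gap = true_conditional_risk(*risk_a) - true_conditional_risk(*risk_b)
    est_gap = ramcap_conditional_risk(*risk_a) - ramcap_conditional_risk(*risk_b)
    return true_gap * est_gap < 0


def summed_vulnerability(p_each, n_paths):
    """Vulnerability obtained by scoring each attack path separately and adding."""
    return n_paths * bin_midpoint(p_each, VULN_EDGES)


def aggregated_vulnerability(p_each, n_paths):
    """Vulnerability obtained by scoring 'attack via some approach' once."""
    p_any = 1 - (1 - p_each) ** n_paths  # independent paths, retried on failure
    return bin_midpoint(p_any, VULN_EDGES)


if __name__ == "__main__":
    a, b = (0.25, 400.0), (1.0, 60.0)          # Section 3.1, consequence in $M
    print("3.1 true:  ", true_conditional_risk(*a), true_conditional_risk(*b))
    print("3.1 binned:", ramcap_conditional_risk(*a), ramcap_conditional_risk(*b))
    print("3.1 ranking reversed:", ranking_reversed(a, b))
    print("3.2 binned:", ramcap_conditional_risk(0.15, 1.0),
          ramcap_conditional_risk(0.25, 25.0))
    print("3.3 summed vs aggregated:", summed_vulnerability(0.07, 6),
          aggregated_vulnerability(0.07, 6))
```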

3.4. Example: Nonadditive Vulnerabilities

Suppose that an attack on a facility succeeds if and only if both of two activities, A and B, are successfully completed. A can be accomplished in either of two ways, A1 or A2, and B can be achieved in either of two ways, B1 or B2. A must be completed before B can be attempted. Thus, the four possible successful attack sequences are (A1, B1), (A1, B2), (A2, B1), and (A2, B2). If each of A1, A2, B1, B2 independently has a 0.4 success probability, then the overall probability of a successful attack is Pr(A is completed) ∗ Pr(B is completed | A is completed) = [1 – Pr(A1 and A2 both fail)] ∗ [1 – Pr(B1 and B2 both fail)] = (1 – 0.6 ∗ 0.6)^2 = 0.41. But summing the vulnerabilities contributed by each of the four attack scenarios (A1, B1), (A1, B2), (A2, B1), and (A2, B2), each having a success probability 0.4 ∗ 0.4 = 0.16, yields a total vulnerability estimate of 4 ∗ 0.16 = 0.64, larger than the correct probability, 0.41.

3.5. Example: Product of Expected Values Not Equal to Expected Value of Product

Suppose that Threat and Vulnerability are each uniformly distributed between 0 and 1 and that Consequence is uniformly distributed between 0 and $25M. RAMCAP™ applies Equation (1) to the expected values of the quantities on its right side, yielding: Risk = (0.5) ∗ (0.5) ∗ ($12.5M) = 3.125M. However, if Threat is perfectly positively correlated with each of Vulnerability and Consequence (with Vulnerability = Threat and Consequence = $25M ∗ Threat), then the correct value of Risk is $6.3M. If Threat is perfectly negatively correlated with each of Vulnerability and Consequence [with Vulnerability = 1 – Threat and Consequence = $25M ∗ (1 – Threat)], then the correct value of Risk is only about $2M. Thus, correlations among the components substantially affect the correct value of Risk.
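Where the two correlated values come from, as an added derivation that is not part of the original article. Write T for Threat, uniform on [0, 1], so that E[T^k] = 1/(k + 1), and measure Consequence in $M. In the positively correlated case (V = T, C = 25T):

\[
E[TVC] = 25\,E[T^3] = 25 \int_0^1 t^3 \, dt = \frac{25}{4} = 6.25 \approx 6.3 .
\]

In the negatively correlated case (V = 1 - T, C = 25(1 - T)):

\[
E[TVC] = 25\,E\!\left[T(1-T)^2\right] = 25 \int_0^1 \left(t - 2t^2 + t^3\right) dt = 25\left(\tfrac{1}{2} - \tfrac{2}{3} + \tfrac{1}{4}\right) = \frac{25}{12} \approx 2.08 .
\]

Both differ from the product of the expected values, E[T]\,E[V]\,E[C] = 0.5 \times 0.5 \times 12.5 = 3.125.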

More simply, suppose that each of T, V, and C is equally likely to be 0 or 1. (For simplicity, here C is scaled to vary from 0 to 1.) Then the product of their expected values is 0.5 ∗ 0.5 ∗ 0.5 = 0.125. But if the variables are interdependent, with the value of C determining the values of T and V via the equations T = C and V = C, then the expected value of their product, TVC, is 0.5, not 0.125. On the other hand, if T = C and V = 1 – C, then the expected value of TVC is 0. Thus, multiplying expected values gives an answer (0.125) that may be very different from the correct expected value of the product, taking into account the dependences among the components, which may be as low as 0 or as high as 0.5. Because the formula Risk = Threat × Vulnerability × Consequence ignores dependences among components, the numerical value of Risk that it produces (with all terms being expected values, as in RAMCAP) may be either higher than the correct value (e.g., 0.125 instead of 0) or lower than the correct value (e.g., 0.125 instead of 0.5).

In practice, positive correlations might arise if intelligent attackers are more likely to attack targets with high Vulnerability and Consequence values, or if some (e.g., unusually large) targets are likely to be both more valuable and more vulnerable than others. Then, Equation (1) with terms interpreted as expected values may underestimate risks.

4. RISK RANKINGS ARE NOT ADEQUATE FOR RESOURCE ALLOCATION

After a risk assessment has been completed, how can its results be used to improve risk management decision making? One common answer is that risk managers should rank order estimated risks from highest to lowest based on the risk assessment results, and then allocate risk management resources to risk-reducing countermeasures (e.g., for vulnerability reduction or consequence mitigation) from the top of the list down, until available resources have been spent. For example, a Department of Energy (DOE) report states that:

the risk values are then determined and ranked from the highest to the lowest producing a relative risk ranking. Obviously, resources should be used to reduce the vulnerabilities or mitigate the consequences from the highest ranked threat scenarios first. In the National Strategy for Homeland Security, it is stated “Protecting America’s critical infrastructures thus require that we determine the highest risks. . . .” In planning security upgrades at Brookhaven National Laboratory, a select committee was established and this relative risk ranking concept was used for ordering the upgrade schedule.(5)

However, allocating resources “to reduce the vulnerabilities or mitigate the consequences from the highest ranked threat scenarios first” may not be an effective way to allocate defensive resources to reduce risks. Effective risk management requires considering risk reductions achieved by different allocations of limited resources. These are not necessarily implied by the sizes of different risks because countermeasures may only partly reduce risks and because costs of different countermeasures constrain which ones can be implemented with available budget. In addition, if the optimal portfolio of risk-reducing activities requires diversifying defensive investment across multiple types of facilities with uncertain but correlated risks, then any priority rule that ranks all instances of one type above all instances of another is obviously inconsistent with an optimal (diversified) selection of risk-reducing activities.

4.1. Example: Priority Ranking May Not Support Effective Resource Allocation

4.1.1. Setting

Suppose that an agency must allocate a limited budget to reduce risks of terrorist attacks. Three opportunities have been identified to reduce risks, as follows:

• Act A reduces risk from 100 to 80. It costs $30.

• Act B reduces risk from 50 to 10. It costs $40.

• Act C reduces risk from 25 to 0. It costs $20.

Here, “risk” is measured on a scale such as expected casualties in the event of an attack, i.e., it is a conditional risk. (This example can also be constructed so that all three acts start from the same base level of risk, say 50, and A, B, and C reduce risk by 20, 40, and 25, respectively. Using different base levels allows for the possibility that options A, B, and C protect different subpopulations.) The goal for resource allocation is to achieve the largest possible total risk reduction for the available budget.

Problem: What priority ranking of A, B, and C achieves the largest risk reduction from allocation of limited funds, if resources are allocated from the top of this priority list down until they are exhausted?

Solution: No priority ranking exists that answers this question. Instead, the correct answer depends on the budget. For a budget of $45, the largest feasible risk reduction is achieved by funding B, so the best priority order puts B first. If the budget is $50, then funding A and C achieves the greatest risk reduction, so B should be ranked last. At $60, the best investment is to fund B and C, so now A should be ranked last. Thus, no rank ordering of A, B, and C optimizes resource allocations independent of the budget. For example, no possible rank order is optimal for budgets of both $49 and $50.

The difficulty illustrated here is that resource-constrained investments in reducing risks cannot in general be optimized using priority rankings. Resource allocation problems that can be solved this way have been characterized,(6) but selecting a portfolio of expensive risk-reducing activities to maximize the risk reduction achieved is not a problem of this type.
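The claim in Section 4.1 can be checked exhaustively. The following added Python example (not from the article) compares the best affordable portfolio of acts A, B, and C with what each of the six priority orders funds; because "from the top of the list down" can be read two ways, it covers both skipping an unaffordable act and stopping at it. Function and parameter names are illustrative.

```python
from itertools import combinations, permutations

# name: (cost in $, risk reduction) from the article's three acts.
ACTS = {"A": (30, 100 - 80), "B": (40, 50 - 10), "C": (20, 25 - 0)}


def best_portfolio(budget):
    """Largest total risk reduction over every affordable subset of acts."""
    best = (0, ())
    for k in range(len(ACTS) + 1):
        for combo in combinations(sorted(ACTS), k):
            cost = sum(ACTS[a][0] for a in combo)
            reduction = sum(ACTS[a][1] for a in combo)
            if cost <= budget and reduction > best[0]:
                best = (reduction, combo)
    return best


def fund_by_priority(order, budget, skip_unaffordable=True):
    """Fund acts from the top of a priority list down.

    skip_unaffordable=True moves on to cheaper acts further down the list;
    False stops at the first act that no longer fits the remaining budget.
    """
    funded, reduction = [], 0
    for act in order:
        cost, gain = ACTS[act]
        if cost <= budget:
            budget -= cost
            reduction += gain
            funded.append(act)
        elif not skip_unaffordable:
            break
    return reduction, tuple(funded)


def rankings_optimal_for(budgets, skip_unaffordable=True):
    """Priority orders that match the optimal portfolio at every given budget."""
    return [
        order
        for order in permutations(sorted(ACTS))
        if all(
            fund_by_priority(order, b, skip_unaffordable)[0] == best_portfolio(b)[0]
            for b in budgets
        )
    ]


if __name__ == "__main__":
    for budget in (45, 49, 50, 60):
        print(budget, best_portfolio(budget), rankings_optimal_for([budget]))
    print("optimal at both $49 and $50:", rankings_optimal_for([49, 50]))
```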


5. SOME FUNDAMENTAL LIMITATIONS OF RISK = THREAT × VULNERABILITY × CONSEQUENCE

Some of the limitations discussed in the preceding sections are specific to RAMCAP™ and can be overcome fairly easily. Instead of using arithmetic averages on a log scale, one could use geometric averages. Instead of discretizing or “binning” estimated values of the Vulnerability and Consequence attributes, one could use point estimates without binning. Instead of simply multiplying expected values, one could adjust for covariance (as in the formulas E(XY) = E(X)E(Y) + Cov(X, Y) or E(XYZ) = E(X)E(Y)E(Z) + E(X)Cov(Y, Z) + E(Y)Cov(X, Z) + E(Z)Cov(X, Y) + E{[X – E(X)][Y – E(Y)][Z – E(Z)]}) or use Monte Carlo simulation to estimate the mean of a product of (possibly correlated) factors. However, other difficulties appear to be intrinsic to Equation (1). This section discusses limitations that appear to be impossible to avoid.

5.1. “Threat” Is Not Necessarily Well Defined

Equation (1) assumes that a Threat probability number exists, at least in principle, reflecting the probability of an attack in a stated interval of time. However, if the attack probability in that interval depends on the assessed Threat number, then any estimate of Threat may be self-defeating. This occurs if attacker’s response to the Threat estimate (or to defender’s actions based on it) invalidates the estimate. In general, any threat estimate that does not model how attackers respond to the threat estimate (and resulting defender actions) may be unreliable. This holds no matter how the threat estimates are arrived at, e.g., whether by Bayesian, frequentist, or other (e.g., game-theoretic) threat assessment.

5.1.1. Example: Self-Defeating Threat Predictions

Suppose that two players, Attacker and Defender, engage in the following game.

Stage 1: Defender estimates the Threat (= attack probability), Vulnerability, and Consequence values for each of M facilities. Defender identifies the N top-ranked (highest Threat × Vulnerability × Consequence values) facilities, where N < M reflects Defender’s resource constraints.

Stage 2: Attacker randomly selects K > 0 of the other (M – N) facilities to attack, with probabilities proportional to their Vulnerability × Consequence values (and independent of their estimated Threat probability numbers). (K reflects Attacker’s resource constraints.)

In this setting, assigning a high enough Threat value to a facility to place it in the top N facilities guarantees that it will not be attacked (true Threat and Risk = 0, conditioned on estimated Threat and Risk being sufficiently high). Thus, estimating a threat as high makes the true threat low. The concept of a threat as a static probability number that is “out there” to be estimated is fundamentally inadequate for protecting against informed, intelligent attackers if the threat estimate itself affects the threat being estimated. Although this example has used a deliberately simple pair of decision rules for Defender and Attacker, it illustrates that Attacker’s strategy may exploit Defender’s own threat estimates and ranking, thus undermining their predictive validity.

5.1.2. Example: Ambiguity of Threat Estimates

Suppose that an adversary will attack a facility within the next year if and only if he knows that the attack will succeed with probability at least 0.8. Suppose that a perfectly reliable and well-calibrated vulnerability assessment expert announces that the probability that an attack on the facility will succeed (assuming, for purposes of the vulnerability assessment, that it is attempted) is 0.33, based on knowledge that an attack can succeed if and only if the adversary has a secret weapon (or inside help, etc.), and the probability of obtaining this required advantage in the next year is only 0.33. A threat assessment expert knowing these probability numbers might well conclude that the facility will not be attacked in the next year (since 0.33 < 0.8). But in reality, the probability of an attack on this facility in the next year is 0.33, the probability that the adversary will gain the secret weapon and then attack. (A 100% chance of a 33% chance of success at the time the adversary makes a go-no go decision would indeed guarantee no attack, but a 33% chance of a 100% chance of success does not.)

5.2. “Vulnerability” Can Be Ambiguous and Difficult to Calculate via Event Trees

The concept of “vulnerability” as the conditional probability that an attack succeeds, given that it is attempted, is vague about how the attack is conducted and what contingency plans an attacker uses if some setbacks are encountered. These details can greatly affect the calculated vulnerability values.

5.2.1. Example: Ambiguity of Attack Success Probabilities Elicited from Experts, Due to Unspecified Implications of an Attack

Suppose that we ask an expert in terrorism risk analysis for (a) the probability that a certain facility will be attacked within the next year (the “threat” to that facility) and (b) the probability that an attack will succeed in destroying or compromising the facility, assuming that an attack is made (the “vulnerability” of the facility). The expert knows (although we do not) that an attack will be made in the next year if and only if the potential attackers first obtain a device that is guaranteed to make the attack successful. Any attack made without that device will fail. The probability that the device is obtained in the next year is 1/3. Based on this knowledge, the answer to question (a) is that the threat is 1/3. But the correct answer to question (b) depends on exactly how the expert interprets the question. If she interprets “assuming that an attack is made” to mean “assume that an attack is made, whether or not the attackers have the device,” then the probability that the attack will succeed is only 1/3 (the probability that the device is obtained prior to the attack). But if she interprets “assuming that an attack is made” to imply that the attackers will necessarily have the device (since otherwise they would not attack), then the probability that the attack will succeed is 1. Which answer, 1/3 or 1, the expert gives in response to question (b) depends entirely on her assumptions about the implications of the assumption that an attack is made. Because no uniquely correct interpretation or set of implications is specified as part of the question, there is no unique correct answer. Using such elicited probabilities to allocate resources makes the allocation depend on interpretations of ambiguous hypothetical conditions, rather than on how terrorists will actually behave.

Suggesting that event tree analysis can be used to estimate vulnerability numbers begs the question of exactly how plans, contingency plans, and adaptive responses (and, if necessary, replanning) of intelligent agents should be modeled so that they can be represented as event trees. The following examples show that treating activities of intelligent attackers as random variables in a standard event tree is generally not adequate for modeling how determined intelligent attackers learn from failure and adaptively modify their plans and behaviors. Risk assessment approaches that do not model such features of intelligent attacks can underestimate risks and misallocate resources.

5.2.2. Example: Ambiguous Elicited Probabilities of Successful Attack

For simplicity, suppose that an attacker moves among only four states, Ready, Succeed, Fail, and Interdicted. The attacker starts in the Ready state. From that state, all he can do is attempt an attack. The attack consists of a single activity, which either succeeds (with probability s) or fails (with probability 1 – s) when attempted. A failed attempt leads to a probability c of being interdicted (“caught”). If this is avoided, then the attacker eventually returns to Ready, perhaps after a delay. This example considers how this simple process might be represented and analyzed via probabilistic risk assessment (PRA), which seeks to characterize risk via the frequency (or probability) and severity of possible adverse consequences.(3)

Problem: If the attack success and interdiction probabilities are s = 0.2 and c = 0.1, respectively, then what is the probability that this situation will end with a successful attack (“vulnerability”)?

Solution: The answer depends completely on exactly how the two probabilities s = 0.2 and c = 0.1 are interpreted, and on the apparently subtle philosophical distinction between aleatory and epistemic probabilities. One possible answer is that the probability of a successful attack is s = 0.2. This is correct if the success probability of s = 0.2 is interpreted as an epistemic probability reflecting uncertainty about whether the attacker can successfully complete the attack activity once it is attempted. (For example, an attack team that rams a car loaded with gasoline into an airport building may have a 20% probability of discovering that this successfully compromises the integrity of the building and kills a large number of people; and an 80% probability of discovering that it does not work very well, and just blows up the car and kills the driver. In this case, attempting the attack will resolve the uncertainty. A success probability of s = 0.2 would then be the answer to the question.)

A different answer is correct if the success probability is interpreted as an aleatory (or stochastic) probability. In this interpretation, failure on one attempt does not reveal that success is impossible: it only means that the attacker was not lucky on that particular attempt. After returning to the Ready state, another attempt could be made, and the probability of success would then be s = 0.2. (For example, this is the interpretation that might be most relevant if “success” of an attack depends on random factors such as the direction of the wind, traffic conditions, or the chance presence or absence of police or detectors at the time of the attack.)

Fig. 1. Transition diagram for a simple stochastic attack process. Arrows indicate possible transitions among the four states (Ready, Succeed, Fail, Interdicted). Each transition arrow is labeled with its probability of occurrence, as follows: s = probability that Succeed follows Ready; 1 − s = probability that Fail follows Ready; c = probability that Interdicted follows Fail; 1 − c = probability that Ready follows Fail.

If the aleatory probability interpretation is used, then the situation moves among different states according to the Markov transition diagram in Fig. 1. There are thus two possible eventual outcomes (absorbing states) of this process: Succeed or Interdicted. The probability of eventual success starting from the Ready state, denoted by p, satisfies the recursive equation:

p = s + (1 − s)(1 − c)p.

That is, it is the sum of the probability of immediate success starting from Ready, which is s, plus [the probability of returning to Ready, which is (1 – s)(1 – c)] × [probability of eventual success starting from Ready, which is p]. The solution is:

p[1 − (1 − s)(1 − c)] = s, or p = s/[s+c(1 − s)].

For the particular numerical values in this example, s = 0.2 and c = 0.1, the probability of a successful attack being completed before interdiction is:

p = s/[s + c(1 − s)] = 0.2/(0.2 + 0.1 ∗ 0.8) = 0.714.

Thus, an aleatory interpretation of the probabilities s = 0.2 and c = 0.1 leads to a predicted risk of 0.714, significantly higher than the predicted risk of 0.2 if an epistemic interpretation is used.
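The aleatory calculation above can be reproduced for any absorbing Markov chain, not only the four-state chain of Fig. 1. The following Python sketch is an added illustration, not code from the article; the function names are assumptions, and it goes beyond the closed form by solving the general linear system for absorption probabilities in exact rational arithmetic.

```python
from fractions import Fraction


def absorption_probabilities(transitions, target):
    """P(eventually absorbed in `target`) from each transient state.

    `transitions` maps every transient state to {next_state: probability};
    a state that never appears as a key is treated as absorbing.
    """
    transient = list(transitions)
    col = {state: i for i, state in enumerate(transient)}
    n = len(transient)

    # Augmented system (I - Q) x = r: Q holds transient-to-transient
    # probabilities, r the one-step probabilities of entering `target`.
    rows = []
    for state in transient:
        row = [Fraction(0)] * (n + 1)
        row[col[state]] += 1
        for nxt, prob in transitions[state].items():
            if nxt in col:
                row[col[nxt]] -= prob
            elif nxt == target:
                row[n] += prob
        rows.append(row)

    # Gauss-Jordan elimination; Fractions keep the result exact.
    for c in range(n):
        pivot = next((r for r in range(c, n) if rows[r][c] != 0), None)
        if pivot is None:
            raise ValueError("no unique solution: the chain may never be absorbed")
        rows[c], rows[pivot] = rows[pivot], rows[c]
        pivot_value = rows[c][c]
        rows[c] = [v / pivot_value for v in rows[c]]
        for r in range(n):
            if r != c and rows[r][c] != 0:
                factor = rows[r][c]
                rows[r] = [a - factor * b for a, b in zip(rows[r], rows[c])]
    return {state: rows[col[state]][n] for state in transient}


def attack_chain(s, c):
    """Transition structure of Fig. 1 for success probability s, interdiction c."""
    s, c = Fraction(str(s)), Fraction(str(c))
    return {
        "Ready": {"Succeed": s, "Fail": 1 - s},
        "Fail": {"Interdicted": c, "Ready": 1 - c},
    }


def vulnerability(s, c, interpretation):
    """Probability that the situation ends in Succeed, under either reading of s."""
    if interpretation == "epistemic":
        # One attempt resolves the uncertainty; there is no second try.
        return Fraction(str(s))
    if interpretation == "aleatory":
        # Repeated attempts until Succeed or Interdicted absorbs the process.
        return absorption_probabilities(attack_chain(s, c), "Succeed")["Ready"]
    raise ValueError("interpretation must be 'epistemic' or 'aleatory'")


if __name__ == "__main__":
    for reading in ("epistemic", "aleatory"):
        p = vulnerability(0.2, 0.1, reading)
        print(f"{reading:9s} p = {p} = {float(p):.3f}")
```

The same inputs s = 0.2 and c = 0.1 give 1/5 under the epistemic reading and 5/7 under the aleatory one, so a vulnerability estimate is only reviewable if the interpretation is recorded alongside the numbers.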

In most practical applications of Equation (1), interpretations of probability numbers (aleatory or epistemic) are left to subject matter experts. Hence it can be unclear how users of such models are supposed to interpret the probabilities produced and whether the risks quantified by the model are correct. For example, defining vulnerability as “conditional probability that an attack succeeds, given that it is attempted” would be inadequate, as it is silent about whether “probability” is to be interpreted as aleatory or epistemic—and this difference matters.

5.2.3. Example: Event Trees Versus Decision Modeling for Actions of Intelligent Attackers

Even if all probabilities are known and are aleatory, standard event tree modeling that ignores rational decision making by an attacker may lead to conclusions and recommendations importantly different from those generated by models that account for the optimizing behavior of intelligent attackers. Treating attackers as optimizers and calculating their best responses to different conditions may allow a defender with limited resources to achieve larger risk reductions than can be produced by any model (including Equation (1)) that ignores details of how intelligent attackers adapt their plans as information becomes available before and during the course of an attack. “Best response” models represented as two-level or few-level hierarchical optimization problems (e.g., in which defender calculates attacker’s best responses to various conditions, and then chooses defensive investments to minimize the damage from attacker’s best response) are typically far easier to formulate, solve, and understand than full game-theoretic analyses, yet are adequate for much practical work in counterterrorism and infrastructure protection.(7)

Problem setting: Suppose that an attack on a facility succeeds if and only if Attacker successfully completes both of two activities, A and B. It costs Attacker 1 unit (on some scale) to attempt each activity. Activities A and B have respective success probabilities of 0.8 and 0.5, when and if each is attempted. The benefit to Attacker of a successful attack is 10 (on a scale comparable to the one used for costs). Attacker acts intelligently to maximize expected net value. He can afford to initiate one attack per year and the facility is one of 100 similar facilities that are equally likely to be targeted; thus, the probability that it will be attacked in a year is assumed by Defender to be Threat = 0.01.

Defender, with a limited budget, must choose which of two expensive countermeasures to implement: option 1 reduces the success probability for attack activity A from 0.8 to 0.24; while option 2 reduces the success probability for activity B from 0.5 to 0.145.

Problem: (a) Which countermeasure should Defender implement, option 1 or option 2 (assuming that he can afford only one)? (b) How much risk reduction will this achieve?

Solution based on traditional event tree analysis: The probability that an attack succeeds is the probability that both A and B succeed. This is 0.8 ∗ 0.5 = 0.4 in the absence of intervention; 0.24 ∗ 0.5 = 0.12 if option 1 is implemented; and 0.8 ∗ 0.145 = 0.116 if option 2 is implemented. Therefore, the decision to implement option 2 maximizes predicted risk reduction. It reduces the predicted conditional risk of a successful attack (conditioned on an attack being attempted) from 0.4 to 0.116.

Solution accounting for intelligent decision making by adversary: An intelligent adversary maximizes the expected net benefit of an attack by trying the activities in order of decreasing failure-probability-per-unit-cost ratio until no remaining activity has positive expected value. This is a simple example of an index policy for dynamic optimization.(8−10) Thus, Attacker’s optimal strategy if Defender does nothing to reduce vulnerabilities is to first attempt activity B (having a failure-probability-per-unit-cost ratio of 0.5/1 = 0.5) and then attempt activity A (having a failure-probability-per-unit-cost ratio of 0.2/1 = 0.2) if B succeeds. This attack sequence has an expected net benefit to Attacker of (−1 to attempt B) + (0.5 probability that B succeeds) ∗ [(−1 to attempt A) + (0.8 probability that A succeeds) ∗ (10 benefit if B & A both succeed)] = −1 + 0.5 ∗ (−1 + 0.8 ∗ 10) = 2.5. Since this is positive, it is worthwhile for Attacker to undertake an attack.

If option 2 is implemented, then the optimal attack still attempts activity B first (with a failure-probability-per-unit-cost ratio of 0.855) and then, if B succeeds, attempts A (with a failure-probability-per-unit-cost ratio of 0.2/1 = 0.2), for an expected net benefit to Attacker of (−1 to attempt B) + (0.145 probability that B succeeds) ∗ [(−1 to attempt A) + (0.8 probability that A succeeds) ∗ (10 benefit if B & A both succeed)] = −1 + 0.145 ∗ (−1 + 0.8 ∗ 10) = 0.015. Again, an attack is worthwhile.

However, if option 1 is implemented, then it is best for Attacker to attempt activity A first (with a failure-probability-per-unit-cost ratio of 0.76/1 = 0.76) and then, if A succeeds, attempt B (with a failure-probability-per-unit-cost ratio of 0.5/1 = 0.5), for an expected net benefit to Attacker of (−1 to attempt A) + (0.24 probability that A succeeds) ∗ [(−1 to attempt B) + (0.5 probability that B succeeds) ∗ (10 benefit if B & A both succeed)] = −1 + 0.24 ∗ (−1 + 0.5 ∗ 10) = −0.04. Since the expected net benefit of this attack is negative, the attacker has no attractive attack opportunity left at this target location. (Trying B first and then A if B succeeds would have an expected value of (−1 to attempt B) + (0.5 probability that B succeeds) ∗ [(−1 to attempt A) + (0.24 probability that A succeeds) ∗ (10 benefit if B & A both succeed)] = −1 + 0.5 ∗ (−1 + 0.24 ∗ 10) = −0.30.)

Therefore, the optimal defensive strategy, taking into account the Attacker’s intelligent responses to different countermeasures, is to implement option 1. Doing so reduces the risk from 0.4 to 0. This differs significantly from the recommendations and predicted risk reduction made above using event tree analysis, which models Attacker’s behavior using random variables instead of optimized decisions.
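The two solutions can be set side by side in a short program. The following Python sketch is an added illustration, not code from the article: it finds Attacker’s best response by exhaustively enumerating attempt orders and evaluating each by backward induction (a substitute for the index policy, practical only for small activity sets), and all function and variable names are assumptions.

```python
from itertools import permutations
from math import prod

BENEFIT = 10.0                      # Attacker's payoff if every activity succeeds
COST = 1.0                          # cost to attempt any one activity
BASELINE = {"A": 0.8, "B": 0.5}     # success probabilities with no countermeasure
OPTIONS = {                         # Defender can afford exactly one of these
    "neither": {},
    "option 1": {"A": 0.24},
    "option 2": {"B": 0.145},
}


def sequence_value(order, p_success):
    """Expected net benefit to Attacker of attempting activities in `order`.

    Backward induction: after the first attempt Attacker continues only while
    the remaining expected value is positive, otherwise he abandons (value 0).
    """
    later = BENEFIT
    for activity in reversed(order[1:]):
        later = max(0.0, -COST + p_success[activity] * later)
    return -COST + p_success[order[0]] * later


def best_response(p_success):
    """Attacker's best order, its value, and the resulting success probability."""
    order = max(permutations(p_success), key=lambda o: sequence_value(o, p_success))
    value = sequence_value(order, p_success)
    if value <= 0:
        # No order has positive expected value, so no attack is attempted.
        return None, value, 0.0
    return order, value, prod(p_success.values())


def event_tree_risk(p_success):
    """Conditional risk if the attack is simply assumed to be attempted."""
    return prod(p_success.values())


def evaluate_options():
    """Score every Defender option under both models."""
    table = {}
    for name, change in OPTIONS.items():
        p = {**BASELINE, **change}
        order, value, risk = best_response(p)
        table[name] = {
            "event_tree_risk": event_tree_risk(p),
            "attacker_order": order,
            "attacker_value": value,
            "best_response_risk": risk,
        }
    return table


def defender_choice(metric):
    """Option that minimizes the given risk metric."""
    table = evaluate_options()
    return min(table, key=lambda name: table[name][metric])


if __name__ == "__main__":
    for name, row in evaluate_options().items():
        print(f"{name:9s} event tree {row['event_tree_risk']:.3f}  "
              f"best response {row['best_response_risk']:.3f}  "
              f"order {row['attacker_order']}  value {row['attacker_value']:+.3f}")
    print("event tree picks:   ", defender_choice("event_tree_risk"))
    print("best response picks:", defender_choice("best_response_risk"))
```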

The principle illustrated in this example—that modeling an intelligent attacker’s intelligent (optimizing, adaptive) behavior leads to different recommendations and risk estimates from traditional event tree analysis—also applies to expected-utility-maximizing attackers with exponential utility functions and to attack opportunities with general precedence constraints.(9) The lesson here is that event trees can be used, but that they do not represent or solve Attacker’s and Defender’s key planning and decision problems. These must therefore be solved using other principles, such as the index policy illustrated above.

A different approach, involving optimization of decisions based on their probable consequences, taking into account the actions of opponents, is essential. This example has illustrated a very simple case of a two-level hierarchical optimization in which Defender can evaluate each feasible alternative course of action (i.e., implement option 1, option 2, both, or neither) by calculating Attacker’s best response to it. This enables Defender, in turn, to choose a best course of action for reducing risk, taking Attacker’s best response into account. This general approach, mathematically reminiscent of leader-follower games, has been developed by military operations researchers into a powerful planning and resource allocation technique that appears to be practical for many counterterrorism and infrastructure protection risk management applications (e.g., Reference 7). Hierarchical optimization dispenses with the Threat component, conceived of as a single number to be estimated, and goes beyond simplistic estimates of vulnerability in Equation (1). Instead, it focuses on predicting and controlling attacker behaviors via the incentives created by defensive investments. Hierarchical optimization can produce strategies (perhaps mixed) for the opponents as outputs, rather than requiring them as inputs. Such modeling avoids both the (potentially unrealistic) idealizations of game theory(3) and the limitations of Equation (1).

5.2.4. Example: Probabilistic Versus Decision Modeling for Actions of Intelligent Attackers

This example reinforces the previous one by showing that, even in the absence of any complicated optimization calculations, an attacker who simply “follows the path of least resistance” (by picking activities that are most likely to succeed in completing the attack) may behave very differently from what a simple PRA model of an attack would predict.(2) As a result, the best choice of countermeasures may differ from what would be recommended using PRA calculations that treat attacker activities as random variables rather than as outcomes of intelligent planning and adaptation to intelligence about countermeasures.

Suppose that public health is threatened if some logical combination of events takes place. For clarity, consider this small example, with only four basic events:

• A = a specific infectious agent is introduced into a building via air intake;

• B = the infectious agent is introduced into the building via drinking water;

• C = the agent escapes detection until after building occupants are exposed and some become infected;

• D = one or more people become ill or die as a result of the undetected exposure.

The probability of D over the next year can be calculated as follows:

Pr(D) = Pr(D | C) ∗ Pr(C) = Pr(D | C) ∗ [Pr(C | B) ∗ Pr(B) + Pr(C | A) ∗ Pr(A) − Pr(C | A&B) ∗ Pr(B | A) ∗ Pr(A)].

In this expression, each of the initiating events A and B would typically be assigned an estimated annual frequency of occurrence. Pr(C | B) and Pr(C | A) reflect any detection countermeasures that are in place. Pr(D | C) reflects virulence, time to diagnosis, and availability of effective treatments.

If the numbers are Pr(A) = 0.01, Pr(B) = 0.02, Pr(C | A) = 0.5, Pr(C | B) = 0.4, Pr(D | C) = 0.2, and Pr(A & B) = Pr(B | A) ∗ Pr(A) is small enough to ignore, then the annual probability predicted for D would be estimated as:

Pr(D) = Pr(D | C) ∗ [Pr(C | B) ∗ Pr(B) + Pr(C | A) ∗ Pr(A)] = 0.2 ∗ [0.4 ∗ 0.02 + 0.5 ∗ 0.01] = 0.0026.

A countermeasure that reduces the nondetect probability for airborne agents from 0.5 to 0.25 would reduce predicted risk to 0.0021 (i.e., by (0.0026 − 0.0021)/0.0026 = 19.2%). A countermeasure that reduces the nondetect probability for waterborne agents from 0.4 to 0.2 would reduce predicted risk to 0.0018 (i.e., by 30.8%). Installing both countermeasures reduces predicted risk to 0.0013, i.e., by half.

If the initiating events are caused by intelligent attackers with good intelligence about what countermeasures have been implemented, then the risk assessment changes dramatically. Absent countermeasures, such an attacker who has sufficient resources to afford an average of 0.01 + 0.02 = 0.03 attacks per facility-year at this location would focus on the path of least resistance or greatest success probability, i.e., the airborne route. Doing so creates an annual risk of: 0.2 ∗ [0.4 ∗ 0 + 0.5 ∗ 0.03] = 0.0030. A countermeasure that reduces the nondetect probability for airborne agents from 0.5 to 0.25 would cause the attacker to shift the attack toward waterborne attacks. After the countermeasure has been implemented, the new risk becomes 0.2 ∗ [0.4 ∗ 0.03 + 0.25 ∗ 0] = 0.0024, corresponding to only a 7.7% reduction in risk. Implementing a countermeasure that reduces the nondetect probability for waterborne agents from 0.4 to 0.2 would leave the optimal attack strategy (airborne route) and resulting risk unchanged at 0.0030. Implementing both countermeasures would reduce risk to 0.0015 (or possibly to 0, if a success probability of only 0.0015 is too low to justify the attacker’s investment of resources).

In summary, for the same total frequency of initiating events (i.e., 0.03 per year), the intelligent attack gives a slightly higher predicted risk than a fault-tree model (0.0030 instead of 0.0026). However, the two approaches give very different predictions for the effects of alternative risk management countermeasures. For example, a countermeasure that reduces the nondetect probability for waterborne agents from 0.4 to 0.2 would reduce predicted risk to 0.0018 in the fault-tree model, but would leave it unchanged at 0.0030 in the intelligent attacker model. The two models have opposite implications for which countermeasure to implement if only one can be afforded. The purely probabilistic model predicts that the larger risk reduction is achieved by the countermeasure that reduces nondetect probability for the waterborne route, while the intelligent attacker model predicts that implementing this countermeasure will leave risk unchanged. Thus, it is important to use decision-optimizing models rather than purely probabilistic models if initiating events do in fact result from the efforts of intelligent agents who adapt their attacks to exploit relative weaknesses in defenses. The reason is that intelligent agents can use information as it becomes available to continually update their strategies (for example, to follow the changing path of least resistance until no attractive path forward remains). This type of adaptation to exploit changing situations is not evident in standard PRA models for applications without intelligent agents.
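The comparison in this example can be tabulated for every combination of countermeasures. The following Python sketch is an added illustration, not code from the article: the countermeasure labels and function names are assumptions, the joint term Pr(A & B) is ignored as in the text, and the adaptive model is written for any number of routes rather than only two.

```python
from itertools import combinations

P_HARM_GIVEN_UNDETECTED = 0.2                    # Pr(D | C)
ROUTE_FREQUENCY = {"air": 0.01, "water": 0.02}   # Pr(A), Pr(B) per year
NONDETECT = {"air": 0.5, "water": 0.4}           # Pr(C | A), Pr(C | B)

# Hypothetical labels for the two countermeasures: (route, new nondetect probability).
COUNTERMEASURES = {
    "air detection": ("air", 0.25),
    "water detection": ("water", 0.2),
}


def nondetect_with(installed):
    """Nondetect probability per route once `installed` countermeasures are in place."""
    nondetect = dict(NONDETECT)
    for name in installed:
        route, value = COUNTERMEASURES[name]
        nondetect[route] = value
    return nondetect


def pra_risk(installed=()):
    """Fault-tree estimate: route frequencies stay fixed whatever Defender does."""
    nondetect = nondetect_with(installed)
    exposure = sum(ROUTE_FREQUENCY[r] * nondetect[r] for r in ROUTE_FREQUENCY)
    return P_HARM_GIVEN_UNDETECTED * exposure


def adaptive_risk(installed=()):
    """Informed attacker: the whole attack frequency goes to the weakest route."""
    nondetect = nondetect_with(installed)
    total_frequency = sum(ROUTE_FREQUENCY.values())
    return P_HARM_GIVEN_UNDETECTED * total_frequency * max(nondetect.values())


def best_single_countermeasure(model):
    """Countermeasure a one-item budget should buy according to `model`."""
    return min(COUNTERMEASURES, key=lambda name: model((name,)))


def comparison_table():
    """Risk under both models for every subset of countermeasures."""
    names = list(COUNTERMEASURES)
    rows = []
    for size in range(len(names) + 1):
        for subset in combinations(names, size):
            rows.append((subset, pra_risk(subset), adaptive_risk(subset)))
    return rows


if __name__ == "__main__":
    for subset, pra, adaptive in comparison_table():
        label = " + ".join(subset) or "none"
        print(f"{label:32s} PRA {pra:.4f}   adaptive attacker {adaptive:.4f}")
    print("PRA recommends:     ", best_single_countermeasure(pra_risk))
    print("adaptive recommends:", best_single_countermeasure(adaptive_risk))
```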

5.3. “Consequence” Can Be Ambiguous and/or Subjective

In many applications, the Consequence term in Equation (1) is interpreted as a single number. (Of course, the number can be drawn from a distribution or arrived at via multiattribute modeling.) This number may represent the midpoint of a range or the mean of a probability distribution for multiple possible consequences. However, in general, there is no unique “correct” way to represent an uncertain consequence by a single number.(11) Such numbers are inherently either subjective (if they are calculated for a particular, stated risk attitude) or ambiguous (otherwise).

5.3.1. Example: Values of Uncertain Consequences Are Subjective or Ambiguous

The following example is adapted from Cox.(11) Decision analysis (e.g., Reference 12, p. 208) proves that, for a decisionmaker with an exponential utility function, the certainty equivalent (CE) value of a prospect with normally distributed consequences is CE(X) = E(X) − k ∗ Var(X), where

• k = a parameter reflecting aversion to risk (k = 2 × coefficient of risk aversion);

• E(X) = mean of prospect X;

• Var(X) = variance of prospect X; and

• CE(X) = certainty equivalent value of X (i.e., the deterministic value that is considered equal in value to the uncertain prospect).

For example, consider three prospects (e.g., attack scenarios), A, B, and C, having normally distributed consequences (on a scale such as financial impact, life-years lost, etc.) with respective means of 1, 2, and 3 and respective variances of 0, 1, and 2. Then, the CEs of prospects A, B, and C for a decisionmaker with exponential utility and parameter k are:

CE(A) = 1; CE(B) = 2 − k; CE(C) = 3 − 2k.

For a risk-neutral decisionmaker (for whom k = 0), the ordering of the prospects from the largest to the smallest CE value is therefore C > B > A. For a risk-averse decisionmaker with k = 1, all three prospects have the same CE value of 1. For a more risk-averse decisionmaker with k = 2, the ordering of the prospects is A > B > C. Thus, the CEs of the severities of the prospects are oppositely ordered by decisionmakers with different degrees of risk aversion. This illustrates that there is no objectively correct ordering of CEs that is independent of subjective attitudes toward risk.

Risk assessments based on Equation (1) typically do not specify or record the risk attitudes of those who use it. Therefore, the Consequence value assigned to an event with uncertain consequences typically has ambiguous meaning: a different planner with a different risk attitude might assign a different value, and neither choice is objectively (independent of the subjective risk attitude) better than the other. (If a specific numerical interpretation of consequence categories is given, then variations of this example can be constructed to make the value represented here as “1” fall on the boundary between two consequence categories, thus showing that the correct classification of an uncertain risk is also ambiguous or subjective.)

6. DISCUSSION AND CONCLUSIONS

The concepts of Threat, Vulnerability, and Consequence as numbers that experts can estimate and use in calculating risk are problematic for assessing risks from intelligent adversaries. Threat estimates may be self-defeating if attackers use intelligence about the defender’s own threat estimates to help decide where and when to attack. Vulnerability, meaning the probability that an attack succeeds if it is attempted, may depend on the attacker’s ability to dynamically replan and continue the attack when obstacles are encountered. The information needed to predict what an intelligent attacker will do and how likely he or she is to succeed must include such contingent actions, and therefore is not well represented by a single vulnerability number. Rather, vulnerability is perhaps better represented as a model for calculating the conditional probability that an attack will succeed if the attacker plans optimally (and then reoptimizes throughout the course of the attack as new information becomes available). The correct answer to “How likely is it that an attack will succeed?” typically depends on the attacker’s response to the defender’s preparations. Attempting to assess vulnerability holistically, or by standard PRA techniques, without explicit analysis of the attacker’s best responses can produce misleading risk estimates and poor risk management recommendations.

Finally, when the consequences of an attack are very uncertain (perhaps depending on factors such as wind direction and speed at the time of attack and ability to warn and/or evacuate people quickly and effectively), the use of Consequence numbers may be inherently subjective and/or ambiguous. Even in principle, there may be no set of Consequence numbers that different rational risk managers (having different risk attitudes) agree with.

These limitations suggest that Equation (1) ignores some key problems. It forces practitioners to try to use and interpret numbers that have no clear conceptual definitions and that do not model the planning, learning, and adaptive replanning of intelligent attackers. Although expert probability elicitation techniques can certainly be applied even to poorly defined or meaningless quantities, simply eliciting numerical values does not resolve the conceptual limitations of Threat, Vulnerability, and Consequence numbers, nor model what real attackers will do to achieve their goals, nor make the elicited values useful for predicting risks or for priority setting and resource allocation.

What would be better? Perhaps the most important improvement is to model attacker actions not as random events, but as results of intelligent, goal-directed choices that are responsive to information about defenses and about success or failure of attempted actions. Several technical options for such modeling have been developed, including the following.

• Decision tree analysis. This generalizes event tree analysis by allowing choice nodes as well as chance nodes in the tree representing attack sequences. At each choice node, the attacker can decide what to do next based on all the information available at that node (i.e., the sequence of event outcomes and actions that led to it). Intelligent attacks are modeled by assuming that, at each choice node, the attacker chooses the outgoing arc that maximizes conditional expected utility starting from that node. (A decision tree goes beyond TVC by allowing T = “probability of attack” and V = “probability of success” to evolve as future information items (events or actions) become known. Thus, “threat” and “vulnerability” are not simply numbers, but stochastic processes with numerical values that change contingent on different information. Risk is not determined by multiplying T, V, and C, but by optimizing via backward dynamic programming in a decision or game tree.) Off-the-shelf decision tree software products provide extensive support for commercial-quality quantitative risk analysis using decision trees.(4,13)

• Probabilistic activity AND-OR networks. A practical limitation in formulating decision trees is that they can be very large when there are many choices to be made. (For example, if N activities must be completed to accomplish a certain goal, and if they can be attempted in any order, then there is a choice of N! possible orders in which to try them.) One solution to this problem(8) is to represent attack opportunities as stochastic activity networks in which nodes represent activities, arcs represent precedence constraints, and each activity has a specified probability of being successfully completed if it is attempted and requires a specified amount of time (or other resources) to attempt. The attacker uses an optimal index policy (Denardo et al., 2004) to continually choose the most promising remaining path forward, given the outcomes of activities attempted so far, and abandons the attack only when no attractive path forward (with positive expected value to the attacker) remains.

• Project planning models of terrorist attacks. Such models apply off-the-shelf project planning and risk analysis software to represent the interdependent tasks that terrorists must successfully undertake to complete planned attacks; to plan in what order to attempt these activities; and to calculate the overall probability of successful completion from the success probabilities for individual tasks.(13)

• Hierarchical optimization. This focuses on optimizing allocations of defensive resources, assuming that attackers will then adopt “best responses” to the allocations. This suggests two- (or more-) level hierarchical optimization, as in the simple examples in the previous section and the more complex real-world applications in Reference 7. Synergies or other interactions among defensive options magnify the value of optimizing allocations, rather than using holistic scores or priority orders to allocate defensive resources.

These and other approaches such as game theory models(3) typically do not even attempt to assess Threat, Vulnerability, and Consequence numbers or scores as inputs. Instead, they focus on modeling how intelligent attackers can best exploit opportunities to do damage and how defenders can optimize allocation of defensive resources to minimize the damage that attackers can do, assuming that the attackers will take full advantage of remaining weaknesses.

Regardless of which technical option(s) are used, treating attackers as intelligent opportunists, rather than as dice-rolling random variables, appears promising for overcoming key limitations of purely probabilistic modeling approaches.(2−4) Rather than trying to assess risks holistically based on probability judgments about what damage attackers may do (e.g., through expert judgments of Threat, Vulnerability, and Consequence scores), it is far more useful—and technically practical—to focus on optimizing defenses, assuming that attackers will then optimize their attacks accordingly.

ACKNOWLEDGMENTS

I am extremely grateful to an anonymous reviewer who provided detailed, thoughtful comments on technical substance (e.g., pointing out that two-level optimization can produce mixed strategies as outputs) and exposition (e.g., questioning whether it would not be better to introduce decision trees rather than relying on index policies). The article was much improved by this reviewer’s suggestions. I also thank Professor Bill Huber for deriving a formula for the expected value of the product of any number of variables in terms of their means and covariances and for drawing my attention to Rio-type inequalities for expectations of products of random variables. I thank Professors Gerald Brown and Vicki Bier for many stimulating conversations on game-theoretic approaches, optimization approaches, and alternatives for protecting the United States against terrorist attacks. All views in this article are solely my own.

REFERENCES

1. RAMCAP™ Framework. 2006. Available at: www.asme-iti.org/RAMCAP/RAMCAP Framework 2.cfm.

2. Golany B, Kaplan EH, Marmur A, Rothblum UG. Nature plays with dice—terrorists do not: Allocating resources to counter strategic vs. probabilistic risk. European Journal of Operational Research, 2009; 192:198–208.

3. Bier VM, Cox LA Jr, Azaiez MN. Why both game theory and reliability theory are important in defending infrastructure against intelligent attacks. Chapter 1 in Bier VM, Azaiez, MN (eds). Game Theoretic Risk Analysis of Security Threats. New York: Springer 2009.

4. National Research Council (NRC). Committee on Methodological Improvements to the Department of Homeland Security’s Biological Agent Risk Analysis, Department of Homeland Security Bioterrorism Risk Assessment: A Call for Change. Washington, DC: National Academies Press, 2008. Available at http://www.nap.edu/catalog.php?record id=12206#toc.

5. Indusi JP. Terrorist Protection Planning Using a Relative Risk Reduction Approach. Upton, NY: Brookhaven National Laboratory. BNL-71383-2003-CP; 2003. Available at http://www.pubs.bnl.gov/documents/25368.pdf.

6. Bertsimas D, Nino-Mora J. Conservation laws, extended polymatroids and multiarmed bandit problems: Polyhedral approach to indexable systems. Mathematics of Operations Research, 1996; 21(2):257–306.

7. Brown G, Carlyle M, Salmeron J, Wood K. Defending critical infrastructure. Interfaces, 2006; 36(6):530–544.

8. Cox LA Jr. A probabilistic risk assessment program for analyzing security risks. In LA Cox, Jr., Ricci PF (eds). New Risks: Issues and Management (pp. 331–340). New York: Plenum, 1990.

9. Denardo EV, Rothblum UG, Van Der Heyden L. Index policies for stochastic search in a forest with an application to R&D project management. Mathematics of Operations Research, 2004; 29(1):162–181.

10. Sethuraman J, Tsitsiklis JN. Stochastic search in a forest revisited. Mathematics of Operations Research, 2007; 32(3):589–593.

11. Cox LA Jr. What’s wrong with risk matrices? Risk Analysis, 2008; 28(2):497–512.

12. Infanger G. Dynamic asset allocation strategies using a stochastic dynamic programming approach. In SA Zenios & WT Ziemba (eds). Handbook of Assets and Liability Management, vol. 1. New York: North Holland, 2006. Chapter 5.

13. von Winterfeldt D, O’Sullivan TM. Should we protect commercial airplanes against surface-to-air missile attacks by terrorists? Decision Analysis, 2006; 3(2):63–75.

14. Rosoff H, von Winterfeldt D. A risk and economic analysis of dirty bomb attacks on the ports of Los Angeles and Long Beach. Risk Analysis, 2007; 27(3):533–546.