McGill Research Blog

• For a limited time we won't use chemicals to sweeten our drinks… http://twitpic.com/zexcd #

Powered by Twitter Tools

Send article as PDF to

• This is the year that will make or break me (more likely the former, I hope…)… #
• When will @mightcould come to central PA? Their sounds are awesome and great for late night writing… #

Powered by Twitter Tools

Send article as PDF to

• Sipping on my last espresso doppio in Milan before heading back to the states… Italy is truly my favorite vacation place… #
• Wow… getting home from Milan really sucked… I mean, it was truly awful… travel to the US from Europe is really a pain these days… #
• After Friday, I will be taking a four month break from traveling… traveling anywhere, especially to DC, is such a drag on time and energy #
• USAirways lost my son's stroller… guess who had to carry his squirmy 25lb body for 2 hours on the hot, overcrowded customs line at PHL? #
• Whoah… there is some sort of debate thing happening on my Facebook wall… should I intervene? What should I do? #
• One of yesterday's speakers had a heart attack right before she was going to answer a colleague's question… I hope she is all right now… #

Powered by Twitter Tools

Send article as PDF to

Note: Article updated on 17 Jan 2010

In 1981, Kaplan and Garrick published a paper entitled “On the Quantitative Definition of Risk” that defined risk as the set of all ordered triplets comprised of answers to the following triplet of questions (Kaplan and Garrick 1981):

• What can go wrong?
• How likely is it to go wrong?
• What are the consequences?

These three questions set the stage for what most risk professionals consider to be the fundamental questions of risk assessment. In recent years, more questions have been suggested, including:

• How much uncertainty is present in the analysis? (Lowder 2008)
• Over what time frame? (Haimes 2009)
• Are these risks tolerable?

In 1991, Professor Yacov Haimes offered a second set of three questions focused on the practice of risk management (Haimes 1991):

• What can be done?
• What options are available and what are the benefits and costs of each?
• What impact do these options have on future options?

Mr. Bob Ross offered a few more interesting risk questions, including several for establishing the risk context (Ross 2009):

• What are my risk management responsibilities?
• What outcomes and objectives am I expected to achieve?
• How are risks perceived by those to whom I am answerable?

Ross also offered a few more for risk management (labeled risk response or more generally risk treatment):

• What could I do about it? (the “options” part of the second Haimes risk management question)
• What should I do about it?
• What will I do about it?

And a few more on risk management effectiveness:

• How well is my chosen course of action working?
• Has anything changed that requires altering my existing risk management measures?
• Are there current trends and/or potential future developments that could require altering my existing risk management measures?

At a high level, Dr. Tony Cox summarizes all of risk analysis in terms of four high-level questions as follows (Cox 2009):

• How bad is it? (Risk Assessment)
• What to say about it? (Risk Communication)
• What to do about it? (Risk Management)
• Who to blame for it? (Risk Attribution)

Seeing how the ultimate goal of studying risk in general is to communicate risk knowledge to people that can then use it to make better (i.e., risk informed or risk supported) decisions. Risk communication, then, must consider the following lower-level questions that would help analysts decide on what to say about risk (Morgan et al. 2002; Apgar 2006):

• What does the intended recipient think or know?
• What does the recipient need to know?
• How should it be told?

Mr. Bob Ross offered the following additional questions for risk communication:

• Between whom does it need to be communicated?
• How can the necessary risk information be most effectively communicated?

Of course, there is always the risk that a communication goes south, thus we should also entertain the questions:

• How likely is it that the communication will work?
• How bad would it be if it doesn’t?

If you look carefully at these questions, you might find some overlap among them and also find that they may be interpreted in different ways by different people. In fact, we could consolidate all of these questions into a triplet of risk analysis triplets. These are summarized as follows.  Given a clearly and precisely specified situational context (e.g., security context), risk analysis centers on the following nine broad questions:

Risk Assessment Triplet

1. What can happen? Answer: scenarios characterized by the pairing of cause and outcome, where associated with outcome is the time frame
2. How likely is it? Answer: product of probability of cause and probability of outcome given cause; uncertainy in the answers is captured using imprecise probabilities
3. How bad would it be? Answer: severity of the cause/outcome pair

Risk Communication Triplet

1. What does the recipient presently think, know and perceive? Answer: the recipient’s mental model and lens for interpreting and integrating new information
2. What does the recipient need to know? Answer: key messages to improve the recipient’s understanding
3. How should it be told? Answer: in what form must the information be communicated and who should communicate it, this includes all risks associated with communications

Risk Negotiation Triplet*

1. What can be done? Answer: the types of changes that can be made in the time frame of interest
2. What options are available? Answer: Answer: real feasible options that are available with assessed benefits and costs of each, where benefits and costs include impact on future options, and all assessments include uncertainty
3. What should be done? Answer: compares benefits, costs and risks of each option in addition to other factors with a variety of non risk-related alternatives including the “do-nothing” option

*Note: In this context, Risk Negotiation refers to an organization’s discussions and deliberations around a variety of risk treatments relative to the organization’s attitude and tolerance for risk.

Risk management revisits this triplet of triplets over and over again in perpetuity. With time, we learn how well our choices fared through continuous analysis and reanalysis of our systems and their environments. With every action we take, the systems we protect respond with new or modified risks with updated probabilities and severities, and new options and considerations emerge while others become infeasible or irrelevant. And of course, with time and change comes new uncertainties and misunderstandings, both of which require the dedicated attention of risk professionals to study and resolve.

References

Apgar, D. (2006). Risk Intelligence: How to Manage What You Don’t Know. Harvard Business School Press (ISBN 1591399548).

Coles-Kemp, L. (2009). “The Effect of Organisational Structure and Culture on Information Security Risk Processes.” Risk Research Symposium (link here).

Cox, L. A. (2009). “Traditional and Current Risk Analysis.” Presented at the MORS 2009 Workshop, April 2009 (link here).

Haimes, Y. Y. (1991). “Total Risk Management.” Risk Analysis, Vol. 11, No. 2, pp. 169-171 (doi link).

Haimes, Y. Y. (2009). “On the Complex Definition of Risk: A Systems-Based Approach.” Risk Analysis, Vol. 29, No. 12, pp. 1647-1654 (doi link).

Kaplan, S. and Garrick, B. J. (1981). “On the Quantitative Definition of Risk.” Risk Analysis, Vol. 1, No. 1, pp. 11-27 (doi link).

Lowder, J. (2008). “The Difference Between Quantitative and Qualitative Risk Analysis and Why it Matters (Part 1).” BlogInfoSec.org (link here).

Morgan, M. G., Fischhoff, B., Bostrom, A. and Atman, C. (2002). Risk Communication: A Mental Models Approach. Cambridge University Press (ISBN 0521002567).

Ross, R. G. (2009). “Total Risk Management Revisited.” Working Paper.

Send article as PDF to

• Might Could is an awesome band… http://bit.ly/8d2tJq … their albums are available on iTunes… good for late night risk analysis… #
• Why do I always get stuck working on a short-fused project during the holiday season? It seems I will be working up until my flight to Italy #

Powered by Twitter Tools

Send article as PDF to

I typically come across a few excellent quotes that really resonate with what I am presently thinking about whenever I go on a paper reading binge.  Here are some interesting ones that I found recently:

Every year (or, perhaps, every day), some new industry or institution discovers that it, too, has a risk problem.  It can, if it wishes, repeat the learning process that its predecessors have undergone.  Or, it can attempt to short-circuit that process, and start with its product, namely the best available approaches to risk communication. – Baruch Fischhoff (1995)

Contemporary approaches to disaster reduction need to become more concerned with human-to-human relations, such as conflict resolution and consensus building among people, rather than human-to-nature relations. – Katsuya Yamori (2008)

References

Fischhoff, G. (1995). “Risk Perception and Communication Unplugged: Twenty Years of Process.” Risk Analysis, Vol. 15, No. 2, pp. 137-145 (doi link).

Yamori, K. (2008). “Narrative Mode of Thought in Disaster Reduction: A Crossroad for Narrative and Gaming Approaches.” in Sugiman, T., Gergen, K. J., Wagner, W. and Yamada, Y. eds. Meaning in Action: Constructions, Narratives and Representations.  Springer, pp. 241-252 (doi link).

Send article as PDF to

(This is the first post containing a Nasrudin tale related to risk…)

Nasrudin was throwing handfulls of crumbs around his house.

‘What are you doing?’ someone asked him.

‘Keeping the tigers away.’

‘But there are no tigers in these parts.’

‘That’s right.  Effective, isn’t it?’ (Shah 4)

From a risk management point of view, Nasrudin asserts that because of his actions (i.e., throwing handfulls of crumbs around his house), all risks associated with the presence of tigers has been mitigated.  That is, Nasrudin believes that his actions reduced the probability of tiger presence to zero, thus bringing risk to zero.  And because no tigers have appeared, Nasrudin suggests that his strategy is “effective.”

Anyone have a good modern analogy to this sillyness?

References

Shah, I. (1983). The Exploits of the Incomparable Mulla Nasrudin.

Send article as PDF to

One of the projects I am currently working on centers on post-blast investigation, with a particular emphasis on inferring the center of a blast insult against a target (whatever it might be), the size of the charge and whether any directional effects were present based on observed distress of engineered materials and structures.  In the process of researching this topic, me and my postdoc (Andrew Sorensen) discovered a variety of interesting materials, both old and new.  Those that were new, we bought.  Those that were old and no longer available for purchase, we tracked down.  Here is what we came up with:

New References (i.e., available for purchase as new)

• Beveridge, A. Ed. (1998). Forensic Investigation of Explosives. CRC Press. ISBN 0748405658.
• Harmon, D. E. (2008). Careers in Explosives and Arson Investigation. Rosen Central. ISBN: 1404213465.
• National Fire Protection Association (2008). NFPA 921 Fire & Explosion Investigations 2008 Edition. NFPA Press. Doc Number: NFPA 921.
• Noon, R. (1995). Engineering Analysis of Fires and Explosions. CRC Press. ISBN: 084938107X.
• Thurman, J. T. (2006). Practical Bomb Scene Investigation. CRC Press. ISBN: 0849341981.

Old References (i.e., not available new, you would be lucky to find them used)

• Biggs, J. M. (1964). Introduction to Structural Dynamics. McGraw-Hill. 0070052557. Download.
• Herman, S. (1975). Bomb Scene Investigation. Download.
• U.S. Army. (1971). Industrial Defense Against Civil Disturbances, Bombings Sabotage. Download.
• Yallop, H. G. (1980). Explosion Investigation. Forensic Science Society and Scottish Academic Press. ISBN: 0950242551. Download.

Online References

• U.S. Department of Justice (2000). A Guide for Explosion and Bombing Scene Investigation. Technical Working Group for Bombing Scene Investigation, NCJ 181869. Download.

What am I missing?  Tell me and I will get a copy.

Send article as PDF to

Rather than sleeping, I decided to read an article by Leonard B. Loeb entitled “Military Security in a Scientific Age” published in Science, Vol. 120, No. 3109 (July 30, 1954), pp. 15-163 (link here).  In it I found the following paragraph that seemed to resonate with my interests:

… it is only during a war that weapons development can be prosecuted, politically and economically, to greatest advantage and also it is only during a given conflict that strategic and tactical problems are sufficiently clearly defined to enable efficient weapons and devices development.  It is only when the aggressor moves and discloses his strategy, weapons and tactics that the planning to defeat him can be properly undertaken.  Doubtless under these conditions the aggressor enjoys the initial advantage, but such advantage of initiative is in all ways on the side of the aggressor who can choose time, place and means.  When the conflict begins, then and only then, can the nonaggressor nation that is richer in scientific potential go into effective action against an adversary who has frozen his weapons into production some years before he attacks.  Thus the aggressor’s weapons are on the obsolecent side once he initiates action, while the nonaggressor can go into production on newer type weapons (p. 162).

I think this quote says a lot when viewed in the context of our modern security problems.

Send article as PDF to

One of my undergraduate research students (Nick Picciano) came across an interesting 1970’s manual published by the International Association of Chiefs of Police entitled Ambush Attacks: A Risk Reduction Manual for Police.  DOWNLOAD HERE.

This manual is interesting in that it focuses on educating police officers on how to minimize their chances of becoming a victim of a surprise attack.  The first section (for which I am missing the table of contents for) provides an overview of ambush attack events, which according to this manual is defined as an attack that possesses all of the following three characteristics:

• Suddenness
• Surprise
• Lack of Provocation

The remainder of section one summarizes statistics on the types of injuries resulting from ambush attacks, time of day/day of week when they occur, types (direct attacks, sniper attacks, or coordinated), types of weapons used, US regions where they occur, officer ranks involved, past criminal history of the assailants, etc.  These statistics were drawn from data collected in the early 1970’s.

The second section of this manual describes ambush countermeasures (leadership/policy, field operations, intelligence, training, equipment). There are a lot of neat images that accompany this section, a few of which are excerpted below:

Send article as PDF to