June, 2008


The Fallacy of the “Worst Reasonable Case”: A Preemptive Critique

Sunday, June 8th, 2008

According to a model for homeland security risk analysis that is currently under consideration for use in supporting resource allocation decisions, the formula for the risk associated with a specified scenario is as follows:

Risk = C * L(S|A) * L(A)  (Equation 1)

where L(A) is the likelihood of an attack being attempted, L(S|A) is the likelihood of adversary success given attack, C is the consequences following a successful attack, and the total risk is obtained by summing the results of Equation 1 for all relevant scenarios.  At first glance, it would appear to the casual reader that this model is simply an implementation of risk measured in terms of expected loss, with the exception of the non-standard notation L(.) for expressing the probability of the event contained within the parentheses (I disagree with this notation, but let’s just go with it for now). Further elaboration of this model was presented at a recent workshop I attended, where it was noted that the consequence variable C corresponded to the “worst reasonable case” consequences given a successful attack.

Equation 1 is a valid representation of risk if and only if the consequence represents a conditional expected consequence, that is, the mean value of consequence given adversary success. In other words, Equation 1 works in the context of risk expressed as an expected loss, all things considered.  While admittedly I have no information that fully explains the intent of the qualifying phrase “worst reasonable case,” one can reasonably assume from this phrasing that such a consequence takes on a value well above the mean, perhaps positioned somewhere in the upper tail of the corresponding probability distribution on loss.

For the sake of argument and without loss of generality, let’s assume that worst reasonable case corresponds to some percentile value above the median, say 90%. That is, the worst reasonable case loss according to this hypothetical interpretation is the value of loss that will not be exceeded in 9 out of 10 cases (or rather, will only be exceeded in 1 out of 10, or 10% of attacks). Alternatively, worst reasonable case can be taken as the conditional average value of loss in some finite region of the upper tail, or any other percentile value above the median. Of course, the exact interpretation of “worst reasonable case” is vague, but assuming that it takes on any value other than the mean is equally valid in making the point in this critique.

One reasonable assumption in using the risk model in Equation 1 is that given inputs for consequence characterized as “worst reasonable case” for each scenario, the result from Equation 1 should be the “expected worst reasonable case” consequence in light of non-zero probabilities of adversary success and failure and non-zero probabilities for attack and no attack. As described in any textbook on risk analysis or decision theory, the use of an expected conditional loss given success in Equation 1 yields risk that is, in fact, in terms of an expected loss across all included scenarios. Now assuming that “worst reasonable case” preserves its interpretation in the context of both “worst reasonable case” consequence given success and “expected worst reasonable case” consequence (e.g., “worst reasonable case” always implies a percentile value of 0.9 or 90%), does Equation 1 adhere to this assumption? Only one single counterexample of how the translation does not hold is necessary to answer this question in the negative.

Example: Consider two scenarios, labeled “Scenario 1” and “Scenario 2” with conditional consequence distributions (given a successful attack) shown in Figure 1. From these distributions, the “worst reasonable case” (at 90%) is 12.6 and 6.3 for Scenarios 1 and 2, respectively. Now let’s assume that the probability of adversary success for Scenario 1 has been determined to be 0.8 (probability of adversary failure is 0.2), and the same parameter for Scenario 2 has been determined to be 0.7 (probability of adversary failure is 0.3). This gives conditional consequence distributions (given attack) for both scenarios as shown in Figure 2, where it is assumed that attack failure produces no consequence. From these conditional consequence distributions given adversary success, the “conditional worst reasonable case” consequences are 12.3 and 6.1 for Scenarios 1 and 2, respectively.

Now, let’s further assume that the probability of attack in a given time frame is 0.4, with 0.7 of this probability being allocated to Scenario 1 and the balance (0.3) being allocated to Scenario 2. From this extra information, the probabilities of attack for Scenarios 1 and 2 are 0.28 and 0.12, respectively (0.6 probability of no attack). The aggregate consequence distribution is shown in Figure 3. Recalling that we are setting “worst reasonable case” to the 90th percentile value on loss, the “worst reasonable case” consequence in light of the conditional consequences and probabilities for attack (and no-attack) and success (and failure) for each scenario is in the low 10’s (just read the consequence value off the chart that corresponds to a probability of 0.9 on the y-axis).

Figure 1. Cumulative probability distribution functions for the simple conditional consequence distribution given adversary success for Scenarios 1 and 2

Figure 2. Cumulative probability distribution functions for the simple conditional consequence distribution given attack for Scenarios 1 and 2

Figure 3. Cumulative probability distribution functions for the aggregate consequence distribution

For Equation 1 to be mathematically valid, it must be coherent. That is, the “worst reasonable case” as read from the distribution in Figure 3 must equal that calculated from Equation 1. Let’s see if this is the case. For Scenario 1, the “worst reasonable case” consequence conditioned on adversary success is 12.6, with a probability of adversary success of 0.8 and a probability of attack of 0.28. Thus, the “expected worst reasonable case” consequence for Scenario 1 is (12.6)(0.8)(0.28)=2.8. For Scenario 2, the “worst reasonable case” consequence conditioned on adversary success is 6.3, with a probability of adversary success of 0.7 and a probability of attack of 0.12. Thus, the “expected worst reasonable case” consequence for Scenario 2 is (6.3)(0.7)(0.12)=0.5. Adding these two values together gives a “total expected worst reasonable case” consequence of (2.8)+(0.5)=3.3. This value for “expected worst reasonable case” is NOT equivalent to the value read from the plot in Figure 3. In fact, according to Figure 3, a consequence of 3.3 is about equal to the 70th percentile on aggregate loss. THIS VALUE IS MARKEDLY LESS THAN THE ACTUAL “WORST REASONABLE CASE VALUE”, which suggests that the value obtained from Equation 1 may SIGNIFICANTLY UNDERESTIMATE the worst reasonable aggregate consequence. This effect is even more exaggerated when considering many more than 2 scenarios.
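The counterexample can be checked numerically. The Python below is an added example, not the author's code: since the distributions behind Figure 1 are not given on this page, it assumes normal consequence distributions (mean 10, s.d. 2 for Scenario 1; mean 5, s.d. 1 for Scenario 2) chosen to match the quoted 90th percentiles, and it assumes at most one attack per time frame.

```python
from statistics import NormalDist

# ASSUMPTION (not from the page): normal consequence distributions picked so
# that their 90th percentiles match the quoted 12.6 and 6.3.
# Each entry: (consequence given success, P(success | attack), P(attack)).
SCENARIOS = [
    (NormalDist(mu=10.0, sigma=2.0), 0.8, 0.28),  # Scenario 1
    (NormalDist(mu=5.0, sigma=1.0), 0.7, 0.12),   # Scenario 2
]
LEVEL = 0.90  # "worst reasonable case" read as the 90th percentile


def quantile_given_success(dist, level=LEVEL):
    """Worst reasonable case consequence given a successful attack."""
    return dist.inv_cdf(level)


def quantile_given_attack(dist, p_success, level=LEVEL):
    """Same percentile once failed attacks (zero consequence) are mixed in."""
    p_fail = 1.0 - p_success
    if level <= p_fail:
        return 0.0  # the percentile falls inside the point mass at zero
    return dist.inv_cdf((level - p_fail) / p_success)


def aggregate_cdf(x, scenarios=SCENARIOS):
    """P(loss <= x) for x >= 0 over no attack, failed attack and success."""
    p_loss = sum(p_s * p_a for _, p_s, p_a in scenarios)
    cdf = 1.0 - p_loss  # no attack, or an attack that failed
    for dist, p_s, p_a in scenarios:
        cdf += p_a * p_s * dist.cdf(x)
    return cdf


def aggregate_quantile(level=LEVEL, scenarios=SCENARIOS, hi=100.0):
    """Invert the aggregate CDF by bisection on [0, hi]."""
    lo = 0.0
    if aggregate_cdf(lo, scenarios) >= level:
        return 0.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if aggregate_cdf(mid, scenarios) < level:
            lo = mid
        else:
            hi = mid
    return hi


def equation_1(scenarios=SCENARIOS, level=LEVEL):
    """Equation 1 with C set to the worst reasonable case, summed over scenarios."""
    return sum(quantile_given_success(d, level) * p_s * p_a
               for d, p_s, p_a in scenarios)


if __name__ == "__main__":
    for i, (dist, p_s, _) in enumerate(SCENARIOS, start=1):
        print(f"Scenario {i}: given success {quantile_given_success(dist):.1f}, "
              f"given attack {quantile_given_attack(dist, p_s):.1f}")
    eq1 = equation_1()
    print(f"Equation 1 total:             {eq1:.1f}")
    print(f"Aggregate 90th percentile:    {aggregate_quantile():.1f}")
    print(f"Percentile of Equation 1 sum: {aggregate_cdf(eq1):.2f}")
```

Under these assumed distributions the Equation 1 total sits near the 70th percentile of the aggregate loss, while the actual 90th percentile is roughly three times larger.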

Bottom Line: Unless “worst reasonable case” consequence is another way of saying “expected” consequence (which I doubt, otherwise the word “expected” would be used), there is no guarantee that Equation 1 produces results that are coherent with more rigorous calculations on the underlying probability distributions. Accordingly, Equation 1 is improper for use in the context of informing resource allocation decisions for homeland security.


Critical Infrastructure Protection: Metrics and Tools Workshop

Thursday, June 5th, 2008

From 5-7 June 2008, I will be attending the “Critical Infrastructure Protection: Metrics and Tools” workshop sponsored by The Center for Homeland Defense and Security, Naval Postgraduate School, in Monterey, CA.

The agenda for this conference is as follows:

Thursday, 5 June 2008

1800-1830: Opening Speaker, Brandon Wales (Department of Homeland Security)

1830-2000: Reception (Cocktails and Hors D’oeuvres)

——————————

Friday, 6 June 2008

0800-0815: Coffee/Tea

0815-0830: Introduction and Orientation, Ted G. Lewis (Naval Postgraduate School) and Tom Mackin (California Polytechnic State University)

0830-0900: Prioritizing Assets in Critical Infrastructure Systems, by Hilda Blanco (University of Washington)

0900-0930: Strategic Homeland Infrastructure Risk Assessment, by Kristine Poptanich (Department of Homeland Security)

0930-1000: Threat-Based Approach to Risk Case Study: The Strategic Homeland Infrastructure Risk Assessment (SHIRA), by Kim Jin, Geoffrey S. French, and Pasha Vasilev (CENTRA Technology, Inc.)

1000-1030: Break

1030-1100: The Importance & Challenge of Integrating Assessments of Threat, by Deanne Morgan (Royal Canadian Mounted Police)

1100-1130: Techniques for Adversary Threat Probability Assessment, by William McGill (Penn State University) [ME]

1130-1200: The Mathematics of Terrorism Risk: Equilibrium Force Allocations and Attack Probabilities, by Michael R. Powers (Temple University)

1200-1330: Lunch

1330-1400: A Service Oriented Approach (SOA) to the IT-based Protection of Critical Infrastructures – A First Approach to Integrate SOA Into a Complex Operational Analysis Within Risk Assessment and Risk Management Processes, by Stefan Pickl (University of the Federal Armed Forces, Munich)

1400-1430: Modeling Population Response to Asymmetric Warfare, by Maksim Tsvetovat (George Mason University)

1430-1500: Probabilistic Project Management for a Terrorist Planning a Dirty Bomb Attack on a Major US Port, by Richard John (University of Southern California)

1500-1530: Break

1530-1600: Maritime Security and Risk Assessment Methodology (MSRAM): Balancing Resources to Risk, by Brady Downs (US Coast Guard)

1600-1630: Introduction to the Terrorism Risk Assessment and Management (TRAM) Methodology, by Chel Stromgren (Department of Homeland Security)

1630-1700: Convergence of Critical Infrastructure Protection and Continuity of Operations in Banking and Finance: A Network Modeling Framework for Holistic Risk Management in the Financial Services Sector, by Stephen Lieberman (University of Connecticut)

——————————

Saturday, 7 June 2008

0800-0830: Coffee/Tea, Pastry and Fruit

0900-0930: The Healthcare and Public Health Sector: Challenges and Strategies to Conducting Sector Wide Assessments, by Harry Mayer (Office of Health and Human Services)

0930-1000: How Much and on What?, by Robert Powell (University of California at Berkeley)

1000-1030: Problems in Cascading Networks, by Ted Lewis (Naval Postgraduate School)

——————————


Audiobooks for the Risk Professional Taking a Summer Road Trip

Wednesday, June 4th, 2008

Lately I have been doing a lot of traveling between State College, PA and Washington, DC for meetings and such.  To pass the 3.5-hours minimum driving time each way, I, like many others, listen to audiobooks on subjects that excite me.  The following is a list of titles for good audiobooks I listened to that are sure to educate, if not inspire, risk professionals.  Note that I purchased all these books from Audible.com via iTunes.

  • Freakonomics, by Steven D. Levitt and Stephen J. Dubner.  The essence of this book was that everything is governed by incentives.  But, as the author points out in his preface, there really is no coherent theme to the book; it is just a compilation of interesting studies focused on such things as the connection between child names and socioeconomic status (imagine someone named Orangejello and Lemonjello, both siblings), the connection between crime and legalized abortion, incentives for drug dealing, and so on.  This book runs about 7 hours in the car, and is between $10 and $20.
  • Predictably Irrational: The Hidden Forces that Shape Our Decisions, by Dan Ariely (Prof. Ariely maintains a blog that talks about irrational things he encounters in daily life or hears about from others).  This book basically describes the science of behavioral economics via a variety of fun case studies highlighting just how predictable humans are at being irrational.  Prof. Ariely covers such issues as the impact zero cost has on a consumer vice very low cost, say, 0.01-cents.  Also the role of relativity in getting people to do what you want.  For example, envision providing two options to a decision problem that are completely different such that the decision maker cannot make an intuitive judgment call as to which is better.  Let’s call them option A and option B.  According to Ariely’s account, if you provide a third option C that is similar, yet inferior, to your preferred option (call it A), then it is very likely that the “decider” will choose option A since now he is empowered to make an intuitive judgment as to which is better.  That is, because the decision maker can now compare option A with option C on the basis of similarity, he can confidently say A is better than C.  Yet he still cannot make any statement as to whether A or C is better than B.  So, he chooses A.  I wonder what implications this has for risk communication and intelligence briefing…  This audiobook runs about 7 hours, and is between $10 and $20.
  • Blink: The Power of Thinking Without Thinking, by Malcolm Gladwell.  We all know that most people aren’t deliberate in their decision making process, especially if they are “experts” in the subjects they are called to task on.  Yet, despite what many people say about how analysis is good, people do surprisingly well by going by first instinct (of course, I would only trust the intuition of someone expert in the domain of which I seek information; in experts I kinda-sorta trust, all others bring sound data and reasoning).  The focus of this book is on those snap judgments that seem to arise from no conscious thought at all.  The author talks about how in some cases more data is not a good thing, particularly if it is irrelevant, non-diagnostic, and so on.  Thin-slicing is an interesting theme that is present throughout much of the book – people tend to make sense of a situation by taking a thin slice of what is going on.  That is, people only pay attention to just a few of the seemingly infinite number of environmental cues to size up a situation or make a judgment about the future.  Of course, expertise allows us to separate the cues that matter from those that don’t.  What worries me, personally, are those decision makers that think they see something going on related to a cue that matters, or perhaps believe that an irrelevant cue has significant bearing on, say, the likeliness of an undesirable future event.  How can intelligence and risk analysts characterize the mental models of their customers so as to tailor intelligence products that help them correctly size-up a situation while mitigating the effects of erroneous thinking?  Beats me at the moment.  This book runs about 7 hours, and costs between $10 and $20.
  • Gut Feelings: The Intelligence of the Unconscious, by Gerd Gigerenzer.  If you like the three books above, this book goes the next step.  I am only half-way through this book, so I will defer commenting on it until later.  But if you are interested in understanding better the science behind gut feelings, intuition, and snap judgment, this book is a good listen.  What does separate this book from the others is its connection to fast and frugal heuristics, which are described in Prof. Gigerenzer’s book Simple Heuristics that Make Us Smart.  As with the others, this book is about 7 hours long, and costs between $10 and $20.

The one thing I noticed from these books is that they cross reference the same published research.  So, while these studies have been peer-reviewed by numerous scholars and are well respected, be mindful of systematic bias… (but in this case this bias is a good thing since it is supported by sound science).

One last point – I liked these titles so much that I actually purchased a hard copy of each for handy reference.  Perhaps you will like them as much as I.  Happy listening!


Words Thou Shall Be Careful to Use in Risk (and Analytic) Communication

Tuesday, June 3rd, 2008

To follow up on my previous post regarding the work of Peter Sandman, I can’t help but advertise his short, yet important article entitled “Risk Words You Can’t Use” published in the August 2005 issue of The Synergist.  While this article is a quick read, I will distill it down further and caveat some with my personal experience:

  • Conservative: To risk people, conservative means an overestimate of risk.  To laypeople, a “conservative” estimate is a low estimate.  So whereas a risk person would use conservative to overstate the risk, a layperson (or perhaps decision maker) may interpret the message to be an understatement of risk, and thereby think that the risk could be much worse.  Now, engineers and scientists understand what is meant by the word “conservative,” as in my “conservative analysis still shows the structure will not fail.”  And fortunately for me, when I described my idea of conservative discounting of expert opinions (to be explained in a later post that I will link to when it is available) I was speaking to an audience of security engineers.  I will keep Sandman’s advice to not use the word conservative when speaking to non-technical audiences, and instead opt for the word “overestimate.”
  • Significant/Insignificant: To risk people and statisticians, a significant finding is one that is non-random.  To laypeople, whether an issue is significant depends on their emotions and value structure.  So, to tell people that the terrorism risk is insignificant might not communicate well.  It is true (right now based on our current understanding and situation) that a person’s individual risk to terrorism is very, VERY low, but the outrage is high, and thus the public’s emotional response might label terrorism as a significant threat.
  • Positive/Negative: To risk people, a positive relationship means that when one variable goes up, so does the other.  To laypeople, a “positive” relationship is favorable from the point of view of risk.  The same can be said of negative relationships.
  • Bias: Bias to a risk person means non random.  Bias to a layperson spells deceit.
  • Anecdotal: Anecdotal evidence to a risk person means the evidence is just one sample from a much larger sample space.  Anecdotal to a layperson suggests the evidence is an amusing story.  This word might not bode well when talking about anecdotal evidence on poor public response following a catastrophic event.
  • Risk [my personal favorite]: To risk people, the risk associated with a situation describes its probability and the corresponding consequences.  To laypeople, risk usually refers only to the probability component.  In fact, when lecturing on the use of “uncertainty phrases,” I often emphasize that the word “likely” is not an adverb tied to any particular notion, but one that can be used to qualify likeliness, confidence, and risk.  Of course, people probably consider how they feel about a hazard when judging whether the probability, or rather risk to them, is acceptable.  Others, particularly when speaking about finances, use risk to describe uncertainty – the higher the risk, the more uncertain the outcome.  The philosopher Frank Knight sides with these interpretations in his description of “risk proper,” or measurable uncertainty, described in Risk, Uncertainty, and Profit. Most people argue that the only measure of uncertainty, at least when it comes to gambling situations, is probability, so what Knight is suggesting is that assessing “risk proper” is equivalent to a probability assessment.  But Peter Sandman suggests that what people really mean by risk is how outraged they feel about the situation.
  • Safe: To risk people, safety is the judgment of risk tolerance.  If we are safe, then the risk does not exceed some threshold value (whether implicit or explicit).  To laypeople, “safe” = “no risk,” that is they treat it as a binary concept – you are either safe or you are not.  Or rather, there is risk or there is not.  I suppose the same reasoning can be extended to the word secure: to risk people, if we are secure, then the residual adversary risk is low enough for us to accept; to laypeople, “secure” = “no harm will come to them” in the event of an attempt.  Relative statements about safety and security are unambiguous though – to say something is more or less safe or secure than another thing is perfectly acceptable.
  • Prepared: To be prepared means that we possess the capabilities and vigilance necessary to deal with a hazardous situation when it arises.  To risk people, preparedness is tied to risk acceptability – if we are prepared, then we have the capabilities needed to keep risk overall at an acceptable level.  To laypeople, prepared, like safe and secure, is taken to mean no (or perhaps minimal) harm will come to them.
  • Confident: To say to someone else that you are confident when you are merely hopeful is not okay.  In the eyes of laypeople, confident = surety, though perhaps not so much anymore if the word has lost its meaning in the eyes of risk communication consumers.

From my experience, I have five types of phrases to add:

  • [Low/Moderate/High] Confidence: Philosophically speaking, to the analyst, anything said with a non-zero degree of confidence implies some degree greater than even odds of being correct.  This means that both “low confidence” and “high confidence” judgments are believed to be the right answer vice any alternative, but “low confidence” statements are afforded less commitment and as such are pegged to a representative probability value closer to 0.5 than a “high confidence” judgment.  To the decision maker, however, the scale may be expanded from a half probability scale to a full probability scale, where the words “low,” “moderate,” and “high” span the entire range.  So when the analyst says something with “moderate” confidence to indicate, say, a 75% chance of being correct, the decision maker might see it as a 50/50 judgment.  I would love to experiment with this to see whether or not what I just described is true.
  • “In General”: When mathematicians use the phrase “in general,” they mean what they say applies to all cases.  When lay people use the phrase in general, they mean that what they say is believed to apply to a simple majority of cases.
  • Likely, Probable [and other uncertainty phrases]:  To risk people, the word likely conveys some degree of likeliness that exceeds 50%.  To laypeople, likely may communicate likeliness or risk.  In the latter, one might find that something deemed “likely” to a layperson may have an objectively low probability of happening, yet a high enough impact if it does to warrant use of the term in their non-probabilistic minds.  But whoever said words like “likely” and “probable” can only be used in the context of probability theory?  After all, what came first – the word “probable” or the “theory of probability?”
  • Likelihood versus Likeliness: To mathematicians, “likelihood” means something very specific.  The likelihood of something in the context of Bayes theorem is the functional expression Pr(B|A) (read as “the probability of B given A”) whose input argument is “A.”  That is, the “likelihood” is the hypothetical probability distribution constructed over a space of events conditioned on the occurrence of “A.”  The “likelihood function” or simply “likelihood” L(A|B) is proportional to Pr(B|A).  To non-mathematicians, including most (if not all) dictionaries, “likelihood” describes the notion of chance, where probability is one such measure of likelihood for an event.  According to WordReference.com, the word “likeliness” is an equivalent word for “likelihood,” but doesn’t carry with it all the mathematical baggage that might confuse a mathematician.  This is why I always use the word “likeliness” to characterize the notion of chance instead of “likelihood.”
  • Possible: To mathematicians and risk people, a “possible” event is one that carries with it a non-zero probability.  More specifically, a possible event is one that is admitted into the set of alternatives (sample space) for a given question.  To non-mathematicians and laypeople, the word “possible” may be used to describe degree of chance or even risk.  How often have you heard people use possible to convey the likeliness of an event?  I read a study published by Sarah Lichtenstein and J. Robert Newman in 1967 (Psychonomic Science, Vol. 9, No. 10, pp. 563-564) that showed that a group of 177 people, when individually asked to place numbers on words that convey uncertainty, could not agree on a probability value for the word “possible.”  The results showed a range of responses spanning probabilities of 0.01 to 0.99, with a median at 0.49.  What does this say?  To me this study makes my point – possible means that the probability is greater than 0, but we don’t know where.  But it also says that, at a micro level, possible might actually assign a value to possible.  Fortunately, the word “impossible” does not suffer the same ambiguity.

I am curious to hear your thoughts on these and other words that we should be careful about using in the context of risk communication, or “analytic communication” for that matter.


Risk Communication and Risk Perception: Risk as Hazard + Outrage (a la Peter Sandman)

Tuesday, June 3rd, 2008

For those unfamiliar with this description of risk, check out the website maintained by Peter Sandman.  Dr. Sandman is a scholar on risk communication and risk perception, and has made a name for himself via the concept “Risk = Hazard + Outrage.”  He has published some very interesting things, one of which can be found on my list of 100 books to review.  A selection of his works is available electronically on his curriculum vitae.

Back to the formula “Risk = Hazard + Outrage”…  This is not a mathematical formula in any strict sense of the word.  Rather it is conceptual in nature, where the “risk” is defined by the objective nature of the “hazard” and augmented by the “outrage” felt by the individuals exposed to it.  Through his many inquiries into how people perceive risk, Dr. Sandman put forward what I will call “Sandman’s First Law of Risk Communication” (though he states it may be the only law): Outrage, not hazard, drives reputation (I might prefer to replace the word “reputation” with “acceptability”).  Basically, regardless of whether the hazard is objectively high or low, the outrage felt by the public or decision maker is what drives the degree of risk attached to a hazardous phenomenon.  People tolerate objectively high hazard (e.g., driving) if the outrage is low, whereas people do not accept objectively low hazards (e.g., terrorism) if the outrage is high.  The reputation of a risk manager or decision maker charged with making decisions that affect risk is driven more by how well they manage outrage than how they manage hazard.  Based on this view, Dr. Sandman suggests ways for managing outrage.

Much of Dr. Sandman’s work emphasizes the point that the Society for Risk Analysis makes in their stated definition of risk:

Risk analysis is broadly defined to include risk assessment, risk characterization, risk communication, risk management, and policy relating to risk. Our interests include risks to human health and the environment, both built and natural. We consider threats from physical, chemical, and biological agents and from a variety of human activities as well as natural events. We analyze risks of concern to individuals, to public and private sector organizations, and to society at various geographic scales. Our membership is multidisciplinary and international.

That is, risk analysis includes risk assessment, risk management AND risk communication (among other topics).  Based on Sandman’s work, it seems that though a high risk hazard can be managed so as to bring the risk down to a level acceptable to the risk manager, the strategies used to mitigate risk may be inadequate or insufficient unless accompanied by strategies to manage the outrage felt by those affected by the hazard.  Sound risk policy must effectively manage risks assessed to be high, and must also manage the outrage felt by the targets of risk.  For a risk analysis to be complete, it must look at an issue from all angles.

Now I leave it to you (and myself) to check out the rest of Dr. Sandman’s work to better understand his philosophy on risk communication and risk perception.  This is interesting stuff, but keep in mind there is a lot more to read on this issue of risk communication and risk perception, in particular the following:
