October, 2008


The Three or Four “D”s of Security

Monday, October 6th, 2008

The authors of a book I read recently spoke of the “three D’s” of security: “denial,” “detection,” and “deterrence” (the latter being my personal favorite).  These “three Ds” brought to mind another set of “Ds” I came across while on an ASME Fellowship to the Department of Homeland Security in 2003-2004: “detect,” “delay,” “defend,” and “devalue.”  This post talks about these two different sets of security “D” words, and the extent to which one is or is not better than the other.

To begin this discussion, let’s first consider a logical expression for security vulnerability, which is usually expressed in terms of the probability of adversary success given attempt:

Pr(S) = 1 – Pr(“Detect”)·Pr(“Engage”)·Pr(“Neutralize”)

In words, this equation states that adversary non-success (defender success) requires that the defender detect, engage (which consists of delay and response) then neutralize the adversary (in sequence) – failure to do any one of these will result in adversary success (barring any random things outside the protector’s control that might thwart the adversary’s attempt).

From the point of view of the equation above, DHS is dead on and more.  The equivalence of detection is evident.  In order to engage an adversary, one must respond to the adversary prior to him executing an attack.  Delaying an adversary long enough to respond enables engagement – the longer the delay, the greater likeliness that the defenders will respond in time to do something to stop him.  Defense is essentially equivalent to neutralization in that the objective is to thwart the attacker once engaged.  So, the first three “Ds” of the DHS security quartet correspond to the three parameters of the security vulnerability equation.

But where does devalue fit in?  I must admit that I never heard anyone use the word “devalue” in the context of security prior to my days at DHS.  The focus on devalue is not on improving security, but on improving the resilience or hardness of a system to withstand an attack.  That is, a “devalued” target is one that has been modified in such a way that would result in less loss to the defender (and hence less gain to the adversary) in the event of an attack.  In this sense, devalue seeks to influence adversary target selection by making it intrinsically difficult to achieve the desired gain even when the security system fails.  For example, without doing anything to improve security, the switch to using bleach instead of chlorine in a water treatment facility in effect devalues such a target since bleach is much less harmful to humans in the event of its deliberate release.  Adversaries bent on exploiting infrastructure to harm adjacent communities might be less interested in attacking a water treatment plant that made such a shift.

Now consider the security triplet described by Fuqua and Wilson (i.e., deny, detect, deter; see my recent post on their 1977 book) in light of the above equation for security vulnerability.  Fuqua and Wilson essentially looked at the security problem from the point of view of an asset owner (e.g., the “executive”).  Again, the equivalence in the detection term is evident.  “Denial” considers the combination of both engagement and neutralization following detection (such as by a local police force), as well as simple barriers that can’t realistically be overcome (e.g., 12-foot walls followed by several layers of fences covered in razor-wire), distance or terrain with deadly animals (e.g., attack dogs, flocks of scary geese, alligators in moats), etc.  Denial, though, is focused more broadly on denying success in whichever way possible; detection need not occur for an adversary to be denied opportunity. The combination of detection measures and denial measures (including those that require detection and those that do not) covers the same elements as the equation posed at the beginning of this post, but in a slightly different way as follows:

Pr(S) = 1 – Pr(“Denial”|“Detection”)·Pr(“Detection”) – Pr(“Denial”|“No Detection”)·Pr(“No Detection”)

(The astute reader might notice that the equation above equates the event “denial” with “adversary failure,” or rather “failure to deny” is the same as “adversary success.”)  Obviously, this equation is more general than the one posed initially as the defender still stands a chance at denying the adversary success through non-detection-dependent denial measures.
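The two equations above can be checked against each other numerically. The following is an added example, not part of the original post or of Fuqua and Wilson's book: it evaluates both expressions and walks the event tree by simulation. The function names, the sample probabilities, and the assumption that a passive barrier stops the adversary independently of detection are constructed for illustration.

```python
import random


def pr_success_sequential(p_detect, p_engage, p_neutralize):
    """First equation: the defender must detect, engage, then neutralize."""
    return 1.0 - p_detect * p_engage * p_neutralize


def pr_success_denial(p_detect, p_deny_detected, p_deny_undetected):
    """Second equation: denial can occur with or without detection."""
    return (1.0
            - p_deny_detected * p_detect
            - p_deny_undetected * (1.0 - p_detect))


def denial_terms(p_engage, p_neutralize, p_barrier):
    """Conditional denial probabilities under this example's assumption:
    a passive barrier (wall, moat, ...) stops the adversary with probability
    p_barrier, independently of whether he is detected."""
    p_response = p_engage * p_neutralize
    p_deny_detected = 1.0 - (1.0 - p_response) * (1.0 - p_barrier)
    p_deny_undetected = p_barrier
    return p_deny_detected, p_deny_undetected


def simulate(p_detect, p_engage, p_neutralize, p_barrier,
             trials=200_000, seed=1):
    """Walk the event tree once per attempt; return the fraction of
    attempts in which the adversary succeeds."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(trials):
        stopped_by_barrier = rng.random() < p_barrier
        detected = rng.random() < p_detect
        engaged = detected and rng.random() < p_engage
        neutralized = engaged and rng.random() < p_neutralize
        if not (stopped_by_barrier or neutralized):
            successes += 1
    return successes / trials


def compare(p_detect=0.8, p_engage=0.7, p_neutralize=0.9, p_barrier=0.3):
    """Evaluate both equations on constructed sample probabilities."""
    sequential = pr_success_sequential(p_detect, p_engage, p_neutralize)

    # With no detection-independent denial, the second equation
    # collapses to the first.
    d_det, d_undet = denial_terms(p_engage, p_neutralize, 0.0)
    no_barrier = pr_success_denial(p_detect, d_det, d_undet)

    # Adding a passive barrier lowers adversary success even when
    # detection fails.
    d_det, d_undet = denial_terms(p_engage, p_neutralize, p_barrier)
    with_barrier = pr_success_denial(p_detect, d_det, d_undet)

    simulated = simulate(p_detect, p_engage, p_neutralize, p_barrier)
    return {
        "sequential": sequential,
        "no_barrier": no_barrier,
        "with_barrier": with_barrier,
        "simulated": simulated,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>12}: {value:.4f}")
```

Under the independence assumption the second equation simplifies to (1 – p_barrier) times the first, so the passive barrier scales down adversary success regardless of how well detection performs.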

“Deterrence” (again, my personal favorite) touches on those measures that influence the perceptions of adversaries.  Arguably, all visible security measures have some deterrence value as they shape the adversary’s perceived probability of success.  Measures taken to devalue a target also act as a deterrent in the sense that they lessen the adversary’s perceived gain from success.  Even deceptive measures such as decoys that have no intrinsic “aggressor resistance” have at least a little deterrence value so long as the adversary remains fooled.  If the adversary feels that success is less likely than failure, and that the gain from success is less than desired, the overall likeliness of an event is lower than if success seemed likely and the gain was sufficient.  So, unlike all the other “D” words talked about so far, deterrence is the only term that specifically targets the likeliness of event portion of the risk equation.

So which set of “D” words is better?  It really is hard to say.  Fuqua and Wilson offer a term (“deterrence”) that relates to likeliness of event, while the DHS approach (“devalue”) offers a term that relates to the physical vulnerability portion of the risk equation.  Otherwise, the two sets of “D” words are the same, more or less.  In the end, all these “D” words (as well as words that start with letters other than “D”) are important since they assist security practitioners in thinking through problems.

With all this talk about “D” words, I find myself tempted to write a security-related song about the letter “D” in the spirit of Cookie Monster’s song about the letter “C”.   I call it “D’s are for Security” or the “Security Song:”

D is for denial, to stop you from harming me

D is for detection, to catch my enemies

D is for deterrence, to scare you away from me

Oh, security is all about “Ds.”


Why Have We Not Been Attacked Again? This report might offer some insight…

Sunday, October 5th, 2008

I just got word of a report summarizing a recent workshop held in McLean, VA focused on the “simple” question “why have we not been attacked again” since 9/11? The workshop was sponsored by the Defense Threat Reduction Agency (DTRA) in cooperation with Science Applications International Corporation (SAIC).  The cover page of the report is shown in the Scribd window below.  Per the dissemination control markings, this product is available for public release.

Basically, this report examines a total of 29 well-defined hypotheses that address the question at issue, namely reasons for the non-occurrence of another attack (a challenging question indeed).  These hypotheses were compiled as part of an extensive literature review centered on publications that offered reasons why we haven’t experienced a successful attack.  The fact that cells were foiled, according to the authors, was taken to mean that attacks were attempted, but were unsuccessful (a summary of failed attacks is provided in Appendix C of the report).  Using the information collected during this literature review, a comprehensive list of critical assumptions, supporting evidence and contradictory evidence was compiled for each hypothesis. The goal for the workshop was to identify the likely reasons for non-occurrence of an attack based on all available evidence and assumptions combined with the opinions of subject matter experts.

The 29 hypotheses were sorted into four bins as follows, two for each of capabilities and motivations (i.e., the two variables that comprise the DoD definition of threat). Note that these hypotheses are NOT mutually exclusive nor are they collectively exhaustive, and as stated in the report, it is quite possible that one or more (or perhaps none) of these hypotheses contribute to the fact that the US hasn’t experienced a successful attack in the last 7 years.

Bin I: US and Allied Counterterrorism Efforts (Capabilities part of Threat)

  • Hypothesis A: US homeland security efforts
  • Hypothesis B: US and allied counterterrorism operations
  • Hypothesis C: The wars in Iraq and Afghanistan have drawn jihadists away
  • Hypothesis D: Reduced state support for terrorism
  • Hypothesis E: Crackdowns on private financing of terrorism since 9/11

Bin II: Terrorist Attack Capabilities (Capabilities part of Threat)

  • Hypothesis F: Terrorist threat has been massively exaggerated
  • Hypothesis G: Time is required to rebuild al-Qaeda’s capabilities
  • Hypothesis H: Al-Qaeda is waiting to acquire a CBRN capability
  • Hypothesis I: The assimilation of US Muslims
  • Hypothesis J: A lull is occurring between Iraq and the next generation of al-Qaeda
  • Hypothesis K: Non-Salafist groups have lacked the capability

Bin III: Another Attack Ill-Advised (Motivations part of Threat)

  • Hypothesis L: Al-Qaeda’s next attack must surpass 9/11
  • Hypothesis M: 9/11 was a strategic miscalculation
  • Hypothesis N: Al-Qaeda is safeguarding its sanctuary in Pakistan
  • Hypothesis O: Striking the US homeland again could rally support for America
  • Hypothesis P: Al-Qaeda has become more sensitive to killing American civilians
  • Hypothesis Q: Al-Qaeda is warning the US of its intent to attack
  • Hypothesis R: Al-Qaeda needs success, resulting in conservative planning
  • Hypothesis S: Domestic extremist organizations have lacked the motivation
  • Hypothesis T: “Lone Wolf” terrorists have lacked the motivation
  • Hypothesis U: Hezbollah has been restrained by Iran and Syria

Bin IV: Other Attack Priorities (Motivations part of Threat)

  • Hypothesis V: Opportunities in Iraq have diverted jihadist resources
  • Hypothesis W: Al-Qaeda has shifted its focus to Europe
  • Hypothesis X: Al-Qaeda’s focus has returned to toppling Middle Eastern regimes
  • Hypothesis Y: Regional groups are focusing on regional targets
  • Hypothesis Z: Al-Qaeda’s goal is to “bleed” the United States dry economically
  • Hypothesis AA: 9/11 was meant to be a one-time attack
  • Hypothesis BB: Al-Qaeda is focused on preventing Shia ascendancy
  • Hypothesis CC: Non-Salafist groups have lacked the motivation to attack

Methodology

This information on each hypothesis, to include a full description, critical assumptions, supporting and contradictory evidence, was then fed to one of three working groups comprised of national security practitioners (see Appendix A for a full list).  The goal of each working group was to walk through the available information and assumptions, discuss it amongst the group, and then each expert would render an independent judgment on the “likelihood that the hypothesis is valid” and the “confidence in the assessment given the quality of available evidence, knowledge, experience, …”  The aggregate results for each hypothesis produced a matrix as shown below given a five-tier likelihood scale and a three-tier confidence scale (don’t be fooled by the placement of the X’s along the Y-axis – there is no meaning to the relative position of an X in the box.  The editors simply forgot to center them vertically in the box.).

Several other hypotheses were developed during the meeting as follows, though none were assessed for validity (because no evidence was provided, I suppose).  I am surprised, actually, that these seemingly obvious hypotheses didn’t make the original list.

  • Al-Qaeda is still coasting on 9/11
  • Terrorists are simply waiting for the right conditions to attack
  • The US response to another attack is too uncertain to jeopardize current successes

For those familiar with the analytic techniques taught by Professor Frank Hughes of the National Defense Intelligence College, this exercise is essentially an implementation of Chamberlin’s Method of Multiple Working Hypotheses (MMWH) (different from the Analysis of Competing Hypotheses, or ACH).  Basically, the available evidence is weighed against each hypothesis in isolation to determine a subjective level of internal support (e.g., internal = human comfort level with asserting the hypothesis as true). No consideration is given to the complementary hypotheses, nor are two or more hypotheses considered in tandem to assess synergies, subadditivities, or independence. In practice, though, it is often very difficult to look at anything in isolation, so I suspect the judgments were shaped, perhaps only in a small way, by how each expert viewed the alternatives.  Unfortunately, while this is good for ACH, it isn’t necessarily good for MMWH.

Results of this Analysis

Despite their apparent lack of concern for page length, unfortunately the authors did not provide a single page summary of the results.  Rather, the authors simply summarized the results up front (bottom line up front, or BLUF style) and provided the raw opinion matrices (such as shown above) for each individual hypothesis in Appendix B.  The outcomes from this study were expressed in terms of the “most compelling hypotheses” (A, B, I, L, S, V, W, Y, CC) and “unpersuasive hypotheses” (F, P). (I am not sure I like the word persuasive, as it implies that the analysis must be good enough to persuade someone to see past their preinclinations, or rather, their anchors).

Additionally, the analysis did summarize areas of uncertainty that might shape future analytic efforts aimed at better understanding Al-Qaeda (pp. 27-28).  In addition, the report offers several “independent counterterrorism strategies” as explained on pages 29-30.

Critique on this Study

Based on my understanding and experience as an intelligence community methodologist, I feel compelled to offer the following critiques.

  • The opinion matrices are very confusing to me, a person who has thought extensively about confidence and likeliness and many other uncertainty analysis issues.  Typically, one speaks of likelihood (or what I refer to as likeliness) in the context of uncertainty about future events (what will happen?), not for questions of fact (what happened? why?).  In general, it is sufficient to ask the simple question “is hypothesis xxx a reason for why we haven’t had another attack?”  The answer then is YES or NO (as it should be since it is a question of fact).  The confidence level assigned to this judgment then discounts the opinion in accordance with how much information, background knowledge, etc. was available to support this judgment.  For example, if you believe the answer is YES, then the choice of confidence level places the probability that you are right somewhere between 50% and 100% (where obviously words with higher (lower) intent place you closer to 100% (50%)).  Using two scales basically asks the experts to make an assessment of confidence on their assessment of uncertainty, or as the information science people like to call it, “second-order” uncertainty.  For questions of future events, this is ok since your judgment (with confidence) expresses a probability distribution over alternative futures.  But for questions of fact where the answer is YES or NO, it makes no sense to say “even chance YES” with “medium confidence” (basically, this statement says the expert doesn’t know with less than perfect confidence; does this mean the residual confidence is applied to something other than “even chance”?).
  • No guidance was described on how the experts arrived at judgments of confidence, but rather the facilitators left the details of confidence assessment open to individual interpretation.  (Actually, the first paragraph on page 148 described an “intellectual dilemma” concerning confidence as it related to validity).  This individual interpretation problem is such a no-no that government explicitly addressed it in the Intelligence Reform and Prevention of Terrorism Act (IRPTA), subsequently followed up by the Director of National Intelligence in Intelligence Community Directive 203 (ICD 203).  That is, analysts must “properly caveat and express uncertainties or confidence in analytic judgments.”  Subjective confidence judgments, as the psychologists call them, are extremely sensitive to bias, mood, stress, and a variety of other factors separate from sound reasoning.  In fact, much of the intelligence community’s training efforts are focused on providing a variety of tools and techniques aimed at mitigating the effects of irrelevant (non-analytic) contributors to confidence.  I, personally, spent my entire time at DIA constructing alternative methods for expressing analytic confidence that strived, to the maximum extent possible, to remove all subjectivity out of confidence assessments.  According to my scheme (which I am writing up now), I won’t believe a single thing you say unless you show in writing your reasoning and source analysis.  Some of Kris Wheaton’s (Intelligence Studies Program at Mercyhurst College) students also studied this problem; one even went so far as to construct a tool to help in this area (read about it here or download the thesis).  But despite all this, the DTRA study resorted to the old confusing way of doing business <heavy sigh>.  But then again, DTRA is not part of the intelligence community, so ICD 203 and IRPTA I suppose do not apply to them.
  • While the experts were treated to a lot of information and assumptions all with citations to some published document, were the experts advised to consider the quality of the underlying sources?  Or were the sources vetted using some scheme to determine whether they should be included as part of a hypothesis write-up?  This is unclear to me, but very important as I would not want to trust any analysis that hasn’t at least performed some sort of source analysis (and I don’t want to hear that an article must be good since it was published in The Guardian).
  • What I find funny is that despite some of the hypotheses judged by a majority as “almost certainly” valid with “high confidence,” the authors (perhaps guided by the experts) hedge the analysis by claiming that “the most unassailable conclusion of the study is that we simply do not know why the United States has not been successfully attacked again” (p. 26).  Well of course we do not know, but the way this statement was phrased suggests to me that the experts found the exercise less than perfectly credible, perhaps because things weren’t clear (e.g., confidence), the structure was too limiting (e.g., you can offer hypotheses, but we won’t assess them), or time was too short (e.g., too much to do, so little time).  Or, perhaps this hedge isn’t a hedge at all, but an otherwise obvious analytical caveat explaining to readers that we can’t ever really know ground truth, so regardless of what we say with high or low confidence, we will never know with complete certainty why there hasn’t been another attack.

Final Thoughts

In general, this report was very interesting to read and actually gave me a lot to think about, both conceptually and methodologically.  The most interesting parts of this report are Appendix B (where the methodology is explained), the Introduction chapter that explains the conference structure and key findings, and the immense detail provided for each of the 29 hypotheses.  Actually, the quality of the information supporting each hypothesis is such that I can strip out the materials from 4 or 5 hypotheses and use it as a basis for an in-class ACH (or MMWH) exercise.  I plan to do this sometime this week – should be fun.


The Value of Security Risk Analysis: Insights, Not Numbers

Sunday, October 5th, 2008

A recent commentary piece I authored for the Security Analysis and Risk Management Association’s (SARMA) August-September 2008 Risk Communicator just appeared in my email inbox and on the SARMA website.  For convenience, I repeat this editorial below (it can be linked to here).  Note that I noticed one typo and one inconsistency after the fact, which I corrected in the version below (mods shown with underline or strike-through; hopefully the SARMA folks will follow suit).

Risk analysis, much like any other professional analytic activity, informs decision-making. Most security professionals have no objections to this seemingly obvious statement. But how does risk analysis actually “inform” decision-making? Do the end results of a risk analysis matter, or is the process of doing risk analysis more important?

Much debate in recent years centered on the appropriate arithmetic or logical expression for security risk. It is hard nowadays to call yourself a security risk professional unless you have been party to a debate over the appropriateness of qualitative versus quantitative risk methods — or perhaps even so-called “quantified” approaches. This debate continues today in government and industry, and is unlikely to subside until the debaters discover the “holy grail” of risk formulas that applies equally well to anything and everything; that is, unless we finally learn to accept that such a formula does not exist, nor would we be much better off even if it did.

A useful risk analysis methodology is one that generates meaningful risk knowledge throughout its implementation. Regardless of the strategy used to score and aggregate threat, vulnerability and consequence, good risk analysis seeks to generate useful knowledge of a system and its weaknesses, and estimates how the system might respond to challenges brought on by a variety of plausible threats. Numbers or labels used to describe risk rarely yield any new insights in themselves. At best, risk results offer a sanity check on methodology and intuition — and any disagreement between the intuition and the final result provides a means for revealing flawed reasoning or a flawed analytic approach, and nothing more.

I believe that the debate over formula has less to do with the pursuit of mathematical correctness and more to do with it being much easier to argue over equations than it is to debate the “value-added” of a process. Formulas produce visible numbers (whether correct or not); processes generate invisible insights. Consequently, it is harder to measure the benefit of a methodology in terms of its ability to create understanding than it is to criticize the mathematical correctness of an arithmetic expression. But much like the opening statement of this essay, most security professionals would agree that the process of doing analysis is more meaningful than the final answer.

The real question, then, is how do we craft a risk analytic process that maximizes knowledge creation? Shifting the debate toward process instead of product offers the potential for a greater return on intellectual investment than quibbling over details of calculation. After all, it is the reasoning that establishes decision-maker trust in the results of a risk analysis, not the form of the risk output. So let’s focus less on how to calculate risk, and more on understanding how to build a methodology that actually improves our ability to make reasoned risk management decisions.


Terrorism: The Executive’s Guide to Survival by Fuqua and Wilson (Quick Book Review)

Saturday, October 4th, 2008

Paul Fuqua and Jerry Wilson’s book Terrorism: The Executive’s Guide to Survival (Gulf Publishing Company, 1977, ISBN: 0872018210) is a neat little gem of a text that provides practical information for executives on how to protect their person and their business.  An abstract of this book is available here.

According to the rear cover of the book, Paul Fuqua and Jerry Wilson are both veterans of the Washington DC Metropolitan Police Department.  Paul Fuqua was a police officer and later director of public information, whereas Jerry Wilson ultimately served as police chief from August 1969 through September 1974.  Both have B.S. degrees in Administration of Justice from American University, but any boost in credibility from this degree pales in comparison to their years of practical experience dealing with anti-war protesters converging on DC (imagine the need politicians felt for executive protection), the 1968 Washington DC riot in the wake of the murder of Martin Luther King, Jr. (as line officers at the time), the Watergate scandal (not sure how relevant this experience is to the book, but I felt it worth mentioning), the rise of international terrorism (e.g., airline hijackings), and other routine and extreme urban crime events.

The purpose of this book is stated in the foreground of the front cover – to help executives “know what [they] can do to prevent, bombings, kidnappings, and extortion.”  The authors emphasize the importance of this book implicitly via a background image of what appears to be splattered blood atop a black wall or broken glass (morbid, but effective; unfortunately my scan only shows a black and white image).  From the point of view of the executive reader, the question at issue is “what can I do” to prevent bombings, kidnappings, extortion, or splattered blood?  Actually, when you read the book, you quickly learn that the advice offered by the authors is more broadly geared toward risk reduction, which includes both prevention (to reduce probability of event) and protection (to reduce vulnerability).

As one might expect given the authors’ backgrounds, the book is very practical and not academic in the least.  The authors actually state in the Preface that “abstract theory has been subordinated to practical knowledge” (p. vii).  In this book, I personally would have chosen to use the word “guidance” in lieu of knowledge because it doesn’t get deep enough into any particular subject (though its breadth is nice and wide).  In 151 pages, the authors give the most brief historical account of bombings (Ch 1), how bombs work (Ch 2), how to prepare a risk study (Ch 3), how to deal with bomb threats (Ch 4), how to search for hidden bombs (Ch 5), how to evacuate a facility subject to a bomb threat (Ch 6), how to deal with mail bombs (Ch 7), how to protect against placement of bombs in the first place (Ch 8), how to prevent kidnapping (Ch 9), and how to deal with a kidnapping or hostage situation when one occurs (Ch 10).  All chapters following Ch 2 are packed full of guidance and procedures addressing the theme of the chapter, to include checklists and form templates and pictures when appropriate.  This book is definitely worth an hour or two of perusal if it can be picked up on the cheap.  Right now, Alibris.com has a listing for a used copy of this book for around $6.50 (say $10.00 with shipping and handling).

The following are some things I noticed that apply to the stuff I routinely think about:

  • At the end of the chapter on the history of bombings (Ch 1), the authors clearly articulate that “whether or not the ultimate goals of a bombing campaign are achieved is of little interest to the individual targets of specific bombings.  For the individual victim the loss of life, limb, or property is likely to be the important consideration, regardless of the broader goals of the bomber” (p. 17).  In fact, the authors highlight that the level of control in the area of event prevention is minimal, as there is “no feasible absolute procedure for the prevention of bombings” within the ability of typical protectors to implement.  Accordingly, the authors stress (in not so many words) that the emphasis of most security risk management activities is on vulnerability reduction and loss prevention (both are arguably vulnerability management, where vulnerability is taken to be probability of loss given event).  I couldn’t agree more, but to call an activity a “risk assessment” insists on at least a meager consideration of the likeliness of event.
  • In their review of the history of “anti-colonial bombings” (pp. 13-14), the authors highlight activities of the Irgun Lvai Teumi group (I think this spelling is incorrect), an old-school paramilitary guerilla organization “whose objective was the creation of an independent Jewish state within its original biblical boundaries.” This objective sounds oddly similar to the activities of modern day Palestinian groups.  I recall reading something about such a group in Bruce Hoffman’s book Inside Terrorism (Columbia University Press, 1999, ISBN: 0231114699).  The way this information was presented was especially intriguing to me in light of the modern Israel-Palestinian crisis; however, since Fuqua and Wilson do not cite any of their sources and have no stated experience in terrorism studies or being witness to these events, I am forced to take their summaries with a grain of salt.  Notwithstanding the potential factual inaccuracies, the intent of this chapter was to justify why it is important to think about bomb risk.  Fortunately for the reader (though unfortunately for society), the explosive threat is broadly accepted by society as both real and significant.  But I must admit that I am tempted to pull out Dr. Hoffman’s book and give it another read.
  • In their Chapter 3 on preparing a risk study, the authors offer a three step process for assessing risk that consists of (1) reviewing past histories of bombing, (2) determining critical areas of an organization that would be most affected by a bombing, and (3) reviewing security countermeasures to see whether they meet security objectives.  To implement the first step, the authors ask that you convince yourselves that bomb threats are important to consider in your specific circumstances, nothing more.  Depending on who the decision maker is, this might be easy or hard depending on the risk attitude of the decision maker, predispositions (warranted or not), external stressors, etc.  The second step asks to identify and classify all physical areas of an organization in terms of impact following an explosive event.  The classification scheme is based on a four-tier qualitative criticality rubric that, in my eyes, is simple and sweet (shown below).  The third and final step offers a comprehensive security assessment checklist that “offers a starting point for an organizations own security survey.”  Accordingly, this step offers no guidance on which checkmarks matter in different contexts; it is purely up to the decision maker to decide (and rightly so).  But as far as being a practical book for executives, some guidance should have been offered.

  • Finally, the authors talk about the “three D’s of security”: “denial,” “detection,” and “deterrence.”  At first glance, I thought several items were missing from the “three D’s.”  After all, when I first started at the Department of Homeland Security in mid-2003, a different string of “D’s” were tossed around the Protective Security Division (under the direction of Mr. James F. McDonnell) of the Information Analysis and Infrastructure Protection (IAIP) directorate, namely “detect,” “delay,” “defend,” and “devalue.”  So why the difference?  I think I have an answer, but I will defer responding until a later post…

Threat or Risk-Based? (from an op-ed that never made it)

Friday, October 3rd, 2008

While perusing my files of long lost papers that never made it, I came across the following op-ed piece I submitted to some major newspaper on July 12, 2006  (I forget which newspaper it was, but I think it was the Washington Post given I lived in DC at the time).  Unfortunately, the piece, like many articles submitted to major newspapers, wasn’t included for publication.  Since I still largely believe what I wrote (though I could probably say it more clearly nowadays), I decided to post it here.  Blogs really do come in handy when it comes to offering a home for what would otherwise be an abandoned writing.

The recently released Department of Homeland Security grant allocation for 2006 has sparked wide protest. Numerous experts scoffed at the distribution, and many are calling for threat-based prioritization of homeland security money. As a student of risk analysis, to hear from these experts that resource allocation decisions should be “threat” based initially struck me the wrong way – my training has taught me that resource allocation decisions should always be risk-based. But after giving it some thought, I realized that what I was hearing was just another case of unstated assumptions.

Risk, as it is commonly referred to in the security domain, is the combination of threat, vulnerability, and consequence. The threat associated with a given target is a measure of its attractiveness to our adversaries. To focus on threat alone is to take the narrow-minded view of the risk problem – theoretically speaking, what is attractive to our adversaries might not be valuable from our perspective. Full consideration of all three dimensions is necessary to rationally allocate resources in such a way as to maximize risk reduction per dollar spent.

But is this always true? My answer is that it depends on your assumptions. If one assumes that the adversary has perfect knowledge of our nation’s weaknesses, then the most vulnerable and most consequential targets are in fact the most attractive from the adversary point of view. Threat follows vulnerability and consequence in this case, and thus higher risk means higher threat. However, if we assume that the adversary’s perceptions differ from our own, then threat might not necessarily follow risk, and allocating funds based on threat alone would result in suboptimal expenditures.

Of course, the situation is not either-or, but somewhere in between. It doesn’t take a rocket scientist to figure the weaknesses of our infrastructure, but we also shouldn’t assume our adversaries know that places like Wisconsin exist. And as research has shown time and time again, protection in one area shifts adversary attention toward a softer target; perhaps as New York becomes more resilient and less vulnerable, adversary attention might gradually shift toward softer, less protected regions.

At the end of the day, we really shouldn’t assume that we know what all our adversaries think. Rather, we should accept that our adversaries are dynamic, constantly learning, and always looking for opportunities to achieve surprise. The best we really can do is focus our attention on what is truly our most valuable assets, and assume that our adversaries won’t waste their energy on targets of lesser value. Under this assumption, threat-based allocation is in fact risk-based, and arguments over semantics really don’t change the decision process. But like in all other decision situations, we really should make clear what our assumptions are to allay any further confusion.
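The argument above, worked through numerically as an added example (not part of the original op-ed). It assumes risk is the product threat × vulnerability × consequence and that threat is proportional to the adversary's believed V·C; the targets, numbers, and function names are all constructed for illustration.

```python
# Added illustration; targets and numbers are constructed, not real data.
# Assumption: risk = threat * vulnerability * consequence (product form).

TARGETS = {  # name: (vulnerability V, consequence C) as the defender assesses them
    "A": (0.9, 100.0),
    "B": (0.5, 400.0),
    "C": (0.8, 50.0),
    "D": (0.2, 900.0),
}
PERCEIVED = {  # constructed adversary beliefs (V, C) that differ from the defender's
    "A": (0.9, 300.0),
    "B": (0.4, 300.0),
    "C": (0.9, 400.0),
    "D": (0.1, 500.0),
}

def threat(beliefs):
    """Attack probability per target, proportional to the adversary's
    believed expected gain V*C (assumed attractiveness model)."""
    gain = {t: v * c for t, (v, c) in beliefs.items()}
    total = sum(gain.values())
    return {t: g / total for t, g in gain.items()}

def risk(thr, actual=TARGETS):
    """Expected loss per target: threat * actual V * actual C."""
    return {t: thr[t] * v * c for t, (v, c) in actual.items()}

def ranking(scores):
    """Target names ordered from highest to lowest score."""
    return sorted(scores, key=scores.get, reverse=True)

def risk_removed(funded, risks, effect=0.5):
    """Risk reduction if each funded target's risk is cut by `effect`."""
    return sum(risks[t] * effect for t in funded)

def compare(beliefs, k=2):
    """Fund the top-k targets by threat and by risk; report both outcomes."""
    thr = threat(beliefs)
    rsk = risk(thr)
    by_threat, by_risk = ranking(thr), ranking(rsk)
    return {
        "by_threat": by_threat,
        "by_risk": by_risk,
        "threat_based": risk_removed(by_threat[:k], rsk),
        "risk_based": risk_removed(by_risk[:k], rsk),
    }

perfect = compare(TARGETS)    # adversary sees exactly what the defender sees
skewed = compare(PERCEIVED)   # adversary perceptions differ from the defender's
```

With perfect adversary knowledge the two rankings coincide, so threat-based and risk-based funding remove the same risk; with skewed perceptions, funding by threat alone removes less risk than funding by risk.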


“Towards Human-Level Machine Intelligence – Is it Achievable? The Need for a Paradigm Shift” (Upcoming Seminar at PSU/IST)

Thursday, October 2nd, 2008

The title of this post aligns with the title of the lecture that Professor Lotfi Zadeh (of fuzzy logic fame, among other subjects) is scheduled to deliver as part of the Distinguished Lecture Series of the College of Information Sciences and Technology at Penn State University (see the flier below).

I strongly encourage all uncertainty, risk, intelligence, control theory, etc. researchers situated nearby this event to attend.  And with his 60+ years of active research in all areas of information science, computer science and engineering, Professor Zadeh exhibits a level of depth and breadth that is unmatched by anyone I ever had the privilege of listening to.

Whether you can attend or not, below are citations for several of his most recent publications.  Unfortunately, access to these requires a subscription to each particular journal.  An alternative, of course, is to request the article via your local library (e.g., interlibrary loan), or go to the Library of Congress, New York Public Library, or nearby library of a public university and download it there.  Of course, you could also email Professor Zadeh himself (I leave it to you to find his email address) and ask if he might send these to you.

More information on Professor Zadeh’s research legacy (to include a number of his papers in PDF format) can be found at his personal website hosted by the Berkeley Initiative on Soft Computing.


The Financial Crisis: A Case of Ontological Uncertainty Aversion?

Wednesday, October 1st, 2008

For those readers following the current financial crisis, one can come up with a number of seemingly good reasons for and against the US government’s proposed bailout package.  I admit that I am very ignorant of the inner workings of the extremely complex system we call “the economy” as it is (as most people are, whether they realize it or not, economists included).  Because of this, I am in no position to assess the benefits (which may, in general, be negative) and risks associated with a bailout.  The only information I have is the direct cost of action (up to $700,000,000,000 or more) and direct cost of inaction ($0).

Due to my extreme ignorance of the economy, all I can estimate are three possible futures given that the US government proceeds with the bailout (mutually exclusive and collectively exhaustive; event labels shown in parentheses following scenario narratives):

  • The bailout will hurt the economy relative to inaction (“-”|B)
  • The action taken will not change anything about the economy relative to inaction (N|B)
  • The bailout will improve the economy relative to inaction (“+”|B)

Following Laplace’s principle of indifference, I am forced to assign a probability of [0,1] to each of these three scenarios since I have minimal understanding of the economy.  In “precisiated” form (to use the term coined by Professor Lotfi Zadeh), this means that the probability of each scenario above is equal at 0.333… or 1/3.

If the bailout does not happen (“Not B” or “~B”), then there are three possible outcomes:

  • The economy is worse in X years than it is now (“Worse”|~B)
  • The economy is the same in X years as it is now (“Same”|~B)
  • The economy is better in X years than it is now (“Better”|~B)

Let’s assume X = 5.  Again, following the principle of indifference, I am forced to assign a probability of [0,1] to each of these three scenarios.  In “precisiated” form, this means that the probability of each ~B scenario above is equal at 0.333… or 1/3.

Just for the sake of argument, let’s express the state of the economy in terms of an overall “utility” value labeled U.  For the three ~B scenarios above, we then have the following utility values where a value of 0 corresponds to the current (i.e., today’s) state:

  • U(“Worse”|~B) = -a
  • U(“Same”|~B) = 0
  • U(“Better”|~B) = b

Obviously, -a ≤ 0 ≤ b, or rather “a” and “b” provide magnitudes and the signs preceding these variables specify whether this magnitude is good or bad.  Now let’s examine the expected utility associated with each option “Not Bailout” or “Bailout.”  For the ~B option, we have (not including cost to implement):

U(~B) = U(“Worse”|~B)·Pr(“Worse”|~B)+U(“Better”|~B)·Pr(“Better”|~B) = (-a+b)/3

For the B (bailout) option, we have (not including the cost to implement):

U(B) = Pr(“-”|B)·[(-a-c)/3+(b-d)/3+(0-e)/3]+Pr(N|B)·[(-a+b)/3]+Pr(“+”|B)·[(-a+f)/3+(b+g)/3+(0+h)/3]

or

U(B) = [(-a-c+b-d-e)/9]+[(-a+b)/9]+[(-a+f+b+g+h)/9]

or

U(B) = (-a+b)/3 + (f+g+h-c-d-e)/9

In the above, “c” is the magnitude of “Δbad” with respect to the non-bailout possibility of “-a”; “d” is the magnitude of “Δbad” with respect to the non-bailout possibility of “b”; “e” is the magnitude of “Δbad” with respect to the non-bailout possibility of “0”; “f” is the magnitude of “Δgood” with respect to the non-bailout possibility of “-a”; “g” is the magnitude of “Δgood” with respect to the non-bailout possibility of “b”; and “h” is the magnitude of “Δgood” with respect to the non-bailout possibility of “0.”

The expected five-year benefit of the bailout action is the difference between the expected utility of bailout and the expected utility of no bailout, or:

Benefit(B) = U(B) – U(~B) = (f+g+h-c-d-e)/9

The question now is whether expected benefit exceeds the cost of implementing the bailout plan, or does Benefit(B) ≥ $7·10¹¹?  In terms of the benefit above, is (f+g+h-c-d-e) ±Y ≥ $6.3·10¹² ± Z? (note that I added the “Y” and “Z” to account for costs, benefits, and risk outside the immediate scope of my reasoning). Well, I cannot answer this question of judgment given my personal knowledge of “the economy.”  And again, I doubt there are more than perhaps just a few people out there who could state with any appreciable degree of confidence that this inequality will be true in five years’ time.  The only reliable way to work toward an answer to this question is to debate various positions.  Admittedly, this is what Congress is doing right now.  But for a problem as big as the media and president claim it to be, I doubt sufficient debate can occur in the perceived window of opportunity for action (regardless of whether this perception is accurate).

Now why did I go through all of that only to say that I have no idea whether or not this inequality is true?  The reason is simple – when it comes down to strict economic terms, the real question is whether (f+g+h-c-d-e) ≥ $6.3·10¹².  Basically, this is the explicit form of the otherwise vague question “do the benefits of the bailout meet or exceed its costs?”  To date, answers have been as vague as the question they are working with.

I have my own suspicions as to why the bailout is being given serious consideration, and it is simpler than the reasons offered in the media.  Basically, decision makers are averse to increased ontological uncertainty.  Ontological uncertainty, as explained by Professor DG Elms at the University of Canterbury in his paper “Structural Safety – Issues and Progress” published in the journal Progress in Structural Engineering Materials, Vol. 6, No. 2, pp. 116-126 (2004), doi:10.1002/pse.176, has to do with the unknown and unexpected, or uncertainty due to our lack of understanding of what really exists (I personally do not see much difference, conceptually, between ontological uncertainty and epistemic uncertainty, as both are reducible forms of uncertainty having to do with lack of knowledge). Let’s view the bailout as a measure aimed at mitigating increasing ontological uncertainty.  Currently, decision makers and their advisers across government and academia have some understanding of how this complex system we call “the economy” works as it was a few days, weeks, or months ago (as meager as this understanding is).  Unfortunately, the extremeness of recent events is forcing a structural change within this complex economic system. When the dust settles, say, one, two, or three years hence, we will be left with a new economy that, while functional, has the potential to be radically different from the economy we have come to understand.  The bailout, thus, can be viewed as a strategy aimed at trying to keep the economy as it was AND to not let it self-correct.  If the economy stays as it was, then our collective understanding of how it works remains relevant.

But no one can deny that, regardless of whether the bailout passes, change is-a-happenin.  Several structural changes have occurred already, e.g., less lending, government intervention with AIG, Bank of America purchasing Washington Mutual, Citigroup wanting to purchase Wachovia, etc.  How does the economy work now relative to before, when Washington Mutual and Wachovia existed?  And with any intervention, while it may preserve what is left of “the economy” as we knew it, it is bound to set precedent for future government intervention both here and abroad, may adjust investor attitudes toward risky propositions, sour public sentiment, and so on.  That is, while the bailout might quell change in the economic system, it may also significantly impact the socio-political system that the economy relies on to function.  At this point, I suspect the total amount of structural change that will occur, bailout or not, will leave our experts more in the dark about how our system works than they were not too long ago.  That is, ontological uncertainty is increasing regardless of whether action is taken.  Then again, were we in the dark to start with?  If so, this might explain why we find ourselves in this mess.
