I recently received some interesting reports from and published by Mike Pugh (a member of the RISKANAL email newsgroup) that talk about the use of probabilistic analysis to inform nuclear safety decisions.  Both of these predate WASH-1400 by several years.  The citations are below with clickable links to download the full documents:

Pugh, M. C. (1969). “Probabilistic Approach to Safety Analysis.” TRG Report 1949 (R), The Reactor Group, United Kingdom Atomic Energy Authority.  DOWNLOAD HERE.

This paper gives a brief and simple description of some of the methods employed by the Steam Generating Heavy Water Reactor (SGHWR) Design Office in the application of probability theory to achieve a safe and economic design.  Although this paper is specifically related to the design of SGHWRs the methods employed are of a general nature and could be equally applied to other reactor systems.

Pugh, M. C. (1971). “The Use of Probability Techniques in a Reactor Design Office.” SRS/GR/5, Safety and Reliability Directorate, United Kingdom Atomic Energy Authority.  DOWNLOAD HERE.

The paper briefly describes how probability techniques were used in the Steam Generating Heavy Water Reactor (SGHWR) Design Office of the UKAEA to achieve a safe economic reactor design.

Probability techniques have proved to be a very useful design tool and generally promote a better understanding of a design.  The basic techniques are of value to all members of a design team who can use them in the same way that stressing and heat transfer techniques are used, i.e., to analyse simple problems and to place the more complex problems into the right perspective so that detailed analysis can be performed by a specialist.

Send article as PDF to

UPDATE: I just came across some evidence to suggest that some of the techniques in WASH-1400 evolved from a variety of other places…  I will post these older docs and reports on a new page soon.

Thanks to the diligent searching/scanning efforts of my new graduate student Jon Becker and assistance from several members of the RISKANAL users group, for the first time ever you can download the entire WASH-1400 report right from a single web page.  Prior to this landmark event, pieces of WASH-1400 were scattered across the Internet – a few appendices at the NRC website, an executive summary at OSTI and other pieces elsewhere.  I just updated Wikipedia to link to this post so that future readers interested in learning more about the heritage of PRA can download a copy of this important report for their personal consumption.

Click on any of the links below to download the desired section of the “Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants” (WASH-1400, NUREG 75/014)

• Executive Summary (18 pages, 4.4 MB)
• Main Report (228 pages, 11.7 MB)
• Appendix I: Accident Definition and Use of Event Trees (113 pages, 11.4 MB)
• Appendix II: Fault Trees (607 pages, 35.2 MB)
• Appendix III: Failure Data (112 pages, 11.5 MB)
• Appendix IV: Common Mode Failures: Bounding Techniques and Special Techniques (55 pages, 6.2 MB)
• Appendix V: Quantitative Results of Accident Sequences (142 pages, 6.1 MB)
• Appendix VI: Calculation of Reactor Accident Consequences (500 pages, 23.7 MB)
• Appendix VII: Release of Radioactivity in Reactor Accidents (292 pages, 25.3 MB)
• Appendix VIII: Physical Processes in Reactor Meltdown Accidents (177 pages, 19.0 MB)
• Appendix IX: Safety Design Rationale for Nuclear Power Plants (43 pages, 5.2 MB)
• Appendix X: Design Adequacy (166 pages, 17.5 MB)
• Appendix XI: Analysis of Comments on the Draft WASH-1400 Report (141 pages, 12.6 MB)

Need I say that WASH-1400 is a big document???  Here is a funny email exchange I had with my graduate student before he realized just how big WASH-1400 is:

PROFMCGILL (me), 11:51AM: “I need a scanned copy of the WASH-1400 “Reactor Safety Study” report by Norman C. Rasmussen.  It is not available online.  The Engineering Library has it.  I need the executive summary, main report and all its appendices. Can you make this happen?”

GRADSTUDENT (Jon), 11:54AM: “On it. I’ll have that to you when I come back from lunch.”

PROFMCGILL, 12:02PM: “Good luck… do you have any idea how long it is?”

GRADSTUDENT, 12:25PM: “Ha! You have a truly formidable ability to fill people with dread in the span of one question. I’ll find out after lunch which I am about to take.”

PROFMCGILL, 12:35PM: “Enjoy lunch.”

A few hours later…

GRADSTUDENT, 2:23PM: “The report you have requested occupies about a foot of library shelf space.”

At this point, my grad student decided to commence an extensive librarian-assisted Internet search to find whatever pieces of the report there was to be found in electronic form.  He dreaded the idea of having to scan the fold-out fault trees!  Fortunately, everything was avaiable, just not in the same place.

Send article as PDF to

Since the events of 9/11, particularly following the creation of the Department of Homeland Security, much attention has been paid to the use of probabilistic or quantitative risk analysis methods for the purposes of informing security investment decisions.  The debate on the appropriateness of these techniques was quite intense for awhile (say 2003-2006), and to some extent I think there was no clear winner (though I think we are finally coming to grips with what “risk-informed decisions” really means, which in a sense weakens the need for this debate).  Among the fighting and debating, I often found myself wondering what the late Prof. Norm Rasmussen would say about the value of QRA for security.  Now, a number of well-respected scholars have spent quite a deal of time and effort writing on the issue (e.g., Apostolakis, Cox, Bier, Ayyub, Haimes, Kunreuther, Slovic, Pate-Cornell, Diesler, Lave, etc.).  But nowhere could I find even a comment from Rasmussen on the issue.

[NOTE: Norman C. Rasmussen was the director of the famous 1975 Reactor Safety Study, or WASH-1400.  Because of its extreme significance in those days, the report was nicknamed "The Rasmussen Report." I hope to have a copy of the WASH-1400 report posted to this site sometime really soon - oddly enough I can't find it anywhere online]

Then there was my visit to Sandia.  I was priviledged to sit in on a presentation delivered by a scientist at Sandia National Labs that walked through the history of Security Risk Analysis from the Sandia perspective.  On one of the slides there was a quote about the appropriateness of QRA for security attributed to Professor Rasmussen himself!  I was truly taken aback!  I asked whether there was citation I could use for this quote, and low-and-behold there was.  Thanks to the Sandia people, I was able to obtain a copy of this paper and post it here via Scribd:

The citation information is as follows:

• Rasmussen, N. C. (1976). “Probabilistic Risk Assessment: Its Possible Use in Safeguards Problems.” Presented at the Institute for Nuclear Materials Management meeting, Fall 1976, pp. 66-88.

Note the timing… this commentary was made just after the 1975 release of the WASH-1400 report.  My understanding was that many believed PRA/QRA could be applied to problems outside the domain of nuclear safety, perhaps to include nuclear safeguards.  Prof Rasmussen believed then that QRA methods, as outlined in WASH-1400, are NOT appropriate for quantifying safeguards risks (though he says nothing about their usefulness in empowering analysts with knowledge to better inform decision makers).

Just to quickly layout the outline for this paper, Prof Rasmussen begins by offering an overview of all three levels of QRA then comments on the differences between security and safety problems, the most clear being that terrorists are not random and that there is some deliberate attempt to maximize consequences.  Rasmussen also points out that the only practical conservative value to assume in security is one, which given the tendency for terrorists to maximize consequences, almost always results in an unacceptable quantitative risk.  His solution – “make the unauthorized access to special nuclear material very difficult,” that is, make the probability of access so small that even if all the other probabilities are unity, the benefit of having nuclear power still outweighs the risk of malicious terrorist use of nuclear material.  Basically, this amounts to a focus on vulnerability reduction, but only those aspects of vulnerability pertaining to the unauthorized access to special nuclear material (not egress, use, response, recovery, etc. dimensions).  The paper concludes with a short question and answer exchange between Prof. Rasmussen and several audience members, some of which is quite interesting (and clearly dated before the existence of the Design Basis Threat).

In the end, I believe this talk is where the idea of “assuming probability of attack is one” came from, though I could be wrong.

Send article as PDF to

Today I received a nice set of declassified articles related to US dependence on foreign minerals and associated risks.  This was my very first FOIA success, and it took only 263 days to fill! (I made the request to the CIA on 22 Sep 08, and it was filled on 12 Jun 09).  The articles include:

• Strategic Minerals: Review of the Issues (in the CIA International Economic & Energy Weekly, 27 November 1981) [see Scribd link]
• Western Platinum Dependence: A Risk Assessment (CIA Research Paper, January 1985) [see Scribd link]
• Russia Increasingly Influential in the Global Diamond Market (date unknown) [see Scribd link]
• Critical Minerals: Estimated Import Dependence of Major Free World Industrial Nations [see Scribd link]

I intend to use these products as examples of how some members of the intelligence community do a risk assessment AND how to make a FOIA request.  Enjoy!

BTW: CIA makes it very easy to submit FOIA requests – they provide all the instructions on their website.  But only if they would accept email requests… presently requests can only be made by mail or fax.

Send article as PDF to

An 2004 paper by Paul Slovic et al. entitled “Risk As Analysis and Risk As Feelings: Some Thoughts about Affect, Reason, Risk and Rationality” published in the journal Risk Analysis, Vol. 24, No. 2, pp. 311-322 (DOI: 10.1111/j.0272-4332.2004.00433.x) reprinted an excellent Doonesbury strip (by Gary Trudeau) from 1994 entitled “Street Calculus”:

I am not the type (like many other professors and office professionals) to print out comic strips and tack them to my door, leaving them in full view for my visitors to read for years on end as they slowly fade and deteriorate.  But I am the type to post such strips to my blog as it highlights what could very well be going on inside peoples’ heads as they size up different risk situations.

Basically, this comic shows two individuals each using their own mental model for sizing up the risks associated with a completely unknown person passing him or her by in the street.  Each mental model identifies a set of cues that enable the individual to associate the current circumstances with those patterns derived from past experience.  Based on how each individual sizes up the situation, in this case with respect to “risk factors” and “mitigation factors” separately, the individual then runs a mental simulation of a variety of perceived plausible futures to assign a score to RF and MF, where an MF greater than RF means the risk is acceptable.  (Note that pattern recognition and mental simulation are the two sources of power described by Gary Klein’s book of the same name).  Perhaps in reality, though, each individual unconsciously sizes up the situation in a holistic matter, where the resulting level of fear or comfort (consider these two factors opposite feelings along a single continuum) determines perceived acceptability of proceeding along the planned travel path (vice making a course correction to mitigate perceived risk).

Do people actually entertain such checklists in their mind?  I suppose that the speed at which the situation depicted in the comic is unfolding insists that the bearers of risk leverage simple heuristics (again, derived from experience) to make their decision.  I highly doubt that the situation permitted enough time to be systematic in their analysis, but rather Gerd Gigerenzer’s fast and frugal heuristics concept applies.  That is not to say that such heuristics are bad, only that using them produces less transparent decisions that may be prone to the influence of harmful biases or misperceptions.

The topic of risk acceptance will be a large part of the next SRA 311 lecture scheduled for Thursday, 6 Nov 2008.  I think I will flash this comic as part of the discussion.

Send article as PDF to

The authors of a book I read recently spoke of the “three D’s” of security: “denial,” “detection,” and “deterrence” (the latter being my personal favorite).  These “three Ds” brought to mind another set of “Ds” I came across while on an ASME Fellowship to the Department of Homeland Security in 2003-2004: “detect,” “delay,” “defend,” and “devalue.”  This post talks about these two different sets of security “D” words, and the extent to which one is or is not better than the other.

To begin this discussion, let’s first consider a logical expression for security vulnerability, which is usually expressed in terms of the probability of adversary success given attempt:

Pr(S) = 1 – Pr(“Detect”)·Pr(“Engage”)·Pr(“Neutralize”)

In words, this equation states that adversary non-success (defender success) requires that the defender detect, engage (which consists of delay and response) then neutralize the adversary (in sequence) – failure to do any one of these will result in adversary success (barring any random things outside the protector’s control that might thwart the adversary’s attempt).

From the point of view of the equation above, DHS is dead on and more.  The equivalence of detection is evident.  In order to engage an adversary, one must respond to the adversary prior to him executing an attack.  Delaying an adversary long enough to respond enables engagement – the longer the delay, the greater likeliness that the defenders will respond in time to do something to stop him.  Defense is essentially equivalent to neutralization in that the objective is to thwart the attacker once engaged.  So, the first three “Ds” of the DHS security quartet correspond to the three parameters of the security vulnerability equation.

But where does devalue fit in?  I must admit that I never heard anyone use the word “devalue” in the context of security prior to my days at DHS.  The focus on devalue is not on improving security, but on improving the resilience or hardness of a system to withstand an attack.  That is, a “devalued” target is one that has been modified in such a way that would result in less loss to the defender (and hence less gain to the adversary) in the event of an attack.  In this sense, devalue seeks to influence adversary target selection by making it intrinsically difficult to achieve the desired gain even when the security system fails.  For example, without doing anything to improve security, the switch to using bleach instead of chlorine in a water treatment facility in effect devalues such a target since bleach is much less harmful to humans in the event of its deliberate release.  Adversaries bent on exploiting infrastructure to harm adjacent communities might be less interested in attack a water treatment plant that made such a shift.

Now consider the security triplet described by Fuqua and Wilson (see my recent post on their 1977 book) in light of the above equation for security vulnerability (i.e., deny, detect, deter).  Fuqua and Wilson essentially looked at the security problem from the point of view of an asset owner (e.g., the “executive”).  Again, the equivalence in the detection term is evident.  “Denial” considers the combination of both engagement and neutralization following detection (such as by a local police force), as well as simple barriers that can’t realistically be overcome (e.g,, 12-foot walls followed by several layers of fences covered in razor-wire), distance or terrain with deadly animals (e.g., attack dogs, flocks of scary geese, alligators in moats), etc.  The focus with denial, though, is more broadly focused on denying success in whichever way possible; detection need not occur for an adversary to be denied opportunity. The combination of detection measures and denial measures (including those that require detection and those that do not) cover the same elements as the equation posed at the beginning of this post, but in a slightly different way as follows:

Pr(S) = 1 – Pr(“Denial”|”Detection”)Pr(“Detection”) – Pr(“Denial”|”No Detection”)Pr(“No Detection”)

(the astute reader might notice that this equation above equates the event “denial” with “adversary failure,” or rather “failure to deny” is the same as “adversary success”).  Obviously, this equation is more general than the one posed initially as the defender still stands a chance at denying the adversary success through non-detection-dependent denial measures.

“Deterrence” (again, my personal favorite) touches on those measures that influence the perceptions of adversaries.  Arguably, all visible security measures have some deterrence value as they shape the adversary’s perceived probability of success.  Measures taken to devalue a target also act as a deterrent in the sense that it lessens the adversary’s perceived gain from success.  Even deceptive measures such as decoys that have no intrinsic “aggressor resistance” have at least a little deterrence value so long as the adversary remains fooled.  If the adversary feels that success is less likely than failure, and that the gain from success is less than desired, the overall likeliness of an event is lower than is success seemed likely and the gain was sufficient.  So, unlike all the other “D” words talked about so far, deterrence is the only term that specifically targets the likeliness of event portion of the risk equation.

So which set of “D” words is better?  It really is hard to say.  Fuqua and Wilson offer a term (“deterrence”) that relates to likeliness of event, while the DHS approach (“devalue”) offers a term that relates to the physical vulnerability portion of the risk equation.  Otherwise, the two sets of “D” words are the same, more or less.  In the end, all these “D” words (as well as words that start with letters other than “D”) are important since they assist security practitioners in thinking through problems.

With all this talk about “D” words, I find myself tempted to write a security-related song about the letter “D” in the spirit of Cookie Monster’s song about the letter “C”.   I call it “D’s are for Security” or the “Security Song:”

D is for denial, to stop you from harming me

D is for detection, to catch my enemies

D is for deterrence, to scare you away from me

Oh, security is all about “Ds.”

Send article as PDF to

In their really, REALLY good paper entitled “Assessing the Competence and Credibility of Human Sources of Intelligence Evidence: Contributions from Law and Probability” published in the journal Law Probability and Risk, Vol 6, pp. 247-274 (doi:10.1093/lpr/mgm025), authors David A. Schum (of George Mason University) and Jon R. Morris (of CIA DS&T) identified a set of twenty-five (25) questions whose answers bear on the question of whether a human source of information is competent and credible.  The twenty-five questions are as follows divided into four categories: competence, veracity, objectivity, and observational sensitivity.

Competence (or is the source qualified to provide the information?)

Leveraging all relevant existing evidence, for each of the five (5) questions below, respond with one of the following four answers: (a) the evidence on this question favors this source’s competence; (b) the evidence on this question disfavors this source’s competence; (c) I cannot decide whether the evidence on this question favors or disfavors the source’s competence; or (d) there is no available evidence bearing on this question.

1. Did this source actually make the observation being claimed or have access to the information reported?
2. Does this source have an understanding of what was observed or any knowledge or expertise regarding this observation?
3. Is this source generally a capable observer?
4. Has this source been consistent in his/her motivation to provide us with information?
5. Has this source been responsive to inquiries we have made of him/her?

Veracity (or does the source believe what he/she is saying?)

Leveraging all relevant existing evidence, for each of the ten (10) questions below, respond with one of the following four answers: (a) the evidence on this question favors this source’s veracity; (b) the evidence on this question disfavors this source’s veracity; (c) I cannot decide whether the evidence on this question favors or disfavors the source’s veracity; or (d) there is no available evidence bearing on this question.

1. Has the source told us anything that is inconsistent with what this source has just reported to us?
2. Is this source subject to any outside influences?
3. Could this source have been exploited in any way in this report to us?
4. Is there any other evidence from other sources that contradicts or conflicts with what this source has just reported?
5. Is there any evidence from other sources that corroborates or confirms with what this source has just reported?
6. What evidence do we have about this source’s character and honesty?
7. What does this source’s reporting track record show about the source’s honesty in reporting to us?
8. Is there evidence that this source tailored this report in a way that this source believes will capture our attention?
9. Are there collateral details in this report that reflect the possibility of this source’s dishonesty?
10. Evidence regarding the demeanor and bearing of this source during the interview?

Objectivity (or was the source’s belief based on the evidence obtained by the source?)

Leveraging all relevant existing evidence, for each of the five (5) questions below, respond with one of the following four answers: (a) the evidence on this question favors this source’s objectivity; (b) the evidence on this question disfavors this source’s objectivity; (c) I cannot decide whether the evidence on this question favors or disfavors the source’s objectivity; or (d) there is no available evidence bearing on this question.

1. Is there evidence about what this source expected to observe during the reported observation?
2. Is there evidence about what this source wished to observe during the reported observation?
3. Was this source concerned about the consequences of what this source believed during the observation?
4. Is there any evidence concerning possible defects in the source’s memory? Also, how long ago did this source’s observation take place?
5. Is there any other evidence from other sources that contradicts or conflicts with what this source has just reported?

Observational Sensitivity (or how good was the evidence obtained by the source?)

Leveraging all relevant existing evidence, for each of the five (5) questions below, respond with one of the following four answers: (a) the evidence on this question favors this source’s observational sensitivity; (b) the evidence on this question disfavors this source’s observational sensitivity; (c) I cannot decide whether the evidence on this question favors or disfavors the source’s observational sensitivity; or (d) there is no available evidence bearing on this question.

1. The source’s sensory capacity at the time of observation?
2. The conditions under which the observation took place?
3. The source’s track record of accuracy in previous reports?
4. Is there any other evidence from other sources that contradicts or conflicts with what this source has just reported?
5. Are there collateral details in this report that reflect the possibility of this source’s inaccuracy?

Using the Questions

According to the authors, the twenty-five questions above have been implemented in a system called MACE (or Method for Assessing the Credibility of Evidence) that apparently has been under development for some time (I wonder if MACE was fully funded by CIA; if so, do I hear FOIA request?).  The remainder of the paper describes the MACE system and how it works.  For the purposes of this post, it is sufficient to point out that MACE is an evidence marshalling tool.  That is, MACE provides a structured set of questions that enables the analyst to make sense of the evidence bearing on a particular source’s competence and credibility.

In addition to providing an answer to each of the twenty-five questions, MACE insists that the analyst judge the relative importance of each question involving a particular situation and a particular report.  Morever, MACE asks the following two questions:

1. On balance, does the evidence favor or disfavor the source’s competence, veracity, objectivity, and observational sensitivity, keeping in mind the number of questions that remain unanswered?
2. On balance, how strongly does the accumulated evidence favor or disfavor our believing of the report this source has just given us, keeping in mind the number of questions that remain unanswered?

Why Care?

According to the standards for analytic tradecraft articulated in Intelligence Community Directive 203 (ICD 203), all intelligence products must “properly describe the quality and reliability of underlying sources” (section D.4.e.(1)).  [Note that the standard in section D.4.e.(2) is also very important, that is, "properly caveats and expresses uncertainties or confidence in analytic judgments."  But I will defer this discussion until a bit later.]  What Schum and Morris provide is a means for arriving at meaningful statements of source competence and credibility that simply were not available in a documented form prior to publication of this paper.

And why do I, as a risk (not necessarily intelligence, though I can play the part) professional think this is important?  Well, most (if not all) security risk analyses rely mostly on the opinions of subject matter experts, organizational representatives, etc. (i.e., humans) for the information needed to make a judgment about threat, vulnerability, and risk.  Much like in intelligence analysis, risk analysts must carefully appraise the information used to support analysis in terms of both its content and its source so as to ensure that the product is free of unintended bias and influence.

Send article as PDF to

Below is a discussion paper I submitted to the Journal of Bridge Engineering (published by the American Society of Civil Engineers) that, for whatever reason, never made it to the ASCE publishing office (I am still slightly upset by this).  Basically, this piece provides commentary and suggestions on a peer-reviewed paper submitted by Mr. James C. Ray of the Engineering Research & Development Center of the US Army Corps of Engineers (a GREAT place to work, by the way).  The citation for the original paper is as follows:

• Ray,  J. C. (2007). “Risk-Based Prioritization of Terrorist Threat Mitigation Measures on Bridges.” Journal of Bridge Engineering, Vol. 12, No. 2, pp. 140-146.  doi:10.1061/(ASCE)1084-0702(2007)12:2(140).

I think James Ray is a good guy, and I had the privilege to work with him and his shop on a number of occasions in the past.  So I figured why not spend some time carefully reading his paper and offering my own thoughts.  The entire discussion piece follows below:

<<Discussion Begins Below – slightly modified from the original given I had the luxury of time>>

Risk analysis for malicious anthropic events has become a high-interest, and quite contentious, topic since the tragic events of 2001, which has led to an increased awareness of the problem and spurred enormous interest within the academic and professional communities on how to effectively and defensibly assess and manage the risk associated with these types of events.  The author’s [Mr. James Ray's] recent contribution toward developing a risk-based prioritization methodology for terrorist threat mitigation measures on bridges brings to bear some of the important aspects a bridge owner must consider when assessing terrorism-related risks, and for this the author must be commended.  We hope that the ideas from this paper spur wider advances in the application of risk based methodologies for protecting bridge assets, among other things.

As a potential direction for improvement, the methodology could be adapted to a probabilistic framework so as to facilitate quantitative benefit-cost analysis.  Take, for example, the general expression for security risk analysis that provides the philosophical basis for most security risk assessment methodologies:

Risk = Threat x Vulnerability x Consequence (Eq. 1)

Equation 1 states that security risk is defined as the combination (not strictly a product) of threat, vulnerability, and the ensuing consequences.  That is, risk is a multidimensional concept.  The quantification of security risk can be achieved by interpreting Eq. 1 in an appropriate mathematical framework, the most widely accepted being probability theory.

The author proposes to adapt the interpretation of Eq. 1 used by AASHTO highway vulnerability assessment methodology (AASHTO 2003).  This approach facilitates a relatively rapid and inexpensive assessment of risk to bridge assets that can be used to identify critical bridge elements and develop candidate proposals for mitigating risk.  However, this attractive quality comes at the expense of departing from a sound probabilistic framework, which means that the risk estimated by this methodology lacks meaningful units (such as annual loss in dollars or fatalities) and mathematical correctness.  If the intent is to allocate a fixed budget reserved for the sole purpose of decreasing risk (i.e., the money is there and must be spent), this is a non-issue so long as the relative risk accurately represents the “true” proportion attributed to different bridge elements and threats.  In contrast, if the intent is to use these results to justify a request for funds to decrease risk, meaningful measures of risk and benefit are necessary to determine whether (1) certain risks are unacceptable in the first place, and (2) expenditures are cost-effective from a risk reduction standpoint.  Defensible answers to these questions require that Eq. 1 be interpreted in a probabilistic framework.

Fortunately, the proposed methodology as presented can be made to fall inline with a probabilistic framework provided certain modifications are made.  A simple high-level interpretation of Eq. 1 in a probabilistic framework would express the risk, R, for a specific threat type against a certain bridge element as:

R = P_AP_S|AC (Eq. 2)

where P_A is the probability of attack in a specified time period for a given combination of threat type and critical element, P_S|A is the probability of the adversary successfully damaging the element given attack (as a function of security measures and hardness of target), and C describe the consequences or impact of a successful attack measured in meaningful units such dollars or casualties per event.

The following is an attempt to integrate the author’s model into the probabilistic model in Eq. 2.  For clarity, Table 1 provides a summary of the author’s model parameters with suggested symbols and interpretations, where the letters “O,” “V,” and “I ” are used in lieu of the more traditional “P” to emphasize which part of the author’s risk equation each attribute belongs to.  Based on the definitions provided by the author for the attributes in Table 1, Eq. 3 can now be rewritten as:

R = (O_A x O_C|A x O_T|A,C) x (O_S|A,C,T x V_D|A,C,T,S) x (w_DI_D + w_TI_T)  (Eq. 3)

where in comparison with Eq. 3, P_A = (O_A x O_C|A x O_T|A,C), P_S|A = (O_S|A,C,T x V_D|A,C,T,S), and C = (w_DI_D + w_TI_T).  Since the author already interprets the values for each parameter on a scale of zero to one, the guidance offered in his original paper still holds with risk recast in terms of probability theory.  The loss conversion factors w_i (i = D or T) are used to bring values for each consequence type to consistent, meaningful units.  For example, if risk is measured in dollars and the economic loss per day of outage of the component is $100,000 per day, w_D = 1 and w_T = $100,000/day (with I_T measured in days).  Note that I_S and the span ratio S_R were deliberately omitted from Eq. 3 since, to our knowledge, the effects of structural importance and length of span is already captured by the values for repair cost and time out of service.  Also, I_H was omitted since, in most cases, this parameter is a matter of perception and does not have a clear, tangible value (though it can be easily included if such a value can be established).

It would be interesting to see how the results of the case study presented in Table 3 of the paper differ under the proposed revision in Eq. 3, and I would not be surprised if the rank order of scenarios based on risk is similar, if not the same, as that generated by the author’s methodology.  However, the advantage of interpreting Eq. 1 in a probabilistic framework is that the results facilitate meaningful benefit-cost analysis, where the benefit is defined in units that can be rationally compared with the costs to implement a given risk mitigation strategy. Moreover, leveraging a probabilistic framework lends a bit more credibility to the model as it aligns better with how risk is traditionally estimated.

Table 1: Summary of the author’s model attributes with variable names

Send article as PDF to