security risk analysis


An Excerpt from a 55-Year-Old Article from Science on its Birthday

Thursday, July 30th, 2009

Rather than sleeping, I decided to read an article by Leonard B. Loeb entitled “Military Security in a Scientific Age” published in Science, Vol. 120, No. 3109 (July 30, 1954), pp. 15-163 (link here).  In it I found the following paragraph that seemed to resonate with my interests:

… it is only during a war that weapons development can be prosecuted, politically and economically, to greatest advantage and also it is only during a given conflict that strategic and tactical problems are sufficiently clearly defined to enable efficient weapons and devices development.  It is only when the aggressor moves and discloses his strategy, weapons and tactics that the planning to defeat him can be properly undertaken.  Doubtless under these conditions the aggressor enjoys the initial advantage, but such advantage of initiative is in all ways on the side of the aggressor who can choose time, place and means.  When the conflict begins, then and only then, can the nonaggressor nation that is richer in scientific potential go into effective action against an adversary who has frozen his weapons into production some years before he attacks.  Thus the aggressor’s weapons are on the obsolescent side once he initiates action, while the nonaggressor can go into production on newer type weapons (p. 162).

I think this quote says a lot when viewed in the context of our modern security problems.


The Rule and the Reason

Tuesday, July 21st, 2009

While searching for information on the history of security risk management, I came across the following short, yet very interesting publication out of the University of California:

Hennecke, R. C. (1949). The Rule and the Reason: A Security Handbook.  Ernest O. Lawrence Radiation Laboratory. DOWNLOAD HERE.

This book is short but sweet, though my scan of it is not perfect.  The book is divided into two chapters:

  • The first chapter is on basic security principles and regulations.  Sections in this chapter include a discussion on clearances, personal conduct, physical security and information security.  The author excerpts quotes on each of these topics from a number of books and guides, including the UCRL Security Manual.
  • The second chapter is fun… it is titled “The Enemy,” and basically asks the questions “who is he,” “where does he come from,” “how many is he,” “what is he after,” and “how successful has he been.” While the focus here was on Soviet infiltration of a lab, these questions should be on every threat analyst’s mind today.

Engineering Security: A Report by New York’s Finest

Monday, July 6th, 2009

I am not exactly sure when this report came out, but very recently the New York City Police Department released a report entitled “Engineering Security: Protective Design for High Risk Buildings” and accompanying Risk Calculator (see screen shots below; I would incorporate the calculator directly into the post but alas this tool does not offer this possibility).  The report can be linked to at Scribd.

Engineering Security: Cover Page

Screenshot from NYPD Risk Calculator

This NYPD Risk Tiering methodology embodied in the calculator above, like many, MANY others that came before it, uses the Threat x Vulnerability x Consequence construct to organize the factors believed to influence the security risk associated with buildings in New York City.  From what I can pick out, the security context driving this methodology is as follows:

  • Protector: Building owner
  • Asset: Building structure, occupants
  • Threat: Explosive, and to a lesser extent, Chem/Bio

The Risk Tiering Methodology breaks down Threat, Vulnerability and Impact (their term for consequence) as follows:

  • Threat: threat profile (history, intelligence), target attractiveness (value characteristics)
  • Vulnerability: adjacency (nearby to attractive targets), accessibility (security), structural performance (fragility)
  • Impact: maximum occupancy, economic criticality, transportation criticality, critical infrastructure proximity

Though it is not clear from the methodology write-up in Appendix A, the final risk score is calculated as follows:

  • Each factor for each model parameter is scored on a scale of 1-3
  • The score for each of Threat, Vulnerability and Impact is obtained by adding the scores of the associated factors; thus, the Threat score ranges from 2-6, Vulnerability ranges from 3-9 and Impact ranges from 4-12.
  • The final risk score is obtained by multiplying together the Threat, Vulnerability and Impact scores; thus, the final Risk score ranges from 24-648.

How is this methodology and guidance used? First, the NYPD clearly states wherever possible that the guidelines contained in this document are only guidelines and are NOT legal requirements.  That said, the purpose of the methodology is for building owners to simply classify their structures as one of LOW Tier (risk score of 24-79), MEDIUM Tier (risk score of 120-197) or HIGH Tier (risk score of 288-648).  Based on the results of this top level screening activity, one of three things may happen:

  • If the building owner does his work and classifies his building as HIGH, then the guidance in this document applies to help mitigate the risk.  This includes guidelines on perimeter security, access control and monitoring, structural design, emergency preparedness and protecting air handling systems.
  • If the building owner classifies his building as LOW, then the implication early on in the document is that he need not read any further.  Of course, such protectors are welcome and encouraged to read on at their leisure (I would assume), but the guidelines are not tailored to buildings in this tier.
  • If the building owner classifies his building as MEDIUM, then it seems up to him whether to follow the guidelines or not.  I believe this is simply a judgment call that relies on the consideration of one or more factors outside what the methodology calls for.
  • If the building owner classifies his building as being somewhere between HIGH and MEDIUM or MEDIUM and LOW, then it seems up to him to figure out what is best.  The guidance document says nothing about these intermediate areas and instead restricts its focus on those buildings classified as HIGH and in some cases MEDIUM.  A bit of guidance on what the building owner should do in these middle cases, however obvious it might seem, would be helpful.

If you classify yourself as HIGH Tier, does money follow from the city? Apparently not, even though what classifies the building as HIGH Tier might have everything to do with factors the building owner can do nothing about.  For a building that already exists, the only variables the owner can control are:

  • Accessibility (to install security or not)
  • A self-defined maximum occupancy (how many people will I allow in my building)
  • Economic criticality (should I allow profitable businesses to occupy the building or not)
  • Structural performance (should I harden, retrofit or not)
  • Target attractiveness (should I change the line of business/occupancy permitted in my building)

The external factors outside the ability of the building owner to influence are:

  • Threat profile (events happened already)
  • Adjacency (the building is where it is, and unless I sell or my neighbors move, there is nothing I can do)
  • Transportation criticality (same argument as above)
  • Critical Infrastructure proximity (same argument above)

If a building owner scores a 3 on each of the controllable variables, the range of possible total risk scores he might calculate is between 224 and 648.  That is, if every parameter outside his ability to influence is at its lowest, the building owner’s risk tier lands in the ambiguous intermediate zone between MEDIUM and HIGH.  A simple nudge of two or more external factors to a value of 2 will push the building into the HIGH Tier category.  Here I see potential for both parties to “game” the methodology.  For example:

  • If $$$ is attached to being classified as HIGH Tier, then the building owner might conservatively assess the external factors to his benefit.  Or perhaps he will argue that he is one of those “special” MEDIUM Tiered buildings.
  • If no $$$ is available, then the building owner might argue against high values for these parameters (or perhaps compensate for high values with lessened values for the other parameters, since the building owner has complete control of his information so long as these guidelines are not legal requirements).
  • If the city wants to decrease risk at the building owner’s expense, it could bias the external parameters toward higher values (the city has complete control of the information shaping these values); if the building owners don’t budge on this information, perhaps this methodology provides a platform for arguing in favor of antiterrorism design regulations.

Now, for use in the DESIGN of new buildings or to replace old buildings, or perhaps as part of the deliberation on whether to purchase or lease a pre-existing structure, there is greater control of whether to build/buy a building adjacent to more attractive buildings, near transportation nodes and critical infrastructure.  Here the building owner has greater flexibility.

What about the scoring scheme? In general the scoring scheme is fine since it is only used to place a particular building in a risk tier.  That said, the scoring system presently has a lot of holes.  For instance the range of possible scores is said to be 24-648 (a span of 624), but if you do the math you will find that there are only 315 combinations of possible scores given the constraints on what values each model parameter can take.  If you then remove the duplicate scores, there are only 103 unique scores (and I can guarantee none of them are prime like those defining the upper limit of the LOW [79] and MEDIUM [197] tiers).  And oddly enough, the greatest number of possible unique scores is assigned to the HIGH Tier.  See the table below for a full listing of scores and associated Tiers.

All Possible Scores

When one considers all possible scores including duplicates, one sees a breakdown among tiers as follows (counts shown atop each pie slice):

Distribution of Scores for NYPD Methodology

[Note I label the intermediate zones adjacent to the MEDIUM Tier as MEDIUM-LOW and MEDIUM-HIGH].  If one lumps MEDIUM-HIGH with HIGH (medium high being those special MEDIUM classified buildings), then there are 121 scores that suggest the building needs attention, or about 38% of the possible scores.  Of course, if MEDIUM-LOW and MEDIUM-HIGH stay with MEDIUM, then this Tier absorbs about 66% of the possible scores, leaving a lot of wiggle room for fudging answers in a manner favorable to whomever is doing the fudging (e.g., if $$$ is available, then my MEDIUM-LOW building is one of those special MEDIUM buildings).  But despite this score breakdown, I do see NYPD’s point – most buildings in practice will probably fall under the LOW Tier.

I do not advise using the NYPD Risk Tiering methodology as the basis for a quantitative benefit-cost analysis.  The best one can say is that for a given investment, the risk moved from HIGH Tier to MEDIUM or LOW Tier, which in itself says nothing other than that risk was nudged downward.  Each Impact score has no intrinsic meaning (at least it is not explicit), and thus even if one converted the Threat and Vulnerability scores to some equivalent probabilities via some mathematical operation with a semblance of validity (i.e., 0 to 1 instead of x to y), because of all the holes and the use of integer values for scores, the distance between two successive scores on the list of possibilities carries no real meaning.  For example, the next lowest score after 648 is 594 (a difference of 54), then followed by 576 (a difference of 18) and 540 (a difference of 36).  Let’s say you have two buildings, one with a score of 648 (met by T=6, V=9 and I=12) and the other with a score of 576 (met by T=6, V=8 and I=12).  Now let’s say we have a fixed-price solution that will bring I to 11, but we have enough money to implement the solution in only one place.  Should we do it, and if so, where?  If we assume that we have the solution and have to use it, the change in the first building is from 648 to 594 (a difference of 54 points) and the change in the second building is from 576 to 528 (a difference of 48 points).  Which should we pursue?  Note that the risk tier after implementation in both cases is still HIGH.  What if the building originally had a risk score of 288 (met by T=4, V=6 and I=12) and after implementation changed to 264 (a difference of 24 points)?  The difference is less, but the Tier went from HIGH to not HIGH.  At least here the building is classified differently.  In the end, the answers to these questions are ambiguous, and ambiguous answers are not the type useful for benefit-cost analysis.
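To make the scoring scheme, the tier boundaries, the owner-controllable versus external factors and the benefit-cost examples above concrete, here is a small Python script that reconstructs the score space; it is an added example written for this post, not NYPD code, and the function and factor names (e.g. `reassess`, `threat_profile`) are my own labels for the factors the post lists.

```python
from collections import Counter
from itertools import product

# Factor groupings as the post describes them; every factor is scored 1-3.
THREAT_FACTORS = ("threat_profile", "target_attractiveness")
VULNERABILITY_FACTORS = ("adjacency", "accessibility", "structural_performance")
IMPACT_FACTORS = ("max_occupancy", "economic_criticality",
                  "transportation_criticality", "infrastructure_proximity")
ALL_FACTORS = THREAT_FACTORS + VULNERABILITY_FACTORS + IMPACT_FACTORS

# Factors the post identifies as outside an existing building owner's control.
EXTERNAL_FACTORS = ("threat_profile", "adjacency",
                    "transportation_criticality", "infrastructure_proximity")

# Tier boundaries quoted from the post; the two gaps between them are the
# intermediate zones the post labels MEDIUM-LOW and MEDIUM-HIGH.
TIERS = (
    ("LOW", 24, 79),
    ("MEDIUM-LOW", 80, 119),
    ("MEDIUM", 120, 197),
    ("MEDIUM-HIGH", 198, 287),
    ("HIGH", 288, 648),
)


def _component(scores, factors):
    """Sum one group of factor scores, rejecting anything outside 1-3."""
    total = 0
    for name in factors:
        value = scores[name]
        if value not in (1, 2, 3):
            raise ValueError(f"{name} must be scored 1, 2 or 3, got {value!r}")
        total += value
    return total


def components(scores):
    """Return the (Threat, Vulnerability, Impact) sums for one building."""
    return (_component(scores, THREAT_FACTORS),
            _component(scores, VULNERABILITY_FACTORS),
            _component(scores, IMPACT_FACTORS))


def risk_score(scores):
    """Risk = Threat x Vulnerability x Impact, as the post reconstructs it."""
    t, v, i = components(scores)
    return t * v * i


def tier(score):
    """Map a risk score onto a tier, including the unlabelled gaps."""
    for name, low, high in TIERS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside the reachable range 24-648")


def score_space():
    """Every reachable (T, V, I, T*V*I) combination, duplicates included."""
    return [(t, v, i, t * v * i)
            for t, v, i in product(range(2, 7), range(3, 10), range(4, 13))]


def unique_scores():
    """Distinct risk scores, highest first."""
    return sorted({s for _, _, _, s in score_space()}, reverse=True)


def tier_breakdown():
    """How many of the (T, V, I) combinations land in each tier."""
    return dict(Counter(tier(s) for _, _, _, s in score_space()))


def owner_best_case():
    """Score when the owner maxes out every factor he controls (3) while
    every external factor sits at its minimum (1): the post's 224 case."""
    scores = {f: 1 if f in EXTERNAL_FACTORS else 3 for f in ALL_FACTORS}
    return risk_score(scores)


def reassess(t, v, i, new_i):
    """Compare a building before and after an Impact change (the post's
    fixed-price mitigation example) and report whether the tier moved."""
    before, after = t * v * i, t * v * new_i
    return {"before": before, "after": after, "delta": before - after,
            "tier_before": tier(before), "tier_after": tier(after)}


if __name__ == "__main__":
    print(f"{len(score_space())} combinations, {len(unique_scores())} unique scores")
    print("top scores:", unique_scores()[:6])
    print("tier breakdown (with duplicates):", tier_breakdown())
    print("owner best case:", owner_best_case(), tier(owner_best_case()))
    for t, v, i in ((6, 9, 12), (6, 8, 12), (4, 6, 12)):
        print(reassess(t, v, i, i - 1))
```

Running it reproduces the 315 combinations and 103 unique scores cited above, and shows that dropping Impact by one point moves 288 out of HIGH while 648 and 576 stay put.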

In summary: the methodology is easy (efficient), and perhaps helpful in telling a building owner whether he or she should take the time to think about antiterrorism measures.  Beyond that, the effectiveness of this approach in itself for informing decisions at HIGH Tier buildings (and special “MEDIUM” tier buildings) is in question owing to the inability to perform benefit-cost analysis.  I suppose, though, that the higher-tiered buildings actually have the resources to pay for more extensive analysis anyway (and are pretty much in tune with their risk profile), so perhaps this tool is really just for telling the lower-tiered buildings not to worry so much.  The ambiguity between MEDIUM and HIGH worries me, though.


Rasmussen on QRA for Safeguards Analysis

Sunday, July 5th, 2009

Since the events of 9/11, particularly following the creation of the Department of Homeland Security, much attention has been paid to the use of probabilistic or quantitative risk analysis methods for the purposes of informing security investment decisions.  The debate on the appropriateness of these techniques was quite intense for a while (say 2003-2006), and to some extent I think there was no clear winner (though I think we are finally coming to grips with what “risk-informed decisions” really means, which in a sense weakens the need for this debate).  Among the fighting and debating, I often found myself wondering what the late Prof. Norm Rasmussen would say about the value of QRA for security.  Now, a number of well-respected scholars have spent quite a deal of time and effort writing on the issue (e.g., Apostolakis, Cox, Bier, Ayyub, Haimes, Kunreuther, Slovic, Pate-Cornell, Diesler, Lave, etc.).  But nowhere could I find even a comment from Rasmussen on the issue.

[NOTE: Norman C. Rasmussen was the director of the famous 1975 Reactor Safety Study, or WASH-1400.  Because of its extreme significance in those days, the report was nicknamed "The Rasmussen Report." I hope to have a copy of the WASH-1400 report posted to this site sometime really soon - oddly enough I can't find it anywhere online]

Then there was my visit to Sandia.  I was privileged to sit in on a presentation delivered by a scientist at Sandia National Labs that walked through the history of Security Risk Analysis from the Sandia perspective.  On one of the slides there was a quote about the appropriateness of QRA for security attributed to Professor Rasmussen himself!  I was truly taken aback!  I asked whether there was a citation I could use for this quote, and lo and behold there was.  Thanks to the Sandia people, I was able to obtain a copy of this paper and post it here via Scribd:

The citation information is as follows:

  • Rasmussen, N. C. (1976). “Probabilistic Risk Assessment: Its Possible Use in Safeguards Problems.” Presented at the Institute for Nuclear Materials Management meeting, Fall 1976, pp. 66-88.

Note the timing… this commentary was made just after the 1975 release of the WASH-1400 report.  My understanding was that many believed PRA/QRA could be applied to problems outside the domain of nuclear safety, perhaps to include nuclear safeguards.  Prof Rasmussen believed then that QRA methods, as outlined in WASH-1400, are NOT appropriate for quantifying safeguards risks (though he says nothing about their usefulness in empowering analysts with knowledge to better inform decision makers).

Just to quickly lay out the outline of this paper: Prof Rasmussen begins by offering an overview of all three levels of QRA, then comments on the differences between security and safety problems, the clearest being that terrorists are not random and that there is some deliberate attempt to maximize consequences.  Rasmussen also points out that the only practical conservative value to assume in security is one, which given the tendency for terrorists to maximize consequences, almost always results in an unacceptable quantitative risk.  His solution – “make the unauthorized access to special nuclear material very difficult,” that is, make the probability of access so small that even if all the other probabilities are unity, the benefit of having nuclear power still outweighs the risk of malicious terrorist use of nuclear material.  Basically, this amounts to a focus on vulnerability reduction, but only those aspects of vulnerability pertaining to the unauthorized access to special nuclear material (not the egress, use, response, recovery, etc. dimensions).  The paper concludes with a short question and answer exchange between Prof. Rasmussen and several audience members, some of which is quite interesting (and clearly dated before the existence of the Design Basis Threat).

In the end, I believe this talk is where the idea of “assuming probability of attack is one” came from, though I could be wrong.


Two Classic (e.g., old) Literature Reviews on Psychological Deterrents to Nuclear Theft

Friday, June 26th, 2009

Thanks to the Penn State Engineering Library, I now have pristine scanned copies of two classic literature reviews focused on psychological deterrents to nuclear theft.  These are:

  • Meguire, P. G. and Kramer, J. J. (1976). “Psychological Deterrents to Nuclear Theft: A Preliminary Literature Review and Bibliography.” NBSIR 76-1007, prepared for the Defense Nuclear Agency by the Law Enforcement Standards Laboratory, National Bureau of Standards [Scribd link]

A review of the unclassified literature dealing with psychological deterrents was conducted for the Defense Nuclear Agency (DNA). Its purpose was to identify techniques that might be useful in the DNA’s Forced-Entry Deterrent Systems (FEDS) Program for psychologically deterring nuclear weapon theft. The review indicates that while human psychological processes (sensory, perceptual and cognitive) can be manipulated by various means, definitive empirical data are lacking which relate directly to deterring nuclear weapon theft. Behavioral impact research should be undertaken by DNA to (1) ascertain the deterrence values of the many techniques identified and (2) test the hypotheses implicit in the FEDS concept.

  • Lapinsky, G. W. and Goodman, C. (1980). “Psychological Deterrents to Nuclear Theft: An Updated Literature Review and Bibliography.” NBSIR 80-1038, prepared for the Defense Nuclear Agency by the Law Enforcement Standards Laboratory, National Bureau of Standards [Scribd link]

A review of the unclassified literature dealing with psychological deterrents was conducted for the Defense Nuclear Agency (DNA). The review indicates that while human psychological processes (sensory, perceptual and cognitive) can be manipulated by various means, definitive empirical data are lacking which directly relate to deterring nuclear weapon theft. Behavioral impact research should be undertaken by DNA to ascertain the deterrence values of the many techniques identified.

UPDATE: My undergraduate assistant tracked down a number of very useful references extracted from the 1980 report.  These will be posted really soon.


NEEDED: A Few Good Risk Analysis Student Project Ideas

Sunday, December 28th, 2008

In Spring 2009, I anticipate having 65 students (or more) enrolled in my SRA 311 (Risk Management: Assessment and Mitigation) course.  SRA 311 is the last required core course for the Security Risk Analysis undergraduate major at Penn State University.  Most students in this course will be second-semester juniors or first-semester seniors interested in a career in security risk analysis or intelligence analysis.

All SRA 311 students are required to contribute to a final course project that seeks to perform a risk study for a real problem of real interest to real decision makers.  I anticipate 5-person teams, and with 65 students this means I should have about 13 teams.  This also means I need at least 13 final course project ideas to choose from.

To meet my needs, I am currently seeking course project ideas for my SRA 311 students.  If you have any risk analysis project ideas that would lend themselves to student participation, please send me an email or leave a comment on this post.  Ideas from last semester include:

  • Self-assessment methodology for social network participation risk
  • Risk analysis self-assessment methodology for campus lab theft
  • Press release preparedness methodology
  • many others…

Some of the ideas I have for Spring 2009 include:

  • User risk assessment for an online social/collaborative environment (PSU Home, Second Life, etc.)
  • Research lab security assessment methodology
  • Methodology for hazard preparedness (each group focused on a different hazard)
  • Technology transfer risk assessment methodology
  • Structure and content of a regional threat and vulnerability forecast
  • Risk assessment methodology for organizational surprise

What I would really like are some information security-oriented risk analysis project ideas, a few homeland security ones, maybe one or two methods geared toward the national security or business intelligence communities, etc.

Unlike in Fall 2008, many Spring 2009 projects will be focused on building simple decision support tools that implement the methodology, complemented by a media presentation (YouTube video, website, poster, NO POWERPOINT).  Of course, for those niche studies, the project will be dominated by a paper.


Top 10 Cyber-Security Risks to University Communities

Friday, December 26th, 2008

The December 19, 2008 issue of the Chronicle of Higher Education contained an interesting article by Jeffrey Young (Vol. 55, No. 17, p. 9) describing the “Top 10” cyber-security risks to university communities.  In ascending order of seriousness (10 low, 1 high), these ten threats/risks/activities are:

10. Spammers
9. Cellphones
8. Phishers
7. Social Networks
6. Outsource Partners
5. University Students
4. University Professors
3. University Staff Members
2. Thieves
1. Malware and Botnets

Note that according to the article, this list was based on surveys and interviews with over a “dozen college technology leaders.”

This article reminds me of a 1976 study that asked three different communities (“experts”, students, and members of the League of Women Voters) for their opinions on how a set of 30 activities and technologies should be ranked in order of seriousness (see this link for the results, and this link for the questionnaire).  However, unlike the 1976 study, where the different groups were asked to rank order an activity based on the chances of someone dying from it in a given year, it is unclear what the basis for seriousness is here.  Does the ordering have to do with the probability of victimization due to the malicious code or user action?  If so, this list is surely missing the consequence dimension.  Or is it rank ordered based on the probability of each activity being the proximate cause of bad consequences?  My guess is that the ordering takes an “all things considered” approach.  I really wish there was more of a description of what “seriousness” means in this context so I could better appreciate the basis for the rank ordering.

Despite this, we should all be aware of what can cause us harm – after all, the first step in risk reduction is to identify what can hurt you (our number one vulnerability is ignorance, as I always say).  At the very least, this list highlights to higher-education readers (most likely faculty and staff, fewer students) some of the cyber challenges of modern computing.  But I must ask, what threats/risks/activities are missing from this list?


A New Approach to Teaching Security Risk Analysis

Tuesday, November 4th, 2008

Hot off the press is the latest issue of the International Association for Intelligence Education (IAFIE) newsletter.  In it I contributed an article describing my strategy for, and experiences thus far, teaching my security risk analysis course at Penn State.  The title of the article is “A New Approach to Teaching Security Risk Analysis,” and it can be viewed by going to the IAFIE web page, newsletter section.  At the time of writing this post, the newsletter is not yet available via the website, but I suspect it will be available really soon. So, see below for the full version of the article in the form I submitted it (which may differ from the final version, as I did give the editor free rein to make changes):


A New Approach to Teaching Security Risk Analysis

Interest in risk analysis has increased in the homeland security and intelligence communities in recent years.  The homeland security community uses elements of risk analysis to help decide how to buy-down the potential for loss due to naturally-occurring and anthropic events.  The intelligence community thinks about different aspects of risk issues in most, if not all, strategic assessments.  Private industry, too, leverages risk analysis in both the traditional economic sense (financial risk, insurance) as well as for security (physical, information) and to inform strategic and operational decisions (project risk, political risk).  Unfortunately, while the need for risk analysts is great and perhaps increasing, few educational programs educate students in what risk is and how to go about assessing risk in a manner that best informs the decision making process.

In Fall 2006, the College of Information Sciences and Technology at The Pennsylvania State University established a first-of-its-kind undergraduate major in Security Risk Analysis (SRA).  The goal of the SRA degree program is to educate future security professionals on the threats that challenge society, how decision makers think, and how to properly assess, communicate, and make suggestions on ways to manage risk.  Accordingly, the many courses students must take include SRA-specific courses in the threat environment, information security, decision analysis, risk management, visual analytics, human-computer interaction, and so on.

As part of my role as a new assistant professor at Penn State, I was asked to develop and instruct the junior level course in risk management (SRA 311).  If one takes a moment to survey the literature on security risk analysis, there is no established pedagogy for teaching risk management at the undergraduate level save for a discussion on the subject that might occur in a course on probability and statistics or industrial engineering.  Textbooks on security risk analysis tend to focus their attention on the technical details of physical or cyber security, often leaving only a chapter-length (i.e., marginal) treatment of risk analysis.  These same books present risk analysis as a tool to order scenarios (e.g., risk analysis = risk matrices) much like the way ACH is treated as a tool to facilitate reasoning.  The one thing I can say with confidence is that risk analysis is not a tool – it is a way of thinking about problems that applies to security, intelligence, and just about every other discipline where critical decisions must be made.

So here I was – a new professor tasked with teaching a course that had never been offered before and with no textbook to guide its development.  Fortunately, the philosophy of risk and risk analysis is really not that hard to explain.  In its most generic form, risk “measures” the potential for gain or loss associated with future events.  The process of doing risk analysis comes down to providing defensible answers to the following three questions (i.e., the “risk triplet”):

  • What can happen?
  • How likely is it to happen?
  • What are the consequences if it does?

In my experience doing risk analysis, the challenge isn’t understanding what risk analysis is – after all, it often only takes one chapter in a book or a few lectures to explain the fundamentals of risk.  The real difficulties lie in producing analysis that carefully reasons from available evidence to a statement of risk, is mindful of alternative plausible events and outcomes, is free of undue and harmful bias, is critical of the competence and credibility of information sources, and communicates risk in a manner that is informative yet non-judgmental regarding its acceptability. After much thinking about this, it occurred to me that the same things taught to basic analysts in the IC are equally applicable to emerging risk professionals and for the same reasons.  As it turns out, the pedagogy for teaching risk analysis the “right” way was already there, but not where I expected.

Now that I am most of the way through my first offering of SRA 311, I have found that many of the same topics discussed in intelligence training courses have been very helpful in getting my students to think carefully about each question of the risk triplet.  Besides covering the basic philosophy of risk and all the components of traditional security risk analysis (e.g., threat, vulnerability, consequence), we discussed the cognitive aspects of analysis from the point of view of descriptive models and empirical evidence, the mechanics of a variety of structured analytic methods aimed at assisting reasoning (e.g., problem restatement, divergent/convergent thinking, event/possibility/decision trees), source analysis and analytic confidence (DNI intellectual standards), and risk communication.  We used a variety of in-class examples to give students practice doing risk analysis, including information security (e.g., benefits/risks of cell phones in SCIFs), physical security (e.g., terrorist attacks, theft/pilferage), and intelligence case studies (e.g., embassy threat analysis).  Finally, I stress over and over again Elder and Paul’s Eight Elements of Thought and Intellectual Standards as an approach to thinking critically about everything we do, whether in the form of critical article reviews, methodology/analysis appraisals, or as guidelines for completing the final course project.

Of course, at present I have no real basis for saying whether my approach to teaching risk analysis is any better than an alternative approach I have not conceived.  After all, this is my first time teaching such a course on risk analysis and I have no baseline with which to make a comparison.  But having seen real risk professionals in action and knowing what they do and what they need to do better, combined with experiencing first hand the marked improvement in analytic quality of those intelligence professionals that received formal schooling on structured analysis, I assign a high degree of subjective confidence that this approach will serve the security risk analysis community well.  While my educational strategy is not new in the context of intelligence analysis, it is truly a new approach to teaching security risk analysis.


Now it is time to write some journal articles, so I suspect I will not be authoring any more newsletter articles for a few months…


Choose Your Own Analytic Adventure

Tuesday, November 4th, 2008

Everyone says that structured analytic techniques are good things to have as part of a “Thinker’s Toolkit.”  In the security risk analysis degree program at Penn State, several of my colleagues and I make every attempt to instruct our students in the proper application, and the value, of structured analytic techniques for enhancing one’s ability to think clearly, carefully and rigorously through complex problems.  Unfortunately, our situation suffers from a significant handicap: most of our students lack “real world” experience doing analysis for problems in the security and intelligence communities (or perhaps doing any real analysis at all for any community).  Accordingly, we often find ourselves searching for carefully constructed case studies that provide the right balance of realism and accessibility for students who may not have sufficient domain knowledge to speak credibly on any particular issue.  We want case studies that contain enough information to allow students to define the problem, articulate alternative hypotheses, leverage evidence to establish probability distributions over a set of future alternatives and degrees of confidence in analytic judgments, do source analysis, and so on.

To date we have come across several case studies used in the intelligence community, such as those developed by Professor Francis Hughes at the National Defense Intelligence College and several of the cases authored by Thomas Shreeve as part of the Intelligence Community Case Method Program.  Fortunately for us, these case studies have proven moderately successful when used as part of our classes.  However, we are still in search of more case studies that walk students through a problem, asking them to apply different structured analytic techniques to draw defensible inferences from data, make judgments of risk and choose from among alternative strategies for mitigating risk, explore how different ways of communicating analytic results might influence the decision maker, and so on.  And of course, we are also interested in case studies that have a variety of alternative endings, mainly to highlight that the results of the analysis and the way it is communicated do have an effect on the outcome of a situation, as well as setting the stage for later analysis.

In my pursuit of fun books to read to my kids before bedtime, I recently came across the Choose Your Own Adventure series of books that many of us enjoyed during our more youthful years.  I tried to recall my experiences reading these books, such as navigating through all the alternative storylines one can follow based on the choices made during the book (one CYOA fan actually took the time to develop a map of The Mystery of Chimney Rock by Edward Packard; I must admit that I was tempted to do the same).  Then a thought hit me: would it be possible to develop a CYOA book that resembled a storyline one might encounter in a professional security or intelligence position?  In addition to providing a compelling story, such a book would, of course, provide greater depth to a problem, provide evidence, and try to be as realistic as possible so that readers can draw on external resources to aid them in their analysis.  Now here is the kicker: each analysis or decision node would insist that the reader apply a specific structured analytic technique to arrive at the best possible answer or decision.  Once the answer is chosen, the story would then continue.  Some decision nodes would be critical to preserving national security, whereas others might be less so or even irrelevant to the outcome.  When used as part of a course, the analyst would then prepare written reports along the way outlining the steps they took to arrive at a judgment or decision.

In an attempt to appeal to those individuals who have read and enjoyed CYOA books in the past, I decided to label this idea “Choose Your Own Analytic Adventure,” or CYOAA.  See the prototype cover I prepared for the first such book in the series, shown above.  I imagine that the analytic training community could create an entire series of such analytic books spanning all aspects of interest, including terrorism, resource allocation, HUMINT targeting and collection, counter-deception, counter-proliferation, risk analysis, post-blast investigation, cyber security, communicating to decision makers, etc.  What we would need to do this are good writers, good ideas, good researchers, and of course, good artists capable of drawing pretty maps, figures, and sketches (and perhaps permission from the CYOA people to model our books after their likeness).  Just imagine it: we could hand these books out as part of class, and not only would they provide a basis for practicing analysis, but they would also make a good addition to one’s professional library.  And if they are truly written well, then perhaps they might also make for good recreational reading.


Two Good Blogs on Security (Plus an Author Recommendation)

Monday, November 3rd, 2008

Recently, I came across two very good blogs that touch on areas of security risk analysis that overlap with my current interests.  They are as follows:

  • BlogInfoSec.com: An Information Security Magazine in Blog Format.  This blog is authored by a team of nearly a dozen seasoned information security professionals.  A recent series of posts I found particularly interesting was authored by Jeff Lowder (Director of Information Security and Risk Management at Disney Interactive Media Group, a branch of The Walt Disney Company) and centered on the Qualitative vs. Quantitative Risk Analysis debate (see Part I and Part II; Part III is forthcoming).  In fact, in Part I of this three-part series, Mr. Lowder offered a fourth question to add to the risk analysis triplet: how much uncertainty is present in the analysis? (basically, a question of what level of confidence a decision maker should place in the analysis, data and methodology considered).
  • Schneier on Security.  This blog provides a medium for Bruce Schneier (a.k.a. the “rock star” of security) to post his thoughts on security issues, link to articles he has authored and interviews he participated in, and to advertise his collection of best-selling security books.  This guy has a lot of interesting things to say – in fact, after reading some of his posts, I felt personally inspired to purchase the complete set of all his books (I will share my thoughts on these books after I get through with them).

On the topic of recommendations, I highly recommend the pair of books written by Kevin Mitnick and coauthor William Simon.  These books are The Art of Deception: Controlling the Human Element of Security (ISBN: 0471237124) and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers (ISBN: 0764569597).  The first book is all about the role of social engineering in breaking into security systems, and the second is an anthology of stories that collectively describe how and why hackers hack.  Both of these books are excellent, and I highly recommend them for any student of security risk analysis.  In fact, I plan to introduce The Art of Intrusion to my SRA 311 class tomorrow, and to reserve The Art of Deception as required reading for my planned special topics course in Deception and Security.  The Art of Intrusion was particularly enlightening in that it debunked my (suspected) misconceptions about how hackers go about hacking… I will save this discussion for a future post.
